(ISC)² and the Cloud Security Alliance have announced a new credential certifying advanced cloud security skills. The Certified Cloud Security Professional (CCSP) qualification is designed as an international standard for top-level design and management of cloud environments.
The CCSP will ensure that cloud security pros have the appropriate expertise to audit, assess and secure cloud infrastructures. It builds upon existing certifications, such as (ISC)²’s gold standard CISSP and the CSA’s Certificate of Cloud Security Knowledge (CCSK).
The latter recognizes baseline cloud security skills; the CCSP will augment the expertise that professionals gain from the CCSK. To achieve the new credential, candidates will have to demonstrate the hands-on skillset that is essential in the day-to-day management and design of cloud security systems.
Speaking to Infosecurity at RSA Conference 2015, (ISC)² executive director David Shearer explained the decision to create this certification.
“We try to look at where there are specific needs – in the last three years we’ve launched three new credentials: one for healthcare, one for forensics and one for cloud. In these three areas we see the need for specialized skills,” he explained.
“While we’re happy with how the CISSP performs, there’s more work for us to do in these special areas. Cloud is almost becoming ubiquitous – there are so many types of services in cloud. We need to have confidence that the information assets that companies are moving are being protected.”
The recently published 2015 (ISC)² Global Information Security Workforce Study found that 73% of security professionals consider cloud computing roles to require infosec professionals to develop new abilities. Cloud was also seen to have growing demand for education and training.
The CCSP addresses this demand, Shearer told Infosecurity, by offering a “deep dive” into understanding various cloud platforms.
“It looks at interfaces, applications, and programming interfaces where we exchange information. It looks at the encryption of data at rest and the encryption of data in transit – the types of thing we would maybe think of in terms of internal data centers.”
But in the past, Shearer said, those data centers tended to be over a private network with greater control.
“Now you’re actually interfacing your systems across the internet into data centers,” he continued. “A lot of people don’t have the money to do dedicated connections into all these cloud providers. It’s extremely expensive. We want professionals to understand the telecommunications aspect of it, the security aspect of it, and then the data security aspects of it. Then there’s a whole operational component.”
To achieve the CCSP, applicants must have at least five years of experience in IT, with a minimum of three in information security and one in cloud computing. The criteria require candidates to exhibit their expertise in six domains: architectural concepts and design; cloud data security; platform and infrastructure security; cloud app security; operations; and legal/compliance.
Regarding the partnership with the CSA, Shearer told us that “We admired the CSA from afar, the research that they were doing and saw them as a leader within the space and we just broached conversations around synergies.”
He continued: “We started working together and it took us some time to pull the CCSP together but I’m really pleased with the content and what that certification is going to mean.”
More about CCSP training and examinations can be found here.