In mid-August, I continued my studies into cloud security by tackling the Cloud Security Alliance Certificate of Cloud Security Knowledge (CCSK) v4 (2017). This is a vendor-agnostic certification based around guidance documentation for cloud security topics (commissioned from Securosis, by looking at the author list). This is a really good treatment of cloud security, with heavy applicability to pretty much everything other than procedures on how to actually do the things in various services.

Logistics. The cost is about $400 and comes with 2 attempts to take the 90 minute 60 question exam. The exam itself is mostly multiple choice with some true/false questions thrown in. Passing is 80%. The exam is also available online, so you can not only take it at home any time you want, but it is also an open book exam. The study materials are really threefold. About 87% of the exam is taken from the CSA Security Guidance v4 (2017) which is 152 pages long. The rest of the exam is pulled from the CSA Cloud Controls Matrix (a spreadsheet of controls) and the ENISA Cloud Computing Recommendations (~150 pages). If you’re absolutely crunched for time, I think a student could be fine just being aware of the ENISA and Controls documents. Though, honestly, they’re really good materials to consume, exam or not. Oh, also they’re all free to download past a register-wall you can fake out.

Exam Details. The exam questions from the ENISA and Cloud Controls Matrix materials are actually labeled to say they refer to those materials, so you don’t really have to guess. I had some questions with those dreaded “A and C” or “A and B” answers. I would also say that about half of the questions I could do a Find on the materials relatively easily, and less than half the questions were much harder to do that. It definitely helps to know the general format of the main document and where answers will come from and I found it pretty clear most of the time which domain a question came from. The only overlapping domains that get a little confusing are the Management Plane and Infrastructure Security domains. I ended up using 86 of the 90 minutes on my first pass through the questions, with an answer for every one. I then spent all but 20 seconds of the remaining time reviewing 6-8 questions I had marked for review. You do not get to see the answers after you finish, but you get an extensive breakdown on how you did on the 14 domains and 2 additional materials.

Realistic Expectations. I think someone with 1-2 years of cloud experience will still find something to learn through the exam. Someone with 2+ years of general infrastructure IT or IT security should be able to follow along pretty easily as well, and learn a lot about cloud computing considerations. This isn’t some crazy difficult senior level type of certification, but it’s also not a push-over either. I think it’s really the price tag that keeps it from being something you just do to pocket it, and you only do it when you actually want/need it. I think anyone working in cloud security or even engineering/architect should honestly have this cert unless their experience level is already beyond it. There is also training offered, but I honestly am not sure it would be necessary unless someone is new to IT.

My results. I have a long background in IT solutions and systems and security (15+ years), which means the material felt very comfortable to consume and made for easy (if dry in some sections) reading. My cloud experience is minimal, but growing right now (I passed the AWS Cloud Practitioner certification about 2 weeks before this one). When I sat to use my first attempt on this material, I did so not really being confident that I would pass, but wanting to see what the exam was like and what my gaps were. I typically have 2 desktop systems at my desk (3 monitors total) and I can set up another dual-monitor laptop when needed, which I did for this. Doing so allowed me to have all three documents up while also having the exam front and center. This let me look things up very nicely. I also had some somafm going on in the background as my preferred mood music. I felt good going through my first attempt, and was surprised by passing on that first try quite comfortably. I will say if I hadn’t been able to look up answers, I don’t think I would have passed this as the questions really do get a bit tricky. That said, the material along is well worth the time spend to read and reference as you or your organization make moves into modern cloud services.