CSA Summit: Who can protect us? Education for cloud security professionals

Post on 15-Jan-2017


Who can protect us? Education for cloud security professionals

Leonardo Goldim, CEO, IT2S Group

Overview

New Technologies, New Models
• Virtualization
• Cloud Computing
• BYO*
• Big Data
• IoT

http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

Cloud Computing Concerns

• Security
• Privacy
• Compliance

2015 (ISC)² Global Information Security Workforce Study

• ~14,000 information security professionals surveyed: cloud security is a priority for organizations
• 73%: information security professionals must develop new skills
• 70%: cloud security certification programs are relevant

Who is able to protect us?

Industry Needs
• Professionals who understand and can apply effective security measures to cloud environments
• A reliable indicator of overall competency in cloud security
• Roadmap and career path into cloud security
• Common global understanding of professional knowledge and best practices in the design, implementation and management of cloud computing systems

Security Professionals' Needs
• Specialized skills required
• Qualified professionals help organizations take advantage of cloud services
• Growing adoption of cloud increases the demand for security professionals
• Cloud expertise moves from "nice to have" to "must have"

Required Skills for Cloud
• Applying security (a general foundational understanding is still needed)
• Understanding cloud security guidelines and reference architectures
• Knowing compliance issues
• Enhancing technical knowledge
• Specifying contractual obligations and requirements related to security

(ISC)² and CSA

• CSA
– Individual (CCSK) and organizational (STAR) certifications
– Actively writing ISO standards for cloud security
– 400+ member organizations around the world
– Significant SME pool
– Common Body of Knowledge
– Ability to reach endorsement at a company-wide level with member organizations

• (ISC)²
– Individual certifications (CISSP, SSCP, CSSLP, etc.)
– Actively involved with ISO on 27xxx
– 100,000+ members globally
– ISO/IEC 17024 accreditation
– DoD mandate
– Significant SME pool
– Common Bodies of Knowledge

Working Together
• Power of two global, industry-leading non-profit associations
• Stewards for the cloud security and information security profession
• Corporate cloud thought leaders
• Organizations that reinforce professionals' ability and experience to audit, assess, and secure cloud infrastructures
• Building on existing certifications from both organizations
• Ensures CCSP reflects the most current and comprehensive best practices for securing and optimizing cloud computing environments
• Establishes a globally accepted benchmark for confirming professional competency in cloud security
• Industry expert research and opportunities for continuing education

CCSK (Certificate of Cloud Security Knowledge)

Development
• Certification Board
– Ariel Litvin
– Ben Katsumi
– Carlos Saiz
– Christofer Hoff
– Craig Balding
– Gerhard Eschelbeck
– Gianluca D'Antonio
– Hadass Harel
– Jim Reavis
– Joshua Davis
– Keith Prabhu
– Leonardo Goldim
– Peter Gregory
– Peter Kunz
– Randy Barr
– Rich Mogull

Candidates
• Suitable for a wide variety of professions that must be concerned with cloud computing:
– IT Professionals
– Security Professionals
– Auditors
– Compliance
– Managers
– Non-IT Professionals

Value for Candidates
• Validate your competence gained through experience in cloud security
• Demonstrate your technical knowledge, skills, and abilities to effectively develop a holistic cloud security program relative to globally accepted standards
• Differentiate yourself from other candidates for desirable employment in the fast-growing cloud security market
• Gain access to valuable career resources, such as tools, networking and ideas exchange with peers

Value for Organizations
• Protect against threats with qualified professionals who have the expertise to competently design, build, and maintain a secure cloud business environment
• Increase your confidence that candidates are qualified and committed to cloud security
• Ensure practitioners use a universal language, circumventing ambiguity with industry-accepted cloud security terms and practices
• Increase organizations' credibility when working with constituents

Requirements and Domains
• CSA Guidance
• ENISA report "Cloud Computing: Benefits, Risks and Recommendations for Information Security"

CSA Guidance Domains
– Cloud Computing Architectural Framework
– Governance and Enterprise Risk Management
– Legal Issues
– Compliance and Audit Management
– Information Management and Data Security
– Interoperability and Portability
– Business Continuity and Disaster Recovery
– Data Center Operations
– Incident Response
– Application Security
– Encryption and Key Management
– IAM
– Virtualization
– Security as a Service

Exam
• 90 minutes
• 60 questions
• US$ 345
• Web based
• No expiration

CCSP (Certified Cloud Security Professional)

Development
• Job Task Analysis (JTA)
• Subject Matter Experts (SMEs)
• (ISC)², CSA, Industry
• Asia-Pacific, Europe, Middle East, Brazil, US

Candidates
• IT, IT Security, Compliance:
– Enterprise Architect
– Security Administrator
– Systems Engineer
– Security Architect
– Security Consultant
– Security Engineer
– Security Manager
– Systems Architect

Target Organizations
• Employers will be crucial to driving adoption of the credential among appropriate employees and job seekers.
• Cloud "thought leaders" (including those attempting to be leaders) who are trying to promote their position in the cloud market could be influential in driving demand for CCSP.
• Target employers include:
– Cloud Service Providers: they know the challenges and value competency
– Information Security Consultants
– IT Integrators and Consultants
– Software Companies
– Government agencies, grappling with migrations to cloud services, should value the competence reflected by CCSP

Value for Candidates
• Demonstrates not just cloud knowledge but competence gained through hands-on experience in addressing the unique information security demands intrinsic to cloud environments
• Affirms commitment to understanding and applying security best practices to cloud environments, today and in the future
• Enhances credibility and marketability for the most desirable cloud security opportunities; bolsters standing and provides a career differentiator
• As members of (ISC)², CCSPs gain access to valuable career resources, such as networking and ideas exchange with peers

Value for Organizations
• Secures and optimizes the organization's use of cloud computing with qualified professionals who have demonstrated cloud security competence
• Ensures the organization is applying the proper cloud security controls internally and with third parties by reinforcing risk and legal requirements through cloud contracts and SLAs with cloud service providers
• Backed by the two leading stewards of information and cloud security knowledge, (ISC)² and CSA, so organizations can be confident it reflects the most current required best practices and competency
• Increases organizational integrity in the eyes of clients and other stakeholders
• Ensures work teams stay current on evolving cloud technologies, threats and mitigation strategies by meeting the continuing professional education requirements

Requirements and Domains
• 5 years working experience
• 3 years must be in information security
• 1 year in one CBK domain
• CCSK can be substituted for 1 year of experience in a CBK domain
• CISSP can be substituted for the entire experience requirement

Domains
• Architectural Concepts & Design Requirements
• Cloud Data Security
• Cloud Platform and Infrastructure Security
• Cloud Application Security
• Operations
• Legal and Compliance

Exam
• 4 hours
• 125 questions
• US$ 549
• Pearson VUE testing centers

Maintain
• 3-year cycle
• Annual Maintenance Fee (AMF) US$ 100
• 90 CPEs (30 per year)
• Can utilize CSA to satisfy CPE requirements

Compare: Complementary

• CCSP: deeper, advanced, experience-based cloud security knowledge
• CCSK: broad, foundational, baseline knowledge

CCSP vs. Other (ISC)² and CSA Programs
• CCSP complements existing credentials
• (ISC)² and CSA: complementary portfolio
• CSA: "Incubator of cloud best practices"
• Provides relevant opportunities for CPEs

CCSP vs. CCSK
• Professionals with heavy involvement: CCSK and CCSP
• CCSK is an indicator of broad-based knowledge
• CCSP is intended for professionals more heavily involved

Questions? leo@it2sgroup.com