Hi all! I finally passed the CCSK (Certificate of Cloud Security Knowledge) after MONTHS of – very relaxed – studying! Some important things I learned:

– The CCSK has no hard deadline. You buy a token for the test and you can use it whenever you want. This is BAD for motivation! I recommend setting yourself a deadline of 2 to 3 weeks for the best motivation/performance.

– By using any cloud services, we hand our data to a third party. This sounds obvious but has deep implications. Some questions to be asked:

> Where is the data stored? Many providers scatter the data in several locations, subject to different laws.

> How is the data secured? How is it segregated from other customers’? If it’s encrypted, who encrypts it and who holds the keys?

> Who is responsible/accountable for each part of the stack? Usually the responsibility is shared for cloud services (and this is one of the major differences from on-premises). It is important to understand that even cloud providers rely on third-party providers. This is crucial and it’s where things get complicated!

> How can I monitor my data? Are logs being provided?

> Can I back up my data? If so, how and where? What happens if I have a problem or the provider has an issue? Who do I contact? Have a plan!

> Is the cloud provider reliable? Company history, third-party audits, reviews, etc.

> What happens if I need to move my data away from the provider? Avoid getting locked in with a provider (meaning you can’t move to a different one).

I know, this is just the tip of the iceberg! Fortunately there are documents from CSA that contain all the questions you need to ask yourself and your cloud provider (links below).

Download the CAIQ (Consensus Assessment Initiative Questionnaire):
https://cloudsecurityalliance.org/download/artifacts/consensus-assessments-initiative-questionnaire-v3-1/
Download the CAIQ + Cloud Controls Matrix:
https://cloudsecurityalliance.org/download/artifacts/cloud-controls-matrix-v4/