There's a big difference between securing data, applications and infrastructure in the cloud versus in an on-premises data center.
Traditional security measures still apply, such as firewalls and antimalware, but enterprise applications in the cloud that require stringent security and isolation are a different beast, said Daniel Carter, senior systems engineer at John Hopkins University. And, he added, businesses are still trying to understand best practices for deploying those apps in various cloud environments.
Having someone fluent in cloud security on your enterprise IT team can make securing cloud deployments much simpler. As such, many organizations are looking to hire employees who maintain cloud security certifications or are requiring existing employees to add certifications to their resume.
The Certified Cloud Security Professional, or CCSP, from (ISC)2 is one such certification. Here, Carter, who wrote CCSP Cloud Security Professional All-in-One Exam Guide, Second Edition, offers his insights into the certification, including some of the top cloud security risks and challenges CCSP certification holders should expect to see in their respective organizations.
Editor's note: This transcript has been edited for length and clarity.
Who is the ideal CCSP candidate?
Daniel Carter: The best candidates are more experienced IT architect and security types, including engineers. For people whose companies are moving into the cloud, it's important. It's also a good way to expand your marketability to employers. Since the cloud is so new, the CCSP gives employers a way to see that potential employees have gone through the rigor of the exam.
What areas on the CCSP exam do you find most challenging for test-takers?
Carter: There are two areas. Translating IT professionals' experience on premises into the way things are done in the cloud is difficult. A lot of stuff is similar, but the cloud has its own nuances that people have to adapt to.
Another area people struggle a lot with on the exam is policy and regulatory content. Most people who earn CCSP certification are experienced IT pros who don't have background in those areas, but these areas have become more important in cloud. In a regular data center, you're subjected to whatever jurisdiction where you're located. With a cloud, you could be anywhere -- on the east coast of the U.S. or spread all over the world. Policy and regulatory content become a lot more important in the cloud because there are so much more to consider when data resides almost anywhere.
We published an excerpt from Chapter 4 on cloud platform and infrastructure security. What are the benefits and risks of these?
Carter: With a cloud platform, you're typically going to get much lower cost of ownership -- you don't have your own data center, hardware or any kind of infrastructure to maintain or upgrade. With software, you don't have to worry about patching and upgrades or newer versions. You're pushing a lot of that lower-level busy work to the provider and can then focus on running your organization's commodity-type services.
The biggest challenge with going to the cloud is being in an environment that has so many other tenants and customers. Most people are used to coming out of a regular data center where you're the only one there -- you can rely on firewalls and perimeter security to wall yourself off. But when you're in a cloud environment, even with logical separations of networks, you're still in the same fabric as others. You've got to make sure your network and data are segregated and encrypted so you don't run into other customers or expose yourself to security risks.
Another challenge is having an understanding of what the cloud provider's responsibilities are versus your own -- if they're providing certain levels of securities or wrappers, what their built-in capabilities are, and then seeing how that meshes with what you need for your organization. With cloud, there are so many different kinds of support models -- whether you're contracting directly with the cloud and spinning up virtual machines yourself, or if you've got somebody in the middle who's providing that for you. It's important to know who's responsible for what and then have controls in place to ensure things are being done the way you want them to be.
How does multi-cloud affect this?
Carter: A lot of companies go all in with one vendor, but many others will opt to use multiple providers. For example, in disaster recovery scenarios you might want to have your active environment in AWS and a passive environment in [Microsoft] Azure. That way if AWS has issues, you can failover to Azure.
But the big challenge of having multiple providers is that the tool sets and features offered by one cloud may not be available in other environments. AWS and Azure have their own tool sets and security libraries that may not be available in the other. Organizations have to weigh the benefits of simplifying configurations, availability, tool sets, duplication of efforts and so forth.