CCSK cert guide author's insights into cloud security credential
The author of a Certificate of Cloud Security Knowledge exam guide offers insights into certifications, top considerations for those pursuing the CCSK and more.
Cybersecurity jobs are in demand. A 2019 Burning Glass Technologies study found the number of cybersecurity job postings grew 94% over the past six years, compared to 30% for IT positions overall. However, the study also found that, though cybersecurity jobs account for 13% of all IT job listings, they often take 20% longer to fill.
One key challenge of filling a cybersecurity job posting is finding the employee with the proper skills. The Burning Glass study determined the skill with the highest projected demand is public cloud security, with a 170% five-year growth rate, followed by cloud security architecture (113%) and cloud security applications (87%).
To prove to employers that they have what it takes, applicants often turn to certifications.
"Certifications support having a baseline of knowledge," said Graham Thompson, CTO at Intrinsec Security. "There's a form of validation."
The Cloud Security Alliance (CSA) Certificate of Cloud Security Knowledge (CCSK) is one such industry credential aimed at helping potential employees prove their cloud security knowledge base, increase employment opportunities and demonstrate their technical skills in the cloud.
Geared toward infosec pros, consultants, managers and security architects, the CCSK certificate has no prerequisites. There are formal training courses available from the CSA, as well as self-learning books and study guides. Thompson wrote one such book, CCSK Certificate of Cloud Security Knowledge All-in-One Exam Guide.
"The book is written for somebody who wants to change themselves and get into the cloud security environment," Thompson said. "Some of the trainings out there are very expensive. To help people who aren't in a position to take time off or spend whatever amount of dollars for any type of training -- that's the reason I wrote the book."
Here, Thompson discusses the benefits of the CCSK certificate, provides an overview of containers and container security, and offers advice on the top overall cloud security issues he has experienced.
Editor's note: This transcript has been edited for length and clarity.
How does CCSK help IT professionals?
Graham Thompson: There's always a premium applied to new technology, such as the cloud. There are a lot of people that think, 'OK, it's a Windows box,' or 'It's a Linux box, so it's no big deal.' But it's much more than just running a server in somebody else's environments. How do you architect the whole thing? How do you build up your virtual infrastructure to be able to meet business requirements in a cost-friendly manner?
The CCSK is important because the demand right now is high -- and it's only going to get higher as more and more workloads get shifted to cloud environments. There's going to be requirements for professionals that can do that.
The CCSK has 14 domains. Are there some you see as more difficult for test-takers than others?
Thompson: People are usually either very comfortable with the governance, risk management and compliance side but not so much the technical, or they're very technical but they don't know much about GRC. If you're a technical person coming in, your weakness is probably going to be the GRC side -- why enterprises do things the way they do -- whereas, if you're coming from a risk management perspective, the new technology is going to be more overwhelming than what you're used to.
It's important to address the weaknesses you have because the CCSK covers a wide range of information that you need to know to pass the exam.
Speaking of, what are some of the biggest cloud security considerations test-takers and enterprises in general should be aware of?
Thompson: Logging is a big area. I've been in environments where companies that had implemented cloud security services didn't have the ability to see anything that was going on in their virtual environment. They could get their server logs, but that was it -- they didn't have any action as to who was logging in and who was failing to log in.
Then, there's access controls with public shares -- for example, with Amazon's S3 service. There have been many occasions where millions of client records have been leaked online because people missed the basics of access controls. With IaaS, providers are giving you the facility. How you build that up and how you secure that is on you. If you don't have professionals who know that and understand the platform itself, then you're looking for trouble.
We're excerpting a section of Chapter 8 on container security. Can you give a quick overview of containers?
Thompson: Containers are like software virtualization. With a virtualized environment, you have a lot of what I refer to as bloat of an OS. For example, do you really need MS Paint in order to run your app? Do you need 20 gigs worth of OS?
With containers, it makes it a much smaller package than having the OS, the application code and all the dependencies. It transforms all that into just the application and the required dependencies in order to run.
Containers are much simpler, smaller packages that help with portability. Rather than spinning up an OS and waiting for it to boot, you can quickly instantiate or start up a container, have it do its job and then shut it right back down.
What are some of the unique security concerns of containers?
Thompson: It's about identifying the system components. For example, if you have a Docker runtime or some kind of container engine, you have a repository that's involved, and you have Kubernetes, which does the orchestration and scheduling. Compromise of any component can wind up to bad things.
Look at Tesla -- its Kubernetes system was exposed to the outside world. Somebody found it and started deploying Bitcoin mining using its container system. This brings it back to your earlier question because the basics really do matter. If the Kubernetes system had appropriate access controls on it, it wouldn't have been able to have been used by somebody.
With containers, it's important to understand: What are the system components? What are the vendor best practices regarding those particular components? Are there any industry best practices? For example, the Center for Internet Security has benchmarks for both Docker and Kubernetes.
Being able to identify, from a security perspective, the various components of this new technology that you're looking at is critical. Then, look at how you properly secure it according to best practices, either from the vendor or industry-wide. It doesn't matter if it is containers, serverless or function as a service -- this is applicable for any new technology.
About the author
Graham Thompson is the founder and CTO of Intrinsec Security, a cloud security consulting and training organization that serves enterprises and governments across North America. He is a security professional with more than 25 years of experience in areas such as systems engineering, technical architecture, vulnerability assessment and a variety of management roles. He has built successful multimillion-dollar security solutions for leading enterprises and government agencies.
Since 2010, Thompson has dedicated himself to cloud security. He has architected and assessed cloud security solutions for government agencies and Fortune 500 financial, telecom and retail companies across North America. He is a CSA and (ISC)² authorized trainer of CCSK, Certified Information Systems Security Professional (CISSP) and Certified Cloud Security Professional (CCSP), a course he helped develop as a subject matter expert.
In addition to his CSA and (ISC)² certifications, Thompson has obtained multiple certifications, including Amazon, ISACA (Certified Information Systems Auditor), Microsoft (Microsoft Certified Solutions Expert), Cisco, Symantec, Fortinet, SANS and others. He attended McGill University in Montreal and has been an adjunct professor for multiple security courses at Algonquin College in Ottawa.