More and more enterprise organizations are planning and deploying into cloud platforms. This trend is occurring despite organizations' historical push-back on cloud services, claiming that they are less secure than private on-premises data centers. Even though there is evidence to suggest that cloud application attacks are on the rise, there are best-practice methods to secure cloud services. On one hand, internal data center services may be tucked nice and neat behind the corporate perimeter firewall, yet there is evidence that many enterprises do not secure their systems adequately. On the other hand, even though a cloud server may be out of sight and virtualized in a hyperscale multi-tenant data center, patching and solid discipline can make it secure. Now that enterprises have a clearer understanding of cloud services and how to secure them, there are commonly accepted methods to help make clouds more secure. The appearance of cloud security training and certifications is helping organizations securely consume cloud services.
Cloud Security Alliance
The Cloud Security Alliance (CSA) was formed in late 2008, but now has over 48,000 members. The Cloud Security Alliance aims to educate and promote the use of best practices for providing security assurance within cloud computing. The CSA’s official mission is to “promote the use of best practices for providing security assurance within cloud computing, and to provide education on the uses of cloud computing to help secure all other forms of computing”.
The CSA created the “Security Guidance for Critical Areas of Focus in Cloud Computing” document, and the current version is 3.0. This document helps organizations understand the domains they need to focus on to securely adopt cloud services. The CSA also created the Cloud Controls Matrix (CCM). This complementary spreadsheet lists the important standards, regulations and control frameworks and maps them to the CSA’s security domains.
The CSA created the Certificate of Cloud Security Knowledge (CCSK). This vendor-independent certification validates that a security practitioner has a solid understanding of cloud security concepts and the CSA’s cloud security domains. The required reading for this certification includes:
- CSA guidance version 3.0, Security Guidance for Critical Areas of Focus in Cloud Computing
- European Network and Information Security Agency (ENISA) whitepaper “Cloud Computing: Benefits, Risks and Recommendations for Information Security”
- U.S. NIST documents (SP 800-144, SP 800-145, SP 800-146, SP 500-292, SP 500-293, SP 500-299)
- the CCSK certification FAQ
- the CCSK Prep Guide (CCSK-Prep-Guide-V3.pdf)