Two prominent industry groups have announced plans to collaborate on a new professional certification program targeting cloud computing information security, though it's unclear how it may avoid overlap with existing industry certifications.
The International Information Systems Security Certification Consortium (ISC)2 and the Cloud Security Alliance (CSA) said this week that the professional certification program, which has yet to be named, will address enterprise security through global standards and best practices for designing and managing cloud computing systems.
The partners said rapid global adoption of cloud computing among businesses has created a requirement for what they deemed a "body of knowledge that encompasses the evolving technology and risk landscape, and that validates the skills of the professionals tasked with protecting those businesses."
The need for information security training has grown sharply as businesses shift more data to the cloud and users increasingly access public cloud services via mobile devices. A recent (ISC)2 study found that 61% of respondents worked at companies offering public cloud services.
John Howie, CSA's chief operating officer, described the collaboration with (ISC)2 as "a coming together of minds" on the growing importance of cloud security. Howie said (ISC)2 will leverage the CSA's intellectual property as the partners co-develop a rigorous certification program for cloud security that leverages the strengths of both organizations.
The growing need for a cloud certification program stems in part from what Howie called the "consumerization of [corporate] IT" via the cloud. The trend has resulted in employees accessing corporate networks via the cloud on a range of personal mobile devices. That means corporate data can sometimes end up on personal phones, tablets and other devices.
Hence, Howie explained, certification programs for cloud security must begin to take this trend into account, and training programs should, and will, seek to implement techniques like "smart mobile device management," which Howie described as a way to support the growing consumerization of IT.
As cloud computing continues to grow, experts are concerned that enterprises lack a full understanding of the associated security risks.
The information security industry, however, is already awash with various certifications. (ISC)2, considered the largest non-profit organization for information security professionals, administers the Certified Information Systems Security Professional (CISSP) program, and numerous other related certifications. Meanwhile, for the past year the CSA has been vigorously promoting its Certificate of Cloud Security Knowledge (CCSK), an exam-based certification for cloud security practitioners seeking to validate their competency in key cloud security issues. The CSA announced version 3.0 of the CCSK in February.
The CSA stressed that its alliance with (ISC)2 will have little impact on its own CCSK effort. "That program is not going away," Howie said. "If anything, we will build on its success."
The partners said the first examinations for the professional certificate, along with new credentials, would be available during the first half of 2014.
Dave Shackleford, founder and principal consultant at Atlanta-based Voodoo Security, senior instructor with the SANS Institute and co-chair of the CSA's Top Threats to the Cloud Working Group, said he takes the alliance with a "grain of salt" because (ISC)2's business model hinges on creating certifications that generate ongoing revenue. Still, he expressed confidence that the alliance would move cloud security to a higher, architectural level.
"Half of cloud computing is an outsourcing discussion," Shackleford said. "The biggest challenges for enterprises are around adapting existing audit, risk analysis and security controls definitions for multi-tenant outsourced environments, and there's certainly a wide variety of education areas that relate to this.
"I think CSA has a great framework with their cloud security guidance, both in the 14 areas and some of the controls lists like the [Cloud Control Matrix]," Shackleford added. "This seems like a good strategy for them, and creating a certification may make sense."
Ed Tittel, a network security specialist and authority in IT industry certifications, expressed confidence that the organizations would work toward "a more senior, architect-level cloud security certification."
"This could be good news for the many businesses and organizations that find themselves compelled to invest and jump into cloud-based applications and services to remain competitive," Tittel added, "despite their well-founded reservations about the security, privacy and confidentiality of these very tools."