CSA, (ISC)2 introduce new cloud security certification

The Cloud Security Alliance and the International Information Systems Security Certification Consortium introduced a new, jointly developed cloud security certification.

SAN FRANCISCO -- The long-awaited collaboration between the Cloud Security Alliance and the International Information Systems Security Certification Consortium on a new cloud security certification is finally a reality.

The two organizations introduced the new Certified Cloud Security Professional (CCSP) certification at RSA Conference 2015 on Monday. The CSA and (ISC)2, which first announced plans to collaborate on a new cloud security certification in 2013, said the CCSP was designed to represent advanced skills required for cloud security as well as implementation and management of cloud environments.

"It's essential to have qualified IT professionals who understand how cloud services need to be securely implemented and managed within their organizations," David Shearer, executive director of (ISC)2, said in a press statement. "We are pleased to collaborate with the distinguished Cloud Security Alliance to build this unique credential that combines the collective experience and research of both organizations and establishes a new benchmark for advanced cloud security knowledge and competence."

The organizations said the CCSP builds upon existing certifications and education programs, including (ISC)2's Certified Information Systems Security Professional (CISSP) and CSA's Certificate of Cloud Security Knowledge (CCSK). The organizations also said the CCSP aims to build a baseline international standard around cloud security and management.

Developing international standards can be a difficult process, according to Jim Reavis, co-founder and CEO of the Cloud Security Alliance. Government efforts usually get stalled, he said, because government agencies have different national security and law enforcement concerns that make it difficult to agree on baselines. As a result, industry organizations have to work across regions to find common ground.

Another concern for cloud security, according to the CSA and (ISC)2, is the dearth of proper skills. The (ISC)2's recent 2015 Global Information Security Workforce Study showed that 73% of nearly 14,000 respondents believe that cloud computing requires information security professionals to develop new skills.

The security skills gap was a topic of conversation at the CSA Summit 2015 at RSA Conference Monday. During his keynote Monday morning, Qualys CEO Philippe Courtot said the security industry needs to do more to encourage education and training for cloud security.

"I believe we need to make a very big effort in education," Courtot said. "[W]e have a huge shortage of talented security individuals."

The organizations said CCSP applicants must have a minimum of five years of experience in IT, three of which must be in information security and one year in cloud computing. All candidates must be able to demonstrate capabilities in each of the six CBK domains: architectural concepts and design requirements, cloud data security, cloud platform and infrastructure security, cloud application security, operations, and legal and compliance.

The CCSP exam will be available at PearsonVUE testing centers worldwide beginning July 21. Training seminars begin June 8, 2015 in the United States.

In addition to the CCSP launch, the CSA also released a new guidance report on the Internet of Things. Specifically, the report looks at IoT security issues and offers basic security controls to help early adopters properly protect and mitigate risks of IoT-connect devices and systems.

Some of the recommendations in the report, titled "New Security Guidance for Early Adopters of the IoT," include defining life-cycle controls for IoT devices, defining and implementing logging and auditing frameworks for IoT ecosystems, and analyzing privacy impacts from IoT deployments.

"Embedded systems and IoT security will be a big topic this year," Reavis said. "The move toward more connected devices and systems has big security implications, and we're interested to see more developments on IoT at RSA this week and throughout the year."


Next Steps

For more, read TechTarget's cloud computing security certification guide

Dig Deeper on Cloud Computing Frameworks and Standards