A few weeks ago I ran my first CCSP training session (I did more than 40 CCSK sessions before this). As of this writing, the attendants still have to do the exam. Apparently the exam slots are booked a few weeks in advance.
This was an in-company training with a pretty advanced group: info security consultants and a few of their clients, all of whom had experience in being a cloud consumer as well as having been involved on the cloud provider side. Half the group had already done CCSK.
The good news on cloud security is: it is interesting, dynamic, relevant and worthwhile stuff.
The bad news is: it is more complicated than you think.
The CCSP body of knowledge is significantly more elaborate than the CCSK one. And while the book is pretty reasonable, it does have its limitations.
We mused quite a bit about the adoption of cloud computing. Like any disruptive innovation, cloud computing is going to take 10-15 years to grow from zero to saturation. According to my guess, we are in year 3 or 4 of enterprise adoption, with 2021 or so as the target date for near complete adoption.
What we saw in the discussions was a lot of talk on ‘oldskool’ thinking versus ‘newskool’ thinking. Cloud brings a new thinking model, and in cloud security we see the biggest failures when oldskool controls are applied to newskool architectures.
Examples: location no longer implies control, and the uptime of a server no longer implies the uptime of the application.
It was really interesting to tear apart these assumptions and see which will carry over to the new world. The dangers of mixing these modes of thinking can go many ways: you either protect too much, the wrong way, or not at all.
The consequence of this is that in our training we really want to pay attention to the hidden assumptions of these two schools of thinking.
The CCSP body of knowledge itself is a product of its times: it is a peculiar mix of oldskool and newskool thinking, and mostly not very explicit about that. It also does not elaborate much on how ‘newskool’ thinking should be applied to create business benefits while avoiding the new risks.
But we should not confuse the messenger for the news. The text is just the messenger, cloud is the real news.
I am looking forward to the next CCSP training session. What about letting me be your guide for one in your company? Drop me a line.