education Archives - Club Cloud Computing

Just did the CCSP exam

(update: I passed!)

Yesterday I took the CCSP exam. Certified Cloud Security Professional is the new certification launched by ISC2, and is supposed to be complementary to CCSK. I must have been one of the first, as it only opened last Tuesday. I think I did pretty well, but my results won’t be available for the next couple of weeks. This appears to be the normal situation with a new exam.


My overall impression is that the exam covers the field of cloud computing and cloud security pretty broadly with significant detail. Nevertheless, CCSP gives little attention to cloud applications such as Big Data and DevOps. The questions are clear, by and large, and mostly relevant to cloud computing. I have seen other so-called cloud exams that are more like classical technical IT security exams.

Having said that, the CCSP exam still requires significant understanding of IT infrastructure and IT security.

I know how hard it is to make good questions, as I do that for the CCSK trainings I deliver, and this set of questions is pretty decent. Of course, there are some questions that have weird language, and I filed an incident report against them.

At 125 questions this is a significant exam. I took more than an hour to answer them all, and took the rest of two hours reviewing my answers. You have 4 hours in total.

I still think CCSK is a good basis for working your way to CCSP, as CCSP is more extensive in coverage. It is also a more formal exam that you have to take in a controlled testing center. In contrast, CCSK is an open-book on-line exam. This does not make it easier though, as is witnessed by the fact that it is failed regularly by students.


CCSP has 6 domains that cover cloud computing and its risks. Unsurprisingly, the first domain is about cloud architectural concepts and their impact on risk. Second is about data security, arguably the pivotal dimension in cloud computing. The third domain elaborates on the cloud infrastructure stack, which covers business continuity as well. The fourth domain covers application security and identity management, while the fifth domain is about operations in a cloud world. Finally, the last domain is about legal and compliance.

By design, CCSP is a 5-day course, but I currently think that this is very dependent on the background of the attendants. I am not sure if this format is a good way to study for CCSP. In any case students need to do a lot of reading.

Post Scriptum. I now also deliver CCSP courses that train you for the exam. Here is what one of my clients wrote:

Tony Richards, CTO, Securestorm, London UK:

“The training was well paced and covered all the topics. Peter is a knowledgeable and interesting trainer who used his extensive experience with excellent effect. He guided us into very productive group discussions so that we could link what we learned to our work experiences.

As a result our entire team has been able to pass the CCSP exam.”

Go to this page for a one-page overview of the differences between CCSK and CCSP.

New cloud security certification CCSP to complement CCSK

Cloud security certification is getting a new dimension.

(Update: I wrote a brief comparison of CCSP versus CCSK).

In 2015 the Cloud Security Alliance and (ISC)2 announced a new cloud security certification: Certified Cloud Security Professional or CCSP for short.

Read the official announcement here and here.

CCSP is supposed to be a more extensive certification than CCSK with a more formal exam and a requirement for 5 years in IT; at least three of which must have been spent in security, and at least one year in cloud computing.

While (ISC)2 (who also run CISSP; arguably the most relevant IT security certification) coming to the game underlines the relevance and maturity of cloud security, there will be some questions left for people who either have or are pursuing CCSK certification.

The important question is: what is the relevance now of CCSK?

Rest assured that this has my interest as well, as CCSK training is a significant part of my business. That is why I contacted Jim Reavis directly, whom I have met a number of times personally. His answers are reflected in the FAQ that you can find on the (ISC)2 website on CCSP.

Here is a quote from that FAQ:

“The typical cloud security professional will likely achieve the CCSK first, and then the CCSP credential. Attainment of the CCSK also can be substituted for the one year of cloud security experience”

Other text in that FAQ document suggests that CCSK can be seen as somewhat of a broad base, on top of which CCSP is built as a deeper and more focused certification.

So if you are currently thinking of getting CCSK, should this be a moment to reconsider? It does make sense to evaluate your options. If you spend time on a certification, you might as well spend it wisely.

Getting to CCSP is a path with a lot of unknowns at this time. So here is one thing to consider: participants in my CCSK training report that it helps them in their day jobs now, even more so if they take it as a team. CCSP will take a few months to iron out. Try to book CCSP training now, and you will see what I mean.

On the other hand, if you are already very knowledgeable and experienced in cloud and cloud security, CCSK may not add much to your current business value other than public recognition.

In any case, should you want to know more about the value of CCSK, I suggest you judge for yourself. One approach is to join my free course: “Understand the CCSK cloud security certification”.

To get a fact-by-fact comparison between CCSK and CCSP, visit this page and sign up at the bottom.

Finally, if you want to know more about my training options, visit the calendar.

Why I go to Manila for Cloud Security

Next week (25/26 November 2013) I will deliver Cloud Security (CCSK) training near Manila, Philippines. If you are interested in attending, drop me a line, we may have a good seat for you.

It is with very mixed feelings that I will travel to Manila. Is delivering CCSK training relevant in a country that has been hit by what is probably the largest typhoon in history, where thousands have died and millions are suffering? Is this the best use of time for me and my attendants? I have asked myself these questions and I have come to the conclusion that it is. My best contribution is to keep doing my job, which is helping people apply cloud computing in the best possible way.

The 2011 earthquake that hit Japan had a peculiar effect on the perception of cloud computing. My friends over there tell me that the earthquake woke people up to the notion that cloud computing can be more resilient to natural disasters than traditional data-centers. This is quite a dramatic shift in attitude for a country where corporate IT was generally approached in a conservative way. Now they have accelerated their adoption of cloud computing.

Last year I visited Bangladesh twice to deliver cloud training. I had a similar question there. Does it make sense to develop advanced technology in a country that is among the poorest in the world, with beggars everywhere? My contacts in Bangladesh think it does, and are convinced that it advances their development out of poverty.

If we believe that IT can better coordinate people in their personal and professional lives, it makes sense to work on IT delivery models that are more accessible and resilient. Cloud computing is such a model.

So, when we start next Monday in Makati, I will take time with my attendants to think of the current situation and its effect on their personal lives and families. Then we can discuss how cloud computing can help them better prepare for the next emergency.

I know a lot of people’s hearts and minds are with the victims, and are looking for a way to demonstrate that. If you have a message, you can send it to me, and I will personally relay it to the people that I meet there.


Why I focus on cloud providers and brokers

About two years ago I decided to focus on cloud computing training. Having developed the content for CompTIA Cloud Essentials, it only seemed natural to deliver the training too. It also allowed me to address a bigger audience with a more focused offering. Though I liked being a consultant on digital infrastructures a lot, it was frustrating to see how little impact I actually was having.

These two years have been quite rewarding in a number of ways. I have travelled the world to deliver training, meeting lots of interesting people, and it also felt good to be able to focus on a specific body of knowledge and the best way to deliver it. At the same time, my portfolio is deepening into cloud security, risk management, governance and compliance.

However, right now I have come to a point where I need more focus still. Cloud computing has become such a big field, and is expanding so rapidly, that it is encompassing all IT as we know it. This is not bad. Similar disruption has been caused by the PC and the Internet.

To illustrate this point we can take a high level view of where servers are being deployed. Last year Intel reported that three big server manufacturers no longer account for 75% of their turnover in server processors (Intel confirms decline of server giants). The new kids on the block are the cloud providers. Google in itself is the 5th largest server manufacturer in the world, and they don’t sell servers. They use them exclusively for their own cloud business. Similar activity is in the rest of the top 10.

This only goes to show that IT spend is shifting from buying boxes to renting them. This will have a profound impact on the industry. Servers until recently were deployed at client sites. They will largely move to cloud provider data centers. Cloud providers however are a diverse lot. Though Amazon, Google and Microsoft run millions of servers in their public clouds, there is a big market for midsize private cloud providers, running thousands of servers each. Next to that we see cloud resellers or cloud brokers appear who don’t necessarily own infrastructure, though they might own a lot of software assets. Included in that category are the incarnations of software publishers, who are shifting from selling software licenses to software services. Think, but also Microsoft and a ton of smaller software providers. The smaller ones will find it more economical and reliable to run on infrastructure provided by specialist cloud providers.

My strengths are not in helping small companies with their business IT. These people should not manage technology; they should manage business data and processes. They need help in setting up their financial systems, CRM and similar business functions. That is best done with industry specific expertise.

My strength, I think, is in helping people make better use of the opportunities and risks associated with information technology, improving their service and bottom line. The biggest changes in that area are experienced by cloud providers, who are leading these changes, and IT departments, upon whom change will be forced. The successful IT department will start to act as a cloud broker, integrating and managing services provisioned from multiple external cloud providers. In a sense they will act as an internal cloud provider to the company. So there you have it: my focus is on cloud providers, including professional cloud consumers.

5 organizations that got value from using cloud computing

Just to let you know that I created a brief note about 5 organisations that got value from using cloud computing.

It is brief, but explains the main business reason and how they did it.

Examples include profit and nonprofit businesses, public cloud and private cloud.

You can get immediate access to it by filling in your e-mail address in the box on the right.