23 Tips to Pass CCSK (Certificate of Cloud Security Knowledge) from CSA at the first attempt

At the beginning of April 2020, I successfully passed the CCSK certification (Certificate of Cloud Security Knowledge). Now, I give you some tips and tricks below so that you can also pass the exam on the first try.

What is CCSK certification ?

The CCSK is a “vendor neutral” certification on Cloud security. It is considered to be the “state of the art” in Cloud security. It was created in 2010 by the CSA (Cloud Security Alliance) an organization that pilots the STAR (Security, Trust & Assurance Registry) program whose objective is to provide and maintain a high standard to enable independent auditing bodies to deliver certification levels to the different Clouds on the market.

The CSA regularly publishes reference documents to promote best practices in Cloud security. The CSA also leads and organizes several working groups and research projects in which member companies can participate to advance the field of Cloud security.

How do I register for the CCSK exam ?

The CCSK is a distance exam (not in an exam centre), online on the web and “open book” (study material available). Unlike most other certifications, the CCSK, in its past version (currently v4), is valid for life. It is not necessary to prove any experience to take the exam. There is also no annual payment or CPE (Continuous Professional Education) to maintain certification.

The cost of the exam is $395 USD and allows for two attempts. If you pass the first attempt, you will be able to use the second attempt when a new version of the CCSK is released. An exam token is valid for two years from the date of purchase.

To register for the exam, go to https://ccsk.cloudsecurityalliance.org/en

What is the content of the CCSK ?

The current CCSK v4 version exists since December 1, 2017. It underwent an important update compared to the previous version v3 including the latest technologies of the Cloud (micro-service, serverless, container, SDN, Big Data, IOT, etc …).

The exam is composed of 60 questions to be completed in 90 minutes. Questions are of type A/B/C/D/E or True/False. Once the exam is launched, it is not possible to pause it. The minimum score to pass the exam and obtain certification is 80%. The pass rate for the exam is 62%.

You get your result immediately at the end of the exam with your overall score and by domain to identify your areas for improvement. If you pass the exam, you can even download your certificate. However, answers to questions are not provided in order to preserve the integrity of the exam. There is an exam preparation kit and FAQs available for download from the CSA website : https://ccsk.cloudsecurityalliance.org/en/faq

What is the CCSK study material?

The CCSK exam tests the candidate on the content of 3 documents that can be downloaded free of charge from the CSA website : https://cloudsecurityalliance.org/education/ccsk/#_prepare

Together, these 3 documents represent the CBK (Common Body of Knowledge) of the CCSK exam. They are:

1. CSA Security Guidance for Critical Areas of Focus in Cloud Computing v4
2. CSA Cloud Controls Matrix (CCM)
3. ENISA (European Network and Information Security Agency) Whitepaper Cloud Computing: Benefits, Risks and Recommendations for Information Security

The 14 areas of the CSA Security Guidance are as follows:

Domaine 01 : Cloud Computing Concepts and Architectures
Domaine 02 : Governance and Enterprise Risk Management
Domaine 03 : Legal Issues, Contracts and Electronic Discovery
Domaine 04 : Compliance and Audit Management
Domaine 05 : Information Governance
Domaine 06 : Management Plane and Business Continuity
Domaine 07 : Infrastructure Security
Domaine 08 : Virtualization and Containers
Domaine 09 : Incident Response
Domaine 10 : Application Security
Domaine 11 : Data Security and Encryption
Domaine 12 : Identity, Entitlement, and Access Management
Domaine 13 : Security as a Service
Domaine 14 : Related Technologies

The important concepts of the ENISA document are as follows:

- Information Security
- Isolation failure
- Economic Denial of Service
- Licensing Risks
- VM hopping
- Five key legal issues common across all scenarios
- Top security risks in ENISA research
- OVF
- Underlying vulnerability in Loss of Governance
- User provisioning vulnerability
- Risk concerns of a cloud provider being acquired
- Security benefits of cloud
- Risks R.1 – R.35 and underlying vulnerabilities
- Data controller versus data processor definitions
- In IaaS, who is responsible for guest systems monitoring

The important elements of the CSA CCM (Cloud Controls Matrix) to be aware of are the following:

- CCM Domains
- CCM Controls
- Architectural Relevance
- Delivery Model Applicability
- Scope Applicability
- Mapped Standards and Frameworks

By far the most important document is the CSA Security Guidance. It alone accounts for 87% of the questions in the exam. The CSA CCM represents 7% and the ENISA report 6%.

The exact distribution of the number of questions per domain is as follows:

My preparation for the CCSK

My study material

In addition to the official study material, I also used two other documents that helped me a lot:

• « CSA Guidance Summary in 6O minutes » : This is a very good 25-page summary of the CSA Security Guidance v4. I printed it for review and had it in PDF during the exam.

• « CCSK All-in-One Exam Guide » from Graham Thompson : It is an excellent review guide that I highly recommend and which Peter van Eijk with whom I had the honour of discussing. Peter is also an official trainer for the CSA CCSK and I believe he is involved in the drafting committee for the questions. The book reviews with very good explanations the 14 areas of the CBK but also the ENISA and CCM document. At the end of each chapter, there is a “Chapter Review” which includes the essentials for the review. The book also includes 150 test questions which are very similar to those of the exam in terms of wording and difficulty. And finally, at the end of the book, there is a code to access an online simulator on the TotalSem site which contains 200 additional questions. (link to the book on Amazon)

• I’d also like to mention Verisafe’s CCSK e-learning course with Boris Motylewski. I’ve had very good feedback on Boris’s training courses, and he’s very committed to helping you pass your certifications (CISSP, CCSK and soon CCSP). Two videos explain what CCSK is, the benefits of CCSK and how to become CCSK in 30 days. The example slides demonstrate the quality of the course material. They helped me understand the 35 risks identified by ENISA, the 11 major risks, the 23 assets potentially impacted (including those most at risk) and the top 7 vulnerabilities.

My study Plan

My passage of the CCSK certification was done under rather special conditions. Indeed, initially, I had to pass the CCSP (Certified Cloud Security Professional) certification. I had been revising the material for two and a half months when I learned that my exam in early April was postponed due to the Covid-19 pandemic that was circulating in France. In order to make the most of my study and the acquired knowledge, I decided around mid-March to try the CCSK exam which is done online and at home. The lock down period was convenient for the revisions: 1 hour in the morning before starting to telework (replacing travel time), 1 hour during the lunch break and 2 to 3 hours in the late afternoon, after the telework day and in the evening.

In two and a half weeks, I managed to read all the official study material plus additional study material. I tried more than 700 test questions (those in the book but also others on Udemy or found on the internet). I made about 100 Flashcards. I have viewed some videos on Youtube. I mostly took a lot of personal notes. As far as I’m concerned, it’s essential because it allows me to make last minute revisions but it also allows me to better remember everything I learn.

23 Tips to Pass CCSK at the First attempt

Link to the sheet (PDF).

• #01 : Read all the material
• #02 : Watch some training videos and read (e)books to better understand concepts
• #03 : Read the « CSA Guidance Summary in 60 mn »
• #04 : Write your personal notes (it’s better to memorize)
• #05 : Understand well how cloud impact processes
• #06 : Understand benefits but also concerns of the cloud for each domain
• #07 : Practice test questions to test your understanding and to train to use the material
• #08 : Create a study plan and follow it
• #09 : Read the question twice, read the answers and read again the question
• #10 : Be careful about specific technology answers: They are oftenthe wrong answer
• #11 : Identify answers that are not cloud specific : They are often the wrong answer
• #12 : Eliminate answers that are not related to the question
• #13 : Always answer from a business perspective (Business drives Security)
• #14 : Be careful with negative questions with NOT
• #15 : Be careful with questions with words like “the MOST”, “the LEAST”, “IS”, “ARE”
• #16 : If you don’t know the right answer, try to eliminate the bad anwers
• #17 : Identify key words in the question to search within the material
• #18 : Use and practice « Advanced Search » function in your PDF reader to search key phrases throughout all the material
• #19 : Know the structure of the material to find quickly the relavant domain to each question
• #20 : It’s more comfortable to use two screens during the exam
• #21 : Use Google Translate (or other) to translate difficult words in your native language
• #22 : Test and rehearse your method and logistics for the exam
• #23 : If you failed, don’t use your 2^nd attempt in the same day or same week

What is the difference between CCSK and CCSP certifications

CCSP is the “Certified Cloud Security Professional”. It is a certification that was created in 2015 jointly by CSA, the organization that created CCSK and (ISC)², the organization that created the very famous and sought-after CISSP certification.

CCSP certification covers the following 6 areas:

- Domain 1 : Cloud Concepts, Architecture and Design
- Domain 2 : Cloud Data Security
- Domain 3 : Cloud Platform and Infrastructure Security
- Domain 4 : Cloud Application Security
- Domain 5 : Cloud Security Operations  
- Domain 6 : Legal, Risk and Compliance

If we were to do a mathematical operation, it would be this:

CCSP = CCSK + Expanded Governance Items + Traditional Security + Privacy – DevOps

Find below the articles to read to understand the difference between the 2 certifications:

• Comparing the CCSP and CCSK Cloud Security Credentials
• CCSK vs CCSP: An Unbiased Comparison
• CCSK vs CCSP – An Impartial Comparison
• The CCSP is a BEAST that you must defeat to get your org into the clouds
• CCSP vs CCSK Cloud Security Certifications

Conclusion

Good luck and good studies to all. Keep in mind the following quote:

“In a journey it’s not the destination that counts but always the road travelled”

It is not the certification itself that is important but the knowledge you will acquire that will make you more competent. Certification is the icing on the cake or proof of the pudding.