The CCSK certification is currently based on two documents: "Security Guidance For Critical Areas of Focus In Cloud Computing," version 2.1 published in December 2009, and the European Network and Information Security Agency's (ENISA) "Cloud Computing: Benefits, Risks and Recommendations for Information Security," also released late last year. Certification board member and IT security professional Craig Balding says it's about establishing a baseline of knowledge on cloud security issues.
"As with any skill area, there needs to be a way to differentiate those that know what they are talking about," he said. Balding and the CSA say that there is enough traction in cloud computing to have made significant strides in how IT professionals should understand risk if they are going to use cloud services.
Balding said that the CSA doesn't want the certification to stand in for technical expertise or experience using cloud services, but that the CCSK will be a foundation for future training and programs the CSA might offer. He said the test will attempt to go further than memorization and recital. "Rather, candidates will be presented with challenging questions and scenarios to prove they can apply the guidance," he said.
CSA's certification not just for show
Others say it's not so much about the certification as it is a way for the CSA to validate its accomplishments in a meaningful way.
George Reese, founder of cloud management software company enStratus, said it marks community consensus around the issues of cloud security. "Until this point, it's been lots of talk, lots of meetings, and now there is something concrete," he said.
Reese said the fact that the CSA, whose founders and board of directors include executives from eBay, ING, Barclays, RSA and many others, will stand behind its publications and offer official certification on its contents says that there is a broad consensus on the issues around cloud security.
"The guidance is an encapsulation of the common wisdom out there on the cloud," he said.
Reese said the gist of cloud security is not a technical challenge but understanding the shifts in organizational responsibilities when an IT shop chooses a cloud provider instead of building another data center, and the CSA guidelines lay those ideas out in a useful and organized way. He is under no illusions as to the practical impact of IT certifications; they don't say much about any individual's basic competence.
"Certifications don't really matter [practically speaking]," he said. Their true value lies in setting a baseline for the conversation around cloud security, and having that baseline come from a trusted authority, which is what the CSA hopes to be. "If [the CCSK] can remove even one layer of confusion around cloud security, that's a good thing," Reese said.
Carl Brooks is the Technology Writer at SearchCloudComputing.com. Contact him at email@example.com.