Cloud Computing Certification

I have recently obtained two certifications in cloud computing, the CloudU Certificate and the Certificate of Cloud Security Knowledge (CCSK) and thought I’d share my thoughts on each.

The CloudU (or Cloud University to give it its full title) is developed and curated by NZ’s own Ben Kepes and is provided by Rackspace (a leading Infrastructure as a Service (IaaS) provider). The certification is promoted as a vendor-neutral introductory programme designed for business owners and technical professionals who want to develop and strengthen their knowledge of the fundamentals of cloud computing.

The CloudU programme and exam are provided free of charge. The curriculum is broken down into 10 lessons that cover a range of cloud related subjects from the cloud computing stack, to security and the use of open standards. Each lesson consists of a downloadable whitepaper and a 60-minute webinar. Once you have completed reading and listening to the lesson material you can sit a test consisting of 10 multiple-choice questions and no time limit. You have to get 80% or higher to pass each test and once you have completed the 10 lessons and the test you can sit a 50 question multiple-choice exam (again there are no time constraints) which uses the same question pool as the lesson tests. Both the lesson tests and the final exam are easy to pass. However, candidates can re-sit the tests and exam as many times as they like to obtain a passing score.

CloudU covers the full range of cloud computing deployment (Public, Private, Community and Hybrid) and service models (Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS)). In doing so it uses the NIST definitions for cloud computing. These are widely accepted and provide a common language when talking about cloud computing. This is very important in my opinion as the term ‘cloud’ is used to cover a multitude of sins and some services do not actually meet the criteria defined by NIST.

As CloudU is only designed to be an introduction to cloud computing it doesn’t cover any subject in any real detail. The study material generally provides a pretty good primer for the given subject with the notable exceptions of Lesson 5 (security in the cloud) and Lesson 9 (the use of open standards to avoid vendor lock-in). Although the security lesson notes that both the cloud service provider and the customer have security responsibilities its main focus is on technological controls. In my opinion, this is a wasted opportunity as it would be more useful to give a high-level overview of the information security risks associated with the use of cloud services. Similarly, the lesson on open standards places a huge emphasis on the importance of open source software in the foundation and development of the Internet rather than discussing how and why selecting services that use open standards (for Application Programming Interfaces (APIs) and data formats) can reduce the likelihood of vendor lock-in.

Overall the CloudU certificate provides a decent basic introduction to cloud computing. Some of the material could clearly have been better written. Despite this I believe that the CloudU is useful for anyone looking to demonstrate that they have a rudimentary understanding of cloud computing concepts. In conclusion, gaining the CloudU will not make you a cloud computing expert. However, I think that it will certainly help business managers (or any non-technical person) decipher the jargon that surrounds the ‘cloud’.

The Certificate of Cloud Security Knowledge (CCSK) has been developed and is provided by the Cloud Security Alliance (CSA). The CSA is a not-for-profit organisation whose mission is to promote the use of best practices (I hate the use of the term ‘best practice’ – see my blog post) to provide security assurance within cloud computing. The CCSK certificate is vendor neutral and focuses on the information security risks associated with the use of cloud services.

The CCSK curriculum and exam are based on two documents, the CSA’s Security Guidance for Critical Areas of Focus in Cloud Computing V2.1 and ENISA’s Cloud Computing Risk Assessment. It is a little disappointing that the CCSK has not been updated to reflect version 3.0 of the CSA guidance. However, the CSA state that this is due to the fact that the material covered in the exam has not changed significantly between the two versions of the document.

70% of the questions are based on the CSA guidance, 20% of the questions are based on the ENISA report and 10% of the questions are applied knowledge that relate to the “best practices” in both documents. To pass the CCSK you have to get 80% or higher in a 50 question multiple-choice exam. Unlike the CloudU the exam is limited to 60 minutes. Although the CSA offers two CCSK courses they suggest that the best way to prepare for the exam is to read and understand the two documents that it is based on. I certainly agree with this assertion; the CCSK exam is straightforward providing you have read both documents and have a comprehensive understanding of the content.

The cost of sitting the CCSK exam is $295 USD. For this you get two attempts at obtaining a passing score. If you pass the exam on the first attempt the second attempt automatically expires. Additionally the CSA has indicated (in principle) that if it introduces a new version of the exam within 12 months of you passing the CCSK it will provide you with a free exam. As a result the price seems very reasonable to me.

The CCSK is broken down into 13 domains covering subjects from cloud computing models, and the data security lifecycle through to the security of virtual machines. Whether you plan on gaining the certification or not I strongly recommend reading both the CSA guidance and ENISA risk assessment documents. They provide useful information for anyone seeking to understand the security challenges of adopting cloud services.

I personally found the CCSK much more valuable than the CloudU (this is hardly surprising given that my area of interest is information security). The study material is really strong and provides a solid understanding of the risks associated with the adoption of cloud services together with some guidance on how they may be managed. It is a worthwhile certification for anyone who is responsible for helping their organisation or clients manage the security implications of moving to the cloud.

In conclusion, no certification will make you an expert on a given subject. However, what they do provide is evidence that you at least have a level of understanding of the subject. In my opinion both the CloudU and CCSK are valuable and although they are aimed at very different audiences they both achieve their stated objectives.