With all the news and information coming out of BlackHat 2010, DefCon 18, BSides Las Vegas and, not to forget, WikiLeaks these past days, the announcement of the first user certification for cloud security didn’t get much of the attention it probably deserved.
The Cloud Security Alliance, in cooperation with the European Network and Information Security Agency (ENISA), created the “Certificate of Cloud Security Knowledge” (CCSK) to “…ensure that a broad range of professionals with a responsibility related to cloud computing have a demonstrated awareness of the security threats and best practices for securing the cloud.” I think it was just a matter of time until a specialized certification would become available for cloud professionals, but I didn’t expect it to happen this soon, nor to come out of the CSA. The CSA is a great initiative and seems to have the clout and knowledge to initiate a trustworthy certification program, but at this point the Common Body of Knowledge, which is derived primarily from –
- Security Guidance for Critical Areas of Focus in Cloud Computing, V2.1
- ENISA Cloud Computing Risk Assessment
seems a bit light. That said, the FAQ already accounts for upcoming revisions of the certification, so I would expect an evolving CBK, similar to e.g. EC-Council’s CEH. I’m interested to see what the adoption rate in the first year will be, and whether established certification bodies like ISC2, EC-Council, Microsoft, etc. fully acknowledge it or start their own cloud certification.
In slightly related news – Microsoft Research released a paper titled “Cloudward Bound: Planning for Beneficial Migration of Enterprise Applications to the Cloud”. It takes a fairly scientific approach to hybrid cloud hosting for enterprise applications, where some components stay on-premise and others move to the cloud. From the abstract –
“In this paper, we tackle challenges in migrating enterprise services into hybrid cloud-based deployments, where enterprise operations are partly hosted on-premise and partly in the cloud. Such hybrid architectures enable enterprises to benefit from cloud-based architectures, while honoring application performance requirements, and privacy restrictions on what services may be migrated to the cloud.”