What Do You Want to See in the First Cloud Security Alliance Training Course?

By Rich

It leaked a bit over Twitter, but we are pretty excited that we hooked up with the Cloud Security Alliance to develop their first training courses. Better yet, we’re allowed to talk about it and solicit your input.

We are currently building two courses for the CSA to support their Cloud Computing Security Knowledge (CCSK) certification (both of which will be licensed out to training organizations). The first is a one-day CCSK Enhanced class, which we will be delivering the Sunday before RSA. This includes the basics of cloud computing security, aligned with the CSA Guidance and ENISA Risk documents, plus some hands-on practice and material beyond the basics.

The second class is the CCSK Review, which will be a 3-hour course optimized for online delivery and to prep you for the CCSK exam.

We don’t want to merely teach to the book, so we are structuring the course to cover all the material in a way that makes more sense for training. Here is our current module outline with the person responsible and their Twitter handle in case you want to send them ideas:

  1. Introduction and Cloud Architectures. (Domain 1; Mike Rothman; @securityincite)
  2. Creating and securing a public cloud instance. (Domains 7 & 8; David Mortman; @mortman)
  3. Securing public cloud data. (Domains 5 & 11; Adrian Lane; @adrianlane)
  4. Securing cloud users and applications. (Domains 10 & 12; Gunnar Peterson; @oneraindrop)
  5. Managing cloud computing security and risk. (Domains 6 & 9 and parts of 2, 3, & 4; James Arlen; @myrcurial)
  6. Creating and securing a private cloud. (Domain 13; Dave Lewis; @gattaca)

The entire class is being built around a fictional case study to provide context and structure, especially for the hands-on portions. We are looking at:

  1. Set up instances on AWS and/or RackSpace with a basic CMS stack (probably on EC2 free, with Joomla).
  2. Set basic instance security.
  3. Encrypt cloud data (possibly the free demo of the Trend EBS encryption service).
  4. Something with federation/OAuth.
  5. Risk/threat modeling exercise.
  6. Set up a private cloud (vCloud or Eucalyptus).

Keep in mind this is a one-day class so these will be very scripted and quick – there’s only so much we can cover.

I will start pushing out some of the module outlines in our Complete feed (our Highlights RSS feed still has everything due to a platform bug – you only need to know that if you visit the site). We can’t put everything out there since this is a commercial class, but here’s your chance to influence the training.

Also remember that we are deep into the project already with a very tight deadline to deliver the pilot class at RSA.

Thanks

Comments

@Andre Gironda

A bunch of what you’re asking for falls under the materials that I’m covering and I’ll do my best to ensure that we cover what you’re asking for in sufficient detail - keeping in mind that it’s a one day course and there is a LOT of material to cover at a high level.

Thanks for your input, it’s valuable!

By James Arlen


HR/Legal issues such as forensics/e-discovery, data retention, rotation/separation of duties, data and system administrator views/control, employee/contractor termination, rotation/control of primary/admin-level authn/keys/passwords, etc.

By Andre Gironda
