On the 6/2 Virtualization Security Podcast, Rich Mogull, an analyst for Securosis, joined us to discuss his work with the Cloud Security Alliance (CSA) to develop the two-day course called the Certificate of Cloud Security Knowledge (CCSK). While this course is not about learning all the intricacies of cloud security, it is about providing a level set of knowledge required to even begin to talk about cloud security. The course is designed as a day of lecture and a hands-on lab building a cloud using Amazon, with a future set of labs using OpenStack. The labs are there to deploy various security controls, such as encrypted EBS volumes, as a taste of what security controls are necessary for cloud security.
The key to cloud security is the belief that it is All About the Data.
Data security, whether it is in the cloud, a virtual environment, or the enterprise, is the key component of any security policy and is why security is an issue. Some implement controls using network security, while others implement integrity controls as well as confidentiality controls such as encryption. However, since not all controls are 100% perfect, Trust is part of this picture. The CCSK will cover the key concepts presented by the CSA’s Security Guidance for Critical Areas of Focus in Cloud Computing and the European Network and Information Security Agency’s (ENISA) Cloud Computing: Benefits, Risks and Recommendations for Information Security.
For those who want to explore cloud security, these two documents are must-reads and, if read before taking the CCSK, will help you to formulate questions and may aid in understanding the material presented.
There are other virtualization security classes available and they all have at least one day of level set, but none that I am aware of (if there are, please let me know) cover just the cloud and touch on the cloud's current issues such as jurisdiction. They instead focus on how to protect your environment from existing and future attacks. However, almost all cloud security discussions are currently architecture discussions and not necessarily about the details.
There will be other courses coming out that will cover the details, but first we all have to level-set, as the cloud changes quickly and is different depending on to whom you talk. This level-set is the first step on the path to cloud security discussions within your environment.