The Australian Signals Directorate (ASD) announced this week that the Cloud Security Certification Programme (CSCP) is being scrapped, and references to both the CSCP and Certified Cloud Provider List (CCPL) are being removed from the Information Security Manual (ISM) and other publications. So, what does this mean for government agencies, businesses and individuals who rely upon these artefacts?

 

When considering moving to the cloud, the onus has always been on the Cloud Customer (“Customer”) to ask the right questions and have their security and privacy requirements met in the contract with the Cloud Service Provider (“Provider”). The Cloud Security Alliance (CSA) referred to this in their previous artefact, The Treacherous Twelve, as Lack of Due Diligence. The corollary is that, if Customers do not ask, then they are consuming the default security and privacy offerings from the Provider. Unfortunately, many Customers race to consume cloud solutions and forget the contention between cheap, fast, secure – pick any two. Cloud is often chosen as a cheap and fast “quick fix”, with security often neglected.

 

So what now? Organisations will need to ensure that their information security professionals are trained up in understanding the most important points to consider when engaging a Provider. This will include jurisdictional issues, contracts, roles and responsibilities and ensuring service level agreements meet the needs of the Customer, not the Provider. According to a recent online Forbes article, Certified Cloud Security Professional (CCSP), a body of knowledge and certification offered through (ISC)2, is the fifth most sought-after certification. Cloud is also a topic in the four certifications ahead of it – CISSP, CISA, CISM and CRISC. The CCSP is a well thought-out body of knowledge that is relevant and meets the needs of today’s cloud customers and providers.

 

ALC has been at the forefront of cloud training across the Asia Pacific region, and our internal statistics show we have trained over 60% of information security professionals who hold the (ISC)2 Certified Cloud Security Professional (CCSP) in Australia and New Zealand. As the focus will increasingly shift to information security professionals within organisations to ask the right questions and demonstrate good governance, it is prudent to consider a solid basis and foundational level within many of ALC’s cloud, security and privacy training portfolio. Our CCSP trainers include the first person to be certified as a CCSP in Australia and the former lead cloud architect for a major service provider.