CCSK Success Story: From an IT and Cloud Security Manager

This is part of a blog series interviewing cybersecurity professionals who have earned their Certificate of Cloud Security Knowledge (CCSK). In these blogs we invite individuals to share some of the challenges they face in managing security for cloud computing and how they were able to leverage knowledge from the CCSK in their current roles. In this blog, we'll be interviewing Niranjan Ganesan, Senior IT and Cloud Security Manager at Plivo Inc.

1. Can you tell us a bit about yourself?

I have a background in Cloud Security, IT Infrastructure Management, Cybersecurity Management, Security Governance, Audit and Compliance, and Enterprise Architecture. My career continues to allow me to help businesses achieve their desired results while also feeling fulfilled myself.

Having worked in the field for over 17 years, I have gained significant knowledge of Regulation and Compliance including PCI-DSS, HIPAA, SOC2, Privacy Shield, GDPR, and ISO. This experience has enabled me to successfully establish and implement several large information security programs.

2. Can you tell us about what your job involves?

I am in charge of security and compliance for the organization, which includes securing our network, servers, and applications from internal and external threats. Additionally, I provide security recommendations during the early stages of design and development. Finally, I work to build a culture within our organization that embraces security protocols.

3. Can you share with us some complexities in managing cloud computing projects?

Cloud technologies enable organizations to be more agile and responsive to change. However, they also introduce new risks that need to be managed. With the advent of cloud service providers (CSPs), models such as IaaS, PaaS, and SaaS have become increasingly popular and brought about a new set of challenges for information security. For example, data breaches have become more common since sensitive data is often stored in the cloud.

Although cloud infrastructure can be complex to manage, the technology itself is not necessarily the primary cause of this difficulty. Instead, it is often due to factors such as governance, risk, and compliance. To overcome these challenges, it is important to have a comprehensive understanding of each service so that security and compliance issues can be managed more effectively.

Before you choose a CSP for your business, make sure to ask the following critical questions about the CSP you are considering:

• What is the CSP’s security strategy?
• How will the CSP help you meet your compliance obligations?
• What is the CSP’s incident response plan?
• What is the CSP’s data retention policy?

It is also important to have a clear understanding of your own organization’s security posture and what needs to be done to ensure that the data you are storing in the cloud is protected.

Remember, just because you are using a CSP does not mean that you are absolved of all responsibilities.

Although migrating to the cloud has plenty of advantages, you must make it a priority to establish a secure design early on in the process. This will help you avoid potential issues down the road and ensure that your data remains protected. Flaws in architecture are some of the hardest obstacles to overcome, so be sure not to overlook this critical step.

4. In managing (outsourced) cloud projects, what are useful tips you could share with IT professionals to avoid common pitfalls?

Most importantly, you need to have a firm understanding of the shared responsibility model. This will help to avoid any surprises down the road. Ask yourself this question before adopting a service from any CSP: Can I do this myself in the console?

If the answer is yes, then you are responsible for the security and compliance of that service. One example of this is if you are using Amazon S3 to store data. You are responsible for the security of that data, even though it is stored on Amazon servers.

If your answer is no, then your CSP is responsible for the security and compliance of that service. For example, if you are using a managed service such as Amazon RDS, then Amazon is responsible for the security of the database.

In either case, it is important that you have a clear understanding of the security controls that are in place and how they map to your organization’s security requirements. In terms of specific tips, I would recommend the following:

1. Do your homework before selecting a CSP. Read reviews, compare pricing, and ask for recommendations from peers who have experience with the CSP you are considering.
2. Understand the shared responsibility model as I mentioned earlier; it is important to have a clear understanding of the shared responsibility model before migrating to the cloud. Your CSP will have responsibilities, but so will you.
3. Have a clear understanding of your security posture before migrating to the cloud. Make sure you have a clear understanding of your organization’s security posture. This will help you determine what needs to be done to protect your data.

5. What made you decide to earn your CCSK?

The CCSK certificate is globally recognized as the gold standard for cloud security. It is also one of the few certificates that is vendor-neutral. Because it is not specific to any single CSP, it is valuable for those of us who work with multiple providers.

I decided to earn my CCSK because I wanted to gain a better understanding of how to secure data in the cloud. With the increase in cloud adoption, it is more and more important for organizations to have a firm grasp on cloud security. The CCSK certificate was the perfect way for me to acquire the knowledge and skills I need to be able to provide guidance on this topic.

6. What part of the material from the CCSK has been the most relevant in your work and why?

In terms of relevance, my understanding of the Consensus Assessment Initiative Questionnaire (CAIQ) has been invaluable. I utilize the CAIQ on a regular basis when conducting security assessments of CSPs. The CAIQ is a great tool for evaluating the security controls of a CSP.

I firmly believe that my understanding of security controls within cloud-based systems has been vital to my success in this field. The questions cloud consumers and auditors ask providers, alongside the compliance framework set by the Cloud Controls Matrix (CCM) offer an excellent guide for conducting audits of CSPs.

7. How does the CCM help communicate with customers?

The CCM assists in communication with customers by providing a framework for discussing cloud security. The CCM is a great tool for identifying and evaluating the security controls of a CSP. This helps ensure that the customer’s data is protected.

The CCM security controls in the CCM v4.0.5 are founded on a customized relationship to other industry-accepted security standards, regulations, and control frameworks, including CIS v8.0, PCI DSS v3.2.1, AICPA TSC 2017, ISO/IEC 27001/02/17/18, and NIST 800-53 rev 5.

Communicating with customers about the CCM can help them understand how their data is being protected in the cloud. This understanding can help build trust between the customer and the CSP.

8. What’s the value in a vendor-neutral certificate like the CCSK or CCSP versus getting certified by AWS? In what scenario are the different certificates important?

I believe that vendor-neutral certificates, such as the CCSK or CCSP, are more valuable than getting certified by specific CSPs, although I also have also earned the AWS Certified Security -Specialty. While vendor-neutral certificates provide a comprehensive, vendor-neutral understanding of the security risks and concerns associated with cloud computing, there is also a specific use for an AWS certification. The benefit of vendor-neutral certificates is that they are not limited to a single CSP. This means that they can be used to assess the security of any CSP.

Different certificates can be important in different scenarios. For example, if you are a security consultant who assesses the security of CSPs, then a vendor-neutral certificate will be more beneficial. On the other hand, if you are working for a specific CSP, then getting certified by that CSP would certainly be advantageous.

Certification by AWS is specific to their platform and is, therefore, useful for assessing the security of AWS services. It is important to recognize the strengths of each certification you are considering and determining which of them makes sense for you in your current position.

I learned a while ago that it is helpful to think of vendor-neutral and vendor-specific certifications as theory versus practice. Just like you cannot jump into driving a car without first understanding the basics, you cannot specialize in a certain area without having a fundamental knowledge base.

In other words, vendor-neutral certificates provide the theory and vendor-specific certificates provide the practice.

9. Would you encourage your staff and/or colleagues to obtain the CCSK or other CSA qualifications? Why?

I wholeheartedly recommend the CCSK certificate to my staff and colleagues because this certificate is essential for anyone in my line of work. Cloud governance and technical security controls are two of my key responsibilities; the CCSK has provided me with a strong foundation in both of these areas. The CCSK certificate is also highly respected in the industry and is widely recognized as the standard of expertise for cloud security. I use what I learned every day–it really has made an impact.

10. What is the best advice you will give to IT professionals in order for them to scale new heights in their careers?

Educate yourself daily to have a better understanding of the world around you. Pursue new knowledge and train in your field so that you can continue to progress in your career.