The cloud, virtualization and a variety of "as a service" functions have become core elements of most business infrastructures -- with capabilities ranging from baseline email and content management to specialized services, such as business intelligence and disaster recovery. Even with concerns over security remaining top-of-mind for most organizations, the use of public, private and hybrid clouds has skyrocketed.
While the security concerns haven't disappeared, they have become better understood, and the risks have garnered some level of mitigation. One driver behind this could be the increase in awareness, communication, training and certifications revolving around the cloud and its security requirements.
If you are a CSO working for a company that leverages cloud technologies to run its business, what should you look for in a candidate to add to your staff? Should they be certified in cloud technologies, security, cloud security or some combination therein? What about certification for a management role versus certification for a hands-on architecture/technical implementation role?
To begin to answer these questions, let's first look at the different types of certifications that are available, as well as the pros and cons.
Vendor-neutral cloud security certifications
For independent, vendor-neutral cloud security certifications, the pros include a focus on securing the cloud regardless of the underpinning technology. These certifications also develop a security mindset that can be applied to a variety of cloud-enabled environments. However, the major disadvantage is that these certifications do not go deep enough to cover every aspect of functionality for every major cloud vendor and cloud technology, thereby forcing certificate holders to learn about these intricacies separately. A few examples of this kind of certification include the Cloud Credential Council's Professional Cloud Security Manager (PCS) and the Cloud School's Certified Cloud Security Specialist.
Vendor cloud security certifications
For cloud security certifications created by vendors, the advantage is that they cover the intricate details of the vendor's technologies and how security should be applied to the vendor's virtualized and cloud environment at a high level. The drawback is that the certifications don't cover other elements connected to each vendor's cloud technologies and are usually solely focused on that specific vendor. A good example of this kind of certification is IBM's Certified Solution Architect-Cloud Computing Infrastructure (CSA-CCI), which focuses on key security areas.
General cloud certifications
General cloud certifications are valuable in that they provide in-depth understanding of cloud technologies and architectures and may also provide a hint of security as it relates to keeping the cloud up and running. The obvious con is that they offer a limited view into security. VMware's Certified Advanced Professional-Cloud Infrastructure Design is an example of this type of certification.
Enterprise and information security certifications
Enterprise and information security certifications offer an in-depth understanding of the threats facing networks, devices and applications in on-premises environments. But they offer limited coverage of cloud-specific technologies.
Government certifications
Government-oriented certifications connect to many government standards and regulations critical for success within government IT environments, both on-premises and in the cloud. However, the guidance may fall short or may not directly apply in commercial settings. Some of these certifications, such as the Federal IT Security Professional Certification, are actually developed and managed by non-profit organizations rather than a government agency. Other government certifications, such as FedRAMP, are for organizations and not individuals.
The rise of cloud security certifications: Why are they needed?
As the use of the cloud and the criticality of the services running on it rise, the threats are also rising and growing more complex. The combination of public, private and hybrid cloud implementations makes securing an organization's cloud environment that much more challenging. To make matters worse, the number of people who have a combined, in-depth understanding of the cloud and security is low. Worse yet, there is a huge shortage of security professionals in general.
Speaking of filling roles in security, what is the value of a certification to companies looking to hire people with cloud security knowledge? First, it creates a standard level of understanding of security as it relates to cloud technologies used by the organization. Second, it develops a common language throughout the organization that can be used to identify, discuss, and respond to security risks and threats affecting cloud implementations. And lastly, it increases confidence that security is taken seriously by subject matter experts, for both the physical and virtual aspects of the organization's network.
But the value isn't all one-sided; certification also provides benefits to the individuals seeking employment by giving them standardized recognition for technical knowledge and skills. It also increases the possibility of being seen as a thought leader, and can open greater opportunities for career advancement and higher pay.
Who typically holds a cloud security certification? In my experience, the types of professionals holding cloud security certifications include security professionals at security software companies and cloud service providers, solution architects at solution providers or resellers, consultants at system integrators and IT consulting firms, and your die-hard "I want them all" certificate holders.
The most prominent cloud security certifications
In many cases, I found that if an individual holds one cloud security certification, then they hold multiple certifications across a range of different vendors and security areas. Generally speaking, it's good for security professionals to hold a combination of prominent vendor-neutral certifications along with a few top vendor-specific certifications.
In my experience, the ISC2's Certified Information Systems Security Professional (CISSP) and the Cloud Security Alliance's Certificate of Cloud Security Knowledge (CCSK) often lead the certification list for many security professionals, and are the two most common certifications I've seen related to cloud security.
A carefully selected collection of certifications can drive up the professional value of its holder. So what are some of the other top certifications for cloud security? To get a better sense of this, I consulted with "Tom" Tan Sarihan, a fellow CISSP and security professional with KOBIL Technologies in San Francisco, to see how he viewed the different certifications. We came up with a list of nine of the most prominent cloud-related security certifications, sorted from management-level to entry-level:
- ISC2 CISSP-ISSMP (Information System Security Management Professional): Demonstrates knowledge of enterprise security governance, breach management, business continuity and disaster recovery from the management-level point-of-view.
- ISACA CISM (Certified Information Security Manager): Demonstrates knowledge of enterprise security governance, breach management, business continuity and disaster recovery from the management-level point-of-view.
- ISC2 CISSP-ISSAP (Information System Security Architecture Professional): Demonstrates in-depth knowledge of secure enterprise architectures with initial coverage of cloud security.
- ISC2 CISSP: Demonstrates in-depth knowledge of security with some coverage of cloud security; this certification fits a variety of roles: management, architect, engineer.
- VMware VCP (VMware Certified Professional)-Cloud: Demonstrates knowledge of virtualization, cloud technologies, and provides some security coverage.
- Cisco CCIE (Cisco Certified Internetwork Expert) Security or Cisco CCNP (Cisco Certified Network Professional) Security (formerly CCSP): Demonstrates knowledge of the general infrastructure security of cloud-enabled environments.
- CSA CCSK: Demonstrates knowledge of cloud architecture in general; good for someone in a dedicated cloud security role.
- EC-Council CEH (Certified Ethical Hacker): Demonstrates the ability to put cloud security thinking and related penetration actions to the test (no pun intended).
- CompTIA Cloud+: Demonstrates knowledge of network protocols, cloud basics and some cloud security coverage.
Companies looking to hire managers with security expertise and a cloud focus should look at each candidate's general cloud and security certifications. If the company wants hands-on technical expertise, it should look at vendor-specific cloud certifications coupled with vendor-neutral cloud security certifications. If security is absolutely critical as a means to protect the cloud-enabled business systems, processes and data, then adding vendor-neutral cloud security certifications to the mix is highly recommended.
Of course, there's no replacement for real-world experience; in addition to the certifications each candidate holds, companies should give equal consideration to their professional experience.
About the author:
Sean Martin is an information security veteran of nearly 25 years and a four-term CISSP with articles published globally covering security management, cloud computing, enterprise mobility, governance, risk and compliance -- with a focus on specialized industries such as government, finance, healthcare, insurance, legal and the supply chain.