Many professionals seeking a career in cloud security will turn to certifications to advance their learning and...
prove their knowledge to potential employers.
The number of enterprise cloud deployments is growing: In 2019, more enterprise workloads were executed in the cloud (56%) than in on-premises data centers (44%) or branch offices (4%). Having someone well versed in cloud security on an IT team is integral to securing today's distributed environments.
As cloud adoption has furthered the need for cloud security pros, it has also increased the number of cloud security certifications available.
Are you trying to parse the differences and figure out which certifications will most advance your knowledge and career? Get the lowdown on the best cloud security certifications here.
The importance of certifications
Although the debate over the value of security certification programs is hotly contested, they are still one of the top ways employers screen job candidates and assess an interviewee's baseline knowledge. And the fact of the matter is that most certifications deliver more significant benefits to professionals than traditional self-study options.
A certification, for instance, covers topics that are broader than purely the interest of the student, which requires the student to learn more than just the minimum around a specific topic. Skipping a few dull, but important, chapters is not a wise decision if there is an expensive exam coming up.
Certification exams also force students to study the material, not just skim through it. The exam date also provides a deadline by which to finish the material. Certificates also show employers that future employees have put significant time and money into obtaining the certificates and their associated skills.
The infosec industry has been around for decades and has some of the best-known certifications. (ISC)2's CISSP, for instance, was released in 1994, and ISACA's Certified Information Systems Auditor certification dates back to 1978.
These older, well-established certification providers have added cloud components to their material, but the depth of those add-ons is often quite limited -- sometimes, it's just a few pages in a book. Considering the importance of cloud technologies today and the persistent threat of cloud-specific attacks, more focus is required.
Let's take a look at some certification providers that have introduced dedicated, in-depth cloud security certifications and what cloud security pros can expect when pursuing them.
1. (ISC)2 Certified Cloud Security Professional (CCSP)
The most well-known and established cloud security certification is (ISC)2's CCSP. Although (ISC)2's CISSP now contains more cloud material, its specialized CCSP program takes it to the next level and covers a broad range of cloud-related topics, from cloud application security to cloud platform security.
Students should expect to invest quite a bit of time to pass this exam or should use a training vendor to prepare for this certification.
Candidates must have a minimum of five years paid work experience before becoming certified. Three years must be in infosec, and one year must be in one or more of the six domains included in the CCSP Common Body of Knowledge (CBK):
- Cloud Concepts, Architecture and Design
- Cloud Data Security
- Cloud Platform & Infrastructure Security
- Cloud Application Security
- Cloud Security Operations
- Legal, Risk and Compliance
The Cloud Security Alliance's (CSA) Certificate of Cloud Security Knowledge (CCSK) can be substituted for one year of experience in the CCSK domains, or CISSP can be substituted for the entire CCSP experience requirement.
2. CSA Certificate of Cloud Security Knowledge
CSA's CCSK is a lighter alternative to CCSP certification. Launched in 2010, this certification is dedicated to cloud security, and just like CCSP, it goes into the technical details.
There are a few major differences between CCSP and CCSK. For example, the CBK is not as broad for CCSK as it is for CCSP. The study material for CCSK -- sourced from the CSA Cloud Security Guidance v4, the CSA Cloud Controls Matrix and the EU Agency for Cybersecurity Cloud Computing Risk Assessment report -- is available on the internet for free, so no books or training courses are required. Also, there are no prerequisites or experience requirements for CCSK certification. In addition, the CCSK exam is available online and is open book.
CCSK is a good alternative cloud security certification for an entry-level to midrange security professional with an interest in cloud data security but no justification to spend the time and costs required for the CCSP certification.
3. GIAC Cloud Security Automation (GCSA)
Launched in April 2020, GIAC's GCSA certification is specifically designed for developers, analysts and engineers working to secure cloud and DevOps environments. It encompasses topics such as automation of configuration management, continuous integration/continuous delivery and continuous monitoring, and how to use open source tools, the AWS toolchain and Azure services.
There are no prerequisites for the GIAC certification, but it is based on SANS Institute's in-person or online SEC540: Cloud Security and DevOps Automation course. This five-day course covers topics in five sections:
- Introduction to DevSecOps
- Cloud Infrastructure and Orchestration
- Cloud Security Operations
- Cloud Security as a Service
- Compliance as Code
The exam can be purchased by itself or at a discounted rate when bought in conjunction with the SANS training. Purchasing a certification attempt comes with two practice tests, which are in the same format as the exam.
4. Mile2 Certified Cloud Security Officer (C)CSO)
The C)CSO certification from Mile2 consists of a five-day program that includes instructor-led sessions, self-study time and live virtual trainings.
C)CSO is composed of 15 modules:
- Introduction to Cloud Computing and Architecture
- Cloud Security Risks
- ERM (Enterprise Risk Management) and Governance
- Legal Issues
- Data Security
- Data Center Operations
- Interoperability and Portability
- Traditional Security
- BCM (Business Continuity Management) and DR
- Incident Response
- Application Security
- Encryption and Key Management
- Identity, Entitlement and Access Management
- Auditing and Compliance
It also consists of 23 labs, including Virtual Machine Hardening, PaaS in Azure and Key Management in SaaS.
Part of Mile2's Cloud Security and Virtualization career path, this advanced certification is ideal for professionals seeking careers in virtualization, cloud administration, auditing and compliance.
General knowledge of cloud architectures and one year of experience in both virtualization and general infosec are recommended.
5. Arcitura Certified Cloud Security Specialist
Arcitura offers several Cloud Certified Professional (CCP) certifications. Its Certified Cloud Security Specialist certification focuses specifically on the security threats associated with cloud platforms, cloud services and other cloud technologies, such as virtualization. Geared toward IT and security professionals and cloud architects, the Certified Cloud Security Specialist certification is composed of five modules:
- C90.01 CCP Fundamental Cloud Computing
- C90.02 CCP Cloud Technology Concepts
- C90.07 CCP Fundamental Cloud Security
- C90.08 CCP Advanced Cloud Security
- C90.09 CCP Cloud Security Lab
Completion of these five modules and their respective exams results in Certified Cloud Security Specialist certification. A general background in IT is recommended, and exams must be taken in order -- for example, C90.01 must be completed prior to C90.02.
Arcitura offers three exam formats: a single exam that covers all five modules; a partial exam that only tests modules 7, 8 and 9 (appropriate if modules 1 and 2 were completed for a different certification); or five separate, module-specific exams. Module-specific exams are available online via Pearson VUE. The combined exam is only available via on-site proctoring.
6. and 7. CompTIA Cloud Essentials+ and Cloud+
CompTIA offers two certifications that, while not security-specific, cover cloud security topics. Cloud Essentials+ is geared toward cloud business decision-making, while Cloud+ is more about technical cloud implementation.
The entry-level Cloud Essentials+ certification covers specific cloud security concerns and measures, as well as risk management, incident response and compliance. Six months to one year of IT business analyst experience, along with some cloud technology experience, is recommended. The more in-depth Cloud+ certification covers how to implement appropriate security controls, as well as how to troubleshoot security issues in the cloud. Two to three years of system administration experience is recommended.
8. EXIN Certified Integrator Secure Cloud Services
EXIN offers many security and cloud courses. Its Certified Integrator Secure Cloud Services certification is granted when specific cloud computing and security qualifications are met. These include achieving three EXIN or CCC certifications:
- A service management certification:
- EXIN IT Service Management (ITSM) Foundation;
- VeriSM Foundation or one of the following: VeriSM Professional, EXIN ITSM based on ISO 20000 (any level), Microsoft Operations Framework Foundation, EXIN BCS Service Integration and Management (any level) or ITIL (any level); or
- EXIN BCS SIAM Foundation
- A cloud computing certification:
- EXIN Cloud Computing Foundation or a CCC Cloud Computing certificate
- A security management certification:
- EXIN Cyber and IT Security Foundation
- EXIN Information Security Foundation based on ISO/IEC 27001
While this certification is not purely dedicated to cloud security, it ensures the certified professional is skilled in both IT security and cloud environments.
Vendor-specific cloud security certifications
Because many enterprises work with a few specific vendors and technologies, it could be fruitful for their security team members to hold certifications in those areas. Some cloud platform providers offer practical product training, including the following: