New tools and techniques are developed every day to protect, and to attack, the assets businesses hold in the cloud.
It’s an ongoing battle. Attaining cloud security certifications is important because it helps people gain fluency in current best practices, and puts them in touch with a forward-looking, dedicated information security community.
These two aspects position IT professionals to respond well to the latest challenges, and build the productive knowledge about emerging threats they so desperately need on the frontlines.
For managers, upskilling employees with a cloud security certification, especially those familiar with your infrastructure, can be well worth the one-time costs.
I’ve put together the top 4 cloud security certifications that will help people refine their skills and broaden their knowledge base, regardless of the infrastructure they want to protect.
1. CompTIA Security+
Price of certification: $349
The Computing Technology Industry Association (CompTIA) offers certifications along the pathway for IT professionals that want to focus on infrastructure and security.
The CompTIA Security+ certification is widely known, and signals that a person has the baseline cybersecurity knowledge and practical skills necessary to solve a range of issues.
According to CompTIA, it is the most popular certification used for DoD 8570 compliance. To maintain a valid Security+, people have to recertify every three years, which tests their familiarity with techniques and threats in areas like:
- Risk management
- Risk mitigation
- Threat management
- Intrusion detection
- Penetration testing
- Cryptography and PKI
There are no prerequisites needed to take the CompTIA Security+ exam, making it a useful stepping stone for someone several years away from more advanced cloud security certifications like the CCSP.
The Security+ exam consists of 90 multiple choice and performance-based questions. Performance-based questions test someone’s ability to solve problems in a simulated environment, such as a firewall, operating system, network diagram, or terminal window.
You may be shown a network diagram, for example, and asked to make changes to correct a connectivity issue described in the prompt. It’s an approximation, not a live lab, but you still have to demonstrate that you can assess and address common security issues.
To stay on top of the latest trends and technology, CompTIA updates the Security+ exam every three years, with the latest version (SY0-601) slated for launch in November 2020.
The certification is not cloud-specific, but you will have to understand a lot of the IT fundamentals and hardware that support enterprise cloud deployments. In addition, you’ll gain insight into how to monitor and secure hybrid, mobile, and IoT environments.
In short, Security+ is a trusted entry-level certification that establishes core knowledge, best practices, and problem-solving skills that provide a strong foundation for work in cloud security.
2. CCSK: Certificate of Cloud Security Knowledge
Price of certificate: $395
The Certificate of Cloud Security Knowledge (CCSK) is a well-established benchmark within the information security industry. It proves that a person has a working understanding of both the strategic and tactical aspects of current cloud security.
It’s offered by the Cloud Security Alliance (CSA), which makes all of the study material needed to prepare for the exam available free online. The body of knowledge people are responsible for is contained within:
- CSA Security Guidance v.4
- ENISA Recommendations (European Union Agency for Network and Information Security)
- CSA Cloud Controls Matrix
The skills the exam covers are vendor-agnostic, and 100% focused on cloud security. Unlike the CompTIA Security+, which is also entry-level, the CCSK goes in depth on cloud-specific technology and architectural patterns that aren’t possible in traditional computing.
The exam is 90 minutes with 60 questions. It’s open-book, but the questions are difficult and it’s not feasible to research answers in the allotted time. There are courses available, and plenty of materials for self-study through CSA and elsewhere online.
The information on the exam is broken into 14 domains:
- Cloud Computing Concepts and Architecture
- Governance and Enterprise Risk Management
- Legal Issues, Contracts, and Electronic Discovery
- Compliance and Audit Management
- Information Governance
- Management Plane and Business Continuity
- Infrastructure Security
- Virtualization and Containers
- Incident Response
- Application Security
- Data Security and Encryption
- Identity, Entitlement and Access Management
- Security as a Service
- Related Technologies
- Extra domain: Cloud Controls Matrix
- Extra domain: ENISA Recommendations
The lion’s share of the material is drawn from the CSA Security Guidance v.4, with the extra domains covering the recommendations from ENISA and the Cloud Controls Matrix, a cloud-specific governance and compliance tool.
What makes the CCSK difficult, according to Graham Thompson, a CCSK authorized trainer, is that it covers both strategic and tactical aspects of cloud security. Thompson writes:
“People are either tactical types or strategic governance types. The tactical types enjoy the bits and bytes of computing and that’s totally cool. Then, you have the governance types. These are the managers, directors and others where the mindset is how the business as a whole may be impacted by cloud adoption.
One person having a foot in both areas is pretty rare, and that is what makes the CCSK exam so hard. I’ve seen hardcore techies fail, and I’ve seen MBAs fail.”
The real value of a CCSK is that it ensures people have mastered the fundamentals and full capabilities of cloud security. They will be better prepared to cope with issues as they arise, and positioned well to attain advanced cloud security certifications in forensics, incident handling, and penetration testing.
3. CCSP: Certified Cloud Security Professional
Price of certification: $599
In order to become a Certified Cloud Security Professional (CCSP), candidates need to demonstrate a considerable amount of real-world contact with IT security. In addition to passing a challenging exam, requirements include:
- a minimum of 5 years of cumulative paid work experience in IT
- 3 years must be in information security
- 1 year or more must be in the 6 domains represented on the CCSP
- Note: earning a CCSK counts toward 1 year of domain experience
The CCSP is hosted by the International Information System Security Certification Consortium, also known as (ISC)². This is an advanced cloud security certification that benefits those who oversee information security for their organization, such as enterprise architects, systems engineers, and security administrators.
You can take the exam before satisfying the professional experience requirement; you then become an Associate of (ISC)² and have 6 years to complete the 5 years of experience required for the CCSP.
It’s a standalone credential, but for many, it comes after earning other cloud security certifications throughout the first several years of their career. A CCSP proves you have advanced technical skills and understanding necessary to secure critical assets in a cloud environment.
The body of knowledge for the CCSP is broken down into 6 domains:
- Cloud Concepts, Architecture, and Design
- Cloud Data Security
- Cloud Platform and Infrastructure Security
- Cloud Application Security
- Cloud Security Operations
- Legal, Risk, and Compliance
For each domain, candidates for the CCSP require a comprehensive understanding of concepts, techniques, and strategy.
Exam questions from Domain 1, for example, could cover any cloud service category (SaaS, IaaS, PaaS), deployment model (public, private, hybrid, community), or related technologies that impact cloud security (artificial intelligence, blockchain, containers, IoT, machine learning, quantum computing). And this is only a fraction of what’s covered in the domain.
Every aspect of cloud security receives attention: from designing physically, logically, and environmentally secure data centers, to articulating how conflicting international legislation impacts the legal requirements and risks within cloud environments.
By covering each domain in significant depth, holding a CCSP reflects broad knowledge and hands-on experience with relevant cloud security best practices.
In order to keep exam questions on point in a changing world, (ISC)² conducts a Job Task Analysis at regular intervals, which determines the actual tasks and challenges faced by those currently involved with cloud security. After each analysis, the test questions are updated to reflect the real-world roles and responsibilities of IT cloud security professionals.
All (ISC)² exams are offered at Pearson VUE testing centers, and you must register ahead of time. The CCSP exam gives you three hours to complete 125 multiple choice questions, and is available in English and Japanese.
Membership in (ISC)² is awarded on successfully completing the CCSP, and connects people with professional development opportunities, technical webinars, and a growing community of more than 140,000 cybersecurity professionals. Keep on top of trends, gain insight into the latest threats, and network at events with others who are dedicated to keeping the cloud safe.
The CCSP is a full-scope, current, vendor-agnostic cloud security certification that ensures those in charge know how to design secure systems and harden them against future attacks.
4. CEH: Certified Ethical Hacker
Price of certification: $1,199
Becoming a Certified Ethical Hacker (CEH) is one of the best ways to start helping companies improve their IT defenses. It’s an in-demand cloud security certification that’s recognized by ANSI, the Department of Defense, and other governments around the world.
White-hat hackers have the green light from companies to find and test network infrastructure vulnerabilities. They identify security risks before real hackers with malicious goals can exploit these weaknesses.
At base, the certification familiarizes people with a “Hacker Mindset,” an offensive approach to infrastructure defense.
The CEH is overseen by the International Council of Electronic Commerce Consultants (EC Council), which manages a number of other well-respected cybersecurity credentials. A Certified Network Defender (CND) is a useful credential that comes before the CEH on the EC Council learning track, but it is not a mandatory prerequisite.
That said, it will be very helpful to have a solid understanding of network security configuration and management before attempting the CEH.
The material covered by the CEH is not cloud-specific, but cloud computing is one of several emerging attack vectors CEH candidates will have to understand. This includes knowledge of threats and attacks, as well as the tools necessary to perform a vulnerability assessment of cloud environments.
It’s a well-rounded certification because of the neighboring technologies and skills covered by the exam. A CEH must demonstrate knowledge in:
- Five Phases of Ethical Hacking: reconnaissance, gaining access, enumeration, maintaining access, and covering tracks.
- Different types of attacks: botnets, cryptography, DoS/DDoS, malware, session hijacking, steganalysis, SQL injection, Trojans, viruses, worms and others
- Defense for web apps, web servers, mobile devices and IoT platforms
- Footprinting, scanning, enumeration and countermeasures
- Firewall, IDS and honeypot evasion techniques
And that’s far from a complete list of everything covered. The value of a CEH is in the breadth of IT security concerns it touches on, exposing people to a range of creative techniques they can use to provide insight into a system’s defenses. This includes various types of penetration testing, security audits, and vulnerability assessments to detect gaps in security.
The exam, which is 125 questions to be completed in 4 hours, is routinely updated to address the latest threats. Candidates can take the CEH Practical exam ($550), which gives you 6 hours to complete 20 performance-based challenges in EC Council’s cyber range. Upon completing both the CEH and practical exam, people are eligible to become a CEH master.
Like any other cloud security certification, becoming a CEH doesn’t replace the need for practical experience in the field. That said, as IT professionals encounter issues in the real world, having a CEH gives them a diverse toolkit for approach, analysis and resolution.
Proprietary Cloud Security Certifications
There are other potentially useful advanced cloud security certifications, like the CISSP from (ISC)². With so much of the cloud hosted by a few major players, however, moving forward as an IT professional often hinges on understanding security within vendor-specific environments.
Microsoft, Amazon, and Google, the “big three,” all offer an entire learning path of cloud security certifications. These have proven vital, judging from job market demand, because the certifications show that someone truly understands how to use the tools of each platform to achieve an optimal information security posture for their organization.