As companies move more and more of their infrastructure to the cloud, they're forced to shift their approach to security. The security controls you need to put in place for a cloud-based infrastructure are different from those for a traditional datacentre. There are also threats specific to a cloud environment. A mistake could put your data at risk.
It's no surprise that hiring managers are looking for candidates who can demonstrate their cloud security know-how—and a number of companies and organisations have come up with certifications to help candidates set themselves apart. As in many other areas of IT, these certs can help give your career a boost.
"Cloud security certifications can set professionals up for long-term career success in designing, operating, and maintaining secure cloud environments for today’s enterprises," says Joe Vadakkan, senior director of services alliances at Optiv. "In addition to the process being a fun learning experience, each certification offers a unique benefit to understanding the security controls, associated risks, and dynamic needs of cloud operating models."
But which certification should you pursue? We spoke to a number of IT security pros to get their take on those that are the most widely accepted signals of high-quality candidates. These include cloud security certifications for both relative beginners and advanced practitioners.
Top cloud security certifications
We've got the details on eight of the best cloud security certifications our sources identified: four that are generalist certifications and four built around specific platforms.
Four good general cloud security certifications...
1. Certificate of Cloud Security Knowledge (CCSK)
Strictly speaking, CCSK, as its name implies, is a certificate rather than a certification, but it still represents a valuable first step on your cloud security career path. "If you have to choose one certification and want (as you should) to understand more of the technical concepts beyond a theoretical level, a CCSK is the way to go," says Aaron Rosenmund, Director of Security Research and Curriculum at Pluralsight. "It is vendor-agnostic knowledge about securing data in the cloud. It ensures that technologists have the foundational and in-depth knowledge needed—from cloud architecture and infrastructure to data security, key management, identity and access management—to utilise cloud services more securely."
The CCSK test asks participants to demonstrate knowledge of three key documents: the CSA Security Guidance for Critical Areas of Focus in Cloud Computing, the CSA Cloud Controls Matrix, and the European Union Agency for Cybersecurity's Cloud Computing Risk Assessment. The exam is open book, and you can take it online.
Offered by: Cloud Security Alliance
Test format: 60 multiple choice questions
Official website: https://cloudsecurityalliance.org/education/ccsk/
2. CompTIA Cloud+
Cloud+ is strictly speaking a general cloud administration certification rather than a security cert, but it includes extensive cloud security content and many people we spoke to mentioned it as a way to demonstrate that you understand both the cloud and security's place in it, including the implementation of cloud security controls and the troubleshooting of cloud security problems. It's a successor to the CompTIA Cloud Essentials+ cert, and it's definitely more technical; while there are no formal prerequisites, two to three years of sysadmin experience is recommended.
"Certifications like CompTIA Cloud+ provide a solid understanding of concepts, common vocabulary, and cloud approaches," notes Dustin Hutchison, PhD, VP of Services and CISO at Pondurance. "However, they do not provide technical-platform-specific job-ready skills." (We'll talk about those in more detail in a moment.)
Offered by: CompTIA
Test format: 90 performance-based and multiple-choice questions
Official website: https://www.comptia.org/certifications/cloud
3. GIAC Cloud Security Automation (GSA)
The GSA certification may be one of the less well-known certs on this list, but Adam Gordon, Instructor at ITProTV, says that hiring managers recognise its place in the market. Like the other certs we've discussed so far, it has no formal requirements, but it is one of the more advanced certs, and candidates should probably have three to five years of experience.
The certification is built around the SANS Institute's Cloud Security and DevSecOps Automation training, and those who take that course can get a discount on the not-insignificant price of the test. The test focuses in particular on securing automated processes associated with CI/CD, and includes material on services specific to AWS and Azure.
Offered by: GIAC
Test format: 75 questions
Official website: https://www.giac.org/certification/cloud-security-automation-gcsa
4. Certified Cloud Security Professional (CCSP)
Almost everyone we spoke to agreed: ISC2's CCSP is one of the most well-known and respected certifications on the market. Unlike the previous certs we discussed, CCSP is meant for higher-level and more experienced pros, with a requirement for several years of industry employment before you can apply to be certified. "From a general sense of demonstrating cloud security expertise and credibility, I think CCSP is the best," says Dave Hatter, Cyber Security Consultant at IntrustIT. "It’s vendor agnostic, requires knowledge across critical domains, requires real world experience and comes from one of the most respected cybersecurity organisations in the industry."
"As an experienced hiring manager, certificates are important, for they show a candidate's potential for retaining knowledge, but what certificates don't clearly reflect is the candidate's ability to apply that knowledge to real-world applications," adds Chuck Everette, Director of Cybersecurity Advocacy at Deep Instinct. "The CCSP is highly respected due to the requirement that the candidate must have a number of years of paid work experience in the infosec field that actually relates to the topic of cloud security, risk, and compliance."
Offered by: ISC2
Prerequisites: Five years of paid IT work experience, at least three of which must have been in infosec, and at least one of which must have involved one or more domains in ISC2's common body of knowledge for cloud security
Test format: 125 multiple-choice questions
Official website: https://www.isc2.org/Certifications/CCSP
...and four cloud platform-specific certifications
All of the certs we've talked about so far are more or less vendor neutral, although GSA touches on some technologies specific to particular cloud providers. However, if you're looking to show that you know your way around a particular cloud platform, there are vendor-specific certifications that can help you do so.
"The security specialty certifications really make an individual stand out, because they’ll understand the best practices and methodologies for each specific cloud environment," says Optiv's Vadakkan. "Each provider has its own set of hundreds of services, so being an expert in one brings a lot of value to an organisation."
Let's take a look at four certs that many of the experts we spoke to agreed can make you stand out to potential employers who rely on specific cloud platforms.
5. Azure Security Engineer Associate
This certification is meant to validate your expertise in implementing security controls and threat protection on Microsoft's Azure platform, as well as the skills to manage identity and access and protect data, applications, and networking. As with many of the certs on this list, there are no formal prerequisites, but this isn't for newbies: you're expected to not only already be an expert Azure admin, but have solid scripting and automation skills as well, and an understanding of networking, virtualisation, and cloud-based N-tier architectures.
In order to be certified, you must pass Microsoft's Exam AZ-500.
Offered by: Microsoft
Prerequisites: None, though Microsoft has training it recommends you complete
Test format: 40-60 multiple choice and multiple-select questions
Official website: https://docs.microsoft.com/en-us/learn/certifications/azure-security-engineer/
6. AWS Certified Security — Specialty
Amazon's AWS is probably the most widely used public cloud platform, and so getting security certified for it can boost your job prospects. An AWS Certified Security — Specialty holder has demonstrated an understanding of AWS's specialised data classifications and protection measures, how AWS implements encryption, and the security services and features built into the platform.
While there are no formal prerequisites, Amazon recommends that you have at least two years of hands-on AWS experience and a minimum of five years of IT security experience before taking the test.
Offered by: Amazon
Test format: 65 multiple choice or multiple response questions
Official website: https://aws.amazon.com/certification/certified-security-specialty/
7. Professional Cloud Security Engineer
The title of this cert may sound generic, but it's specifically oriented towards Google Cloud, rounding out the Big Three cloud platform providers. A holder of the Professional Cloud Security Engineer certification should be able to design and implement a secure infrastructure on Google's cloud.
While there are no formal prerequisites, Google recommends that you have at least a year of experience with Google Cloud and three years of industry experience generally before taking the test. You should be familiar with all the foundations of cloud security, like identity and access management, as well as Google's specific data protection and incident response technologies.
Offered by: Google
Test format: 50 multiple-choice and multiple-select questions
Official website: https://cloud.google.com/certification/cloud-security-engineer
8. Certified Kubernetes Security Specialist (CKS)
Kubernetes is the dominant platform for orchestrating container-based applications, which in practice almost always run in the cloud. The CKS certification is for high-level Kubernetes practitioners who want to demonstrate that they understand the best practices for securing container-based applications from build to deployment to runtime.
A CKS-certified admin will have demonstrated the ability to set up and harden clusters, minimise vulnerabilities in microservices, and monitor for security issues while applications are running.
Offered by: Cloud Native Computing Foundation
Prerequisites: Candidates must hold a Certified Kubernetes Administrator cert
Test format: Performance-based test in which test-takers solve multiple tasks from a command line running Kubernetes
Official website: https://www.cncf.io/certification/cks/
Going beyond certifications
All of these certs are good ways to demonstrate your skills to your current or potential future employers — they're "a good way to get your foot in the door at a company doing cloud security and they're good for getting past a resume filter," says Karl Fosaaen, Cloud Practice Director at NetSPI. That said, they certainly aren't a be-all, end-all, and a resume with nothing but certifications on it will not impress anybody.
"Candidates need to be able to show an understanding of how the cloud components work and integrate with each other for a given platform," Fosaaen continues. "Many of the currently available certifications only require people to memorise terminology, so you don't have a guaranteed solid candidate if they simply have a certification. For those hiring on these certifications, make sure that you're going the extra level to make sure the candidates really do understand the cloud providers that your organisation uses."
Fosaaen recommends pursuing specific trainings to further burnish your resume, such as the SANS Institute's Cloud Penetration Testing course, BHIS's Breaching The Cloud Perimeter, or his own company's Dark Side Ops Training. Concrete training courses like these can be a great complement to the "book learning" of a certification.