Cloud Security Certifications

Tyler Wall
15 min read · Feb 2, 2024

Here is a short introduction to the course before we get started.

I hope you enjoy this module on cloud security certifications. Below is the script from the video if you prefer reading.

Tyler Wall, MSc., CISSP, CCSK

www.udemy.com/course/cloud-security-now

Lecture 8: Cloud Security Certifications

Now that we have covered the high-level framework needed to implement cloud security and the solutions, let us talk about increasing your cloud security knowledge via certifications.

Getting certified has traditionally been the best way in technology to demonstrate your knowledge about a subject and to show that you are serious about a particular topic, in this instance cloud security. It is also a great way to build a foundational knowledge of cloud security if you are unfamiliar with the topic and to get your foot in the door for a career.

Certifications — Good or Bad?

Cyber-security professionals often have a love/hate relationship with certifications. Some scoff at them and consider them no substitute for experience, while others believe they are a necessary validation of knowledge for every security pro. I personally believe cloud security certifications can be very useful in helping professionals get started and give a good baseline on which you can build your experience. However, one problem new entrants into this field face is which cloud security certification path to choose.

There are two paths for a cloud security certification:

  • Platform Agnostic: Certifications that are not bound to any specific platform like Google, Azure, or AWS and instead focus more on technical concepts and creating a strong foundational knowledge of the cloud
  • Platform Specific: Certifications like AWS security specialty or Azure Security Engineer which are specific to a particular platform. These usually assume you have knowledge of the platform you are trying to secure.

If you have ZERO knowledge of cloud concepts, then I would suggest going with a platform-agnostic cert first before attempting the platform-specific ones. You need to make sure your foundation is rock solid before focusing on a specific cloud provider. Let’s look at the most popular certs in the market.

Platform agnostic certifications

When talking about platform agnostic cloud certs, the discussion usually boils down to either the CCSK or CCSP. Let’s look at each in detail:

CCSK (Certificate of Cloud Security Knowledge)

Offered by the Cloud Security Alliance (CSA), the CCSK gives a great in-depth overview of Cloud Security concepts such as Cloud Architecture, Identity and Access Management, Key Management, etc. The exam can be taken online and has around 60 questions. It requires you to show knowledge of the below topics:

  • CSA Security Guidance for Critical Areas of Focus in Cloud Computing
  • CSA Cloud Control Matrix
  • Cloud Computing Risk Assessment

Below is the official description from CSA: “The CCSK is an open-book, online exam, completed in 90 minutes with 60 multiple-choice questions selected randomly from the CCSK question pool. Purchasing the exam costs $395 and provides you with two test attempts, which you will have 2 years to use. The minimum passing score is 80%.”

The CCSK also has no prior work experience requirement to sit the exam; however, you should have a solid foundational knowledge of the cloud before attempting it. The CCSK is widely known and respected throughout the industry and is a great cert for getting your foot in the cloud security door. It has routinely featured among the top certs to get for cloud security, and you really cannot go wrong with getting CCSK certified if cloud security is something you are serious about. If you are serious, then below are my top tips for getting CCSK certified.

  • Download the CCSK prep kit, which is totally free and contains all the prep material you need.
  • Understand how the exam is structured. It tests your knowledge of three key documents: the CSA Security Guidance for Critical Areas of Focus in Cloud Computing, the CSA Cloud Controls Matrix, and the EU Agency for Cybersecurity’s (ENISA) Cloud Computing Risk Assessment.
  • Understand thoroughly the CSA Security Guidance for Critical Areas of Focus in Cloud Computing, which is a list of best practices recommended by security experts. 87% of the questions are based on this report, so know it inside out!
  • Read the ENISA risk assessment report, which comes with the prep kit and is a thorough analysis of the risks and benefits of cloud computing. Know the guidance and the risk report inside out. Around 6% of the questions are based on this document.
  • Fully understand the Cloud Controls Matrix, which accounts for around 7% of the total exam.
  • Enroll in self-paced training, which is easily available on Udemy. If you don’t feel like shelling out $$$, then there are some great videos freely available on YouTube.
  • Practice! Do not underestimate the exam or attempt it without having a few practice exams under your belt.

I would suggest taking a month of prep for the CCSK cert. Make sure you have a solid foundation via the three documents and supplement it via training and practice tests. The exam itself is online and non-proctored which makes it a more relaxing experience than other examinations and you usually find out the results immediately. Once you pass, then the CCSK is a great stepping stone for other certs like the CCSP, AWS, Azure, etc.

CCSP (Certified Cloud Security Professional)

ISC2 is famous for introducing the gold standard in security certs which is the CISSP, so everyone was quite excited when they introduced their own cloud security cert. The CCSP is similar to the CISSP and has become well respected in the industry for demonstrating cloud security expertise and is meant for people who have a few years of experience in the field.

The CCSP is structured as per the below domains:

  • Domain 1. Cloud Concepts, Architecture, and Design
  • Domain 2. Cloud Data Security
  • Domain 3. Cloud Platform & Infrastructure Security
  • Domain 4. Cloud Application Security
  • Domain 5. Cloud Security Operations
  • Domain 6. Legal, Risk and Compliance

The CCSP also benefits from the respect and credibility the CISSP already has in the industry, and from its experience requirement, which demands that at least one year of a candidate’s experience be in one of the above domains.

Unlike the CCSK, the CCSP is not an entry-level cert; it has been made for information security leaders, cloud security managers and experienced professionals who have a few years under their belt. It proves that you have an in-depth understanding of cloud security and how to secure applications in the cloud. Unlike the CCSK, it has an experience requirement of 5 years, of which 3 must be in information security and one in the six domains of the CCSP syllabus. If you are a junior engineer new to the cloud, then I would recommend going for the CCSK exam instead.

The official quote from (ISC)2 is: “To qualify for the CCSP, candidates must pass the exam and have at least five years of cumulative, paid work experience in information technology, of which three years must be in information security, and one year in one or more of the six domains of the (ISC)2 CCSP Common Body of Knowledge (CBK®). A candidate who doesn’t yet have the required experience to become a CCSP may become an Associate of (ISC)2 after successfully passing the CCSP exam. The Associate of (ISC)2 will then have six years to earn the experience needed for the CCSP certification.”

An important point to note is that the CCSK cert can be substituted for one year of experience in cloud security, and CISSP holders automatically meet the experience requirements. So, if you have invested time and effort in getting these certs, then you can reap the benefits of your hard work!

The first step, as with the CCSK, is to download the CCSP body of knowledge and fully understand the breakdown of the domains on which you will be tested. Passing the CCSP exam validates that you have expertise in these areas. If you are serious about passing the CCSP, then I would recommend buying the official guide for the CCSP, going through it religiously and making notes of the critical points to understand. Unlike the CISSP, which is an inch deep and a mile wide, the CCSP is focused on cloud security and goes into much deeper detail on its concepts. I am recommending the official guide, but you can also look at alternatives such as official training and Udemy courses tailored for this specific exam. There is no single magic book or course that will make you pass the CCSP exam. It is all about studying and practicing and giving yourself enough time to be ready.

The MOST important part in preparing for this exam is to practice like crazy. Most of the information you get from the study guide and courses you will forget unless you apply it in practice exams. The official guide comes with sample questions, but you should invest in getting more practice questions to really build up your confidence in these areas.

Give yourself enough time; I would recommend setting aside at least one month of dedicated practice on these exams. A good resource is the ISC2 electronic flashcards for CCSP, which you can get for free on their website. Remember that ISC2 exams require you to prove that you are maintaining yourself to a high standard with regular submissions of Continuing Professional Education (CPE) credits over a three-year period. There is also an Annual Maintenance Fee (AMF) to be paid every year. While the CCSP may seem more difficult and expensive than the CCSK (and it is), the benefits to your career are tremendous, with the CCSP regularly showing up on the list of most in-demand certs.

CCSP vs CCSK

This one is a toughie to answer as both are excellent certs backed by respected organizations. I have attempted to break it down as per the three criteria:

  • Experience: The CCSK does not have an experience requirement and passing the exam is enough, while the CCSP requires 5 years of experience in the infosec industry with one of those being in the cloud. The CCSK, therefore, is more suited to those who are at entry level and want to get into cloud security, whereas the CCSP is more geared towards experienced professionals.
  • Cost: As of this lecture, the CCSK exam is cheaper than the CCSP with the latter also having those pesky Annual Maintenance Fees. Sometimes companies are happy to reimburse the costs so do check with your employer before proceeding.
  • Industry Standing: Both are respected certs that have a good standing in the industry. You really cannot go wrong with either of them when it comes to validating your cloud security expertise.

Which one you should go with depends on where you are in your career. If you are a mid- to senior-level professional, then you should go with the CCSP, while people new to cloud security should go with the CCSK.

Platform-specific certifications

Let us now move on to platform-specific certs which show experience in a specific cloud provider. Cloud platforms like Azure, AWS, and GCP can have hundreds of services, and companies that have critical workloads in the cloud want assurance that you are able to navigate them. A specialized cert will make you stand out in their eyes. Let’s look at what cloud security certification path you can take:

AWS Certified Security — Specialty

AWS is the most popular cloud platform in the world today, and the demand for certified AWS professionals is not going down anytime soon. There are numerous certification paths available, including a specialized AWS security cert.

The AWS Certified Security — Specialty is a great certification to show you know your way around the huge number of security services that are present and how to configure services like AWS GuardDuty, Config, Security Hub, etc. AWS does recommend that you have a few years’ experience before taking this test, so if you do not have any experience with AWS I would recommend first going with the AWS Certified Solutions Architect — Associate exam, as that gives you a great overview of the different AWS services and, in my opinion, makes the AWS security specialty exam much easier.

As the name suggests, this is not a beginner cert but is for those who already have experience in AWS security. As per AWS, the AWS Certified Security — Specialty is intended for individuals who perform a security role and have at least two years of hands-on experience securing AWS workloads. If you already know AWS and want to demonstrate expertise in AWS security, then this is definitely the best certification to go for.

The certification is still going strong as of 2024 and is very much in demand. The AWS cloud ecosystem is the biggest among the major cloud providers and cyber-security remains a top concern. You really cannot go wrong with having this on your resume.

As per the official exam guide on the AWS Certified Security Specialty page, the exam is a pass or fail one with a minimum passing score of 750 out of 1000.

How to prepare for the AWS Security Specialty Certification

As this is not a platform-agnostic cert like the CCSP and the CCSK, it must be approached slightly differently. These are my key tips for how to prepare for it.

  • Know your level: While there is nothing stopping you from making this your first AWS cert if you are just starting out, I would recommend doing a beginner-level AWS certification like the AWS Certified Solutions Architect — Associate first. This will create a great foundation in AWS services such as IAM and KMS and other concepts which you will need in the future. The AWS security specialty assumes that you are already familiar with AWS terminology, and this can become a big challenge if you are attempting it as your first AWS cert.
  • Get hands-on with AWS services: Another key step is to set up a home lab environment and start playing around with the AWS services so you can start understanding them. A huge number of AWS services are covered in the exam, and you should broadly know all of them. Without hands-on experience, you will not be able to understand questions that involve IAM policies, EC2 instances, etc. Create an AWS free tier account and start playing around in the AWS cloud environment.
  • Learn AWS IAM inside and out: AWS Identity and Access Management is one of the toughest areas in the exam, requiring you to understand how policies are evaluated and in what order. Know the policy flow and evaluation logic and how IAM elements work. Start experimenting with IAM policies in your own AWS account.
  • Be ready for “MOST” and “LEAST” questions: A lot of questions will attempt to trick you by providing several correct responses, so you will have to pick the most suitable one. Understand the pros and cons of each AWS service so you can respond to these questions accurately, as there is no single wrong answer here.
  • Deep dive into encryption and logging: A lot of questions will cover scenarios pertaining to KMS keys and which type of encryption to use in a particular scenario. Additionally, you are expected to know the logging and alerting use cases of AWS CloudTrail and CloudWatch, how they differ from each other, and the best practices for each.
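The IAM policy evaluation order mentioned above is the one piece of this list that is easiest to internalize by running it. The simulator below is an added example written for this article; it is not code from the course or from AWS. It models only identity-based policies (no resource policies, permissions boundaries, SCPs or session policies) and only the Effect, Action and Resource elements, applying the documented rule of thumb: an applicable explicit Deny always wins, otherwise an applicable Allow grants the request, otherwise the request is implicitly denied. The bucket name, object key and policies are constructed sample data.

```python
"""Simulate the AWS IAM evaluation order for identity-based policies.

Added example, not code from the course or from AWS. It models identity-based
policies only and only their Effect, Action and Resource elements.
Rule implemented: a matching explicit Deny always wins; otherwise a matching
Allow grants the request; otherwise the request is implicitly denied.
"""
import fnmatch

EXPLICIT_DENY = "ExplicitDeny"
ALLOW = "Allow"
IMPLICIT_DENY = "ImplicitDeny"


def _as_list(value):
    """IAM lets Statement, Action and Resource be a single item or a list."""
    return value if isinstance(value, list) else [value]


def _action_matches(patterns, action):
    # Action names are case-insensitive; '*' and '?' are the IAM wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def _resource_matches(patterns, resource_arn):
    # ARNs are compared case-sensitively; '*' matches across ':' and '/'.
    return any(fnmatch.fnmatchcase(resource_arn, p) for p in _as_list(patterns))


def statement_applies(statement, action, resource_arn):
    """True when both the Action and the Resource element match the request."""
    return (_action_matches(statement["Action"], action)
            and _resource_matches(statement["Resource"], resource_arn))


def evaluate(policies, action, resource_arn):
    """Return ExplicitDeny, Allow or ImplicitDeny for a single request."""
    decision = IMPLICIT_DENY
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not statement_applies(stmt, action, resource_arn):
                continue
            if stmt["Effect"] == "Deny":
                return EXPLICIT_DENY  # a matching Deny ends evaluation
            decision = ALLOW          # keep scanning: a later Deny still wins
    return decision


# Constructed sample policies; "example-bucket" is a hypothetical bucket name.
READ_ONLY_OBJECTS = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
}
FULL_ADMIN = {
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow", "Action": "*", "Resource": "*"},
}
NO_DELETES = {
    "Version": "2012-10-17",
    "Statement": {"Effect": "Deny", "Action": "s3:Delete*", "Resource": "*"},
}

OBJECT_ARN = "arn:aws:s3:::example-bucket/report.csv"
BUCKET_ARN = "arn:aws:s3:::example-bucket"


def walkthrough():
    """Exercise all three outcomes plus a classic exam trap."""
    return {
        # Allow matches both the action and the object ARN.
        "read": evaluate([READ_ONLY_OBJECTS], "s3:GetObject", OBJECT_ARN),
        # No statement mentions PutObject, so the default decision applies.
        "write": evaluate([READ_ONLY_OBJECTS], "s3:PutObject", OBJECT_ARN),
        # The admin Allow is overridden by the explicit Deny, whatever the order.
        "delete": evaluate([FULL_ADMIN, NO_DELETES], "s3:DeleteObject", OBJECT_ARN),
        "delete_reordered": evaluate([NO_DELETES, FULL_ADMIN], "s3:DeleteObject", OBJECT_ARN),
        # Trap: ListBucket is evaluated against the bucket ARN, which the
        # "example-bucket/*" object pattern does not cover.
        "list": evaluate([READ_ONLY_OBJECTS], "s3:ListBucket", BUCKET_ARN),
    }


if __name__ == "__main__":
    for request, decision in walkthrough().items():
        print(f"{request:17s} -> {decision}")
```

The last case in `walkthrough()` is the kind of detail the exam probes: the Allow names `s3:ListBucket`, yet the request is still implicitly denied because the bucket-level action is checked against the bucket ARN, not the `bucket/*` object pattern. Running the evaluation against your own test policies in a free-tier account, and comparing with what the IAM policy simulator reports, is a good way to check your understanding.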

My tips for passing the exam

In addition to the above, these are the steps I took to pass my AWS security specialty exam:

  • Training: Invest in training so you follow a structured way of understanding AWS security concepts. There are several good ones on Udemy and even Youtube. There is also a free readiness course provided by AWS which goes over the essentials of the exam and is definitely recommended as a refresher.
  • Practice! No amount of studying will get you ready for the exam without practice, so practice tests are a must. Udemy courses have some good practice tests, but I would recommend going for the ones on WhizLabs, as they were (in my opinion) the closest to the actual exam.
  • AWS White-papers: AWS has some amazing whitepapers which go into great detail about security best practices and their security services. These are not mandatory but are recommended to go through once before the actual exam.
  • AWS Labs: Lastly, AWS provides some great labs based on their Well-Architected Framework, which I would suggest everyone go through once as they slowly build up your hands-on experience. These are a great supplement to any training courses you take and range from Foundational and Intermediate to Advanced.

I hope this gave you a good overview of how to prepare for the AWS Security Specialty exam. The exam is not easy by any means and there is no magic bullet or solution for passing the exam. Build up a solid base of technical knowledge and supplement it with practice exams and you should ace it on the first try.

Microsoft Azure Security Engineer Associate

For those on the Microsoft Azure platform, the Azure Security Engineer Associate validates your expertise in configuring security services and data protection. You are expected to have a good knowledge of the platform and to understand how the different services interact with each other, as per Microsoft’s guide:

“Candidates for this exam should have subject matter expertise implementing Azure security controls that protect identity, access, data, applications, and networks in cloud and hybrid environments as part of an end-to-end infrastructure.”

One advantage is that most people are already familiar with Microsoft services, so the learning curve is not as steep as it is for those who are new to AWS or Google Cloud. You can get certified by passing the AZ-500 exam; however, one key point to note is that Microsoft has added lab questions to the AZ-500 exam, so do not attempt it without first having some hands-on experience with the platform and the different services which Azure offers.

When it comes to passing this, you can still pretty much use the advice I gave for AWS Security Specialty and apply it to an Azure environment.

Google Cloud Security Engineer

Like the above two, and rounding out the top three providers, the Google Cloud Security Engineer proves that you can securely design and implement solutions on Google Cloud. The foundational elements are similar to Azure and AWS, with the requirement to know concepts like Identity and Access Management, data protection, key management, etc. This is a great cert to have, and I would recommend it if you are planning to work on Google Cloud. It is also a stepping stone to one of the most in-demand certifications, the Google Professional Cloud Architect (GPCA). Although technically not a security cert, it is very in demand, requires professionals to have a firm knowledge of Google Cloud, and is one of the highest-paying certs around. Having the Google Cloud Security Engineer gives you a great foundation to try that exam as well.

Same as before: when it comes to passing this, you can still pretty much use the advice I gave for the AWS Security Specialty and apply it to a Google Cloud environment.

Summary

I hope you got a better idea of the different cloud security certification paths that are present in the market. These are all great ways to show your expertise and give your career a boost but remember they are not the end goal. Certifications get your foot in the door, but the cloud is an extremely challenging field, and you will not go far without hands-on experience. Simply having lots of certs will only help during the interview process but it is your hard work and experience that will make the difference in the long run. Make sure that along with the cert you have the required skills also to make your cloud career a long-lasting and successful one!


Tyler Wall is the founder of Cyber NOW Education. He holds a Master of Science from Purdue University, as well as the CISSP, CCSK, CFSR, CEH, Sec+, Net+ and A+ certifications. He mastered the SOC after having held every position from analyst to architect and is the author of three books, 100+ professional articles and four online courses, and regularly holds webinars for new cybersecurity talent.

You can connect with him on LinkedIn.

Get 20% off all courses in our On-Demand catalog with coupon code “Welcome20”

Download the Azure Security Labs eBook from the Secure Style Store. These labs walk you through several hands-on fun labs in Microsoft Azure, leaving you with the know-how to create a gig in Fiverr or Upwork to start your cybersecurity freelancing.

Also available in the Secure Style Store, download the Job Hunting Application Tracker for FREE to keep track of all your job applications.

Check out my latest book Jump-start Your SOC Analyst Career: A Roadmap to Cybersecurity Success published June 1st, 2024 and winner of the 2024 Cybersecurity Excellence Awards.

Written by Tyler Wall

Founder of Cyber NOW Education | Husband & Father | Published Author | Instructor | Master Mason | 3D Printing & Modeling | Astrophotography
