Cloud Security Certifications

March 7, 2017 by Frank Siemons


It is hard to find any topic around IT Security which is discussed as much as certification. This focus on security certifications is likely the result of the often costly and rapidly changing security sector that needs short, up-to-date and focused training programs. Universities and other traditional educators have lagged behind in that aspect, and they have only partially caught up during the last few years.

There are many professionals who have either already obtained certificates such as CISSP, CEH, and CISM or who intend to obtain one or more of them. It is a very large market. Although there is some debate on the value of certain certification programs, most can deliver significant benefits to professionals over the more traditional self-study option, which usually means reading many books. A certification, for instance, often covers topics that are broader than the student's own interests, which requires the student to learn more than just the minimum around a specific topic. Skipping a few "dull" but important chapters is not a wise decision if there is an exam coming up. A proper exam also forces a student to actually learn the material rather than just read through it, and the exam date sets a deadline for finishing that material. Finally, a certificate such as CISSP shows an employer that a (future) employee has put significant time and money into obtaining it. This helps to indicate that a person has the drive and motivation to grow his or her skillset and knowledge base.

Cloud Based Certifications

The security industry has been around for decades, and so have some of the best-known certifications. ISC2’s Certified Information Systems Security Professional (CISSP) for instance, was released in 1994 and ISACA’s Certified Information Systems Auditor (CISA) dates back to 1987.

Some of these older, well-established certification providers have added cloud components to their subject material since the rise of cloud products in recent years. The depth of those add-ons is often quite limited, however. The most recent EC-Council Certified Ethical Hacker (CEH) Version 9 study guide, for instance, covers only a few pages on cloud security. Considering the importance of cloud technologies these days within organizations of any size, and the new cloud-specific attacks spotted in the wild, such as the Man-In-The-Cloud attacks, more focus is required. Which training provider would, for instance, cover how to securely manage an organization's data while migrating a server cluster to the Azure or Amazon Web Services cloud? Fortunately, some providers have taken the subject more seriously and have introduced dedicated, in-depth cloud security training certifications.

ISC2 – Certified Cloud Security Professional (CCSP)

By far the best known and most established cloud-specific security certification is CCSP from ISC2. For over 20 years, ISC2 has also been responsible for the de facto standard in IT security certifications: CISSP. Although CISSP now contains a lot more material on the cloud, the specialized CCSP program takes this to the next level. It covers a very broad range of cloud-related topics (called domains) such as Cloud Architecture, Cloud Application Security, and Cloud Platform Security, and it delves deep into the details as well. Students should expect to invest quite a bit of time to successfully pass the exam for this certification. Before becoming certified, candidates must also have several years of security and cloud experience, which is confirmed via a resume and by ISC2 contacting the supplied references. Although the requirements are high, this all adds to the value of this certification.

CSA – Certificate of Cloud Security Knowledge (CCSK)

A lighter alternative to the quite heavy CCSP certification is offered by the Cloud Security Alliance, in the form of the CCSK certification. As the full name suggests, this certification is dedicated to cloud security, and just like CCSP, it goes into the technical details. There are a few major differences between CCSP and CCSK, however. First of all, the body of knowledge is not as broad for CCSK as for CCSP. The study material for CCSK is freely available on the internet in the form of two key documents, so no books or training courses are required. Secondly, there are no experience requirements for the CCSK certification. A final difference is that the exam for CCSK is available online for a relatively low fee (around 350 USD) and is open-book. These points make the CCSK a good alternative program for an entry-level to mid-level security professional with an interest in cloud security, where there is no justification for the time and costs that the CCSP certification requires.

SANS – Cloud Security Fundamentals (SEC524)

SANS is well known for its very practical, often costly security training, delivered by experienced instructors. They too offer a cloud security course. The SEC524 offering is a two-day program followed by an optional exam, which can be booked at a later stage. Neither the training nor the exam is cheap: expect to spend about 4000 USD in total. Especially because the two-day training program is mandatory, whereas CCSP and CCSK can be taken as self-study, this is obviously not a low-budget option. It does offer hands-on training and some labs, however, which could be worth the extra investment for organizations or individuals looking for a more technical experience.


There are other, less well-known cloud security programs as well. Some cloud platform providers offer product training, and some organizations even custom-build a program at the request of a customer. In the end, however, the flagship is the CCSP certification, followed closely by the CCSK offering. Of course, there is something to be said for self-taught cloud security professionals. After all, when the first cloud products started rolling in about a decade ago, none of these programs existed yet. A professional working on these new technologies simply did not have the time to wait for years before building a secure environment. They hopefully did the responsible thing back then and upskilled via experience, books, and the internet. If that approach, based on personal responsibility, worked for someone back then, it will still work now. Certification, however, will formalize that existing knowledge and will probably even extend it further. For anyone new in this area, certification is always a good opportunity to show an employer that there is an existing interest in the subject and an existing level of knowledge. That can only be a good thing for both the employer and the employee.

Frank Siemons is an Australian security researcher at InfoSec Institute. His track record consists of many years of systems and security administration, both in Europe and in Australia. He currently holds many certifications, such as CISSP, and has a Master's degree in InfoSys Security from Charles Sturt University. He has a true passion for anything related to pentesting and vulnerability assessment and can be found on Twitter as @franksiemons.