
How to Choose a Cloud Security Certification

Tyler Wall

Updated: Dec 8, 2024

Cloud Security Certifications



Let us talk about increasing your cloud security knowledge via certifications. 


Getting certified has traditionally been the best way in technology to demonstrate your knowledge of a subject and to show that you are serious about a particular topic, cloud security in this instance. It is also a great way to build foundational knowledge of cloud security if you are unfamiliar with the subject, and to get your foot in the door for a career.


Certifications - Good or Bad? 

Cybersecurity professionals often have a love/hate relationship with certifications. Some scoff at them and consider them no substitute for experience, while others believe they are a necessary validation of knowledge for every security pro. I believe cloud security certifications can be very useful in helping professionals get started and give a good baseline on which you can build your experience. However, one problem new entrants into this field face is the cloud security certification path they should choose.


There are two paths for a Cloud Security Certification. 


  • Platform Agnostic: Certifications that are not bound to any specific platform like Google, Azure, or AWS, and instead focus on technical concepts and on building a solid foundational knowledge of the cloud.

  • Platform Specific: Certifications like the AWS Security Specialty or Azure Security Engineer that are specific to a particular platform. These usually assume you already know the platform you are trying to secure.


If you have ZERO knowledge of cloud concepts, I would suggest going with a platform agnostic cert before attempting the platform ones. Before focusing on a specific cloud provider, you must ensure your foundation is rock solid. Let's look at the most popular certs in the market. 


Platform agnostic certifications 

When talking about platform agnostic cloud certs, the discussion usually boils down to either the CCSK or CCSP. Let's look at each in detail: 


CCSK (Certificate of Cloud Security Knowledge)

Offered by the Cloud Security Alliance (CSA), the CCSK gives a great in-depth overview of Cloud Security concepts such as Cloud Architecture, Identity and Access Management, Key Management, etc. The exam can be taken online and has around 60 questions. It requires you to show knowledge of the below topics: 


  • CSA Security Guidance for Critical Areas of Focus in Cloud Computing 

  • CSA Cloud Control Matrix  

  • Cloud Computing Risk Assessment 


Below is the official description from CSA. The CCSK is an open-book, online exam completed in 90 minutes with 60 multiple-choice questions selected randomly from the CCSK question pool. Purchasing the exam costs $395 and provides two test attempts, which you will have two years to use. The minimum passing score is 80%. 


The CCSK has no prior work experience requirement; however, you should have a solid foundational knowledge of the cloud before attempting it. The CCSK is widely known and respected throughout the industry and is an excellent cert for getting your foot in the cloud security door. It has routinely been featured among the top certifications for cloud security, and you really cannot go wrong with getting CCSK certified if cloud security is something you are serious about. If you are serious, below are my top tips for getting CCSK certified.


  • Download the CCSK prep kit, which is free and contains all the prep material you need.

  • Understand how the exam is structured. It tests your knowledge about three key documents: the CSA Security Guidance for Critical Areas of Focus in Cloud Computing, the CSA Cloud Control Matrix, and the EU’s Agency for Cybersecurity’s Cloud Computing Risk Assessment. 

  • Thoroughly understand the CSA Security Guidance for Critical Areas of Focus in Cloud Computing, which is a list of best practices recommended by security experts. 87% of the questions are based on this report, so know it inside out!

  • Read the ENISA risk assessment report, which comes with the prep kit. It is a thorough analysis of the risks and benefits of cloud computing. Know the guidance and the risk report inside out. Around 6% of the questions are based on this document. 

  • Fully understand the Cloud Controls Matrix, which accounts for around 7% of the total exam.

  • Enroll in self-paced training, which is easily available on Udemy. If you don't feel like shelling out $$$, there are some great videos freely available on YouTube. 

  • Practice! Please do not underestimate the exam and attempt to take it without taking a few practice exams.


I suggest taking a month of prep for the CCSK cert. Make sure you have a solid foundation via the three documents and supplement it via training and practice tests. The exam itself is online and non-proctored, which makes it a more relaxing experience than other examinations. You usually find out the results immediately. Once you pass, the CCSK is a great stepping stone for other certs like the CCSP, AWS, Azure, etc. 


CCSP (Certified Cloud Security Professional)

ISC2 is famous for introducing the gold standard in security certs, the CISSP, so everyone was quite excited when they introduced their cloud security cert. The CCSP is similar to the CISSP and has become well respected in the industry for demonstrating cloud security expertise. It is meant for people with a few years of experience in the field. 


The CCSP is structured as per the below domains:  


  • Domain 1. Cloud Concepts, Architecture, and Design 

  • Domain 2. Cloud Data Security 

  • Domain 3. Cloud Platform & Infrastructure Security 

  • Domain 4. Cloud Application Security 

  • Domain 5. Cloud Security Operations

  • Domain 6. Legal, Risk and Compliance 


The CCSP also benefits from the respect and credibility that the CISSP already has in the industry. Of the work experience required to sit the exam, at least one year must be in one or more of the above domains.


The CCSP is not an entry-level cert like the CCSK. Instead, it is aimed at information security leaders, cloud security managers, and experienced professionals with a few years under their belt. It proves you have an in-depth understanding of cloud security and of how to secure applications. Unlike the CCSK, it has a five-year experience requirement, of which three years must be in information security and one year in one or more of the six domains of the CCSP syllabus. If you are a junior engineer new to the cloud, I recommend the CCSK exam instead.


The official quote from (ISC)2 is: "To qualify for the CCSP, candidates must pass the exam and have at least five years of cumulative, paid work experience in information technology, of which three years must be in information security, and one year in one or more of the six domains of the (ISC)2 CCSP Common Body of Knowledge (CBK®). A candidate who doesn't yet have the required experience to become a CCSP may become an Associate of (ISC)2 after successfully passing the CCSP exam. The Associate of (ISC)2 will then have six years to earn the experience needed for the CCSP certification."


An important point to note is that the CCSK cert can be substituted for one year of experience in cloud security, and CISSP holders automatically meet the experience requirements. So, if you have invested time and effort in getting these certifications, you can reap the benefits of your hard work! 


As with the CCSK, the first step is to download the CCSP body of knowledge and fully understand the breakdown of the domains on which you will be tested. Passing the CCSP exam validates your expertise in these areas. If you are serious about passing, I recommend buying the official guide for the CCSP, going through it religiously, and making notes of the critical points. Unlike the CISSP, which is an inch deep and a mile wide, the CCSP is focused on cloud security and goes into much deeper detail on its concepts. I recommend the official guide, but keep in mind that there are alternatives, such as official training and Udemy courses tailored for this specific exam. There is no single magic book or course that will make you pass the CCSP exam. It is all about studying, practicing, and giving yourself enough time to be ready.


The most critical part of preparing for this exam is to practice like crazy. Most of the information you get from the study guide and courses you will forget unless you apply it in practice exams. The official guide comes with sample questions, but you should invest in getting more practice questions to build up your confidence in these areas. 


Give yourself enough time; I recommend setting aside at least one month of dedicated practice for this exam. A good resource is the ISC2 electronic flashcards for the CCSP, which you can get for free on their website. Remember that ISC2 exams require you to prove that you maintain a high standard through regular Continuing Professional Education (CPE) credit submissions over three years. An Annual Maintenance Fee (AMF) is also payable every year. While the CCSP may seem more difficult and expensive than the CCSK (and it is), the benefits to your career are tremendous, as the CCSP regularly shows up on lists of the most in-demand certs.


CCSP vs CCSK 

This one is tough to answer, as both are excellent certs backed by respected organizations. I have attempted to break it down by three criteria:


  • Experience: The CCSK has no experience requirement, and passing the exam is enough, while the CCSP requires five years of experience in the infosec industry, one of those being in the cloud. The CCSK is therefore better suited to those at entry level who want to get into cloud security, whereas the CCSP is geared towards experienced professionals.

  • Cost: As of this writing, the CCSK exam is cheaper than the CCSP, and the latter also has those pesky Annual Maintenance Fees. Companies are sometimes happy to reimburse the costs, so check with your employer before proceeding.

  • Industry Standing: Both are respected certifications with good industry standing. You cannot go wrong with either of them when validating your cloud security expertise.


Which one you should choose depends on your career stage. If you are a mid- to senior-level professional, select the CCSP; if you are new to cloud security, choose the CCSK.


Platform-specific certifications 

Let us move on to platform-specific certs, which show experience with a specific cloud provider. Cloud platforms like Azure, AWS, and GCP can have hundreds of services, and companies with critical workloads in the cloud want assurance that you can navigate them. A specialized cert will make you stand out in their eyes. Let's look at the cloud security certification paths you can take:


AWS Certified Security – Specialty 

AWS is the most popular cloud platform in the world today, and the demand for certified AWS professionals will not go down anytime soon. Numerous certification paths are available, including a specialized AWS security cert.


The AWS Certified Security – Specialty is an excellent certification that shows you know your way around the vast number of security services available and how to configure services like Amazon GuardDuty, AWS Config, and Security Hub. AWS recommends that you have a few years' experience before taking this test, so if you have no experience with AWS, I would recommend first going for the AWS Certified Solutions Architect – Associate exam, as that gives you an excellent overview of the different AWS services and, in my opinion, makes the Security Specialty exam much more approachable.


As the name suggests, this is not a beginner certification but one for those with experience in AWS security. The AWS Certified Security – Specialty is intended for individuals who perform a security role and have at least two years of hands-on experience securing AWS workloads. If you already know AWS and want to demonstrate expertise in AWS security, this is the best certification to go for.


The certification is still going strong as of 2024 and is in demand. The AWS cloud ecosystem is the biggest among the major cloud providers, and cybersecurity remains a top concern. You really cannot go wrong with having this on your resume.


According to the official exam guide on the AWS Certified Security Specialty page, the exam is pass or fail, with a minimum passing score of 750 out of 1000. 


How to prepare for the AWS Security Specialty Certification 

This is not a platform-agnostic cert like the CCSP or the CCSK, so it must be approached slightly differently. These are my key tips for preparing for it.


  • Know your level: While nothing is stopping you from making this your first AWS certification, if you are just starting out, I would recommend doing a beginner-level AWS certification like the AWS Certified Solutions Architect – Associate first. This will create an excellent foundation in AWS services such as IAM, KMS, and other concepts you will need later. The AWS Security Specialty assumes that you are already familiar with AWS terminology, which can become a big challenge if you attempt it as your first AWS cert.

  • Get hands-on with AWS services: Another critical step is to set up a home lab environment and start playing around with AWS services so you begin to understand them. A vast number of AWS services are covered in the exam, and you should know all of them. Without hands-on experience, you will not be able to understand questions that involve IAM policies, EC2 instances, and so on. Create an AWS Free Tier account and start experimenting in the AWS cloud environment.

  • Learn AWS IAM inside and out: AWS Identity and Access Management is one of the most challenging areas of the exam, requiring you to understand how policies are evaluated and in what order. Know the policy evaluation flow and logic and how the IAM elements work together. Start experimenting with IAM policies in your own AWS account.

  • Be ready for "MOST" and "LEAST" questions: Many questions will attempt to trick you by offering several correct responses, so you must pick the most suitable one. Understand the pros and cons of each AWS service so you can answer these questions accurately, as there is no single wrong answer here.

  • Deep dive into encryption and logging: Many questions cover scenarios involving KMS keys and which type of encryption to use in a particular situation. Additionally, you are expected to know the logging and alerting use cases of AWS CloudTrail and CloudWatch, how they differ from each other, and the associated best practices.
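The IAM tip above hinges on evaluation order: a request is implicitly denied until an Allow matches, and any matching explicit Deny overrides every Allow, no matter which policy it lives in. The simulator below is an added illustration written for this page, not code from the post and not AWS's own evaluation engine. It models only identity-based policies with Action and Resource wildcards; conditions, NotAction/NotResource, resource-based policies, permission boundaries and SCPs are deliberately left out, and the two sample policies are constructed for the example.

```python
"""
Simplified model of how AWS evaluates identity-based IAM policies.
Added example for illustration only (not the post's code, not AWS's).

Evaluation order modelled here:
  1. Every request starts as an implicit deny.
  2. A matching statement with "Effect": "Deny" always wins.
  3. Otherwise a matching "Effect": "Allow" grants the request.
Conditions, NotAction/NotResource, resource policies, permission
boundaries and SCPs are omitted; they add layers but keep this ordering.
"""
from fnmatch import fnmatchcase
from typing import List, Tuple, Union

StrOrList = Union[str, List[str]]


def _as_list(value: StrOrList) -> List[str]:
    """IAM allows Action/Resource as a single string or a list; normalise."""
    return [value] if isinstance(value, str) else list(value)


def _matches(patterns: StrOrList, value: str) -> bool:
    """IAM wildcards: '*' matches any run of characters, '?' one character.
    Action names are case-insensitive in IAM, so compare lower-cased."""
    return any(fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))


def statement_matches(stmt: dict, action: str, resource: str) -> bool:
    """A statement applies when both its Action and Resource match."""
    return _matches(stmt["Action"], action) and _matches(stmt["Resource"], resource)


def evaluate(policies: List[dict], action: str, resource: str) -> Tuple[str, str]:
    """Return (decision, reason); decision is 'Allow' or 'Deny'."""
    allowed_by = None
    for policy in policies:
        for stmt in policy["Statement"]:
            if not statement_matches(stmt, action, resource):
                continue
            sid = stmt.get("Sid", "<no Sid>")
            if stmt["Effect"] == "Deny":
                # Explicit deny short-circuits: nothing can override it.
                return "Deny", f"explicit deny in statement {sid}"
            if allowed_by is None:
                allowed_by = sid  # remember, but keep scanning for a Deny
    if allowed_by is not None:
        return "Allow", f"explicit allow in statement {allowed_by}"
    return "Deny", "implicit deny (no matching Allow)"


# Constructed sample policies (hypothetical bucket name, not from the post).
DEVELOPER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AppBucketReadWrite", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
         "Resource": "arn:aws:s3:::app-bucket/*"},
        {"Sid": "DescribeOnly", "Effect": "Allow",
         "Action": "ec2:Describe*", "Resource": "*"},
    ],
}

# A guardrail policy attached to the same principal: its Deny beats the
# developer policy's Allow for s3:DeleteObject on the same objects.
GUARDRAIL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "NoDeleteInAppBucket", "Effect": "Deny",
         "Action": "s3:DeleteObject", "Resource": "arn:aws:s3:::app-bucket/*"},
    ],
}

POLICIES = [DEVELOPER_POLICY, GUARDRAIL_POLICY]

if __name__ == "__main__":
    checks = [
        ("s3:GetObject", "arn:aws:s3:::app-bucket/reports/q1.csv"),
        ("s3:DeleteObject", "arn:aws:s3:::app-bucket/reports/q1.csv"),
        ("ec2:DescribeInstances", "*"),
        ("ec2:TerminateInstances", "*"),
    ]
    for act, res in checks:
        decision, reason = evaluate(POLICIES, act, res)
        print(f"{act:<24} {res:<45} -> {decision:<5} ({reason})")
```

Run it and note that swapping the order of the two policies does not change any decision: the Deny still wins because the evaluator keeps scanning for a Deny even after it has found an Allow, which is exactly the behaviour the exam's IAM questions probe.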


My tips for passing the exam 

In addition to the above, these are the steps I took to pass my AWS Security Specialty exam:


  • Training: Invest in training so you understand AWS security concepts in a structured way. I used A Cloud Guru training, which is one of the best ones around, but there are several good ones on Udemy and even YouTube. AWS also provides a free readiness course that goes over the essentials of the exam and is definitely recommended as a refresher. 

  • Practice! No amount of studying will prepare you for the exam without practice tests, so they are a must. A Cloud Guru and Udemy courses have some excellent practice tests, but I recommend the ones on WhizLabs, as they were (in my opinion) the closest to the actual exam.

  • AWS whitepapers: AWS has some amazing whitepapers that go into great detail about security best practices and its security services. These are not mandatory, but I recommend reading them once before the actual exam.

  • AWS labs: Lastly, AWS provides some great labs based on its Well-Architected Framework, which I would suggest everyone go through once as they slowly build up their hands-on experience. These can be a great supplement to any training course you take and range from foundational to intermediate to advanced.


I hope this gave you a good overview of how to prepare for the AWS Security Specialty exam. The exam is not easy by any means, and there is no magic bullet for passing it. Build up a solid base of technical knowledge, supplement it with practice exams, and you should ace it on the first try.


Microsoft Azure Security Engineer Associate 

For those on the Microsoft Azure platform, the Azure Security Engineer Associate validates your expertise in configuring security services and data protection. You are expected to have good knowledge of the platform and to understand how the different services interact with each other, as per the Microsoft guide:


“Candidates for this exam should have subject matter expertise implementing Azure security controls that protect identity, access, data, applications, and networks in cloud and hybrid environments as part of an end-to-end infrastructure.” 


One advantage is that most people are already familiar with Microsoft services, so the learning curve is not as steep as it is for those new to AWS or Google Cloud. You can get certified by passing the AZ-500 exam. One key point to note, however, is that Microsoft has added lab questions to the AZ-500 exam, so do not attempt it without first getting some hands-on experience with the platform and the different services Azure offers.


When it comes to passing this exam, you can still pretty much apply the advice I gave for the AWS Security Specialty to an Azure environment.


Google Cloud Security Engineer 

Like the above two, and rounding out the top three providers, the Google Professional Cloud Security Engineer proves you can securely design and implement on Google Cloud. The foundational elements are similar to those of Azure and AWS, requiring knowledge of identity and access management, data protection, key management, and so on. This is an excellent certification, and I recommend it if you plan to work on Google Cloud. It is also a stepping stone to one of the most in-demand certifications, the Google Professional Cloud Architect (GPCA). Although technically not a security cert, the GPCA is very much in demand, is among the highest-paying certifications, and requires a firm knowledge of Google Cloud. Having the Google Cloud Security Engineer cert gives you a great foundation for attempting that exam.


As with the previous cert, when it comes to passing this exam, you can still pretty much take the advice I gave for the AWS Security Specialty and apply it to a Google Cloud environment.


Summary 


I hope you now have a better idea of the different cloud security certification paths in the market. These are great ways to show your expertise and boost your career, but remember that they are not the end goal. Certifications get your foot in the door, but the cloud is a highly challenging field, and you will not go far without hands-on experience. Having many certifications only helps during the interview process; your hard work and expertise are what make a difference in the long run. Make sure that, along with the certification, you have the skills required to make your cloud career a long-lasting and successful one!


Cyber NOW Education: How to start your career in cybersecurity

Tyler Wall is the founder of Cyber NOW Education. He holds a Master of Science from Purdue University and the CISSP, CCSK, CFSR, CEH, Sec+, Net+, and A+ certifications. He mastered the SOC after holding every position from analyst to architect, and is the author of three books, 100+ professional articles, and ten online courses specifically for SOC analysts.


You can connect with him on LinkedIn.


You can sign up for a Lifetime Membership of Cyber NOW® with a special deal for 15% off with coupon code "KB15OFF" which includes all courses, certification, the cyber range, the hacking lab, webinars, the extensive knowledge base, forums, and spotlight eligibility, to name a few benefits.


Download the Azure Security Labs eBook from the Secure Style Store. These labs walk you through several hands-on fun labs in Microsoft Azure, leaving you with the know-how to create a gig in Fiverr or Upwork to start your cybersecurity freelancing.


Some of our free resources include the Forums, the Knowledge Base, our True Entry Level SOC Analyst Jobs, Job Hunting Application Tracker, Resume Template, and Weekly Networking Checklist. Ensure you create an account or enter your email to stay informed of our free giveaways and promos, which we often offer.


Check out my latest book, Jump-start Your SOC Analyst Career: A Roadmap to Cybersecurity Success, 2nd edition, published June 1st, 2024, winner of the 2024 Cybersecurity Excellence Awards and a finalist in the Best Book Awards. If you enjoy audiobooks, I suggest the Audible version, but you can also get it in paperback, Kindle, or PDF. The downloadable PDF version can be grabbed here.
