The 14 best cloud security certifications for IT pros in 2023

The importance of certifications

Although the debate over the value of security certification programs is hotly contested, they are still one of the top ways employers screen job candidates and assess an interviewee's baseline knowledge. And the fact is that most certifications deliver more significant benefits to professionals than traditional self-study options.

A certification, for instance, covers broader topics than those of interest to the student, which requires the student to learn more than just the minimum around a specific topic. Skipping a few dull, but important, chapters isn't a wise decision if an expensive exam is coming up.

Certification exams also force students to study the material, not just skim it. Exam dates also provide a deadline to finish the material. Certificates also show employers that future employees have put significant time and money into obtaining the certificates and their associated skills.

The infosec industry has been around for decades and has some of the best-known certifications. (ISC)²'s CISSP, for instance, was released in 1994, and ISACA's Certified Information Systems Auditor (CISA) certification dates back to 1978.

These older, well-established certification providers have added cloud components to their material, but the depth of those add-ons can be limited -- sometimes, it's just a few pages in a book. Considering the importance of cloud technologies and the persistent threat of cloud-specific attacks, more focus is required.

Let's take a look at some certification providers that have introduced dedicated, in-depth cloud security certifications and what cloud security pros can expect when pursuing them.

1. (ISC)² Certified Cloud Security Professional (CCSP)

The most well-known and established cloud security certification is (ISC)²'s CCSP. Although (ISC)²'s CISSP now contains more cloud material than in years past, the nonprofit's specialized CCSP program takes it to the next level and covers a broad range of cloud-related topics, from cloud application security to cloud platform security.

Students should expect to invest quite a bit of time to pass this exam and use a self-led or instructor-led training to prepare for this certification.

Candidates must have a minimum of five years of paid work experience in IT before becoming certified. Three years must be in infosec, and one year must be in one or more of the six domains included in the CCSP Common Body of Knowledge (CBK):

1. Cloud Concepts, Architecture and Design (17% of exam)
2. Cloud Data Security (20%)
3. Cloud Platform & Infrastructure Security (17%)
4. Cloud Application Security (17%)
5. Cloud Security Operations (16%)
6. Legal, Risk and Compliance (13%)

The Cloud Security Alliance (CSA) Certificate of Cloud Security Knowledge (CCSK) can be substituted for one year of experience in the CCSK domains. Obtaining the CISSP covers all prerequisites.

2. CSA Certificate of Cloud Security Knowledge (CCSK)

CSA's CCSK is a lighter alternative to CCSP certification. Launched in 2010, this certification is dedicated to cloud security. Like the CCSP, CCSK goes into technical details.

The CCSP and CCSK have a few major differences. For example, the CBK is not as broad for CCSK as it is for CCSP. The study material for CCSK -- sourced from the CSA Security Guidance v.4, the CSA Cloud Controls Matrix and the European Union Agency for Cybersecurity's Cloud Computing Risk Assessment report -- is available on the internet for free, so no books or training courses are required. The CCSK certification also has no prerequisites or experience requirements. In addition, the CCSK exam is available online and is open book.

CCSK is a good alternative cloud security certification for an entry-level to midrange security professional with an interest in cloud data security but no justification to spend the time and money required for the CCSP certification.

The CCSK covers 16 domains, including Cloud Computing Concepts and Architecture, Data Security and Encryption, and Security as a Service.

3. EC-Council Certified Cloud Security Engineer (C|CSE)

EC-Council added a cloud security-focused certification to its catalog in January 2022. C|CSE is geared toward practitioners with a security focus, including cloud security consultants, managers, analysts, engineers and architects, as well as DevOps engineers and network security pros.

The certification's training covers the following modules:

• Introductions to Cloud Security
• Platform and Infrastructure Security in the Cloud
• Application Security in the Cloud
• Data Security in the Cloud
• Operation Security in the Cloud
• Penetration Testing in the Cloud
• Incident Detection and Response in the Cloud
• Forensics Investigation in the Cloud
• Business Continuity and Disaster Recovery (DR) in the Cloud
• Governance, Risk Management and Compliance in the Cloud
• Standards, Policies and Legal Issues in the Cloud

The 40-hour training is available as instructor-led, synchronous online or asynchronous online offerings. C|CSE has no formal prerequisites, but it is recommended that candidates have a basic understanding of cloud computing and network security management.

4. ISACA and CSA Certificate of Cloud Auditing Knowledge (CCAK)

In March 2021, ISACA and CSA jointly released the CCAK, which builds on and complements CCSK content. It also complements ISACA's CISA and Certified Information Security Manager certifications. Applicants are advised to achieve their CCSK prior to taking CCAK, though it is not a prerequisite.

Assessors and auditors, compliance managers, vendor and partner program managers, security and privacy consultants, security analysts and architects could benefit from the training, which covers the following domains:

1. Cloud Governance
2. Cloud Compliance Program
3. CCM and CAIQ: Goals, Objectives and Structure
4. A Threat Analysis Methodology for Cloud Using CCM
5. Evaluating a Cloud Compliance Program
6. Cloud Auditing
7. CCM: Auditing Controls
8. Continuous Assurance and Compliance
9. STAR Program

Candidates can choose self-study or attend CCSK trainings. Training options include online self-paced, online instructor-led and in person.

5. GIAC Cloud Security Automation (GCSA)

Launched in April 2020, GIAC's GCSA certification is specifically designed for developers, analysts and engineers working to secure cloud and DevOps environments. It encompasses topics such as automation of configuration management, continuous integration/continuous delivery (CI/CD) and continuous monitoring, and how to use open source tools, the AWS toolchain and Azure services.

The GIAC certification is based on SANS Institute's in-person or online SEC540: Cloud Security and DevSecOps Automation course. This five-day course, which includes hands-on labs, covers topics in the following five sections:

1. DevOps Security Automation
2. Cloud Infrastructure Security
3. Cloud Security Operations
4. Cloud Security as a Service
5. Compliance as Code

The exam can be purchased by itself or at a discounted rate when bought in conjunction with the SANS training. Purchasing a certification attempt comes with two practice tests, which are in the same format as the exam.

6. GIAC Cloud Security Essentials (GCLD)

Released in April 2021, GIAC's GCLD covers how to evaluate cloud service providers and how to plan, deploy and secure single and multi-cloud environments, as well as topics such as cloud auditing, security assessments and incident response.

Specialized for security engineers, analysts, managers and auditors, GCLD aims to help candidates prove their knowledge in how to prevent, detect and react to cloud workload security events.

GCLD certification based on SANS SEC488: Cloud Security Essentials, a six-day course with hands-on training that teaches the following:

• Identity and Access Management (IAM)
• Compute and Configuration Management
• Data Protection and Automation
• Networking and Logging
• Compliance, Incident Response and Penetration Testing
• CloudWars

The SANS training, offered online and in person, has no prerequisites, but a basic understanding of networking, security, Linux and the cloud is beneficial.

7. GIAC Certified Web Application Defender (GWEB)

GIAC's GWEB certification is specifically for application developers, application security analysts and managers, app architects and pen testers. Topics covered include access control, web application attack techniques, application frameworks, and application and HTTPS basics, configuration and security.

It is affiliated with SANS SEC522: Application Security: Securing Web Apps, APIs and Microservices. The syllabus of this six-day course with hands-on training includes the following:

• Web Fundamentals and Secure Configurations
• Input-Related Defenses
• Authentication and Authorization
• Web Services and Front-End Security
• APIs and Microservices Security
• DevSecOps and Defending the Flag

The course and exam have no formal prerequisites, but a basic understanding of web app technology, including HTML and JavaScript, is recommended.

8. GIAC Public Cloud Security (GPCS)

Released in August 2021, GIAC's GPCS was developed for security analysts, auditors, sys admins, engineers and researchers, as well as cloud and DevOps engineers. Those involved in adopting cloud security offerings at their organizations could also benefit from this certification.

GPCS is based on SANS SEC510: Public Cloud Security: AWS, Azure and GCP. This five-day course with hands-on training teaches the following:

1. Securely Using Identity and Access Management and Defending IAM Credentials
2. Restricting Infrastructure and Data Access to Trusted Networks
3. Encrypting Data at Rest and In-Transit, Locking Down Storage and Auditing Logs
4. Exploring Serverless Functions, App Services and the Firebase Platform
5. Securely Integrating Across Cloud Accounts and Automating Misconfiguration Benchmarking

Course prerequisites include SEC488 and familiarity with IAM, networking, bash commands, HashiCorp Configuration Language (HCL) and Terraform.

9. GIAC Cloud Penetration Tester (GCPN)

Launched in February 2021, GIAC's GCPN is specialized for security practitioners, pen testers and vulnerability analysts. It includes topics such as cloud pen testing, service discovery, AWS and Azure services and attacks, cloud-native apps, containers and CI/CD pipelines.

GCPN is based on SANS SEC588: Cloud Penetration Testing, a six-day course with hands-on training that covers the following:

• Architecture, Discovery and Recon at Scale
• Attacking Identity Systems
• Attacking and Abusing Cloud Services
• Vulnerabilities in Cloud-Native Applications
• Infrastructure Attacks and Red Teaming
• Capstone Event

Students are urged to take SEC488, SEC542, SEC540 and SEC560 prior to SEC510. Familiarity with Linux bash, Azure and AWS command-line interface tools. Networking and TCP/IP knowledge is also helpful.

10. Mile2 Certified Cloud Security Officer (C)CSO)

The C)CSO certification from Mile2 consists of a five-day program that includes instructor-led sessions, self-study time and live virtual trainings. It is composed of 15 modules:

1. Introduction to Cloud Computing and Architecture
2. Cloud Security Risks
3. ERM (Enterprise Risk Management) and Governance
4. Legal Issues
5. Virtualization
6. Data Security
7. Data Center Operations
8. Interoperability and Portability
9. Traditional Security
10. BCM (Business Continuity Management) and DR
11. Incident Response
12. Application Security
13. Encryption and Key Management
14. Identity, Entitlement and Access Management
15. Auditing and Compliance

It also consists of 23 labs, including Virtual Machine Hardening, PaaS in Azure and Key Management in SaaS.

Part of Mile2's Cloud Security and Virtualization career path, this advanced certification is ideal for professionals seeking careers in virtualization, cloud administration, auditing and compliance.

General knowledge of cloud architectures and one year of experience in both virtualization and infosec are recommended.

11. Arcitura Certified Cloud Security Specialist

Arcitura offers several Cloud Certified Professional (CCP) certifications. Its Certified Cloud Security Specialist certification focuses on the security threats associated with cloud platforms, cloud services and other cloud technologies, including virtualization. Geared toward IT and security professionals, as well as cloud architects, the Certified Cloud Security Specialist certification is composed of the following five modules:

1. 01 CCP Fundamental Cloud Computing
2. 02 CCP Cloud Technology Concepts
3. 07 CCP Fundamental Cloud Security
4. 08 CCP Advanced Cloud Security
5. 09 CCP Cloud Security Lab

Completion of these five modules and their respective exams results in a Certified Cloud Security Specialist certification. A general background in IT is recommended, and exams must be taken in order -- for example, C90.01 must be completed before C90.02.

Arcitura offers three exam formats: a single exam that covers all five modules; a partial exam that only tests modules 7, 8 and 9 (appropriate if modules 1 and 2 were completed for a different certification); or five separate, module-specific exams.

12. and 13. CompTIA Cloud Essentials+ and Cloud+

CompTIA offers two certifications that, while not security-specific, cover cloud security topics. Cloud Essentials+ is geared toward cloud business decision-making, while Cloud+ is more about technical cloud implementation.

The entry-level Cloud Essentials+ certification covers cloud security concerns and measures, as well as risk management, incident response and compliance. Six months to one year of IT business analyst experience, along with some cloud technology experience, is recommended. The more in-depth Cloud+ certification covers access control, security troubleshooting and DR. Two to three years of system administration or networking experience is recommended, in addition to CompTIA Network+ and Server+ certifications.

14. EXIN Certified Integrator Secure Cloud Services

EXIN offers many security and cloud courses. Its Certified Integrator Secure Cloud Services certification is granted when specific cloud computing and security qualifications are met. These include achieving three EXIN certifications:

• A service management certification:
  • VeriSM; or
  • EXIN SIAM; or
  • EXIN IT Service Management, based on ISO/IEC 20000
• A cloud computing certification:
  • EXIN Cloud Computing
• A security management certification:
  • EXIN Cyber and IT Security; or
  • EXIN Information Security Management, based on ISO/IEC 27001

While this certification is not dedicated to cloud security, it ensures the certified professional is skilled in both IT security and cloud environments.

Vendor-specific cloud security certifications

• Because many enterprises work with specific vendors and technologies, it could be fruitful for their security team members to hold certifications in those areas. Some cloud platform providers offer practical product training, including the following:

  • AWS Certified Security - Specialty
  • Azure Security Engineer Associate
  • Google Professional Cloud Security Engineer
  • IBM Cloud Security Engineer Specialty
  • Certified Kubernetes Security Specialist (CKS)
  • VMware Certified Professional - Security