7 Must-Have Cloud Security Certifications In 2019

Technical experts at seven of the world's leading cloud security firms provide their recommendations for which certifications they value most when making hiring decisions or mentoring subordinates.

Mastering The Cloud

Cloud security practitioners looking to raise their games should pursue a combination of vendor and vertical-specific certifications as well as vendor-agnostic trainings that demonstrate a mastery of cloud and container security fundamentals.

That's according to seven cloud practitioners at both emerging and established cybersecurity players who spoke with CRN about which certifications they value most when making hiring decisions or mentoring subordinates.

Two of the recommended certifications provide baseline knowledge about how the cloud functions, while two others are focused on gaining mastery around the world's largest public cloud players. The remaining three certifications will help customers break into the public sector, implement DevSecOps methodologies, or prove to enterprise customers that their information is secure.

Below are the must-have cloud security certifications for practitioners in 2019.

AWS Certified DevOps Engineer – Professional

Associate-level certification provides a good introduction to cloud security, and indicates familiarity with compute, storage, databases and unique services in the cloud, according to Tim Jefferson, Barracuda Networks' SVP of data protection, network and application security.

But when Barracuda is looking to hire a site reliability engineer (SRE), Jefferson said the company prioritizes professional-level certificates like the AWS Certified DevOps Engineer since the more advanced level indicates that the prospective employee has hands-on keyboard skills rather than just abstract knowledge of how it should work.

A professional-level certificate indicates that the practitioner knows how to leverage independent services and write code that maximizes their benefit, Jefferson said. Given that AWS has 168 native services and counting, Jefferson said the magic of public cloud comes from tying services together.

Certificate Of Cloud Security Knowledge (CCSK)

The Certificate of Cloud Security Knowledge (CCSK) provides a comprehensive view of how the cloud operates and what the security principles are at the highest level, according to Aditya Joshi, Threat Stack's EVP, Products and Technology. Having a basic understanding of how the cloud operates and the different security standards to think about is vital to keeping up with the constant changes, he said.

Having a full perspective over everything from identifying assets to protecting and detection them is vital in the cloud, Joshi said. Understanding how the cloud security platform works both in terms of monitoring and detection as well as how the rest of the pieces connect into that is really critical, according to Joshi.

Practitioners should also have a strong foundation in areas of DevOps, Joshi said, with a deep understanding of how Docker, containerization and Kubernetes work. Understanding the operating model is foundational to being able to lock down infrastructure with all of these different components, according to Joshi.

Certified Cloud Security Professional (CCSP)

The Certified Cloud Security Professional (CCSP) has become the most widely-recognized cloud security certification, showing up in more job descriptions than any other certificate on the topic, according to Chris Noell, Alert Logic's SVP of product. The CCSP has a very thorough and rigorous exam behind it, Noell said, and the organizations behind the certification are well very-regarded.

The CSSP requires documented real-world experience, Noell said, and is not something that practitioners can earn simply by cramming overnight and doing well on a test. Given the complexities inherent to the cloud, Noell said that proficiency requires actual practice and not just reading a book.

The CSSP exam shows good grounding across security concepts found in all different types of clouds, which Noell said should ensure that certificate-holders are able to institute best practices. By passing the rigorous CCSP exam, Noell said a practitioner can help organizations spot issues and eliminate risks from their cloud environment.

FedRAMP (Federal Risk And Authorization Management Program)

The Federal Risk and Authorization Management Program (FedRAMP) certification is almost table stakes for businesses looking to sell into the federal government, and effectively opens up access to the entire government, according to Ryan Kalember, Proofpoint's EVP of cybersecurity strategy.

It's a massive meaningful cloud certification in the public sector today, and Kalember said there's nothing on par with it at this point. And the importance of FedRAMP is only set to increase going forward as state governments increasing adopt it as their own standard for cloud security, according to Kalember.

No certification is more broadly used in the U.S. government space than FedRAMP, Kalember said.

GIAC Python Coder (GPYC)

The GIAC Python Coder (GPYC) certificate ensure that security engineers know how to use the Python scripting language in security environment, according to Matt Chiodi, Palo Alto Networks' chief security officer, public cloud.

As organizations move from DevOps to DevSecOps application building cycles, Chiodi said cloud security teams have engineers that need to learn how to code. The GPYC certification can help retool engineering teams around automation while conferring mastery of the most common scripting language, according to Chiodi.

The GYPC is issued by the Global Information Assurance Certification (GIAC) organization.

Microsoft Certified: Azure Security Engineer Associate

The Microsoft Certified: Azure Security Engineer Associate came recommended by Scott Woodgate, senior director of Microsoft Azure management and security marketing. It assesses the ability of practitioners to implement security controls and threat protection, manage identity and access, and protect data, applications, and networks in cloud and hybrid environments.

Specifically, Azure Security Engineer Associates practitioners are expected to be able to configure Microsoft Azure Tenant Security, Active Directory for Workloads, and Active Directory Privileged Identity Management. Certificate holders are also expected to implement network security, container security, host security, and management security, as well as configure security policies and application security.

Candidates for the subsequent AZ-500 exam are expected to have strong skills in scripting and automation, a deep understanding of networking, virtualization, and cloud N-tier architecture, as well as a strong familiarity with cloud capabilities. As a Microsoft Azure security engineer, candidates often serve as part of a larger team dedicated to cloud-based management and security.

SOC (Service and Organization Controls) 2 Certification

Businesses that have embraced the cloud are most concerned about their controls around customer data, as well as who in the company can view the data and administer a cloud service, according to Bitglass Chief Technology Officer Anurag Kahol.

The SOC 2 certification puts stringent controls on customer data, Kahol said, requiring companies to define the boundaries around their cloud and record who in the organization has access to what customer data. SOC 2 specifically puts lots of controls in place for cloud administrator best practices, which Kahol said helps protects consumers from misuse of their data or breaches in confidentiality.

SOC 2 is focused primarily around tight administrative policies, and Kahol said the thorough controls help organizations get their cloud security posture where it needs to be.