By Graham Thompson, CCSK, CCSP, CISSP, Authorized Trainer, Intrinsec Security
I was recently asked about CCSK certification vs AWS certification and which one should be pursued by someone looking to getting into cloud security. This post tries to address the question “which cloud certification is right for you.” I’ll give you a lay of the land for both certifications, available training, the exams, and then conclude with thoughts on which certification is right for you.
Certificate of Cloud Security Knowledge (CCSK)
The Certificate of Cloud Security Knowledge (CCSK) is from a research organization called the Cloud Security Alliance (CSA). The CSA has created guidance for securing cloud services and released a recently updated version of this guidance (CSA Guidance v4). The guidance is about 150 pages and covers most of the knowledge required to successfully pass the CCSK exam (more about the exam down below).
In a nutshell, the goal of the CCSK is to give a vendor-neutral look at cloud security issues, covering the following three areas of knowledge:
Cloud computing concepts and architectures
It begins by answering the question “what is cloud computing,” then moves on to the differences between the models and architectures listed below, and other fundamental cloud knowledge.
- Service Models (SaaS, PaaS, IaaS)
- Deployment Models (e.g. Public Cloud, Private Cloud)
- Reference Architectures
- Cloud Security Models
Governing in the cloud
Like everything else, cloud security doesn’t (shouldn’t?) operate in a silo. The CCSK addresses how cloud changes governance, risk management and compliance. Other aspects of governing in the cloud include:
- Audit management
- Information governance
- Business continuity
- Jurisdictional issues
- Legal concerns
This information should be known by all individuals who are responsible for governing (and operating) cloud services, regardless of the service models being consumed in your organization.
Operating in the cloud
Moving forward, the CCSK covers the technical components of cloud systems such as:
- Virtualization (e.g. hypervisors, Software Defined Networks (SDN), VLANs)
- Incident Response
- Application Security
- Data Security and Encryption
- Identity, Entitlement and Access Management
- Security as a Service
- Related Technologies (e.g. DevOps, Immutable Infrastructure, IoT, etc.)
Should you take the training or self-study for the CCSK certification exam? That’s your call. Personally, I’m always a fan of doing training because it allows me to get away from the office and completely immerse myself in the subject at hand. I also get the opportunity to learn how things work in the “real world.”
If you prefer the self-study route, you have all the documentation you need listed below to take the exam.
If you are looking at the training route for yourself or your company, you can check out our offerings here. We offer the official and authorized CCSK in on-demand, on-line and in-person settings. We can also offer on-site training that is modified to your corporate requirements. (If you are looking for more info, a lot of these details about the CCSK can be found on Cloud Security Alliance’s website.)
All course registrants also get access to our exclusive CCSK exam prep kit that includes:
- Immediate access to on-demand CCSK v4 course
- CCSK exam v4 prep videos
- Hundreds of CCSK v4 pre-test questions
- Pre-paid token for the actual CCSK v4 exam
Note: Unfortunately, we are prohibited from offering the exam prep package as a stand-alone product.
CCSK certification exam
In addition to the CSA Guidance, you’ll need to read and understand CSA’s Cloud Controls Matrix (CCM), the Consensus Assessment Initiative Questionnaire (CAIQ), and finally the ENISA Cloud Computing Risk Assessment document. All documents are available from the following download links.
CCSK exam details
The exam itself is taken online any time you wish. There are 60 questions, and you are given 90 minutes to finish. It is an open-book exam, but don’t let that fool you – it’s a pretty tough exam, and I have seen people from various backgrounds fail.
I believe people fail the exam because of the diverse nature of the CCSK exam itself. You’re looking at an exam that addresses both cloud operations and cloud governance. Most people will be strong in one or the other, but rarely is someone well-versed in both areas. If you’re in a technical position at work, you’ll need to focus on governance, and vice versa, of course.
We have published some pre-test practice questions for exam candidates who are looking to see what they might be up against before taking the actual test. All the questions are based on the new v4 version of the CCSK exam.
Amazon Web Services (AWS Certification)
Amazon has multiple AWS and specialty certifications available.
For convenience, I’m including the roadmap graphic that was on the AWS certification site below:
As you can see, there’s more to the question “CCSK or AWS Certification.” AWS has multiple streams available, but I’m going under the assumption that most people mean the AWS Certified Solutions Architect designation.
Regardless of the track or specialty, let’s make one thing extremely clear: AWS is a vendor and the complete focus will be on HOW things are done in AWS, specifically. Amazon says so themselves in their certification descriptions: “technical role-based certification.”
AWS Certified Solutions Architect – Associate
Below is the list of recommended knowledge you should have before even considering the AWS Architect – Associate exam. I have done this exam (yes, I passed) and I wrote about my thoughts on that exam here.
- One year of hands-on experience designing available, cost-efficient, fault-tolerant, and scalable distributed systems on AWS
- Hands-on experience using compute, networking, storage, and database AWS services
- Hands-on experience with AWS deployment and management services
- Ability to identify and define technical requirements for an AWS-based application
- Ability to identify which AWS services meet a given technical requirement
- Knowledge of recommended best practices for building secure and reliable applications on the AWS platform
- An understanding of the basic architectural principles of building on the AWS Cloud
- An understanding of the AWS global infrastructure
- An understanding of network technologies as they relate to AWS
- An understanding of security features and tools that AWS provides and how they relate to traditional services
More information about the associate level certification from Amazon can be found here.
AWS Certified Solutions Architect – Professional
I have not taken this exam. That said, I have worked with many people who have taken and passed the professional exam. These people really know their AWS stuff. I think it is fair to say there aren’t many people who have the professional designation who just know the theory of things, but rather have years of practical hands-on experience in AWS.
In order to take the professional-level exam you must have the associate-level certification already.
Here is the list of knowledge AWS expects their professional architect holders to have:
- Designing and deploying dynamically scalable, highly available, fault-tolerant, and reliable applications on AWS
- Selecting appropriate AWS services to design and deploy an application based on given requirements
- Migrating complex, multi-tier applications on AWS
- Designing and deploying enterprise-wide scalable operations on AWS
- Implementing cost-control strategies
In my view, you’re expected to be able to take everything you know from the associate level and apply it to enterprise scale.
More information about the professional level certification from Amazon can be found here.
For the AWS Architect – Associate certification, you can either take the self-study approach or attend an actual training session. Bottom line here is this is not a theory-based exam. You will need to have actually spun up server instances and have worked with AWS services before taking the actual exam.
Amazon has excellent learning collateral in their whitepapers that you should study if you are going solo. The resources they recommend are:
- Architecting for the Cloud: AWS Best Practices
- The AWS Well-Architected webpage (various whitepapers located here)
AWS certification exam
A word to the wise. Passing the AWS Architect exam is all about two things:
- Hands-on experience, and
- Knowing what is covered in the exam.
As I mention in my thoughts on the AWS exam piece, buy the practice exam. Don’t even think about cheaping out on this one. Seriously. Doubly seriously if you’re doing the self-study approach.
AWS exam details
The AWS exam is a scaled-score exam. In other words, not all questions have the same value. Easy questions are worth less than harder ones. I’m not alone when I say I hate these types of exams, as you have no idea how you’re actually doing as you go through the questions. As an added bonus, Amazon states you need a “720” (out of 1,000) to pass the test, which does not mean 72 percent because the questions all have different values.
Download the AWS Certified Solutions Architect – Associate (February 2018)
Which cloud certification is right for you?
As we covered, the two certifications are not similar at all. The CCSK is relevant to both governance and operational security of cloud services. It is written by an independent body and is completely vendor agnostic. The AWS certifications are 100-percent technical and are specific to AWS implementations.
- CCSK certification addresses the “what” of cloud security
- AWS certification addresses the “how” of AWS implementations
If you are looking to understand cloud security challenges, the CCSK is right for you. If you are in management and need to understand the impact cloud services will have on your organization, the CCSK is for you. If you work in operations and need to better understand the security challenges associated with cloud in general, the CCSK is for you.
If you are working in a dedicated AWS technical position, the AWS Certified Architect is the certification you should go with. If you are working with AWS in a security capacity, you should do the CCSK first, then follow up with the vendor-specific AWS training.
From a corporate perspective, everyone involved with information technology, ranging from procurement through risk management and operations should attend the CCSK session, even if it is an accelerated 1-day “awareness” session.
Graham Thompson is a cloud security architect and delivers both CCSK and CCSP official courses as an authorized trainer for Intrinsec Security. You can reach Graham on LinkedIn or by old-fashioned e-mail.