More and more people are starting to ask the question how do I get into cloud security? In this post we are going to discuss this a bit and we will be discussing the podcast episode I just released where I discussed this very topic regarding specific information you should be familiar with to make this jump. First and foremost, you need to already have cyber security experience. It goes without saying that cloud security is a separate domain of cyber security, but it should be a higher-level domain where people in that domain should have some a good foundation and skillset in cyber security. For myself this looked like having experience across multiple industries working with several different technologies across several different domains. I did not just pick a domain and stay with that for 5 years, I would go into a role where I would get a broad range of experience in end point security, SIEM’s, IAM solutions and even a small amount of experience in network security. I am by no means an expert in any of these areas however, I do feel my strong suit is IAM as I have spent most of my experience with those solutions. Once you have a solid foundation of security experience then we can start working to venture into cloud security. Cloud security is an area that is rapidly growing and changing within the already growing and changing area of security. Cloud security forces you to think of things in a new and interesting way since the challenges of cloud security can be quite different from on-premises data center security. In the cloud you no longer own the facility or any of the infrastructure. Your data is literally residing on someone else’s computer so there are various security controls like IAM, Pipeline security & Encryption that must be applied properly to effectively protect your data in the cloud.
A few key certifications that I recommend everyone obtain to get started is the AWS CCP, Azure Fundamentals and/or Associate Cloud Engineer for GCP. You don’t necessarily have to have each one but you should have the cloud that you plan on diving more into and learning. A good way to choose which one is to go with the one your company is already using. If they are not in the cloud yet, then try to think of which cloud they would likely move to. Are they more Microsoft focused with everything they do? If so then Azure Fundamentals might be a great option. Is your company working with Big Data or AI/ML to an extent? Then GCP is likely the best route for you to move towards. Is your company looking for a more dynamic environment that can adjust and transform to your current environment? If so, then AWS is likely the route you want to take. No matter where you start eventually you need to become aware of all 3 of the cloud providers. It never hurts to be well versed in all of them. There are some out there that will tell you to get every single cloud certification that is on the market irrespective of the vendor. If you have the thousands of dollars and the time to race through the material and pass the exams, then go for it but I do not recommend this approach to anyone. There is nothing wrong with “going deep” into one or even two cloud providers but at some point the law of diminishing returns will come into effect. This is when the certifications you are getting are no longer increasing your salary as the first handful did and the knowledge you are gaining isn’t being used nearly as often as it should to make getting the certification worth it.
Each cloud provider has a free tier account level that I recommend everyone that wants to learn the cloud use and use often. All you need is an email address and a credit card to sign up and you have access to a limited amount of resources/services within that cloud provider. It is designed to really learn more about the cloud provider and potentially even be used as a study resource for your exams. I have done this several times over with the big 3 cloud providers and it has paid dividends when trying to learn about cross account access in AWS and may other topics that were difficult for me to picture in my head without doing it. The more time you spend in the cloud provider the more familiar you will become with it and the more likely it becomes that you will be able to land a job in cloud security. In cloud security like in all parts of security, you are expected to know that specific environment/tool/service better than most and often it is better than anyone else around you. With this expectation in mind, it means you need to learn the cloud provider of your choosing as much as you possibly can. To do this, you have to take the time and invest in yourself to eventually make the jump into cloud security. That is how I view everything that I work towards in security, I view it all as an investment in myself that will pay dividends in the future. With that mindset I find it easier to pay the money for a Udemy course or Cloud Guru, which I highly recommend both resources for anyone looking to get cloud certifications.
Once you have the foundational certifications out of the way it may be time to start exploring the CCSP. The CCSP was extremely difficult for me and I have also posted a blog post on this certification where I go into detail about how I studied for the exam and what I felt helped me the most to pass it in my second attempt. The CCSP teaches the student not only the fundamentals of every cloud provider and what makes a cloud provider the cloud, but it also frames your mind a certain way to be able to think of these problems properly. I know that sounds difficult to understand but ISC2 exams ask questions in a different way from any other exam I have taken. They ask questions that are designed to be real scenarios that can have several correct answers but based upon a criterion that you should know already you need to choose the most correct option. I know this does not sound any different from any other difficult exam but its more different than I expected when I took it.
While you are working on the certifications to gain more knowledge, I highly recommend you start trying to work your way into any ongoing or upcoming cloud projects at your company. Work with the people that are leading the project and attempt to be able to shadow them for the experience. Eventually you will get moved into a position where you are working directly with the cloud solution and your certifications will be able to back up why you should be allowed to work on it. If your company is not in the cloud which is hard to believe in 2021 then start thinking of ways your organization can use the cloud that will enhance, optimize their business and projects. Think of cost savings ways and use several tools out there to estimate a potential cost savings. Use this information to work towards getting approval for just one project to see if there is any value in the cloud for your company. Take charge of this new initiative and take full ownership of it. This may sound like a daunting task and it is but stay strong and keep pushing on. This is what the security world needs right now, they need go-getters, self-starters that are self-motivated to make radical change in any environment for the better while maintaining a high level of security and efficiency for the business.
In my recent podcast episode (the link is below) we discuss the topics and areas that you will begin learning in what I drew out above. We discuss how governance and cloud security works together and we give you examples of how when they are not working together what can happen. In this episode we give you our unfiltered experience in this area and we give you real world use cases for these foundational cloud security topics. We touch upon the key characteristics of any cloud provider and security concerns with each. We also discuss cloud governance and the extenuating circumstances around contracts that can make or break your cloud deployment. Finally, we dive into Cloud Security Operations where we discuss key items to consider when going into the cloud to best protect your data and your environment. All these topics are key to understand to be successful in the cloud and keep your data secure even while it is residing on someone else’s computer.
If you enjoy this blog and podcast then please leave a like, comment and share the blog & podcast. The traffic that these two mediums have generated is overwhelming and is far more than we ever expected. We are also going to be putting out more podcast episodes more often. We are working towards releasing two episodes a week, one on Wednesday and one on Saturday. I appreciate everyone’s support as we are diving into this new area to help anyone and everyone get into IT and Cyber Security. Please check out our podcast at the link below or we are also available on every podcasting platform out there:
Thank you everyone!