The rise of "Cloud Architect", "DevOps Security Consultant", "Cloud Security Architect"

UnixGuy Mod Posts: 4,564
I just want to pick your brains here, and I'm really open to new ideas and open to changing my mind as well...

I noticed a trend of having "SABSA/TOGAF" certified architects that do "Cloud Security Architecture", get paid handsomely..but the reality of their actual experience leaves a lot to be desired (to put it mildly).

I've been in meetings with them, and their job boils down to telling people how important it is to have complex passwords, reviewing AWS security groups to see who has access to what, and organising a pen test for the application by talking to a 3rd party company that will do the pentest (i.e. being the middle man between the pentester and the actual devops professional).

Now I know this is not the case everywhere, but I've been seeing an increasing trend. Make no mistake: the architects I described above, their job can be done by anyone with McDonald's experience. Anyone can call Microsoft/Amazon and ask them to assess the security, check boxes, call pentesting companies, go to meetings, and basically talk all day.

I think the rise of 'cloud' has somewhat facilitated this. In the past, you really needed to know your stuff to be able to talk about servers/networks, but now apparently not. I've heard countless cringeworthy things in meetings; it's not even funny anymore.


I hope I'm wrong, but I'm curious if you guys have noticed this? I'm very suspicious now when I hear the words 'cloud architect' or 'cloud security consultant'....


So my questions are:

1) Have you seen this trend?

2) Do you think this is a common thing now?

3) Am I exaggerating here?

4) What can we do about it?
Certs: GSTRT, GPEN, GCFA, CISM, CRISC, RHCE

Learn GRC! GRC Mastery : https://grcmastery.com 

Comments

  • gespenstern Member Posts: 1,243
    That has been like that for quite a while in infosec. Paper/compliance folks, despised by the rest of the "true" infosec people, who know how to write shellcode.

    Not saying exactly that their job is useless, but for the most part I agree, people who end up in these positions usually aren't the brightest ones, but the ones with connections and developed smooth speech skills. "I have people skills", lol.
  • UnixGuy Mod Posts: 4,564
    Thing is, I have nothing against GRC/Risk/ISO/Audit/Compliance work, it's important and I see the need for it.

    My problem is with Architects really; traditionally they're meant to come from a VERY strong technical background, but with the rise of 'Cloud/Security/Agile/etc', you really have clowns becoming architects by just reviewing the permissions on AWS Security groups (and not even doing it properly). This gives InfoSec in general a really bad reputation, and security folks aren't being taken seriously as a result (on some occasions; I know this is a generalisation).

    I just want to know what everybody thinks and what we can do about it.

  • gespenstern Member Posts: 1,243
    This again is kinda expected. Although I personally don't know any architects without a very solid technical background, I admit that this observation is probably true.

    But if we look back, "architect" wasn't a thing in IT at all in the 90s. I believe that one of the first mentions of this word was from Bill Gates when he retired from managing the company and called his new position an "architect". Nowadays I learn about positions advertised as "architects" who aren't even architecting anything; it becomes something like "someone who's knowledgeable and experienced and probably above Sr. Whatever Engineer position".

    Also, Amazon's use of the word doesn't help. According to them everyone who can spin up a few VMs in AWS is an architect, starting with "associate architect" (WTF).

    I expect that the quality of this position will deteriorate further down the road and we'll have to develop some other new buzzword and jump off the "architect" ship.

    When everyone's an architect, nobody's essentially an architect.
  • infosec123 Member Posts: 48
    There is nothing you can do about it, just worry about yourself and your company. There are people who are bad at their jobs in literally every job category out there. If you see someone performing poorly and putting your org's security at risk (and it sounds like you have), put some documentation together and bring it up with your management. Show what the person missed and how it can affect your org; these actions will not only protect the company, but if the issue continually occurs, they may look to replace the bad employee. In regards to pen testing done by 3rd party companies, I do my own pentesting and am ok at it (at best), but if I had the budget I would hire companies like Praetorian any day of the week. No infosec pro is an expert at everything he/she does, and should recognize his/her limits and put the company's security ahead of their own ego.
  • UnixGuy Mod Posts: 4,564
    ...

    Also, Amazon's use of the word doesn't help. According to them everyone who can spin up a few VMs in AWS is an architect starting with "associate architect" (WTF).

    ....


    This! I think this is part of the problem

  • UnixGuy Mod Posts: 4,564
    infosec123 wrote: »
    There is nothing you can do about it, just worry about yourself and your company. There are people who are bad at their jobs in literally every job category out there. If you see someone performing poorly and putting your org's security at risk (and it sounds like you have), put some documentation together and bring it up with your management. Show what the person missed and how it can affect your org, these actions will not only protect the company, but if the issue continually occurs, they may look to replace the bad employee.

    You bring up a lot of good points mate!
    infosec123 wrote: »
    There is nothing you can do about it, just worry about yourself and your company

    True but I think we can also point out that said architects aren't really qualified to design anything (I've done this by the way...not all managers are open to this idea...).


    infosec123 wrote: »
    In regards to pen testing done by 3rd party companies, I do my own pentesting and am ok at it (at best), but if I had the budget I would hire companies like Praetorian any day of the week. No infosec pro is an expert at everything he/she does, and should recognize his/her limits and put the company' security ahead of their own ego.


    I have nothing against using a 3rd party company to do pentesting; I think it should be done anyway. Not everyone should be a pentester for sure!

    My problem is with 'Consultants/Architects' who practically do nothing security-wise, and their job boils down to using 3rd party companies to do EVERYTHING: pentesting, firewall configs, risk assessment.... Their job is just to call 3rd party companies to do the work for them.. that's just ridiculous. Might as well offshore the whole department and save money.

  • thomas_ Member Posts: 1,012
    Sounds like architect might become the new engineer. Eventually we'll see custodial architects instead of custodial engineers.
  • infosec123 Member Posts: 48
    UnixGuy wrote: »
    True but I think we can also point out that said architects aren't really qualified to design anything (I've done this by the way...not all managers are open to this idea...).

    I definitely agree they aren't qualified to design anything, but unfortunately in today's world everyone wants an architect, engineer, or consultant title. Companies (especially IT service companies) will throw these titles out like it's nothing just to try and impress customers, and in the end almost everyone loses.
  • UnixGuy Mod Posts: 4,564
    thomas_ wrote: »
    Sounds like architect might become the new engineer. Eventually we'll see custodial architects instead of custodial engineers.

    I'm afraid this is the case right now in so many places...

  • JoJoCal19 Mod Posts: 2,835
    UnixGuy wrote: »
    I've been in meetings with them, and their job boils down to telling people how important it is to have complex passwords, reviewing AWS security groups to see who has access to what, and organising a pen test for the application by talking to a 3rd party company that will do the pentest (i.e. being the middle man between the pentester and the actual devops professional).

    Well, by definition of an architect, those duties don't sound far out of bounds. Designing password management specs or systems is part of the duties of a security architect, and thus communicating those out. Also creating the plans of when, what, and how the systems should be tested is not out of bounds for a security architect. And it sounds like the company is having their architect also handling the vendor management for it rather than putting it on the security management to handle.

    If you think about what the cloud is (basically outsourcing stuff to third parties, and/or moving stuff off premises while still keeping it in their control, whether it be servers, workstations, security, software, etc), the architect is no longer just designing stuff that resides physically on premises. So they are more designing the integration of those features/services with whatever is left on premises. I see what you're saying, but like most things when they're new, cloud security architect positions are defined differently by different companies. You've typically had security architects, then cloud architects, which are both legit positions. Now you see companies have a separate cloud security architect position that abstracts some of the typical duties of both of those positions.

    I definitely agree that companies and recruiters start throwing around engineer, architect, etc. for all types of positions and it really waters down the original meaning and intent for those types of positions. I can't stand when I see security engineer positions that basically do policy and/or access management type work. In your company's case it sounds like maybe the position is new, not really defined yet, and they're assigning different duties to it.
    Have: CISSP, CISM, CISA, CRISC, eJPT, GCIA, GSEC, CCSP, CCSK, AWS CSAA, AWS CCP, OCI Foundations Associate, ITIL-F, MS Cyber Security - USF, BSBA - UF, MSISA - WGU
    Currently Working On: Python, OSCP Prep
    Next Up: OSCP
    Studying: Code Academy (Python), Bash Scripting, Virtual Hacking Lab Coursework
  • UnixGuy Mod Posts: 4,564
    @JoJoCal19: But this *new* definition of an 'architect' is basically a middle man with an entry-level basic knowledge. What kind of knowledge is really required of someone to talk to a company and purchase a password management solution? And what kind of knowledge is really required of someone to coordinate a pentest? To me that's not really an architect, that's a 'project' coordinator at best; an entry level project coordinator really.

    Payscale should be adjusted: if this new age 'architect' is just coordinating a pentest, then their payscale should be much lower than both the developers and the professionals doing the pentest. Heck, I think this job is redundant and a waste of money; the developers or managers or even service desk can coordinate a pentest. Add to that the delusion that comes with those 'architects' (illusion of knowledge), the stuff I hear that comes out of their mouths...

  • JoJoCal19 Mod Posts: 2,835
    If what you posted was ALL they are doing, then yea that seems to be a ridiculous position. I was thinking in the course of what they are doing, they are also doing those activities. It seems maybe that's just a unique situation at your company. I would hope that's not the case at all of these companies that have Cloud Security Architects. But really the positions with that name are so new I've yet to talk to anyone who has that title.
  • thomas_ Member Posts: 1,012
    I'm just dying to hear what some of these "Architects" have said...please, do share UnixGuy...
  • Ertaz Member Posts: 934
    UnixGuy wrote: »
    @JoJoCal19: But this *new* definition of an 'architect' is basically a middle man with an entry-level basic knowledge. What kind of knowledge is really required of someone to talk to a company and purchase a password management solution? And what kind of knowledge is really required of someone to coordinate a pentest? To me that's not really an architect, that's a 'project' coordinator at best; an entry level project coordinator really.

    Payscale should be adjusted: if this new age 'architect' is just coordinating a pentest, then their payscale should be much lower than both the developers and the professionals doing the pentest. Heck, I think this job is redundant and a waste of money; the developers or managers or even service desk can coordinate a pentest. Add to that the delusion that comes with those 'architects' (illusion of knowledge), the stuff I hear that comes out of their mouths...

    **Takes Architect Badge and throws it on the ground** (Just kidding, lowly engineer here.) I've worked with some bad ones and some good ones.
  • DatabaseHead Member Posts: 2,753
    Never dealt with security architects. I have dealt with enterprise / cloud architects in my last 3 positions and all of them had STRONG Dev backgrounds with other methodologies, such as TOGAF or SOA. The transition from senior developer to architect is usually a pretty easy transition, at least from my experience.

    In respect to the data architects I work with, they have all had at least 10 years of ETL and specific business vertical experience. They are very bright people so, to answer your question, no I haven't seen a McDonald's employee capable of handling the roles I listed above.

    I'll keep on the look out though.......
  • UnixGuy Mod Posts: 4,564
    ...

    In respect to the data architects I work with, they have all had at least 10 years of ETL and specific business vertical experience. They are very bright people so, to answer your question,.......


    And that's how it should be!!! Unfortunately that's not the case with *some* (I hope I'm wrong, but I'm noticing a trend...)

  • UnixGuy Mod Posts: 4,564
    JoJoCal19 wrote: »
    If what you posted was ALL they are doing, then yea that seems to be a ridiculous position. I was thinking in the course of what they are doing, they are also doing those activities. It seems maybe that's just a unique situation at your company. I would hope that's not the case at all of these companies that have Cloud Security Architects. But really the positions with that name are so new I've yet to talk to anyone who has that title.


    They might not necessarily be called "Cloud Security Architects", but just "Security Architect".... Other tasks that come to mind: calling a third party company to assess the in-house ISMS (basically create the ISMS for them). If you can always rely on vendors/service providers to do the real work, in-house architects can get away with pretty much doing nothing.

  • UnixGuy Mod Posts: 4,564
    thomas_ wrote: »
    I'm just dying to hear what some of these "Architects" have said...please, do share UnixGuy...

    Trying to remember the things that my brain tries so hard not to remember (for survival purposes)....

    - WannaCry is an easy virus I can create one or stop it in 5 minutes

    - I'm hacking the websites (runs nmap and finds nothing)

    - From a "Security Point of View" --> insert any stupid line here such as: We MUST enable SAML authentication in this solution (all the users are external to the organisation, SAML has no place in that instance).

    - From a "Security Point of View": if it uses SSL it is secure, if it doesn't I will 'hack it'.

    - I'm doing Agile security==> Calls one of the big4 to run generic pentest against the app.

    - Overhears actual security professionals talk about 2 attacks detected and dropped by the IPS ==> "OMG WE ARE UNDER ATTACK WE ARE BEING HACKED WE NEED TO STOP THE ATTACKS" (shouts loudly so everyone hears..)

    - Sees one phishing email....replies to the phishing email (cc'ing everyone) to show them he is stopping phishing.


    The problem is I'm one of those guys if I see (or hear) something, I laugh loud...I've had this habit all my life, and it's hard to keep a straight face....

  • JoJoCal19 Mod Posts: 2,835
    UnixGuy wrote: »
    Trying to remember the things that my brain tries so hard not to remember (for survival purposes)....

    - WannaCry is an easy virus I can create one or stop it in 5 minutes

    - I'm hacking the websites (runs nmap and finds nothing)

    - From a "Security Point of View" --> insert any stupid line here such as: We MUST enable SAML authentication in this solution (all the users are external to the organisation, SAML has no place in that instance).

    - From a "Security Point of View": if it uses SSL it is secure, if it doesn't I will 'hack it'.

    - I'm doing Agile security==> Calls one of the big4 to run generic pentest against the app.

    - Overhears actual security professionals talk about 2 attacks detected and dropped by the IPS ==> "OMG WE ARE UNDER ATTACK WE ARE BEING HACKED WE NEED TO STOP THE ATTACKS" (shouts loudly so everyone hears..)

    - Sees one phishing email....replies to the phishing email (cc'ing everyone) to show them he is stopping phishing.


    The problem is I'm one of those guys if I see (or hear) something, I laugh loud...I've had this habit all my life, and it's hard to keep a straight face....

    Wow man, that is gross incompetence at its finest. That's definitely no architect of any kind right there. Does management understand what this guy is doing? Sucks you have to sit there and witness and deal with that, especially when he's probably making top dollar.

    UnixGuy wrote: »
    They might not necessarily be called "Cloud Security Architects", but just "Security Architect".... Other tasks that come to mind: calling a third party company to assess the in house ISMS (basically create the ISMS for them). If you can always rely on vendors/service providers to do the real work, In house architects can get away with pretty much doing nothing

    Oh. Well again, companies tend to add duties that are outside of the scope of a person's position, but if that guy is not doing any actual designing of anything (even if it's high-level designs), then he's no Architect.
  • blargoe Member Posts: 4,174
    This has been prevalent for a while for companies trying to sell professional services. Architect sounds better, and more expensive.
    IT guy since 12/00

    Recent: 11/2019 - RHCSA (RHEL 7); 2/2019 - Updated VCP to 6.5 (just a few days before VMware discontinued the re-cert policy...)
    Working on: RHCE/Ansible
    Future: Probably continued Red Hat Immersion, Possibly VCAP Design, or maybe a completely different path. Depends on job demands...
  • ITSec14 Member Posts: 398
    This may sound like a stupid question, but what exactly is the difference between an architect and an engineer in security? I've never worked with anyone who had an "architect" title.
  • Remedymp Member Posts: 834
    blargoe wrote: »
    This has been prevalent for a while for companies trying to sell professional services. Architect sounds better, and more expensive.


    This is exactly how it is where I work. When people started going after the CISSP, no one on this board complained about them calling themselves Security professionals or CEH for that matter.

    I think the term "Cloud" is just a fashion symbol or Hash tag at this point. We have Customer Success Engineers and they're basically Help Desk with Business Analyst skills. It never bothered me.
  • Remedymp Member Posts: 834
    ITSec14 wrote: »
    This may sound like a stupid question, but what exactly is the difference between an architect and an engineer in security? I've never worked with anyone who had an "architect" title.

    Architects would be your Associate Information Security Officer and Engineers are the ones who Lead off the Analyst. Engineers typically answer to the Architect. Architect answers to the CTO or CISO.
  • Mitechniq Member Posts: 286
    Interesting set of responses.

    The Architect role has emerged due to the consolidation of work being done by Cloud/Virtual Architects. Just 5-10 years ago an IT shop was very compartmentalized: you had your help desk, network, database, security, OS admins. Each leveraged an Engineer as the SME. While it is still possible to have these roles in the cloud, it is highly unlikely. Architects must have a wide breadth of knowledge and should be well rounded on all domains but have a deep understanding of 2-3. This approach is no different than a building architect providing you the blueprint and walking you through the concept, design and build phases based on your concept/desire. Along the way he/she will leverage several engineers to scope specific requirements. What has happened is that Pre-Sales guys have taken over the word Architect and usually bring a sales pitch or marketing fluff to the table, and I am thinking that is what you are experiencing.
  • ITSec14 Member Posts: 398
    Remedymp wrote: »
    Architects would be your Associate Information Security Officer and Engineers are the ones who Lead off the Analyst. Engineers typically answer to the Architect. Architect answers to the CTO or CISO.

    That's sort of what I was thinking, but thanks for clarifying. In all of my IT jobs, we've always had technicians, admins, engineers then either senior level folks or managers who actually get their hands dirty.