Typical Cloud Security Career Path

egrizzly

I'm considering specializing in cloud security.  What do you folks experienced in cloud feel the typical career path is like, and which qualifications are recommended to reach each level?

scasc

I found doing the CCSK was a good foundation and topped this up with CCSP. This provided a good security perspective to cloud. Then choose a vendor (GCP/Azure etc.). You can tailor what you have learnt to the vendor's specific environment. Containers/Kubernetes is driving the automation and development aspects now - CI/CD pipelining etc. 

JDMurray

In Cloud technology there are architecture, engineering, and development paths. You can also specialize in Cloud networking, security, or application services (e.g., databases, machine learning). Do you have an idea on which path you'd like to follow? 

egrizzly

JDMurray said:

In Cloud technology there are architecture, engineering, and development paths. You can also specialize in Cloud networking, security, or application services (e.g., databases, machine learning). Do you have an idea on which path you'd like to follow? 

yeah bud.  I specified it was Cloud Security remember?

egrizzly

scasc said:

I found doing the CCSK was a good foundation and topped this up with CCSP. This provided a good security perspective to cloud. Then choose a vendor (GCP/Azure etc.). You can tailor what you have learnt to the vendor's specific environment. Containers/Kubernetes is driving the automation and development aspects now - CI/CD pipelining etc. 

Hi Scasc. I noticed that you have both (CCSK, CCSP).  Is your day-to-day role in cloud security?

LonerVamp

As JD said, there's three big areas to go into with Cloud Security: architecture (planning and design), engineering (building systems), developer (coding and more). You can go into oversight and incident response, too.

Thing is, getting into cloud security is like other things security. You can, do so and sort of advise and audit, but for getting into the real nuts and bolts, you have to be conversant in the technologies and services. Even better, it helps to be able to self-serve and build what you need and code the solutions you need in the cloud, too.

IMO, the CCSK and CCSP are useful to learn about Cloud Security management. But, it does not replace being able to be hands-on with the cloud environments.

Some of the easiest routes into something like AWS Security will be for developers and devops/engineers (sysops) who are familiar with doing things and solving issues in the cloud environment. In other words, from non-sec roles into related sec roles.

That said, if you want to blast in, I'd say getting your AWS Security Specialty and any (or all) other Associate certs ASAP. And don't forget Azure (which I'm less familiar with).

scasc

egrizzly said:

scasc said:

I found doing the CCSK was a good foundation and topped this up with CCSP. This provided a good security perspective to cloud. Then choose a vendor (GCP/Azure etc.). You can tailor what you have learnt to the vendor's specific environment. Containers/Kubernetes is driving the automation and development aspects now - CI/CD pipelining etc. 

Hi Scasc. I noticed that you have both (CCSK, CCSP).  Is your day-to-day role in cloud security?

Hi - Cloud Security is a big part of my work, however as I work as a self employed consultant - my work span covers architecture, design, cloud, risk etc. At the moment, I am looking at assessing the security architecture of a client's AWS environment but at the same time also assessing the GPG/PGP security parameters to be used as part of connectivity between 2 remote servers over FTPS. Its a complex setup by they have decided to do it this way. 

Usually, cloud has always been appealing to 2 people - developers to create apps and sys admin to script/automate and maintain their workloads - just like you have with an On-Prem environment. I have found that to ensure solid architectural principles are followed and deployed in the cloud the CCSK/CCSP have been valuable, but to validate how this is done/being achieved, a vendor specific cert is valuable. 

I see the market for devsecops exploding to where you script/automate and embed security scanning as part of your CI/CD pipeline workloads but throwing containers and Kubernetes into the mix (using services such as ACS/AKS, etc.) has created a lot of opportunity. I myself, have not done a tremendous amount in this space, but I find my role sits within the architecture/risk/advisory space anyway so no issue. 

Find an area you reckon you want to develop, get an account in AWS or Azure or even GCP and use some videos you find from linux academy, vendor's own site and see how you can create EC2 instances, internet gateways, static or elastic IP's etc. I hope this helps.