A Practical Pathway for Mid-Career IT and Security Professionals to Master Cloud Security

Can Cloud Security be learned theoretically?

 Many believe that they can learn cloud security by simply studying white papers and completing online courses without hands-on experience with cloud service providers. While this may be enough to gain some understanding and participate in discussions, it falls short when it comes to effectively securing organisations against cyber attacks.

 The cloud represents a paradigm shift from traditional on-premise strategies, requiring professionals to master new engineering concepts and technologies. This learning is an essential prerequisite to gain required knowledge and acquire necessary skills to secure a cloud environment. 

In this blog, I am sharing a short pathway for learning cloud security as an absolute beginner. It is targeted at mid-career professionals who have experience in IT and security but have not handled cloud environments. The article is primarily focused on IaaS (Infrastructure as a Service) and not on PaaS and SaaS.

 Step 1 - Learn the Cloud fundamentals
  1. Start by learning cloud fundamentals through courses such as AWS Certified Cloud Practitioner, Google Cloud Fundamentals, or Microsoft Azure Fundamentals, depending on the provider you choose.
  2. Pick one IaaS (Infrastructure as a Service) cloud service provider. Choose between Amazon AWS, Microsoft Azure and Google Cloud Platform (GCP), as they are the most adopted and popular cloud providers.
  3. Open an account and create some basic resources such as a virtual machine, storage bucket, web server and DNS. Creating these assets in the cloud will give you a real-life feel for how cloud computing works. This can cement your understanding of cloud concepts.

 Step 2 - Understand Cloud Security Fundamentals
  1. Visit the Cloud Security Alliance website and download the Cloud Security Guidance document.
  2. Read and review the document to get a high-level understanding of key cloud security concepts.
  3. Understanding the core principles in this document will give you a comprehensive, industry-recognized view of cloud security challenges and solutions.

 Step 3 - Learn to secure Cloud practically
  1. Leverage open source controls to identify security issues in your cloud infrastructure. These tools help identify common misconfigurations and vulnerabilities, offering real-world insights into cloud security issues that can’t be learned solely from theory.
  2. Leverage tools like Scout Suite for multi-cloud auditing, Prowler for multi-cloud security checks and compliance audits (AWS, Azure, GCP), and Cloud Custodian for policy enforcement to gain practical security insights.
  3. Practically implement cloud security in your chosen cloud using the native security controls of the cloud service provider. For example, in AWS you can leverage solutions such as AWS Security Hub for posture management, AWS Inspector for vulnerability management, AWS WAF for protecting against application-level attacks, AWS Secrets Manager for securing credentials and AWS Firewall Manager for managing and reviewing security groups and network firewalls.
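
To make the kind of finding these tools report concrete, here is an added example (not part of the original post, and not code from Prowler, Scout Suite or Cloud Custodian). It runs two typical misconfiguration checks over constructed data shaped like AWS CLI output: admin ports open to the whole internet, and S3 buckets without a full public access block. All resource IDs and bucket names are made up.

```python
import ipaddress
# Constructed sample data, shaped like `aws ec2 describe-security-groups`
# and `aws s3api get-public-access-block` output. IDs and names are made up.
SECURITY_GROUPS = [
    {"GroupId": "sg-0example0001", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0example0002", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
    {"GroupId": "sg-0example0003", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 4000,
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]
FULL = dict.fromkeys(("BlockPublicAcls", "IgnorePublicAcls",
                      "BlockPublicPolicy", "RestrictPublicBuckets"), True)
BUCKETS = {
    "example-logs": FULL,
    "example-uploads": {**FULL, "IgnorePublicAcls": False},
    "example-legacy": None,  # no public access block configured at all
}
ADMIN_PORTS = {22: "SSH", 3389: "RDP"}

def open_admin_ports(groups):
    """Return (group id, service) for admin ports reachable from any address."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            if not any(ipaddress.ip_network(c).prefixlen == 0 for c in cidrs):
                continue  # rule is limited to specific networks
            proto = perm["IpProtocol"]
            if proto not in ("-1", "tcp"):
                continue
            # "-1" means every protocol and port; otherwise use the rule's range
            lo, hi = (0, 65535) if proto == "-1" else (perm["FromPort"], perm["ToPort"])
            findings += [(sg["GroupId"], name) for port, name in ADMIN_PORTS.items()
                         if lo <= port <= hi]  # a wide range can hide an admin port
    return findings

def buckets_without_full_block(buckets):
    """Return buckets where any of the four public access block flags is off."""
    return sorted(name for name, cfg in buckets.items()
                  if not cfg or not all(cfg.get(flag) for flag in FULL))

if __name__ == "__main__":
    print(open_admin_ports(SECURITY_GROUPS), buckets_without_full_block(BUCKETS))
```

In a real account the bucket check also has to take the account-level public access block into account, which this example does not look at.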

 Step 4 - Understand the commercial solutions available to secure your cloud environment

  1. As organisations grow and adopt multi-cloud environments, commercial solutions offer enhanced automation, scalability, and compliance features not always available in open-source tools.
  2. Some of the main solution categories, with key vendors that can be leveraged, are:
    1. CSPM (Cloud Security Posture Management): Monitors and remediates cloud misconfigurations to improve overall security posture. Eg: Palo Alto Prisma Cloud, Orca, Check Point CloudGuard
    2. CWPP (Cloud Workload Protection Platform): Protects workloads such as virtual machines, containers, and serverless functions from threats. Eg: Trend Micro Cloud One, McAfee MVISION Cloud, Palo Alto Prisma Cloud
    3. CNAPP (Cloud-Native Application Protection Platform): Combines CSPM and CWPP to provide end-to-end security for cloud-native applications. Eg: Wiz, Palo Alto Prisma
    4. CIEM (Cloud Infrastructure Entitlement Management): Manages and secures cloud identities and permissions to prevent privilege abuse. Eg: Sonrai Security, Ermetic, Zscaler CIEM
  3. These tools help identify common misconfigurations and vulnerabilities, offering real-world insights into cloud security issues that can’t be learned solely from theory.

 Step 5 - Build a Cloud Security Strategy leveraging NIST CSF
  1. Identify key solutions and processes to secure your cloud environment using the NIST CSF framework.
  2. For each of the five NIST functions, decide and plan what processes and solutions you will implement. For example:
    1. Identify: Inventory and classify cloud resources and data to understand the risks in your environment. 
    2. Protect: Implement security controls like encryption, IAM, and network security to safeguard cloud assets. 
    3. Detect: Continuously monitor for anomalies and potential threats using cloud-native or third-party detection tools. 
    4. Respond: Develop and automate incident response procedures to quickly mitigate and address security incidents. 
    5. Recover: Implement backup, disaster recovery, and business continuity plans to restore operations after an incident. 
  3. Turn this into a 3, 6 and 12 month roadmap for an effective cloud security journey for an organisation.

This learning path can take anywhere from 3 - 6 months to attain limited proficiency in cloud security. By following this pathway, you'll gain a solid foundation in cloud security, enabling you to contribute significantly to your organisation’s cloud strategy and build a robust, secure cloud environment. Though this may not make you an expert overnight, it is the right step towards mastering cloud security and advancing your career.

 This pathway not only lays the groundwork for securing your organization but also positions you for future career growth in cloud security.
