If there’s one thing you can’t accuse cloud security of being, it’s stagnant. We’re at a point where the cloud is arguably the most important part of any enterprise’s development strategy, and the field is evolving at a breakneck pace. Nothing in the world of cloud ever stays the same week on week, and the same goes for cloud security.
So what does this mean for your career as a cloud security engineer? Well, two things: first, you can rest assured that if you’ve got the goods, there’s almost certainly a job for you out there.
But this also means there’s a ton of competition for cloud security jobs, and if you want to stay competitive, you need to bring some serious skills to the table.
Luckily for you, we’ve got your back! In this article, we’re looking at AppSecEngineer trainer Abhay Bhargav’s top 4 tips you can start implementing RIGHT NOW to get ahead of the curve.
When you’re operating in the cloud, your typical workflow includes deploying builds, provisioning resources or storage, creating compute, etc. While all of these can be done manually through the console itself, this is far from the most efficient way to do it.
What most people do instead is automate these activities using infrastructure as code. This lets them automatically deploy resources at massive scale without having to worry about all the little buttons and levers they’d normally have to push doing the same thing manually. This also means you can deploy security and bug fixes across your entire tech stack without much effort.
And it’s not just about deploying resources — infrastructure as code offers immense flexibility in how you build and maintain your apps. Terraform, an open-source IaC software tool, is compatible with the three major cloud providers: AWS, Azure, and Google Cloud.
Vulnerabilities associated with access control are some of the most common security flaws you’ll come across in cloud applications. This is why it’s critically important to get a solid grasp of the foundational elements of cloud security. Identity and Access Management (IAM), Key Management Services (KMS), and cryptography are three of the most useful skills you can have as a cloud security engineer.
It’s easy to get carried away with the more advanced services like computing, database, or storage, because that’s what most people tend to talk about. To clarify, these are absolutely important and will become a big part of your daily workflow over time. But when it comes to where the real battles are fought, you’re going to want to get your fundamentals as strong as possible.
Cloud security, in many ways, is all about problem-solving. You’re managing multiple cloud services running different parts of your app, while hundreds (if not thousands) of users are accessing resources, storing their data, and taking up compute space.
And all of these need to run like clockwork, which means that every issue—small or large—must be dealt with as quickly and effectively as possible.
In such a scenario, having surface-level knowledge of the cloud just isn’t going to cut it. Cloud security certifications, while useful, only test a certain standardised set of skills or knowledge, and can’t really give you a more holistic perspective.
That isn’t to say certifications are useless — they can certainly be useful to have, particularly when you’re looking for employment.
But as a cloud security engineer, you should focus on acquiring deep, comprehensive knowledge of any single cloud provider, whether it’s AWS, Azure, or GCP.
All three providers typically have identical or similar services and functionalities, which means your skills in one will translate linearly to the others.
The true benchmark of a competent cloud security professional is how well they understand a problem and come up with quick, effective ways to address it. These skills, however, aren’t always taught in certification programs.
The image that comes to mind when you think of ‘networking’ is that of old-school data centres, routers, or firewalls.
Cloud engineers have a misconception that, because they’re operating on the cloud, they’re exempt from dealing with these things. Isn’t networking totally managed for you by the cloud provider?
Yes, and no. Abhay says, “Your organisation might need to run certain types of compute infrastructure on the cloud with isolation or segmentation between the resources they’re running on the cloud. If you don’t understand networking in the cloud, you’ll find this very difficult to implement, assess, or pentest.”
Understanding networking concepts like VPCs, flow logs, and network ACLs can seriously augment your ability to secure cloud infrastructure.
These skills become especially useful when dealing with highly customised cloud infrastructure at large enterprises, where there’s no established ‘rulebook’ for you to follow.
So, there you have it! Follow these 4 tips and you’ll learn unconventional, but highly sought-after skills in cloud security that can be applied universally across any provider or tech stack.
Aneesh Bhargav is the Head of Content Strategy at AppSecEngineer. He has experience in creating long-form written content, copywriting, producing YouTube videos and promotional content. Aneesh has experience working in the application security industry both as a writer and a marketer, and has hosted booths at globally recognized conferences like Black Hat. He has also assisted the lead trainer at a sold-out DevSecOps training at Black Hat. An avid reader and learner, Aneesh spends much of his time learning not just about the security industry, but the global economy, which directly informs his content strategy at AppSecEngineer. When he's not creating AppSec-related content, he's probably playing video games.