Popular with:
Cloud Engineer
Security Architect
Cloud Security

A Beginner's Guide to Cloud Security Architecture

June 16, 2022
Written by
Aneesh Bhargav
Rajesh Kanumuru

A Beginner's Guide to Cloud Security Architecture

So you're interested in becoming a cloud security architect. It's super easy! All you have to do is work for several years as a security engineer or analyst, gain experience in cloud security, get industry-standard certifications specific to security architecture, and...

Okay. Maybe it's not that easy. Cloud security architects are highly sought after, but it's not exactly an entry-level position. So how exactly do you get a job in cloud security architecture? And what skills do you need to develop in order to get there? Read on to find out.

Let's start with the basics: What does a Cloud Security Architect do?

We can demystify the term by looking at what a regular architect does, because they're not too different. An architect drafts the initial blueprint for the construction, figures out the design and layout of the building, and determines how the space will be used. They don't really get involved with the day-to-day challenges of actually building the structure — they just create plans for the engineer to execute.

Similarly, a cloud security architect is responsible for planning how the security systems are going to work and how they will be implemented across the application. They need to consider what tools, components, and platforms they use, how everything is designed, and what risks their organisation is likely to face.

For example, when you upload a file online, your data gets stored in the cloud. A cloud security architect would need to create an input validation mechanism or security policy to prevent a cross-site scripting (XSS) or SQL injection attack.

So while it's still the engineers building the app with these security features enabled, the cloud security architect designs how those security features work in the first place.

Want learn cloud security architecture hands-on? Try our Attacking AWS Serverless Applications course!

The 'Seven Commandments' of Cloud Security Architecture

I know, I know, I don't want to turn this into a boring listicle either. But these 7 principles are a bite-sized distillation of what a cloud security architect's job is all about.

Design security for every layer

This might sound rather obvious, but that doesn't make it any less important. Each layer of your cloud stack needs to have its own security controls, ie., it needs to be 'self-defending'.

For example, your organization's network needs to be properly secured with access controls and firewalls, and your data needs to be backed up and securely encrypted.

A big part of security architecture is standardization, which can be achieved through security-as-code. Automating security processes and continuously monitoring your cloud environment can dramatically increase the efficiency of your security program.

This can be achieved through a robust DevSecOps program, but that's a topic for another time.

Start your DevSecOps journey today. Learn from 7 courses in our DevSecOps Learning Path.

Don't get too comfy with components

One of the challenges with cloud is that you're dealing with multiple cloud providers, platforms, and services. For example, if you're running your cloud stack entirely on AWS, you may have to shift part of your workflow to Azure or Google Cloud.

There's a ton of advantages to going multi-cloud, including disaster recovery, load balancing, and separating development and production environments. With a hybrid cloud model, you can't afford to be wedded to one specific set of components.

"Think about components that can be adopted or adapted to more than one cloud as an architectural principle and design model," says Dave Shackleford, Sr. Instructor at the SANS Institute.

Design for failure

Nobody likes failure, least of all security folks. A failure of security is just about the worst thing that can happen on an organizational level.

But just like every car manufacturer needs to build their vehicles with airbags and seatbelts, security architects need to design their apps for the worst case scenario. Not everything is in your control (or can be), and you need to build redundancies to soften the impact of a security failure.

There are two crucial things to consider here:

  • How you'll detect a failure when it happens
  • How you can bring it into a state where it's no longer failing

It's important for you to figure out all the hundreds of ways your systems could fail, either on a component level (bad) or at a widespread architectural level (very, very bad), and design ways to minimize damage.

Design for elasticity

Today, the cloud has given us the ability to massively scale up or down the availability of services depending on the level of demand. But in order to achieve this sort of elasticity, you need to answer a few important questions:

  • Do you need to scale vertically or horizontally, ie., get a bigger server or more servers?
  • How will your systems adjust to changing volumes or loads?
  • What is causing new instances to be spun up?

You need to figure out how you're going to deploy systems and services before building out your architecture. This will ensure you don't face unforeseen issues in your cloud stack later, leading to delays, or worse, insecure builds.

Pay more attention to cloud storage

This isn't something a lot of security folks pay much attention to, yet it's vitally important to literally every application. With the number of cloud providers out there, you're going to come across a host of different cloud storage services.

You need to spend the time understanding each storage service in depth. Here's a short list of what you should be looking out for:

  • Security options and policies
  • Performance
  • Redundancy and archival
  • Access controls
  • Encryption
  • Cost

This is just the start. There's tons more things to consider when evaluating a cloud storage service, but these are some of the most important for a cloud security architect.

Get more involved with logging and monitoring

Logging and monitoring is probably the least sexy part of cloud security, but hey, when do healthy things taste good?

When you're running a complex application in the cloud, you need to be intimately familiar with what's going on at every level of your environment.

To achieve that, you first need to enable logging everywhere you can, from network platforms to access management activity. These logs are like arteries, collecting information for you from all across your app.

But you can't exactly manually pore over all that data yourself: you need to prioritize what you pay attention to. Monitoring services like Amazon CloudWatch or Azure Monitor to alert you to malicious activity, track metrics, and notify you on changes in your AWS resources.

Learn how to monitor AWS environments with our hands-on course, Amazon ECR Security Essentials.

Centralization, Standardization, Automation

When it comes to cloud stacks, things can quickly get out of hand as you integrate new tools, dashboards, and services into your environment, not all of which are totally compatible with each other.

This can become a big problem over time, making things way harder to manage. Always be mindful of what each service or tool is for, and 'centralize' your toolkit so everything works fluidly together.

You should also be leveraging well-known standards in, for example, access management, configurations, and cryptography. By having a consistent architectural model across the various cloud services, you can make implementing security features much more straightforward.

And finally, automation ties into concepts like DevSecOps, which allows product teams to vastly improve efficiency and scalability by automating security processes. Scripting and orchestration tools really come in handy here.

For instance, automating security scans in your cloud environment lets you efficiently gather data on vulnerabilities on a regular basis. You don't waste precious man-hours on tedious security tasks, and these same processes can be scaled up or down as needed.

How do you become a Cloud Security Architect?

The role of a cloud security architect isn't exactly an entry-level role. It requires not only knowledge of application security, networks, and cloud computing, but also risk management, IT infrastructure, and strategy. Not exactly something you can expect to have in your first year or two as a cloud engineer.

But if this is the sort of job that interests you, there's plenty of ways you can start working towards a career in cloud security architecture. Moreover, if you already have experience working on cloud security, your transition to the architecture side of things will go much more smoothly.

What certifications do you need to be a Cloud Security Architect?

If you're just starting out, you shouldn't focus too hard on certifications. You should instead focus on getting a few years of work experience as a security engineer or analyst to develop the technical and operational skills you'll need. Once you have that, however, here's some of the best certifications for cloud security architecture you can take:

  • CASP+: The Advanced Security Practitioner by CompTIA is an advanced-level cybersecurity certification for security architects and senior security engineers charged with leading and improving an enterprise’s cybersecurity readiness.
  • CISSP: The Certified Information Systems Security Professional by (ISC)2 is ideal for experienced security practitioners, managers and executives interested in proving their knowledge across a wide array of security practices and principles.
  • CISSP-ISSAP: The CISSP-Information Systems Security Architecture Professional is a concentration of the CISSP certification that specifically focuses on security architecture.

What skills do you need in Cloud Security Architecture?

According to Leighton Johnson, CTO at ISFMT, Inc., you need to build an arsenal of robust security skills, right from the very basics of security to the complex IT infrastructure management.

  • Understand how components work: For starters, you need to have an intuitive understanding of how common security protocols and components work. Things like firewalls, network access, intrusion detection systems, etc.
  • Work with various operating systems: You need to be aware of how operating systems like Windows, Linux, and MacOS employ security.
  • Be experienced with networking: Cloud security architects need to have in-depth knowledge of networking principles, and building and maintaining computer networks.
  • Know how to manage and communicate: Since this is a rather advanced role, you'll need to have management skills and the ability to effectively communicate with your team members on important tasks.
  • Understand risk management: You need to be aware not only of what potential threats your cloud environment could face, but how to detect and secure vulnerabilities before they can do serious damage.

Source for article
Aneesh Bhargav

Aneesh Bhargav

Aneesh Bhargav is the Head of Content Strategy at AppSecEngineer. He has experience in creating long-form written content, copywriting, producing Youtube videos and promotional content. Aneesh has experience working in Application Security industry both as a writer and a marketer, and has hosted booths at globally recognized conferences like Black Hat. He has also assisted the lead trainer at a sold-out DevSecOps training at Black Hat. An avid reader and learner, Aneesh spends much of his time learning not just about the security industry, but the global economy, which directly informs his content strategy at AppSecEngineer. When he's not creating AppSec-related content, he's probably playing video games.

Aneesh Bhargav

Rajesh Kanumuru

Rajesh Kanumuru works at we45 as a Cloud Security Lead. Rajesh is a builder and breaker of Cloud applications. He has created some pioneering works in the area of Cloud Security. He is actively researching the effects of emerging technologies on cloud security. Since 2020, Rajesh has mostly been involved with research, development and building solutions around we45 and AppSecEngineer's training offerings. He consults with organizations to help them implement Cloud Security successfully. Rajesh has co-authored and trained a course on Purple Team AWS that was delivered by we45 at BlackHat USA. When AFK, he can be found on the cricket pitch.