So you're interested in becoming a cloud security architect. It's super easy! All you have to do is work for several years as a security engineer or analyst, gain experience in cloud security, get industry-standard certifications specific to security architecture, and...
Okay. Maybe it's not that easy. Cloud security architects are highly sought after, but it's not exactly an entry-level position. So how exactly do you get a job in cloud security architecture? And what skills do you need to develop in order to get there? Read on to find out.
We can demystify the term by looking at what a regular architect does, because they're not too different. An architect drafts the initial blueprint for the construction, figures out the design and layout of the building, and determines how the space will be used. They don't really get involved with the day-to-day challenges of actually building the structure — they just create plans for the engineer to execute.
Similarly, a cloud security architect is responsible for planning how the security systems are going to work and how they will be implemented across the application. They need to consider what tools, components, and platforms they use, how everything is designed, and what risks their organisation is likely to face.
For example, when you upload a file online, your data gets stored in the cloud. A cloud security architect would need to create an input validation mechanism or security policy to prevent a cross-site scripting (XSS) or SQL injection attack.
So while it's still the engineers building the app with these security features enabled, the cloud security architect designs how those security features work in the first place.
Want learn cloud security architecture hands-on? Try our Attacking AWS Serverless Applications course!
I know, I know, I don't want to turn this into a boring listicle either. But these 7 principles are a bite-sized distillation of what a cloud security architect's job is all about.
This might sound rather obvious, but that doesn't make it any less important. Each layer of your cloud stack needs to have its own security controls, ie., it needs to be 'self-defending'.
For example, your organization's network needs to be properly secured with access controls and firewalls, and your data needs to be backed up and securely encrypted.
A big part of security architecture is standardization, which can be achieved through security-as-code. Automating security processes and continuously monitoring your cloud environment can dramatically increase the efficiency of your security program.
This can be achieved through a robust DevSecOps program, but that's a topic for another time.
Start your DevSecOps journey today. Learn from 7 courses in our DevSecOps Learning Path.
One of the challenges with cloud is that you're dealing with multiple cloud providers, platforms, and services. For example, if you're running your cloud stack entirely on AWS, you may have to shift part of your workflow to Azure or Google Cloud.
There's a ton of advantages to going multi-cloud, including disaster recovery, load balancing, and separating development and production environments. With a hybrid cloud model, you can't afford to be wedded to one specific set of components.
"Think about components that can be adopted or adapted to more than one cloud as an architectural principle and design model," says Dave Shackleford, Sr. Instructor at the SANS Institute.
Nobody likes failure, least of all security folks. A failure of security is just about the worst thing that can happen on an organizational level.
But just like every car manufacturer needs to build their vehicles with airbags and seatbelts, security architects need to design their apps for the worst case scenario. Not everything is in your control (or can be), and you need to build redundancies to soften the impact of a security failure.
There are two crucial things to consider here:
It's important for you to figure out all the hundreds of ways your systems could fail, either on a component level (bad) or at a widespread architectural level (very, very bad), and design ways to minimize damage.
Today, the cloud has given us the ability to massively scale up or down the availability of services depending on the level of demand. But in order to achieve this sort of elasticity, you need to answer a few important questions:
You need to figure out how you're going to deploy systems and services before building out your architecture. This will ensure you don't face unforeseen issues in your cloud stack later, leading to delays, or worse, insecure builds.
This isn't something a lot of security folks pay much attention to, yet it's vitally important to literally every application. With the number of cloud providers out there, you're going to come across a host of different cloud storage services.
You need to spend the time understanding each storage service in depth. Here's a short list of what you should be looking out for:
This is just the start. There's tons more things to consider when evaluating a cloud storage service, but these are some of the most important for a cloud security architect.
Logging and monitoring is probably the least sexy part of cloud security, but hey, when do healthy things taste good?
When you're running a complex application in the cloud, you need to be intimately familiar with what's going on at every level of your environment.
To achieve that, you first need to enable logging everywhere you can, from network platforms to access management activity. These logs are like arteries, collecting information for you from all across your app.
But you can't exactly manually pore over all that data yourself: you need to prioritize what you pay attention to. Monitoring services like Amazon CloudWatch or Azure Monitor to alert you to malicious activity, track metrics, and notify you on changes in your AWS resources.
Learn how to monitor AWS environments with our hands-on course, Amazon ECR Security Essentials.
When it comes to cloud stacks, things can quickly get out of hand as you integrate new tools, dashboards, and services into your environment, not all of which are totally compatible with each other.
This can become a big problem over time, making things way harder to manage. Always be mindful of what each service or tool is for, and 'centralize' your toolkit so everything works fluidly together.
You should also be leveraging well-known standards in, for example, access management, configurations, and cryptography. By having a consistent architectural model across the various cloud services, you can make implementing security features much more straightforward.
And finally, automation ties into concepts like DevSecOps, which allows product teams to vastly improve efficiency and scalability by automating security processes. Scripting and orchestration tools really come in handy here.
For instance, automating security scans in your cloud environment lets you efficiently gather data on vulnerabilities on a regular basis. You don't waste precious man-hours on tedious security tasks, and these same processes can be scaled up or down as needed.
The role of a cloud security architect isn't exactly an entry-level role. It requires not only knowledge of application security, networks, and cloud computing, but also risk management, IT infrastructure, and strategy. Not exactly something you can expect to have in your first year or two as a cloud engineer.
But if this is the sort of job that interests you, there's plenty of ways you can start working towards a career in cloud security architecture. Moreover, if you already have experience working on cloud security, your transition to the architecture side of things will go much more smoothly.
If you're just starting out, you shouldn't focus too hard on certifications. You should instead focus on getting a few years of work experience as a security engineer or analyst to develop the technical and operational skills you'll need. Once you have that, however, here's some of the best certifications for cloud security architecture you can take:
According to Leighton Johnson, CTO at ISFMT, Inc., you need to build an arsenal of robust security skills, right from the very basics of security to the complex IT infrastructure management.
Aneesh Bhargav is the Head of Content Strategy at AppSecEngineer. He has experience in creating long-form written content, copywriting, producing Youtube videos and promotional content. Aneesh has experience working in Application Security industry both as a writer and a marketer, and has hosted booths at globally recognized conferences like Black Hat. He has also assisted the lead trainer at a sold-out DevSecOps training at Black Hat. An avid reader and learner, Aneesh spends much of his time learning not just about the security industry, but the global economy, which directly informs his content strategy at AppSecEngineer. When he's not creating AppSec-related content, he's probably playing video games.
Rajesh Kanumuru works at we45 as a Cloud Security Lead. Rajesh is a builder and breaker of Cloud applications. He has created some pioneering works in the area of Cloud Security. He is actively researching the effects of emerging technologies on cloud security. Since 2020, Rajesh has mostly been involved with research, development and building solutions around we45 and AppSecEngineer's training offerings. He consults with organizations to help them implement Cloud Security successfully. Rajesh has co-authored and trained a course on Purple Team AWS that was delivered by we45 at BlackHat USA. When AFK, he can be found on the cricket pitch.