Cloud Security Knowledge Sharing By Guy-Bertrand Kamga

To promote a Secure Cloud-Based Digital Transformation

Tag: Cloud Security Expert

Key milestone in my Multi-Cloud Security expertise development

I’m very glad of what has been accomplished so far in the development of my Multi-Cloud Security expertise.

I started this journey after having completed three vendor-neutral security certifications (CISSP & CCSK in 2014 and CCSP in 2016).

Then, I decided to focus on the leading cloud IaaS platform (AWS) with the completion of its Solutions Architect and Security Specialty certifications in 2019.

The journey continues with the successful completion of Azure Security, Google Cloud Security and Google Cloud Architect certifications in April, May and November 2021 respectively.

I want to thank Nokia for providing a working environment which makes possible such Multi-Cloud Security expertise development.

Special thanks to learning platforms such as Udemy, Pluralsight, Qwiklabs and Whizlabs, which provide useful self-paced content to prepare for those certifications.

Certification badges: AWS SAA, AWS SCS, AZ SEC, Google Cloud PCSE

Becoming a Cloud Security Expert

If you are an IT specialist and want to know what effort and how much time are required to become a Cloud Security Subject Matter Expert (SME), this guide might be of interest to you.

Cloud Benefits vs Security Risks: two main pieces of the cloud solution puzzle

A security risk manager (ISO 27005 certified) who is not familiar with cloud solutions but is interested in cloud topics recently asked me to share my experience about the main cloud security knowledge & skills required to become a key member of cloud-based business transformation programs or initiatives.

It was not the first time I had received such a request, and I decided to provide some insights in this post.

Understanding the difference between business & security priorities

Most companies are transforming their businesses using cloud technologies and services.

Indeed, cloud services provide several benefits (pay-as-you-go model, less or no CAPEX, dynamic scaling, high availability, collaboration efficiency, improved mobility, etc.) that enable rapid business development and/or transformation.

Business divisions are then interested in trying and quickly adopting these cloud services. Their interests are mostly governed by the cloud benefits.

On the other side, the Security team, which is sometimes involved early or discovers the business divisions’ cloud initiatives by chance, does not look at cloud services with the same mindset as the business divisions.

Security staff mostly understand and/or analyze cloud services from the security-risk angle, which is completely different from the benefits angle.

From the business perspective, the main goal is to maximize the cloud benefits for the company, while from the security perspective, the main goal is to minimize the security risks for the company.

Reconciling these two distinct goals is very important for organizations that want to get the most benefit from cloud services without jeopardizing their main assets.

This is where a cloud security expert can bring the most value.

Cloud security expertise consists of a set of knowledge & skills that help an organization maximize the cloud benefits while minimizing (at the same time) the related security risks for the company.

Organizations should have on board people who understand the cloud benefits as well as the cloud security risks, and who can support the business divisions in properly balancing cloud benefits against cloud security risks.

This expertise can be acquired via (i) experience in designing & implementing cloud-based programs, (ii) cloud security training and (iii) cloud security certifications.

The main cloud security standards, guidelines and best practices I listed here, cloud certifications such as the top 5 vendor-neutral cloud security certifications I listed here, or platform-dependent cloud certifications such as AWS Certified Solutions Architect or MCSE: Cloud Platform and Infrastructure can be considered the main sources for developing & maintaining cloud security expertise.

Key characteristics of cloud security expertise

A cloud security expert is a security specialist who understands the cloud benefits for the company’s businesses and can identify the security risks applicable to a specific cloud use case.

The figure below depicts the main cloud benefits and security threats:

Figure: Cloud Benefits vs Cloud Security Threats

As you may know, there are 3 cloud service models (IaaS, PaaS & SaaS) and 4 cloud deployment models (Public, Private, Community & Hybrid). Not all security threats are relevant to every cloud use case. As in other contexts, there is no one-size-fits-all solution in cloud security.

A cloud security expert should be able to perform the following tasks:

  1. Understand the business requirements (specific for each cloud use case)
  2. Map the business requirements to cloud services capabilities
  3. Analyze the security controls available in the targeted cloud service (e.g. MS Azure, AWS, Salesforce.com, SAP S/4HANA, etc.)
  4. Identify & assess the security risks applicable to a given cloud use case (main impact for the business)
  5. Help the business decide whether the security risks are acceptable (as per the company’s risk appetite and cloud security policy)
  6. If necessary, recommend reasonable additional security controls that can be implemented to reduce the security risks to an acceptable level (remediation)
  7. Support the business & IT during the implementation of the additional security controls
  8. Ensure that the security posture of the cloud solutions remains acceptable over time

In short, a cloud security expert should be able to support the business in the following activities:

  • Cloud services/platforms evaluation & selection (RFP/RFI/RFQ processes)
  • Cloud solutions implementation
  • Cloud solutions operation

The above tasks & activities can be performed by leveraging an agile & effective cloud security strategy, such as the Cloud Usage Profile-based strategy I described in this previous post.