If you are an IT specialist and want to know what effort and how much time are needed to become a Cloud Security Subject Matter Expert (SME), this guide might be of interest to you.
A security risk manager (ISO 27005 certified) who is not familiar with cloud solutions but is interested in cloud topics recently asked me to share my experience about the main cloud security knowledge & skills required to become a key member of cloud-based business transformation programs or initiatives.
It was not the first time I had received such a request, and I decided to provide some insights in this post.
Understanding the difference between business & security priorities
Most companies are transforming their businesses using cloud technologies and services.
Indeed, cloud services provide several benefits (pay-as-you-go model, less or no CAPEX, dynamic scaling, high availability, collaboration efficiency, improved mobility, etc.) that enable rapid business development and/or transformation.
Business divisions are therefore interested in trying and quickly adopting these cloud services. Their interest is mostly driven by the cloud benefits.
On the other side, the security team, which is sometimes involved early and sometimes discovers the business divisions’ cloud initiatives by chance, does not look at cloud services with the same mindset as the business divisions.
Security staff mostly understand and/or analyze cloud services from the security risk angle, which is completely different from the benefits angle.
From the business perspective, the main goal is to maximize the cloud benefits for the company while from the security perspective, the main goal is to minimize the security risks for the company.
Reconciling these two distinct goals is essential for organizations to get the most benefit from cloud services without jeopardizing their main assets.
This is where a cloud security expert can bring the most value.
Cloud security expertise consists of a set of knowledge & skills that help an organization maximize the cloud benefits while, at the same time, minimizing the related security risks for the company.
Organizations should have on board people who understand the cloud benefits as well as the cloud security risks, and who can support the business divisions in properly balancing cloud benefits against cloud security risks.
This expertise can be acquired via (i) experience designing & implementing cloud-based programs, (ii) cloud security training and (iii) cloud security certifications.
The main sources for developing & maintaining cloud security expertise are the cloud security standards, guidelines and best practices I listed here, and cloud certifications, whether vendor-neutral (such as the top 5 vendor-neutral cloud security certifications I listed here) or platform-dependent (such as AWS Certified Solutions Architect or MCSE: Cloud Platform and Infrastructure).
Key characteristics of cloud security expertise
A cloud security expert is a security specialist who understands the cloud benefits for the company’s business and can identify the security risks applicable to a specific cloud use case.
The figure below depicts the main cloud benefits and security threats:
As you may know, there are 3 cloud service models (IaaS, PaaS & SaaS) and 4 cloud deployment models (Public, Private, Community & Hybrid). Not all security threats are relevant or applicable to every cloud use case. As in other contexts, there is never a one-size-fits-all answer in terms of cloud security.
A cloud security expert should be able to perform the following tasks:
- Understand the business requirements (specific for each cloud use case)
- Map the business requirements to cloud services capabilities
- Analyze the security controls available in the targeted cloud service (e.g. MS Azure, AWS, Salesforce.com, SAP S/4HANA, etc.)
- Identify & assess the security risks applicable to a given cloud use case (main impact for the business)
- Help the business to decide if the security risks are acceptable (as per the company risk appetite – cloud security policy)
- If necessary, recommend reasonable additional security controls that can be implemented to reduce the security risks to an acceptable level (remediation)
- Support the business & IT during the implementation of the additional security controls
- Ensure that the security posture of the cloud solutions remains acceptable over time
In short, a cloud security expert should be able to support the business in the following activities:
- Cloud services/platforms evaluation & selection (RFP/I/Q processes)
- Cloud solutions implementation
- Cloud solutions operation
The above tasks & activities can be performed by leveraging an agile & effective cloud security strategy such as the Cloud Usage Profile-based strategy I described in this previous post.
I started my professional career in 2001 as an IT Software Engineer for 2 years, and in 2003 I decided to return to school for advanced & specialized training in Networking & Security Engineering. Then, in 2005, I joined the R&D division of Alcatel CIT (merged with Lucent Technologies in 2006 to form Alcatel-Lucent and acquired by Nokia in 2016), where I worked for 10 years on several topics including RCA (Root Cause Analysis) for Events Monitoring in GSM & GPRS mobile networks, Intelligent Notification Services for Unified Communications, SDN (Software-Defined Networking) & NFV (Network Function Virtualization) Security, Cloud Security & Data Protection.
During 7 of these 10 years, I had a great opportunity to work as a Member of Technical Staff in an exciting R&D environment (Bell Labs), which is one of the best R&D centers in the world (in terms of innovations and number of Nobel Prizes).
In 2015, I decided to leave the R&D activities and join the IT Cyber Security organization as Senior Security Analyst/Advisor and Cloud Security SME, to support the business transformation of the company.
Up to now, I contributed to several cloud security activities including:
- More than 120 security assessments of cloud solutions based on popular cloud services (e.g. Amazon Web Services, MS Azure, IBM SoftLayer, Google Cloud Platform, Salesforce.com, Office 365, SAP S/4HANA, etc.)
- Development of the corporate cloud security baseline
- Development of cloud security processes for private, public & hybrid cloud use cases, as well as the related security assessment questionnaires
- Leading the security of more than 200 cloud-based IT projects in several functional or business domains including HR, Finance, Sales & Marketing, Supply Chain & Procurement, R&D, etc.
In addition to my daily work, I have been teaching Cloud Computing & Cloud Security courses to Master’s degree students since 2016 (40 to 80 hours per year).
Since 2011, I have also been an active volunteer member of the French program Passeport Avenir (now Article 1), where I mentored engineering school students for 5 years, and since 2016 I have been regularly sharing my experience with undergraduate students.
More info about me: