What does a cloud security engineer do?

[00:00:05] Chris Sienko: Welcome to the InfoSec Career Video Series. These set of short videos will provide a brief look inside cybersecurity careers and the experience needed to enter them. Today, I'll be speaking with InfoSec skills author, Joseph South about the role of cloud security engineer. Without further ado, let's get into it. Welcome, Joe.

[00:00:23] Joseph South: Hi, thanks for having me.

[00:00:25] CS: Joe, let's start with the basics. What does a cloud security engineer do? What are the day-to-day tasks of a cloud security engineer?

[00:00:33] JS: Yeah, that's a very interesting question. It can definitely vary, depending on where your organization is, what their cloud security journey, and what they're actually doing, what their market is. Really, I like to break it up into three different roles. We have a junior level cloud security engineer, which is definitely not a junior role in security overall. Then, we have a senior cloud security engineer, and then we have a lead cloud security engineer.

The more junior level role is going to be responding to different alerts across the different tools that we have set up to be alerting across, whichever cloud provider we may be in. The senior cloud security engineer is the one that's typically building out those tools and tuning them and designing them, really from the ground up and deploying them. The lead is identifying gaps in the environment, identifying viable solutions to fill those gaps, and really driving the direction of the cloud security team as a whole.

[00:01:43] CS: What I like about that is that we can see the ladder of success here. You see what you need to do to go from one to the next. They sound like, for the most part, have fairly delineated job roles. I guess, to start at the very ground level, how does one become an entry level cloud security engineer? Do you need to experience first? Can it be your first job?

[00:02:06] JS: I would say, that it definitely cannot be your first job. Because cloud security expands, or spans across just about every single domain in security. A cloud security engineer needs to have experience in several different domains. I'm not just talking about two domains. I'm talking about three, four, five domains across security. They're deploying tools in those domains. They're working with internal clients, and maybe even some external facing clients.

They really need to have those sorts of skills and experience under their belt, before they're going into the cloud, where they're not allowed to touch the cable. They can't touch the server. They're not able to go do a hard reset, like you would normally do. A total shift in your thinking.

[00:02:57] CS: Now, to that end, what types of education is typically required, and/or what types of certs will help you break in, or support this role, or just get the knowledge that you need to do the role?

[00:03:07] JS: Yeah. I'd say, the first step is obviously, the experience. When you're getting the experience, I always strongly encourage everyone to go with whatever cloud provider their company is already in. If your company is already in Azure, start looking at Azure certs. If you're in AWS, start looking at AWS certs. The first cert that I would start working to accomplish, or achieve is the AWS certified cloud practitioner. Sorry, that's a mouthful. It really gives you a very good foundational knowledge of the cloud. Yes, it's geared towards AWS, but really, the foundational knowledge will work for Azure, it'll work for GCP, or any other cloud provider. From there, once you have that cert under your belt, I would really start looking at the CCSP. The reason why I would do that is because the CCSP is very broad. It's vendor agnostic, it's not going to be specific to any one vendor. The material that you're going to be learning to achieve that certification will work no matter what cloud provider you're in.

The topics on encryption, IEM, all of it. All of those foundational topics are going to be the same, which really puts you ahead of everyone else, because I will be honest, I'm in this field and I don't know very many other people in this field that have the CCSP. If you have the CCSP, it's really going to set you apart.

[00:04:42] CS: Got you. Now, we talked about some of the skills that you learned through these certifications. Can you lay them out? What are some skills that cloud security engineers need to do their job well? If you're just going to start working on learning something right after this video, where would you start?

[00:05:00] JS: Yeah. That's really interesting. I would take a look at the different services that the cloud provider is offering. Whichever cloud provider you're choosing, take a look at the different services, and not just the security services. Take a look at how AWS deploys EC2s. Think of what security controls you can deploy. AWS does a really amazing job. Azure actually does a really good job as well. Posting a lot of different white papers, a lot of documents, really walking you through all this stuff. It's all out there. You just have to look for it.

When you're going through, and getting all that knowledge, you should also be developing your soft skills. The best way to do that is just on the job. Whatever job you're in, try to work on your soft skills. Try to be more personable. Try to actually work with people, hear them out, listen to them, and respond effectively to whatever they're asking.

[00:05:59] CS: Okay. You mentioned tools before, and that – I think, it's a fairly tool intensive job. Can you talk about some of the common tools that cloud security engineers use?

[00:06:10] JS: Yeah. I would say, there's three pretty common ones. Then the rest are vendor tools that you'll get experience with on the job, because they're far too expensive for anyone to purchase on their own. The first one that I always work with, honestly, is the AWS CLI tool. It connects right into your AWS account, and you can manage your entire account right from your terminal window, or your CLI, whichever it might be.

The next one is Steam Pipe. It's a newer open-source tool. It's used to actually run security audits across multiple cloud environments at the same time, and you can map those controls across all the different cloud providers. That is extremely helpful, because to be quite honest, the tools that do it that you actually have to pay for, some of them do it really well, but they're also very expensive. Organizations are looking for alternatives. If you know an open-source version of a tool, you're going to be even more valuable, even if they have that paid for tool because you already know how it works. You already know what to expect.

[00:07:29] CS: Those first couple that you mentioned, those are open source, those are things that people can start messing around with on their own?

[00:07:35] JS: Yeah, absolutely. Scout Suite is another one that's open source. That is a great tool to manage your cloud environment.

[00:07:42] CS: Excellent. Where do cloud security engineers work? What type of job options are available? What job sectors? I imagine with cloud expanding the way it is, it's everywhere, right?

[00:07:54] JS: Yeah. At this point, every company is in the cloud, or they're going to the cloud, or they're thinking about the cloud. Everyone is hiring for cloud security professionals. It sounds a bit crazy, because maybe you're not used to hearing that. Honestly, in security there, there is only a shortage of people. No shortage of jobs.

[00:08:15] CS: Yes, for sure.

[00:08:16] JS: You can work across any industry in the world. You could work for any company in the world, and you can do it from your home. Because nine times out of 10, they're going to be remote. Unless, you're working for the federal government, then it's illegal to work remote.

[00:08:33] CS: Yeah, yeah. Exactly. Now, to that end, I guess, there's a lot of different types of jobs as well. I mean, do cloud security people generally tend to work for the single company, or their vendors, they're freelancers, consultants, or all the above?

[00:08:49] JS: I would say, really, all the above. If you're in cloud security, it's very easy to start doing freelance work, start doing consulting work on the side, or even change organizations fairly easily. Me personally, I work for an organization and I do a bit of side work on the side. I know several people that do that exact same thing.

[00:09:17] CS: Now, for people who might be working, or moving towards cloud security engineer, maybe they decided partway through that it's not the career position for them, how easy is it to pivot into other roles? What types of skills that you learn from cloud security engineer? Are there ways that you can use that in other related fields?

[00:09:36] JS: Yeah, absolutely. If we're just focusing on other security roles, if you make it to be a cloud security engineer, you can go into any other security role. Really, I mean, just about any other security role that you may have a focus on. You could go into IEM security role, where you're deploying technology, you can work on Sims, EDRs, whatever it might be. If you want to go up the level, you could also go and become an architect. What's an architect? An architect is having the 1,000-foot view of the organization, identifying some gaps in technology stacks. A lot of the times, that's really what they're there for. They're there to manage the environment.

As a cloud security engineer, like I said before, you need to know the whole environment. You're already a step ahead of most people that are trying to become architects. If you don't want to be an architect, you can easily jump into being a manager. Because you're managing so much in your day-to-day job, especially when you're a senior, or lead cloud security engineer, that you're basically a manager. You're managing yourself, you're managing your colleagues. I don't mean managing it with an iron fist. I mean, you're working with these other people that are on your team to achieve a certain goal that you may have.

[00:11:03] CS: Now, as we close off here, for our listeners who are ready to get started and start learning today, what’s something they can do right now that will move them toward the goal of becoming a professional cloud security engineer?

[00:11:14] JS: Yeah. I think that that's a great question that has a lot of different facets to it. A few things that I don't hear enough cloud security professionals talking about is when you want to jump into any security role, the first thing that you want to do is get up on the news. Learn about what's actually going on in the security industry.

Secondly, would be to find a video series, or a podcast; a video series like this video series, or my own podcast, Security Unfiltered. Both of those are great ways. There's other podcasts out there that are also doing a fantastic job that help people get into this field. Then aside from that, if you nail those two things, I would start looking at certifications. The AWS certification that I mentioned, you don't require any experience. There's no years of experience that is required. The CCSP, it is required that you have five years. You can pass that cert, and they will still not issue it to you if you don't have the years of experience. If you can do those three things, you are ahead of the curve, by far. It's going to be much easier for you to make this jump, or transition into this line of work and security.

[00:12:33] CS: All right. Joseph South, thank you very much for your time and insight today. I'm really glad to talk to you today.

[00:12:39] JS: Yeah, thanks for having me. I appreciate it.

[00:12:41] CS: Everyone listening, thank you for checking us out. If you'd like to know more about other cybersecurity job roles, please check out the rest of InfoSec’s career video series and check out InfoSec Skills at infosecinstitute.com/skills. We’ll talk to you soon.