Cloud security engineer: Is it the career for you?
When the world went home to work last year, the shift to software-as-a-service (SaaS) accelerated. Organizations came to rely on cloud-based applications to power employee productivity and, with the move to hybrid work, this reliance is predicted to grow further.
Gartner forecasts public cloud services will grow another 23% in 2021 to $332.3 billion, with software as a service (SaaS) being the largest market segment. However, with increased SaaS reliance comes new risks, and organizations are scrambling to shore up cloud security threats for a more secure future of work. They need cloud security engineers.
A cloud security engineer’s job is to secure an organization’s cloud use and protect data against malicious actors. Opportunities in this field have followed the upward trajectory of cloud reliance. LinkedIn currently advertises more than 22,000 open positions. Glassdoor lists more than 28,000. The job is well-compensated in most geographies. Payscale says the average annual salary for a cloud security engineer in the U.S. is $136,485.
What does a cloud security engineer do?
When technology leaders at an organization decide to use public cloud technology, they have many providers to choose from. Consistently, the top three are Amazon Web Services (AWS), Microsoft Azure and Google Cloud, but a long list of other options follow.
The cloud provider will deliver baseline security measures around their platform, but organizations who rely on it are responsible for securing what is inevitably an interconnected web of applications and permissions, not to mention the fleet of endpoints that access those applications. This is the shared responsibility model and, in many ways, represents at least a partial job description for cloud security engineers within an organization.
“It’s best to think of Amazon as the plumbers or the water company,” says Andrew Howard, chief technology officer for Kudelski Security. “They provide the plumbing. They’ll get the water and electricity to your house, but once it’s there, you’re responsible for it.”
Cloud security engineer work is both nuanced and challenging. Unlike networks and on-premise technology, cloud infrastructure changes almost on a daily basis as providers compete to provide the most sought-after solutions. “The entire ecosystem is complex,” says Oliver Tavakoli, chief technology officer at Vectra AI. “You don’t have any notion of a stable set of infrastructure that you can choose to remain on for six months or a year.”
On top of a fast-moving ecosystem, plenty of attackers need to find only one attack template that works. From there, it’s entirely reusable. One attack key will have a widespread blast radius across many cloud customers, Tavakoli says. “Attackers need just one way to run a gauntlet that will get through even 20% of customers because of how they have rigged their defenses.”
While network security has had years to build out prevention techniques such as antivirus, firewalls, access control and many others, cloud security is still finding prevention techniques that work well in a containerized cloud environment, says Tavakoli.
“We’re still in the early stages of coming up with preventative measures,” Tavakoli says. Beyond prevention, much more emphasis is also needed on detection and response in the cloud. Overall, “it’s important for today’s security teams to move past the single goal of building a hard shell to keep everything out.”
Instead, the goal is full maturity across prevention, detection and response, and this requires security engineers who are comfortable with ambiguity.
What does it take to be a cloud security engineer?
As cloud reliance grows and the environment continually morphs, organizations are looking to round out their security teams with individuals that bring unique perspectives of the attack surface. Knowing how to deploy firewalls in the cloud is a good skill to have, for example, but more importantly, so is the need for cloud security engineers to know how cybercriminals typically work in a cloud environment.
“The best defenders are people who have a keen understanding of what offense looks like,” Tavakoli says. “I highly encourage security people to try their hands at some of the offense pieces, whether that’s on the lighter end of the spectrum like a Certified Ethical Hacker class or an OSCP and deeper practices.”
To gain the offensive perspective Tavakoli suggests, consider these industry certifications and training to get started in your career as a cloud security engineer:
- Ethical hacking certifications like the EC-Council Certified Ethical Hacker (CEH) and CompTIA PenTest+
- Cloud security certifications like the (ISC)² Certified Cloud Security Professional (CCSP) or Infosec Institute Certified Cloud Penetration Tester (CCPT)
- Hands-on cyber ranges, covering topics like attacking and defending cloud-based applications
To learn more about what it takes to become a cloud security engineer, watch our Cyber Work Podcasts, Should all your company data be in the cloud with Andrew Howard and Cloud security best practices and career tips with Oliver Tavakoli.
- Gartner forecasts worldwide public cloud end-user spending to grow 23% in 2021, April 2021, Gartner Press Release
- Average cloud security engineer salary, Payscale