Top skills to learn for Cloud Security
Taimur Ijlal
Senior Security Consultant @ AWS | I Help People Land Cybersecurity Jobs | Top 1% Cybersecurity Coach | Best-Selling Author | 35K Students @ Udemy
Cloud security is one of the hottest fields right now, with many professionals eager to start their cloud careers in 2022. Certifications are an easy way to start, but to truly succeed in the long run as a cloud security professional you need to develop specific skills. Cloud is a different animal from on-prem, and a different mindset is needed. Let's take a look at some of the most important skills you should start developing today for a successful cloud security career. I have made it a point to cover skills that are independent of any provider and scale across AWS, Azure and Google Cloud.
Infrastructure as Code
If you are working in the cloud, there is no escape from Infrastructure as Code (IaC), as it is one of the most basic skills you need. As its name suggests, IaC means you define infrastructure in a code template, which the provider then processes and converts into actual infrastructure in the cloud.
A few lines of code like the below will literally let you spin up a complete server in the cloud.
IaC lets you implement proper automation: no one in a proper cloud environment is going to provision hundreds of servers through a management interface, so all of them will be using IaC templates like CloudFormation or Terraform. There are also numerous security benefits, such as full visibility, code review and immutability. Check out my ISACA journal article here if you want to know more about IaC.
If you are getting a headache just thinking about learning IaC coding, the good news is that there are numerous resources and graphical tools you can use to create Infrastructure as Code templates without writing a single line of code (although knowing how to code certainly helps!). I would suggest starting with the basics of Terraform, which can be used in any cloud environment, as that will give you a great advantage over other security professionals.
Recommended skill to learn: CloudFormation, Terraform
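As an added example (not from the original article): a constructed CloudFormation template in JSON form that defines one server, and a small Python review function showing the kind of automated code review an IaC template makes possible. The resource names, the placeholder AMI ID and the choice of SSH/RDP as admin-only ports are assumptions for illustration.

```python
import json

# Constructed sample: a minimal CloudFormation template (JSON form) defining
# one server and its firewall rules. The AMI ID is a placeholder, not a real image.
TEMPLATE = json.loads("""
{"Resources": {
  "WebSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
    "GroupDescription": "demo web server",
    "SecurityGroupIngress": [
      {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"},
      {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"}]}},
  "WebServer": {"Type": "AWS::EC2::Instance", "Properties": {
    "ImageId": "ami-PLACEHOLDER", "InstanceType": "t3.micro",
    "SecurityGroupIds": [{"Ref": "WebSg"}]}}
}}
""")

ADMIN_PORTS = {22: "SSH", 3389: "RDP"}   # assumption: ports treated as admin-only
ANYWHERE = {"0.0.0.0/0", "::/0"}         # IPv4 and IPv6 "whole internet" ranges


def review(template):
    """Return findings for security groups exposing admin ports to the internet."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::EC2::SecurityGroup":
            continue
        for rule in res.get("Properties", {}).get("SecurityGroupIngress", []):
            source = rule.get("CidrIp") or rule.get("CidrIpv6")
            if source not in ANYWHERE:
                continue
            if str(rule.get("IpProtocol")) == "-1":   # all protocols, all ports
                lo, hi = 0, 65535
            else:
                lo, hi = int(rule.get("FromPort", 0)), int(rule.get("ToPort", 65535))
            for port, label in ADMIN_PORTS.items():
                if lo <= port <= hi:
                    findings.append(f"{name}: {label} ({port}) open to {source}")
    return findings


if __name__ == "__main__":
    for line in review(TEMPLATE):
        print(line)
```

The function only inspects inline ingress rules with literal port values; rules declared as separate resources or built with intrinsic functions would need additional handling.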
Integration and APIs
One way of looking at the cloud is to visualize it as a huge number of services and APIs that are capable of talking to each other. Companies moving to the cloud want to take advantage of native cloud features and connect them to their processes and applications, which usually happens via API calls.
How many times have you heard vendors use the term partner APIs or external APIs in the cloud? But what exactly does it mean? APIs, or Application Programming Interfaces, are the small pieces of code exposed by applications and services that enable other applications or services to talk to them. They form the backbone of modern applications and are how you have applications running on smartphones, the internet and your laptop all behaving in the same way.
As a cloud professional (security or otherwise) you will be expected to be able to integrate numerous services and make them "talk" to each other. This is not something you do after your cloud environment has been built (that would be a bit like putting in the wiring after your house has been built). Knowing how to integrate cloud services and make them communicate with each other is essential.
Recommended skill to learn: Set up an AWS free tier account, play around with the free services and integrate them.
DevOps and Automation
This skill builds on the previous one, as automation is one of the key advantages cloud has over on-prem. Once you realize you can make services talk to each other, you can easily create complete workflows in the cloud without any human involvement whatsoever. While you can do automation on-prem, the ease and power of the cloud give it a far superior advantage.
As an example, take a look at the below workflow, which you can read about here, in which a complete security incident response workflow has been created using only native AWS services, without a single third-party solution in sight!
If you don't want to experiment with a cloud environment like AWS, Google or Azure for fear of racking up a bill, you can easily download Jenkins, which is a free automation tool, and play around with creating automated pipelines.
Recommended skill to learn: Jenkins
Containers
Containers are the next evolution of deploying software applications and build upon the concept of virtual machines. They bundle everything the application needs, including the code and its dependencies, so that it is abstracted away from the OS on which it is running. This means you can theoretically move applications from on-prem to the cloud, or across different cloud providers, without massive changes. The speed and elasticity of the cloud make containers perfect for this environment. Containers also introduce new security risks, which require an understanding of the container ecosystem to properly secure. Doing your average app-sec will not show the security risks that are present in containerized applications. Learn how an average container works and how to flag any security risks when it is being spun up and when it moves to production.
Recommended skill to learn: Create a simple "Hello World" container and try to scan it via open source security tools
I hope this gave an overview of some of the skills which on-prem security professionals need to upgrade to before moving to the cloud. Let me know if you feel there are others I should have covered and did not in the comments below.
Author: Taimur Ijlal
My Blog: https://cloudsec-guy.com/
My Youtube Channel : https://www.youtube.com/c/CloudSecurityGuy
Group Director, Information Security at Majid Al Futtaim Holding.
(2 years ago) Good read and covers most of the neo cloud security niche areas. Identity powered micro segmentation and intra microservices keys management (service mesh) may have been two good additions.
Great work Taimur….well done
Operational Risk Management | Third Party Risk Management | Enterprise Risk Management | Data Risk Management | Internal Controls and Compliance | Internal Audit
(2 years ago) Good read
Dynamic, multi-faceted professional with over 14 years of experience in Information Communication Technology industry.
(2 years ago) Well done