Context setting: In my first article on cloud security, I talked about the journey to cloud migration. What are the things you need to consider when planning the big move? To realize the full value of this post, you must have already identified the motivations for migration and the locations of some resources you can use to enhance your own security posture and/or that of your team. Following an investigation at your organisation, you learned that some data and/or service is moving to the cloud and, possibly, that the cloud service provider has been identified. If you’re the migration lead or even one of the team members looking to migrate or manage said cloud services, this article is for you.
“Migrating to the cloud ☁️ introduces new fears, but without the proper knowledge and preparation will only result in Storms. The correct cloud security platform only works when your Cloud collaborative Team fits” - Tony Cuevas
If you have yet to choose a platform to migrate to, it would be worth looking at your existing team to see what experience its members have. If you have a team made up of $cloudServiceA certified persons, it might not make sense to move to $cloudServiceB unless you’re happy to provide appropriate training. However, so as not to forget the primary purpose of the migration, you must align with what makes sense for the business. After the choice of cloud service provider has been made, gaining that provider’s dedicated certifications would logically be important. As a Splunk Architect, I would be the first one to point out that having an in-house architect makes complete sense if you’re implementing that solution in an organisation; I would imagine that also rings true for most cloud services.
However, and hear me out, having a holistic understanding of security principles means having a team member with a certification like CISSP isn’t going to be negative, either. I know that as an industry we’re pretty critical of certifications, especially ones we deem unnecessary or simply tool-based. Historically, however, we haven’t been brilliant when it comes to diversity and inclusion. Therefore, my personal opinion is that if someone finds a certification beneficial to them, and it teaches them skills in a way that makes sense to their mind, then I’m all for it. Besides, gaining knowledge on every level is going to help make a better solution.
Consider the recent Capital One breach in 2019, where a former Amazon employee was arrested for gaining unauthorised access to over 100 million credit application records. This incident was the result of Server-Side Request Forgery. Simplified, this means a server ran a command to return data that it should not have been able to run; in the case of Capital One, it was a Web Application Firewall that was misconfigured.
Unfortunately, whilst massively beneficial in some situations, the use of public cloud solutions must partner with educated decision making and security expertise, as it is all too common to have an incident due to misconfigurations.
Cloud Security Certifications, Events and Social Media
Once you choose the platform that will work for your environment and specific situation, supporting your teams with certifications for said platform is of course vital to successful configuration and management. But prior to that decision, understanding the new workflows and processes will help you make the appropriate selection. How can you learn more? Try attending conferences aimed at cloud environments. Whether they relate directly to security or not, it’s going to be beneficial to gain the insights learned from real, live environments as well as to make connections in the industry.
If you know anything about me, you know I’m a massive fan of conference participation, be it attending, organising, and/or speaking. I believe collecting experts with a shared passion in a room is only going to benefit them by sharing knowledge, discussing experiences and building professional acquaintances, which in many of my personal cases turned into long-term friendships.
Some cloud providers have their own conferences. Again, if you have that solution, it is worth attending or even simply following the online video streaming and releases. These events include AWS Ignite and the variety of Google Cloud events that take place throughout the year and around the world, for example. Other conferences I have personally heard of and/or attended include the following:
- In Europe, you have Cloud Security Expo and InfoSecurity. The latter I have spoken at, attended and enjoyed multiple times. We can’t forget Cisco Live Europe; I haven’t been able to attend yet, but it’s on my list!
- In North America, there is Cisco Live, which I have not only attended but set up for through the Cisco Dream Team in 2015, SANS Cloud Security Summit, Cloud Security Alliance Federal Summit, and Infiltrate. Going north, there’s also iTech, which tours Canada with seven cities, and a variety of vendors showcasing.
Additionally, Sarah Wills created a top 50 conference list to find out more details.
Certifications, outside of the vendor specific, that will benefit you and your teams are:
- SANS 524 Cloud Security Risk and Fundamentals: This certification is useful prior to choosing a provider as well as in designing and properly assessing security requirements. This certification is a two-day course, but from the website, no dates are available to book, which could mean it is not offered at this time.
- SANS 545 Architecture and Operations: This certification is for the architects of operations teams. I personally recommend at least one in every environment, be it a third-party operations team or in-house. You go through the offensive and defensive approach, design and even automation. This course is a five-day course listed at $6,090 USD.
Full disclosure, I have not taken these certifications myself, but from my experience with SANS courses and industry experts for instructors, I am confident in the value of their provided knowledge.
According to Neeru Jain’s article in WizLabs on the top 5 cloud certifications, the first two are:
- Certificate of Cloud Security Knowledge (CCSK): Provided by the Cloud Security Alliance, this certificate is aimed at technical team leads, consultants, architects and managers. Based on the website, it looks to be a two-day course that promotes a choice between self-study, self-paced, and instructor-led (online) material. Its listed pricing is $1,800 USD, with an exam-only price listed at $395 USD.
- Certified Cloud Security Professional (CCSP): Made available by the Cloud Security Alliance and (ISC)², this certificate is aimed at technical team leads, consultants, architects, and managers. It is presented as a four-day training, but in some cases it’s five days; I imagine this is due to the exam day being included in those. It is offered as self-paced or instructor-led (online and in-person) training, and even as private training courses. I don’t see training prices listed directly on the website; however, the InfoSec Institute listed the price at $599 USD.
In a comparison of the two certifications, Graham Thompson states that his preference is for CCSK due to the focus and depth. Even so, “If you have the time and resources doing both…, I would do the CCSK first then the CCSP (and the CCSK counts as 1 year of experience towards the CCSP requirements, as well).”
Whilst I recognise that Twitter isn’t for everyone, my personal experience with this social media platform is that it does help nurture beneficial resources and community members. Therefore, I would be remiss to not recognize some of the names whom I enjoy and/or work with Cloud Security:
Those are names I have come across myself or by a search through Twitter. It is in no way exhaustive, and I am more than happy to receive a more robust list. Please feel free to DM/tweet me the names of those who have helped you.
To complete this list of resources, last but in no way least, let’s take a look at frameworks and associations that will benefit your organisation in resources, public knowledge, and means for aligning frameworks to security. These resources are listed in no particular order:
- Duo Labs
- Guide for Cloud Security
- Cloud Security Alliance Norway and Kansas
- Cloud Security, which shares news updates
- The Twitter accounts of the top three cloud companies: AWS Security, Google Cloud, Microsoft Azure
Well-known frameworks and resources aimed at cloud environments include:
- ISO/IEC 27017:2015
- OWASP Cloud
- CIS Controls Cloud Companion Guide
- The Cloud Native Interactive Landscape
“I'm a big fan of @CompTIA’s Cloud Certifications. There are a lot of good materials from @cloudsa as well. If you wanna get Loco: ISO/IEC 27017 and not for the faint of heart: @NIST SP 500-299 (draft)* known to cause bleeding from eyes.” - Ian Thornton-Trump
Overall, there is a massive amount of resources out there, which on one side is excellent for gaining insight but on another side can make it challenging to narrow your scope of focus. My advice is always to look honestly at where your team’s skills currently lie. Then identify the gaps in knowledge and prioritise these. If you have chosen a vendor, again, make sure your team is able to effectively protect this solution. Then begin to develop more advanced and innovative problem solvers by up-skilling your team and empowering these habits. Please do not, under any circumstance, choose a solution based solely on price and expect your teams to learn how to protect it on their own. Migration to the cloud is a product of team collaboration, not a single person’s decision. You can find Tripwire's great resources on cloud here.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.