Despite optimism (at least in the US) that the worst of the COVID-19 pandemic is over, remote and hybrid working is here to stay, with many employees opting to work from home permanently. As this trend continues, businesses and government agencies are likely to become even more dependent on cloud-based services and technologies to ensure their operations continue smoothly.
The numbers show how much this need for cloud infrastructure and services has grown since the start of the pandemic. Analyst firm Gartner, for example, expected global organizations to spend $332 billion on public cloud services alone in 2021, a 23% increase from the previous year.
These expenses include SaaS and IaaS, as well as newer technologies such as containerization, virtualization, and edge computing. This suggests that the COVID-19 pandemic “has served as a multiplier for CIO interest in the cloud,” according to the report.
As the use of cloud services grows, so do the security concerns related to these technologies, which include threats ranging from cybercriminals to sophisticated nation-state groups. Consider a study published earlier this month by Palo Alto Networks that examined user identity and access management policies in approximately 18,000 cloud environments across 200 organizations.
The results showed that nearly 99% of users and cloud services provide excessive permissions, which means attackers have a large attack surface to exploit, and a compromised account can lead to access to hundreds, if not thousands, of others. The study also noted that many organizations (around 53%) allow weak passwords that can be guessed or cracked by brute-force attacks.
For these and other reasons, many private organizations and government agencies seek to hire cloud security specialists, which is now considered one of the fastest growing jobs in cybersecurity. The average salary for a cloud security specialist is around $87,700, according to Glassdoor, but many private companies are willing to bump the salary up to six figures for the right person.
Whether it’s a cybersecurity professional looking to grow through specialization or a technologist transitioning to a new career direction, experts note that with the right skills and training, the field of cloud security can provide a path to upward mobility.
What skills do I need to get started?
For experts watching the cloud security field, there are several paths technologists can take to start a career as a cloud security specialist. Aaron Turner, vice president of SaaS posture at security firm Vectra, noted that a career path from a traditional on-premises IT or security environment starts with learning as much as possible about cloud infrastructure.
“The easiest way to become familiar with cloud security concepts is to study what infrastructure-as-a-service capabilities their current organization needs,” Turner told Dice. “IaaS can sometimes boil down to the ‘lift and shift’ of virtual machines from on-premises servers to servers hosted in the cloud. IaaS has the closest corollaries to legacy network and host security. From this point of landing in the cloud, one can learn additional aspects from this point of familiarity.”
For a true novice with little technical experience, the best way to learn more about the cloud is to focus on SaaS offerings, especially the foundational Microsoft products that almost every business uses.
“Using Microsoft cloud management tools and portals provides immediate gratification by allowing learners to set up familiar, easy-to-understand services like email and file sharing,” Turner added. “The practice of security concepts in SaaS environments can be understood immediately through penetration testing processes widely available through online courses.”
And while many organizations tend to choose a cloud service for their infrastructure, like Amazon Web Services, it’s a good idea for technologists to learn a little about how each IaaS offering works, said Grant Khan, senior director of security intelligence engineering at Lookout.
“It’s great to have a deeper experience of AWS, for example, because that’s where most of the stuff is. However, there aren’t many multi-cloud organizations, so be careful when going for interviews, as most companies tend to favor one cloud or the other,” Khan told Dice. “The most important thing is to understand basic security primitives and topics, which will have analogues in all clouds, but also to know the distinct terminology and key differences between clouds.”
Which certificates and skills matter the most?
Experts don’t know what skills are needed for a cloud security specialist position, especially when it comes to whether technology and security professionals should invest in certain certifications.
“Certifications are optional, but the learning paths associated with certifications are useful and more directed than just searching Google for whatever interests you,” Khan added. “So whether or not you have the certificate, following these learning paths is a good way to educate yourself on these kinds of basic security issues in each cloud and how it works.”
Certificate or not, Khan noted that there are certain skills that can help those looking to take on a job as a cloud security specialist, including basic networking skills. To better understand cloud security fundamentals, Khan suggested learning about authentication and authorization methods such as Security Assertion Markup Language (SAML) and Open Authorization (OAuth), as well as how different cloud platforms manage API and SSH keys.
This approach is also favored by Davis McCarthy, senior security researcher at security firm Valtix. “Being able to apply network security fundamentals or concepts like least permission to the cloud will improve the success of people entering the industry,” he told Dice. “Cloud security specialists need platform-specific knowledge about things like IAM policy, user roles, services that increase network traffic, and various technology stacks and operating systems. Explore why companies use the cloud and how to improve security for those use cases.”
For those looking for roles that favor or require a certificate, George Tang, principal solutions architect at security firm JupiterOne, noted that AWS’s Cloud Resume Challenge and free training provide a good start. From there, technologists can seek certifications such as AWS Solutions Architect Associate and CompTIA Security+ to use as a stepping stone to a cloud security specialist position.
Tang also told Dice about other avenues: “Don’t approach governance, risk and compliance as a way to get into the cloud security specialist space. Working in the Cloud GRC can provide tremendous learning opportunities and ways to grow your career.”
What programming languages help?
For those looking to become a cloud security specialist, several experts have noted that a good working knowledge of Linux is a plus – it will help you understand the basics used by most platforms.
When it comes to programming languages, experts have agreed that Python is the one to master. Other in-demand languages include Go, Java, Terraform, and Bash. Knowing the fundamentals of containers is also helpful.
“Understand Kubernetes and Kubernetes security because there are far more containerized workloads in the cloud than in most data center environments,” Khan said. “Also, knowing about orchestration and automation around ‘infrastructure as code’, as well as security best practices for these, will be helpful.”