By: Chris Pollard
September 18, 2020
From Mr. Bean to Mr. Bond: My path to being a cloud security special agent
Everyone starts building in the cloud in different ways - for some, it's a necessity because the organization mandates a move to the cloud. For others, the allure of services such as Lambda, DynamoDB, and S3 (the 8th wonder of the world!) is enough to persuade you to give the cloud a try. Whatever your impetus for playing in the cloud, you'll quickly conclude that security is critical to success.
However, increasing your security smarts is not an overnight endeavor. Here's a bit of what I've learned on my path progressing from Mr. Bean to (I like to think) a James-Bond-like cloud security special agent.
Don't be in the wrong kind of headline
The criticality of cloud security is evident from the number of newsworthy breaches. Organizations large and small have challenges with cloud security and, in the worst cases, this ends up as a headline on a news site. It's sobering to reflect on this estimate from Gartner: through 2025, 99% of cloud security failures will be the customer's fault.
I started working in the cloud as a Business Intelligence developer. I was hired to build a data warehousing platform that we were going to sell as a SaaS offering to independent pharmacies throughout the country. While doing an analysis on SQL Server licensing, how many customers I could expect over a year, and what hardware I'd need, I got overwhelmed at the potential expense and unknowns about the viability of the product. So I went to my boss and told him I wanted to build the solution on Amazon Web Services (AWS). The company had one or two services running on AWS, but this would be our first platform in the cloud. Exciting times! Or really scary ones!
Here I was with a new role, learning a new platform, and I had no clue what I was doing. Before I was able to leverage the vast resources of AWS, I had to take a crash course in the Health Insurance Portability and Accountability Act (HIPAA) to comply with our Business Associates Agreement (BAA).
Start your security education at the firehose
So, how to get started? I began to digest everything I could about AWS. I read white papers (here's a recent example of some great content from AWS on how to think about security) and service help pages in AWS. And I built! I built prototypes (without personally identifiable information [PII]), and started dabbling in automation. I also received an email from AWS that my EC2-Classic AD server was exposed too broadly and presented a security risk! Like Mr. Bean, I was bumbling around.
Throughout the years, I learned more about AWS and the cloud than I ever could have imagined, and moved my career away from building BI solutions to solving problems in the cloud.
There’s a wealth of resources out there to help you get started - now more than ever!
Cybrary offers great learning materials. Ranging from introductory to advanced learning courses to hands-on training and learning paths for your particular interests, there's a wealth of information to help with your education. Courses on the basics of cloud, starting with the Cloud Architecture Foundations and Cloud Governance Principles courses, help you learn more as you start your path to the cloud. The Certified Cloud Security Professional (CCSP) course is a great hands-on course that helps you prepare for the CCSP exam, including a practice exam that you can take after studying the course material.
Remember, we're smarter together
The wonderful communities that are built around the cloud have been a huge enabler to me becoming successful in this endeavor.
The only social media platform I use is Twitter (@Chrisp1516), and one of the big reasons is that you can pick your own communities to follow. In the cloud community, folks such as Corey Quinn (@QuinnyPig) and Scott Piper (@0xdabbad00) share a wealth of knowledge on a daily basis. Automated Twitter accounts, such as AWS Doc Updates, give you updates from AWS documentation without having to scrape the pages yourself. You can also follow AWS Distinguished Engineers such as Colm MacCárthaigh (@colmmacc) and learn more about crypto than you ever thought possible.
GitHub is also an extremely valuable source of cloud security information. Being able to interact with maintainers and others in the community (and give back) is a huge boost to your cloud savviness. Feel free to follow me to see the repos I've starred and the folks I follow. On GitHub, you can find repositories of information that help categorize AWS services and community repos, such as the Awesome AWS repo. There are so many great security tools available, such as Cloud Custodian (which has a Gitter channel where you can often find Cloud Custodian maintainer Kapil responding to questions), Parliament (an IAM policy linter), and tons of resources from AWS themselves.
In addition to these resources, the AWS subreddit is a great place to learn more, as is Stack Overflow. I started answering Stack Overflow questions some time ago, and it's helped me continue to learn the platform and understand some of the common pain points folks have with it.
Accept that you're never done
Today, I have a great understanding of cloud security, and I know that there's always more to learn. I try to give back to this amazing community by contributing to GitHub and Stack Overflow, joining in on conversations on Twitter, and building enterprise tools to help demystify cloud security. I recognize I'll never be done; there will always be more special-agent powers I can acquire.
Chris is the VP of Design and Engineering at cloudtamer.io, the makers of the industry-leading, multi-cloud governance solution that simplifies cloud account management, budget enforcement, and continuous compliance. cloudtamer.io helps commercial and government organizations achieve a well-governed cloud.