Cloud Security Career Path — The Ultimate Guide For 2024
Hit the ground running with the cloud security career guide!
2024 is just a few months away
This year was insane, with AI dominating the news and tech layoffs happening everywhere.
Cybersecurity as a career choice remains a safe bet, however, and Cloud Security is one niche that is going strong.
If AI is the future, then Cloud is the backbone on which this future is being built.
The amount of data and processing power that AI requires means that cloud is the first choice to host these systems.
The demand for Cloud Security professionals will remain strong, but with all the available platforms and certifications, it can become overwhelming!
This is why I have made this comprehensive career guide to help people get started on their cloud security journey.
These are the steps I recommend starting with if you are serious about a career in cloud security in 2024.
Step 1 — Choose a Cloud Platform
To start in cloud security, you should gain the following:
Hands-on experience with one cloud provider and its security services
Knowledge of Infrastructure as Code (IaC)
Knowledge of cloud concepts such as the Shared Responsibility Model, serverless, etc.
The first step is to choose a cloud platform that you will use to hone your cloud skills.
There are major players available such as Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP), and IBM Cloud.
Each has its own security features and services to help protect data and applications.
Most of them also provide free-tier sandboxes that you can use to get familiar with their environments.
I would recommend AWS as it is the most popular of the cloud providers with a large number of services.
Decide which cloud provider you want to gain knowledge on before you proceed.
Step 2 — Get Hands-On with the Cloud
You do not learn cloud security just by reading books or watching courses.
You need to get your hands dirty with how it works.
Below are my tips on how to get hands-on cloud security experience and plug your skills gap.
A — Sign up for a free tier account
A key starting point for getting hands on is to have a home lab / sandbox where you can play around with services in the cloud.
Thankfully, most of the major providers already offer this, because they want users to try their services before moving on to paid usage. Google Cloud has a free plan, and the AWS Free Tier lets you try AWS services at no cost up to specified limits.
Provided you keep an eye on usage (set a billing alarm or budget on day one, since anything beyond the free limits is charged), you can easily create a cloud sandbox to play around in.
B — Learn Infrastructure as Code (IaC)
Now that you have a cloud sandbox, it is time to provision some infrastructure, but not the easy way via the management console.
If you work in the cloud, there is no escaping Infrastructure as Code; it is one of the most basic skills you need.
IaC, as the name suggests, means you define infrastructure in a code template that a tool such as Terraform, or the provider's own service such as CloudFormation on AWS, then turns into real resources in the cloud. Because the template is plain text, it can be version-controlled, reviewed and scanned before anything is deployed.
There are some excellent free tutorials for learning IaC, such as the one from Terraform.
Spin up a few resources in your sandbox (while staying within the free-tier limits) so you get a feel for how it works.
C — Scan your IaC templates for security issues
Now that you know about IaC, it is time to scan these templates for security issues.
There are numerous commercial and free tools available; the one I would recommend is Checkov, a static analysis tool for IaC that detects insecure templates and also flags vulnerable packages or container images referenced in them.
Checkov can be installed from its GitHub repository or via pip. You simply point it at an IaC template or a directory of templates, and it reports which checks passed and which failed, with the resource and line responsible for each failure.
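To make steps B and C concrete, here is an added example (my illustration, not Checkov's code or anything from its repository): a small scanner that applies two Checkov-style checks to Terraform templates written in Terraform's JSON syntax (`.tf.json`), which Terraform accepts alongside HCL. It flags an S3 bucket with a public ACL and a security group that exposes port 22 to the whole internet, including the `-1` "all protocols" edge case. The check IDs, resource names and both templates are constructed for the demo and are not real Checkov check IDs.

```python
"""Tiny IaC policy scanner over Terraform JSON-syntax templates.

Added illustration of what a static IaC scanner such as Checkov does;
this is not Checkov's code. Check IDs, resource names and the sample
templates below are all constructed for the demo.
"""
import json
from dataclasses import dataclass
from typing import Iterator

# Constructed sample: a template with two classic misconfigurations.
INSECURE_TEMPLATE = json.dumps({
    "resource": {
        "aws_s3_bucket": {
            "logs": {"bucket": "example-logs", "acl": "public-read"}
        },
        "aws_security_group": {
            "admin": {
                "name": "admin",
                "ingress": [
                    {"from_port": 22, "to_port": 22, "protocol": "tcp",
                     "cidr_blocks": ["0.0.0.0/0"]}
                ],
            }
        },
    }
})

# Constructed sample: the same resources after hardening.
HARDENED_TEMPLATE = json.dumps({
    "resource": {
        "aws_s3_bucket": {
            "logs": {"bucket": "example-logs", "acl": "private"}
        },
        "aws_security_group": {
            "admin": {
                "name": "admin",
                "ingress": [
                    {"from_port": 22, "to_port": 22, "protocol": "tcp",
                     "cidr_blocks": ["10.0.0.0/8"]}
                ],
            }
        },
    }
})


@dataclass(frozen=True)
class Finding:
    check_id: str   # hypothetical IDs for this demo, not Checkov's
    resource: str   # Terraform address, e.g. aws_s3_bucket.logs
    message: str


PUBLIC_ACLS = {"public-read", "public-read-write"}
ANY_ADDRESS = {"0.0.0.0/0", "::/0"}


def _blocks(value):
    """Terraform JSON allows a nested block to be one object or a list of objects."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_public_bucket_acl(rtype: str, name: str, body: dict) -> Iterator[Finding]:
    """Flag S3 buckets whose canned ACL grants access to everyone."""
    if rtype == "aws_s3_bucket" and body.get("acl") in PUBLIC_ACLS:
        yield Finding("DEMO_S3_PUBLIC_ACL", f"{rtype}.{name}",
                      f"ACL '{body['acl']}' exposes the bucket to everyone")


def check_ssh_open_to_world(rtype: str, name: str, body: dict) -> Iterator[Finding]:
    """Flag security groups that allow port 22 from any IPv4/IPv6 address."""
    if rtype != "aws_security_group":
        return
    for rule in _blocks(body.get("ingress")):
        proto = str(rule.get("protocol", "tcp"))
        all_ports = proto == "-1"  # "-1" means every protocol and every port
        covers_22 = int(rule.get("from_port", 0)) <= 22 <= int(rule.get("to_port", 0))
        world = ANY_ADDRESS & set(rule.get("cidr_blocks", []) + rule.get("ipv6_cidr_blocks", []))
        if world and (all_ports or (proto == "tcp" and covers_22)):
            yield Finding("DEMO_SG_SSH_WORLD", f"{rtype}.{name}",
                          f"port 22 reachable from {', '.join(sorted(world))}")


CHECKS = (check_public_bucket_acl, check_ssh_open_to_world)


def scan(template_json: str) -> list:
    """Parse a Terraform JSON-syntax template and run every check on every resource."""
    doc = json.loads(template_json)
    findings = []
    for rtype, instances in doc.get("resource", {}).items():
        for name, body in instances.items():
            for check in CHECKS:
                findings.extend(check(rtype, name, body))
    return findings


if __name__ == "__main__":
    for label, template in (("insecure", INSECURE_TEMPLATE), ("hardened", HARDENED_TEMPLATE)):
        hits = scan(template)
        print(f"{label}: {len(hits)} finding(s)")
        for hit in hits:
            print(f"  {hit.check_id} {hit.resource}: {hit.message}")
```

Running the script reports two findings for the insecure template and none for the hardened one, which is exactly the loop you go through with the real tool: write the template, run `checkov -d .` in the directory that holds it, fix what fails, and re-scan until it is clean.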
D — Conduct a cloud security assessment
By now you should be getting comfortable with the cloud.
It is time to conduct a complete security review of your cloud environment.
This is not something you can (or would) do manually, but the good news is that there are numerous free tools on the market.
If you are using AWS like me then the best option would be Prowler.
As per the official documentation :
“Prowler is an Open Source security tool to perform AWS, GCP and Azure security best practices assessments, audits, incident response, continuous monitoring, hardening and forensics readiness. It contains hundreds of controls covering CIS, NIST 800, NIST CSF, CISA, RBI, FedRAMP, PCI-DSS, GDPR, HIPAA, FFIEC, SOC2, GXP, AWS Well-Architected Framework Security Pillar, AWS Foundational Technical Review (FTR), ENS (Spanish National Security Scheme) and your custom security frameworks”
Prowler is a Python package, so it installs easily, and it runs once you have configured AWS credentials for it. Use a dedicated read-only identity rather than root or admin keys: Prowler's documentation asks for the AWS-managed SecurityAudit and ViewOnlyAccess policies, which is all an assessment needs.
Run it on your free AWS account and see the results.
Step 3 — Get Certified
Getting certified is a great way to learn the basics of the cloud and its providers.
You can do this step in parallel with getting hands-on!
Cloud security certifications can be provider-specific or provider-agnostic.
Provider-specific ones focus on a single platform, while agnostic ones cover concepts.
If you are entirely new to the cloud, choose a provider-agnostic one that will build your foundation before moving on to the more technical stuff.
In cloud security, two vendor-agnostic certifications stand above the rest.
They are the Certified Cloud Security Professional (CCSP) from (ISC)² and the Certificate of Cloud Security Knowledge (CCSK) from the Cloud Security Alliance.
But which one should you choose if you start out in Cloud Security?
CCSP
The CCSP is an intermediate-to-advanced certification.
It validates your knowledge across six domains, from cloud architecture and design through data, platform and application security to legal, risk and compliance.
The CCSP is not a beginner-level cert; it is aimed at professionals who already have solid cybersecurity and cloud knowledge.
I would not recommend it if you are just starting out.
The CCSK
The CCSK is a beginner-level cert from the Cloud Security Alliance (CSA).
It is geared towards people who want to gain a grounding in the cloud and its security areas.
It also covers the cloud and its different models, risk areas, and security response.
The CCSK is a great way to enter the field if you are interested in starting a career in cloud security or want to transition into this field from another one.
Step 4 — Understand Cloud Job Roles
Step 4 is to understand the types of cloud security roles that exist.
This matters before you start applying for jobs, because it tells you which roles suit your experience.
Some of the most common cloud security roles are:
Cloud Security Engineer
A Cloud Security Engineer focuses on the day-to-day running of your cloud security ecosystem and is expected to know all the security controls in your cloud infrastructure.
This person usually works with the other cybersecurity teams to ensure the cloud controls are working correctly and that they feed into existing systems, such as the SIEM, so the cloud estate is covered by the same monitoring as everything else.
Cloud Security Architect
The Cloud Security Architect is a more specialized role requiring more cloud security experience.
I would not advise taking on this role without real cloud experience, as you are expected to be a subject matter expert.
This role performs architecture and design reviews and guides teams on best practices and frameworks.
You should have an in-depth understanding of how the cloud works. For example, on Google Cloud you should know services like Cloud Functions and GKE (Kubernetes) and how they integrate with the other cloud services.
Cloud Security Consultant
A Cloud Security Consultant advises companies on cloud security best practices and risk mitigation.
There is sometimes a lot of overlap between a Cloud Security consultant and the role of a Cloud Security Architect.
But, a key difference would be that this role is usually more advisory and customer-facing.
You work closely with customers and guide them on their cloud security journey.
That’s it. Following these steps will give you a great foundation on which to start your cloud security career. I hope this was useful to you. Good luck on your cloud security journey in 2024!