
Working across multiple cloud service providers: CSP security learning path

February 20, 2023 by Joe South

The basics of the cloud are the same irrespective of which cloud provider you choose. However, as soon as you go into GCP, Azure or AWS, you are stuck learning their vocabulary and the nuances of securing your environment.

In cloud security, it is common for a company to start in AWS (or another cloud) and add one of the other clouds to the environment. This creates a hybrid cloud model where customers are in more than one cloud. To the company, this can be fantastic, taking advantage of possible cost savings, operational optimizations and vast environments to build their solutions. 

To the cloud security engineer, this is a huge burden. To relate this to something you may already be aware of, this is like growing up speaking English and then, in your twenties, you are forced to learn Spanish. Is it impossible? No, but it is highly challenging, and you will make mistakes. 

The number one threat to any company in the cloud is misconfiguration. This means that the engineer who deployed a solution into the cloud thought they were doing it in the most secure way, only to learn the hard way that this wasn’t the case.

CSP challenge inspires cybersecurity training to help others in the same boat

One of the biggest challenges with the cloud is that each cloud uses a different vocabulary for its services. There is also no unified place that compares all the cloud-native security services in each domain across all three big cloud providers. I experienced this when my company was in all three cloud providers: AWS, Azure and GCP. 

At the time, I was only certified in AWS, but my responsibilities extended beyond AWS into Azure and GCP. This meant that I would have to learn each cloud's native services, the differences between each service across each cloud, and identify solutions that could span across all three clouds to best secure our environment. No small task, especially since most large companies have several teams to handle this, and there was only me to handle this for our company. That is when I knew I had to develop the CSP security learning path to help others in the same situation. 

The big three cloud service providers

My training focuses on AWS, Azure and GCP and the native security services they currently offer. I review each of these services, compare them against each other in the course and discuss what kind of companies would best take advantage of them. It is critical to not only know the limitations of a cloud-native security solution but also understand which cloud best fits your company. The cloud is not a one-size-fits-all solution for every company.

A company might be heavily invested in Microsoft and have a long-standing relationship with Microsoft. In this case, Azure is likely the best cloud for them since they will get a sizable discount on their services, and the migration to the cloud will be a much smoother process than any other cloud.

Another company may be more dynamic, building its infrastructure on Kubernetes and needing the latest Kubernetes versions. In this case, GCP would best fit this company, since GCP tends to have the most up-to-date Kubernetes features (Google created Kubernetes).

For each cloud provider, I reviewed services across the following domains: Data Encryption, DLP, Cloud Storage, IAM, Infrastructure Security, Network Security, Application Security and Disaster Recovery. In many of these domains, we work in the respective cloud console to get hands-on experience with common best practices that an engineer should follow.

My CSP security training isn’t intended to be a deep dive into every native security service but more of an overview of each native security service. It is a great starting place that will tell you where to look and gives you the hands-on experience you can easily build upon. At the end of each course is a project designed to walk you through some key areas in each cloud provider. 

For instance, for the data encryption course in GCP, I take you through the key encryption options for key services in GCP. You will create your free cloud account and walk through these steps to clearly understand each cloud provider's key areas.

Key takeaways from CSP security features

If you are interested in reviewing the native security controls and getting hands-on experience with these cloud services, then CSP security features is excellent for you. My path includes a course project for each cloud provider where we dive into a few of these best practices.

By the end of this course, you will understand which security controls each cloud provider does well and where they fall short. You will also understand which of these services may fit your organization better than its competitors and the risks associated with each cloud provider and service. 

I am always asked which cloud provider someone should start getting certified in. I always tell people to start with the cloud that their organization is currently in. The reason is that the certifications for that cloud provider will make you more valuable to your current company and other companies in that same cloud. 

Once you have 2-3 certifications in that cloud, consider getting certified in another cloud. You only need to obtain some certifications that a cloud provider offers to be fluent in the cloud. I recommend starting with the cloud provider foundational certification, and then you should aim for the solutions architect certification.

Once you have those two, you should focus on your specific area. If you are on the networking team and are in AWS, then the AWS Networking Specialist certification is for you. This course is a fantastic starting place regardless of which cloud provider you aim to get certifications in. 

 

Joe South

Joe South has worked at companies of all sizes across multiple industries. Joe is currently in a role where he is empowered to introduce new and innovative solutions to increase the security posture of his organization. He enjoys teaching others what he’s learned and is the creator of a blog where he helps others get into cybersecurity and build a successful career.

Joe worked in vulnerability management, securing applications that served military and Department of Defense clients. He later expanded his skillset by diving into complex identity and access management (IAM) toolsets where he designed solutions for Fortune 500 companies across HIPAA, PCI and financial industries. He also architected solutions for companies to move into AWS, Azure and GCP while maintaining or increasing their security posture. Joe has his CCSP, AWS Security Specialty and AWS CCP certification, among others.