Despite optimism (at least in the U.S.) that the worst of the COVID-19 pandemic is over, remote and hybrid work is here to stay, with many employees opting to work from home permanently. As this trend continues, businesses and government agencies are likely to grow even more reliant on cloud-based services and technologies to ensure their operations continue without a hitch.
The numbers show how much this need for cloud infrastructure and services has grown since the pandemic began. Analyst firm Gartner, for instance, expected organizations worldwide to spend $332 billion on public cloud services alone in 2021, a 23 percent increase from the previous year.
This spending includes SaaS and IaaS, as well as newer technologies such as containerization, virtualization and edge computing. This suggests the COVID-19 "pandemic served as a multiplier for CIOs’ interest in the cloud," according to the report.
While the use of cloud services is expanding, so too are security concerns around these technologies, which include threats ranging from cybercriminals to sophisticated nation-state groups. Consider a study released earlier this month by Palo Alto Networks that looked at the identity and access management policies of users in about 18,000 cloud environments in 200 organizations.
The results showed that nearly 99 percent of cloud users and services have excessive permissions, which gives attackers a wide attack surface to exploit, and one compromised account can lead to access to hundreds or even thousands more. The study also noted that many organizations (about 53 percent) allow weak passwords that can be guessed or hacked through brute-force attacks.
For these and other reasons, many private organizations and government agencies are looking to hire cloud security specialists, which is now considered one of the fastest-growing jobs in the cyber field. The average salary for a cloud security specialist stands at about $87,700, according to Glassdoor, but many private firms are willing to boost pay well into the six figures for the right person.
Whether it’s a cybersecurity professional looking to move up through specialization, or a technologist transitioning to a new career direction, experts note that with the right skills and training, the field of cloud security can offer an upwardly mobile path.
What Skills Do I Need to Start?
For experts who watch the field of cloud security, there are several paths technologists can take to start a cloud security specialist career. Aaron Turner, vice president for SaaS posture at security firm Vectra, noted that a career path from a traditional, on-premises IT or security background begins with learning as much about cloud infrastructure as possible.
“The easiest way to get familiarized with cloud security concepts is to investigate the Infrastructure-as-a-Service capabilities that their current organization needs,” Turner told Dice. “IaaS can sometimes boil down to the 'lift and shift' of virtual machines from on-premises servers to cloud-hosted ones. IaaS has the closest corollaries to legacy network and host security. From that landing spot within the cloud, someone can teach themselves additional aspects from that point of familiarity.”
For a true novice with little tech experience, the best way to learn about the cloud is to focus on SaaS offerings, especially those fundamental Microsoft products that almost all enterprises use.
“Using the Microsoft cloud management portals and tools allows for immediate gratification by allowing learners to configure familiar and easy-to-understand services like email and file sharing,” Turner added. “Practicing security concepts within SaaS environments can be understood immediately through penetration testing processes that are widely available through online courses.”
And while many organizations tend to pick one cloud service for their infrastructure, such as Amazon Web Services, it’s a good idea for technologists to know a little bit about how each IaaS offering works, said Grant Kahn, senior director of security intelligence engineering at Lookout.
“It's great to have deeper experience in AWS, for instance, because that's where most things are. However, there aren't very many multi-cloud organizations so pay attention when you're going in for interviews because most companies tend to favor one cloud or the other,” Khan told Dice. “The most important thing is understanding the basic security primitives and topics, which will have analogs across all the clouds, but also know the distinct terminology and any key differences across clouds.”
What Certificates and Skills Matter the Most?
Experts are torn on which skills are needed for a cloud security specialist position, especially when it comes to whether tech and security pros need to invest in certain certifications.
“Certifications are optional, but the learning tracks that are associated with the certifications are useful, and more directed than just Googling around whatever interests you,” Khan added. “So, whether or not you've got the cert, following those learning tracks is a good way to educate yourself about this sort of basic big picture security questions in each cloud and how that stuff operates.”
Whether earning a certificate or not, Khan noted that certain skills can help those working toward a cloud security specialist position, including basic networking skills. To better understand cloud security fundamentals, Khan suggested mastering authentication and authorization methods such as Security Assertion Markup Language (SAML) and Open Authorization (OAuth), as well as how the various cloud platforms handle API and SSH keys.
This approach is also favored by Davis McCarthy, principal security researcher at security firm Valtix. “Being able to apply network security fundamentals or concepts like least permission to the cloud will improve the success of people moving into the industry,” he told Dice. “Cloud security specialists need platform-specific knowledge of things like IAM policy, user roles, services that augment network traffic and various tech stacks and operating systems. Look at what businesses use the cloud for and research how to improve security for those use cases.”
For those looking at positions that favor or require a certificate, George Tang, principal solutions architect at security firm JupiterOne, noted that the Cloud Resume Challenge and free training from AWS offer a good start. From there, technologists can look to earn certifications such as the AWS Solutions Architect Associate and CompTIA Security+ to use as a stepping stone toward a cloud security specialist position.
Tang also told Dice about other avenues: “Don't knock governance, risk, and compliance as a way to get into the cloud security specialist space. Cloud GRC work can provide tremendous learning opportunities and ways to grow your career.”
Which Programming Languages Help?
For those who want to become a cloud security specialist, several experts noted that a good working knowledge of Linux is a plus—it will help you understand the foundation that most platforms use.
As for programming languages, experts agreed that Python is the one to master. Other in-demand languages include Go, Java, Terraform and Bash. Knowing the fundamentals of containers is also helpful.
“Understand Kubernetes—and Kubernetes security—because there are a lot more containerized workloads in the cloud than in most data center environments,” Khan said. “Also, knowing orchestration and automation around ‘infrastructure-as-code,’ as well as the security best practices for those, will help.”