CCSK Success Story: From a Financial Services Cloud Security Architect

This is part of a blog series interviewing cybersecurity professionals who have earned their Certificate of Cloud Security Knowledge (CCSK). In these blogs we invite individuals to share some of the challenges they face in managing security for cloud computing and how they were able to leverage knowledge from the CCSK in their current roles. In this blog, we'll be interviewing Mohammed Hashim, a cloud security architect in the financial services industry.

1. Can you tell us what your job involves?

My job involves working closely with different business teams to develop a comprehensive cloud security framework for the organization. I also co-chair solution architecture meetings and serve as the primary subject matter expert for security architecture consultations. In addition to these responsibilities, I wear multiple hats in the organization, including taking on the role of a cloud compliance analyst when assessing external third-party cloud services. Outside of work, I am passionate about offering security advice to small and medium-sized enterprises and startups on a pro bono basis.

2. Can you share with us some complexities in managing cloud computing projects?

One of the main complexities in managing cloud computing projects is ensuring data security and governance. The responsibility for data security varies between the cloud service provider (CSP) and the customer depending on the type of cloud adoption model used, such as SaaS, PaaS, or IaaS. Cloud architects face challenges in establishing security baselines that are specific not only to a particular cloud service but also to the organization. Additionally, the dynamic and ever-evolving nature of cloud services offered by different CSPs adds to the complexity of managing cloud computing projects.

3. In managing (outsourced) cloud projects, what are useful tips you could share with IT professionals to avoid common pitfalls?

Understand the Data Flow and Shared Responsibility Model: One of the most important steps in managing outsourced cloud projects is to have a clear understanding of the data flow and shared responsibility model between the customer and the outsourced cloud project. This will help to ensure that everyone involved in the project understands their roles and responsibilities, which is essential for effective collaboration and successful project delivery.

Service Level Agreements, Backup, and Disaster Recovery: Service Level Agreements (SLAs), backup, and disaster recovery are key areas that need to be understood and addressed at the outset of the project. These areas will help to ensure that the outsourced cloud project meets the client's requirements and expectations, and that any potential risks or issues are identified and addressed early on.

Standard Operating Procedures (SOPs): Establishing well-crafted SOPs between the client and the outsourced cloud project is another important step in effective project management. SOPs provide a clear and consistent framework for how the project will be managed, which can help to avoid misunderstandings and delays.

Check Cloud Project Engineers' Certifications and Experience: To ensure that the outsourced cloud project is managed effectively, it's important to check that the cloud project engineers have the necessary cloud certifications and demonstrated experience in the field. This will help to ensure that they have the necessary skills and knowledge to successfully deliver the project.

4. What made you decide to earn your CCSK? What part of the material from CCSK has been the most relevant in your work and why?

My role transitioned from a solutions engineer to a cloud security practitioner. My previous organization was heavily involved in migrating its critical applications from on-prem to the cloud, and it was crucial for me to upscale my technical knowledge.

In my opinion, all 14 modules in the CSA guide are relevant, from cloud compliance to incident response. I found Domain 7 (Infrastructure Security) and Domain 9 (Incident Response, Notification, and Remediation) particularly interesting. Having spent the early part of my career as an incident responder for on-prem SOC environments, this section gave me insights into how incident response procedures should be initiated in a cloud environment.

I always keep the Security Guidance for Critical Areas of Focus in Cloud Computing v4.0 on my desktop for easy reference.

5. How does CCM help communicate with customers?

The Cloud Controls Matrix (CCM) is a comprehensive list of security controls that are mapped to various standards and regulations. Whether you're a startup consuming cloud services from different CSPs or a regulated financial organization exploring cloud services, CCM v4 is a relevant cybersecurity control framework for cloud security assessments. It advises on specific implementation controls mapped to your enterprise architecture, cloud models, and regional and international security standards. Recently, CSA published a CCM v4.0 Addendum - CRI FS Profile v1.2 that contains controls mapping between CCM and the Financial Services Profile. This addendum has been helpful in identifying specific security controls applicable to financial services. Overall, CCM provides a useful framework for communicating cloud security requirements with customers and vendors.

6. What’s the value in a vendor-neutral certificate like CCSK or CCSP versus getting certified by AWS? In what scenario are the different certificates important?

CCSK and CCSP certifications provide a foundational understanding of cloud security concepts and best practices, which can be applied in any cloud environment. Vendor-based AWS or Microsoft certifications, on the other hand, are important if the organization uses that specific cloud service extensively or if one has to specialize in specific vendor technology. The value of a certification depends on the individual's career goals, their organization's needs, and the specific cloud technologies they work with.

7. Would you encourage your staff and/or colleagues to obtain CCSK or other CSA qualifications? Why?

I strongly encourage both staff and colleagues to pursue CSA certificates, specifically CCSK. Whether you are a college student or a professional engineer interested in cloud technology, it is essential to understand the breadth and depth of cloud security. By investing in, preparing, and reading CSA materials, you can stay up-to-date with the latest trends and best practices in cloud security and compliance. This applies to operations engineers, solution architects, and business leaders alike.

8. What is the best advice you will give to IT professionals in order for them to scale new heights in their careers?

My best advice to IT professionals who want to scale new heights in their careers is to continually seek opportunities to learn and grow. This can be achieved by obtaining industry certifications and participating in research groups and collaborative projects. For example, in addition to pursuing a CCSK certificate, I would encourage colleagues to actively participate in research groups related to topics such as threat intelligence, emerging technologies, security services, financial services, and privacy. By joining these groups, IT professionals can learn from subject matter experts and contribute to the research ecosystem, ultimately expanding their knowledge and skills. Additionally, staying up-to-date with industry changes and advancements is key to staying relevant and competitive in the job market.