CCSK Success Stories: Cloud Security Education and the Digital Transformation
This is part of a blog series interviewing cybersecurity professionals who have earned their Certificate of Cloud Security Knowledge (CCSK). In these blogs we invite individuals to share some of the challenges they face in managing security for cloud computing and how they were able to leverage knowledge from the CCSK in their current roles. In this blog we'll be interviewing Murugesh Rao, the Project Manager for Cloud & Data Center Transformation at UMW.
(1) In your current role at UMW, as Project Manager for Cloud & Data Center Transformation, what does your job involves?
My primary role is to design and strategize a path for UMW to kick start the UMW digital cloud journey. This is a broad description however that needs to be broken down into near future deliverables. The job is to design a cloud-first strategy and align all the work that is planned and in progress in IT and business. It also entails building awareness for some of the new security considerations, and upskilling and cross-skilling current workforce to manage the future cloud estate.
(2) Can you share with us some complexities in managing cloud computing projects?
One of the biggest challenges is creating a baseline for apps and systems that are on-prem and comparing them as we migrate to the cloud. The baseline may include resource requirements and the true cost of ownership. Given some of the baseline parameters are not monitored within the on-prem implementation, it will result in doing a bit more work and time to create those baselines before creating a positive business case.
The other challenges are skill-sets. Since cloud computing is fast evolving, keeping up with the pace of change for new cloud adopters can be a challenge. An example is the difference between on-prem security and cloud security. On-prem is primarily focused on the outer parameters while the cloud focuses security on every layer of the virtual network and interfaces.
(3) In managing (outsourced) cloud projects, what are useful tips you could share with IT professionals to avoid common pitfalls?
- Understand the connectivity cost, the egress traffic will be a new cost to the setup, hence understanding the amount of traffic flow is important and so is looking out for hidden traffic costs.
- Resource planning is important as well, you might want to configure alerts if there is a cost overrun within your subscription. Begin with a very active cloud cost management approach and start implementing the budget alerts to ensure you don’t get a surprise bill.
- Do not over-solution at the start as cloud is the building blocks of services. Hence craft the project in phases; you also will be able to manage a lower start-up cost
(4) What made you decide to earn your CCSK? What part of the material from the CCSK has been the most relevant in your work and why?
Being a cloud enthusiast, I was keen to get a broader understanding of cloud security in general without the need to understand a specific cloud products or services. It was also important to design and architect a cloud strategy and solution; hence I had to have an in-depth understanding of the security eco-system of a cloud architecture.
There are many sections I could highlight but the one that stood out for me was the Simple Cloud Security Process Model. It was a model that I could easily incorporate in the cloud design process to identify and implement security controls for a more secure and safe cloud landscape.
(5) How does CCM help communicate with customers?
The Cloud Control Matrix (CCM), provides a level of confidence to the customer as each of the control-id maps to the industry security standards. In addition, the ability to use the matrix to ensure the cloud design conforms to the controls (which is well documented in the CCM). The customers could also use this as a checklist for internal audit assessments.
(6) What’s the value in a vendor-neutral certificate versus getting certified by a vendor? In what scenario are the different certificates important?
Conceptually, a vendor-neutral certification provides a framework, in this case cloud security as opposed to focusing on the product features. This is important when an organization is evaluating which public or private cloud to adopt based on the business and organization security requirements. When an organization has narrowed down to a few cloud providers, a vendor-specific certificate would be useful.
(7) Would you encourage your staff and/or colleagues to obtain CCSK or other CSA qualifications? Why?
Yes, I have and will continue to do so. CCSK has broadened my view of cloud security and helped me move beyond a cloud provider feature focus on security. The CCSK equips you with the knowledge to question and continuously improve the security landscape and the potential to work with your cloud providers to continuously improve. In addition, you also can evaluate the cloud providers’ security offerings given your vendor-neutral knowledge.
(8) What is the best advice you would give to IT professionals in order for them to scale new heights in their careers?
I truly believe in life-long learning and this quote sums it up nicely
“The capacity to learn is a gift; the ability to learn is a skill; the willingness to learn is a choice”
Interested in earning your CCSK? Download our guide to the Certificate of Cloud Security Knowledge (CCSK).