CCSK Success Stories: from a Cybersecurity Engineer
In this blog series we invite individuals to share some of the challenges they face in managing security for cloud computing and how they were able to leverage knowledge from the Certificate of Cloud Security Knowledge (CCSK) in their current roles. In this blog we'll be interviewing Lucas, a Cybersecurity Engineer at LGMS in Malaysia.
(1) You currently work at LGMS, as a Cyber Security Engineer. Can you tell us what your job involves?
My job involves security assessments such as penetration testing, security configuration checks and review. It includes managing and providing consultations to clients and customers around adopting a cybersecurity perspective towards new and existing environments. Constant learning, upskilling and improvement on the latest trends and professional skills in cybersecurity are extremely important when it comes to new cybersecurity considerations, practices, regulations and standards.
(2) Can you share with us some complexities in managing cloud computing projects?
Performing penetration tests on cloud computing instances would be more complex compared to traditional on-premise infrastructures. As there are various cloud services providers (CSPs), these providers may have their own terms and conditions or policies where customers and vendors are required to abide or apply for a license prior to the penetration test. Moreover, the differences of networking configuration and multitude of infrastructure services in cloud environments also complicate the processes and procedures of a penetration test.
(3) In managing (outsourced) cloud projects, what are useful tips you could share with IT professionals to avoid common pitfalls?
Always be clear with the shared responsibility model and security consideration in cloud environments. Some key highlights here are:
- Identify data/information ownership and how to securely protect them in the cloud infrastructure and services.
- Study and understand the terms and conditions before conducting a penetration test on a cloud environment.
- Ensure targets and services are configured on a per need-to-know basis only.
(4) What made you decide to earn your CCSK? What part of the material from the CCSK has been the most relevant in your work and why?
The CCSK provides a great opportunity to gain a general understanding of cloud computing, considering that cloud computing is now the new norm in the IT industry. Data security and encryption related domains greatly help as they are part of my job responsibilities in penetrating cloud environments. Understanding identity management and the management plane also helps me gain insights into various techniques on how attackers gain access to the system and pivot attacks.
(5) How has the Cloud Controls Matrix (CCM) been helpful?
The Cloud Controls Matrix (CCM) simplifies the cybersecurity control framework of cloud computing for the customers. With all the controls and domains covered in CCM, one can know and assess if the current cloud implementation and design meet the controls highlighted in CCM. This helps organizations or customers to assess the risk associated with CSPs through its comprehensive cloud security standard.
(6) What’s the value in a vendor-neutral certificate versus getting certified by AWS? In what scenario are the different certificates important?
In the event of multiple vendors or cloud environments within an organization, vendor-neutral certificates would be more germane and useful in terms of broader options and a higher level of knowledge of best practices and frameworks. Whereas, vendor-specific certificates focus on the specific product or service features and skill expertise of the particular vendor, which in return, may not be useful when working with other vendors or cloud platforms.
(7) Would you encourage your staff and/or colleagues to obtain the CCSK or other CSA qualifications? Why?
Of course. As cloud computing becomes increasingly common and is expected to be a crucial part in the IT industry, knowledge on securing cloud computing will be valued and extremely important. CCSK and other CSA qualifications provide clear insights on cloud computing security with its vendor-neutral nature across all controls and domains within the course.
(8) What is the best advice you could give to IT professionals in order for them to scale to new heights in their careers?
Being certified in various certifications improves our expertise, but continuous improvement and practice are important, especially in the IT industry with rapid technological changes. Additionally, adaptability and actively interacting with new technological changes are as important as networking and communicating with peers and experts.