CCSK Success Stories: From a Cloud Digital Security Architect
In this blog series we invite individuals to share some of the challenges they face in managing security for cloud computing and how they were able to leverage the Certificate of Cloud Security Knowledge (CCSK) in their current roles. In this blog we'll be interviewing Yogesh, a Cloud Digital Security Architect at Mashreq Bank in the United Arab Emirates (UAE).
(1) In your current role as a Cloud Digital Security Architect at Mashreq Bank in the UAE, can you tell us about what your job involves?
I am responsible for managing the secure migration of on-premises workloads to the cloud and looking at security assurance in the cloud. This includes securing multiple disciplines of digitalization, such as microservices, containers, DevSecOps, blockchain, data factory, etc. Designing security strategies and helping to implement them makes my work very interesting.
(2) Can you share with us some complexities in managing cloud computing projects?
The complexity in managing cloud computing projects does not come from new technologies, but from governance, risk, and compliance. A bank is not only part of a regulated industry but has multiple offices around the world; this adds more complexity. On top of that, migrating to a public cloud in the hybrid model and adopting SaaS have thrown in new challenges. I have learned that although the security controls remain the same, the security control implementation differs in the cloud.
(3) In managing (outsourced) cloud projects, what are useful tips you could share with IT professionals to avoid common pitfalls?
Assurance reports and contracts are a must, as larger and better-known CSPs may not present issues. The same cannot be said of many new SaaS offerings that are built by start-ups. Do not lower or compromise your security controls to fit into a cloud offering, but make sure the CSP has the right controls to meet your security requirements. Also, take care of data residency; do get an assurance on where your data will be hosted.
(4) What made you decide to earn your CCSK? What part of the material from the CCSK has been the most relevant in your work and why?
It has helped me develop a vendor-neutral approach to cloud security. As an information security professional dealing with multiple CSPs who have their respective interpretation of cloud security, you should have clarity about your cloud security goals and objectives.
Auditing, compliance and architecture are three pieces which have helped me a lot in my day-to-day work when dealing with multiple compliance regimes and implementing a multi-cloud strategy.
(5) How does the CCM help you in your role?
The CCM and the CAIQ questionnaire have set the standard level of security for CSPs. They help cloud service consumers (CSCs) to evaluate CSPs and understand their responsibilities. Mapping CCM controls to different standards like ISO 27001 has certainly made life easier for cloud security practitioners like me. The recent publication of CCM V4.0 with 197 controls will help customers to further streamline their security controls.
(6) What’s the value in a vendor-neutral certificate versus getting certified by a vendor? In what scenario are the different certificates important?
I have been emphasizing for the longest time that a vendor-neutral approach to security is necessary for information security professionals. I did my CCSK and CCSP first and then was certified by vendors. Professionals should have clarity on security controls first and then decide on the security solution to implement those controls; that is where the CCSK helps security professionals. Apart from that, I would like to say that all certifications have their respective value. I would suggest going for an AWS or Azure certification when you are a security implementation engineer or in a SOC. If you are a GRC person or architect, you should go for the CCSK or CCSP.
(7) Would you encourage your staff and/or colleagues to obtain the CCSK or another CSA qualification? Why?
Yes, absolutely. As more and more organizations move to a multi-cloud strategy, it is necessary to adopt a vendor-neutral approach to security and dig deep into the security requirements of the organization before evaluating the security solutions. The CCSK gives you that opportunity to understand the underlying security principles of cloud security and take a stand on the cloud security posture of your organization.
(8) What is the best advice you could give to IT professionals in order for them to scale to new heights in their careers?
Focus on continuous learning. Make a habit of reading new material every day. It will not only help you in developing your knowledge and skills, but will also keep you updated on your industry. You should always be curious, to an extent, about why things work in the first place. I have always followed one principle from Steve Jobs: “Stay Hungry, Stay Foolish.”