Is CompTIA’s Cloud+ certification right for you?

[00:00:00] Chris Sienko: I'm sorry, you won't be able to stay on prem forever. You just won't. Whether your company has migrated its assets wholly, partly, or hesitantly into the cloud, security practitioners will need a rudimentary education in how the cloud works. Today's guest, CompTIA’s Chief Technology Evangelist, James Stanger, gives you the hows and whys of the Cloud+ certification, a soon to be cornerstone cert on today's Cyber Work Hack.

[00:00:30] CS: Welcome to a new episode of Cyber Work Hacks. The purpose of this spin off of our popular Cyber Work podcast is to take a single fundamental question and give you a quick clear and actionable solution to that problem.

Today's guest is, James Stanger, the Chief Technology Evangelist at CompTIA. James recently recorded an episode of the Cyber Work podcast with me about the new CompTIA Data+ certification, and if you haven't listened to it yet, I highly recommend that you do. We had a blast.

So, for this hack, we're going to talk about another semi recent CompTIA cert, the Cloud+ certification, and why security professionals really need to consider adding that to the certification toolbox. So, thanks for joining me today, James.

[00:01:11] James Stanger: It's good to be here, man. Thanks.

[00:01:14] CS: Most of our listeners know the foundational CompTIA certifications for people in the cybersecurity field. There's A+, the Network+, Security+, what is the Cloud+? What are the parameters of the cert and what is it built to test its certain spectrums?

[00:01:28] JS: The great thing about Cloud+ is it basically does the foundational parameters for the cloud. Recently, I was talking to a gentleman named Robert Wenier. He is the person over cloud and data center for a company called AstraZeneca. You know AstraZeneca? They helped come up with various things, including one of the vaccines for COVID. I asked him about what it meant to be working in the cloud. And he said something interesting. He said, “James, too often a lot of people misuse the idea of computing power changes or doubles every year or 18 months, or something like that.” And they misuse that in saying, “Oh, technology changes over 18 months.” And I said, “Yeah, I know.”

He said, “Well, when it comes to the cloud, when he goes up to using whatever resource, whether it be Google Cloud, or AWS, or Azure.” He says, “He finds radical changes, radical change every three weeks.” Think about that for a second. So, what does Cloud+ give you? It gives you a foundation, so that you can keep your feet in spite of that kind of radical change that happens so often. Because if you go and stampede into learning about feature sets of whatever cloud there, I really like AWS and Azure is great and all that.

But if you're focusing on feature sets, and really not understanding the essentials of storage and things, for example, then you're going to be kind of lost. And Cloud+ gives you the ability to understand whether it be an S3 bucket, or its equivalent, that's for storage and things, or its equivalent in Azure. You can actually start understanding the foundations of what it means to scope, and source, and provision, and maintain, and troubleshoot, and pay for, right? All of these different elements. If you don't have that foundation, then whatever vendor specific stuff you might want to stampede into, ain't going to make a whole lot of sense in three weeks.

[00:03:25] CS: Right. Yes. I think, that's a really good insight. Again, we talked to so many people who feel, they're looking at whatever their career goal is, and it's like, they're looking at a 75-foot mile per hour highway, and they're trying to get on the on ramp from zero miles per hour here. It's hard to sort of understand how you can get into – you nailed it perfectly there, every 18 weeks or whatever, like radical changes are happening. So, if you have like the roots of all of this. So, this is apparently like vendor agnostic certification.

[00:04:04] JS: Much so. Very much so. Yes, even though it's vendor agnostic, it's not something that just says, over and over again, the cloud is good, or the cloud is hard, or whatever. It actually goes in, and really talks about a lot of the – teaches you so many of the elements that you really need to know when it comes to working with the cloud. So, for example, cloud and security. If you take Cloud+, are you going to be a cloud security expert? Uh-uh. But you'll be able to talk with one, and you'll be able to eventually become one because it gives you that foundation that you need.

Too many people, for example, they don't know what identity access management is. They'll go into the IAM manager, whatever, in AWS or in Azure or Google Cloud. What does that even mean in the cloud? Even understanding things like virtual machines that you can launch, you can onto a Linux system and then start installing stuff on it and all that. Well, why would you do that? Which at times you should? Or why would you choose a serverless application?

In other words, because the cloud abstract stuff, or it gets rid of the middle player, right? And by middle player, in other words, if you and I, 20 years ago, “Hey, go make a web service.” Like, “Well, you got to find a room, you got to find a way to cool it, because servers need great space use.” You got to get the server, and all this hardware and all this, right?

But with the cloud, in an afternoon or less, we can spin up much that same thing, because it kind of gets rid of the hardware. That becomes somebody else's problem, right? So, the idea with the cloud becomes and knowing the foundations of this, well, when is it time to actually well, no, we actually do want to not be in the cloud. We might want to be in a data center or we want to even have on prem. Believe it or not, you have to make those smart decisions, right? We live in a cloud first, what I call a cloud first hybrid world, which is a fancy way of saying, sure, we might go to the cloud first. But there are compelling reasons why you use a data center, which is not the cloud. Or there are compelling reasons why you still might stick something in a server room, when I say here, the server room, somewhere in the building, right?

So, you have to make those smart decisions, and Cloud+ allows you to understand when to make those smart decisions.

[00:06:28] CS: Now, can we talk about the Cloud+ cert, and if there are any kind of input points, specifically, to Sec+ in the security track? Are there aspects of IT and security certs mentioned above that come into play when preparing for Cloud+? Because you said basically, like, it'll get you towards cloud security, but it's not a cloud security thing. Just like A+, what on ramps you towards networking and networking –

[00:06:57] JS: There’s significant portion of Cloud+ get 20% as it were. That does focus specifically on security. So, if you've gone to A+, Network+, and Cloud+ route, you've already picked up some cloud already, because A+ starts, it's very cloud aware. So as Network+. So as Security+. So, Cloud+ is also security aware that there's – I wouldn't even call it overlap, but there's just a commingling of concepts there.

What Cloud+ will do is it will teach you things that go beyond datacenter, or beyond install, and talk about what it means to do security in terms of the cloud. For example, usually, when you're working in the cloud, you can work through a web browser. But you can also work through a command line or a terminal. And that means that if you're going to remote in using something, it's a tool called Secure Shell. SSH. It's a command line, a little thing that as you – if you've ever opened up a DOS command prompt or a PowerShell, or whatever, or a Linux terminal, you can use a tool called SSH, you type SSH, and then the address of where you want to go. And you'll have to learn about public key and private key authentication to even get into the cloud. Because the cloud doesn't want you to use passwords anymore, right? So, you'll learn about things like two-factor authentication. You'll learn about using Secure Shell to enable public key authentication.

It's things like that that if you get the proper foundation, doesn't matter if you're SSH-ing or whatever, in or terminalling into IBM's cloud, Google's cloud, Oracle's, AWS. It doesn't matter. Because you could work with them with equal aplomb, as I say, or with equal dexterity.

[00:08:44] CS: Love it. So, how pervasive do you think will cloud and cloud be within cloud security in the years to come? Is this something that security professionals should consider sort of an essential part of their skill set? Or is this –

[00:08:57] JS: Absolutely. There's more data, I should say, there's more computing power that finds its way into that exists in data centers, that even the cloud right now. That's going to be that way for a long time. But nobody does that mean, that you should discount the cloud for heaven's sake. Again, it’s the first choice, that you're that you're going to look at, probably, right? So, it's absolutely something that if you want to go into security, you better understand what it means to administer the cloud securely. And also, to understand what goes wrong when it comes to the cloud.

Generally, I'm generalizing, but I'll go out on a limb. Probably, the cloud is going to be running a whole lot of applications. I was talking recently, it was last summer, not so recent, to a managed service provider and he works in Belgium, he owns a company. He said, “James, we moved to the cloud a long time ago. And yes, we still use data centers.” We say we move the cloud, but no matter where you are, it's all about the application.

I said, “Well, what do you mean the all about the application?” He said, “Well, that's where we make our money as an MSP, is in making applications for whatever company.” He tends to work with a lot of finance, insurance, manufacturers, believe it or not, right? Other MSPs might work with grocery stores or might work with insurance companies or something. They all pick a sector they work with. He said, “It's with the applications because that particular store or that insurance company, that manufacturer uses applications to run its business. CRM, they have customer relationship management software, or software that runs on a treadmill.” Sorry, not a treadmill, that a conveyor belt, right? Things like that.

So, hackers are going to be in the applications too. If those applications are installed, or in a data center, or in the cloud, how do they behave there? They usually behave about the same no matter where you stick them. But if you put something in the cloud, excuse me, that you just lift and shift from a data center into the cloud, you're going to run into problems, generally. Function fine, but you may not be supporting it, and giving it the security that it needs. It's all about really enabling web application filtering. It's all about enabling web application firewalls and things.

[00:11:18] CS: Okay. So, InfoSec is a primary partner of CompTIA, and is very happy and proud to be offering a bootcamp and course rating for Data+ or Cloud+. Cloud+. So, can you talk about some of the training materials you've seen, and what types of exercises and quizzes students can look forward to during their Cloud+ studies?

[00:11:38] JS: When it comes to the cloud, you can probably go up and find some free resources. Any of those cloud, they allow you to get up there and go out there and create free stuff. But the tiers are rather limited. And if you make a mistake, you'll end up with a bill at the end of the month that you got to pay, okay? Because they don't let you sign up for free unless there's a Visa card or some sort of card, credit card involved, MasterCard, whatever. So, to me, three areas that are really important. One, you've got to learn the material, the objectives, right? And then there's great learning there. There's videos and things that CertMaster Learn. But when it comes to labs, we have CertMaster Labs, for example. And then we also have CertMaster Practice, which kind of simulates the exam environment.

So, to me, it's all about the labs, because I just learned that way. But CertMaster Learn is so great, because it contains videos that contain step by step instructions, labs that reinforce it. And then as you go in, to get ready to take the exam to prove that you know what you know, that's where the practice comes in. To me – there's kind of – I put four in there. I meant to put three. Kind of CertMaster Learn, CertMaster Labs, CertMaster Practice can help.

[00:12:51] CS: Finally, do you have any study or strategy tips for people studying for the Cloud+?

[00:12:55] JS: Get a mentor. Whether it’d be an instructor with you. But again, a mentor and network with people. So, if you learn about a concept, no matter what it is, I'm sure it's an acronym. It's got to be an acronym, right? Isn’t that what we do?

[00:13:10] CS: Yes.

[00:13:12] JS: Work in the cloud to do your identity accesses.

[00:13:15] CS: Second Campbell's in alphabet soup.

[00:13:19] JS: That's right. So, turn that alphabet, make that alphabet soup real and use sort of lab in, and you'll find that with CertMaster Labs, for example, it does a great job of giving you those labs that start out step by step and also can be much more challenging. And then, implement that as physically as humanly possible. If you heard about software as a service, well, what's an example of that? Well go up and grab a software as a service application and play with it. Slack, right? Or Office 365, the trial version. And then compare that to something that's platform as a service. The application is not there for me to just play with. I have to actually call it up and configure it and all that. And yet, that brings me more flexibility than a lot of software as a service.

So, you can actually play with these terms. To me, it's all about play. As a kid, I used to – I still get myself in trouble a lot playing with things, right? But over the years, with the cloud, it's been nice to be able to play with stuff and then break things horribly, and then just restart it. It's not punitive play anymore.

[00:14:25] CS: Yes, absolutely. I think [inaudible 00:14:29] might have a fear of doing something in front of the teacher, in front of the class, like you have these spaces where you can break stuff as hard as you want and then you can look at the debris and go, “Oh, boy.” And then you sweep it under the desk and start over, whatever. Yes, I think there's a lot of value in taking sort of big swings when you're learning the material.

[00:14:54] JS: Exactly. I like how you put that. It’s great.

[00:14:55] CS: Thank you. So, one last question here for our listeners who want to know check out the Cloud+ and its requirements in more detail, where should they look online, James?

[00:15:06] JS: Comptia.org. Go check it out. Probably the best way to do it, the quickest way is to type in CompTIA Cloud+, and you can go check that out. And there's great resources there. Also, InfoSec, you guys can provide great resources. There are great resources that if you contact them, can guide you to Cloud+ as well.

[00:15:26] CS: Thank you very much. James Stanger, thank you, once again for walking us through this essential cert. Appreciate it.

[00:15:33] JS: It's great to be talking with you, Chris. Thank you so much. Really appreciate it, man.

[00:15:34] CS: Thank you all for watching this episode. If this video helped you, please share it with colleagues, with forums, or on your social media account, and definitely subscribe to our podcast feed and YouTube page. Just type in Cyber Work in any of them and you're on your way. There's plenty more to come and if you have any topics that you want us to cover, drop them in the comments. Until then, we will see you next time. Take care.

[00:15:58] CS: Hey, if you're worried about choosing the right cybersecurity career, click here to see the 12 most in demand cybersecurity roles. I asked experts working in the field how to get hired and how to do the work of the security roles so you can choose your study with confidence. I'll see you there.