What does a cloud security engineer do?

Cloud security engineers design, develop, manage and maintain a secure infrastructure leveraging cloud platform security technologies. They use technical guidance and engineering best practices to securely build and scale cloud-native applications and configure network security defenses within the cloud environment. These individuals are proficient in identity and access management (IAM), using cloud technology to provide data protection, container security, networking, system administration and zero-trust architecture.

– Get your FREE cybersecurity training resources: https://www.infosecinstitute.com/free
– View Cyber Work Podcast transcripts and additional episodes: https://www.infosecinstitute.com/podcast

  • 0:00 - Intro
  • 0:25 - What does a cloud security engineer do?
  • 1:55 - How to become a cloud security engineer?
  • 2:55 - How to gain knowledge for the role
  • 4:43 - Skills needed for cloud security engineers
  • 6:00 - Common tools cloud security engineers use
  • 7:43 - Job options available for this work
  • 8:35 - Types of jobs
  • 9:16 - Can you pivot into other roles?
  • 11:03 - What can I do right now?
  • 12:33 - Outro

[00:00:05] Chris Sienko: Welcome to the InfoSec Career Video Series. These set of short videos will provide a brief look inside cybersecurity careers and the experience needed to enter them. Today, I'll be speaking with InfoSec skills author, Joseph South about the role of cloud security engineer. Without further ado, let's get into it. Welcome, Joe.

[00:00:23] Joseph South: Hi, thanks for having me.

[00:00:25] CS: Joe, let's start with the basics. What does a cloud security engineer do? What are the day-to-day tasks of a cloud security engineer?

[00:00:33] JS: Yeah, that's a very interesting question. It can definitely vary, depending on where your organization is, what their cloud security journey, and what they're actually doing, what their market is. Really, I like to break it up into three different roles. We have a junior level cloud security engineer, which is definitely not a junior role in security overall. Then, we have a senior cloud security engineer, and then we have a lead cloud security engineer.

The more junior level role is going to be responding to different alerts across the different tools that we have set up to be alerting across, whichever cloud provider we may be in. The senior cloud security engineer is the one that's typically building out those tools and tuning them and designing them, really from the ground up and deploying them. The lead is identifying gaps in the environment, identifying viable solutions to fill those gaps, and really driving the direction of the cloud security team as a whole.

[00:01:43] CS: What I like about that is that we can see the ladder of success here. You see what you need to do to go from one to the next. They sound like, for the most part, have fairly delineated job roles. I guess, to start at the very ground level, how does one become an entry level cloud security engineer? Do you need to experience first? Can it be your first job?

[00:02:06] JS: I would say, that it definitely cannot be your first job. Because cloud security expands, or spans across just about every single domain in security. A cloud security engineer needs to have experience in several different domains. I'm not just talking about two domains. I'm talking about three, four, five domains across security. They're deploying tools in those domains. They're working with internal clients, and maybe even some external facing clients.

They really need to have those sorts of skills and experience under their belt, before they're going into the cloud, where they're not allowed to touch the cable. They can't touch the server. They're not able to go do a hard reset, like you would normally do. A total shift in your thinking.

[00:02:57] CS: Now, to that end, what types of education is typically required, and/or what types of certs will help you break in, or support this role, or just get the knowledge that you need to do the role?

[00:03:07] JS: Yeah. I'd say, the first step is obviously, the experience. When you're getting the experience, I always strongly encourage everyone to go with whatever cloud provider their company is already in. If your company is already in Azure, start looking at Azure certs. If you're in AWS, start looking at AWS certs. The first cert that I would start working to accomplish, or achieve is the AWS certified cloud practitioner. Sorry, that's a mouthful. It really gives you a very good foundational knowledge of the cloud. Yes, it's geared towards AWS, but really, the foundational knowledge will work for Azure, it'll work for GCP, or any other cloud provider. From there, once you have that cert under your belt, I would really start looking at the CCSP. The reason why I would do that is because the CCSP is very broad. It's vendor agnostic, it's not going to be specific to any one vendor. The material that you're going to be learning to achieve that certification will work no matter what cloud provider you're in.

The topics on encryption, IEM, all of it. All of those foundational topics are going to be the same, which really puts you ahead of everyone else, because I will be honest, I'm in this field and I don't know very many other people in this field that have the CCSP. If you have the CCSP, it's really going to set you apart.

[00:04:42] CS: Got you. Now, we talked about some of the skills that you learned through these certifications. Can you lay them out? What are some skills that cloud security engineers need to do their job well? If you're just going to start working on learning something right after this video, where would you start?

[00:05:00] JS: Yeah. That's really interesting. I would take a look at the different services that the cloud provider is offering. Whichever cloud provider you're choosing, take a look at the different services, and not just the security services. Take a look at how AWS deploys EC2s. Think of what security controls you can deploy. AWS does a really amazing job. Azure actually does a really good job as well. Posting a lot of different white papers, a lot of documents, really walking you through all this stuff. It's all out there. You just have to look for it.

When you're going through, and getting all that knowledge, you should also be developing your soft skills. The best way to do that is just on the job. Whatever job you're in, try to work on your soft skills. Try to be more personable. Try to actually work with people, hear them out, listen to them, and respond effectively to whatever they're asking.

[00:05:59] CS: Okay. You mentioned tools before, and that – I think, it's a fairly tool intensive job. Can you talk about some of the common tools that cloud security engineers use?

[00:06:10] JS: Yeah. I would say, there's three pretty common ones. Then the rest are vendor tools that you'll get experience with on the job, because they're far too expensive for anyone to purchase on their own. The first one that I always work with, honestly, is the AWS CLI tool. It connects right into your AWS account, and you can manage your entire account right from your terminal window, or your CLI, whichever it might be.

The next one is Steam Pipe. It's a newer open-source tool. It's used to actually run security audits across multiple cloud environments at the same time, and you can map those controls across all the different cloud providers. That is extremely helpful, because to be quite honest, the tools that do it that you actually have to pay for, some of them do it really well, but they're also very expensive. Organizations are looking for alternatives. If you know an open-source version of a tool, you're going to be even more valuable, even if they have that paid for tool because you already know how it works. You already know what to expect.

[00:07:29] CS: Those first couple that you mentioned, those are open source, those are things that people can start messing around with on their own?

[00:07:35] JS: Yeah, absolutely. Scout Suite is another one that's open source. That is a great tool to manage your cloud environment.

[00:07:42] CS: Excellent. Where do cloud security engineers work? What type of job options are available? What job sectors? I imagine with cloud expanding the way it is, it's everywhere, right?

[00:07:54] JS: Yeah. At this point, every company is in the cloud, or they're going to the cloud, or they're thinking about the cloud. Everyone is hiring for cloud security professionals. It sounds a bit crazy, because maybe you're not used to hearing that. Honestly, in security there, there is only a shortage of people. No shortage of jobs.

[00:08:15] CS: Yes, for sure.

[00:08:16] JS: You can work across any industry in the world. You could work for any company in the world, and you can do it from your home. Because nine times out of 10, they're going to be remote. Unless, you're working for the federal government, then it's illegal to work remote.

[00:08:33] CS: Yeah, yeah. Exactly. Now, to that end, I guess, there's a lot of different types of jobs as well. I mean, do cloud security people generally tend to work for the single company, or their vendors, they're freelancers, consultants, or all the above?

[00:08:49] JS: I would say, really, all the above. If you're in cloud security, it's very easy to start doing freelance work, start doing consulting work on the side, or even change organizations fairly easily. Me personally, I work for an organization and I do a bit of side work on the side. I know several people that do that exact same thing.

[00:09:17] CS: Now, for people who might be working, or moving towards cloud security engineer, maybe they decided partway through that it's not the career position for them, how easy is it to pivot into other roles? What types of skills that you learn from cloud security engineer? Are there ways that you can use that in other related fields?

[00:09:36] JS: Yeah, absolutely. If we're just focusing on other security roles, if you make it to be a cloud security engineer, you can go into any other security role. Really, I mean, just about any other security role that you may have a focus on. You could go into IEM security role, where you're deploying technology, you can work on Sims, EDRs, whatever it might be. If you want to go up the level, you could also go and become an architect. What's an architect? An architect is having the 1,000-foot view of the organization, identifying some gaps in technology stacks. A lot of the times, that's really what they're there for. They're there to manage the environment.

As a cloud security engineer, like I said before, you need to know the whole environment. You're already a step ahead of most people that are trying to become architects. If you don't want to be an architect, you can easily jump into being a manager. Because you're managing so much in your day-to-day job, especially when you're a senior, or lead cloud security engineer, that you're basically a manager. You're managing yourself, you're managing your colleagues. I don't mean managing it with an iron fist. I mean, you're working with these other people that are on your team to achieve a certain goal that you may have.

[00:11:03] CS: Now, as we close off here, for our listeners who are ready to get started and start learning today, what’s something they can do right now that will move them toward the goal of becoming a professional cloud security engineer?

[00:11:14] JS: Yeah. I think that that's a great question that has a lot of different facets to it. A few things that I don't hear enough cloud security professionals talking about is when you want to jump into any security role, the first thing that you want to do is get up on the news. Learn about what's actually going on in the security industry.

Secondly, would be to find a video series, or a podcast; a video series like this video series, or my own podcast, Security Unfiltered. Both of those are great ways. There's other podcasts out there that are also doing a fantastic job that help people get into this field. Then aside from that, if you nail those two things, I would start looking at certifications. The AWS certification that I mentioned, you don't require any experience. There's no years of experience that is required. The CCSP, it is required that you have five years. You can pass that cert, and they will still not issue it to you if you don't have the years of experience. If you can do those three things, you are ahead of the curve, by far. It's going to be much easier for you to make this jump, or transition into this line of work and security.

[00:12:33] CS: All right. Joseph South, thank you very much for your time and insight today. I'm really glad to talk to you today.

[00:12:39] JS: Yeah, thanks for having me. I appreciate it.

[00:12:41] CS: Everyone listening, thank you for checking us out. If you'd like to know more about other cybersecurity job roles, please check out the rest of InfoSec’s career video series and check out InfoSec Skills at infosecinstitute.com/skills. We’ll talk to you soon.

Free cybersecurity training resources!

Infosec recently developed 12 role-guided training plans — all backed by research into skills requested by employers and a panel of cybersecurity subject matter experts. Cyber Work listeners can get all 12 for free — plus free training courses and other resources.


Weekly career advice

Learn how to break into cybersecurity, build new skills and move up the career ladder. Each week on the Cyber Work Podcast, host Chris Sienko sits down with thought leaders from Booz Allen Hamilton, CompTIA, Google, IBM, Veracode and others to discuss the latest cybersecurity workforce trends.


Q&As with industry pros

Have a question about your cybersecurity career? Join our special Cyber Work Live episodes for a Q&A with industry leaders. Get your career questions answered, connect with other industry professionals and take your career to the next level.


Level up your skills

Hack your way to success with career tips from cybersecurity experts. Get concise, actionable advice in each episode — from acing your first certification exam to building a world-class enterprise cybersecurity culture.