Ashish Rajan: Hello, and welcome to another episode of Virtual Coffee with Ashish. Happy new year to start off with. I’m so glad you all joined us. We’re gonna talk about how to become a cloud security architect in 2021. A lot of you reached out to me and, well, your wish has come true. Surprising, totally unplanned, but it worked out.
So I’m not going to complain about it. And I have an amazing guest over here to basically help us get through this interesting world of cloud security, architecture and cloud security architects. So without further ado, let me get the vibe going. Hey Sriya, how are you?
Sriya Potham: Hello? I’m good. How are you?
Ashish Rajan: Good,
thank you for coming to the show.
Really awesome to have you on the show here. I’m super excited, happy new year, by the way. First of all,
Sriya Potham: Happy new year. Hope it’s great for everyone.
Ashish Rajan: Yeah, hopefully safe. I do want to say cheers! Welcome to the show.
[00:01:00] Sriya Potham: Thank you, really excited to be here.
Ashish Rajan: Awesome. I want to start with the obvious one. For people, you and I spoke about the whole cloud security architecture piece last year.
And for people who may not have heard from you before, how did you get into this space? What was your path into it, out of curiosity? Where are you based?
Sriya Potham: So right now I work as a cloud security architect for United Airlines in Chicago, and I’ve spent a good bit of my career with United, but I kind of bounced around to a couple of different industries, a couple of different companies, within my career.
For the majority of my career, really, I kind of lived in this cloud security world. I like to say that I’m cloud native, right?
Ashish Rajan: Yep. That’s a good one.
Sriya Potham: Yeah. So in college, I majored in information decision sciences, so I kind of had this business side. And then I also learned a little bit about technology, a little bit about [00:02:00] data. And while I was doing that, I was working as a web developer for my school.
So I got a lot of those lab fundamentals: what does development look like when you’re working with other people and not just on my personal projects? At that time I was in college. So I did that for a little bit. I worked in help desk for a startup for a little bit, so I kind of got my feet inside the identity and access management space, Office 365, and got a good foundation, I think, of IT before I started at United, which was my first internship. At that time I had no idea what cybersecurity was. I was really like, yeah, I’m going to be a project manager, you know, and that’s gonna be really cool. My options were to be a project management intern within a couple of different spaces, and cybersecurity at that time was really cool.
And it was very hot, right? And it is. So that’s where I decided I wanted to be. I was there for a summer and I really liked it, and I really [00:03:00] liked security, especially. So I wanted to get deeper. So the next summer I came back, still an intern, but this time I was in the AppSec space, because I already had these basic web fundamentals.
I knew what code meant. I knew how to code. I was learning a lot about the security fundamentals, right? What does it mean to secure code? What factors are managed by this application and what factors are managed beyond that?
So I did that for a little while. And then I decided to join this team when I was joining United full-time. That was more in the architecture space. So at the time they called it the security advisory organization. All of the projects came into my team and all of the more senior architects; I was reviewing the projects in advance to know what questions the architects would be asking, so we could kind of speed this process along, right? So I worked really closely with a lot of architects. And around that time we were noticing [00:04:00] that there were a lot of cloud-specific projects and you didn’t really have any competency within the security organization in cloud.
So with the help of some outside consultants and more senior architects who were getting trained on the cloud, I kind of joined that team as well. So now we had this cloud security organization and I was one of the first members. I was learning about the cloud, realistically, at the time when I was just learning about security as well.
So that’s why I call myself cloud native. I’ve spent realistically my entire life in Chicago. So I wanted to go out, see more stuff, and I joined this financial company in New York doing, again, cloud security, but looking at it from a financial perspective.
Compliance is a big driver, tying everything back to being compliant, all that kind of stuff. And after doing that for a little bit, I moved into, again, a more consumer-facing company. So I was working at a consumer goods company doing, again, cloud security and
[00:05:00] Ashish Rajan: yep.
Sriya Potham: circled back. And I’m back at United.
Ashish Rajan: Well, clearly you love them enough to come back again, but I think it’s really interesting from what you mentioned. So it sounded like you probably started when the whole... because I think my understanding is when cloud security kind of started, people didn’t really know what to call it.
It was just like, I guess we’re doing security in AWS or security in Azure, because there was no Google Cloud back then. But it’s also fascinating to know that you’ve had experience in that space in different industries, because I think that’s definitely valuable. And we would love to dig deeper into it, but I wanted to start with this, because everyone has a different definition of cloud security.
What’s your definition of cloud security?
Sriya Potham: Yeah. So when I think about cloud security, I really think about our shared responsibilities, because when we’re looking on prem, we’re realistically responsible for everything. So everyone kind of has their own role.
They’re looking at the infrastructure, they’re looking at the app. Inside the cloud, you know, we might not be [00:06:00] responsible for every single facet of the infrastructure. And I know you’ve talked about this a lot on your podcast already. We need to understand, as security professionals, what are we responsible for when it’s infrastructure as a service versus a platform as a service versus a pure SaaS application, which in some companies they’re like, yeah, this is cloud.
So, you know, you cloud security people, you manage SaaS as well, right? So having that basic understanding really helps you know what am I supposed to be looking at when I’m thinking about this particular cloud application.
Not just the shared responsibility between the cloud service provider and the customer, but it’s also shared responsibility between
the teams within your company, right? Security, I think, when we’re looking at the cloud, isn’t so siloed inside the security organization. Your app team might be taking a facet of that: they’re going to be running their own code scans and they’re going to get an output and you’re going to be there to help them.
But at the end of the day, they’re responsible for securing their code. [00:07:00] And same with the infrastructure side, right? Like, we’re going to be there. We’re going to help you design it. We’re gonna work with you every step of the way, but at the end of the day, the infrastructure is your responsibility.
Ashish Rajan: Yeah. It’s worthwhile calling out, when you say shared responsibility, it’s probably one of the most confusing things about the cloud as well, where people kind of still wonder, oh, where does my responsibility finish and where does the responsibility of the cloud service provider start?
Do you have a simple example that you can share for some of the audience members who may not even know what shared responsibility is?
Sriya Potham: Sure. The easiest way to look at it is when you’re looking at a SaaS product, right?
So in a SaaS product, realistically, what you are responsible for, if it’s true SaaS, is one, the data that’s going into that environment, and two, who are you giving access to your environment. That’s all that you have the ability to configure. Then the cloud security provider will take everything else. They’re going to be responsible for the [00:08:00] underlying hardware, they’re going to be responsible for the security of their code because you didn’t design it. You don’t know what’s going on there. It’s their responsibility.
Ashish Rajan: Yup. And that’s pretty good. And it’s really interesting. So out of curiosity, what does a day in a cloud security architect role look like then?
Sriya Potham: I think most of my day is just reviewing something.
The app team is responsible for securing their code, but I’m responsible for knowing that this tool is going to review their code correctly, right? So I am responsible for these underlying tools that we’re using to secure the cloud,
and setting the correct controls on them and monitoring those controls. And I’m also responsible for reviewing applications and new design decisions and working with teams to make the correct decision.
Ashish Rajan: All right. So your day probably would have a lot of design reviews of projects being [00:09:00] deployed, or maybe even decisions being made which are changes in the existing design and the way it works or how it functions.
Is that, would that be accurate?
Sriya Potham: Yeah. I like to kind of divide it into application and infrastructure, like the actual underlying infrastructure. So especially if there’s a big infrastructure change being made, my team is definitely looped in,
because infrastructure people are gonna be looking at, can this data get to this location? They’re not going to be looking at, is it going to get there securely?
Ashish Rajan: Yep. Yep. And to your point, is it worthwhile calling out that, between the different industries, architecture reviews in cloud, are they similar in different industries or are they different kinds of days in a different industry?
I guess that’s kind of where I’m going with this.
Sriya Potham: Yeah. So at the basic level, right, architectural reviews are the same. We’re gonna want to know: what data is going to be in this? What services are we using? What access levels do those services have?
Ashish Rajan: Yeah.
Sriya Potham: At that [00:10:00] fundamental stage, yes, of course we’re gonna be looking at the same things. I think it’s more of a difference in what level of control we’ll be applying.
Ashish Rajan: Right. And I think there’s a question from Vineet as well: as a security architect, would you focus more on the GRC side?
Sriya Potham: It’s definitely something that you need to know. So if we have, let’s say, PCI data, so credit card information, we need to know that credit card information can’t be exposed. So what controls do I need to make sure that data is protected?
So it’s definitely important to know what controls are necessary for what type of data, but I think at my level, we’re more looking at the actual specific controls and not what data are you using.
Ashish Rajan: Yep. And I think it’s worth calling out, because different organizations have different structures for it as well, because to your point, there might be roles in a small organization where,
if it’s a startup, everyone’s doing everything as well. So in those kinds of scenarios, maybe an [00:11:00] architect would not just look at, I guess, architecture design, but also maybe look at compliance and GRC as well, because I guess that’s what the role demands. But I think it’s worthwhile calling out: would you say it’s different depending on the scale of the organization that you’re currently working with?
Sriya Potham:
Yeah. Yeah, definitely. At least in my team, we’re trying to make teams take responsibility for what they’re responsible for. So instead of having everything go through the cloud security organization, we want to make it more holistic. Again, we want to make sure that all those teams that are saying we’re the data people,
we’re going to make sure that your data is protected, we want to make sure that they understand what it means to be in the cloud. I didn’t really hit on this before, but I think a lot of my day also is translating what is different in the cloud versus on-prem to teams that aren’t necessarily in the cloud day to day.
Ashish Rajan: Yup. Yup. The translation is so difficult sometimes, especially when you’re coming with baggage from on-premise already. There is a follow-up question from Vineet about the CCM controls, which is the [00:12:00] Cloud Controls Matrix controls, for reference.
Is that something that you guys use quite often, or is it more that you have your own, I guess, matrix that you refer to?
Sriya Potham: Yeah, so for us that was a great fundamental. As our environment gets more complex, those controls may not necessarily be relevant when we’re looking at one specific application.
So a big effort that we have right now is creating more controls, kind of like base questions that we’re asking that are relevant to applications that are going to be sitting on our environment. Basic things, maybe it’s something like IAM, just getting access into the environment.
These frameworks might give you a specific method, but that might not always translate to an enterprise, a large enterprise environment.
Ashish Rajan: Actually, it’s a great point about large enterprise, because I think you’re aware of the CIS benchmark that’s been thrown around [00:13:00] as well. I always use the AWS one as an example, where
it’s really great if you only have one AWS account, but these days I don’t know of any company which only has one AWS account, and that CIS benchmark was written with the intent of having one AWS account. So to your point about the enterprise and that scale, that’s technically not applicable at that point, because then you’re making a call by, hey, am I going to ignore CIS
and only take on the ones that I feel are relevant for me? Which is probably a good segue into, I guess, the kind of skills that you would require in such a role, maybe both soft skills as well as technical skills. What do you recommend for, say, someone like Vineet or others who may be looking at getting into this kind of space?
Let’s start with the soft skills and we’ll come back to the certificate part.
Sriya Potham: Sure. Yeah. So from a soft skills perspective, we kind of talked about this before: being able to communicate, I think, is 100% [00:14:00] necessary, at least in my environment, where we’re trying to communicate, hey, this is how it works in the cloud, this is how you might do it on prem,
and this is why this works in the cloud. So being able to communicate that and make sure that your partners are aware of what’s changing when they’re not inside a specific environment day to day is incredibly important to stay on the same page and to ensure that the speed of business is where it should be.
As we know, security ends up being such a bottleneck. That’s ultimately what we’re trying to prevent. Cloud allows us to be so fast and we just want to make sure that we’re not being stuck with old security methodology when we can do better.
Ashish Rajan: Yep. Yep. To your point about great communication skills, so at least translating on-premise to cloud, to what you were saying earlier, because sometimes you don’t want to be [00:15:00] talking about the technical details; it’s just about translating what used to be effective on-premise but may not be the same in a cloud environment.
Would that be accurate?
Sriya Potham: Yeah, definitely. I think that’s the number one skill that I use day to day.
Ashish Rajan: Perfect. And I definitely wanna get into the technical skills as well. As a security architect providing security advice to the engineering team, do you consider the role a technical role?
Sriya Potham: Yeah, I would. Because you still need to understand what the engineering is doing to even give them guidance, right? You can look at all of these frameworks and say this is how it should be, but you need to understand it in context, and to do that
you need to know the underlying technology.
Ashish Rajan: Cool. Awesome. Thank you. Good answer. And I’m going to come back to the certificate question that is there; apart from the certification, I’d love for you to jump in and answer that as well, but any specific technical skills people should be looking at, and then we can go [00:16:00] into the certificate question.
Sriya Potham: Yeah. So I think it’s super helpful to have at least a basic understanding of Python. You know, how APIs work, how do you read JSON or YAML, and CloudFormation, at least when we’re looking at the AWS world. When we understand that, and also we understand the base underlying services within AWS, I think we’re able to be a lot more powerful as security people,
instead of just looking at these basic compliance things like, yeah, I know I need to do this, but you know, how do I make that happen? Yep.
Ashish Rajan: And I think to your point, is it worthwhile calling out that it’s always misunderstood, that people might think that getting a certificate equals experience?
Would you say having a certificate is a great start, or it’s a great way to get an introduction into what that concept may be in that cloud service provider, but you still need to kind of go out and have a look at, okay, what else could I be doing? What’s a real-life example that I can [00:17:00] go for? Would that be accurate?
Sriya Potham: Yeah, definitely. I think certification is really great when you don’t know anything, when you don’t know your fundamentals; a certification really gives you that structure that you need to get an understanding. And that really worked the same for me.
When I was just starting out in my career and we were starting the cloud team, the first thing I went out and did was get my architect associate certification, and I got the security certification. So, you know, I understood at the AWS level what is possible, what can we do.
When you have that base knowledge and then you’re looking at your enterprise and you’re taking a step back, you can say, hey, you know, I don’t need CloudWatch because I already have Splunk. Yeah. So I just need to get my data into Splunk.
Ashish Rajan: Actually, so that’s a great point.
So if you’re doing certification, that at least gives you what’s possible in a cloud provider, and then depending on the [00:18:00] company you’re working with, you can make an informed decision: do I want to use this, or do I already have something that I can use from beforehand?
Sriya Potham: Yeah. Yeah, exactly. You want to make sure that you’re leveraging your enterprise capabilities as much as possible,
so you’re able to centralize all of this knowledge in the teams that have that fundamental knowledge. I’m a cloud security architect, but I’m not a great incident responder. I wouldn’t say that’s my core competency. I understand what they do, but I’m not going to go sit there and look at these logs all day
to understand that and create alerts. That’s not where my background is.
Ashish Rajan: Yeah. And I think it’s worthwhile calling out because, depending on the organization, I think we were touching on this earlier as well.
To your point, a large organization would have a person for incident response. They would have people who are generating alerts. Obviously the scale of work is so large, that’s why you have specific people for specific roles as well, where the cloud security architect is probably reviewing a lot more designs.
And how does something on-premise [00:19:00] translate into the cloud world? I’ve got another question: did you do a CCSP as well, or have you considered doing it? Would love to know about that as well.
Sriya Potham: Sure. So I’m currently studying for my CCSP. I think what’s interesting there is, for the AWS security cert, I don’t think you really need to have any sort of work history; for your CCSP, that’s an expectation. So I think the AWS cert is definitely something that you should do, especially if you’re planning on working in AWS. The CCSP, I think, takes a more theoretical look and kind of abstracts out the provider.
You’re not going to be as technical. You’re really looking at the theory behind cloud security, which, you know, 100% you should know. But to be immediately effective in your job, I think it’s good to have the technical foundation that the AWS security cert would give you.
Ashish Rajan: I think, especially in the cloud world, I feel like most of the conversation you would have... I think you touched upon AWS CloudWatch earlier; someone who probably hasn’t done any certification probably [00:20:00] would not know what AWS CloudWatch is. I guess it’s a service. And I think you can cover that gap and come across as more
experienced, or at least have some knowledge in it. So just to get some, I don’t want to use the word respect, but more knowledgeable, I guess.
Sriya Potham: Yeah. To speak authoritatively. Especially as a cloud security architect.
Ashish Rajan: I’ve got a question from Kanishq as well.
The question is, how’s the architecture different when working with multicloud? Is it necessary to know both Azure and AWS? You can dig either way, however you want to, but I think both are interesting. Do we need to know both?
Sriya Potham: I don’t think it hurts you to have an understanding of all of your clouds.
I think we’ll learn that they’re all very similar; at the fundamental level, you’re gonna have your VMs. So having the fundamentals down is definitely super helpful.
Is it necessary to be super deep, or can you even be super deep, as we [00:21:00] talked about before?
Ashish Rajan: Yep. That’s a hard one because, just to give people some context, Sriya and I were talking about this just before about the whole multicloud concept, and for people who have been keeping track of AWS re:Invent, which was
last month, and I think we have another batch of content coming later this month as well, there were about, I think, 300, 400 releases just in December. Imagine yourselves being on top of all the 300 or 400 updates that they’ve done, and then again in January when they do more updates, and then that across Azure, Google Cloud.
It’s not practical. So, I mean, I can share my personal opinion on this, if you don’t mind, or what I would normally say is, based on the organization that you would work with, you would realize that you’d be either focusing on AWS or Azure, but kind of what Sriya said, focus on the foundational pieces.
Like if you look at identity management or something about network access, how is that being managed? You would be able to [00:22:00] map that skill to each of the cloud service providers; it’s just where, instead of AWS CloudWatch, it would be Azure Monitor or Google Cloud Monitoring. The names may differ, but the function would be the same.
Would that be another way to say this?
Sriya Potham: Yeah, no, that was, that was great. Perfect. Perfect.
Ashish Rajan: I’ve got another question: certification lasts for two to three years, so what do we do after that? Make sure you get some experience, but I’ll let you answer.
Sriya Potham: I think certification really helps you get your foot in the door, right? So you can show someone that, theoretically, yeah, I know all of this, even if I haven’t done five years inside an enterprise, I understand AWS. So within those two to three years, hopefully, you know, you’re getting a job, maybe as an associate architect or as an engineer, where you’re going to be able to get your hands on work.
And then, for me at least, renewing my certification helps me because it helps me stay [00:23:00] on top of everything that I need to know and make sure that I’m not missing anything that AWS is saying, hey, to be a security person you need to understand this inside AWS. They’re literally telling you that in that certification.
So I like to renew mine. Some people don’t feel the same way. I think it’s up to you.
Ashish Rajan: I’m definitely in the camp that hasn’t renewed my certificates. I can give you my side of the story. I got my job and then I did my certification. So, to Sriya’s point, you might feel that once you start getting enough experience the certificate may not be important, but it’s definitely a great way to be up to date,
having an uplifting view on what the updated services are in AWS or Azure or Google Cloud, because you might be restricted to a limited number of services in your organization. So to Sriya’s point, you might only work with CloudWatch, or you might only work with certain services in your organization, but there might be
[00:24:00] 200 other services that you may have never heard of, but they might be security related. So at that point, if you go back to renew your security certificate, you might get insight into what those other services are, which you may bring back into your organization, and your boss might love you for that.
And maybe even give you a promotion for that.
Sriya Potham: Yep.
Ashish Rajan: I’ve got another couple of questions, for example, layered protection and secure SDLC. Do you need to be technical and have an operational understanding of the controls to give guidance?
Sriya Potham: I think generally it never hurts to be technical and to understand
how operations will work, what type of burden you’re going to be putting on operations, when you’re creating any sort of architecture.
Ashish Rajan: It’s definitely something you need to have an understanding of. Otherwise you can’t even talk to them about what they’re trying to do as well,
right? So they might ask you about cloud, so how do you do some cloud? And you kind of have to translate that at that point. But yeah, I think you’ve answered the question, though. I was going to bring up another one, which is from [00:25:00] Paul, which, I’m pretty sure you would love this as well, because it’s a long one, but I’m going to quickly summarize it.
Basically what that means is not all services are mature enough in AWS. So just because there is a service in AWS or Azure or Google Cloud doesn’t necessarily mean that they are ready to be consumed. And obviously, being Amazon or Azure or Google Cloud, they would recommend you use that service, but a lot of services may be in beta. Have you experienced that, by the way? They say use this service, but the service is not mature enough to be used in an organization.
Sriya Potham: Yeah, definitely. And I think as a security architect, that’s your job to understand. You need to understand, my organization needs this. AWS has given me this service, but it’s only going to cover maybe 80%. It is 80%, can I live with 80%?
Maybe yes. Or, I can’t live with 80% and I need to look outside. I need to do research. I need to understand, maybe there’s other tools that are [00:26:00] available on the marketplace, and I need to consume those tools. So it’s always a question of understanding your organization.
Ashish Rajan: We spoke about the soft skills and technical skills. If you’re already an on-premise security architect, is there a specific skill that you need to have to move into a cloud space so you can transition?
Sriya Potham: Yeah. So I think, I’m just going to kind of hammer on this all hour: you need to know your fundamentals in the cloud. So as an on-premise security architect, in my experience, a lot of the time we’re going to be looking at maybe the perimeter, and we’re going to say, hey, if my perimeter is really strong, I’m going to trust a lot of the things that are inside my environment. In the cloud,
you have a little bit of a shifting perspective. A lot of everything, actually everything in the cloud is managed by IAM. I need to have a great understanding of IAM and how IAM permissioning works, and giving a certain service access to a different service or [00:27:00] giving a human access to certain services.
Do I give them console access or just the CLI? Actually, let me scratch that whole thing: you need to know IAM.
Ashish Rajan: It’s a pretty complex subject as well. It’s funny, I didn’t want to do a shameless plug, but I started this thing called Cloud Security Academy, and the first course that we have there is just that: it’s just foundational pieces, and it covers IAM, simple things, right? Or network access to cloud: is it bi-directional, or is it access to certain resources? IAM, what does a firewall equivalent look like in a cloud world? Is it security groups or something else? And trying to do that between Azure, AWS and Google Cloud, that’s kind of what the Cloud Security Academy piece focused on.
I think it’s definitely something that translates really well into a cloud environment, especially if you’ve been an on-premise security architect to begin with. You just need to map it to the right controls or the right [00:28:00] parameters that you need to work with. It’s just a different landscape for the same challenge.
Sriya Potham: Yeah. Yeah. No, that’s, that’s very cool.
Ashish Rajan: we spoke about the industry piece earlier and you’ve had different experiences in different roles as well.
And. it’s really interesting. the question that I wanted to find out about, if you are a junior, if you have not had any experience before and kind of like what you were doing with your internship, what do you recommend? what can they do to get into this cloud security space? Maybe even a junior cloud security architect role out there.
Sriya Potham: That. Yeah. So number one, I think especially to get to the architect level, it’s good to have, at least a base understanding of all areas within security.
You’d want to know , what is AppSec doing? What is IAM doing? what does vulnerability management mean? those basic fundamentals and then to move into the cloud world, at least for me, what helped me was getting my certifications, understanding cloud, maybe for me, it was [00:29:00] even better than more senior members of my organization because cloud was new.
you know, taking all that knowledge and being able to, move into the cloud space, I think would make it a lot easier, especially if you have this sort of connections. I think certain things definitely have a place, especially at a junior role.
Ashish Rajan: Yeah. Especially even now find it funny enough, even though AWS and Azure, all these people have been there for almost.
six plus years, but they all still have relevant certificate because a lot of the industry is still transitioning into cloud surprisingly. and surprisingly as in with the cloud security podcast is also a year old, everything is still in the beginning stages to your point. So they might be a lot of people who may have a lot of experience, but just don’t have that translation into the cloud world.
So certificate is definitely great at that point. so from a junior perspective, so you’re recommending, gets some IT experience. You have some basic fundamental understanding and then get a certificate. So you understand how that maps into AWS or Azure or Google cloud, wherever they want to go.
Sriya Potham: Yeah. [00:30:00] especially as at a junior person, having the softer skills, being able to ask your management, Hey, this is something that I’m interested in and this is where I want my career to go. you can never discount that, making sure that people know that you want to do this.
Ashish Rajan: It’s really interesting, to your point. Sometimes the simplest thing you can do is ask. I think cyber security is a very welcoming industry. Well, at least the ones that I’ve dealt with, fortunately, over the 10 years that I’ve been working in this.
So yeah, feel free to reach out, anyone who’s listening to this and feels that, "Ah, I need some direction." I think it’s just as simple as sometimes asking people what’s the right thing to do. You may or may not have like the answer, but at least you have an answer. I was gonna ask, in terms of the industry as well, you yourself kind of dabbled in a couple. Is it a good thing to have experience from different industries and bring them, or do you kind of have that thought where, "Oh, you should focus on one," that way you get to become like a specialized architect for a certain field?
Sriya Potham: For me, I like having the [00:31:00] diversity. I think it’s really cool to understand how things are done in different environments, and for me, that’s really fun. And it’s definitely helped me in my career; I worked at a couple of different organizations at different stages in their cloud journey.
Working in a more senior organization, I can go to the more junior organization and say, "Hey, you know, like I’ve seen it done, and this is how they did it." And, you know, I might have some things to change now, knowing that, you know, they did something this way and, you know, I can see there’s problems.
So now we can fix it.
Ashish Rajan: But
Sriya Potham: I don’t think you necessarily need to, you know, take your industry rotational, right?
Ashish Rajan: The thing that I wanted to call out over here as well is that diversity is so important in general, and I think, to your point, the same foundational pieces apply to different industries. I think you’ve done a great job, and I’m glad you could share that experience with us as well. But I’m going to quickly touch on some of these questions. Cloud security architect and DevSecOps architect, how do they differ? Can a [00:32:00] person be both? Do you have an answer for this?
Sriya Potham: At least in my organization, what we’re seeing is that the architects are really designing the environment, and then we might be looking at, specifically like in code, do we see any sort of security issues? In DevSecOps, they’re a little more tightly integrated with our app teams.
So they might be actually implementing a lot of the security that we might be saying, "Hey, here are controls, and here’s how you might do it." But they’re the ones who are actually in the console or in the CLI and actually physically doing that work.
Ashish Rajan: Can a person be both in the same role?
Sriya Potham: I think, depending on the size of your organization, you might be doing everything, I guess.
Ashish Rajan: Is there a doc you can share for us to leverage on mapping the on-premise to cloud technology? Feels like a very open question, but I’ll let you answer that, if you have any specific areas that you kind of ask people to go into.
Sriya Potham: You know, that’s a [00:33:00] hard one when I’m thinking about like actual technologies.
There’s no document. If you’re looking at logging: "Hey, AWS logs everything in CloudTrail. You can store it in S3, and you can use Athena to view those logs." Or you could be more advanced, right, and you could maybe send your logs to an ELK stack and use Kibana to view your logs. Or you could completely take them off of AWS and put them in like a third-party provider and view your logs there and generate your alerts there.
Right. So, yeah, I think AWS already gives you those like general service categories, and if you’re looking at your on-prem, you can kind of see where that aligns.
Ashish Rajan: Yep. Perfect. Have you done CompTIA Security+?
Sriya Potham: No, I haven’t.
And I can’t speak to it, but again, what I’ll always say is, one, learning never hurts. Learn more, learn as much as you can. And I think the Security+ is like one [00:34:00] of those more fundamental courses, your basic security knowledge. So yes, definitely, having basic security knowledge is helpful.
Ashish Rajan: My personal opinion, if you don’t mind if I share: if you haven’t had any experience in security before, and especially if you’re a junior person, I think it’s a great way to at least get some fundamentals. But that doesn’t necessarily translate into cloud, just because Security+ is more, "These are the security concepts," and then, to Sriya’s point, you might go into a certification to see, "Oh, how does AWS do security?"
Or how does Azure do security? Then you can map that. Okay, then you can start mapping that onto, "Oh, okay, so I know Security+, which has given me fundamentals of security. Then I’ve got AWS certification, which is giving me information about AWS. How do I combine that to use in a cloud?" It’s almost like a three-step process at that point. But yeah, it’s definitely interesting, especially if you have never had security experience. I think I’ve heard [00:35:00] good things.
I personally haven’t done it, but I’ve heard good things about it in terms of exactly what Sriya said. It’s a great fundamental piece to get an understanding of what security’s about.
Sriya Potham: I think maybe CCSP might be helpful, because you can still do the training and you can learn. You’re not going to have your certificate badge at the end of that, or you might get, I think, the associate, and that might bridge the gap a little closer for you.
Ashish Rajan: So you recommend CCSP for fundamentals as well for cloud?
Sriya Potham: Yeah. It’s pretty theoretical, so you’re still getting like the theoretical base. But again, it’s not going to map you back to your specific services with your cloud.
Ashish Rajan: Yeah. Yep. And I think Vineet has done it as well and says it’s not totally focused on cloud but covers every domain of cybersecurity. So I guess, kind of for you, the steps seem to be: if you’ve done Security+, some kind of Amazon certification, to have an understanding of Amazon services, or Azure services if you want to do [00:36:00] Azure, or Google Cloud, or whatever cloud provider you want to choose, and then CCSP. It’s a lot of learning; hopefully you enjoy it. But, unfortunately or fortunately, I think all of us are in technology because we get to learn everything every day; there is something new coming out every day. I take it as a positive thing. So, yeah, that was great. I’ve got two more questions.
Is there a myth in cloud security that you hear about quite a bit?
Sriya Potham: I think the one that bothers me the most is the notion that the cloud is inherently less secure. I’m sure we’ve all heard it: "Oh, you’re putting that data in the cloud. Can you do that?"
Ashish Rajan: It’s funny, I think if I were to do a survey on the last season of the Cloud Security Podcast, as well as the folks who did the Cloud Security Academy course with us as well, they all mentioned the fact that it’s really funny that that myth hasn’t gone in seven years. People still think cloud isn’t secure.
It’s not the responsibility of the person, that they [00:37:00] haven’t done their job correctly in cloud; it’s the cloud’s fault. I’m like, yeah. So if it’s on-premise, there’s on-premises for it, but it’s not. It’s a great answer. I’ve got a follow-up question to that. What are people not talking enough about in cloud security that you think they should hear about?
I think the one thing that I really want people to know is that cloud security is so much more holistic than, I think, on-premise, because of the way cloud is managed, because it’s API driven, because everything is managed by access.
It’s such a shared responsibility; never is cloud security the only one responsible for security. We should be talking more about, when we’re looking at organizational structure, how can we make sure that that notion that cloud security is everyone’s responsibility is reflected.
I don’t want it to be that, you know, if there’s a security question in the cloud, we go to the cloud security team. I think [00:38:00] we should have like a central cloud team that manages cloud security, infrastructure, you know, data, like DevSecOps. And having that center of excellence to create that holistic idea and to manage security holistically, instead of having all this finger pointing of your roles and responsibilities and your racing agencies and all of that kind of stuff is
Sriya Potham: Yeah. It’s a big ask. Yeah, yeah.
Ashish Rajan: I think we had a guest from Atlassian in my first few episodes, and they’ve kind of gone down the path where I think it’s called a cloud center of excellence, or COE. Basically, these are the folks. And obviously, to your point, it’s a different structure for different people, because that’s a tech product company.
That’s not an enterprise. Well, it is an enterprise, loosely speaking. But they’ve run down the path of a center of excellence. A lot of other people do that as well, exactly what you just said, where [00:39:00] it should not be treated differently to what you had in a regular environment. I guess that’s kinda where it kind of gets lost, or sometimes it should be, depending on whether you’re on multiple cloud providers as well.
So, it’s great advice. I’ve got a question: what got you to move into cloud security from web development?
Sriya Potham: For me, it was kind of just, you know, I worked in web development for a while and I was looking for something new and exciting.
Ashish Rajan: Cyber security is exciting, people. Just saying.
Sriya Potham: Yeah. Cloud security fulfills that desire for new and exciting, because it’s new and exciting every day.
Ashish Rajan: All right. So, this is kind of like towards the end of the show as well. So where can people find you if they want to reach out, if they have more questions about the whole cloud security architecting, what kind of skills they need, and maybe any follow-up questions they might have? Where can they reach you?
Sriya Potham: Sure. Yeah. You can reach out to me on LinkedIn. Probably LinkedIn is the place where I’m most responsive. You can find me on Twitter too. Not super active there, but you can [00:40:00] reach out to me there as well.
Ashish Rajan: Thank you so much for coming in, and thank you to all the audience members as well. Great questions. I’ll definitely encourage you to reach out to others who were in the guest space, as well as to Sriya, if you have any questions. But cloud security is a great space.
Just saying. It’s amazing that so many people are interested and so many people reached out as well to talk about how to become a cloud security architect. So cyber security is interesting, but cloud security is definitely up there in making it more exciting. And you have people like Sriya as well, who are making this field exciting.
Sriya Potham: Awesome. Thanks, Ashish. This was so much fun, and thank you to the audience. You know, they were really fun questions to answer and it’s cool to interact. So, yeah, and I hope everyone has a happy new year.
Ashish Rajan: Oh yes. Happy new year. Happy new year to you as well. Thank you so much.