Friday, March 24, 2017

Why I'm Obtaining my CCSK from the Cloud Security Alliance

Should you get your CCSK? Here's 5 reasons why I have decided to get mine:

The Cloud Security Alliance is on the forefront of cloud security. In their words, the CSA "is the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment."

Cloud Security Alliance CCSK
More info at https://www.udemy.com/csa-certificate-of-cloud-technology-security-knowledge-ccsk/learn/v4/overview
And to further that end, the CSA has been offering the Certificate of Cloud Security Knowledge (CCSK) since 2010, and its popularity is growing. I'd like to share five reasons why I've decided to get this professional certification.

1: I love to be at the intersection of major trends. Cloud computing is "hot" and jobs are plentiful, and growing. Additionally, security is hot and security professionals are in demand too. So what could be more fun and HOT than being an expert in both cloud computing and cloud cybersecurity? The demand for cloud security experts will be fantastic, and because of the amount of training and education it requires, there isn't that much competition!

2: The CSA has a rock-solid reputation. When it comes to cloud security, because it's vendor neutral, the CCSK has a solid reputation as an authority on real-world cloud security frameworks and best practices, so if you're going to be in this field, this is the organization to align yourself with and to learn from.


3: It will speed up cloud adoption. One of the biggest concerns that EVERYONE has about cloud adoption is the perceived "security risk" it entails. The way I see it, the more people who are experts at cloud security, the more cloud technologies will be adopted successfully, and I think overall that cloud adoption enables the potential for tremendous advancements for humanity.

4: From a purely financial standpoint, it's a great investment! If you're good at self-studying, you can invest as little as the cost of taking the test (currently $345), and get a certification that could add hundreds of thousands of dollars to your income over the next 10-20 years. It's an excellent long-term career investment with a huge return on that investment (ROI).


5: It will make you a better cloud architect, or DevOps engineer, or whatever type of I.T. you do. Having the body of knowledge required to achieve this certification will make me (and you) better at what we do. We'll be more competent, more well-rounded, and more security aware - and that can NEVER be a bad thing!

So if you're pursuing a career in cloud computing, I think you should strongly consider getting your CCSK certification. The training can be highly affordable too - I'm currently taking a course I found on Udemy.com that cost me all of $19 for 62 lectures constituting 9 hours of video training. More information on that course can be found HERE

I'd love to hear your reasons on why you have decided to get your CCSK, or have decided NOT to. Either way, share your thoughts!


Update 4/10/17: I am happy to report that I passed my test and I am now CCSK certified!
Here's the proof! :-)


What's All This Talk About Two Factor Authentication (2FA) And Why Should You Have It to Protect Yourself?

What is 2FA And How Can It Help You Prevent Being Hacked?



It's only a matter of time before your email, Facebook, Twitter, or LinkedIn profile - really any social media profile - gets hacked. Not IF, but WHEN.

Let that sink in for a moment...

Logging in to any system usually involves a username and password. Think of that password as one form of authentication. What if you had to enter two passwords - would that be two-factor authentication?

No. Why not? Because it's not a different TYPE of authentication. 2FA is when you use two completely different types of authentication to significantly enhance your security posture. This is also sometimes referred to as MFA - multi-factor authentication.

What are some of the many forms of authentication?
  • Something you ARE (such as your height, weight, or I.Q. score)
  • Something you HAVE (a device, like a smart phone)
  • Something you KNOW (such as a code or password)
  • Something you DO (draw a design, or speak in your distinctive, unique voice)
So two-factor authentication is a simple technique that requires two different types of authentication to drastically improve your account security.

Get in the habit of using 2FA to protect your social media accounts
And fortunately, nearly every major social media service allows you to turn it on - using a one-time code that is sent to your smartphone. At least, that's the easiest way to enable 2FA.

Sure, it might force you to glance at your phone and type in a 6-digit code as part of the login process, but that's the point - a hacker won't have the code unless they have your smartphone!

Now you know. Turn it on. Use it. And avoid being hacked and all of the massive embarrassment that goes along with it!

I hope this was helpful. If so, say so in the comments!

PS: Don't let 2FA lull you into using weak passwords as your first form of authentication. Continue to use (or start using) strong, complex passwords, along with 2FA. Otherwise, you really only have 1.5FA, and that wouldn't be good.

PPS: Here's a link on how to enable 2FA on AWS



Thursday, March 23, 2017

3 Things That Trailrunning and Cybersecurity Have in Common

I went for a fantastic trail run in the Boise foothills today after work. It's one of the many reasons I love Boise - you can be in the foothills within 10 minutes from my house, and it's one big hike and bike playground, and it's Spring!

Me, trailrunning in the Boise Foothills

As I was running off my winter beer belly, I realized that cyber-security and trailrunning have at least three things in common, and they are:

1: The tortoise beats the hare! Meaning that implementing and maintaining good security in the cloud is not a sprint, it's a marathon - be in it for the long haul! Don't sprint out of the gate, lose steam, and then stop improving your security posture because you got burned out. Small improvements day after day, over time, add up to excellent progress.

2: Pay attention to detail, or you might "twist an ankle". With trail running, if you don't watch where you put your feet, it's easy to stumble, fall, or injure an ankle or knee. With cloud security, the same thing applies, but you'll injure your ability to accomplish your organization's goals. One misplaced comma, one bad ACL, or one misconfigured route table can shut down your production network, and possibly get you fired. So stay focused when you're making changes in security policy, or you could cause injury!

3: A little preparation goes a long way! With trail running, having adequate clothing, nutrition, and hydration can make a huge difference in how much you enjoy your trail run (or hate it). With cloud security, preparation is just as important. There are thousands of ways to be prepared, but a few include...

  • Staying aware of new threats and attack vectors
  • Being crystal clear on your organization's goals as they relate to security practices
  • Documenting your configurations in case you get hit by a bus, or get fired
  • Staying on top of configuration management by having good policies and procedures
  • Reviewing configurations for mistakes and errors before implementing that change in production
Those are just a few ways to be properly prepared, and they can make your task of improving your security posture MUCH more enjoyable, so don't just blindly go out there and start making changes to make your network more secure. Plan, prepare, review, and then proceed with confidence.

If you can think of any other ways in which cloud security is like trail running, I'd love to hear your comments. 

Stay fit, have fun, be secure, and I'll see you on the trails!

Amazon AWS Just Made It Easier to Create, Read, and Understand Security Policy Templates


Cybersecurity is challenging enough, but when one of the main tools you use to secure your resources is in a hard-to-interpret format, such as YAML or JSON, it makes it that much more challenging.

While these two formats are easier to read than code, it's still far too easy to misinterpret them. The consequences can be serious!

As you probably know, the root of creating effective cybersecurity within Amazon's AWS is the use of IAM - Identity and Access Management.

What is IAM? Basically, it's the tool you use to create users, roles, and policies to control which users or roles have access to your resources, and under what conditions that access is granted or denied.

It basically forms the core plank in a sound AWS security strategy. It's the equivalent of Active Directory in a corporate network, at least the user/groups/roles component of Active Directory.

That's why I'm pleased to share that Amazon AWS has created a tool that displays IAM policies in a very clear and easy to read format - the Policy Summary tool, and it looks like this...

A portion of an IAM Policy Template Summary
This will help minimize misconfigurations, mistakes, and errors that could leave you vulnerable.

Now you don't have to be a YAML or JSON expert to understand a policy, which can be created by you, or you can use one of AWS' preconfigured policy documents, and tweak it as you see fit depending on your custom needs.

To see policy summaries in your AWS account, sign in to the IAM console and navigate to any managed policy on the Policies page of the IAM console or the Permissions tab on a user’s page.
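To show what a summary view buys you over raw JSON, here is an added example, written for this post and not AWS's own Policy Summary code: a small reader that groups an IAM policy document by service, lists what each service is allowed and denied on which resources, and flags Allow statements that use a bare wildcard for Action or Resource (the kind of "one misplaced character" mistake that is hard to see in JSON). It assumes only the standard policy document shape (Version, Statement, Effect, Action, Resource, Condition); the policy itself is a constructed sample.

```python
"""Added example (not AWS code): read an IAM policy document, print a
per-service summary of the kind the post describes, and flag statements
that grant every action or every resource. Assumes the standard policy
JSON shape (Version / Statement / Effect / Action / Resource / Condition)."""
import json
from collections import defaultdict

# Constructed sample policy: tight read-only S3 access to one bucket, an
# over-broad EC2 grant limited only by a source-IP condition, and an IAM deny.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-bucket",
                      "arn:aws:s3:::example-bucket/*"]},
        {"Effect": "Allow",
         "Action": "ec2:*",
         "Resource": "*",
         "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},
        {"Effect": "Deny",
         "Action": "iam:*",
         "Resource": "*"},
    ],
})


def _as_list(value):
    """IAM accepts a single string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def summarize_policy(document: str) -> dict:
    """Group the policy by service prefix, the way the console's summary view does.

    Returns {service: {"Allow": set, "Deny": set, "Resource": set, "Conditional": bool}}.
    """
    policy = json.loads(document)
    summary = defaultdict(lambda: {"Allow": set(), "Deny": set(),
                                   "Resource": set(), "Conditional": False})
    for stmt in _as_list(policy.get("Statement")):
        effect = stmt.get("Effect")
        if effect not in ("Allow", "Deny"):
            raise ValueError(f"unexpected Effect: {effect!r}")
        for action in _as_list(stmt.get("Action")):
            service = action.split(":", 1)[0] if ":" in action else "*"
            entry = summary[service]
            entry[effect].add(action)
            entry["Resource"].update(_as_list(stmt.get("Resource")))
            if "Condition" in stmt:
                entry["Conditional"] = True
    return dict(summary)


def find_broad_grants(document: str) -> list:
    """Flag Allow statements whose Action or Resource is a wildcard: the kind of
    mistake that is easy to miss in raw JSON but jumps out of a summary."""
    findings = []
    for index, stmt in enumerate(_as_list(json.loads(document).get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if any(a == "*" or a.endswith(":*") for a in _as_list(stmt.get("Action"))):
            findings.append((index, "all actions"))
        if "*" in _as_list(stmt.get("Resource")):
            findings.append((index, "all resources"))
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append((index, "inverted match"))   # review these by hand
    return findings


def render(summary: dict) -> str:
    """Plain-text table, one line per service."""
    lines = [f"{'Service':<8} {'Allowed':<28} {'Denied':<8} {'Resources':<34} Cond"]
    for service in sorted(summary):
        entry = summary[service]
        lines.append(f"{service:<8} {', '.join(sorted(entry['Allow'])):<28} "
                     f"{', '.join(sorted(entry['Deny'])):<8} "
                     f"{', '.join(sorted(entry['Resource'])):<34} "
                     f"{'yes' if entry['Conditional'] else 'no'}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(summarize_policy(SAMPLE_POLICY)))
    for index, reason in find_broad_grants(SAMPLE_POLICY):
        print(f"statement {index}: {reason}")
```

Run against the sample, the summary shows at a glance that the EC2 statement is the one to worry about: every EC2 action on every resource, with only a source-IP condition standing between that grant and the whole account. The Deny on `iam:*` is not flagged, because a broad Deny narrows access rather than widening it.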

Below is a link to an article that discusses the Policy Summary tool that is available within AWS.
https://aws.amazon.com/blogs/security/move-over-json-policy-summaries-make-understanding-iam-policies-easier/

If you would like help or guidance on implementing a sound IAM strategy for your organization, don't hesitate to reach out via email or LinkedIn: https://www.linkedin.com/in/ryanaharris

Enjoy!

Feeling Firewall Friendly? Azure Virtual Machine Protection With NSGs Explained

Let's talk cloud security best practices for Azure - Microsoft's cloud.  Do you like keeping the bad guys out? So do I... That...