Episode Description
What We Discuss with Kat Traxler:
- 00:00 Ashish’s Intro to the Episode
- 02:46 A bit about Kat
- 05:35 What does a security architect do?
- 06:46 The difference in the Cloud Security Architect role
- 11:08 The building blocks of building an application in AWS
- 13:41 Are there DMZs in Cloud Architecture?
- 15:54 Cybercriminal and Cloud exploitation
- 19:04 How to keep with rapid changes in cloud?
- 20:08 AWS pre:invent update
- 21:39 Why is IAM important in Cloud?
- 25:03 Do cloud security architects need to know coding and automation?
- 27:38 How important are certifications?
- 31:49 Getting in cloud security with no experience
- 33:41 What are important skills for architect?
- 35:33 SANS certifications for Cloud Security Architects
- 37:04 How important is it to have multi cloud knowledge
- 40:44 Frameworks to build cloud architecture
- 42:59 Do you need to know software development?
- 44:19 Roadmap to become a cloud security architect
- 45:32 What is the most difficult thing related to architecture?
- 49:32 The Fun Section
THANKS, Kat Traxler!
If you enjoyed this session with Kat Traxler, let her know by clicking on the link below and sending her a quick shout out on LinkedIn:
Click here to thank Kat Traxler on LinkedIn!
Click here to let Ashish know about your number one takeaway from this episode!
And if you want us to answer your questions on one of our upcoming weekly Feedback Friday episodes, drop us a line at ashish@kaizenteq.com.
Resources from This Episode
Ashish Rajan: [00:00:00] Hello, welcome to another Cloud Security Podcast. Today we’re talking about how to become a cloud security architect in 2023 and beyond. The security architecture role has evolved quite a bit from where it used to be. If you are an experienced security architect, this is the episode for you, where we talk about how you transition to becoming a cloud security architect.
Let me give you a hint on what you can expect as a security architect. With the years of experience in the field, you probably are a chef who’s just in a different kitchen. You still have the same tools. The short version is your skill set from the on premise world is still valuable in the cloud world.
For this episode, we had Kat Traxler from Vectra AI. She’s also building a course on enterprise security architecture in the SANS space as well. So we had to bring her on to talk about how the security architecture role has changed. What are some of the challenges, and frameworks people can use to build architecture in cloud?
Whether they need to know coding, what’s the difference between an architecture and an engineering space? So if you are someone who’s starting off as well, I think this is pretty good because we had a couple of questions from the online stream about [00:01:00] the beginning stages. So you’ll definitely find this valuable from that perspective as well.
And if there is someone else who’s trying to become a cloud security architect or is transitioning to that, definitely share the episode with them. I think they’ll definitely find it valuable. And if you’re here for a second, third or fourth time, I’d definitely recommend following, subscribing and maybe leaving a review or a rating on iTunes and Spotify as well, so others can find out about us as well.
And we get to help out a lot more people like yourself and share the knowledge of cloud and cloud security so they can be better at their job of doing cloud security. This is the continuation of our AWS month as well. Just a reminder, we will be at AWS re:Invent, so Shilpi and I are attending AWS re:Invent and if you’re there, definitely give us a shout. We would love to say hello in person, take pictures and thank you for all the love that you’ve been sharing.
Thank you for sharing all the LinkedIn posts as well as the Twitter post and other places where you’ve been sharing the podcast episodes that you’ve really enjoyed. I really appreciate it. Shilpi really appreciated it. As a producer, this is good feedback for us to know that what we are creating is valuable for you.
If you have any questions about cloud security, feel free to tag us with a [00:02:00] question on our Twitter, which is @cloudsecpod, or feel free to drop them on our LinkedIn page or also on our YouTube channel. We are available everywhere and we are on a mission to help people democratize cloud security.
So any questions you have, feel free to drop them over there as well. But as always, I appreciate your time and I hope you enjoy this episode with Kat Traxler from Vectra AI and SANS, sharing about how you can become a cloud security architect in 2023 and beyond. I’ll see you on the next episode. Enjoy this and I’ll talk to you soon.
Peace
Kat Traxler: by bringing developers and security together. You don’t have to choose between speed and security. Develop fast. Stay secure.
Ashish Rajan: Hi, Kat, welcome.
Kat Traxler: Hi, Ashish. Hi friends. How’s everybody doing?
Ashish Rajan: Good. And welcome to the show. I appreciate you spending your Friday evening with us, as exciting as it would’ve been without me, but I appreciate you hanging out with us, all the thousand people over here. I appreciate that.
For people who may not know a bit about you, and I doubt there are people who don’t know much about you, [00:03:00] but could you tell us a bit about yourself and where you are these days professionally and how you got there, kind of a thing?
Kat Traxler: Yeah. Thanks. Thanks for having me. So my name’s Kat Traxler. I’m the principal cloud security researcher over at Vectra AI.
So during the day I research cloud data attacks in AWS and GCP. I try to understand what the attack progressions are like on the cloud plane. How do attackers achieve initial compromise? How do they move from initial compromise to recon to executing their actions on objectives, and then how can we detect those behaviors on the control plane?
So that’s my day job. In the evenings and weekends, I work for SANS. I’m a SANS author for the cloud security architecture course, SANS SEC 549. So currently it’s a two day class focusing on identity architecture in AWS primarily, and we’re building it out to be a four day class starting next spring.
Currently, my bread and butter is in this detection [00:04:00] engineering space in the cloud. I do have experience working in web app penetration testing. That was my very first job in security. Right. Just working on web apps, trying to get XSS and get that hello world shell to pop.
I’ve also worked in cloud security architecture at big e-com sites. I’ve worked in plain old cloud security engineering, looking at the automation process of infrastructure as code. So I’ve kind of worked the gamut in the cloud space. That tends to happen when there’s so few of us who are cloud fluent.
Oftentimes there’s not a whole team of people where you can really specialize. Oh, here you have your cloud security engineering team, and here you have your cloud security architects, and here you have your cloud pentesters. If organizations are lucky, they have one or two people who are proficient at the cloud and they end up just doing kind of it all.
So that was my lead up into moving over to the detection engineering [00:05:00] space about a year and a half ago.
Ashish Rajan: Wow. And a pretty good background as well. You kind of have the pentesting space and the cloud security engineering, cloud security architecture space covered as well. Perfect for this conversation, especially because you’re building a course around it as well, or you’ve already built a course around the SANS space.
So, by the way, I think this is probably the first time, before the SANS DM Difference Makers award, that all three of us are here. Zinet is here. You are here. I’m here as well. So people who were listening in, a word for all three of us as well.
Kat Traxler: Difference maker.
Ashish Rajan: This is great. Yeah. There’s already difference makers, already talking about difference makers. Security architecture is an interesting field as well. Because we have a lot of people who, to what you called out, not a lot of people have picked up the skills for cloud for various reasons, and some people may not even know what a security architect does.
So maybe let’s start there. How would you define the job of a cloud security architect? Well, actually, not even a cloud security architect, just a generic security architect.
Kat Traxler: The primary function of any person working in security, whether the architect or the engineer, or they [00:06:00] work in the SOC, is just really dumb and simple.
It’s identifying risk within your organization and then working to reduce that risk. It’s nothing more fancy than that. Each of the different roles might approach it a little bit differently. Right. So the architect is looking for those larger scale design issues within how the technology is put together, that might be put together in an insecure way that
might create undue risk to the organization. And then from there they have their Swiss army knife, their basket of controls that they can use to mitigate some of those risks, or try to refactor the technology to bring it in line with what’s acceptable.
Ashish Rajan: Yeah. And how different is it to a cloud security architecture role then?
Kat Traxler: Well, your basket of controls is different, right? So in both cases, whether you’re working on a traditional on-prem architecture or your cloud architecture, you’re both looking at patterns. You’re [00:07:00] both looking at designed architectures and you’re saying, where’s the attack surface?
Where are the places that pose risk? But in the cloud you have this whole other attack surface that you really didn’t have to consider before. And that’s the cloud control plane. So this whole other layer opens up that, I think, maybe it’s initially hard to grasp for your traditional cloud security architect.
Your whole data center becomes an API, and that is now an attack surface, a risk that needs to be mitigated and controlled. So what controls you can layer on to this new attack surface is a whole other ball game, and then even in your more traditional architectures, say an application deployed on some pieces of IaaS infrastructure, the identity and network controls you can layer on top of that are gonna be different as well.
You’re still creating architecture that layers on identity and network, but [00:08:00] how you do it is different.
Ashish Rajan: And actually that’s a good point. Some people, even yesterday, we’ve been running these cloud security ask me anything sessions every, I guess, every week. And someone asked a similar question, and one of the things we came up with was, it’s kind of like being a chef in a different kitchen.
Like, it’s just not your kitchen. Basically the same tools exist, but you just have to figure out, oh, what kind of knife is available and how do I use it? That’s not my regular chef knife or whatever. But I thought it was a great analogy, because would you say you can still use the same principles of doing identity access management and doing backup and all of that, but you just have basically a different landscape, to what you called out earlier?
Kat Traxler: Absolutely. Yeah. Such a great analogy. Like you’re still a chef, but it’s somebody else’s kitchen. That’s pretty much it.
Ashish Rajan: Yeah. When we said that, I’m like, that is it. Like we’ve been talking about this for so long, why can’t you describe that anymore? Absolutely.
Kat Traxler: You still need to control your ingress and your egress.
Like that’s still absolutely a thing. [00:09:00] Like, still in the cases where previously maybe you wanted to do a network packet capture, you’re still gonna wanna do that in the cloud where you wanted to do it on prem. But which drawers do you pull out to get which tools out and how to make that happen?
Yeah, that’s pretty much it.
Ashish Rajan: Yeah. And I like it. The more it came out, I’m like, can someone write this down? This is one of those ones. But by the way, who
Kat Traxler: said that, so I can follow them on Maan? Who said that? That’s amazing.
Ashish Rajan: No, I just made that up yesterday on the call, and as I was saying it, because someone asked a question about, yeah, what do you call it?
The question was around the fact that someone was a networking person in an on premise world looking to transition to a cloud engineer role. And as we were trying to explain it to him, it just came to me and I’m like, someone write this down, can someone write this down?
I’ve been telling this to everyone because that way I remember it myself so I don’t forget about it. Maybe I should tweet about it, otherwise I could forget. I digress.
Kat Traxler: [00:10:00] No, that’s fantastic because, I don’t wanna stereotype, but most of the classic architects that I know, they’ve got a little bit of gray hair, a little older, a little wiser, a little bit more mature in their career, and they see cloud come along and they think that’s for the young kids.
I can’t do that. It’s like every ounce of your expertise, skills, knowledge about how to implement controls is needed in the cloud. We need you, we need your 30 years of security architecture experience in the cloud. Yeah, what? There might be some upskilling around what this landscape looks like, but there’s no substitute for that professional chef.
Ashish Rajan: No, there is definitely not. I think all that learning you had is still valuable no matter how you look at it. Just different. Because it’s not that you can’t cook anymore, you can still cook the dishes that you want to, just after finding out what’s available in the kitchen to use.
And continuing with our questioning in terms of architecture, oh, [00:11:00] there you go. Heard that. Perfect. Yeah, I came up with it. Right? I think I definitely need a tweet. I’m pretty sure I tweeted it somewhere, otherwise I’ll forget for sure. I was gonna say, in terms of building applications itself, to what you said, we are in a different kitchen now and we are talking about the fact that
you’re in different kitchens, with the same 20 plus years of architecture experience when you’re building a block of application. But what are the building blocks of building an application in AWS specifically? We are running AWS month; I’m sure it can be translated to other clouds as well. From an AWS perspective, what are some of the building blocks for building an application?
I guess let’s start there.
Kat Traxler: Well, I think I’m gonna just kind of refocus that around, like, in what service model. We’ve heard about maybe the different service models: infrastructure as a service, PaaS, platform as a service, SaaS. So with the different service models, building an application in the different service models can look very different because you’re gonna just have control over different [00:12:00] knobs and levers, right?
So in an IaaS environment, the architectural components aren’t gonna look very different from, say, maybe a VM architecture where you’re on some hypervisor. They’re not gonna look tremendously different. Now you start moving to PaaS and you start losing control over some of those network layers.
And then you have to really focus around your identity perimeter, right? So as you move through that service model, things are changing a little bit as far as what you have control over and what components you can bring to the table to effect controls.
Ashish Rajan: And to your point then, would you say, how in a traditional security architecture people would talk about all these things like, oh, IAM, backup recovery, your BCP, or all that?
Because they still are applicable in the cloud context as well, kind of what we spoke about earlier, right? It’s not that they go away.
Kat Traxler: No, they absolutely can’t. I think your backup recovery, your disaster recovery, all of that [00:13:00] still has to matter. Yeah. No large organization would agree, hopefully, to move into the cloud without those mattering. You go about them differently.
And it also really necessitates some foundational work to be there that I think in an on-prem world you kind of just take for granted. You kind of take for granted that you’re gonna have these cordoned off spaces in your network to shove things, where at AWS you might not have those landing zones set up.
So it really requires some foundational groundwork to set up the appropriate landing zone. So, based off the risk of an application, where do you put it in your estate?
Ashish Rajan: Actually, that’s a good question. Because someone asked us on that AMA also, would you have a DMZ in an AWS world?
Do you have thoughts on that?
Kat Traxler: I mean, yeah, of course. Like would you have some publicly facing applications? Sure. Like why wouldn’t you have a publicly facing application? But the [00:14:00] concept of, I’m a large organization and I have a data center and I have one or two networks, is just not the concept anymore.
But if you want to abstract that away and just say, are there going to be networks in your cloud that are publicly facing? A hundred percent. There will be networks that are publicly facing, but it’s not gonna look like these mass networks that are spanning accounts.
They can be much more segregated.
Ashish Rajan: Yeah. Yeah. Actually, it’s worthwhile calling out, maybe people would not even know what a DMZ is, demilitarized zone. Not the one that you talk about in North Korea, but this is a way people have built networks for ages where your private network is kind of behind a DMZ, and the DMZ is kind of the public facing one, or was there another one in front of the DMZ?
Kat Traxler: Oh no, DMZ would be like your public facing zone and then your internal network would be kind of like your safe space. That’s pretty much it. Yeah. Yeah. So depending on [00:15:00] the risk level of an application, a classic architecture thing to do would be you would talk to an application team, understand the risk level, and then say, okay, can it go public facing or can it get shoved in the corner, internal, external.
Yeah. That’s a really classic, quick, risk based decision people have to make. And certainly you are gonna be making similar risk based decisions in the cloud, but it’s not gonna be as simple as here or there. It might be like this pattern or that pattern, where that pattern might have no ingress connectivity and people are just connecting through endpoints maybe.
So there’s gonna be some slight architecture changes on how you achieve the internal network and yet maintain connectivity.
Ashish Rajan: A hundred percent. And I think Zinet has an interesting take on it as well. So a DMZ interfaces with an untrusted external network, aka the internet; that pretty much sums it up.
Yeah. So I’ve got a question here from Ketan as well. He’s asking, I think because you have a threat detection [00:16:00] background as well now, I’ve seen cybercriminals deploying crypto mining in the cloud, for example, TeamTNT. Have you seen any trends in 2022 for where you see the cybercriminals focusing for cloud exploitation?
I think the reason I brought that last question up is also because as an architect you definitely need to know about threats. So if you have seen any insights that you can probably share from your side.
Kat Traxler: I love this question. This is the best question, especially TeamTNT is my favorite threat actor, so thank you for bringing that up.
It is really interesting because it’s one of the very few in the wild examples we have of threat actors going after some really low hanging fruit we all have as far as cloud credentials: credentials to Kubernetes clusters, GCP session tokens, access keys. Basically, if people don’t know, it’s a malware; it’ll infect your desktop and just troll local files for these credentials that are just stashed on all sorts of endpoints.
So yeah, I mean that’s probably the best example we have of, well, [00:17:00] what us security researchers know is absolutely plausible, but we don’t have a ton of concrete examples around it being used in the wild. And it’s problematic that we don’t have a lot of concrete examples in the wild.
But it’s expected because we don’t have really robust reporting rules, right? So there’s really not a ton of incentive for people to report how they were breached, to give a really comprehensive retrospective. Those things are just so few and far between. Unless a breach just really gets out of control, they have to report it.
And their hand is forced. I would have to say the vast majority of them are kept pretty quiet. So all we can do is speculate, right? All we can say is there’s thousands of endpoints with cloud credentials just sitting in local files. TeamTNT, we know, goes after them.
Who else is going after them? I can imagine that the threat actors would be financially motivated. Absolutely. Yeah. That’s one motivation. Yeah. So from there we’re [00:18:00] imagining data exfiltration, we’re thinking ransomware, probably less so risks around defacement. If you’re maybe the likes of Google, Apple, a government organization, you’re thinking about state actors.
Also maybe like the medical industry, you’re probably thinking of state actors. But that’s a little bit less so. So yeah, fantastic question. I can talk to you about this all day long. It’s a lot of security researchers talking to other security researchers. We’re reasonable people and we can assume what might happen and what could happen and what should happen if an attacker is motivated.
We just don’t have a ton of examples out there in the wild.
Ashish Rajan: I think, do you find it very similar to the Kubernetes space as well? Thanks for that question, Ketan. Where we know what can go wrong, but how many examples are out there of actual things? I mean, because that’s where a lot of people are like, well, this is just theory, right?
When was the real time this has happened? I’m like, well, it kind of can happen. So definitely a hard one.
Kat Traxler: Yeah. And without changes to the reporting laws, [00:19:00] I don’t see how we’re going to have any better data around it.
Ashish Rajan: That’s true. I’ve got another question from John F as well.
As a cloud security architect, how do you keep up with the rapid changes with cloud services?
Kat Traxler: Yeah, it’s pretty wild, right? Like services are changing constantly. Services are being added. It’s a scramble. I mean, it’s a full-time job. It’s a full-time job. It’s a couple of full-time jobs. Twitter is a huge part of my life.
The Cloud Security Forum Slack channel is a huge part of my life. I’ve also just made ad hoc contacts with fellow security researchers who work at different companies doing similar things to what I do. And we just have meetings every couple of months, like, hey, what are you working on?
Hey, what are you working on? Mm-hmm. Just like foster that cooperation. Yeah. But yeah, I’m glued to the cloud news. Not only does that impact my day job as far as researching threats, but it also affects my course, as I need to make sure that all of the information is accurate and up to date.
It took me two weeks, [00:20:00] I think, to do course updates after re:Inforce. So we’ll see what happens after re:Invent. It might be a busy week or two after that.
Ashish Rajan: Yeah. Because I think with pre:Invent already started, there’s a few services that have been announced by AWS. Really interesting. So, yeah.
And I can already see one of them, at least. The one which is the ability to query resources all across AWS accounts, across our organizations. Yeah. Yeah. I think that would be great from a security perspective as well. I wonder if that would change the way people look at SIEMs. A lot of SIEMs were used to do inventory, and now you can do inventory inside AWS, but then I don’t know if that would expand to an organization level. Anyway, we’re going too deep in the weeds, but hopefully that’ll answer your question, John. Do you have a point about the new service as well? I do wanna let you add your piece on it about that as well.
Kat Traxler: Oh yeah, the new service. I don’t know if it’s gonna change the way people work with SIEMs. I think that the SIEMs do allow you [00:21:00] to do some of that querying across clouds. Yeah, I think Steampipe has a really good offering around that. But the more enterprise ready SIEMs, like Splunk and Elastic, those are really more about correlation between the clouds.
That’s where those really shine.
Ashish Rajan: Oh, actually, yeah, that’s a good one. Because I think the norm of whether you are just AWS or you’re multi-cloud, and how many people are gonna be single cloud for a long time? I don’t know. Only time will tell. Nobody. Yeah. Because it’s the same as the research we were talking about.
Well, we can find out as many, I guess, possible scenarios, but unless you actually have a real example, it doesn’t go away. But talking about examples and how people kind of get to these kinds of things leads me to IAM as well, which probably has become the most important thing in a cloud context.
Mm-hmm. Why is IAM so important in the cloud world? And yeah, I know that’s your passion project as well. So can we hear your thoughts on the whole IAM space in cloud? Yeah.
Kat Traxler: We really bonded over [00:22:00] identity, didn’t we? Yes, we did. It’s both of our loves. And I think, yeah, I mean, just referring to IAM as the service from AWS, AWS IAM, it’s that identity and authorization layer.
That gatekeeper between you, like the end user or the attacker, and all of the functionality of the cloud. And the functionality is from spinning up new resources to destroying all of the resources, to exfiltrating all the data, to encrypting all the data. It’s the full effect of confidentiality, integrity, and availability.
So that’s the gatekeeper between the end user and all of the functionality. And in most cases, by default, all that functionality is publicly accessible. So there’s no network layer controls. In some more advanced architectures, you can work to put some of that behind some network controls.
But in the vast majority of cases, all of that’s going to be publicly accessible from any point in the [00:23:00] world. And it’s that IAM layer that’s going to authorize end user access. So it’s the whole ball of wax. It’s the everything.
Ashish Rajan: And I think OWASP even has the, what’s it called? Identification and authentication failures as well, in the OWASP Top 10. Funny enough, they’ve started including things which are sounding very cloud-like as well. And one of them was, I remember, identification and authentication failures, which initially used to have more of an application focus, but nowadays it’s creeping into AWS stuff as well. Right?
Kat Traxler: Yeah. I love the website. I forget who does it, but it’s the website that checks to see if AWS IAM has failed open. Oh really? It’s just this public website that just says AWS IAM has not failed open yet. But often in the background, you just start pinging something to see if it’s failing open.
Ashish Rajan: Failing open, as in people can take over IAM or...
Kat Traxler: Yeah. If anybody on the talk knows what I’m talking about, a link would be awesome. Or I can dig it out.
Ashish Rajan: Interesting. Maybe I can share it later as well. If you can [00:24:00] own that service, that’s basically game over for the entire AWS. That’s it.
Kat Traxler: That’s it.
Yeah. Yeah. That’s a layer that, in theory, exists in the on-prem world. Like there is a management layer to VMware. So if your organization is really big into containers and hosts, I’m sorry, virtual machines on VMware. Yeah. There’s a management plane layer on top of that. There’s a management layer on top of
like HP servers; they have the lights out, the iLO interfaces that are this management plane on top of those machines. So it’s not like it doesn’t exist on-prem, that attack surface is there. That risk is still present. It’s just on steroids in the cloud because it’s available everywhere.
There’s no network layer controls blocking that. And instead of kind of a small piece of functionality, it’s now like everything, everything is [00:25:00] programmatically accessible.
Ashish Rajan: Yep. A hundred percent. I think now we’re in that world. Actually, this kind of leads me to another question, where a lot of people ask about the fact that, should cloud security architects know coding and automation?
Kat Traxler: I’m probably going against popular wisdom here, but I don’t think so. I really don’t. I know a lot of folks have said that everybody should know how to code at some point, but the security architect’s job really is to understand, to be able to quickly evaluate risk and then understand how to bring it down, not necessarily how to do that implementation piece.
Is it helpful if they understand a little bit, to kind of be in somebody else’s shoes for a bit? Absolutely. But it’s not a requirement by any means. And as far as the automation piece, I think automation can be used in a lot of cases to centralize kind of chaotic configurations in the cloud, because we have this configuration sprawl issue.
Yeah. And so automation can really help [00:26:00] centralize that. And so it’s great if an architect can understand the role automation has in centralizing configurations and then have that central policy attachment point to be able to say, okay, that’s where I can prevent people from making changes to the infrastructure and allow only these people to make changes to infrastructure, because we’re automating and we’re piping through CI/CD.
But do they know how to work Terraform? No.
Ashish Rajan: That’s a good point. Because the whole point of an architect is not to build a building, but just to build the frameworks around, hey, what, for lack of a better word, I guess, where would the screw go into the hole or whatever.
Like, it’s not about, oh, what kind of cement should be used and what kind of metal should be used; that is too far down in the weeds for them.
Kat Traxler: Yeah, it’s totally not necessary. I mean, you’re more talking about a security engineer who needs to understand the AWS provider for Terraform, understand the difference between Terraform and CDK and how to [00:27:00] integrate that within a CI/CD pipeline.
But from there, an engineer can build this fantastic system that works great but has no security controls as far as who can access it. So the architect needs to swoop in there and say, okay, I’m gonna use this system now to put limits on who can make changes to my infrastructure.
And it’s good for them to know that those possibilities exist, because they can try to enforce and inform that end state architecture, because otherwise we just have this configuration chaos sprawl. And it’s possible to enforce at that point. But they don’t need to implement it.
Ashish Rajan: Awesome. There’s questions over here as well. So Zinet is asking if it’s a control plane. I think she’s referring to the IAM piece. Would you say IAM is like a control plane for AWS? Yep.
Kat Traxler: Control plane. Absolutely.
Ashish Rajan: Awesome. Right? Thank you, Zinet, for asking a question as well.
I’ve got a question from Alex as well. How important are cloud certificates? For example, the AWS Solutions Architect Professional?
Kat Traxler: I don’t have any [00:28:00] AWS certs. I have lots of SANS certs and I’ve always loved doing certs because it gave me this goal and focus for my studying. I don’t know that it’s really, maybe it’s helpful when interviewing for a job.
I think that it’s more important though, if you’re the kind of person who needs this end goal of studying. I wanna learn about the availability in AWS, I wanna understand all the resources. It’s much easier to motivate yourself if you’re studying for something. And that’s what I use certs in general for. I dunno anything about those Solutions Architect certs. Once I’m done with my course, I might just go and knock off some of those just for fun.
Ashish Rajan: Yeah, maybe I can add some, because I’ve done the AWS Solutions Architect Professional one. I think what you said is pretty much the answer as well there, depending on what your goal is. Alex, if you’re say wondering on the principle of, you’ve been an architect or you are looking into going into the AWS space.
If you want to [00:29:00] understand what’s an AWS service, like a generic overview of all the services within AWS, which probably are quite common. They wouldn’t talk about the 200 plus services, only common services that they know are primarily used by a lot of people across the board.
They will teach you that in the Associate, and in the Professional. The difference you will find is that the questions are a lot longer and they give you a scenario. They’ll say, Alex, you run a 500 million dollar company and you have a requirement to build cloud, and these are specific requirements.
Which one of these bullet points would you use as an approach? And that’s kind of where it comes in from. I think it’s good from a perspective of having an understanding of how you would use an AWS architecture. But, to Kat’s point, when you’re building a real life architecture, that certificate is only as good as knowing. We’re gonna go back to the analogy of the chef in a new kitchen, or in someone else’s kitchen, where you just don’t know where things are.
So you’re trying to figure out, based on the experience you’ve had in your on premise world, Okay, [00:30:00] what’s the service for key management? Oh, it’s AWS KMS. Okay, I’m gonna use that. Oh, what’s the service like? The whole conversation then becomes about drinking the Kool-Aid from AWS, because that’s what they’re trying to make you go around the path of for the AWS Solutions Architect Professional.
It’s great to get a job or at least get an interview, but when it comes to real life implementation, you would still rely on your original skills as an architect to go make a call for: does this make sense? Because I already have a key management system in my on premise. Do I need to pay for another one or whatever? That’s the balance you need to find.
Hopefully that answers your question, Alex, but I think that was my experience with it. It’s good. If you have no idea about AWS, I would start with the Associate. The Professional is a lot harder. I even failed my first Professional exam. I feel it’s a safe space to talk about, so I would say I failed my first Professional.
I had to give it a second time to pass it as well. So happy to kind of share the resources I used. But hopefully that answers your question, Alex. Thank you for that.
Kat Traxler: I heard that [00:31:00] the Professional one was more difficult because they got a little there with the use cases. Yeah. Very, very attuned to how they’re wording the use cases.
You have to study the
Ashish Rajan: test. Yeah. And I don’t think it’s a fair thing, to a point, also because it’s not talking about all the latest services. So depending on the version of the exam, they might be like, the version that I gave didn’t have a single question on Lambda.
And the version after that, even though Lambda was popping at that point, everyone was talking about Lambda, none of the solutions pointed to Lambda. Like, well, I would not use any of these cause it would not make sense. So I have to switch off my brain for what’s current in AWS and switch back to what used to be AWS, what they want me to answer.
Yeah. So I mean, we can make a whole entire episode on my bitch about the certification thing. I’ve got another question here, and I think Malik Bilal Dost is asking, he’s a student who wants to go into the cloud security, cloud computing space. And maybe this [00:32:00] is, first of all, it’s awesome that you’re trying to get into the space, but this is also a good point to talk about.
Because he’s a student, I don’t imagine he has a lot of experience. What is your 2 cents on people who want to get into the cloud security space but with no experience?
Kat Traxler: Yeah. I think there’s still a lot of roles open around the junior level. I mean, my first job in the security industry was a junior pen tester level, and I moved from development.
So there’s some natural pivot points. Like if you have some background in development, well, testing web apps for security issues might be a good pivot. If you wanna go into cloud security, maybe look around your organization. Is anybody doing cloud security right now? Maybe that could be you.
So try to fill the holes, the gaps in the world where you see them. If you wanna go into cloud security, maybe a good initial step would be to do like DevOps engineering first, know how to build it first, know how it’s glued together, and then you can [00:33:00] understand later how to secure it. So.
Hopefully those are some good pivot points.
Ashish Rajan: Yeah, I would probably throw in the fundamentals as well. I mean, I’m not sure how much experience you have, Malik Bilal Dost, but if you can learn about networking in general, backup, identity and access management, what these fundamental concepts are.
Cause none of the AWS certifications will teach you that. They just tell you that, Hey, use this IAM service, use this KMS service. But they don’t tell you why do I need a KMS, why do I need an IAM, why do I care about any of these? So hopefully that answers your question.
But Malik Bilal, and I think John, I’ve had a link for you as well. So definitely check that out from AWS. Alright. I’ve got a question from Roderick Rischer as well. What are the most important skills of an architect?
Kat Traxler: This is gonna be an odd one, but I would say shaking hands and kissing babies. You find yourself in some really tough rooms sometimes.
You find yourself in places where you need to very quickly [00:34:00] understand what does this application do, what risk does it bring to an organization, and how to mitigate that risk? And oftentimes you have no authority to do any of that. It’s just the nature of the game. So we often joked that an architect works on the eighth, ninth, and tenth OSI layers: people, politics and religion, where you have to use those people skills to go into a room and say, Hi, my name’s Roderick.
Please tell me about your application. I really wanna know. You need to ingratiate yourself to these people. You need to be friendly. You need to care what they’re doing. You need to understand what value it brings to the business, and then you need to convince them to do the right thing. That isn’t gonna be the case in all organizations.
In some organizations, architects have a hammer they can hammer down, but I don’t find that those are too frequent. I often find that the security organization, the architectural organization in particular, is this like big cross [00:35:00] collaboration organization where their job is to work in partnership with everybody, and they don’t have a big hammer to bring down.
They have to get everybody to do the right thing because they want to.
Ashish Rajan: Yeah, a hundred percent. I think I love the analogy of kissing babies, and it pretty much sums it up even as an auditor as well. It’s the same thing as well. You wanna produce a report, but you wanna come back and do another audit as well.
So you wanna find the fine balance between what should be reported as a high risk versus a medium risk. Mm-hmm. And that conversation never changes. Thank you for that question. Zinet has a question: what SANS certificate do you recommend for transitioning to, or geared towards, a cloud security architect role?
Kat Traxler: I have, I think, five SANS certs. I kind of lose track. I think the most recent one was the one based off of the 510, the cloud security, multi-cloud security assessment course, SANS SEC510. Great course for all around understanding the secure [00:36:00] configurations of GCP, AWS and Azure.
Fantastic course. I contributed part of it, so it was pretty fantastic. Great cert. I keep coming back to my very first one though. The SANS 401, it’s just a security essentials. It’s kind of like their equivalent of the CISSP, very broad, not a ton of depth, but it really is those fundamentals around CIA, confidentiality, integrity, and availability, across all technology systems.
Yeah, I studied like mad for that for three, four months. And I really attribute the solid foundation I built from that first course and that first cert to being able to build from there. So for anybody first starting on it, I always recommend the 401.
It was a hard class and it was a really, really hard cert to study for. So yeah, I mean, it is a 400 level course, so maybe somebody might turn their nose up at it, but it is some solid [00:37:00] foundations to get anybody started.
Ashish Rajan: Awesome. Well, thank you for sharing that. Thanks for that question as well, Zinet.
Talking about CISSP, you dropped in there. I feel like a lot of people would be, I guess, thinking about how it has the broad context for cybersecurity in general, and we spoke about certifications. It’s also making me think that, with regard to clouds as well these days, not many people, especially if you’re in the enterprise space, you don’t just have one cloud.
You have multiple clouds, and sometimes you have private cloud and public cloud. And I know, whatever cloud someone else may just happen to make in their basement somewhere. Do you feel it is important for a cloud security architect to know all the clouds, at least in some way or form?
Kat Traxler: I think the idea that a cloud security architect would have this, like, I would say, deep understanding of all the clouds is just ridiculous.
I can’t imagine anybody has enough RAM in their brains to contain all of that. And specialize in one, really go deep in one. If you’re an [00:38:00] overachiever like me, you can specialize in two. But focus your specialization on like one common or two common languages. For me it’s AWS and GCP.
And then every time I have to try to understand a concept in Azure, how I understand those concepts is I draw parallels between them, and I start saying, Oh, this is like VPC Service Controls, or, this resource model is like GCP, but with this variation. So you can start to get some proficiency, at least baseline proficiency, pretty quickly.
Yeah. If you are just deep in one, but don’t think that you have to have this deep experience in all three. I think it’s kind of ridiculous to expect that from anybody.
Ashish Rajan: Yeah. I’m the same. I started with AWS and I think I still feel I’m the most in my element in AWS.
Mm-hmm. But I can definitely transition to Azure or Google Cloud, as much as I’ve done. [00:39:00] That transition has always just been, to what you said, I’ve drawn a parallel to go, Okay, what was the parallel for this in AWS? Ah, this is the unique way it works. You can call the service whatever you want. Cause to your point, there might be a fourth cloud tomorrow.
Suddenly Oracle Cloud becomes popular, or IBM Cloud becomes popular. I mean, how many cloud services can you really remember? This is like back in the day, people used to have one certificate from Cisco and that would be the best for the rest of their life. That’s not enough anymore.
Kat Traxler: And that’s why, get a certificate if you want. Don’t get a certificate if you don’t want. It’s just a tool to help you learn.
Ashish Rajan: That’s all it is. Yeah, I definitely feel like the certificates at the moment in the cloud space have become more of a tool to get that next interview.
Cause to what you said, you may have learned cloud security in your organization without a cloud security title, but if you’re trying to get that role somewhere, then that certification actually helps. Cause then that gets you the entry. Cause whatever filter people have for, Hey, I only want people who are AWS certified, or Azure certified, or Google [00:40:00] certified.
At least you pass that filter and get to the interview part, when you can really shine at that point in time.
Kat Traxler: I understand that, right. A lot of people have software that looks at all the resumes: are these keywords
Ashish Rajan: in there? Yeah. Cuz they’re looking at thousands. I mean, that’s most of the people that I’ve helped out and spoken to, that’s what they keep referring to, that you can’t even get past the first filter if you don’t have a certificate.
I’m like, okay, fair enough, that kinda explains the reason. But if you’re in a company where there are already plenty of cloud security roles, you don’t need to have a certificate. You just basically work your way through transitioning onto that role within the company. Yeah.
Kat Traxler: And I bet there’s tons of people who are working in the cloud space without that official title, because there’s so much cloud and so few official practitioners.
So it’s gonna fall in so many people’s laps.
Ashish Rajan: Yep. Yep. A hundred percent. This also makes me think, talking about frameworks around how the architecture space has always been about, I think ISACA or whatever, there’s like a SIG, there’s a few frameworks people rely on for building architecture.
Are there any frameworks that apply to the cloud security world as well, in [00:41:00] terms of, Hey, I can go back to this framework and use that as a building foundation? Or should people just use MITRE ATT&CK as a way to go, Oh, these are my TTPs and I will work based on that. What do you normally recommend to people for building architectures?
Kat Traxler: So, I mean, to get really high level and to get really kind of ephemeral around your architecture, and to get into like the architect’s architecture, I love SABSA. I dunno if you’ve heard of that. It’s out of the UK. I based a lot of my former architecture training around the SABSA methodology, which is very business oriented.
Attempting to drive outcomes from your architecture rather than just, ratchet up the security, make it super secure. So that’s not cloud security architecture, that’s just architecture, security architecture in general. And it’s a very traditional, formal methodology. I don’t think you should show up to your next job interview with the big formal SABSA book and say, I’m going to prescriptively make everything this way.
But [00:42:00] it’s a really good framework and way to think about things. As far as just reference architecture and understanding what secure patterns look like in the cloud, AWS has their Well-Architected Framework, which is a guide that will talk to you about some really common use cases, like if you wanna connect your VPCs to on-prem, what are the patterns; if you wanna connect two VPCs together, what are the use cases, what’s the pattern?
And they also have a website, the Well-Architected Labs, that can walk you through all of these different labs of building networks and creating identity architectures and roles. And there’s different pillars they work on. Not just security, but also cost and performance and things like that.
Ashish Rajan: Oh, sweet. That actually, that’s a great idea. I’ll put the notes for them in the show notes as well so people can actually find out about it. I’ve got a question here from . I think this is more around the software development side, and the question is more on the fact that. Thanks for your question.
[00:43:00] Aside from pen testing, do I need to know software development and networking as fundamentals to reach cloud security or cloud computing?
Kat Traxler: Yeah, I mean, networking fundamentals, absolutely. Understanding the difference between public and private IP space, and routing, and probably even how to do some CIDR math, some basic networking concepts.
Maybe the software development life cycle. It’s nice to be exposed to. Well, I guess I’ll make the joke: how does a bill become a law? How does an application become an application? I think it’s really important to understand that process between somebody writing some JavaScript on their computer and it being packaged and committed to a Git repository and picked up by a CI/CD system and deployed into a container. And then maybe the path between dev and prod, just that whole life cycle system, and then the places where security plugs into it.
All of those things you’re gonna learn, I think, probably in the first day of your [00:44:00] job, in the first year or two. Those are things you just soak up by osmosis, by kind of living and working within security. And if you find yourself in an organization that’ll let you get exposure to a lot of different areas.
Hopefully you’ll just kind of pick that up.
Ashish Rajan: Hopefully that’ll answer your question as well, but that answered the question really well. I think the last question that I had was, is there more of a, like a roadmap kind of a thing that you tell folks who are trying to transition over from an experienced architecture role onto a cloud security architecture role?
Is there usually some kind of a mind map or a roadmap to what we spoke about? Some people love having those milestones that they can tick off as they go, Oh yeah, I can do these things and I’ll probably get to that cloud security architecture thing. Is there any rough roadmap that you normally recommend to people for how they can approach that?
Kat Traxler: I mean, not offhand. No. I mean, I hope that’s what I’m building, Ashish, I hope that’s what I’m building as a roadmap. I feel like, in that roadmap, I hope that people take [00:45:00] away more about what to retain about their intuition around mitigating risk and designing for confidentiality, integrity, and availability.
I hope within that roadmap that I create that people’s takeaway is that they already have that intuition in them from the on-prem world. They just need to know how to translate it.
Ashish Rajan: Yep. Yeah. And that’s a good way to put it as well, cuz whatever they know right now is still very important.
One more question coming from Roderick. What is the most difficult thing about cybersecurity when related to architecture?
Kat Traxler: Oh, the most difficult thing about security as it relates to architecture. I think it is probably staying humble, and understanding that, as security professionals, as security architects, we’re there to identify risk, mitigate risk, but we’re also there to help the business with whatever that application is there to do.
So you have a team of developers that have developed this [00:46:00] architecture and they want to deploy it onto the web because it’s going to make your business X amount of dollars. Your job isn’t to put all the security on top of it and just security it up. It’s to walk alongside of them and to understand, what is it doing, what purpose does it serve, who are its users, what’s the business value?
And all of that requires a lot of humility. It requires a lot of shaking hands and kissing babies. It requires just a lot of getting to know people and what they’re trying to accomplish. So I think the really easy default thing is to just plop security on something and call it a day.
Mm-hmm. But we really need to understand what the purpose of this thing is to understand what needs to happen to it.
Ashish Rajan: Yeah. It’s very well said as well. I think the way I put that across is, when we are all starting off in cyber security, we wanna, to quote you, security everything, [00:47:00] because hackers are out there.
Yeah. But once you start having a bit more experience, you realize actually we are in a role in a company because the company’s paying us money to get our advice and guidance on what our risk exposure is. How can you manage it? How can you mitigate it? It is not to securitify everything, as much as that is a byproduct of identifying the risk.
It is not the goal, it’s just that, unfortunately, it takes you some time to realize. So I’m not sure how much experience Roderick has, but as you go on the journey of becoming an architect, what you realize slowly is the whole shaking hands, kissing babies thing, which is true. Cause you may decide that, oh, these 10 things are in that list.
If I do all of these, this application will be secure and will scale and everything. But out of those 10 things, only three or four can actually be implemented practically, and people may say yes to those; everything else would be a no. How do you deal with that? How do you even check your ego while people are [00:48:00] like, You’ve spent so much time and research looking at the 10 things and now suddenly, I can only do four.
Like, are you serious? So I normally find that was very humbling for me when I was an architect. I had to consistently check my ego for, that’s okay. They understand what they’re doing. I’ve done the right thing. I’ll move on from this. What do you think about that?
Kat Traxler: Oh, no, that’s perfect.
Yeah. Check. Yeah. Being very conscious of the ego. I mean, it’s gonna come up, it’s gonna happen. You’re gonna feel like, Oh, somebody’s not respecting my authority.
Ashish Rajan: So much research. I know all of this. I know. Certificate.
Kat Traxler: Yeah. What do you mean you can’t do that? What do you mean that’s gonna take six
Ashish Rajan: months?
Yeah, there’s a lot of that, a lot of brain power spent on kissing babies and shaking hands. I’d just say that. Yeah.
Kat Traxler: So really being very tactical about what you ask for and making sure it has the biggest impact on that risk mitigation. Pretty much it,
yeah.
Ashish Rajan: That’s, and this is where the alignment of business goals comes in as well, to your point about the tactical [00:49:00] part.
As long as your tactical steps are toward what the business wants, it would be an automatic yes. Yeah. The moment it’s slightly off what the business wants, it’s like, oh, let’s look at it next time, or let’s find another way to do this or something. So, but I loved how both you and I were able to come up with a great answer for Roderick.
If you have any further questions, we’re able to answer those as well. But thank you for that question. That was a great question. Yeah, that was a great one. Yeah. All right. That was pretty much the end of my technical questions. I’ve got three fun questions, and it won’t take that long. And also it’s more just for people to get to know a bit about yourself.
First one being, where do you spend most time when you’re not working on cloud or technology?
Kat Traxler: My yoga studio. Yeah. Every minute. I mean, that’s how I recharge right now. Right now I’m exceptionally busy and where I recharge is the yoga studio. There were some long covid times when it was closed.
It was real tough. But it’s open again. And that’s where I find my energy.
Ashish Rajan: Wait, is this one of those yoga places where they give you [00:50:00] wine and tea as well, or no? No.
Kat Traxler: That’s lovely. No,
Ashish Rajan: that I’ve heard. I’ve always wanted to try a yoga place where they give you wine. I don’t know how you do poses with wine in the belly.
That would be just weird. Yeah. I think it’ll be weird to do that, but I think it’s a fun activity as well, so I’m glad. Thank you for sharing.
Kat Traxler: I could see some tea, though. Some tea would be
Ashish Rajan: really nice. Tea would be good. But maybe after the yoga, right? Not in the middle of it. Yeah, because a lot of people started during covid, they started the whole, Oh, yoga with wine, and it doesn’t seem practical at all.
No, it wasn’t. Like, so you do a few poses, you stop, you drink alcohol, you drink wine, which is a lot of alcohol, and then you go back into poses again. I’m like, Oh, by the end of it, are you even able to do your poses? Maybe it’s just an Australian thing. Maybe an Australian thing.
But we definitely came up with interesting ways to drink, I guess. But it definitely flew, got a lot of popularity cause of it. That’s what helped a lot of people get through the [00:51:00] covid times when we were in lockdowns. Next question. What is something that you’re proud of, but not on your social media?
Kat Traxler: Something that I’m proud of that’s not on my social media. Oh man, that’s a hard one. Okay, I’m gonna get real personal here, but this is a safe space. My sister is 13 years younger than me. So she was like a daughter, right? And actually as we grew up, I ended up having legal custody of her.
So she is a little bit like my daughter, and she has just blossomed into this wonderful woman, mom. She graduated nursing school. She has her own house now. She’s just kicking ass at life and being wonderful. So I’m most proud of my sister.
Ashish Rajan: That is a great answer, and I’m really proud of your sister as well.
That’s pretty cool that you’ve all gone through all of that and she’s made an amazing person of herself. Awesome. And just on that, maybe, so Zinet, they’re doing yoga with goats as well.
Kat Traxler: I’ve seen that. Yeah. The goats are like walking on [00:52:00] your back.
Ashish Rajan: Oh, really? Is that what they’re doing?
Okay. Well, covid has made people weird, I guess. The yoga with wine and yoga with goats, so there you go. Final one. I talked about goats and goat cheese. I guess, what’s your favorite cuisine or restaurant that you can share?
Kat Traxler: Oh, I think I said this last time, but I think I said Mexican food, right?
Like, yeah, absolutely. My favorite. We have this little Mexican bodega down the street, and right when neither of us wanna cook, we’re just like, let’s go over, grab a plate of huevos rancheros or something. Ooh. The place is a parking lot mess, right?
Because there’s like every contractor pickup truck trying to get into this parking lot. I think the city probably sends them letters about the traffic jam it causes, but we love it.
Ashish Rajan: Oh my God. Well, I think there’s definitely great Mexican food in America, for sure. That was probably all we had time for.
Thank you so much for coming on the show. Where can people find you to know more about cloud security architecture [00:53:00] and the courses you’re working on and stuff as well?
Kat Traxler: Yeah, so I’m on Twitter and Mastodon. Nightmare JS is the handle on both. I’m on the InfoSec Exchange Mastodon now. Like a lot of people, I’m kind of making the migration over to Mastodon.
I’m liking it so far, it’s not too bad. I’m also on the Cloud Security Forum Slack run by Scott Piper. You can talk to me there. Or LinkedIn always works. So,
Ashish Rajan: And the SANS course that you’re working on, what’s that called again? Yeah,
Kat Traxler: The SANS SEC549 Enterprise Cloud Security Architecture two day course.
At the beginning of the year it’ll be out as a four day course.
Ashish Rajan: Sweet. Looking forward to that. Awesome. Thank you so much for that. I’ll leave links for all your socials over there, including the course as well. But thank you so much for coming in, and thank you to everyone else who tuned in as well.
Ask those questions and we’ll see you in the next episode. But thank you so much for your time, and hopefully you have a great weekend, everyone. Thank you. Thanks. Thanks.