Ashish Rajan: [00:00:00] Hey, welcome Chris!

Christopher Hughes: [00:00:02] Thank you. Thank you for having me. .

Ashish Rajan: [00:00:05] I love to have you here. I’m glad it took a time, but I’m here and you’re here as well. So we want be made it happen and just to make it the right team for the show. I have my coffee.

Christopher Hughes: [00:00:16] Yep.

Ashish Rajan: [00:00:19] No good. Chris. You’re you’re hearing the first time. And so if anyone looks at your profile, see SSP cloud security engineers.

I was the QT professor. And I can, the list keeps going on. So I’m not gonna, I guess, do injustice to your description. So, but for people who haven’t heard of you before, who is critiques?

Christopher Hughes: [00:00:40] Yeah, I’d say professionally, I’ve been in the it slash cybersecurity career field for a while. Over 12 years, you know, I’d say closer to 14 years at this point. , both, you know, with the military and the private sector and public sector and federal government in the United States. So a little bit of everything in that regard, and a lot of different roles, you know, around the system administration, [00:01:00] cyber security, cloud security, you know, project management.

And as you mentioned, like in addition to working full time roles, I also teach as an adjunct at a couple of different universities as well.

Ashish Rajan: [00:01:11] Wow, man. Oh, thank you for your service by the way, under like your military as well. The obvious question then how did he get into cyber security? Was it through the military or what got you into cyber security?

Christopher Hughes: [00:01:22] Yeah, it was actually the military I joined in, in 2008 and got put into that kind of a, an it system administration role. And from there it got more, you know, more focused on cybersecurity and ever since then, you know, I’ve just stuck with it and seeing that something I was interested in, something I was passionate about and seeing that as a career field that has, you know, as you hear constantly like ample opportunities.

So it’s just something I’ve stuck with for a lot of reasons. Oh, right.

Ashish Rajan: [00:01:45] And, and you currently work at the calc security engineer that right?

Christopher Hughes: [00:01:48] That’s correct.

Ashish Rajan: [00:01:49] Yep. So please demystify that for us. What is a cloud security engineer?

Christopher Hughes: [00:01:56] so, you know, I know it can be a convoluted term and can be confusing, [00:02:00] but honestly, it’s, it’s very similar to, you know, traditional cybersecurity engineering in terms of like identifying threats and vulnerabilities with systems and software.

but in the context of, on a cloud platform, you know, whether it’s like infrastructure as a service platform, as a. Platform as a service or software as a service, and being familiar with those cloud platforms and different software, that services that are being consumed and just kind of applying those traditional concepts of, you know, confidentiality, integrity, availability, but in the cloud context,

Ashish Rajan: [00:02:27] Right.

Okay. So does it change? Cause you mentioned in, for the chest cord as well as, patches as well. So is it different, like, so is the cloud security engineer focused on a particular kind of, I guess cloud side with Alexa exercise or a pass or AWS versus Azure or.

Christopher Hughes: [00:02:45] Honestly, it depends on the organization or organizations you’re working for, you know, say you’re working for a traditional corporation or organization.

You might be working with one cloud provider or multiple cloud providers. If they have a multiple, you know, a multicloud environment or hybrid cloud where you have an on [00:03:00] premise footprint, and then you also have a cloud footprint as well. and then honestly, many organizations are consuming. Yeah, several softwares and services at this point.

so you’re securing those and you’re kind of vetting those to see if you want to integrate with them and send data to them and vice versa, let them into your environment possibly. so yeah, there’s a lot to it.

Ashish Rajan: [00:03:19] All right. And so with your focus has been since you’ve been in this role, I guess.

Christopher Hughes: [00:03:24] so initially I I’ve been in this kind of cloud security centric role for five years now at first, started off with, the military when I was working at the Navy.

And a health agency here in the United States and kind of, it was more compliance, focused, like trying to take systems and move them into the comply. Cloud a beat, but being compliant with like federal U S you know, regulations and department of defense regulations, things like that. but then I got more interested in the technical aspect and kind of, from that, you know, pivoted into more of a technical role, working as a cloud security engineer and cloud security consultant, you know, helping configure platforms and helping organizations, safeguard data, you know, [00:04:00] analyze what services they want to use and kind of helped them modernize their infrastructure in a secure way.

Ashish Rajan: [00:04:06] Oh, and to your point it’s, it, so good. Sounds like you had a mix of compliance. You had a mix of, not just, well, not just compliance, but he had a mix of engineering aspects as well. So with the experience that you’ve had and I’ll. We have a few students in the mix as well. And some people who are transitioning into cyber security, some of them have been to sat admins for traditional infrastructure for a long time.

Some of them are developers. And the, one of the questions I get is, I mean, I guess the title is, well, how do I become a cloud security engineer? Do I get a certificate or wait, how do I. Go about approaching this. So anyone who’s listening from that perspective, what’s your experience been? I know you have a lot of certificates for people to check out their LinkedIn profile and your professor as well as probably from that perspective, you can give that insight into where does it, how would you, ask anyone to [00:05:00] prepare, to get into a cloud security field, a particle engineering field?

Christopher Hughes: [00:05:03] So there’s a lot of different angles. You want to look at it. Potentially look at the industry you’re in and seeing like, you know, what, cloud service provider or providers are the most prevalent, you know, in that career field, like say you’re working in healthcare or, you know, federal government, or, you know, what are banking, you know, those kinds of things.

and see what kind of cloud service providers and most prevalent and part of the focus on I’d recommend starting focusing on one, you know, with the big three being obviously Amazon Azure and GCP, focused on, you know, one of those initially just to get familiar with like, you know, what is cloud computing.

how does infrastructure as a service work, where other cloud services that those cloud service providers provide and then kind of take that angle and see, you know, how does it fit into what you’re doing currently and how are organizations using those platforms? Do things differently. Like say I’m a developer.

I might start looking at some of the developer tools that AWS offers and see like, you know, how are those being leveraged? How can I leverage those to do. No development in the cloud environment versus the on premise environment, if that makes sense.

[00:06:00] Ashish Rajan: [00:06:00] Sure. And two-point development, is that more coding or is that more infrastructure scored or like, so, you know, you talk about coding.

What does that coding mean in a cloud security engineer life, I guess.

Christopher Hughes: [00:06:13] Yeah, it’s a, it’s an interesting question because you’re starting to see, you know, with efforts such as like dev sec ops and dev ops and things like that, you’re starting to see kind of a, an integration of those roles and they’re starting to mix and kind of be very fuzzy in a sense, like when it comes to cloud security, even you can have like, compliance’s code or policy as code, you’ll hear it called, where you can start to work with in those cloud environments and using things like cloud formation and other, other things to kind of enforce a security.

Requirements in the environment, but they’re in a, in a code format, you know, more so than the traditional formatting and kind of approaches that you’re used to on premise. Oh,

Ashish Rajan: [00:06:49] right. And so, okay. Cause you can basically make it what you want it to be. So to your point, if I’m, I guess a student, or if I’m already looking at an organization and I see that are these security products [00:07:00] or not security products, but security things being done in a, in a manual fashion are automating that could also be considered a cloud security engineer.

POS that’d be. Yeah,

Christopher Hughes: [00:07:12] no, I mean, that’s, that’s definitely accurate. Like I’ve seen many use cases in the cloud environment, you know, in my opinion, where we’re cloud really provides some value around security is, you know, we hear you’re often around, there’s a shortage of cybersecurity, talent. You know, organizations are struggling to find cyber security experts.

so when you move to the cloud environment, you can have what’s called event driven security. So you can, No things are triggered via API and things like that. You can have, actions that occur that immediately set off kind of an automated response, automated incident response type scenario, and those, and those can not only help, you know, with having a shortfall of staff, but they can help you respond to and remediate and kind of containing an incident, faster than you would traditionally.

Ashish Rajan: [00:07:49] Oh, right. And that’s the whole threaten or not detection response kind of area kind of just exploded everyone. It just even drew insecurity. And how do [00:08:00] I, I guess, know the alert before I can do this or whatever, is that, is that kind of where it kind of came out from.

Christopher Hughes: [00:08:05] Yeah, exactly. And then like, if you look at the, you know, say like AWS, for example, they just released a, an updated AWS incident response security guide.

And if you take a look at that, automation is kind of thread throughout that entire, that white paper. And because, you know, like I said, not only for like a shortfall of staff reasons and kind of augmenting staff from an automated perspective, but also just being able to respond quicker to an incident, identify an incident faster, contain it and potentially remediate it.

No, and that’s where cloud can really put you ahead of what you can do traditionally.

Ashish Rajan: [00:08:34] Oh, and so I definitely want to get into a bit more about the maturity of cloud that you’ve seen. And, but before we get into that, is there a certification that I should be looking at? if I’m trying to get into the cloud security field and the question, imagine me being a, I guess, a cybersecurity student or a developer, to your point about.

AWS is a great example. They have a [00:09:00] special security specialty exam as well, which I didn’t realize there was like, there was like a jump as well. You can’t just go straight off for security specialty exam. You kind of have to give something in between, from what I understand.

Christopher Hughes: [00:09:10] actually I think they may have waived it at one point you had to get the associate level of certifications, like solution architect or something first, but I think they waive that requirement.

Now you can jump right to security, but I don’t ever really tend to recommend that to folks just because you’re going to be jumping into it without having like. The baseline foundation of what AWS is, are the services you kind of want to build up to that?

Ashish Rajan: [00:09:31] Also. So what would you like? So if any, for, for students who have not done any work in cloud, how are you going to reckon, like, what should they be moving forward as like, what does that stepping stone for them before they get into that thing?

Christopher Hughes: [00:09:43] So, I’ll lay out the, the kind of the approach I took and not necessarily saying it’s the best approach, but I think it was a good way to approach it is like, rather than jumping right to a specific vendor like AWS GCP or Azure. what I did was I took the CCSP, which is a cloud certified security professional from ISC [00:10:00] square.

the same organization that, you know, your CIS has P comes out of. It’s just a center, it’s a cloud centric version of that. so like that lets you take combo vendor agnostic approach instead of like one specific cloud platform, you learn the fundamentals, like what is cloud computing? What are the five tenants that.

That make up cloud computing, you know, what are some of the key security considerations that you would want to look at when you, when you’re trying to secure a cloud environment or help an organization migrate to the cloud. And then there’s also another very popular one is called CC S K a and that’s from cloud security Alliance, which I know you’re, I think you’re familiar with secure cloud security Alliance.

That’s their kind of vendor agnostic approach to cloud security too. So those are two good starting points just to get familiar with what is cloud, you know, what are big things within cloud that you should be looking at from a security

Ashish Rajan: [00:10:44] perspective? And does it cover overall security as an incident detection?

Christopher Hughes: [00:10:52] if I recall, I don’t have it on the exam outline in front of me, but it’s broken down by focusing on like data security, you know, [00:11:00] a lot of different domains basically. And then it kind of gives you a cumulative view of cloud computing and cloud security and the key considerations to be cognizant of.

Ashish Rajan: [00:11:09] All right. So it will help you basically kind of. Yeah, because I feel like the thinking of security slightly different in cloud, where if you’re trying to focus just on an application, then yeah. You can find out okay. For an application in front of, about wanting to do X, Y, and Z. But when you put that in a cloud context and you have these concepts of IAM user SES credentials, and there’s so many layers just to identity, do you do, to your point, you kind of like, Oh, actually I need to think about this a bit differently.

So. Do you find you’re not getting as good for those foundational things where may not be specific to AWS or Azure, but it gives you that thinking mindset that in a cloud environment, this is how you should be thinking about security. Is that a fair explanation?

Christopher Hughes: [00:11:48] No, it is. And actually just pulled it up.

So just to give a rundown, like, you know, it kind of focused on six domains. So in this context is going to be that cloud architecture and design cloud data security cloud platform and infrastructure security [00:12:00] cloud application security. Cloud security operations, and then of course, legal risk and compliance.

So it gives you that kind of holistic view of operations in a cloud environment. And like you said, identity being definitely one of the big ones to consider, but you have the infrastructure, the data, you know, you have your operations and then you have the compliance aspect as well.

Ashish Rajan: [00:12:16] Sure. And I think no.

We’ve kind of covered, stuff for people who are trying to become a caretaker engineer. And I do want to take it up a notch as well. cause I know this is just fairly basic question for you. I do want to take it up a notch as well. but before I jumped into that, I wanted to ask you, because you’ve given security specialty exam for people who may have.

Worked in the AWS space for some time. Is there a recommendation on how can they prepare for what was your approach to preparing for the edible security specialty exam?

Christopher Hughes: [00:12:48] So in that case, there’s actually an individual called zil Vora. So Z E a L V O R a. He has a massive presence on new Demi if you’re familiar with [00:13:00] Udemy.

Yep. Yeah, yeah, yeah. I mean he covers every technology and, you know, cloud provider, everything you could think of. But anyways, he has a, he has a great course on there and he also has a book, for the exam specialty. Let me see if I can grab it. It’s actually right here.

Ashish Rajan: [00:13:16] Yeah. There was a guy. Yes.

Christopher Hughes: [00:13:17] Yeah.

So he, I mean, he’s really great. He breaks down topics really well. And then there’s also, you know, various websites like Linux academy.com of course, you know, in a cloud guru are the two big ones. Yeah. I use both of those in that case. I use both of those, training platforms in my case to kind of run through the content and then also, you know, spin up virtualized lab environments and kind of run through some of the key services and key things you need to be familiar with.

and then also, you know, w with AWS exams, and I’m sure it’s probably the same from Azure, from what I’ve seen and, and Google as well is jump on YouTube and, you know, start listening to some of their conference videos, like where they go through deep dives on certain services, you know, certain use cases, things like that.

Ashish Rajan: [00:13:55] All right. Okay. And so did you say that because someone’s asking in the comments section actually, , [00:14:00] I’m like, who is this guy? So coffee is awesome. The comments, you should be able to see it, or you may not see it, but I’ll just put post link in the show notes later on for Karthik. That’s letting you know, just cause he’s asking for a link to the course.

So we should be, would find that link and share that in the show notes. So it was a zeal. Did he fit, what was the last name again?

Christopher Hughes: [00:14:18] Vora Laura.

Ashish Rajan: [00:14:21] Yup. Sweet. Alright. I’ll we’ll, we’ll definitely get to that as well. A lot, a lot that in the show notes and the comment when you get to it, the next obvious question.

So I’ve done all this great things. I’ve done. All the certifications have been working in AWS, but there might be a mix of people who are in AWS and maybe doing some sack, some kind of security already. And we spoke about automation. What is kind of like the maturity level that you’ve kind of worked with in different, like what do you see as the basic foundational stuff that I have a small environment, I manage the cloud over there and I want to have these basic boxes ticked off.

Right? Like you may consider it as [00:15:00] one Oh one in like. You should at least have Clark realtor known, like you should at least have external things like that. Do you have like a, it doesn’t have to be like a full list. Like what’s the, what’s the three things that you think from the top of your head that people shouldn’t have as a basic to start off?

Christopher Hughes: [00:15:15] Yeah, I would say like, you touched on identity and I am earlier. I see. That’s absolutely like a key critical piece that individuals need to get. Right. You know, not who has access to the environment, you know, what services do they have access to? What can they do within the environment? No. Are you given like a least permission approach, at least permissive approach to the environment?

you know, absolutely look at like encryption, you know, is your data encrypted, you know, who can access the keys? Do you have control of the keys? Are their cloud provider have control those keys? and then obviously, misconfigurations within the environment and around like storage buckets and things like that, you know, we see all the time or another AWS breach and you look at how it occurred.

It’s an S three bucket that we had public access enabled. So some of those things are some of the key considerations definitely look at Ralph the gate. I mean, there’s definitely much more than that, but those are some of the [00:16:00] easiest things to look at now that easiest, but you know, some of the major things to consider and definitely take a look at right out the gate.

Ashish Rajan: [00:16:07] All right. To your point, it makes it makes sense as well, from a perspective of identity being the new gateway into. Anything online though, right?

Christopher Hughes: [00:16:17] Yeah. I mean, the way I’ve heard it phrased is, you know, when you look at things like zero trust, like you’ll hear people say identity is the new perimeter. And I like that.

I like that perspective. Right. Cause you know, you’re kind of narrow things down to the identity and every kind of request for access or, you know, to data or anything within the environment you have to have kind of have that authorization approach, you know, authorization process kinda of occur each time.

Ashish Rajan: [00:16:39] Yup. Yup. And to a point it may make sense also from a perspective of. because I didn’t get the new premier on the parameter. Do you have an opinion on single sign on versus I am uses for AWS.

Christopher Hughes: [00:16:54] so I’ve seen, kind of environments do both. I think, you know, as you, like, you mentioned like a small [00:17:00] environment, I’ve seen small environments kind of use like, Traditional I am, you know, for users and things like that, users, groups, roles, but then as you get into the enterprise environments, they definitely tended to have more of a traditional, like active directory, you know, kind of have that federated identity between on premise and in cloud environments and using a single sign on.

So I think it really just depends on the organization and their maturity and that kind of their, their size to be honest.

Ashish Rajan: [00:17:22] right. And what, I just have another question from Yeshua here. He’s asking, did the AWS. AA, which is, I’m assuming it’s a secure solution architect associate, I think worked a bit with few AWS services now has he’s planning to go into it.

Security aspects of cloud as well. So, what is your thought on the associate exam as well? Cause I think you’ve sat that exam, right. Solutions and cause that’s a good foundational one to get, get used to AWS services. So you can start building on say you mentioned identity.

Christopher Hughes: [00:17:53] Yeah. I think. That tends to be the most popular Amazon, certification, you know, both from like a learning perspective.

And then from an [00:18:00] employment perspective, if you search online, that’s going to be the definitely the highest one that comes up the most often. And it helps you get familiar with like, you know, the, the wide breadth of services that AWS offers and then kind of how. Textures work in the cloud environment in AWS.

but with SF, like, you know, we could talk about like syst admins and developers. that’s where you have the other associate exams, like CIS ops and developer that I’ve taken as well. And those kind of, you know, those kinds of points you more in a different direction based on the, kind of the role you’ll be performing within the environment, you know, where, where your background is and what your interests are.

Oh,

Ashish Rajan: [00:18:30] right. Okay. And to, switch back on to the advanced level and obviously can move back and forth. we’ve kind of spoken about certification. I’ve spoken about identity and. In terms of the platform that’s been good. People have single accounts. People have multiple accounts, enterprise have hundreds of accounts.

in terms of maturity that you’ve seen, how have you seen that vary? Like what, what, what is, where does consider like an advanced, [00:19:00] cloud environment for you? Like something that you’ve worked for or you’re working on or working towards, what does that look like for you? And. Where do you see as maybe start with, let’s start with the advanced and we’ll come back to come back notch out.

I can come bring it back down to a, I guess after that.

Christopher Hughes: [00:19:17] Yeah, absolutely. So, you know, from what I’ve seen, you know, in more advanced environments that are more mature, kind of bigger organizations who kind of have their footing within the AWS and cloud environment, they definitely have a multicolor.

A multicast approach to the environment, you know, with best practices, like say having a security account where you’re filing your logs to, and eliminating access to that to only certain individuals. And then maybe you have different accounts based on the environments, you know, dev, prod, things like that.

And then also maybe different accounts for different business units. And then from there, you, you know, you kind of have that aggregated spend visibility, you use AWS organizations, you know, to see kind of what you’re spending as an organization. but there’s also security value of using AWS organizations where you can like.

Kind of aggregate the groups all underneath one hierarchy and [00:20:00] then apply like what’s called service control policies across the different accounts to control who can use what you know, who can do what within the environment. So it’s a great way to kind of govern, those big multi-cloud,, multi-county environments, basically

Ashish Rajan: [00:20:12] all the suite and again, digging another level.

No. I’ve set up the security account. I’ve also set up organizations. I’ve also set up a CPS. Now, now we flipped over to operation. We’ve done implementation. We’re doing operation. What’s the, how do you find. What’s the best approach for managing, a, like a security across multi, multi account landscape

Christopher Hughes: [00:20:38] in your opinion.

So typically, like I said, of course, you’re going to have like your AWS organizations in place and your service control policies, and then you’re gonna have your grant, your security folks, you know, access to the environment as appropriate to have visibility that they need and then have the logging and telemetry, you know, Kind of coming in from multiple accounts to give them that visibility.

And that’s kind of an AWS centric way to [00:21:00] approach it, but there’s also, you know, third party tools that you can begin to use that I see a lot of organizations using things such as cloud checker and some of those other popular tools to kind of get that governed, wide visibility approach to their environment.

Ashish Rajan: [00:21:13] All right. It’s like a third party tool. I’m not for that type of responsive perspective.

Christopher Hughes: [00:21:18] not necessarily only threat response, but also for visibility purposes. Especially if you look at like, you know, you talked about a more mature organization and say they have, not just only AWS. We say they’re using that using Azure and GCP or whatever, or multiple software and service and know whatever the case is.

using those third party tools is going to let you get that widespread visibility across like your entire cloud ecosystem, rather than just within one cloud provider.

Ashish Rajan: [00:21:43] Oh wait, that’s an interesting one because I’ve also heard in the past as well. Do you see the thing hasn’t happened to you as well?

Christopher Hughes: [00:21:53] So I’ll, I’ll say from the organizations I’ve worked with, you know, they tend to kind of have a big footprint in one more so than [00:22:00] in, in, in many at once. they have, you know, goals and aspirations of getting to that level of, and you’re consuming multiple cloud service providers and some of them definitely have workloads in.

In several places. but they tend to just try to get their funding in one place before they branch out from there. And I think that’s honestly a smart way to approach it. You know, we look at, you know, things like is Sans cloud security, study that comes out and some of the leading causes are always misconfigurations.

So like, as you increase that footprint across multiple cloud providers, you also increase that complexity and those things that you need to try to. Keep an eye on, in multiple places at a time and keep everything configured correctly. And it kind of leads to the complexity issue that, you know, I think leads to a lot of security incidents basically.

Oh,

Ashish Rajan: [00:22:40] and yeah, I, my pet peeve with compliance or configuration management is the fact that, the auto remediation part, which is kind of like the next level of maturity, like it’s easy to, for us to go find it, the third party tool, put it in. Next thing, you know, I’ve got a dedicated person looking at this.

[00:23:00] And if it’s like a hundred plus AWS account, someone has to be on it 24 seven. Is that how you feel done in mature organizations? Curious to know your example in terms of how does the mature organizations approach say drift from compliance and cloud?

Christopher Hughes: [00:23:15] so honestly I think that’s where you start to get in things like infrastructure as code, you know, and you want to kind of have that, that code, source control.

A configuration management approach like that, like look at, you know, for example, I’ve been diving in a bit on Terraform for example, but you know, you can also use the cloud vendor offerings, like Azure arm templates or AWS cloud. Yeah. And as you start to kind of govern your environment in that cloud perspective, it’s a lot easier to kind of manage the configuration drift versus trying to do everything manually through the council.

For example, you know, you have, you can kind of imagine it as code and it’s, and it’s a lot easier to control the configuration and keep things from drifting.

Ashish Rajan: [00:23:54] And it’s interesting. You mentioned about Terraform and cloud formation that you’re actually working towards that. Cause a lot of the [00:24:00] questions and I’ve tried, I’ve tried having this conversation with a lot of people that I’ve been trying to ask security folks to go.

People like us have to start courting. It is like, and it doesn’t have to be like, I don’t have to develop an app, but I need to be able to go. How do I automate this enough that I don’t have to do this again manually or maintain a spreadsheet for it over that would maybe, do you see that as getting important?

And is that why you moved down the bed of home, but

Christopher Hughes: [00:24:25] yeah, no, absolutely not just a, you know, from the infrastructure infrastructure perspective, like with Terraform, for example, our cloud formation. but you know, using cloud formation as an example, like when I got into this space, I started to see that some of the automation, Opportunities that are there.

Let’s say you have a Lambda function. You know, you have something in your environment that gets triggered from a CloudWatch event that’s that’s anomalous or, you know, breaks out in your security policy or something like that. And you want to take an automated response to that. Well, you need to be able to have a function or something that can take action, like Lambda, and then you’re going to have to write some code.

and, and I’ll be honest, you know, I didn’t come from a development background, so I’m not, you know, I’m not an application developer. So, you know, [00:25:00] that was a pain point for me is seeing like, okay, well I need to learn. Maybe a little bit of Python, I need to learn, like I understand architecturally how it works, but I need to actually be able to create something that can take action in that environment.

And that’s where I, like I mentioned earlier, you’re seeing kind of that congruence between the lot of different roles in development and security and system administration, operations, things like that. It’s kind of all coming together. And I think that security security professionals are definitely going to have to start learning to code if they don’t already know how to do so, you know, to maximize their capabilities in the cloud.

Ashish Rajan: [00:25:29] Yeah. And I think a lot of people get confused in the sense that, Oh, I’m not a developer. And to your point, I’m not a developer either. I didn’t. I mean, the last time I did Java was in like when I was in uni, universities are in college and it was my doing my bachelor’s, I, that was a while ago could have grown a beard by now as well as, but, and I don’t consider myself.

Like I used to one of those guys who were a copy paste from stack overflow.com and hopefully that works. And I definitely don’t want to bring that code onto like a production environment. I kind of [00:26:00] always ask people that your point, you don’t have to be an application developer. You just need to have enough according experience to see, I guess, or hot, right.

A minimum script, I guess, or to your point, right. The Lambda function, which you can get another developer in your organization to review, I guess, but it’s definitely becoming important. So if a student is listening to this, the Terraform cloud formation, any, do you have like a favorite or are you exploring both at the moment?

Christopher Hughes: [00:26:25] so I’ve definitely done my fair share of cloud formation, you know, from an AWS perspective, but knowing things are kind of moving towards that multiple I’m sorry, multi-cloud environment. That’s where you start to look at kind of the vendor agnostic approach. And that’s where, you know, things like Terraform, for example, were very valuable because you’re not tied to a single cloud provider.

You can kind of provision and manage infrastructure across multiple environments, with a single tool. And that’s where I think Terraform is so popular. Oh,

Ashish Rajan: [00:26:50] sweet. And I’m going to shift gears a bit as well. we kind of spoke about the Maconomy for different maturity levels. One thing that [00:27:00] I ask my guests, and I don’t know what your opinion would be on this, but I’m curious what’s the most common cloud security myth or misconception.

You hear people don’t go.

Christopher Hughes: [00:27:08] I honestly, I th I definitely think it, ironically enough, it, and, you know, we talked about how to get into cloud security. Ironically enough, the biggest misconception I think, is with the shared responsibility model, you know, people like look to cloud and think that, Oh, you know, I don’t have to worry about that.

The cloud service provider is doing that for me. And that’s a big, big issue because in a lot of cases, that’s not the case. You need to be. On top of, you know, things, yourself and understanding what you’re responsible for, what they are and are not doing. and then, and then in those cases, that’s where folks get in trouble as they, you know, kind of assume that the cloud service provider is taking care of something and it’s not being done.

And, you know, that’s where things get left vulnerable.

Ashish Rajan: [00:27:44] So, do you see this happen across the clientele that you work with?

Christopher Hughes: [00:27:48] Yeah, it’s a, it’s very honest. It’s a very common issue. Honestly, folks, you know, they, they know a little bit of cloud or why it’s enticing, why organizations are willing to it, but they don’t truly thoroughly understand that shared responsibility [00:28:00] model.

And that’s where a lot of oversight kind of occurs.

Ashish Rajan: [00:28:03] So there’s a bit of, a bit of a gray area. And I, it’s funny because, some of the product companies that I’ve worked with. as well, there’s almost like a gray area there as well, but like, Oh, I host my product on AWS or to their responsibility, but the customer who use the product, they’re like, no, no, but I talked to you guys.

I don’t know if you’re AWS, so I know what you’re talking about. It’s really interesting with that dynamic as well.

Christopher Hughes: [00:28:23] Yeah. Yeah. Especially when you start to, like you said, you get into like softwares and service, for example, when you’re using software as a service and you know, they say, well, we run on AWS and you know, they kind of leave it at that.

And it’s like, well, we get no more than that. Like, you know, how are you guys managing. The infrastructure needs its application. You know, what is being done on your end and versus AWS is, and like, you got to see the risks that are involved with consuming that

service.

Ashish Rajan: [00:28:44] Yup. Yup. And is there, if there’s something that people are not talking enough about in cloud security, according to you,

Christopher Hughes: [00:28:52] honestly, and you know, this is just me, you know, maybe from an educational perspective, but I see a lot of organizations come up with these big, you [00:29:00] know, cloud migration plans and.

And maybe even a cloud center of excellence or something like that, that’s the best practice, but they, you know, they’re looking for the latest tool, the latest software to service, they can use the latest third party tool that can use to help manage their environment. But they’re not investing enough in their people.

They’re not, you know, so you look at the leading causes of breaches and misconfigurations right there at the top. Now you need to invest in your people. If you’re going to move to the cloud, you know, your, your team, your folks need to understand how cloud operates and your, how can I, how can I govern this environment?

How do I configure this environment? You have to invest in your folks. And honestly, You know, what happens is like either you fail to do so and something occurs or you fail to do so. And you lose the folks that, you know, you could have kept that were valuable because you didn’t invest in them, you know?

And yeah. So that’s a big oversight in my opinion, that a lot of organizations go do

Ashish Rajan: [00:29:44] this training in general is a training in cloud.

Christopher Hughes: [00:29:47] Yeah, absolutely. Like I said, they’re looking for the latest tool or third party integration that can do things for them, and those are valuable. But you know, at the end of the day, you have to have a team that’s competent, you know, and to run things internally for you as well.

Ashish Rajan: [00:29:57] Do you feel like there’s a gatekeeper approach to [00:30:00] the whole knowledge of cloud security?

Christopher Hughes: [00:30:02] I, I personally, I don’t, you know, like I mentioned earlier, Linux Academy, a cloud guru, you Deming, I mean, there’s just on and on and on. Like, you know, I feel like there’s this broad array of, knowledge that’s just out there for cheap or free in many cases.

And you just gotta be willing to go out there and either find it yourself or talk to the right people that are putting you in the right direction. No, I, I of caught on cloud and now I just started looking out there and see what kind of training providers are, are there. And I found myself in certain situations where like I was with an employer who, you know, that when they invest in you, you know, your provisional professional development, your education now that’s where you go out and see like, what, what can I obtain?

What can I learn? And you find out that it’s very cheap in many cases to go out there and kind of Uplevel. Yep.

Ashish Rajan: [00:30:42] Yep. And most of those providers actually have a 30 day free trial as well. So you can actually use them for 30 days and go, ah, I don’t really like it. I’m going to move on to something else. But so there is a free option as well.

People really want to just explore and not waste their money on it. but it’s becomes, I feel like. Because cloud security [00:31:00] has not been, I guess it’s been there for some time. It’s been there for about five, six years now. It’s hard that aura, that people can actually have a good advocate approach, gated approach, but it’s that new as well, that new things keep adding up.

Like, I think. Some of the comments over here, Yasha has mentioned Ansible conflicts mentioned how she goes, like so many people have developed tools around cloud as well. She’s a point that you’re not just learning cloud, but you have to kind of learn the tool, how to apply a tool, which is applicable and where it’s not applicable for your environment.

There’s so much complexity to it. And yeah, to your point, there’s so much for your OCD resources for anyone who wants to pick it up. yeah. I love the answer that it is not, I didn’t want to say it, but I’m glad you said it. So there is no gated approach for sure.

Christopher Hughes: [00:31:45] Yeah. I just wanted to add on that, you know, like it’s double like short in the sense, like everything is out there.

You can kind of go out there and obtain it and learn things yourself. But at the same time, it can be overwhelming. There’s such a vast ecosystem of tools and vendors involved that, you know, it can be overwhelming for someone just starting out

Ashish Rajan: [00:31:59] too. [00:32:00] Oh, yeah. She’s that? That’s true. Yeah. It’s for people who have already started and been working kind of like you and I, where it’s a bit like, Oh, you kind of know what to trust and what not to do.

Like, you kind of have like a, almost like a spam alert in your head, like, Oh yeah. I don’t want to care about that. So all you could do you find, do you find that you’re doing yourself as well, that you have that almost like a filter come up every time you see something that’s bullshit.

Christopher Hughes: [00:32:22] Yeah, absolutely.

And you know, like, like there is the value of cloud that lets you kind of spin things up quickly. It’s very keep in that sense, but it also opens opportunities for folks to kind of go out there and use it as a business venture. Like, you know, I’m gonna start something and try to create some kind of training or some kind of a tool for people to use.

And like, so it’s, it’s a, a vast system of folks trying to. No, utilize it for business purposes as well. And you gotta be able to kind of sift through the B assets. You said, see what is valuable to me, where it’s relevant to me, you know, what’s actually going to benefit me. Yeah,

Ashish Rajan: [00:32:49] you have no cool, man. this was really interesting.

I was able to kind of like explore a lot of the possibility if you are able to talk about the pathway in the classical engineering as well. [00:33:00] I do want to switch over to almost like the fund round where we kind of go into a bit more about who is Chris, but is there something that you want to, I guess, touch upon?

We talk about water. We will not talk much about security, but is there a theme that you see around yourself in the people who are trying to go get a job in cloud security? is there something obvious that they’re missing that you may have seen, like maybe people around you, especially now with Colbert, I guess because no, everyone’s remote.

I don’t know how you’re dealing with remote work, but, but we can get into that as well. is there something that you feel people should, we spoke about the approaches that do I think people should do something about the way they’re approaching cloud security engineer? Like what would you give a brief introduction on it earlier?

You can go deeper. You kind of have chosen AWS. Is AWS a good, like, have you been happy with that AWS decision? And, the reason I’m asking this is because everyone just wants like a straight hardware magic bill, and unfortunately there is no magic pill. So, AWS, [00:34:00] Azure or GCP, is that a preference between the three that you would ask people to go for?

Christopher Hughes: [00:34:04] honestly, I, you know, I look at the market if, you know, from an employment perspective, like what’s the largest use one, right. And it’s going to be AWS in almost all cases, you know? So I tend to stick with AWS just cause it has the largest footprint, large adoption and largest utilization by businesses.

but the other two are definitely picking up steam, you know? And, and so they’re all valid, you know, definitely to check out and then, you know, from an employment perspective, you know, being able to. Cover a multiple multi-cloud environment, you know, that makes you even more, versable more valuable, from an employment perspective., you know, I will add this there’s, you know, for people just starting out there can be a sense of imposter syndrome. If you’re familiar with that term, you know, like maybe I don’t belong here. Like I don’t. And I feel that, you know, even after as much as I’ve learned, like maybe I don’t know enough, maybe I don’t belong in this field, you know?

And it’s just, you gotta be willing to keep going, keep learning and know that you’re never going to know it all. And that, not that you won’t know it all, but. Most people you are encountering. They don’t know it all. Either everyone, you just gotta be willing to continue to learn, you know, and never get discouraged.

Ashish Rajan: [00:34:58] Everyone’s pretending to be like, I [00:35:00] belong here and there had Dennis shit scared, but they’re like, Oh my God.

Christopher Hughes: [00:35:06] Yeah. You just gotta be willing to get out there and learn it. And, you know, just show that willingness to learn is like, you know, that’s a huge thing from an employment perspective, if you interview and they ask you something and you don’t know what to say, I don’t know, but I’m willing to go learn that, you know, I’m willing to look it up and, and, you know, become proficient in that area.

Ashish Rajan: [00:35:20] Yeah. And I think funny because people forget that I see cloud and like, as a cloud, as a popular concept did not exist until like five, six years ago.

Christopher Hughes: [00:35:28] Yeah.

Ashish Rajan: [00:35:28] Like Docker container didn’t exist. I mean, I guess there were versions of containers, but no one was like, I want to do everything humanities. I want to, I don’t want to everything gone containers and ECS and all that, but now people are just assuming that needs, they need low.

All this we’re like, well, most of the I’m pretty sure a lot of people don’t know still. They’re all learning. Some of them just let them know the job. That’s the only difference.

Christopher Hughes: [00:35:47] Yeah. And then you have a lot of organizations that are just trying to jump, you know, from legacy approaches to doing things right.

To like containerization and, and, and your Docker and Kubernetes and things like that. And that’s where, you know, sometimes that gets them in trouble. Cause they don’t have the staff in [00:36:00] place to kind of manage that or they don’t even know how to utilize it or security, you know? So yeah, it’s, it, you know, not only from the employment and like as an individual, but organizationally you have to have that knowledge through, you know,

Ashish Rajan: [00:36:09] Yep.

A hundred percent, man. All right. I’m going to switch gears. We’ve been talking about a lot of technical things as well. So I’m going to switch gear. This is some fun, fun questions. There’s only three. Where do you spend most time on, but in North working on cloud technology.

Christopher Hughes: [00:36:21] so I have three kids here are six, four, and two, and they take up a lot of my time, but we’re not, not doing the family thing.

you know, I’m a pretty passionate about exercise and exercise a lot, like five, six days a week. And I also need to get some three, four times a week as well. So

Ashish Rajan: [00:36:36] did he go to the yet or you don’t have them.

Christopher Hughes: [00:36:39] I I’ve had it, you know, it’s pretty gross, but I’ve had to drain it a couple of times with, I got, you know, it’s nasty, but so, you know, it’s just, you sit in front of the computer, you know, I love technology, I love computers and things like that, cloud computing, but it’s nice to get out there and physically move sweat, you know, exert yourself and, you know, it’s just, you know, you don’t get that when you’re working with technology

Ashish Rajan: [00:36:57] suite now, but my best friend [00:37:00] isn’t, as well.

And I think I called into my thigh just because of that, but yeah, totally combat for it. It’s just very different unless you got hit. Bunch of a punch in the face. I’m like, this is real. This is not a fun sport activity anymore.

Yeah.

Yep. the next question is what is something that you’re proud of, but it is not only a social media.

Christopher Hughes: [00:37:19] I say, it’s my kids. You know, I keep my LinkedIn, you know, pretty professional, like obviously no personal life in politics and those kinds of things. But you know, like I said, I, I’ve a wife and three kids and that’s my, primary goal. And that’s where I’ve pursued talk competing, just because of the opportunities that can provide me and them.

That’s awesome.

Ashish Rajan: [00:37:35] and final question. What’s your favorite cuisine or restaurant that you can share?

Christopher Hughes: [00:37:40] I’d say I’m a big barbecue fan, so I like, you know, any kind of barbecue food is right up my alley.

Ashish Rajan: [00:37:47] Oh, wait 14. Barbecue. So you barbecue, both and you’ll sell barbecue.

Christopher Hughes: [00:37:52] No, no, I’m definitely not efficient auto in that sense, but like, you know, I can consume it quite well.

[00:38:00] Yeah, no, I can eat it quite well and not necessarily cook it quite well.

Ashish Rajan: [00:38:05] Wait, is it a favorite place for you for a barbecue meat or is it just homemade barbecue that you enjoy?

Christopher Hughes: [00:38:10] I like, you know, actually I like know, not trying the big chains for sticking with like local places. Like, you know, places that maybe have been the family business for generations, those kinds of things, like little, little spots you may not hear about, but could be really great when you try them.

Ashish Rajan: [00:38:23] Oh, right. Okay. Now, I mean, I don’t know if you had any recommendation for anyone who’s visiting, but Genea, but any, if you have a recommendation to feel free to throw that in as well, but if you don’t have one, that’s gonna be fine, but I’ll ask people to find our local family barbecue places, right?

Christopher Hughes: [00:38:36] Yep.

That’s that’s the key, right? There is try something that, you know, necessarily a chain

Ashish Rajan: [00:38:39] restaurant. Ah, cool. All right now, thank you, dude. This is amazing. and I really appreciate you taking the time and team to fight hard, to become a cloud secure engineer. The, I loved how you did demystified the sort of, of certification conversation as well.

We didn’t get to, and before I kind of end this, I want to touch upon that cloud [00:39:00] security professor work that you do as well. What subject do you teach and cause. I’m curious. I’m sure people are at as well. Cause you called your professor. We didn’t talk about the, the, what do you do as a professor? We talked about earlier talk secure engineer amazingness, but we didn’t touch on the cloud cyber security professors.

And where do you teach in? Cyber security

Christopher Hughes: [00:39:19] are actually two different universities. in the United States here,, one of my focus more so on traditional cyber security, like the digital forensics incident response and those kinds of things, both defensive and offensive type, cybersecurity focuses. but, another university I teach ag has started about a year ago and that’s specifically teaching cloud security and networking.

So that’s taken folks who have no cloud security or cloud computing background in main cases and exposing them to ironically enough. AWS is the cloud service provider that we tend to choose, just cause like I said, it has the biggest footprint, most organizations, if they’re using cloud tend to be using AWS.

So we expose the students to AWS, you know, the, some of the services, show them how to go in there and start, you know, creating a [00:40:00] VPC, subnets, you know, how to quickly use like elastic Beanstalk to give like a web app out there pretty quickly and just show him, you know, Like how easy it is to use cloud.

And then also, you know, the kind of double edged sword, like how easy it is to misuse it. Just configure it to, so just exposing them to the environment. Yeah. Oh, that is awesome.

Ashish Rajan: [00:40:19] I’m glad you’re doing this because I think, I don’t think that definitely, you know, three is realize. How important cloud is becoming as a course.

And I mean, I, haven’t gone through all the universities myself in terms of all the teaching, but it’s, it’s pretty good to know that it’s not just encryption and cryptography anymore,

Christopher Hughes: [00:40:36] but more than that, no, exactly. I mean, that’s something I like about the cyber security career fair in general. It’s like, you know, you may not have an aptitude for math, for example, but it’s such a vast, like there’s so many different roles, you know, you can play within cybersecurity, you know, offensively defensively, compliance, you know,, The risk management.

There’s just so many things that you can kind of specialize in now that you know, you can come from any kind of background and you can be effective in this, in this [00:41:00] career

Ashish Rajan: [00:41:00] field. Oh, that dude. That is awesome. if anyone has any further questions about certification or AWS security or any of this work and the reach you,

Christopher Hughes: [00:41:09] I definitely say LinkedIn, you know, I haven’t mentioned any that sweater or anything like that, but I’m pretty, I’m pretty active on LinkedIn.

I post quite a bit and you know, I like to share things that are interesting to me that I think folks will find interesting or valuable as well. So yeah. Hit me up on LinkedIn anytime. Sweet.

Ashish Rajan: [00:41:23] Awesome, Chris, thanks so much for your time, man. Really appreciate it. Thank you for this demystifying cloud security engineer for us.

Christopher Hughes: [00:41:29] Yeah, absolutely. Thank you for having me

‍