
(Reading Time: 2.5 minutes)
Cloud migrations require a diverse set of skills. The skills matrix I use to help ensure teams migrating to the Cloud have what they need to succeed covers 14 categories of skill ranging from Agile through Operations.
I think Security skills may be in shortest supply and most difficult to acquire.
Today, I’ll share resources you can use to build Security skills throughout your engineering team and to integrate your Security Engineers with greater leverage.
This will help you:
- reduce the pressure on people with strong security skillsets by increasing the total number of people with the most commonly-needed security skills
- integrate security throughout your delivery process
- engage Security engineering specialists at the right times
Every individual has a unique set of skills and experiences, so this guidance should be tailored to the individual as well as the team’s goals.
Update: We built k9 Security to help Cloud engineers understand and improve their AWS Security policies quickly and continuously. Check out how k9 can help you Go Fast, Safely.
Security for non-Specialists
Information Security is a rich and nuanced field. Sometimes it feels like it’s dominated by specialists with dramatic exploits and that the information you need is “in the bottom of a locked filing cabinet stuck in a disused lavatory with a sign on the door saying ‘Beware of the Leopard.'” (Douglas Adams)
However, you can learn a lot about the fundamentals of security in general and AWS security in particular with a week or two of investment using free, public resources at your own pace.
Here are some Security resources you can start with:
- Cyber security design principles from UK National Cyber Security Centre
- Microsoft Security Development Lifecycle Core Training Classes (includes an ‘elusive’, pragmatic introduction to Threat Modeling)
- Mastering Identity at Every Layer of the Cake from AWS re:Invent 2018
- AWS Security Fundamentals from AWS Training
By the end of this, engineers should be able to:
- identify the components in the system that need to be secured and the trust boundaries between them
- organize and implement identity and access management controls
- integrate AWS security features in the account, network, identity, and storage services into designs
And most importantly, they should know when to pull in a security specialist and be able to hold a well-informed, precise discussion about design and implementation details.
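To make the identity and access management skill above concrete, here is an added example (not code from the original post, and not how k9 Security works): a small Python check that walks an AWS IAM policy document and flags the grants a non-specialist should learn to spot in review, such as service-wide wildcard actions, `Resource: "*"` with no `Condition`, and `iam:PassRole` on every role. The two policy documents are constructed for this example; the bucket name, account ID and role name in the scoped policy are placeholders.

```python
"""Flag over-broad Allow statements in an AWS IAM policy document.

Added example for reviewing IAM policies; the policies below are constructed
sample inputs, not taken from any real account.
"""
import json

# Constructed: the kind of policy a team ships when "it just needs to work".
PERMISSIVE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["iam:PassRole"], "Resource": "*"},
    ],
})

# Constructed: the same intent, scoped to specific actions, resources and a
# condition. Bucket name, account ID and role name are placeholders.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": "arn:aws:s3:::example-app-data/*",
        },
        {
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "arn:aws:iam::123456789012:role/example-app-task",
            "Condition": {
                "StringEquals": {"iam:PassedToService": "ecs-tasks.amazonaws.com"}
            },
        },
    ],
})


def _as_list(value):
    """IAM accepts a string or a list for Statement/Action/Resource; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_overbroad_statements(policy_json):
    """Return [(statement_index, reason), ...] for Allow statements that grant
    more than least privilege. Deny statements are skipped: a broad Deny is a
    guardrail, not a risk.
    """
    findings = []
    doc = json.loads(policy_json)
    for index, stmt in enumerate(_as_list(doc.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        resources = _as_list(stmt.get("Resource"))

        # Allow + NotAction grants everything except the listed actions.
        if "NotAction" in stmt:
            findings.append((index, "Allow with NotAction grants every other API call"))
        if "*" in actions:
            findings.append((index, "Action '*' grants every API call in every service"))
        elif any(a.endswith(":*") for a in actions):
            findings.append((index, "service-wide wildcard action (e.g. s3:*)"))

        # Resource '*' is sometimes unavoidable (list/describe calls), so only
        # flag it when no Condition narrows where the grant applies.
        if "*" in resources and "Condition" not in stmt:
            findings.append((index, "Resource '*' with no Condition"))

        # PassRole on any role lets the principal hand a more privileged role
        # to a service it controls: a classic privilege-escalation path.
        if "iam:passrole" in actions and "*" in resources:
            findings.append((index, "iam:PassRole on all roles enables privilege escalation"))
    return findings


if __name__ == "__main__":
    for name, policy in (("permissive", PERMISSIVE_POLICY), ("scoped", SCOPED_POLICY)):
        print(name)
        for index, reason in find_overbroad_statements(policy) or [(None, "no findings")]:
            print(f"  statement {index}: {reason}")
```

Running this against a policy is the kind of review a non-specialist can do before escalating; the point is not the script but the habit of asking, for every Allow, which actions, on which resources, under which conditions. A clean result here is a starting point for the conversation with a security specialist, not a substitute for it.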
Modern Delivery for Security Engineers
Security Engineers joining Cloud migrations may also feel like salmon swimming upstream in a churning river of new tools, delivery processes, and ‘platform’ technology while simultaneously keeping on top of their existing security responsibilities.
I suggest starting with concepts and practices central to modern delivery practices that might not be in your toolkit yet:
- Continuous Delivery from Jez Humble
- Source Control with Git & GitHub from Udacity
- Scripting with Bash or Python / Ruby from Udemy, the most common languages for CI/CD and delivery tool development (Note: the Python course is rated 10/10 on Coursemarks)
- An Introduction to Configuration Management from Digital Ocean
- most of an Infrastructure as Code resource, e.g. Terraform from Beginner to Advanced from Udemy
Then learn and apply the basic workflows and security concepts of the team’s primary automation tools and platforms, e.g. Jenkins, Terraform, Ansible, AWS, Docker. Pairing with your teammates is a great way to accelerate this journey and build relationships.
Together, these skills will help you participate in and enhance the normal development and delivery process. Design and code reviews are much easier and more valuable when you are “in the right place at the right time” and comfortable with the languages and tools. You’ll probably field a lot more questions and start with better implementations when you’re regularly present in standups, reviews, group chat, and automation conversations.
Hit me up if you’d like the full skills matrix, a question/suggestion, or an experience to share!
#NoDrama