It was a great opportunity where I was able to expand my knowledge and get a deep understanding of technology, operations, and how to construct a data center to meet customer/application requirements.

Knowing how systems work from the hardware level, through the virtualization layer, networks, data storage, and all the way to the application services, databases, and front end UI has been an invaluable tool in my career as a security professional.

When I first heard about cloud computing and Amazon Web Services (AWS), I was biased and confused. To me the cloud was just a way to outsource your data center. And I didn’t really understand why they called this “cloud” computing anyways. 

On my first public cloud migration project I got the opportunity to own and manage our policies and processes around AWS Identity and Access Management (IAM). 

I’m a little embarrassed to write this, but with my old thinking (that the cloud was just another data center), I embarked on this journey using a spreadsheet to track which roles we wanted to create and what permissions each role should have. 

I also chaired a painful meeting where we reviewed this spreadsheet on a weekly basis with various stakeholder for any updates on the roles and then manually updated the IAM policies with the changes in our AWS account. (Yes we only had 1 account).

After a while, I felt frustrated. Curating a spreadsheet stored in a wiki page that contains the way our access control “should” be setup felt meaningless and out of touch with reality. We could never keep up with the changes and need of development teams that were iterating rapidly while migrating projects to the cloud. 

I was missing something. 

I spoke with the development teams to understand the business problems they were trying to solve and how the cloud would help them achieve better solutions that what we could ever have on-prem. 

And then it clicked. 

That’s when I realized that the cloud is not just another data center, but by giving you the ability to control every aspect of your environment through an API, you’re empowered to automate every aspect of your development, operations, and security workflows. 

Realizing these benefits requires a mind shift though. 

• Everything you do should be captured as code. 

• Security and operational guardrails should be integrated into the environment by default. 

• Workflows that require a human decision point should be the exception and not the norm.

•  The rapid rate of innovation requires you to always be learning. 

• Your best solution and architecture today, will not be the best solution tomorrow.

At Cloud Security Musings, I’ll share with you lessons learned, tools, strategies, thoughts, and experiments on more than 6 years working on public cloud environments. 

The opinions in this blog are my own, do not necessarily represent the opinions of my employer, and have not been sanctioned by my employer.

Thanks for reading!

- Cesar