The largest outage in the history of the cloud started with a routine bit of overnight maintenance.
Technicians at the Amazon Web Services (AWS) data center in Northern Virginia, the primary hosting point for data and services in the massive U.S. East Region availability zone (known as US-EAST-1), had planned to upgrade the capacity in the data center’s primary network that night. At 3:47 a.m. they flipped traffic over onto a redundant router to allow them to work on the primary without disruption. But instead of hitting the intended router, the traffic was accidentally redirected onto a low-capacity secondary network, which was almost instantly overwhelmed by the storm of packets coming in.
The failure to deliver the packets to the correct servers disrupted the mirroring function in the nodes, a critical piece of the system that allowed servers to dynamically scale to requests. The afflicted servers began re-issuing requests, putting additional demand on the already overloaded network and throwing even more servers out of service. A failure cascade had occurred, taking out sites reliant on AWS such as Reddit, Quora, and Hootsuite.
Working frantically, AWS workers restored primary functionality to their systems around 36 hours later, but the repercussions of the event continued to affect some services for as long as 5 days. Many of them lost data that was never recovered. Most were surprised to find that, despite assurances to the contrary, the outage had reached across Availability Zones and taken out systems that were, theoretically, completely independent.
In what was largely seen as a defensive post-mortem of the event, Amazon made something very clear to its business customers, which proved to be a rude awakening for many: the company disclaimed responsibility for taking down many of the affected websites, instead pointing out that properly architecting the use of its geographically redundant services was up to the customers themselves.
It became clear to many large business cloud customers that they would have to make their own decisions about security and redundancy instead of outsourcing the work entirely to Amazon.
In Step the Cloud Security Administrators
Cloud system security is essentially an amalgam of traditional network and application security concerns writ large. Cloud-based systems have all the same attack surfaces as the private systems they replace, combined with unique network and shared-service architecture concerns. The Amazon outage had started as an accident, but it demonstrated a susceptibility to attack that customers had not sufficiently contemplated.
In-house security teams at large cloud-computing providers address many of these concerns. Operating on a scale that almost no other network, public or private, can approach, their efforts protect customers against external threats, and from one another.
Cloud security administrators are not just found at cloud service providers, however. Large companies that outsource operations to cloud services still have a vested interest in monitoring the security of those providers, and ensuring that the systems in the cloud that remain under their control are safe and secure. Typically, cloud service providers maintain excellent security standards from the operating system level down to the hardware layer; software and services installed by the users, however, remain their own responsibility.
According to a January 2016 article in CIO Magazine, more than 90 percent of businesses had implemented some level of cloud services in their information technology systems. Though cloud security administration has not yet caught fire to the degree that many other IT security roles have, as the adoption rate of cloud computing continues to skyrocket, security issues are sure to follow and demand for these specialists will surge.
Cloud Security Administrator Job Duties
Cloud security administration is such a new field that many admins have the luxury of defining their own job duties. Although many of these tasks are hands-on matters of configuration and monitoring, much of the work consists of strategizing and coordinating internal information security efforts with those of cloud providers.
This integration is happening at lower and lower levels as cloud services are emerging that can handle more and more of the traditionally on-premises tasks performed by the IT department. This includes outsourcing of directory services and authentication, the gatekeepers of corporate data, in the form of Amazon Directory Service and Microsoft’s Azure Active Directory service. As with many services, these offer more capabilities at a lower cost than running authentication on-premises, but IT data security administrators require expert assistance to link internal and cloud platforms, and cloud security administrators bridge that gap.
Within cloud providers themselves, cloud security administrators are essentially data security administrators and engineers, albeit on networks that dwarf any other enterprise system in existence. But they, too, have unique challenges, primarily in separating different clients’ processes running on the same physical machines and network segments.
A constant challenge in some industries, such as healthcare and finance, is to match cloud provider security protocols to regulatory requirements. Many cloud service providers are reluctant to publish their particular security procedures, but auditors are traditionally not receptive to vague assurances of compliance; details are more their forte.
Cloud security administrators are often charged with finding methods to comply with regulations like HIPAA (Health Insurance Portability and Accountability Act), working with or around a provider’s published security principles.
Much of the work behind ensuring a secure cloud deployment revolves around understanding the limitations of the cloud service being used. Understanding instance deployment regions and availability zones, and the mechanisms through which they interact, can be key to developing redundant, scalable, secure services on cloud platforms.
Cloud security administrators may come up with innovative ways to reach this understanding. In a marked counterpoint to the 2011 AWS outages that took some websites down for days, a 2015 disruption at the company barely caused a hiccup for Netflix, a major AWS customer. Cloud security teams at the streaming video service provider learned from the 2011 debacle and gained a better understanding of how AWS handled problems and how to build their own services on top of AWS in a way that is bulletproof. The teams at Netflix put together various simulated disrupters and deployed them against their own code base. Seeing where the cracks appeared, they then engineered around the hotspots. Consequently, when US-EAST-1 went down again in September 2015, Netflix administrators simply shifted traffic to data centers in other regions.
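The two ideas above, knowing how zones and regions fail together and running simulated disruptions against your own deployment before a real outage does, can be rehearsed offline. The following is an added example written for this article, not Netflix's or AWS's code: it models replicas placed in constructed zones of us-east-1 and two other regions, injects an outage scoped to one zone or to the whole region, and shows which placement keeps serving traffic.

```python
from dataclasses import dataclass

# Constructed topology for the drill; "us-east-1" is the region the article
# discusses, the zone letters and the other regions are assumed values.
@dataclass
class Replica:
    region: str
    zone: str
    healthy: bool = True

class Deployment:
    def __init__(self, placements):
        # placements: one (region, zone) pair per replica
        self.replicas = [Replica(r, z) for r, z in placements]

    def inject_outage(self, region, zone=None):
        """Fault injection: take down one zone, or a whole region when zone is None.
        A region-wide outage is the case the 2011 event showed was possible."""
        for rep in self.replicas:
            if rep.region == region and zone in (None, rep.zone):
                rep.healthy = False

    def recover(self):
        for rep in self.replicas:
            rep.healthy = True

    def route(self, requests):
        """Health-aware routing: round-robin requests over healthy replicas only.
        Returns a dict of region -> requests served; '<failed>' counts the rest."""
        healthy = [rep for rep in self.replicas if rep.healthy]
        served = {}
        for i in range(requests):
            key = healthy[i % len(healthy)].region if healthy else "<failed>"
            served[key] = served.get(key, 0) + 1
        return served

def outage_drill(deployment, region, zone=None, requests=100):
    """Run one simulated disruption, record how traffic was served, then heal."""
    deployment.inject_outage(region, zone)
    result = deployment.route(requests)
    deployment.recover()
    return result

# Three zones in one region versus replicas spread across three regions.
single_region = Deployment([("us-east-1", "a"), ("us-east-1", "b"), ("us-east-1", "c")])
multi_region = Deployment([("us-east-1", "a"), ("us-east-1", "b"),
                           ("us-west-2", "a"), ("eu-west-1", "a")])

if __name__ == "__main__":
    print(outage_drill(single_region, "us-east-1", "a"))  # zone loss: still served
    print(outage_drill(single_region, "us-east-1"))       # region loss: all requests fail
    print(outage_drill(multi_region, "us-east-1"))        # region loss: served elsewhere
```

The drill makes the page's point concrete: replicas spread across zones survive a zone failure, but only replicas in other regions survive the region-wide failure that US-EAST-1 actually experienced.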
Cloud Security Administrator Qualifications: Degrees and Certification
Cloud security administrators typically have an extensive background in network operations or in network security consulting. Four years or more in information technology is typically a minimum requirement, and two years or more in network information security specifically is highly desirable.
Earning a Relevant Degree
Most cloud security administrator positions require a four-year college degree, though as a cutting edge field, it is not unheard of to see job ads call for candidates with master’s degrees in cybersecurity. More general degrees in information assurance or information technology are also common.
IT professionals hoping to go into cloud security administration should look for schools on the list of Department of Homeland Security/National Security Agency-designated Centers of Academic Excellence in Cyber Defense (CAE-CD). These schools have been evaluated and found to be preeminent institutions for cyber defense education and are likely to be favored by hiring managers looking for serious cybersecurity credentials.
Earning Relevant Certification
Certification bodies have been fast to accommodate the need for specific cloud-oriented security education. The certifications most favored for cloud security are those focused on network architecture and administration, including:
- Certified Information Systems Security Professional (CISSP)
- Certified Information Security Manager (CISM)
- Information Systems Security Architecture Professional (ISSAP)
- Certified Cloud Security Professional (CCSP)
Because they are tasked with coordinating between internal IT security teams and security teams at cloud providers, cloud administrators should also have proven skills in vendor management. A background in security architecture is also useful, since many of the integrations between cloud and internal systems are architectural in nature.