Shifting Left on Security

I am now a Microsoft certified Azure Security Engineer Associate. But why a security certificate?

As we move increasingly toward digitalization and cloud technologies, cyber-security is becoming more important.

Reactive security practices are becoming costly and unacceptable in organizations. A change of mindset in organizations is needed. Shifting left on security means addressing security concerns as early as possible in the life cycle of software and infrastructure.

Personal Motivation 

I work with customers with different requirements on end-to-end cloud projects, from gathering requirements and designing the architecture and implementation to monitoring and support. It is also my responsibility to consider non-functional requirements such as security. Even though we have security specialists in my organization and well-defined security policies and practices, I believe that security is still everyone’s responsibility. This is why I decided to invest in learning security best practices and putting them into use in everyday projects.

AZ-500 Exam 

Azure certifications are one of the best ways to upskill. There is a concrete learning path and a validation of the skills in the form of an exam. Upon passing the AZ-500 exam, you will receive the Azure Security Engineer certificate. In my experience with Azure exams and certifications, hands-on practice is required. I practice what I learn during work projects as well as hands-on labs. Some exams provide hands-on labs and a sandbox Azure environment to practice. Unfortunately, AZ-500 does not have lab practice. However, I found it very useful to practice on my own to cement the knowledge.

Key Learnings 

Some of the most important topics which I learned in this journey are:  

  • Misconfigurations and default settings: According to Gartner, customer misconfiguration of cloud resources is the leading cause of data loss in the cloud environment. I learned about best practices for configuring cloud resources (e.g., network, storage, key vault, Azure SQL, containers) in different contexts and scenarios.
  • Identity and zero trust: There is a shift towards remote and hybrid working, and users accessing applications and data anywhere and anytime is the new normal. The Zero Trust strategy focuses on the user’s identity and context information (device, application identity). We should assume zero trust and validate the access rights of each user at the time of access. This strategy requires a good identity foundation in place.
  • Defense in depth: Just as cyber-attacks can exploit different vulnerabilities in different layers (network, application, data, etc.) of the infrastructure, defense can also be applied to each layer. For instance, in the infrastructure network layer, we can limit the communication between different resources by segmentation or restrict inbound internet access where appropriate.
  • Cloud-native tools: Azure provides many tools to manage and monitor security posture. It is crucial to learn about available tools and put them into use. 

Learning and applying the knowledge is a continuous process. I hope this certification will be a good step in the long-term journey of cloud security.