The Challenge of Technical Translation

As cloud security experts, we’re accustomed to discussing concepts like “IAM policies,” “VPC peering,” and “zero-trust architecture.” We often face blank stares or confused nods when we use these terms with executives. The same happens with clients or colleagues from other departments. This disconnect can lead to misunderstandings, misaligned priorities, and even security vulnerabilities.

The Power of Simplification

The key to overcoming this challenge lies in our ability to simplify complex ideas without losing their essence. Here’s a practical approach:

1. Find the core concept: Before you start explaining, distill the technical idea. Focus on its fundamental purpose. Consider its impact. Now that you have that, incorporate step two.
2. Use analogies: Draw parallels between the technical concept that you simplified and everyday experiences. These should be experiences your audience can relate to. As you do this, don’t lose sight of point number three.
3. Focus on outcomes: Okay, for this part, you need to emphasize the business impact. Discuss the risk implications rather than the technical details. The business impact or the risk to the business is the language most non-technical folks are going to connect with. It’s about how your job and the information you convey relate to their job. This connection impacts what they are focused on.
4. Avoid acronyms: Finally, spell out any abbreviations unless you’re 100% certain your audience is familiar with them. Explain these abbreviations that you would use with your peers. Be sure to clarify their meaning. Sometimes they will nod as if they know what it means, but they don’t. Just explain it, but do so in a way that isn’t demeaning to the listener. This is something you need to practice.

Putting It Into Practice

Let’s take a common cloud security concept: Multi-Factor Authentication (MFA). Here’s how we explain it to a non-technical executive:

“Imagine your house has a front door with a standard lock. That’s like a password – it’s good, but if someone get past that lock, and opens the door, they’re in. Multi-Factor Authentication is like adding an alarm system. Now, even if someone gets past the front door, they must enter the code to disarm the alarm. This prevents triggering other security measures. In our cloud systems, this drastically reduces the risk of unauthorized access, even if a password is compromised.”

Pretty simple right?

The Impact of Clear Communication

By giving some extra focus to the art of translating technical concepts, you can:

• Secure buy-in for critical security initiatives more easily
• Improve collaboration with non-technical teams
• Enhance our professional reputation and influence

A Challenge for You

I want to leave you with something that you can try and will help you get better at this. So, this week, try this exercise:

Choose a complex cloud security concept you’re working with. Explain it to a non-technical friend or family member in under two minutes. Ask them to explain it back to you. If they can grasp and articulate the main idea, you’re on the right track!

Remember, how we communicate can be just as important as what we know. By honing our ability to translate technical terms into clear, relatable language, we become more effective in our roles. This practice also elevates the overall security posture of our organizations.

The post Simplifying Cloud Security for Non-Tech Stakeholders appeared first on Brandon J Carroll.

Technical Topic

• How to securely transfer files with presigned URLs | AWS Security Blog – Securely sharing large files and private data is critical in today’s distributed work environments. This article explores how presigned URLs offer a powerful solution by enabling temporary, controlled access to Amazon S3 objects without exposing long-term credentials. It provides prescriptive guidance on best practices for generating and distributing presigned URLs securely, including implementing safeguards against inadvertent data exposure. The article goes into key technical considerations like using unique nonces, access restrictions, and serverless architectures for generating and validating one-time presigned URL access. It even offers a downloadable code sample illustrating how to implement these secure practices. It also emphasizes the importance of governance, continuous monitoring, and automated revocation procedures to maintain effective oversight and control when sharing presigned URLs broadly. By following the guidance outlined in this article, you can unlock the collaborative benefits of presigned URLs while protecting sensitive data. I encourage you to explore the full post to learn how to strike the right balance between secure data sharing and collaborative efficiency using this powerful architectural pattern.

Career Corner

• Guide to Becoming a Cloud Security Engineer: Roadmap (2024) – As businesses adopt cloud computing, the role of cloud security engineers has become more important and more sought after. This guide digs into the exciting world of cloud security, exploring the responsibilities, skills, and career path. In the article you’ll discover how cloud security engineers safeguard sensitive data and implement robust security measures to prevent breaches and cyber threats. You will also gain insights into the various types of cloud security attacks they combat, such as DDoS, hypervisor attacks, and malicious insiders. The article also explores earning potential, certifications, and has a roadmap. Yes, they are promoting a Cloud Security Master’s Program that they sell, and I am not recommending you jump into that. But overall for someone that needs an overview and a roadmap, it’s a start. And yes, I know, some of this you probably already know, but its good review! If you feel good in this area, just skip it!

Learning and Education

Want to learn something new? Here you go!

• Community | What is the Get AWS Certified: Data Engineer – Associate Challenge? – Sometimes you need to be challenged to make progress. If that’s you, here’s a challenge you might be interested in.

Community Voice

A quick note before I get into this weeks share. The articles I share here are mostly posted by AWS Hero’s and AWS Community Builders. With that said, I do my best not to do two things: 1\ Share posts from Medium because putting content behind a pay wall is not accessible to everyone and I don’t want to encourage people to pay for another service. 2\ Drive traffic to LinkedIn. There is a TON of content there and lots of Hero’s and Community Builders share their stuff there. If you want that content please follow them directly on Linkedin. You can find a directory of Hero’s and Builders to follow here and here. If you’d like to contribute content to the newsletter, please reach out to me directly!

So, here is a roundup of a few posts from the community this week:

1. AWS Managed KMS Keys and their Key Policies: Security Implications and Coverage for AWS Services – Are you curious about the AWS Managed KMS Keys and their potential security implications? This blog post provides an insightful overview and introduces a handy tool from Fog Security that scans and lists all AWS Managed KMS Keys along with their corresponding key policies. With visibility into these keys being a challenge, the post highlights the importance of understanding their usage across various AWS services. It also discusses the pros and cons of using AWS Managed KMS Keys, encouraging readers to make informed decisions. The accompanying GitHub repository offers a comprehensive listing of AWS Managed KMS Keys and their key policies, regularly updated through an automated scanning process. Quick statistics and repository contents are also provided, giving you a glimpse into the valuable information available. If you’re interested in cloud data security or have feedback on the tool, the author invites you to reach out to Fog Security. Don’t miss the opportunity to explore this resource and gain insights into AWS Managed KMS Keys and their potential impact on your cloud environment.
2. Setting up AWS IAM Identity Center as an identity provider for Confluence – DEV Community – This detailed guide walks you through setting up single sign-on (SSO) for the popular collaboration tool Confluence, using AWS IAM Identity Center. By integrating Confluence with AWS IAM Identity Center, you can centrally manage access for your users across multiple AWS accounts and Confluence itself. The step-by-step instructions cover everything from configuring the Confluence application in IAM Identity Center, to verifying domain ownership in Atlassian Admin, creating the identity provider, and enforcing SSO in Confluence’s authentication policies. While the process involves several steps across AWS and Atlassian’s interfaces, the guide provides clear directions and troubleshooting tips to ensure a smooth integration. If you’re looking to streamline authentication and account management between your AWS environment and Confluence, this comprehensive walkthrough could save you a significant amount of time and effort. The ability to leverage AWS IAM Identity Center for SSO with third-party apps like Confluence also highlights its versatility as an identity provider solution.

That’s it for this week. I encourage you to subscribe, share, and leave your comments on this edition of the newsletter.

Also, if you will be attending the AWS Summit New York, please let me know. I will be there as well and I am planning on doing some videos with community members. If videos aren’t your thing, lets at least have a chat!

That’s it for now!

Happy Labbing!

The post Securing the Cloud #32 appeared first on Brandon J Carroll.

Technical Stuff From CiscoLive and re:Inforce

• Unleashing Cloud Power with Cisco and AWS – Du’An and I presented this 20 minute talk at the AWS booth last week in Las Vegas. We were really excited to help people like us, with a background in Cisco Networking, to bridge that knowledge to the Cloud. Enjoy the video!
• Introducing Amazon GuardDuty Malware Protection for Amazon S3 | AWS News Blog – Amazon GuardDuty Malware Protection for Amazon S3 now detects malicious file uploads, adding to its existing capabilities for Amazon EBS volumes. This was an announcement made at re:Inforce this week in case you missed it. Users can easily enable this service in the GuardDuty console and configure advanced malware protection measures such as object tagging and event-based actions. For more details on how to enhance your organization’s security with GuardDuty Malware Protection for Amazon S3. Check out the article for the full details.

Career Corner

• AWS re:Invent 2024 All Builders Welcome | Amazon Web Services – Ok, this share is in the Career Corner today because I realized many of you may not be familiar with the program. At AWS re:Inforce we had several builders early in their career that were mentored and brought to re:Inforce with the All Builders Welcome program. This is a program where AWS is empowering underrepresented technologists in the early stages of their careers by providing grants to attend certain events. AWS is also doing this for AWS re:Invent in December 2024, offering opportunities to learn, network, and grow in the tech industry. Read the landing page for the re:Invent specific program where it describes the AWS commitment to fostering diversity and inclusion while bridging the gap in the tech space, inviting those interested to apply for the grant and join the next generation of technical leaders. It’s a pretty cool opportunity that you might want to give a shot.

Learning and Education

• Exam Updates, Beta Exams, and New Certifications | Coming Soon to AWS Certification | AWS – Ok, this normally wouldn’t be in this section because it’s not really an article that teaches you something. It’s here because it shows the two new certifications that AWS announced at re:Inforce and I couldn’t find an article that went into more details. Anyhow, check them out. They aren’t availabe yet, but keep them on your radar.
  • AWS Certified AI Practitioner beta exam
  • AWS Certified Machine Learning Engineer – Associate beta exam

Community Voice

Here are a few things going on in the community.

1. Incognito Authentication | CarriageReturn.Nl – Learn how to implement a shared password authentication for a web service using ALB and Lambda from this article, which details the challenges faced and solutions adopted in a step-by-step manner. Explore the author’s journey in setting up secure authentication in the cloud and the insights gained along the way.
2. MITRE ATT&CK Cloud Matrix: New Techniques & Why You Should Care. Part I | Mitigant – The MITRE ATT&CK Framework v.14, released in October 2023, introduces over 18 new techniques crucial for modern cybersecurity defenses, with two notable additions in the IaaS section for enterprises. Exploring these techniques sheds light on how attackers exploit vulnerabilities in cloud systems and emphasizes the importance of staying updated and implementing effective detection strategies. For a deeper dive into cloud threat detection and mitigation strategies, read more at https://www.mitigant.io/sign-up.
3. MITRE ATT&CK Cloud Matrix: New Techniques & Why You Should Care – Part II | Mitigant – The MITRE ATT&CK Framework v.14 introduces new techniques like Log Enumeration to address challenges in cloud attack detection. Explore how the framework, along with suggested mitigation strategies, can help defend against evolving threats in cloud environments in the full article.
4. Learn to Build RAG Application using AWS Bedrock and LangChain – Explore the world of Retrieval-Augmented Generation (RAG) in natural language processing and machine learning. Discover how RAG enhances language models by bridging gaps in data sources, offering accurate responses, and fostering innovation, as demonstrated through a step-by-step guide to building an RAG application in this insightful article.

Thanks for reading this weeks edition. We encourage you to subscribe, share, and leave your comments on this edition of the newsletter. Happy Labbing!

The post Securing the Cloud #31 appeared first on Brandon J Carroll.

Technical Topic

• How to Apply GitOps to Everything Using Amazon Elastic Kubernetes Service (Amazon EKS), Crossplane, and Flux | AWS Open Source Blog – This post provides a detailed walkthrough on using GitOps, Crossplane, and Flux to provision and manage cloud infrastructure and applications on Amazon Web Services (AWS). It explains how GitOps enables declarative management of cloud-native stacks, while Crossplane allows using Kubernetes APIs to provision and manage resources across different cloud providers. By following this tutorial, you’ll gain practical experience in leveraging the power of GitOps, Crossplane, and Flux to streamline your cloud infrastructure and application deployments on AWS. You’ll learn how to version your desired state in Git, automate deployments, and consistently manage resources across environments.

Career Corner

• Reddit – Dive into anything – Are you someone who works with Infrastructure-as-Code tools like Terraform? If so, this thread goes into an interesting debate – what exactly do you identify as professionally? Are you a developer since you’re writing code? An infrastructure engineer since you’re provisioning infrastructure? Or perhaps both roles blend together in the world of IaC?

Learning and Education

• A Beginners Guide to GitOps – GitOps takes the tried-and-true DevOps best practices used for application development, such as version control, collaboration, compliance, and CI/CD, and applies them to infrastructure automation. By leveraging the principles of Git, the widely-adopted version control system, GitOps empowers teams to manage and automate their infrastructure with the same level of rigor and efficiency as they do with their application code. Dive into this beginner’s guide to GitOps and discover how this powerful framework can transform your infrastructure automation journey.

Community Voice

1. Mastering the AWS Security Specialty (SCS) Exam – A Quick Guide – DEV Community – Want to ace the challenging AWS Certified Security Specialty exam? This guide shares invaluable tips and top resources that helped Damien pass on their first attempt. Get an inside look at must-use study materials like Stephane Maarek’s comprehensive Udemy course, Whizlabs’ hands-on labs for practical experience, TutorialsDojo’s realistic practice exams and cheat sheets, and Becky Weiss’s session on AWS cloud security fundamentals.
2. Enable GuardDuty the Right Way – In this article, Rich Mogull takes readers on a journey through the importance of GuardDuty, AWS’s Intrusion Detection System for the cloud. With his signature storytelling flair, Mogull transports us back to the “dark days” of the early cloud era, highlighting the significance of visibility tools like CloudTrail and GuardDuty.
3. Tactical Cloud Audit Log Analysis with DuckDB – AWS CloudTrail – DEV Community – Have you ever needed to analyze CloudTrail logs but found yourself without a convenient search interface or had to temporarily enable CloudTrail for troubleshooting? This article demonstrates how to leverage the capabilities of DuckDB, a powerful open-source SQL database, to query CloudTrail logs directly from Amazon S3.
4. AWS Cloud Incident Analysis Query Cheatsheet – Securosis – This post provides a comprehensive cheatsheet of essential CloudTrail log queries for cloud incident analysis and response.
5. Publicly Exposed AWS Document DB Snapshots – High Signal Security – YAIB – Security researcher Dylanjacob discovered a massive public exposure of over 3.5TB of sensitive customer data. Here is the story!

Conclusion

Thanks for coming along for this weeks journey. I encourage you to subscribe, share, and leave your comments on this edition of the newsletter. Please share with your colleagues and if you have any requests please send them my way. I hope you found this useful. Happy Labbing!

The post Securing the Cloud #30 appeared first on Brandon J Carroll.

Technical Topic

• Building a modern application development mindset | AWS Training and Certification Blog – In today’s digital landscape, modern applications need to meet demanding requirements – handling millions of users, managing massive data volumes, and delivering lightning-fast responses. This article outlines how modern application development practices can help businesses rapidly innovate and create robust, secure, and scalable applications that delight customers.

Career Corner

• How to Become a DevSecOps Engineer-DevSecOps Career Path – As the demand for skilled DevSecOps engineers skyrockets, this comprehensive guide unveils the exciting career path that awaits those who embrace this innovative field. Delve into the essential skills, tools, and technologies that define a successful DevSecOps engineer, and discover how you can equip yourself with the knowledge and expertise to excel in this rapidly evolving domain. From understanding the roles and responsibilities of a DevSecOps engineer to mastering the art of continuous integration, continuous delivery, and continuous monitoring, this article provides a roadmap to navigating the challenges and opportunities that lie ahead.

Learning and Education

• Episode 3: Building Secure Code | AWS Public Sector Blog – This post provides a comprehensive overview of common application security vulnerabilities and best practices for building, testing, and deploying code securely. It highlights the importance of addressing security concerns throughout the entire application lifecycle, not just during the architecture phase.

Community Voice

1. S3 fixes billing for unauthorised APIs #55 – This comes from AWS Serverless Hero, JONES ZACHARIAH NOEL N. and this issue of Serverless Infrastructure and API provides an insightful look into the latest updates and developments in the world of serverless computing on AWS. Of note, it covers the recent S3 billing issue for unauthorized APIs and how AWS swiftly addressed it within 15 days, showcasing their commitment to customer satisfaction. If you’re not subscribed already I recommend you have a look!
2. June LVAWSUG Meeting/Party – Will you be attending AWS Re:Inforce this year? If so, spend some extra time with the AWS Community in Philly!
3. Getting Your Hands Dirty With RAG: Production Experience With LLM Enhancement – If you’re getting into Generative AI and RAG this could prove to be a really good session. It was shared by AWS Hero, Luc van Donkersgoed.
4. AI: Authoritative AWS – AWS Machine Learning Hero, Noah Gift, shared this edX course that covers SIX certifications at the same time in one mega course. I’m definitely checking it out.
5. The Legend of AWS Warrior: A Free Opensource 3D RPG Adventure Game with Generative AI for learning AWS – AWS ML Hero, Cyrus Wong, shares an innovative approach to learning AWS through 3D RPG gaming at Hong Kong Institute of Information Technology (HKIIT).

Conclusion

As we wrap up this edition of the Securing the Cloud Newsletter, I hope you found the insights, resources, and community highlights both informative and inspiring. Whether you’re into modern application development, exploring a career in DevSecOps, or enhancing your skills in building secure code, remember that continuous learning and community engagement are key to staying ahead in the ever-evolving world of cloud security.

Keep pushing your boundaries, stay curious, and never hesitate to reach out and share your own experiences and questions with our community. Your journey in cloud and cloud security is as much about collaboration and shared growth as it is about individual progress. Until next time, stay secure and keep experimenting.

I encourage you to subscribe, share, and leave your comments on this edition of the newsletter. Happy Labbing!

The post Securing the Cloud #29 appeared first on Brandon J Carroll.

Technical Topics

• Considerations for security operations in the cloud | AWS Security Blog – Cybersecurity teams consist of different functions like Governance, Risk & Compliance (GRC), Security Architecture, Assurance, and Security Operations (SecOps), each working towards securing the business and its workloads, with SecOps focused on operational oversight and responding to security incidents using various operating models like centralized, decentralized, or hybrid approaches tailored to an organization’s cloud environment.
• Securing generative AI: An introduction to the Generative AI Security Scoping Matrix – This blog post introduces the Generative AI Security Scoping Matrix, a framework for understanding and prioritizing security controls for generative AI deployments within AWS, emphasizing the importance of aligning security disciplines with different types of AI implementations.
• Securing generative AI: data, compliance, and privacy considerations – The second in the series, this blog post provides a detailed exploration of data, compliance, and privacy considerations essential for securing generative AI, offering guidance on navigating the complexities associated with deploying generative AI workloads responsibly.
• Securing generative AI: Applying relevant security controls – Finally, the third in the series. this blog post gets into practical strategies for applying security controls to protect generative AI applications, mapping these controls to frameworks like MITRE ATLAS for comprehensive risk management.

Career Corner

• Security Operations Center (SOC) Analyst Salary and Job Description | The University of Tulsa – A comprehensive overview of the role, responsibilities, skills, education, and salary expectations for Security Operations Center (SOC) analysts, emphasizing the importance of vigilance against cyber threats and the rewarding nature of this cybersecurity career path.

Learning and Education

• Security Operations Course by ISC2 | Coursera – This course covers security operations, focusing on actively using security controls, mitigating risks, securing data and systems, encouraging secure practices, understanding data security, encryption, controls, asset management, security policies, security awareness training, and reviewing network operations concepts.

Community Voice

In this weeks edition we have some more insight from AWS Hero Sena Yakut. Sena shares thoughts on resilience and rec:

My key recommendations for resilience and recovery strategies and overcoming disasters in cloud environments:

• High Available Architectures: We need to always design our cloud infrastructure with high availability. We always consider using load balancers, auto-scaling, cross-account, or cross-regional architectures when needed.
  – Failover Systems: We need to implement failover systems that automatically switch to backup resources in the event of an incident, ensuring continuous cloud services availability.
• Incident Response Plan and Strong Team: We need to develop a comprehensive incident response plan that outlines procedures for detecting, responding to, and recovering from cloud security incidents. This plan should include roles and responsibilities, escalation procedures, and communication protocols to facilitate a coordinated response. There is a great resource to develop and test an incident response plan. Also, it’s important to establish an incident response team trained to quickly identify and respond to security incidents or disasters. This team should have clearly defined roles and responsibilities and be ready to execute the plan when needed.
• Continuous Improvement and Adaptation: We should continuously monitor and assess the evolving threat landscape and emerging security risks in our cloud environments. Regularly update and adapt security policies, controls, and practices to address new threats and vulnerabilities and improve overall cloud security posture.
• Security Automation and Orchestration: We need to use automation and orchestration tools to streamline cloud security operations and incident response processes. We automate routine security tasks, such as vulnerability scanning, threat detection, and incident triage, to improve efficiency and reduce response times during security incidents. You can use AWS security-managed services such as AWS Security Hub, AWS Config, Amazon Inspector, and Amazon GuardDuty for all security automation and orchestration.

And from around the web here are a few articles written by AWS Community Builders you should check out!

1. Semgrep for Terraform Security – High Signal Security – YAIB (Yet Another Infosec blog). – Semgrep is a powerful SAST tool that can be used for detecting security misconfigurations and enforcing secure-by-default patterns in Terraform code, enabling developers to write secure infrastructure as code.
2. My Journey to Passing the AWS Certified Solutions Architect Associate Exam – DEV Community – A detailed summary of how the author successfully prepared for and passed the AWS Certified Solutions Architect – Associate (SAA) exam, including the resources used, study plan followed, practice exams taken, and key tips for exam preparation.
3. From Metadata to Mayhem: Protecting AWS account from SSRF Attacks via IMDSV2 – Server-Side Request Forgery (SSRF) vulnerability allows attackers to manipulate servers into making unintended requests, potentially exposing sensitive data from AWS Instance Metadata Service (IMDS); IMDSv2 mitigates SSRF risks by requiring session tokens, enhancing security for AWS EC2 instances.

That’s a wrap!

Thank you for joining us for the 28th edition of the Securing the Cloud Newsletter. This issue brought you a comprehensive dive into the ever-evolving landscape of cloud security, from detailed discussions on security operations to the intricacies of securing generative AI with AWS’s Scoping Matrix. We explored significant career opportunities within the realm of cybersecurity and shared educational resources to further your expertise. The insights from our community, especially Sena Yakut’s robust strategies for resilience in cloud environments, underscore the ongoing need for vigilance and continuous improvement in our security practices. Remember to stay connected, share your thoughts, and engage with the content as we continue to navigate the complexities of cloud security together. Happy Labbing!

The post Securing the Cloud #28 appeared first on Brandon J Carroll.

Welcome to the 27th edition of the Securing the Cloud Newsletter! In this issue, we dive into the latest trends and insights in cloud security, explore career development opportunities, and share valuable learning resources. Additionally, we feature insightful perspectives from our community members. This weeks edition is focused on Data Security and Cryptography. Is that your area of expertise? If so, join the conversation and share your insights. Here we go!

Technical Topic

• Community | Data Security and Cryptography on AWS – This is a round-up article of sorts. In this article I share some terms related to Data Security and Cryptography and point you to useful resources to help you dig deeper into the topics.

Career Corner

• Specializing in a Cryptography Career – Brandon J Carroll – In this article, I discuss what it might take to pursue a career specializing in cryptography.

Learning and Education

• Questions from Readers: How can I prepare for and take certification exams if I have dyslexia? – Brandon J Carroll – Inspired by one of my LinkedIn connection’s query, I share what I have seen over my years of teaching Cisco networking classes.

Community Voice

1. Ever-changing CNAPP. In this blog, I would like to introduce… | by Shun Yoshie | Mar, 2024 | Medium – In this article, Shun talks about CNAPP (Cloud Native Application Protection Platforms), emerging as a comprehensive approach to ensuring security in cloud-native environments, integrating various previously siloed security functions like container scanning, CSPM, IaC scanning, CIEM, and CWPP.
2. VPC Lattice: yet another connectivity option or a game-changer? – Proud2beCloud Blog – In this article, VPC Lattice, a fairly new AWS service that simplifies secure communication and management of microservices across different AWS accounts and VPCs, is explored through an example deployment highlighting its key components, workflow, benefits, and limitations compared to other connectivity options.
3. Kickstarting Your DevSecOps Career – The 4 Essential Certifications You Need – DEV Community – In this article, my friend Damien Burks summarizes four pivotal certifications for launching a DevSecOps career: CompTIA Security+, CompTIA Linux+, AWS Certified Developer – Associate, and Certified Kubernetes Administrator, highlighting their importance and key focus areas along with emphasizing hands-on experience through projects and lab work. Well that’s it for this week. I hope you’ve found this round-up useful. If so, I encourage you to subscribe, share, and leave your comments on this edition of the newsletter. Happy Labbing!

The post Securing the Cloud #27 appeared first on Brandon J Carroll.

Mathematics:

Cryptography heavily relies on abstract algebraic concepts such as groups, rings, and fields. For this you would need to learn Abstract Algebra. Also, understanding the properties of integers, prime numbers, and modular arithmetic (Number Theory) is important in cryptography. And cryptanalysis often involves statistical analysis and probability theory. Personally, this is why I’m not specialized in cryptography. I know it. I understand things like Diffie-Hellman and IPsec and so on. But too much math hurts my little brain, so I leave this to the smart people!

Computer Science:

Efficient algorithms and data structures are essential for implementing cryptographic systems. You would pick this knowledge up in most computer science programs. You would likely also pick up a programming language. Python is common. Others are as well, but I like Python. You would need some programming skills if you are planning to develop cryptographic software. ANd I think last, but not least in this area is having an understanding low-level hardware and software principles. This is beneficial for optimizing cryptographic implementations (something else I cannot do).

Information Security:

Now we’re talking! Cryptography is a core area of information security, covering symmetric and asymmetric cryptography, hash functions, digital signatures, and cryptanalysis techniques. This is the stuff I’ve gotten just good enough at to be dangerous. My favorite books on the topic are IPSec, Second Edition and Applied Cryptography: Protocols, Algorithms and Source Code in C.

Along a similar vein, you need to have knowledge of areas like access control, authentication, and intrusion detection are relevant for designing secure systems that incorporate cryptography.

So what does a typical career path for someone in Cryptography look like?

A typical career path in cryptography

A typical career path in cryptography might look like this:

1. Get your education. This might include a bachelor’s degree in computer science, mathematics, or a related field, with a focus on cryptography-related courses. Some universities offer specialized programs or concentrations in cryptography and information security, but math is also an option.
2. Get an Internships
3. Graduate Studies: You might consider pursuing a master’s or doctoral degree in cryptography, computer science, or applied mathematics, depending on your interests and career goals. Personally, this was not for me, however for a focus in this space graduate studies provide opportunities for advanced research and specialization.
4. Get an Entry-Level Position. And this part kinda stinks. You may have the degree and some practical experience if you’ve interned, but not everyone comes out of college and starts a new tech company or joins one of the big cloud companies. You can seek entry-level positions as a cryptographer, security analyst, or software engineer in various industries, such as technology companies, financial institutions, government agencies, or research organizations and this will give you real-world experience and start building your career capital.
5. Keep seeking professional development opportunities and certifications. You need to do this to update your knowledge. Attend conferences, workshops, and training programs whenver you can. Obtaining industry-recognized certifications, such as the Certified Encryption Specialist (EC-Council) or the Certified Information Systems Security Professional (CISSP), can enhance your credibility and career prospects.
6. Keep looking for advancement opportunities. This will come with time. And as you gain experience and begin to stand out in your specialty, you can progress to roles such as lead cryptographer, cryptography researcher, security architect, or cybersecurity consultant. Some cryptographers also transition into academia, teaching and conducting research at universities or research institutions if that’s your thing.

Whatever you decide, it’s important to recognize that cryptography is a highly specialized field, and career paths may vary a lot depending on the industry, organization, and your interests and goals. In fact, you may head down this path and decide it’s not for you. Still the knowledge you gain will invariably help you in adjacent areas. That being said, I think that continuous learning, staying updated with the latest developments in cryptography, and maintaining a strong understanding of evolving security threats and countermeasures will be your key to a successful career in this field. I hope you found this useful. Happy Careering!

The post Specializing in a Cryptography Career appeared first on Brandon J Carroll.

Encryption at Rest

Encryption at rest refers to encrypting data when it is stored, as opposed to when it is being transmitted (encryption in transit). There are three main approaches for encryption at rest:

1. Server-side encryption: The service storing the data (e.g. Amazon S3) encrypts the data when it is received and decrypts it when requested by an authorized user. This is seamless for developers but allows any role with appropriate permissions to decrypt the data.
2. Client-side encryption: The application encrypts the data before sending it to the storage service, so the service never has access to the unencrypted data. This provides more control over who can decrypt the data.
3. Client-side in-browser encryption: Sensitive data is encrypted in the user’s browser before being sent to the application, protecting it even if it is accidentally exposed by intermediary services.

 Encryption at rest helps protect sensitive data from unauthorized access if it is lost, stolen, or accidentally exposed. It is an important technique for preserving user privacy and preventing disclosure of sensitive business data throughout the data lifecycle, from collection to storage to processing and sharing.

Check out the Protecting data at restsection of the Well architected framework for more details.

Encryption in Transit

Encryption in transit (opposite of encryption at rest) refers to the encryption of data while it is being transmitted over a network from one point to another, typically between a client and a server. The data is encrypted before being sent and decrypted after being received, but it may be stored in plaintext at the source and destination systems

Check out the Protecting data in transitsection of the Well architected framework for more details.

Key Management

Key management is an important aspect of encryption solutions. It involves protecting encryption keys at rest so that the keys can never be used outside the authorized system, and ensuring that the authorization to use encryption keys is independent from how access to the underlying data is controlled. This separation of key access from data access helps prevent issues like overly permissive data access policies from compromising encrypted data.

The AWS Service that handles key management is called KMS and you can learn KMS conceptsin this developer guide.

Cryptographic Services

Cryptographic services refer to the application of cryptography techniques and protocols to secure data, communications, and systems. These services include encryption, digital signatures, key management, and authentication mechanisms, enabling confidentiality, integrity, and non-repudiation of information exchanged over insecure networks or stored in vulnerable environments.

AWS offers a few services specific to Cryptographic Services. You can learn about them here.

Compliance and Regulations

Compliance and regulations refer to the set of rules, guidelines, and standards that organizations must adhere to, ensuring data security and privacy. These standards, such as HIPAA for healthcare organizations and PCI DSS for companies handling payment card data, mandate specific data security and encryption requirements to protect sensitive information and prevent data breaches.

You can learn how AWS services and tools can help achieve compliance here.

Best Practices and Recommendations

When it comes to data security and cryptography on AWS, some key best practices include: Implementing encryption at rest and in transit using AWS services like AWS Key Management Service (KMS) and AWS Certificate Manager. Regularly rotating encryption keys and following the principle of least privilege for access to encrypted data and key material. Leveraging AWS services like Amazon Macie and AWS CloudTrail to monitor and audit data access and encryption activities for compliance purposes.

I encourage you to become familiar with these best practices on AWS. You can read more here.

The post Data Security and Cryptography on AWS appeared first on Brandon J Carroll.

I can’t say I have done it myself. I only know what I’ve seen others do and what they have told me. I know what I have witnessed. I also know that Dyslexia does not reflect an individual’s intelligence or potential.

I am posting this because a connection on LinkedIn told me that studying for and taking certification exams are challenging, because they have to keep re-reading to comprehend technical topics. They asked my point of view. Here are the questions I asked.

Questions

1. Is there assistive technology like text-to-speech software or applications that can help by reading study materials to you that could help?.
2. Do you break down study materials instead of trying to tackle an entire chapter or section at once? If so, does that help with retention?
3. I know Dyslexia can affect visual processing, so would creating visual aids like mind maps or diagrams help you better understand and remember more technical concepts?
4. Some certification providers offer accommodations for individuals with learning disabilities, such as extended time or the ability to use assistive technology during the exam. AWS does this. So does Cisco and Microsoft. Are you asking for these?

Wrap Up

I can’t begin to say I know what it’s like, but it is inspiring to see someone that is faced with a challenge like Dyslexia be successful in their career and certification aspirations. If you have other thoughts or want to share your experience, I really want to hear it. Please post them in the comments.

The post Questions from Readers: How can I prepare for and take certification exams if I have dyslexia? appeared first on Brandon J Carroll.