Cloud

Virtualization technologies are often lumped in with cloud infrastructure because of some conceptual similarities and the way virtualization of systems was among the earliest of public cloud services. I began working with VMWare ESX from around 2006 when I found some of my consulting clients using it to virtualize server functions. At this time, my role with Info@Risk was focused on penetration testing these environments, and I found numerous opportunities to compromise these systems due to software vulnerabilities in VMWare and misconfigurations by the customers. I also had one interesting project performing configuration audits for a managed security services provider who offered virtualized services for remote customers, introducing another layer of abstraction, closer to modern public clouds. These technologies also incorporate software-defined networking (SDN), another feature of modern cloud infrastructure, and one that opens up new possibilities for security exploits. I found that once I had compromised a virtualization environment and accessed host routing tables, I was able to access hosts on networks through the SDN that were not normally reachable.

Beginning with my time at Jackson National Life Insurance from around 2016, migration to public clouds was beginning to take off. My role at this time was Manager, Information Security Controls Program, and my engagement with cloud services was in writing security policy and standards that addressed the integration of on-premises and cloud-based infrastructures, and baseline security requirements for cloud deployments. I needed to have awareness of the services in use and the architecture of the configured environment to be able to write meaningful standards. I worked directly in Microsoft Azure environments to test related controls.

I got a little further into examining the architecture of the cloud environments when I moved to a vulnerability management role. Here I needed more detail on network topology in order to be able to ensure test coverage for all systems and to work with developers and DevOps staff for application security testing.

Starting with Zoom Video Communications in 2020, I got exposure to working in AWS. Some specific areas of work were around:

  • IAM
  • S3
  • EC2
  • Security Groups
  • several database services

My responsibilities in this position included testing application security within the correct AWS environments, ensuring thorough understanding of network topology to facilitate oversight of vulnerability assessment projects, and validating security controls around network segregation, authentication and access for applications and data.

Professional certifications supporting this work include: CISSP, CISA, CISM, GWEB, GPYC
