How to Become a Cloud Penetration Tester
Cloud penetration tester? Sounds like something to do with whether sunblock protects you on a cloudy day. But cloud penetration testing is at the convergence of cloud computing and cybersecurity — two of the most important issues on the CIO's agenda today. If you had to choose an IT job position to go after, what could be better than one where two massive industry trends coincide?
So let's take a look at the role, the requirements, and the opportunities afforded in becoming a cloud penetration tester. We'll discuss the work experiences that you'll need, as well as the job certifications that will validate your credentials to prospective employers. In this post, we're going to focus our discussion primarily on certs from the vendor-neutral CompTIA.
What Does a Cloud Penetration Tester Do?
To paraphrase an old saying, "the best laid security plans often go astray". No matter how well you think you are set up to protect your network, systems, apps, and data, there's always a chance that some hacker is going to find a hole in your armor. You can never be 100% sure, but one way to improve your chances is penetration testing. That's where an authorized security professional acts as a hacker — a good guy hacker — to test your defenses. Using the same tools and techniques as the bad guys, a penetration tester will seek out any flaws in your security scheme, so you can fix them before they are exploited.
With the increasing emphasis on remote and mobile workforces, cloud computing has become an essential part of most enterprise IT architectures. As the use of public cloud services — Amazon Web Services, Microsoft Azure, Google Cloud, Oracle Cloud, etc. — has become more prevalent, it is no surprise that there are penetration testers who specialize in that arena. Because of the added complexity of working with the various cloud computing architectures, the cloud penetration tester will need knowledge and expertise beyond that expected of a regular penetration tester.
The Cloud Penetration Testing Role
Cloud penetration testers are commissioned by the business owners to probe their cloud-based solutions for vulnerabilities in the security regime. The goal is to anticipate and prevent attacks — phishing, malware, SQL injections, ransomware, denial of service, and more — that are employed by hackers intent on stealing data, or otherwise disrupting operations!
The cloud penetration tester will be expected to aid in hacker-proofing the organization's cloud environment by:
Identifying risks and locating gaps and vulnerabilities in the cloud security regime
Assessing and prioritizing the impact of vulnerabilities
Determining how hackers might exploit identified vulnerabilities
Creating a detailed plan of action to remediate and close-off exploitable weaknesses
Preparing a set of best practices to help maintain the highest levels of cloud security
Among other things, the cloud penetration tester will probe specific cloud configurations, passwords, cloud applications, encryption, access to cloud storage and databases, and application programming interfaces.
Because these cloud architectures are shared services, the cloud penetration tester must understand the specific cloud service provider limitations on what they may and may not test. They must also select the testing tool appropriate for that service provider, as well as the relevant offensive security techniques that can be used to gain access to the target systems.
Becoming a Cloud Penetration Tester
Cloud penetration testing is not for beginners! On the contrary, you'll need hands-on experience in systems, network and application admin and security, as well as in deploying and managing cloud-based solutions. You'll also be expected to be familiar with multiple operating systems and virtualization regimes. In addition, you'll need to be competent with common scripting languages such as Python, Perl, Java, and Ruby.
So where do you start? Training can help you learn the skills you need to get hired as a cloud penetration tester. Most employers will look for candidates who have verifiable time in specific roles, as well as the appropriate certifications.
Network Admin as Starting Point
Your starting experience should probably be in troubleshooting, configuring, and managing networks as a network admin or engineer and you should hold the CompTIA Network+ certification, or equivalent. Now, of course, you'll probably be working with technology from vendors such as Cisco, Palo Alto, Juniper, and others, so it's likely that you'll also have earned one or more of their network admin certs. It's also worth mentioning that virtualization is a fixture in most enterprise IT strategies. For that reason, familiarity with technologies such as VMware, Hyper-V, or KVM, will be extremely valuable.
As you gain more experience, your career trajectory will see you transition into cloud-based networks — perhaps as a cloud specialist or engineer. You'll be expected to earn a professional admin or design certs from one of the major public cloud players (AWS, Google, Azure), or to hold CompTIA's general Cloud+ certification.
Move into Cybersecurity
OK! You're experienced in networking and cloud solutions. Now you can transition into cybersecurity with a role such as cloud security specialist or security analyst ideally in a Security Operations Center.
These positions will help you build the baseline skills in detecting, analyzing, and responding to cybersecurity incidents. You'll also gain an understanding of common vulnerabilities and how to prevent their exploitation by hackers. There are a number of outstanding cybersecurity certifications, starting with CompTIA's Security+, which will assure employers that you have the skills and knowledge to perform your core security responsibilities.
Transition to Cloud Penetration Testing
Finally, after you've established yourself, with 3-4 years of hands-on information security, you can look for opportunities to move into a penetration testing role. You may have to cut your teeth in a general pen testing or vulnerability analysis role, but if you have strong cloud credentials, then you should be able to make a good case to move into cloud penetration testing.
Pen Testing Certifications
There are quite a few penetration testing certifications, ranging from entry-level to expert. At the entry-level, the EC-Council's Certified Ethical Hacker might be a good start, but we favor the more comprehensive intermediate-level CompTIA PenTest+ cert. Of course, if penetration testing is going to be your long-term vocation, then you can follow PenTest+ with an advanced or master-level certification from one of the IACRB, Offensive Security, or the EC-Council.
Online Training to Learn Pen Testing Skills
As mentioned earlier, cloud penetration testing is at the nexus of two of the most significant trends in information technology. This is reflected in the demand for qualified penetration testing professionals.
According to CyberSeek, which tracks demand for cybersecurity professionals, penetration testers in general — and the related position of vulnerability analyst — were among the top nine of the United States' in-demand cybersecurity job titles for 2019-2020. The site estimated that there were over 21,000 penetration tester/vulnerability analyst job openings, with salaries averaging over $100K.
If pen testing is on your career pathway, then you can count on CBT Nuggets for the training resources to help you develop the basic skills. Here are a few online training courses that could help you land that next job in penetration testing:
As you prepare for your certification exams, check out the new CompTIA PenTest+ training course that will help prepare you for the new CompTIA PenTest+ PT0-002 certification exam.