Martin secures cloud-environments in Denmark

I’ve always had it. When I was a child, my parents bought a Commodore 64 for my brother and me. We used it for games and programming. I was fascinated by the things you could do with a computer.

I think it depends on how someone defines success. For example, I helped build platforms and applications for companies that count over 100.000 users a day. I contributed to smaller applications that saved companies time and increased customer satisfaction. I also helped to build Endomondo, a running app, which, back then, was considered to be a startup.

In 2014, I worked on a project where we used the cloud’s scalability for computing resources. That was the first time I experienced the elastic nature of the cloud. Later in 2015, I was the architect on my first project that was cloud-native. It was for a large Danish news site that wanted live coverage of events (news, sports, etc.). It made me realize the possibilities that lie within the cloud. I later got the certifications (MCSE for Azure:2017) and moved to another company specializing in cloud projects.

I first learned about the cloud by building solutions. I mainly made a PaaS solution, but also dug into IaaS and SaaS. Then I was given the responsibility to implement security in my code and leverage security in the cloud. After that, I began learning about classic security (on-premise security) and the products from primarily Palo Alto Networks and Check Point.

I help customers with their cloud journeys and advise them on how to build a secure environment.

I talk about the cloud to both customers and employees and keep up-to-date with our partners and CSPs. Each day is unique ant’d involves a lot of learning about the new features and roadmaps.

I would say that every company that’s on a cloud journey would be interested in how to secure it. No one wants to end up in the news of a breach. The challenge is that it’s usually businesses that are driving that transition into the cloud with the DevOps team’s help. They are focused on an opportunity that exists and wants to execute it immediately; that leaves little room for security unless it was part of the architecture, to begin with.

Yes, we are a small team that collaborates with our sales and PS (Professional Services) department.

Their primary issues are visibility and misconfiguration. Usually, the DevOps are deploying applications into the cloud, and their goal is to meet business requirements. Their focus is not necessarily secure, and that can potentially create some vulnerabilities. New security features are also added regularly, and these need to be added into the deployment script to take effect. Developers are more concerned about functionalities and use cases rather than the security features of a cloud service.

Our clients want our advice on how to deal with the cloud and the challenges it brings. They are used to a ‘static’ environment where they change the network cables and plugging in servers. The cloud is a dynamic environment that changes every minute, and new features are developed quickly. I guess their main question is: ‘How do you go from a classic ITIL approach to a fully agile one?‘

Clients need someone to look at the infrastructure and know what everything means to fine-tune it. Also, what CSPs do not tell is that all the security they are investing in is to protect their infrastructure and not their clients’ applications. Therefore, it’s essential to read their ‘shared responsibility in the cloud’ matrix for their different offerings to understand what the client is in charge of. This is where Orange Cyberdefense can help to secure the customers’ data.

We offer MSS (managed security services), PS (Professional Services), and advice. We also work with partners that can help. Our help depends on the client’s maturity regarding cloud questions and his needs. Some customers are in the lift-and-shift phase, and others are building applications using PaaS offerings.

Start learning about classic security to understand where we came from. Then move to cloud infrastructure. After that, focus on cloud security to understand its challenges. If you want the DevSecOps route, then you also need to learn about development and application security.