Infrastructure Security Engineering: The Challenging Role in Cloud-Native Environments
A group of professionals attending a recent cloud-native industry event couldn’t help but laugh when they shared their newest job title: infrastructure security engineers. Amidst the wave of layoffs in the tech industry, this amusing job title highlighted the uncertainty surrounding the expectations and skills required to thrive in this evolving role.
In today’s world of Kubernetes and cloud-native application deployment, infrastructure security engineers are considered highly sought-after hires. However, delving into numerous job descriptions and conducting interviews with practitioners revealed the unique challenges faced by individuals in this field. This role demands a delicate balance of both indirect influence and strong technical skills.
So, what exactly does infrastructure security engineering entail? These professionals are responsible for managing security at the infrastructure layer, focusing on deployment and the running of cloud environments. They operate separately from application-level security teams.
One crucial aspect of this role is understanding the cloud security shared responsibility model. For instance, in the case of managed Kubernetes platforms, which usually follow a general PaaS model, infrastructure security engineers bear significant responsibility. They must handle a wide range of tasks, including configuring the cloud environment and deploying necessary patches to the operating system, runtime, and Kubernetes components. Consequently, Google emphasizes the importance of securing one’s own workload within a Kubernetes environment.
However, the shared responsibility model is just the tip of the iceberg. This role is not isolated; it requires collaboration with other teams within the organization. One of the most commonly cited requirements, apart from vulnerability management, is the ability to promote and implement security best practices across engineering teams. Essentially, infrastructure security engineers are responsible for embedding security considerations into their colleagues’ workflows, ensuring the delivery of secure products and services.
This demand for security integration can create inherent friction within development teams, as it is perceived to hinder the fast-paced flow of new features into production. However, studies have shown that teams incorporating security into their DevOps processes actually achieve faster delivery times.
To excel in this field, infrastructure security engineers must possess certain key attributes. Hiring managers often prioritize hands-on experience with cloud platforms and networking. Proficiency in scripting languages, accompanied by practical knowledge of infrastructure as code (IaC), Terraform, and continuous integration/continuous deployment (CI/CD) pipelines, is also highly valued. This expertise is crucial for effectively disseminating security best practices to developers engaged in daily deployment tasks.
Another crucial requirement is a comprehensive understanding of the end-to-end development pipeline. To adequately manage cloud vulnerabilities and stay updated on cloud advancements, security engineers must comprehend the entire system, its efficiency, and how different elements interact. Prioritization skills are vital within this context, as discipline and methodical approaches help ensure focused problem-solving.
Industry professionals shared additional insights during interviews, offering tips for success:
– The importance of considering Kubernetes as a distinct entity within the cloud environment.
– The need for triage to streamline and prioritize security efforts effectively.
– The potential for engineering teams’ interest in solving security problems if empowered with data and context.
Interestingly, only one job description outlined the task of conducting security reviews, giving security teams the authority to approve or reject development changes. This observation aligns with the role’s emphasis on indirect influence rather than direct decision-making. IaC knowledge is particularly essential for guiding others on its usage rather than performing it directly.
While communication and mentoring skills were not often listed among job prerequisites, around half of the roles placed high expectations on these soft skills, especially for senior positions.
Considering the requirement to influence development teams, knowledge of IaC and automation tools, the necessity for effective communication and mentoring, and the limited emphasis on formal security reviews, the profile of a successful infrastructure security professional becomes clearer. To excel in this field, individuals must possess extensive hands-on experience within the cloud ecosystem. They should also be adept at building credibility and influencing skilled teams who work with cutting-edge GitOps tools daily. Achieving this level of expertise is no easy feat, making infrastructure security engineering one of the most challenging roles in the industry.