Martin secures cloud environments in Denmark
What are companies’ main challenges regarding the cloud? Martin Bahn Ejvang, Cloud Security Architect, tells all.
Where does your interest in IT come from?
I’ve always had it. When I was a child, my parents bought a Commodore 64 for my brother and me. We used it for games and programming. I was fascinated by the things you could do with a computer.
You made a career in software development. What have been some of your greatest successes?
I think it depends on how someone defines success. For example, I helped build platforms and applications for companies that count over 100.000 users a day. I contributed to smaller applications that saved companies time and increased customer satisfaction. I also helped to build Endomondo, a running app, which, back then, was considered to be a startup.
Since 2017, you’ve specialized in the cloud. How did this change in focus come about?
In 2014, I worked on a project where we used the cloud’s scalability for computing resources. That was the first time I experienced the elastic nature of the cloud. Later in 2015, I was the architect on my first project that was cloud-native. It was for a large Danish news site that wanted live coverage of events (news, sports, etc.). It made me realize the possibilities that lie within the cloud. I later got the certifications (MCSE for Azure:2017) and moved to another company specializing in cloud projects.
You are now Cloud Security Architect, which is still a very new field. How did you develop your skills?
I first learned about the cloud by building solutions. I mainly made a PaaS solution, but also dug into IaaS and SaaS. Then I was given the responsibility to implement security in my code and leverage security in the cloud. After that, I began learning about classic security (on-premise security) and the products from primarily Palo Alto Networks and Check Point.
What does your job consist of today?
I help customers with their cloud journeys and advise them on how to build a secure environment.
What does your everyday professional life look like?
I talk about the cloud to both customers and employees and keep up-to-date with our partners and CSPs. Each day is unique ant’d involves a lot of learning about the new features and roadmaps.
What kind of companies are interested in cloud security in Denmark?
I would say that every company that’s on a cloud journey would be interested in how to secure it. No one wants to end up in the news of a breach. The challenge is that it’s usually businesses that are driving that transition into the cloud with the DevOps team’s help. They are focused on an opportunity that exists and wants to execute it immediately; that leaves little room for security unless it was part of the architecture, to begin with.
Do you work in a team?
Yes, we are a small team that collaborates with our sales and PS (Professional Services) department.
What are our customers’ issues regarding cloud security?
Their primary issues are visibility and misconfiguration. Usually, the DevOps are deploying applications into the cloud, and their goal is to meet business requirements. Their focus is not necessarily secure, and that can potentially create some vulnerabilities. New security features are also added regularly, and these need to be added into the deployment script to take effect. Developers are more concerned about functionalities and use cases rather than the security features of a cloud service.
What are their first questions when you meet clients?
Our clients want our advice on how to deal with the cloud and the challenges it brings. They are used to a ‘static’ environment where they change the network cables and plugging in servers. The cloud is a dynamic environment that changes every minute, and new features are developed quickly. I guess their main question is: ‘How do you go from a classic ITIL approach to a fully agile one?‘
Cloud Service Providers often sell a security layer in addition to a cloud database. Why do our customers still have to turn to an MSSP?
Clients need someone to look at the infrastructure and know what everything means to fine-tune it. Also, what CSPs do not tell is that all the security they are investing in is to protect their infrastructure and not their clients’ applications. Therefore, it’s essential to read their ‘shared responsibility in the cloud’ matrix for their different offerings to understand what the client is in charge of. This is where Orange Cyberdefense can help to secure the customers’ data.
What services do we offer them?
We offer MSS (managed security services), PS (Professional Services), and advice. We also work with partners that can help. Our help depends on the client’s maturity regarding cloud questions and his needs. Some customers are in the lift-and-shift phase, and others are building applications using PaaS offerings.
What advice would you give to someone who wants to pursue a career in cloud security?
Start learning about classic security to understand where we came from. Then move to cloud infrastructure. After that, focus on cloud security to understand its challenges. If you want the DevSecOps route, then you also need to learn about development and application security.