So, here are some different thoughts that I have compiled where I think that my broad experience has benefited me greatly and the notion of just jumping into the cloud seems problematic.
Azure Global Bootcamp 2019
One of the presentations at my local Azure Global Bootcamp in April was covering DevOps. The presenter was very enthusiastic (most presentations on DevOps are) and he even shared a challenge that he had when setting up a Linux VM in Azure IaaS. He said that he chose a public IP address for the machine, but when he SSH’d into the machine and ran ifconfig he did not see that IP address. He said that it was a “peculiarity” and something to keep in mind when working with Linux VMs.
In my mind I was screaming. This has nothing to do with Azure or Linux. I think that many experienced folks get this right away. This “peculiarity” is exactly the behavior that should be expected. It comes down to a high level understanding of network topologies. That public IP address would never exist on the VM itself, not unless you were placing that machine directly on the Internet… the physical host would need a NIC connecting it to a public router directly without NAT for this to happen. The IP address sits on the device(s) performing NAT. In this case, it would be in the Azure perimeter infrastructure. That device maps the available ports on that IP address to an internal IP address (and port… and it could be to different IPs per port, even).
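To make the mapping concrete, here is a small model of it, added as an illustration and not taken from the presentation or from Azure's own tooling. The addresses, the interface listing and the rule table are constructed sample values, and the table is a simplified stand-in for whatever the perimeter device actually holds.

```python
import ipaddress

# Constructed sample values: 203.0.113.10 (a documentation address) stands in
# for the public IP that was chosen for the VM.
PUBLIC_IP = "203.0.113.10"

# Constructed `ip -o -4 addr show` style output, as seen from inside the VM.
IP_ADDR_OUTPUT = """\
1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 10.0.0.4/24 brd 10.0.0.255 scope global eth0
"""

# Destination-NAT table held by the perimeter device, never by the VM:
# (public IP, public port) -> (internal IP, internal port).
DNAT_RULES = {
    (PUBLIC_IP, 22): ("10.0.0.4", 22),
    (PUBLIC_IP, 443): ("10.0.0.5", 8443),  # same public IP, different host
}

def local_addresses(ip_addr_output):
    """Return the IPv4 addresses actually bound to the host's interfaces."""
    addrs = []
    for line in ip_addr_output.splitlines():
        fields = line.split()
        if "inet" in fields:
            cidr = fields[fields.index("inet") + 1]
            addrs.append(ipaddress.ip_interface(cidr).ip)
    return addrs

def behind_nat(public_ip, ip_addr_output):
    """True when the public IP is not bound to any local interface."""
    return ipaddress.ip_address(public_ip) not in local_addresses(ip_addr_output)

def translate_inbound(dst_ip, dst_port):
    """Rewrite an inbound destination as the NAT device would; None means no rule."""
    return DNAT_RULES.get((dst_ip, dst_port))

def exposure(vm_ip, listening_ports):
    """Public ports that reach vm_ip: a rule must exist AND the port must listen."""
    return sorted(
        pub_port
        for (_pub_ip, pub_port), (in_ip, in_port) in DNAT_RULES.items()
        if in_ip == vm_ip and in_port in listening_ports
    )

if __name__ == "__main__":
    print("public IP absent from VM interfaces:", behind_nat(PUBLIC_IP, IP_ADDR_OUTPUT))
    print("inbound :443 lands on:", translate_inbound(PUBLIC_IP, 443))
    print("externally reachable on 10.0.0.4:", exposure("10.0.0.4", {22, 80}))
```

The last function is the part that matters for security work: what is reachable from outside is decided by the rule table on the translating device, so a service listening on the VM (port 80 in the sample) is not exposed unless a rule forwards to it.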
That causes me to consider how someone arrives at this point in their IT career without having the requisite experience to know this. I am sure it is not an isolated situation.
I think the InfoSec community has a lot more of this, in particular. In this community there seem to be far more folks that went to school for this discipline and went right into a career without getting broader IT experience. This is extremely disturbing to me. To be highly effective at securing an organization’s information estate, you need to have a fairly good understanding of what you are securing. A common response I have heard is, “Would you expect me to have some construction experience for performing physical security?” The answer really is yes… yes I would. This does not mean that you need to go spend 5-10 years working in construction before working physical security, but you should get yourself well acquainted with how construction is done. And folks in InfoSec that I respect have done this. They get familiar with the inner workings of locking mechanisms, doors, windows, and even the construction of the walls that these devices are incorporated into. What good is the best lock in a steel reinforced door when I can easily take a dual-saw and cut through 1/4” of oriented strand board (OSB) next to the door (or somewhere less conspicuous) and make my own opening? Or make a smaller opening through drywall so that I can reach inside and unlock it with my hand? Or understanding that the wall stops a few inches above the drop ceiling and I fish a cable with a loop at the end through the ceiling tiles and pull on the door lever?
It is important to understand what you are securing, bottom line.
How Does Someone Enter IT Today?
This is a question on which I would not necessarily trust my answer. This is more of a thought experiment. When I wanted to get into more Microsoft-focused work, I decided it was time to sit for the MCSE exams. When that happened, it was a simpler time; there was one MCSE and you covered Windows client and server operating systems, networking and networking services that are needed to operate an organization that uses Microsoft’s directory infrastructure for identity management.
Today, exams exist that are very specialized. When reviewing the Azure certifications, they don’t have any of the more fundamental concepts covered. They focus on identity centric to Azure AD, but most organizations are going to still have hybrid identity and be very dependent on the on-premises infrastructure… not just synching to Azure AD and forgetting that there are domain controllers, DNS services, Group Policy, sites and replication to worry about back on-premises. Networking focuses on the necessary concepts that are specific to Azure, not an understanding of the OSI model, physical media, the evolution of layer 2 technologies over the years that were covered even in the MCSE curriculum, but even more in-depth in the Cisco Networking Academy when I attended it.
When I was asked “should I study for the AZ-103 exam” by someone without an IT background, these were the things that I thought about. I do not know the right answer, but I believe it includes getting familiar with these concepts. I do not know if it means you should endeavor towards a more traditional approach and then adopt cloud knowledge, or if there is a way to go through both. This might mean that certifications that I have short-changed in the past actually present some value today, like the CompTIA A+ and Network+ (and for the record, I have sat those in the past, too; before I get any comments about anyone being offended that I have not really valued those certifications in the past). Maybe CompTIA or another independent organization could offer a cloud certification that is geared towards providing fundamentals that were developed in traditional IT in addition to the broad understanding of cloud computing? Is anyone aware of such a thing?