Is Cloud Network Security Cool?

I had a moment of extreme motivation and inspiration at the end of last year. I was full of optimism after delivering a day-long bootcamp on Cloud Networking 101 for some great people as part of a DevOps Girls event. This was the moment I decided to put in a submission to 0xcc Conference to deliver a 2-day course on Cloud Network Security. Then the world changed…

My role at SEEK is to support a lot of the edge networking infrastructure, which includes a lot of YAML, NGINX and BASH — it also includes a solid understanding of AWS cloud networking resources and the flow of traffic through SEEK’s websites. I’ve developed this knowledge over time, with the excellent support of my colleagues and an active membership with A Cloud Guru.

I staunchly believe in passing on knowledge, especially when that knowledge has been passed on to you. This is what drives me to run bootcamps and workshops as a co-Organiser for DevOps Girls. The sense of giving back and lifting up your community is very rewarding. This is why I set myself the challenge to deliver a 2-day course on Cloud Network Security for 0xcc — but is Cloud Network Security cool enough that people would want to learn?

Cloud Security is a hot topic. Tech folks are seeing more and more vulnerabilities related to s3 buckets and AWS metadata. Most cloud security courses cover these topics. I’ve even been to one of these courses, it was great and I learnt a lot.

However, a topic I haven’t seen come up very often is ‘Cloud Network Security’. I’m talking VPCs, subnetting, load balancers, Security Groups, CDN. Considering this stuff is my ‘bread and butter’, I have a biased opinion that it should be spoken about more often. Makes me wonder how other people transition into edge networking roles? I also wonder, is it the less-cool Cloud Security topic? Do people want to learn this stuff? I decided to put this to the test.

At the end of 2019, I decided to put in a proposal for training for 0xcc Conference. Once my proposal for my course was accepted for 0xcc conference (yay!), I had a plan to build out my content, test out my content, get feedback etc. I presumed I’d have 20+ people in a physical room that I could help get through the practical exercises and see their faces and reactions to my lame jokes. Then the world changed. In-person training was no longer going to be an option and we were going virtual. I worried about how this would impact my course and my ability to teach. I’m going to share some of my considerations that helped me get my course over the line.

0xcc website updated to announce we’re going virtual

Virtual CoC

I believe having a strong code of conduct (CoC) is very important when it comes to running virtual events. You’re less empowered to facilitate interactions when you’re depending on a virtual conferencing tool. If you make it clear how we’re expected to interact, then we can all be held accountable. A friend of mine introduced me to a CoC that worked well for her and was borrowed from the Recurse Centre. My favourite part is ‘no feigning surprise’. It’s a real kick in the gut when you don’t know a technical concept and someone responds with “wow, you’ve never heard of xxx?!”. Our CoC also included how to ask questions virtually and giving air time to people who might be less outspoken.

Robust Content

Most people are either kinaesthetic or visual learners, which is daunting for a course that would be delivered with a heavy reliance on an auditory medium. For anyone who’s been in a meeting to discuss a networking/architectural problem, it’s pretty ineffective without a visual aid like a whiteboard or screen share. Keeping this in mind, I spent a lot of time building out the content for self-guided practical exercises, including visual guides, extra explanations and reiterating the ‘why’.

I also tried to be as granular as possible in the practical components. Networking concepts are abstract and theoretical, so I used a lot of simple network diagrams to reduce the feeling of being lost. All of this was included in a Github Repo for people to revisit in their own time after the course.

Example of a simple networking diagram to help us not get lost

Be Flexible

People would be in their own homes attending my course — this was an important consideration. When we’re at home, we don’t exist in a vacuum. We have people who depend on us, animals that need us to open doors/feed them, distracting sounds of other people in our houses. This made things difficult for my course as the content was linear and you needed to ‘keep up’.

To try and keep things flexible, I allowed for as much catching up time as possible and gave people 1:1 time to work on troubleshooting errors. Also, keeping the content robust meant that people could always revisit the content afterwards and opt for reading through the steps instead. I also reached out to SEEK’s AWS Technical Account Manager to get some AWS vouchers to provide to people (thanks AWS!). This allowed people to keep things running for a day longer if they needed time to revisit some steps. I didn’t want people to have any unexpected AWS costs.

Challenges

No course (virtual/in-person) is delivered without challenges. Here’s some of my challenges that might prove helpful to others:

• Supporting people with troubleshooting was hard without taking time away from the group as a whole. Next time I’d recruit more volunteers that could help in separate channels, which would free me up to continue delivering the content.
• Managing expectations was interesting. The reason I ask “Is cloud network security cool?” is because people may have expected ‘cloud security’, which is a different thing and generally focuses more on the application level. Spoiler alert, ‘Cloud Network Security’ is actually just ‘Good Cloud Networking’ in disguise. Some people may have come in expecting the same content delivered as the more popular Cloud Security courses, but found themselves looking at networking resources.
• Networking and relationship-building was also really hard. This was for a couple of reasons. The first was that a lot of people opted to have their camera turned off. I totally get the reasons why this would be the case. Messy house, distracting background, wanting to disengage without being rude — lots of reasons! As a trainer, this was hard for me to make connections. Secondly, due to the hours we had all committed to being in front of our computer screens, I encouraged people to get away from the screen on our break times (including myself). This meant any down time we would use for networking was used battling virtual fatigue.
• Overall, there are pros and cons to going virtual. Accessibility would’ve been easier, but for people with hearing impairment it would’ve been really challenging. For people who draw energy from groups, staying engaged would’ve been quite difficult. For people who love focused solo work, then they may have really loved this training format.

So, is Cloud Network Security cool?

I think so! Would I run this course again? Absolutely! Will everyone enjoy it, probably not but there will be some who will totally dig it. Based on the anonymous feedback from participants the course was a success!

For some people who were told networking wasn’t the right career choice for women, they left feeling more empowered to pursue their interest in this area. For a developer who had never had exposure to the broader cloud ecosystem, they now had a deeper technical appreciation of how their applications are protected in the cloud. I get it, a lot of people want to build things and expose them to the internet for people to interact with. Cloud networking is more abstract. It’s not something you knowingly engage with. However, without it, secure and resilient applications can’t be possible.

My goofy grin — the face attendees saw for 2 days straight!

Massive Thank You

I had some great support getting this over the line. Buffy, AKA Bec, AKA Errbufferoverfl was with me the whole two long days and delivered a great session on threat modelling. Lidia, AKA Cyber Mum, helped me with my submission and generally encouraged me along the way. Angel Abad Cerdeira (Edge Network Engineer at SEEK) helped as a technical sounding board for my content and just generally being a great technical mentor. My partner, Lachy, for letting me take over our home office for 2 days and proofreading my content.

Shout out to the 0xcc conference. It’s mostly a one-woman show run by Alannah Guo. There was a lot of attention to detail for people to really feel like they were getting the full conference experience. An example of this was the swag boxes that were sent out with stickers, merchandise and conference snacks. This also gave conference sponsors an opportunity to distribute their wares. The line-up for the conference was really inspiring. Women from various fields in security generously sharing their knowledge and time(at no cost). I’d highly recommend people follow @0xcc_sh on twitter to be part of this fantastic conference in 2021, which will no doubt be even bigger and better.