Learn The Cloud Security Interview Questions!
Are you looking to master the cloud security architect and cloud architect technical interview? If so, this post is for you. Today we talk about cloud architect security and technical questions to help you prepare for such an interview.
A cloud architect role is customer-facing. That is why you have to be able to explain your solutions and complicated technologies to the customer. You have to listen to them and learn all about their complex application, network, computing and storage environments.
Then you have to take all of that and design a solution.
Question 1. “What is a man in the middle attack?”
Security is absolutely critical to any computing environment.
A man in the middle attack is when two users, User A and User B, are communicating and a third user, User C, sneaks in between them and impersonates User B. User A talks to User C while thinking they are talking to User B.
More generally, a man in the middle attack is when you've got two people, computers, network systems, or two of anything in the environment, and something sneaks in between them, pretends to be the other endpoint, and the secrets in the communication are divulged.
Question 2. “How do you prevent a man in the middle attack?”
To prevent a man in the middle attack you do some form of endpoint verification: you know who the sender is and who the receiver is going to be.
The best way to do that verification is with some form of encryption:
- IPsec does endpoint verification.
- An HTTPS session forces endpoint verification.
- Wireless: you can use WPA encryption (WPA3).
- Public Key Infrastructure (PKI) based authentication.
Question 3. “What is data protection when we talk about encryption in transit versus encryption at rest?”
This means protecting your data.
Encryption at rest, or data protection at rest, is when you encrypt a volume, a hard drive, or an AWS S3 bucket, so all the data stored on that entity is encrypted. If someone were to walk off with that server or the storage it sits on, they still can't get at your information because they don't have the decryption key.
Encryption in transit is when a message sent from User A to User B is encrypted by a protocol while it travels across the network to the receiving host. Examples are VPNs, which are typically IPsec, and HTTPS.
Question 4. “What’s the difference between symmetric and asymmetric encryption?”
This is for the hiring manager to ascertain whether the interviewee really knows anything about encryption and how it works.
Symmetric encryption is when you use the same encryption key to send and receive your traffic going back and forth. It's very fast, it's been around for a long time, and it works well.
Asymmetric encryption is when you use one encryption key for sending your data and another encryption key for receiving it.
That is more secure, a further layer of security. So there is a difference, but there are also challenges associated with asymmetric encryption.
For example: how do you get both keys across securely?
It's quite common to set up symmetric encryption just to exchange your keys, and then move to what you really wanted to use, which is asymmetric encryption.
You can also send your encryption keys out-of-band, for example.
With such answers you can show that you actually understand encryption.
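As an added example (not from the original post), here is the endpoint verification idea from Question 2 and the key-exchange problem from Question 4 in one small Python simulation: User A and User B agree a session key with a toy Diffie-Hellman exchange, and a verification key they both received out-of-band (a stand-in for the trust a certificate or PKI provides) lets each side check that the public value really came from the other endpoint. The group parameters, the verification key and all function names are constructed for this example.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group: the 64-bit prime 2**64 - 59 and generator 2.
# Constructed for readability only; real deployments use 2048-bit+ groups.
P = 2**64 - 59
G = 2
# Key both endpoints received out-of-band (constructed value). It plays the
# role that a trusted certificate plays in HTTPS/IPsec: proving who sent a value.
VERIFY_KEY = b"out-of-band-shared-verification-key"


def keypair():
    """Private exponent and the public value g^x mod p that is sent to the peer."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def endpoint_tag(pub):
    """Authenticates a public value: only a holder of VERIFY_KEY can produce it."""
    return hmac.new(VERIFY_KEY, pub.to_bytes(8, "big"), hashlib.sha256).digest()


def session_key(peer_pub, priv):
    """Symmetric session key derived from the agreed secret g^(ab) mod p."""
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(8, "big")).digest()


def exchange(interposer=False, verify=True):
    """Simulate User A and User B agreeing a key, optionally with User C in the
    middle substituting its own public value. Returns (accepted, a_and_b_agree)."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    a_msg, b_msg = (a_pub, endpoint_tag(a_pub)), (b_pub, endpoint_tag(b_pub))
    if interposer:
        # C swaps in its own public value but cannot compute a valid tag,
        # so it forwards the original tags and hopes nobody checks them.
        _, c_pub = keypair()
        a_msg, b_msg = (c_pub, a_msg[1]), (c_pub, b_msg[1])
    for pub, tag in (a_msg, b_msg):
        if verify and not hmac.compare_digest(endpoint_tag(pub), tag):
            return False, False          # endpoint verification failed: abort
    key_a = session_key(b_msg[0], a_priv)  # A derives from what it received
    key_b = session_key(a_msg[0], b_priv)  # B likewise
    return True, key_a == key_b
```

Without verification the exchange with C in the middle "succeeds" but A and B hold different keys, each shared with C; with verification the forged message is rejected before any key is used.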
Question 5. “What is Nmap?”
Hiring managers like to ask this question because if anybody has done any kind of security in their life at some point, they’ve used Nmap.
Nmap is really just a network mapper: a free, open source tool that scans your hosts for you. That way you can find which hosts are up, which ports are open on your systems, and security risks, and it can help you hack into a system.
It's used by white hat or ethical hackers to find things that are open and try to use them to penetrate the systems. They then tell the organization about the possible vulnerabilities and how to mitigate them.
It's also used by black hat hackers, people who want to do ill to the organization. They use Nmap to scan for open services and vulnerabilities, and then attack based on what they find.
Question 6. “What is IAM?”
Asking this, a hiring manager wants to know that the candidate knows what IAM is.
If an interviewee says that IAM is:
- Identification of the users that access your system.
- Authorizing them to do things that are related to their roles, and only their roles.
- Logging what they did when they're done, so you can track what they've done.
Then I know they understand IAM.
When I started out, we used the concept of triple A (AAA): Authentication, Authorization, Accounting.
- Authentication: making sure the user is the user.
- Authorization: determining what the user is allowed to do on the system and letting them do it.
- Accounting: tracking what they did.
That’s what IAM is. When we hear something like that, we know the candidate is familiar with the topic.
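As an added example (not from the original post), the three parts of IAM/AAA above in a few lines of Python: a token is authenticated against a session store, the user's role is authorized against IAM-style Effect/Action/Resource statements (default deny, explicit Deny wins over Allow), and every decision is written to an audit log. The policies, session store, user names and function names are constructed for this example.

```python
import fnmatch
from datetime import datetime, timezone

# Constructed role policies in the IAM style: Effect / Action / Resource with
# "*" wildcards. Anything not explicitly allowed is denied, and an explicit
# Deny always wins over an Allow (that is the "only their roles" part).
ROLE_POLICIES = {
    "developer": [
        {"Effect": "Allow", "Action": "s3:Get*", "Resource": "arn:aws:s3:::app-bucket/*"},
        {"Effect": "Allow", "Action": "s3:PutObject", "Resource": "arn:aws:s3:::app-bucket/dev/*"},
        {"Effect": "Deny", "Action": "s3:*", "Resource": "arn:aws:s3:::app-bucket/prod/*"},
    ],
}
# Constructed session store: a token issued at login maps to a user and role.
SESSIONS = {"tok-alice-7f3": ("alice", "developer")}
AUDIT_LOG = []  # accounting: one record per access decision


def authenticate(token):
    """Authentication: is the presenter of this token a known user?"""
    return SESSIONS.get(token)


def authorize(role, action, resource):
    """Authorization: default deny, deny-overrides, wildcard matching."""
    decision = "deny"
    for stmt in ROLE_POLICIES.get(role, []):
        if (fnmatch.fnmatchcase(action, stmt["Action"])
                and fnmatch.fnmatchcase(resource, stmt["Resource"])):
            if stmt["Effect"] == "Deny":
                return "deny"      # an explicit Deny ends evaluation immediately
            decision = "allow"
    return decision


def request(token, action, resource):
    """AAA in one call: authenticate, authorize, then record what happened."""
    session = authenticate(token)
    user, role = session if session else ("<unauthenticated>", None)
    decision = authorize(role, action, resource) if session else "deny"
    AUDIT_LOG.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "user": user, "action": action, "resource": resource, "decision": decision,
    })
    return decision
```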
Question 7. “What is social engineering?”
The interviewer wants to see if someone truly has a grasp of it and can explain it as well.
Social engineering is the use of deception to elicit information from people that they wouldn't normally give you. A malicious actor pretends to be someone or something, maybe to get a person's password or other critical pieces of information. Then they use that information to exploit or attack the systems.
Question 8. “How would you secure an enterprise?”
The reason hiring managers ask this question is to see if you really understand security.
People who have some AWS certification knowledge but no security background would reply: “Network ACL, Security Group and WAF.”
Serious security is a multi-layered approach!
- First and foremost, it starts with a policy that describes what assets are worth protecting, the types of protections that will be used, and the how, the why and the rationale.
Then you’re going to look at it from a user perspective, an encryption perspective, an IAM perspective, and a tech perspective.
- The following step is to build an impenetrable fort. At the edge of your network, you stick a firewall. It lets your good traffic go out and then return, but it keeps all your bad guys out. It's your
But what if the hacker gets in? And at some point they will. You need something sitting right behind the firewall to stop anybody that gets in.
- That's your IDS/IPS: intrusion detection and intrusion prevention systems. They monitor for patterns of behavior that don't look right and stop them, for example by adding a new firewall rule or resetting a TCP connection. They're effective at stopping such events.
- For any web-facing component, you need DDoS protection. That's when you start thinking about things like Cloudflare or AWS Shield, and some type of DNS protection. Obviously you don't want to be hacked, and you don't want a Denial of Service (DoS/DDoS) attack either.
- Then you have to protect your subnets and your network. You can do that with ACLs on routers, or with Network ACLs in a cloud computing environment.
- After that, you have to protect your hosts. With AWS, you will use a Security Group, which protects the traffic into the host. On the host itself, you still want endpoint protection: an additional host-based firewall and malware protection. This gives you good protection from the edge of your network all the way to your systems.
- You still have to make sure your stored data is encrypted.
- You still have to secure the integrity of your physical systems. For example, if you've got a router that connects to your cloud sitting in the middle of a room where anybody can plug into it, then anybody can access your cloud and bypass pretty much all of your security.
- You have to think about identity and access management.
- You have to think about training your users to avoid phishing attacks and social engineering.
That's what goes into securing an enterprise!
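As an added example (not from the original post), the difference between the Network ACL layer and the Security Group layer described above, in Python: the NACL evaluator is stateless, ordered by rule number and ends in an implicit deny, so the reply to a client's ephemeral port must be allowed explicitly, while the security group is stateful and allow-only, so an admitted request carries its reply. The rule sets, addresses and function names are constructed for this example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    number: int   # NACL rules are evaluated in ascending order; ignored by SGs
    cidr: str
    port_lo: int
    port_hi: int
    action: str   # "allow" or "deny" (security groups only ever have allows)


def matches(rule, addr, port):
    return (ipaddress.ip_address(addr) in ipaddress.ip_network(rule.cidr)
            and rule.port_lo <= port <= rule.port_hi)


def nacl_allows(rules, remote_addr, port):
    """Network ACL: stateless, first matching rule wins, implicit final deny."""
    for rule in sorted(rules, key=lambda r: r.number):
        if matches(rule, remote_addr, port):
            return rule.action == "allow"
    return False


def nacl_round_trip(inbound, outbound, client, client_port, server_port):
    """Request and reply are checked independently: the reply goes back to the
    client's ephemeral port, so the outbound rules must allow that range."""
    return (nacl_allows(inbound, client, server_port)
            and nacl_allows(outbound, client, client_port))


def sg_round_trip(inbound, client, client_port, server_port):
    """Security group: stateful and allow-only. If the request matches an
    inbound allow, its reply is tracked and admitted with no outbound rule."""
    return any(matches(r, client, server_port) for r in inbound)


# Constructed sample: an Internet client on ephemeral port 51000 talks to a web host on 443.
CLIENT, CLIENT_PORT, HTTPS = "203.0.113.5", 51000, 443
WEB_IN = [Rule(100, "0.0.0.0/0", 443, 443, "allow")]
# Common mistake: the outbound NACL mirrors the inbound one, so the reply to port 51000 is dropped.
MIRRORED_OUT = [Rule(100, "0.0.0.0/0", 443, 443, "allow")]
# Fix: allow the ephemeral port range outbound (a lower-numbered deny would still win).
EPHEMERAL_OUT = [Rule(100, "0.0.0.0/0", 1024, 65535, "allow")]
```

The same single inbound rule lets the connection work behind a security group but not behind a mirrored NACL, which is exactly the difference a candidate should be able to explain.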
You want to show the hiring manager that you have the technical competency to perform the job by answering these types of questions in a way that proves you understand the strengths and weaknesses of each technology and why you would use it.
In this article, we focused on security. Security is a critical part of any solution. Be able to tell the hiring manager about any technology they ask you in the following manner: what the technology is, how it works, and why you would use it.
Do this and you will prove to the hiring manager that you're in the top 10th of 1%; you will be hired, you will get paid more, and you will have a wonderful cloud computing career.