Suryansh Rastogi, a graduate from BITS Pilani (Pilani '17) with a BE degree in Manufacturing Engineering, began his journey into the realm of computer science. Despite his formal education, his passion for technology led him to contribute to projects like the Infobits library site during university. With a focus on Android development and cloud computing, especially in security, he honed his skills in platforms like Google Cloud Platform and Azure.

Joining Deloitte US as a cloud security specialist, he navigated complex cloud landscapes and implemented robust security practices. This experience paved the way for roles at Oracle and Microsoft as a cloud security architect, where he further solidified his expertise in safeguarding cloud environments and driving advancements in security practices.

What's the most interesting project you've worked on?

“I've been involved in instances where I had to wake up at 2 am to deal with an attack. We once discovered a new service vulnerable to a privilege escalation attack, allowing unauthorized access to sensitive data. This breach was particularly alarming as it mirrored our own organization's security protocols, evading detection from the organization's security system. The attack, orchestrated by an enemy state targeting a government client, necessitated tracing through multiple countries to pinpoint the source. Working tirelessly for 36 hours, we contained and neutralized the threat, safeguarding data integrity during the sensitive midterm elections period.”

What are the expectations and tasks of a cloud security architect?

“A security specialist is expected to understand the current security landscape along with tools and services, in addition to frameworks like the software development lifecycle. I'd say it's very important to know system design as well - like when you want to design a building you need to know the mortar, brick, etc. that’s needed for it. It's necessary to be familiar with the OWASP top ten, which is a maintained list of top 10 vulnerabilities for different environments, aggregated based on reported incidents.

Basically the expectations are to know what services are in the market and how to protect them from an attack - which is the best service with respect to performance, cost, functionality and time factors which are from a development perspective.”

What aspects are considered when thinking about security of a service?

“There are two major aspects to think about - data security and application security. Data security only focuses on what data you are getting, and how you are securing it. Application security refers to the actual code and libraries involved in building an application, making sure no critical vulnerabilities are identified in the code. Using the latest versions of libraries could even be hazardous as they have not been tested in the environment and may have new vulnerabilities you are not aware of.”

What can the early developer keep in mind about incorporating security considerations into their code?

“It's very important to grasp the implications of what you're trying to develop. Platforms like Facebook and Instagram wield immense power, handling users' chats, photos, and more, which entails significant responsibility. Neglecting security could lead to colossal fines and harm consumers. As developers, it's crucial to acquaint oneself with OWASP's top ten vulnerabilities and guidelines for handling sensitive data. Additionally, exploring the option of acquiring certifications from cloud providers like Azure and Google, and diving deep into language documentation is beneficial. Following security blogs from industry giants such as Netflix and Microsoft can also help keep you updated on evolving threats and solutions.”

What were the requirements to transition into a cloud security oriented role, and would you say higher education (like a masters) is necessary?

“For me, transitioning into a cloud security-oriented role wasn't about having a specific degree but rather about having a hunger for knowledge. Higher education isn't always necessary; what really matters most is your drive to learn. Self-study is entirely feasible, and there's no need to shell out hefty amounts for formal education to get into this field. Seek guidance where you can. It can be very difficult to get a roadmap on how to get into this field on the internet, so anyone interested feel free to reach out to me on LinkedIn. Big organizations invest heavily in security, making it a rewarding career path for those willing to learn and adapt. Young developers should prioritize security and embrace the learning journey.”

What areas of cloud security architecture are most likely to become important in the future, and what are companies most interested in?

“Security from the company perspective can't be thought of as unidimensional - companies have to think about ‘defense in depth’ (a strategy that leverages multiple security measures to protect an organization's assets). While individuals would think about security from a software perspective, like firewalls for example, companies have to think about not only the software but also where the code is being used, where the code being run, even the chipset and hardware of that machine - even discarded hard drives and old infrastructure can still contain a great deal of data, and source code can be reverse engineered from that, which has happened in the past. There is also the method of social engineering, where malicious attackers befriend people working at these companies and use this data to reverse engineer their way into the system. Companies will have to retain a holistic view on their security in the current landscape.”

Is there scope for growth in the field for an interested individual?

"Tremendous, tremendous scope. At the executive level, the existence of the CISO (Chief Information Security Officer) alongside positions like CEO, CSO and CFO underscores the significance of security in organizations. While companies may not always prioritize roles like Python or Java developers, the demand for security specialists remains constant. Opportunities abound, even in startups, as evidenced by a recent startup reaching out to me for a security specialist position, before they were acquired for $100 million. The potential for growth in the security space is simply insane.”

Any final thoughts or comments?

“Security is something I would encourage developers, especially BITSians, to think about - BITSians especially are a hub of entrepreneurial ideas, and there is definitely a lot of scope in the startup space for security work. It’s an exceptionally rewarding career, in close knit teams. Like how countries have their divisions of the air force, army and navy, we have people and departments that specialize in different aspects of security. Stories from the field are never really published due to security implications and the reputation that we need to have, but it is something that we internally know and are very proud of.