Security is the second biggest challenge businesses face when using cloud computing*. This presents a great opportunity for those aspiring to become cloud security analysts. This means that if you fulfill that aspiration, you will have the skills to meet this critical need. But what is a cloud security analyst and how do you become one? We answer these questions and more in this article.
*Source: 2024 State of the Cloud Report
What is a cloud security analyst?
A cloud security analyst is a professional who specializes in ensuring the security and integrity of an organization’s cloud-based systems, applications, and data. Your main role as an analyst would be to protect your organization’s cloud-based assets from data breaches, unauthorized access, malware attacks, and other cyber threats.
As more organizations migrate their operations to cloud environments, such as Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP), the demand for cloud security analysts should likewise continue to grow.
Key Roles and Responsibilities
Depending on the size of your organization, you may be asked to take on one or more of these roles and responsibilities.
Information risk management
As a cloud security analyst, one of your key responsibilities is to develop strategies to minimize cyber risks to your organization’s cloud assets. Part of this responsibility is to identify the threats that are likely to impact your organization’s cloud environment, as well as the vulnerabilities present in that environment. You must then reduce the impact of those threats or reduce the likelihood of those threats by setting up appropriate defenses and eliminating those vulnerabilities.
Given that most organizations operate with limited budgets, another element of this responsibility is to plan a security budget. You must determine which assets would have the greatest impact on your business if compromised and prioritize your security spending accordingly. Higher value assets should naturally have greater allocation. This will enable you to utilize your financial resources more cost-effectively.
Compliance and cloud security posture management
Depending on its location and the industry it operates in, your business may be subject to data security standards, laws and regulations. For example, if your organization is in healthcare and operates in the United States, it’s subject to the Health Insurance Portability and Accountability Act (HIPAA). If it operates in the European Union, it would likely be governed by the General Data Protection Regulation (GDPR). Or if it stores, transmits, or processes credit card information, it may have to adhere with the requirements of the Payment Card Industry Data Security Standard (PCI DSS).
As a cloud security analyst, you may be responsible for configuring and monitoring your organization’s cloud assets so that they’re compliant with those standards, laws, and regulations. You would typically use Cloud Security Posture Management (CSPM) solutions and similar tools to detect misconfigurations and vulnerabilities in your cloud environment that may result in non-compliance.
In this particular role, you may be tasked to submit reports to management, compliance teams, auditors, and other stakeholders. These may include reports for compliance audits, security configurations, vulnerability assessments, risk assessment and management, and CSPM. Since some of these reports are intended for a non-technical audience, this role is best suited for those with good communication skills, who can effectively translate technical findings into clear, concise, and actionable insights.
Threat intelligence
Another exciting role you can fill is threat intelligence. This entails monitoring cyber threat intelligence (CTI) feeds to identify emerging and imminent threats to your cloud environment. CTI feeds contain information about threat actors, malware, and vulnerabilities. It may also include threat actor tactics, techniques, and procedures (TTPs).
You can then leverage that threat intelligence to:
- Set up appropriate defenses,
- Reconfigure security settings (e.g., firewall rules, access control lists),
- Respond to incidents,
- And even recommend changes to your organization’s security policies
Threat detection and incident response
You may also be tasked to monitor your cloud environment for suspicious behavior, which might turn out to be a cyber attack. To be effective in this role, you will have to set up a cloud Intrusion Detection System/Intrusion Prevention System (IDS/IPS) as well as alerts and dashboards to obtain real-time visibility into security incidents.
If a threat is detected, you would be responsible for conducting further investigation, determining root causes, and containing the threat to prevent further damage. In most cases, you would have to work with cross-functional teams to resolve incidents and, when the dust settles, implement preventive measures.
How much does a cloud security analyst make?
Cloud security analyst salaries can vary depending on several factors, with location and experience level being two of the most significant determinants. Here are some very rough estimates of the salary ranges you can find in different countries. For more accurate and up-to-date information, you can check salary research platforms, such as Glassdoor, PayScale, and Indeed.
| Location | Average (annual) salary range (USD) | ||
| Entry-level | Mid-level | Senior-level | |
| United States | $70,000 – $90,000 | $100,000 – $120,000 | $130,000 – $160,000 |
| Australia | $60,000 – $80,000 | $85,000 – $110,000 | $120,000 – $150,000 |
| United Kingdom | $50,000 – $65,000 | $75,000 – $95,000 | $100,000 – $130,000 |
| United Arab Emirates | $40,000 – $60,000 | $60,000 – $90,000 | $100,000 – $130,000 |
| South Africa | $20,000 – $30,000 | $40,000 – $60,000 | $70,000 – $90,000 |
| India | $7,000 – $12,000 | $15,000 – $25,000 | $30,000 – $50,000 |
How to become a cloud security analyst
Becoming a cloud security analyst usually entails a combination of education, skills, certifications, and experience, but not necessarily in that order. Let’s break these down.
1. Educational foundation
As of this writing, we couldn’t find any degree tailored specifically for cloud security. However, the concepts and skills essential to a cloud security analyst’s roles and responsibilities are taught in certain degree programs. If you want to acquire the required attributes through formal education, you can focus on the following degrees:
- Computer Science
- Information Technology
- Cybersecurity
- Cloud Computing
That being said, education is probably the least important among all four factors if your goal is to land a job. While it does provide you a solid foundation, and some companies do require a degree, most companies put more emphasis on hands-on experience, relevant skills, and certifications when hiring a cloud security analyst. This will become clearer as we explore the other factors.
2. Certifications
Potential employers will want some tangible proof of your knowledge and expertise in cloud security. If you haven’t completed any of the degrees mentioned above, relevant certifications should suffice. In fact, because dedicated cloud security degrees are not being offered yet, cloud security certifications issued by industry-recognized organizations tend to be more highly regarded.
Some of these certifications include:
- AWS Certified Security – Specialty
- Microsoft Certified: Azure Security Engineer Associate
- Google Professional Cloud Security Engineer
- Google Cloud Cybersecurity Professional Certificate (Note: This is a beginner level certification)
Alternatively, you can combine cybersecurity certifications and cloud computing certifications such as:
- CompTIA Security+
- AWS Certified Cloud Practitioner
- Microsoft Azure Fundamentals (AZ-900)
- Certified Ethical Hacker (CEH)
- Certified Information Systems Security Professional (CISSP)
If you have zero experience in either cybersecurity or cloud computing, you can use these professional certificate programs at Coursera as jump-off points:
Cybersecurity
- Google Cloud Cybersecurity Professional Certificate
- Microsoft Cybersecurity Analyst Professional Certificate
- IBM Cybersecurity Analyst Professional Certificate
- IBM and ISC2 Cybersecurity Specialist Professional Certificate
We wrote overviews of these four certificate programs in our blog post: 4 Coursera Cybersecurity Courses with Professional Certs for Beginners
Cloud computing
- AWS Cloud Technology Consultant Professional Certificate
- Google Cloud Digital Leader Training Professional Certificate
- Microsoft Cloud Support Associate Professional Certificate
3. Relevant skills
To be an effective cloud security analyst, you need to possess skills that would enable you to secure your organization’s cloud-based assets. Of course, before you can secure those assets, you need to be familiar with the environment where those assets reside. So, first of all, you should know how to use AWS, GCP, or Azure, or whichever cloud platform your organization is hosting its applications and data.
At the minimum, should know how to:
- Configure Identity and Access Management (IAM) systems
- Implement encryption protocols and data protection measures.
- Manage cloud-native tools like AWS Shield, Azure Security Center, or Google Cloud Security Command Center.
The required skill sets will largely depend on your role once hired. For instance, if you’re role involves incident detection and response, then you’ll have to be skilled in:
- Root cause analysis
- Incident triaging, threat containment, and problem remediation
- Security Information and Event Management (SIEM) tools like Splunk and Sumo Logic
Technical assessments, wherein employers actually test your skills, are increasingly being incorporated into the hiring process. These tests may involve hands-on challenges in sandboxed environments, simulated scenarios on incident response or vulnerability risk mitigation, or coding challenges for script-based automation proficiency. Thus, it’s not enough to be familiar with those skills in theory. You should be able to demonstrate proficiency when you’re asked to do so.
4. Experience
As expected, employers value experience more than any of the other criteria. If you have done cloud security in a real-world setting—whether through internships, freelance projects, or full-time roles—you’ll have a much greater chance of getting hired. Unfortunately, cloud security jobs have only become prominent in the last decade, so the chances of having a significant experience in this field is quite low.
Would you like to check out other potential careers in cybersecurity? Scroll back up and select a career from the sidebar.