r/CloudSecurityPros

Cyber Sec To Cloud Then Cloud Sec

Hello , i am a 24y female, i have been feeling really lost and confused on how to start, i have a basic level of cyber sec knowledge no experience and i have decided i want to get into cloud then cloud security longterm , i have yet to decide whether to start with aws or azure. Moreover, i really want advice on a roadmap starting from IT basics to getting a cloud job whether is adminstration or support to then continue to cloud sec further down the line.

I would really really appreciate advice!

reddit.com
u/NoNeedleworker546 — 4 days ago

What are best observability tools in 2026

Been dealing with the gap between what our iam stack governs and what’s actually happening across our application estate for the past year. Identity dark matter is real and much bigger than most teams realize: unmanaged apps, hardcoded credentials, service accounts operating outside any lifecycle process, and agentic AI systems moving at machine speed with no owner attached.

The core problem most orgs are misdiagnosing: it’s not primarily a governance problem, it’s a visibility and identity observability problem. IAM policies are often configured correctly for the applications they know about. The risk lives in everything they don’t see, unmanaged applications, shadow IT, legacy systems, and AI agents acting as identities.

Here’s what I found evaluating tools built to close that identity observability gap:

  1. SailPoint Governance‑centric with deep IGA capabilities, built for large complex orgs. Strong at managing identity lifecycle and access policy across formally onboarded applications. AI‑driven access recommendations and role management have matured significantly. The gap: observability depth is largely limited to what’s been formally integrated, so shadow IT and unmanaged environments still need supplementary tooling for coverage.
  2. Orchid Security Instruments at the application layer rather than pulling only from IAM logs. Continuously discovers apps across the estate, reads auth and authorization logic directly from source, and surfaces identity dark matter that governance platforms can’t reach. Stands out for unmanaged, legacy, and shadow applications where traditional IGA and PAM tools have little visibility.
  3. CyberArk PAM‑first heritage expanded into broader identity security through acquisitions like Venafi and Zilla Security. Covers human, machine, and agentic AI identities under a single platform. Observability depth is strongest where environments are formally integrated; shadow IT and unmanaged legacy apps still require supplementary identity observability tooling.
  4. Saviynt Converged IGA and PAM in a cloud‑native architecture. Goes deeper than directory‑layer governance for supported enterprise platforms including SAP, Oracle, and Salesforce. Coverage depth varies significantly by application: strongest where prebuilt connectors exist, weaker for custom, homegrown, or long‑tail applications that often make up identity dark matter.
  5. Okta Identity platform of record for a large chunk of the enterprise market. Delivers SSO, MFA, and lifecycle management at scale, with identity security posture features layered on for managed apps. Hard limit: coverage is constrained to what’s connected to the Okta tenant and largely relies on logs rather than true real‑time application‑layer telemetry.

Anyone else been through an identity observability evaluation recently? How are you handling unmanaged application coverage and identity dark matter in practice, especially with agentic AI identities creeping into your estate?

reddit.com
u/Curious-Cod6918 — 10 days ago

What is continuous compliance monitoring in the cloud?

It's the difference between knowing your posture passed an audit six months ago and knowing it's compliant right now. Cloud environments change constantly,  a passing configuration on Monday can drift into a failing one by Wednesday.

Continuous compliance monitoring tracks posture in real time against frameworks like SOC 2, PCI-DSS, or ISO 27001, automatically collecting evidence as infrastructure changes rather than scrambling before each audit cycle. Has your team made this shift? What did it take to get auditors on board?

reddit.com
u/Ana_Tangelo — 14 days ago