Kevin Kloft is a graduate of the RUB and now works as a Security Solutions Architect at the cybersecurity consultancy carmasec in Cologne.
Tell us about your time at university: Why did you decide to study at the RUB? What subjects were you particularly interested in? To whom would you recommend your studies today?
I chose the RUB because it is considered the best university in Europe for studying IT security. The choice of topics also influenced my decision at the time: From network security to cryptography, the curriculum contains a very good selection of subject specialisations, which I frequently fall back on in my job today.
During my studies, I was particularly interested in the topics of network security and system security - two subject areas in which my everyday working life is today. Basically, I would recommend the degree programme to anyone who is interested in information security and IT security. The wide range of security topics opens up many possible career paths for graduates, in which they can orient themselves after graduation.
What advice would you give to current RUB students regarding the choice of topic for their final thesis?
My first and most important advice is: Take your time when choosing your final thesis topic and don't start looking at the last minute. I didn't follow my own advice at the time and had to choose a topic in the field of hardware security. That was OK, but other topics would have been much more fun for me.
That's also my second tip: find an area that really interests you. You might even develop your own idea for a project or a paper.
Then - and this is my third advice - look for a partner company that will supervise and support your thesis. This way you work directly on a project with practical relevance, make your first contacts in industry and have the chance to get a taste of the professional world outside of your topic.
What were your first steps after graduation? What criteria did you use to choose your first job?
My first step was to choose my dream city: Cologne. I already knew relatively well during my studies that I wanted to go into IT security consulting with a technical focus, so I looked around for relevant jobs in Cologne and the surrounding area and applied. Since IT security experts are currently being sought everywhere, this approach can still work well.
Today, I have specialised in the topics of cloud and container security as well as DevSecOps. Due to my studies, I can deal with these focal points without having to undergo further training.
You work as a Security Solutions Architect at carmasec. What exactly do you do there?
I'm an IT security consultant, which means I spend a lot of my time working directly on customer projects. I spend 50 percent of my time in direct contact with customers, planning projects and training employees. The rest of the time I spend implementing projects, solving challenges and training myself.
My main topics are cloud security and DevSecOps. For my clients, I primarily examine cloud architectures from large service providers such as Azure, AWS and GCP and evaluate the use of security services. In doing so, I not only make sure that best practices of the service providers are applied. I check the cloud environments and also the application of the guidelines and standards defined by my clients.
I also deal with the question of how cloud architectures can be tested for security before deployment. To do this, I build automated pipelines that check the corresponding infrastructure code (IaC - Infrastructure as Code) for security errors. We also use the Policy as Code (PaC) concept to automatically check the code against existing policies. I find it particularly exciting that rules and policies are also mapped by code.
A third focus of my work is containers and Kubernetes security: Here I deal with the question of how I can operate my workload securely in an orchestrated environment.
Can you give us one or two examples of typical projects you are involved with?
For a client in the field of digital commerce, I am currently checking the organisation's cloud architecture and landing zone for vulnerabilities and threats. I also check the compliance of individual productive environments.
In another project in the field of logistics, we have built a central cloud platform for the organisation - including pipeline, terraform and security automation.
Do you feel that your studies prepared you well for your current job? What did you bring with you from your studies, in which subject areas did you continue your education after graduation?
Today I am very satisfied with my decision to study at the RUB. The baseline of the degree was very good, i.e. a lot of basics were taught that I can build on. Today, I have specialised in the topics of cloud and container security as well as DevSecOps. Because of my studies, I can deal with these focal points without having to undergo further training. Since I am interested in these topics, I first familiarised myself with them and later acquired the relevant certificates such as AWS Practitioner and Azure Administrator.
Today, I know that "training on the job" during or after my studies is very valuable. Due to the diverse projects, I have been able to further educate myself in the most varied areas and methodologies, and I learn more every day.
To whom would you recommend your job? What kind of education and affinity do they need to have?
The person should be IT-savvy and enjoy technical challenges. He or she should be willing to learn something new every day. This includes a large portion of curiosity.
carmasec is a cyber security consulting boutique founded in Germany in 2018. As a "trusted advisor" in the field of cyber resilience, the company offers its national and international clients professional consulting services and solutions. Its expertise lies in the areas of cloud security, information security, DevSecOps, identity & access management, risk management, security architecture, security awareness, security automation and data protection. The team of experts has already successfully implemented over 100 customer projects in the telecommunications, logistics, financial services, healthcare and energy sectors.
General note: In case of using gender-assigning attributes we include all those who consider themselves in this gender regardless of their own biological sex.