1/29/2016
11:30 AM
Kaushik Narayan
Commentary

Cloud Security: It’s Become A People Problem

Now that the cloud is becoming secure enough for sensitive data, are cloud customers ready to hold up their end of a shared liability model?

Fear characterized the early days of cloud adoption – some of it justified and some purely sensational. The concept of sending data off the corporate network and thus outside of existing security technology spooked IT security professionals. But now that cloud has matured, one of the greatest barriers to adoption has become a people problem.  

Times have changed, and even former holdouts in regulated industries have warmed to cloud technology. Last year, US Chief Information Officer Tony Scott called for organizations to “get to the cloud as fast as [they] can” for better security, and a recent survey from the Cloud Security Alliance confirmed this attitude among rank-and-file IT professionals, with 64.9% of respondents describing cloud software as a service as secure or more secure than on-premises software.

This growing confidence in the security capabilities of cloud providers reinforces Gartner’s prediction that in 2016, 95% of cloud security incidents will be the customer’s fault. Enterprise cloud providers’ entire business model depends on preventing breaches, and they have more resources and top talent to dedicate to security. But now that the cloud is secure enough for sensitive data, can cloud customers hold up their end of the shared liability model?

The Cloud Security Skill Gap

Anyone who has tried to fill open IT security headcount is familiar with the shortage of skilled professionals. There are currently more than 209,000 unfilled cybersecurity jobs in the US alone, and job postings have increased 74% over the past five years. Retaining talent has become just as difficult. As one might expect, salaries have kept pace with budgets, giving rise to anecdotes of security engineers moving to jobs for double their previous salary.

Nowhere is the security skill shortage more severe than in emerging technology areas like cloud. CSA survey respondents specified a lack of expertise as the biggest barrier to effectively detecting and stopping data loss in the cloud. This finding represents a huge pain point for companies; attitudes and technology have advanced to the point that more companies than ever are willing to take advantage of the benefits of cloud, yet the lack of human expertise is still holding back progress.

Given the lag for education to catch up in the workforce, companies struggling with this challenge can turn to stopgaps for the immediate future. Companies can pursue a combination of solutions to compensate for a lack of internal expertise. Third-party experts can help fill the knowledge gaps. Consulting firms have made moves to ramp up their cloud business over the past year, and cloud vendors often serve an expanded role as trusted partners helping to inform organizations’ security practices. Conferences and knowledge-sharing organizations like the CSA can also play an important role in diffusing knowledge through educational programming and sharing war stories.

Enforcing cloud security with a shortage of expertise can also pressure IT security staff to run a tight, efficient ship. Upfront investments in processes and technology can streamline operations. Organizations can automate security through cloud APIs and other vectors for extending existing security infrastructure. Staff should also rely on crowd-sourced information about high-risk services whenever possible. The majority of companies (71.2%) have implemented a formal process for requesting and evaluating new cloud services, reducing IT’s workload and increasing user satisfaction and productivity, according to the CSA survey.

Seizing the Opportunity to Make the Rules

Companies that address the cloud security skill gap head-on will see other positive side effects in addition to the intended reduction in risk from cloud use. In efforts to retain talent, companies are going out of their way to keep employees engaged with rotating roles, exposure to new technologies, and educational programs.

Experience with cloud technologies is also desirable for security professionals looking to stay on the cutting edge of the industry. CISOs, for example, are under pressure to align security with business objectives, and the tools in demand are frequently cloud services. As with any area of emerging technology, many of the best practices of cloud security have yet to be defined and are constantly evolving. Progressive IT security departments have the opportunity to become leaders and innovators in this booming space.

Expect cloud security to rise as a prominent area of investment for IT staff’s professional development and education. And for IT professionals, gaining exposure to cloud security initiatives may be one of the best career moves they can make.


Kaushik Narayan is a Co-Founder and CTO at Skyhigh Networks, a cloud security company, where he is responsible for Skyhigh's technology vision and software architecture. He brings over 18 years of experience driving technology and architecture strategy for enterprise-class ...
Comments
Christian Bryant
User Rank: Ninja
1/29/2016 | 7:48:34 PM
Cloud Security Trending in Trainings
I think a good indication that this is true is the level of cloud security training and education that is starting to appear. In particular, the course content for Black Hat 2015 and 2016 is phenomenal. As the number of exploits grows for popular cloud infrastructures, employers will be looking for security engineers who not only have the core cloud infrastructure knowledge in hand, but cutting-edge and unique approaches to addressing these exploits for good.

Cloud has been fun and engaging since day 1 at the technical level, but now it is time to get serious at the security level, whatever your role in cloud engineering, and possibly be one of those engineers who meet this growing security need. Time to formulate a 5-year plan!