1/29/2016
11:30 AM
Kaushik Narayan
Commentary

Cloud Security: It's Become A People Problem

Now that the cloud is becoming secure enough for sensitive data, are cloud customers ready to hold up their end of a shared liability model?

Fear characterized the early days of cloud adoption – some of it justified and some purely sensational. The concept of sending data off the corporate network and thus outside of existing security technology spooked IT security professionals. But now that cloud has matured, one of the greatest barriers to adoption has become a people problem.  

Times have changed and even former hold-outs in regulated industries have warmed to cloud technology. Last year, US Chief Information Officer Tony Scott called for organizations to “get to the cloud as fast as [they] can” for better security, and a recent survey (registration required) from the Cloud Security Alliance confirmed this attitude among rank and file IT professionals, with 64.9% of respondents describing cloud software as a service as secure or more secure than on-premises software.

This growing confidence in the security capabilities of cloud providers reinforces Gartner’s prediction that in 2016, 95% of cloud security incidents will be the customer’s fault. Enterprise cloud providers’ entire business model depends on preventing breaches, and they have more resources and top talent to dedicate to security. But now that the cloud is secure enough for sensitive data, can cloud customers hold up their end of the shared liability model?

The Cloud Security Skill Gap

Anyone who has tried to fill open IT security headcount is familiar with the shortage of skilled professionals. There are currently more than 209,000 unfilled cybersecurity jobs in the US alone, and job postings have increased 74% over the past five years. Retaining talent has become just as difficult. As one might expect, salaries have kept pace with budgets, giving rise to anecdotes of security engineers moving to jobs for double their previous salary.

Nowhere is the security skill shortage more severe than in emerging technology areas like cloud. CSA survey respondents specified a lack of expertise as the biggest barrier to effectively detecting and stopping data loss in the cloud. This finding represents a huge pain point for companies; attitudes and technology have advanced to the point that more companies than ever are willing to take advantage of the benefits of cloud, yet the lack of human expertise is still holding back progress.

Given the lag for education to catch up in the workforce, companies struggling with this challenge can turn to stopgaps for the immediate future. Companies can pursue a combination of solutions to compensate for a lack of internal expertise. Third-party experts can help fill the knowledge gaps. Consulting firms have made moves to ramp up their cloud business over the past year, and cloud vendors often serve an expanded role as trusted partners helping to inform organizations’ security practices. Conferences and knowledge-sharing organizations like the CSA can also play an important role in diffusing knowledge through educational programming and sharing war stories.

Enforcing cloud security with a shortage of expertise can also pressure IT security staff to run a tight, efficient ship. Upfront investments in processes and technology can streamline operations. Organizations can automate security through cloud APIs and other vectors for extending existing security infrastructure. Staff should also rely on crowd-sourced information about high-risk services whenever possible. The majority of companies (71.2%) have implemented a formal process for requesting and evaluating new cloud services, reducing IT’s workload and increasing user satisfaction and productivity, according to the CSA survey.

Seizing the Opportunity to Make the Rules

Companies that address the cloud security skill gap head-on will see other positive side effects in addition to the intended reduction in risk from cloud use. In efforts to retain talent, companies are going out of their way to keep employees engaged with rotating roles, exposure to new technologies, and educational programs.

Experience with cloud technologies is also desirable for security professionals looking to stay on the cutting edge of the industry. CISOs, for example, are under pressure to align security with business objectives, and the tools in demand are frequently cloud services. As with any area of emerging technology, many of the best practices of cloud security have yet to be defined and are constantly evolving. Progressive IT security departments have the opportunity to become leaders and innovators in this booming space.

Expect cloud security to rise as a prominent area of investment for IT staff’s professional development and education. And for IT professionals, gaining exposure to cloud security initiatives may be one of the best career moves they can make.

Kaushik Narayan is a Co-Founder and CTO at Skyhigh Networks, a cloud security company, where he is responsible for Skyhigh's technology vision and software architecture. He brings over 18 years of experience driving technology and architecture strategy for enterprise-class ...
Comments
Christian Bryant
1/29/2016 | 7:48:34 PM
Cloud Security Trending in Trainings
I think a good indication that this is true is the level of cloud security training and education that is starting to appear. In particular, the course content for Black Hat 2015 and 2016 is phenomenal. As the number of exploits grows for popular cloud infrastructures, employers will be looking for security engineers who not only have the core cloud infrastructure knowledge in hand, but cutting-edge and unique approaches to addressing these exploits for good.

Cloud has been fun and engaging since day 1 at the technical level, but now it is time to get serious at the security level, whatever your role in cloud engineering, and possibly be one of those engineers who meet this growing security need.  Time to formulate a 5-year plan!