Careers & People
1/29/2016
11:30 AM
Kaushik Narayan
Commentary

Cloud Security: It's Become A People Problem

Now that the cloud is becoming secure enough for sensitive data, are cloud customers ready to hold up their end of a shared liability model?

Fear characterized the early days of cloud adoption – some of it justified and some purely sensational. The concept of sending data off the corporate network and thus outside of existing security technology spooked IT security professionals. But now that cloud has matured, one of the greatest barriers to adoption has become a people problem.  

Times have changed, and even former hold-outs in regulated industries have warmed to cloud technology. Last year, US Chief Information Officer Tony Scott called for organizations to “get to the cloud as fast as [they] can” for better security, and a recent survey (registration required) from the Cloud Security Alliance confirmed this attitude among rank-and-file IT professionals, with 64.9% of respondents describing cloud software as a service as secure or more secure than on-premises software.

This growing confidence in the security capabilities of cloud providers reinforces Gartner’s prediction that in 2016, 95% of cloud security incidents will be the customer’s fault. Enterprise cloud providers’ entire business model depends on preventing breaches, and they have more resources and top talent to dedicate to security. But now that the cloud is secure enough for sensitive data, can cloud customers hold up their end of the shared liability model?

The Cloud Security Skill Gap

Anyone who has tried to fill open IT security headcount is familiar with the shortage of skilled professionals. There are currently more than 209,000 unfilled cybersecurity jobs in the US alone, and job postings have increased 74% over the past five years. Retaining talent has become just as difficult. As one might expect, salaries have kept pace with budgets, giving rise to anecdotes of security engineers moving to jobs for double their previous salary.

Nowhere is the security skill shortage more severe than in emerging technology areas like cloud. CSA survey respondents specified a lack of expertise as the biggest barrier to effectively detecting and stopping data loss in the cloud. This finding represents a huge pain point for companies; attitudes and technology have advanced to the point that more companies than ever are willing to take advantage of the benefits of cloud, yet the lack of human expertise is still holding back progress.

Given the lag for education to catch up in the workforce, companies struggling with this challenge can turn to stopgaps for the immediate future. Companies can pursue a combination of solutions to compensate for a lack of internal expertise. Third-party experts can help fill the knowledge gaps. Consulting firms have made moves to ramp up their cloud business over the past year, and cloud vendors often serve an expanded role as trusted partners helping to inform organizations’ security practices. Conferences and knowledge-sharing organizations like the CSA can also play an important role in diffusing knowledge through educational programming and sharing war stories.

Enforcing cloud security with a shortage of expertise can also pressure IT security staff to run a tight, efficient ship. Upfront investments in processes and technology can streamline operations. Organizations can automate security through cloud APIs and other vectors for extending existing security infrastructure. Staff should also rely on crowd-sourced information about high-risk services whenever possible. The majority of companies (71.2%) have implemented a formal process for requesting and evaluating new cloud services, reducing IT’s workload and increasing user satisfaction and productivity, according to the CSA survey.

Seizing the Opportunity to Make the Rules

Companies who address the cloud security skill gap head on will see other positive side effects in addition to the intended reduction in risk from cloud use. In efforts to retain talent, companies are going out of their way to keep employees engaged with rotating roles, exposure to new technologies, and educational programs.

Experience with cloud technologies is also desirable for security professionals looking to stay on the cutting edge of the industry. CISOs, for example, are under pressure to align security with business objectives, and the tools in demand are frequently cloud services. As with any area of emerging technology, many of the best practices of cloud security have yet to be defined and are constantly evolving. Progressive IT security departments have the opportunity to become leaders and innovators in this booming space.

Expect cloud security to rise as a prominent area of investment for IT staff’s professional development and education. And for IT professionals, gaining exposure to cloud security initiatives may be one of the best career moves they can make.

Kaushik Narayan is a Co-Founder and CTO at Skyhigh Networks, a cloud security company, where he is responsible for Skyhigh's technology vision and software architecture. He brings over 18 years of experience driving technology and architecture strategy for enterprise-class ...
Comments
Christian Bryant
User Rank: Ninja
1/29/2016 | 7:48:34 PM
Cloud Security Trending in Trainings
I think a good indication that this is true is the level of cloud security training and education that is starting to appear. In particular, the course content for Black Hat 2015 and 2016 is phenomenal. As the number of exploits grows for popular cloud infrastructures, employers will be looking for security engineers who not only have the core cloud infrastructure knowledge in hand, but cutting edge and unique approaches to addressing these exploits for good.

Cloud has been fun and engaging since day 1 at the technical level, but now it is time to get serious at the security level, whatever your role in cloud engineering, and possibly be one of those engineers who meet this growing security need.  Time to formulate a 5-year plan!