Dark Reading is part of the Informa Tech Division of Informa PLC

1/29/2016
11:30 AM
Kaushik Narayan
Commentary

Cloud Security: It's Become A People Problem

Now that the cloud is becoming secure enough for sensitive data, are cloud customers ready to hold up their end of a shared liability model?

Fear characterized the early days of cloud adoption – some of it justified and some purely sensational. The concept of sending data off the corporate network and thus outside of existing security technology spooked IT security professionals. But now that cloud has matured, one of the greatest barriers to adoption has become a people problem.  

Times have changed, and even former hold-outs in regulated industries have warmed to cloud technology. Last year, US Chief Information Officer Tony Scott called for organizations to “get to the cloud as fast as [they] can” for better security, and a recent survey (registration required) from the Cloud Security Alliance confirmed this attitude among rank-and-file IT professionals, with 64.9% of respondents describing cloud software as a service as secure or more secure than on-premises software.

This growing confidence in the security capabilities of cloud providers reinforces Gartner’s prediction that in 2016, 95% of cloud security incidents will be the customer’s fault. Enterprise cloud providers’ entire business model depends on preventing breaches, and they have more resources and top talent to dedicate to security. But now that the cloud is secure enough for sensitive data, can cloud customers hold up their end of the shared liability model?

The Cloud Security Skill Gap

Anyone who has tried to fill open IT security headcount is familiar with the shortage of skilled professionals. There are currently more than 209,000 unfilled cybersecurity jobs in the US alone, and job postings have increased 74% over the past five years. Retaining talent has become just as difficult. As one might expect, salaries have kept pace with budgets, giving rise to anecdotes of security engineers moving to jobs for double their previous salary.

Nowhere is the security skill shortage more severe than in emerging technology areas like cloud. CSA survey respondents specified a lack of expertise as the biggest barrier to effectively detecting and stopping data loss in the cloud. This finding represents a huge pain point for companies; attitudes and technology have advanced to the point that more companies than ever are willing to take advantage of the benefits of cloud, yet the lack of human expertise is still holding back progress.

Given the lag for education to catch up in the workforce, companies struggling with this challenge can turn to stopgaps for the immediate future. Companies can pursue a combination of solutions to compensate for a lack of internal expertise. Third-party experts can help fill the knowledge gaps. Consulting firms have made moves to ramp up their cloud business over the past year, and cloud vendors often serve an expanded role as trusted partners helping to inform organizations’ security practices. Conferences and knowledge-sharing organizations like the CSA can also play an important role in diffusing knowledge through educational programming and sharing war stories.

Enforcing cloud security with a shortage of expertise can also pressure IT security staff to run a tight, efficient ship. Upfront investments in processes and technology can streamline operations. Organizations can automate security through cloud APIs and other vectors for extending existing security infrastructure. Staff should also rely on crowd-sourced information about high-risk services whenever possible. The majority of companies (71.2%) have implemented a formal process for requesting and evaluating new cloud services, reducing IT’s workload and increasing user satisfaction and productivity, according to the CSA survey.

Seizing the Opportunity to Make the Rules

Companies that address the cloud security skill gap head-on will see other positive side effects in addition to the intended reduction in risk from cloud use. In efforts to retain talent, companies are going out of their way to keep employees engaged with rotating roles, exposure to new technologies, and educational programs.

Experience with cloud technologies is also desirable for security professionals looking to stay on the cutting edge of the industry. CISOs, for example, are under pressure to align security with business objectives, and the tools in demand are frequently cloud services. As with any area of emerging technology, many of the best practices of cloud security have yet to be defined and are constantly evolving. Progressive IT security departments have the opportunity to become leaders and innovators in this booming space.

Expect cloud security to rise as a prominent area of investment for IT staff’s professional development and education. And for IT professionals, gaining exposure to cloud security initiatives may be one of the best career moves they can make.

Kaushik Narayan is a Co-Founder and CTO at Skyhigh Networks, a cloud security company, where he is responsible for Skyhigh's technology vision and software architecture. He brings over 18 years of experience driving technology and architecture strategy for enterprise-class ...
Comments
RetiredUser
User Rank: Ninja
1/29/2016 | 7:48:34 PM
Cloud Security Trending in Trainings
I think a good indication that this is true is the level of cloud security training and education that is starting to appear. In particular, the course content for Black Hat 2015 and 2016 is phenomenal. As the number of exploits grows for popular cloud infrastructures, employers will be looking for security engineers who not only have the core cloud infrastructure knowledge in hand, but cutting edge and unique approaches to addressing these exploits for good.

Cloud has been fun and engaging since day 1 at the technical level, but now it is time to get serious at the security level, whatever your role in cloud engineering, and possibly be one of those engineers who meet this growing security need. Time to formulate a 5-year plan!