By Raj Samani, Chief Scientist at McAfee
Cloud services are nearly ubiquitous, with 97% of worldwide IT professionals surveyed using some type of cloud functions in their organization, up from 93% just one year ago, according to data from a recent McAfee study.
Indeed, this cloud-first strategy has driven organizations to take on many different providers in their cloud ecosystem. As organizations tackle new data use initiatives, intelligence building, and new capabilities to store and execute applications, we have seen an explosion in the number of sanctioned cloud providers that businesses are reporting, each a source of potential risk and management need for the organization. The provider count requires readiness in a governance strategy that joins security capabilities and procurement together to protect the data entrusted to each new cloud deployment.
As a consequence, security operations teams will need enhanced, unified visibility to compose a picture across so many different environments containing enterprise data, and then map this visibility against resources to ensure the organization has the right skills in place to address the security challenges.
Visibility over control
Think of this analogy—poor visibility is one of the greatest challenges to a navigator, preventing them from ever leaving their familiar and well-charted environment unless they can learn to rely on their instruments and expertise. After all, you cannot steer around what you cannot see. The leading adopters of cloud services understand this axiom and are integrating cloud visibility into their IT operations to accelerate business.
Better visibility enables an organization to confidently adopt transformative cloud services sooner, respond more quickly to security threats, and reap the cost savings the cloud provides. It is better to be able to see everything in the cloud than to attempt to control an incomplete portion of it. Your organization is using cloud services, even if they are not your primary strategy. From a security perspective, there are three best practices that all organizations should be actively working towards:
- DevSecOps processes — DevOps and DevSecOps have repeatedly been demonstrated to improve code quality and reduce exploits and vulnerabilities, while increasing the speed of application development and feature deployment. Integrating development, QA, and security processes within the business unit or application team, instead of relying on a stand-alone security verification team, is crucial to operating at the speed today’s business environment demands.
- Deployment automation and management tools — Even the most experienced security professionals find it difficult to keep up with the volume and pace of cloud deployments on their own. Automation can augment human advantages with machine advantages, creating a fundamental component of modern IT operations. Deployment automation and management tools such as Chef, Puppet, or Ansible can be used in both public and private cloud environments.
- Unified security solution with centralized management across all services and providers — Multiple cloud provider management tools make it too easy for something to slip through. A unified management solution with an open integration fabric reduces complexity by bringing multiple clouds together and streamlining workflows.
Mind the gap
While visibility is crucial, the absence of adequately trained professionals can leave holes in many aspects of a modern-day security infrastructure, with one of the widest specifically involving cloud security. The cloud is a nuanced area in technology and securely managing it requires specific knowledge. In fact, according to the same report I cited earlier, more than 25% of organizations using infrastructure as a service (IaaS) or software as a service (SaaS) have experienced data theft from their hosted infrastructure or applications. Furthermore, 20% were infiltrated by advanced attackers targeting their public cloud infrastructures. All too often these attacks originate from user misconfigurations, a lack of updates, or a selection of the wrong technology.
These breaches make one thing apparent: organizations lack not only cybersecurity talent but also sufficient cloud security talent, which ultimately puts them more at risk of an attack. Mind you, this talent gap is also delaying enterprise migration to cloud computing.
Security skills vs. cloud security skills
However, it’s important to note that the list of skills required for successful cloud security isn’t precisely a carbon copy of what many expect from a cybersecurity professional. Plugging one gap will not always fill the other. Of course, general security skills such as incident response, data analysis, and threat hunting are still crucial when it comes to securing the cloud. But they’re not entirely sufficient. For instance, cloud security professionals and architects need to come to the table with a deep knowledge of identity and access management (IAM), deployment automation, and cloud regulatory compliance.
Just as cloud security is a shared responsibility between vendor and customer, so too is the cloud security skills shortage a shared responsibility between the cybersecurity industry and future professionals. While we must hope that professionals pursue the right training, the cybersecurity industry must also do its part in educating both future candidates and current employees on the ins and outs of modern-day cloud security. And this doesn’t just mean teaching the correct configurations for AWS either, but rather helping these professionals learn about the tenets of cloud adoption, including costs, monitoring, potential barriers, and more.
In summary, when trade-off decisions have to be made, better visibility should be the number one priority, not greater control. It is better to be able to see everything in the cloud than to attempt to control an incomplete portion of it. Once you have visibility, evaluate what security issues your cloud infrastructure has faced and map those issues back to the applicable skills needed to address them.
From there, securing IaaS and SaaS solutions shouldn’t seem so cloudy to your IT team.