By Raj Samani, chief technology officer, EMEA, Intel Security Group
Hybrid cloud models offer many well-documented benefits, but they also introduce more complexity for securing data and applications across the enterprise. And this added complexity requires an increasingly diverse skill set for security teams. That’s a challenge, considering the growing cybersecurity skills shortage. In one recent study, 46% of organizations said they have a “problematic shortage” of cybersecurity skills – up from 28% just a year ago. One-third of those respondents said their biggest gap was with cloud security specialists.
Modern security teams require a broad and deep mix of technology skills, ranging from twists on traditional network and OS technology all the way to security of the data itself, to address a rapidly evolving threat landscape. But they also need “softer” expertise, such as knowledge of compliance regulations and vendor management skills. Driving this dual focus is the public cloud’s “shared responsibility model,” in which service providers and enterprises divvy up various levels of protection across the IT stack. These responsibilities – and the requisite skills – vary depending on the type of public cloud service.
Certain skills are required across all users of the public cloud. For example, you’ll need in-house expertise with encryption and data loss prevention controls for content-rich cloud applications. Your IT teams need to know (and track) where your enterprise data resides in the cloud, what your cloud service providers offer for data protection, and most importantly, how to integrate data protection policies in the cloud with your own company policies. On a similar note, your team will need sophisticated identity and access management (IAM) and multifactor authentication, including tokenization, regardless of whether you’re deploying SaaS, PaaS, IaaS, or a combination of those services.
For SaaS, your security teams need to be familiar with the various applications in use and how to use logging and monitoring tools to detect security violations and alert appropriate IT staff. Post-incident analysis is a critically important skill for mitigating active threats and improving your security posture for future threats.
For PaaS deployments, you will also need to add skills to ensure that native cloud applications are being developed with security built-in at the API level. Adoption of open security APIs can help to bridge the gaps among proprietary cloud environments.
For IaaS environments, the ability to provision software-defined infrastructure carries the need for highly technical security professionals who can create policies for server, storage, and network security on AWS or other platforms. These skills include the ability to monitor the usage of computing, storage, networking, and database services, as well as the ability to manage security incidents identified in the cloud platform you’re using.
Audit and Compliance Skills
Many of the softer skills needed for cloud success stem from the need for organizations to gain more visibility into hybrid environments that are becoming more complex as SaaS, PaaS, and IaaS services are cobbled together with each other and with private clouds.
Audit rights can be built into a service level agreement (SLA) as a way to make sure the provider complies with corporate security policies and with industry or government regulations. This is one reason why the ability to develop comprehensive SLAs with service providers is an increasingly important skill. IT and security teams will need to work together to negotiate terms that provide maximum protection and visibility into third-party services, to ensure that data, applications, and other components of your cloud environment are secure and compliant.
In addition to formal audits, security professionals require skills (and tools) for continuously monitoring compliance and threats across SaaS, PaaS, and IaaS deployments in two key areas: threats and applications. Starting with threats, it is critical to achieve (or maintain) visibility into specific threats across these environments so your organization has a full view of attacks. That visibility needs to extend across endpoint, infrastructure, and network elements in order to recognize and respond to coordinated, multi-angle attacks.
Second, application security experience with cloud access security brokers (CASBs) will help security professionals increase visibility into users’ behavior and needs across public cloud service providers.
That said, we see a convergence between the need for application visibility, threat visibility, and data security for SaaS applications, so look for skills that bridge those three areas as you build an organization for the future. The same need for a blended skillset will increasingly be true as threats and application needs converge.
Organizations in highly regulated industries also need to devote resources to tracking how third-party providers handle data and applications to ensure compliance with industry-specific regulations. The same goes for global players: Requirements around data storage can vary dramatically by country, requiring in-depth knowledge of local regulations regarding where data resides and how it is transmitted for any geography in which you do business.
Skills for Hybrid: the New Private Cloud
Security practices for a private cloud deployment – which enables enterprises to keep data and applications under their control – would seem to be more traditional than public deployments. But the virtualization technology that is inherent in the private cloud model creates a need for new security skills beyond those for traditional on-premise environments.
The first is understanding the difference in the infrastructure itself, for example between a traditional virtual machine and a framework like OpenStack. Second, as organizations explore software-defined networking (SDN), they see a need for more automation skills, as security policy must co-exist with the orchestration to fully exploit an SDN environment. Third, the security operations center will need more network insight as the east-west traffic becomes more material to threat analysis. These skills become especially important as virtualization expands beyond servers and into networks and storage.
That said, most private clouds are truly hybrid clouds – and these will be the default moving forward. Hybrid clouds demand cross-domain threat visibility, along with the skills across the various cloud types to prioritize and respond to threats. This requires both a broader level of technical depth and more cross-team facilitation and leadership to analyze and respond to critical threats. Revisiting the soft skills points made earlier, this also includes leadership not just within the organization but across the set of SaaS providers relevant to a given situation.
The Bottom Line on Cloud Skills
The takeaway for security leaders: It’s time to optimize the skills of your team to the different types of cloud. Public cloud security – spanning SaaS, PaaS, and IaaS environments – (a) is more about policy, audit, analysis, and teamwork skills than pure technical depth, and (b) will include more cross-domain skills than are required in the more siloed on-premise structure. Creating the proper mix of skillsets for all of these scenarios will help build your confidence as you build out your hybrid cloud model.
About the Author
Raj Samani is an active member of the Information Security industry, through involvement with numerous initiatives to improve the awareness and application of security in business and society. He is currently working as the EMEA Chief Technical Officer for Intel Security, having previously worked as the Chief Information Security Officer for a large public sector organization in the UK. He was inducted into the Infosecurity Europe Hall of Fame (2012), won the Virus Bulletin Péter Ször Award for the paper/investigation he co-authored on the takedown of the Beebone Botnet, and was named in the UK’s top 50 data leaders and influencers by Information Age.
He previously worked across numerous public sector organizations, in many cybersecurity and research-orientated working groups across Europe. He is also the author of Syngress books “Applied Cyber Security and the Smart Grid” and “CSA Guide to Cloud Computing”, and technical editor of “Industrial Network Security (vol2)” and “Cyber Security for decision-makers”.
In addition, Raj is currently the Cloud Security Alliance’s Chief Innovation Officer and previously served as Vice President for Communications in the ISSA UK Chapter, where he presided over the award of Chapter Communications Programme of the Year 2008 and 2009. He is also a Special Advisor for the European CyberCrime Centre, is on the advisory council for the Infosecurity Europe show and Infosecurity Magazine, is an expert on both searchsecurity.co.uk and Infosec portal, and is a regular columnist on Help Net Security. He has had numerous security papers published, and regularly appears on television commenting on computer security issues.