(ISC)2 recently surveyed the attitudes of infosecurity professionals to cloud computing in our Global Information Security Workforce Study and the implications were clear: despite growing cloud adoption, concern over cloud security remains very high.
In a significant reversal in infosecurity professionals’ views on future cloud use, far more expect to see cloud use at their organisations increasing over the next two to three years than when we last polled the industry in 2013. Yet this does not appear to signify a corresponding increase in confidence in cloud security.
Cloud-based services are cited as the biggest security concern by 49 percent of professionals and are ranked above cyber-terrorism as a top 10 security threat. And concerns are high among infosecurity professionals across every major vertical: 68 percent of those in telecoms, 55 percent of those in banking, 50 percent of those in government, 40 percent of those in defence and 60 percent of those in utilities say cloud security remains a paramount concern.
Growing levels of cloud adoption are clearly going to require more specialised cloud security skills. And the need for training and education will only grow further as an organisation’s IT footprint is increasingly splintered among a mushrooming array of cloud providers and service models.
It is therefore no surprise that 73 percent of the infosecurity industry report that cloud computing is the area where they see greatest demand for training and education over the next three years.
Professionals say that the top ten skills most in demand include the ability to audit cloud infrastructures, develop better ‘service-level agreement skills’ and identify which supplemental security mechanisms should be implemented by cloud tenants.
This is critical; confidence in cloud suppliers cannot improve until customers are trained to accurately assess the security credentials of prospective cloud models and negotiate good contracts that guarantee excellent security. To do this, they have to understand what good cloud security entails in the first place, and consequently what sort of questions to ask when negotiating service-level agreements.
Infosec professionals also need to be trained to identify which aspects of cloud security fall within the remit of the cloud tenant so as to ensure everyone has clarity over which aspects of cloud security are their responsibility. This would also boost confidence in public clouds by preventing an exploit that compromises one tenant’s data from contaminating everyone else who shares the cloud.
Towards A Common Standard
The only way for organisations to develop the skills needed both to validate the security mechanisms of cloud providers and validate their own cloud security mechanisms is to develop a common understanding of best practice in cloud security.
The best way to achieve this is for the industry to develop, in consultation with its own members, an international gold standard for professional-level knowledge in the design, implementation and management of cloud environments, which would define and standardise best practice across cloud hosts and tenants alike.
This would give all infosec professionals the skills to negotiate good service-level agreements, assess the security credentials of competing cloud hosts and work out what supplementary security mechanisms they need to adopt. It would also inculcate a common level of cloud security skills and knowledge across every industry sector, driving out bad practice and enabling organisations to secure their IT footprint across the ballooning array of cloud service models and providers.
The Cloud Security Alliance recently partnered with (ISC)2 to develop a professional level cloud security program, establishing the first international standard for cloud security training and education created in consultation with the global infosecurity and cloud security workforce.
The new CCSP certification brings industry knowledge together to solve the cloud security skills deficit, standardise best practice across the industry and assist organisations as they take the leap into the cloud.
Adrian Davis, European MD at (ISC)2