This blog was written by Brian Dye.
With enterprises moving to hybrid cloud environments, IT architectures are increasingly spread among on-premises infrastructure and public and private cloud platforms. Hybrid models offer many well-documented benefits, but they also introduce more complexity for securing data and applications across the enterprise. And this added complexity requires an increasingly diverse skill set for security teams.
That’s a challenge, considering the growing cybersecurity skills shortage. In one recent study, 46% of organizations said they have a “problematic shortage” of cybersecurity skills – up from 28% just a year ago. One-third of those respondents said their biggest gap was with cloud security specialists.
Modern security teams require a broad and deep mix of technology skills, ranging from twists on traditional network and OS technology all the way to security on data itself, to address a rapidly evolving threat landscape. But they also need “softer” expertise, such as knowledge of compliance regulations and vendor-management skills. Driving this dual focus is the public cloud’s “shared responsibility model,” in which service providers and enterprises divvy up various levels of protection across the IT stack. These responsibilities – and the requisite skills – vary depending on the type of public cloud service.
Certain skills are required across all uses of public cloud. For example, you’ll need in-house expertise with encryption and data loss prevention controls for content-rich cloud applications. Your IT teams need to know (and track) where your enterprise data resides in the cloud, what data protection offerings your cloud service providers have, and, most importantly, how to integrate data protection policies in the cloud with your own company policies. On a similar note, your team will need sophisticated identity and access management (IAM) and multifactor authentication, including tokenization, regardless of whether you’re deploying SaaS, PaaS, IaaS, or a combination of those services.
For SaaS, your security team needs to be familiar with the various applications in use and how to use logging and monitoring tools to detect security violations and alert appropriate IT staff. Post-incident analysis is a critically important skill for mitigating active threats and improving your security posture for future threats.
For PaaS deployments, you will also need to add skills to ensure that native cloud applications are being developed with security built in at the API level. Adoption of open security APIs can help to bridge the gaps among proprietary cloud environments.
For IaaS environments, the ability to provision software-defined infrastructure carries the need for highly technical security professionals who can create policies for server, storage, and network security on AWS or other platforms. These skills include the ability to monitor usage of compute, storage, networking, and database services, as well as the ability to manage security incidents identified in the cloud platform you’re using.
Audit and Compliance Skills
Many of the softer skills needed for cloud success stem from the need for organizations to gain more visibility into hybrid environments that are becoming more complex as SaaS, PaaS, and IaaS services are cobbled together with each other and private clouds.
“The challenge has never been about security, but about transparency,” wrote Raj Samani, our Chief Technology Officer here at McAfee’s Europe, Middle East and Africa division, in a recent blog post. To gain visibility into the security posture of a third-party provider, IT teams should at a minimum secure audit rights to examine the provider’s practices and ensure the proper certifications are in place.
Audit rights can be built into a service level agreement (SLA) as a way to make sure the provider complies with corporate security policies and industry or government regulations. This is one reason why the ability to develop comprehensive SLAs with service providers is an increasingly important skill. IT and security teams will need to work together to negotiate terms that provide maximum protection and visibility into third-party services, to ensure that data, applications, and other components of your cloud environment are secure and compliant.
In addition to formal audits, security professionals require skills (and tools) for continuously monitoring compliance and threats across SaaS, PaaS, and IaaS deployments in two key areas: threats and applications. Starting with threats, it is critical to achieve (or maintain) visibility into specific threats across these environments so your organization has a full view of attacks. That visibility needs to extend across endpoint, infrastructure, and network elements in order to recognize and respond to coordinated, multi-angle attacks.
Second, in application security, experience with cloud access security brokers (CASBs) will help security professionals increase visibility into user behavior and their needs across public cloud service providers.
That said, we see convergence between the need for application visibility, threat visibility, and data security for SaaS applications, so look for skills that bridge those three areas as you build an organization for the future. The same need for a blended skill set will increasingly be true as threat and application needs converge.
Organizations in highly regulated industries also need to devote resources to tracking how third-party providers handle data and applications to ensure compliance with industry-specific regulations. The same goes for global players: Requirements around data storage can vary dramatically by country, requiring in-depth knowledge of local regulations regarding where data resides and how it is transmitted for any geography in which you do business.
Skills for Hybrid: the New Private Cloud
Security practices for a private cloud deployment – which enables enterprises to keep data and applications under their control – would seem to be more traditional than public deployments. But the virtualization technology that is inherent in the private cloud model creates a need for new security skills beyond those for traditional on-premise environments. The first is understanding the difference in the infrastructure itself, for example between a traditional virtual machine and a framework like OpenStack.
Second, as organizations explore software defined networking (SDN), they see a need for more automation skills, as security policy must co-exist with the orchestration to fully exploit an SDN environment.
Third, the security operations center will need more network insight as the east-west traffic becomes more material to threat analysis.
These skills become especially important as virtualization expands beyond servers and into networks and storage.
That said, most private clouds are truly hybrid clouds – and these will be the default moving forward. Hybrid clouds demand cross-domain threat visibility, along with the skills across the various cloud types to prioritize and respond to them. This requires both a broader level of technical depth and more cross-team facilitation and leadership to analyze and respond to critical threats. Revisiting the soft skills points made earlier, this also includes leadership not just within the organization but across the set of SaaS providers relevant to a given situation.
The Bottom Line on Cloud Skills
The takeaway for security leaders: It’s time to optimize the skills of your team to the different types of cloud. Public cloud security – spanning SaaS, PaaS, and IaaS environments – (a) is more about policy, audit, analysis, and teamwork skills than pure technical depth, and (b) will include more cross-domain skills than are required in the more siloed on-premises structure. Creating the proper mix of skillsets for all of these scenarios will help build your confidence as you build out your hybrid cloud model.