Hiring the right personnel is key to properly securing a cloud deployment
Organizations are increasingly moving to the cloud for data storage and processing. The cloud offers a number of different advantages to businesses, including scalability, faster processing, and the cost savings associated with renting shared infrastructure rather than deploying and managing solutions on-premises.
However, the cloud also comes with its downsides. The cloud is very different from the other on-premises deployment that most organizations are accustomed to. This can cause significant issues when trying to lift on-prem applications to cloud environments.
Another significant concern is cloud security. Security solutions and cyber defense methodologies that are best practice in on-premises environments are often less effective in cloud computing environments. A failure to appropriately adapt policies, procedures, and tools to the cloud has caused numerous organizations to suffer security breaches.
However, accomplishing this shift to cloud-focused security requires personnel that is skilled in cybersecurity in general and cloud security in particular. With an ongoing shortage of skilled cybersecurity personnel, many organizations are finding it difficult or impossible to both find and retain the talent that they need to secure their new cloud deployments.
The cybersecurity skills gap
Cybersecurity is a field with rapidly growing demand. As cyber threats grow more sophisticated and the number and cost of data breaches increase, organizations require access to trained cybersecurity talent to secure their network infrastructure and help them to achieve and maintain compliance with a growing number of data protection regulations.
However, the supply of trained cybersecurity professionals is not keeping up with the demand. The cybersecurity field is experiencing a large and widening skills gap. In 2019, over 4 million cybersecurity jobs are left unfilled due to the inability to find employees qualified for the position. As a result, 60% of organizations feel that they are experiencing moderate or severe risk due to their inability to fill necessary security positions.
While the cybersecurity skills gap is significant in general, organizations may find it even more difficult to fill positions requiring specific skill sets. The field of cybersecurity includes a wide variety of specializations, including everything from a cybersecurity generalist who may fill an analyst role in an organization’s Security Operations Center (SOC) to a malware reverse engineer to a digital forensics investigator.
While a wide range of specializations exist (and there is high demand for many of them), some specializations have become a near-universal need for modern businesses. As organizations continue to move sensitive data and core business operations to the cloud, they require the ability and the skills to secure their new cloud-based resources.
Lacking skills in the cloud
While the cybersecurity skills gap is bad enough, a lack of cloud security skills can be even more dangerous for organizations. With 57% of organizations using cloud-based services for at least some of their computing infrastructure, they also need the expertise to secure these new deployments.
The advent of cloud computing has exacerbated the issues caused by the cybersecurity skills gap. While many organizations’ security teams have become comfortable and competent at securing their organizations’ networks, the cloud represents an entirely new and different environment to secure.
In cloud environments, an organization’s security team must protect a network that is not contained within a traditional perimeter. The cloud network infrastructure is also hosted on systems that are not under the organization’s control and on servers that may be shared with other, untrusted third-parties.
Effectively securing cloud deployments requires specialized knowledge and understanding of security in cloud environments. A security team must understand the shared responsibility model that governs security in the cloud, where the CSP is responsible for some parts of the infrastructure, the customer is responsible for others, and they may share responsibility where these two regions meet.
Securing the cloud is also a high-stakes challenge, where sensitive data is stored in an environment that is easily accessible from anywhere and where an organization may lack visibility into whether or not data or functionality has been accessed without authorization. Since many traditional cybersecurity tools do not work at top effectiveness in the cloud, organizations must seek out cloud-specific security tools and the cloud-specific cybersecurity knowledge necessary to properly deploy, configure, and operate them.
As the use of cloud computing grows and the pool of available cybersecurity talent shrinks, organizations may have difficulty finding the cloud security talent that they require. The growing cloud IT skills gap has already caused many organizations to outsource security functions for cloud computing and is driving increased investment and interest in cloud security.
Securing the cloud
Securing a traditional on-premises deployment and a cloud-based one are two very different problems. In general, an on-premises deployment can be approached by starting with the traditional perimeter-based model. If any organization fortifies their network perimeter and then deploys additional protections to detect and defend against threats that defeat these perimeter defenses, it is fairly well-positioned to protect itself against attack.
An organization’s cloud deployment is outside of their network perimeter and running on infrastructure that they don’t own or even have complete visibility into or control over. Securing this type of operating environment takes a different set of skills and tools than a traditional on-premises deployment. Before moving sensitive data and valuable functionality to the cloud, an organization needs to take the time to ensure that they have the necessary knowledge and skills to secure a cloud deployment and the proper cloud-focused security tools needed to do it properly.