
Cloud security still a work in progress

Mar 21, 2017 | 4 mins
Cloud Security, Data and Information Security, Network Security

Cybersecurity professionals admit that they still don’t have the right skills, processes and monitoring capabilities for cloud security. Suggestions?

A few years ago, ESG (and other) research indicated that security concerns posed the biggest impediment for more pervasive use of cloud computing. What happened next?  Business executives and CIOs found that cloud agility, flexibility and potential cost savings were too good to pass up, creating a “cloud or bust” mentality. Naturally, CISOs had to do their best and go along for the ride whether they were ready or not.


So, how’s cloud security going at this point? ESG research indicates it is still a work in progress. As part of a recent survey, cybersecurity professionals were presented with a series of statements about cloud security and asked whether they agreed or disagreed with each one. Here are some of the results:

  • 69% of cybersecurity professionals strongly agree or agree with the statement: “My organization is still learning how to apply its security policies to public/private cloud infrastructure.” 
  • 62% of cybersecurity professionals strongly agree or agree with the statement: “It is difficult to get the same level of visibility into cloud-based workloads as we have on our physical network.”
  • 56% of cybersecurity professionals strongly agree or agree with the statement: “My organization’s current network security operations and processes lack the right level of automation and orchestration needed for the cloud.”
  • 52% of cybersecurity professionals strongly agree or agree with the statement: “The security team does not have the appropriate staff level to manage network security operations for cloud infrastructure.”  

Taken together, these results show that wide cloud security gaps remain across people, processes and technologies.

What can CISOs do to bridge these gaps? Based upon lots of qualitative and quantitative research, here are a few tips:

1. Get training. Many of the deficits described above are a consequence of relying on on-the-job cloud security training. Yes, cybersecurity professionals will pick things up, but by the time security pros figure things out, cloud security will lag way behind where it should be. Since cloud computing demands a new attitude and skill set, it's worthwhile to invest in appropriate hands-on security education up front. Ambitious members of the cybersecurity staff will recognize the career opportunity and pursue cloud security training with gusto.

2. Use cloud security as an organizational change agent. CISOs have long lamented their inability to drive information security closer to the business. Well, cloud computing provides a perfect opportunity to force this change. Cloud security policies, controls and even application security can be far more effective if they are integrated into the early stages of business planning and application development lifecycles. ESG has found this to be true in practice: cloud computing leaders tend to have security baked into disciplines like DevOps and data center operations rather than bolting on security controls once cloud-based workloads are already deployed.

3. Consider cloud security as a tabula rasa. ESG has noted that organizations tend to struggle when they try to force-fit traditional security controls into cloud computing. Often, they end up wasting time, scrapping these efforts, replacing traditional controls with cloud-centric controls and then struggling to catch up with cloud proliferation. Yes, it's worthwhile to try to emulate existing best practices with cloud security, but smart CISOs will approach this with an open mind and look for the security controls that gracefully support the nuances of cloud security out of the box.

4. Look for help. While the cloud is still new and scary to a lot of cybersecurity professionals, cloud popularity has produced a growing population of cloud security specialists. CISOs should do a lot of background checks on their vendors by grilling management, field engineering and reference accounts. With the right level of due diligence, you’ll be able to separate the helpful and real cloud security specialists from a long line of posers. 

Contributing Writer

Jon Oltsik is a distinguished analyst, fellow, and the founder of the ESG’s cybersecurity service. With over 35 years of technology industry experience, Jon is widely recognized as an expert in all aspects of cybersecurity and is often called upon to help customers understand a CISO's perspective and strategies. Jon focuses on areas such as cyber-risk management, security operations, and all things related to CISOs.
