creative soul - Fotolia
As cloud complexities increase, cybersecurity skills gap worsens
Concerns about the lack of security expertise persist, according to respondents in a new CSA survey of IT and security professionals on complexities within native cloud, hybrid and multi-cloud environments.
The rapid rate of advancement in cloud computing technology places new pressure on security professionals' skills and resources. The results of a recent study from the Cloud Security Alliance revealed a need in the industry to prioritize professional security expertise when using cloud services.
When asked to rank their concerns when switching or adopting cloud structure, 81% of respondents identified security as No. 1. Growing cloud complexities will not make security challenges easier.
The study, conducted by the Cloud Security Alliance along with network security provider AlgoSec, found common security challenges with regard to native, hybrid and multi-cloud architectures. The Cloud Security Complexity survey of 700 IT and security professionals identified areas of improvement and the state of adoption of private, public and combination cloud environments.
Cloud complexities exacerbate the cybersecurity skills gap
Yitzy Tannenbaum, product marketing manager at AlgoSec, based in Ridgefield Park, N.J., said the cybersecurity skills gap correlates with growing complexities in infrastructure. In the past, one on-premises security team oversaw security end to end. Today, the conditions are a lot different.
"We have the public cloud and the private cloud, and inside the public cloud you'll have many different security controls -- cloud-native security controls or third-party and firewalls in the cloud," Tannenbaum said.
Cybersecurity skills and resources are stretched, which leaves room for human error. More than 200 respondents had experienced an outage within the past year, and the most common cause was identified as human error. Because of the breadth of options and because large organizations use multiple platforms -- not to mention the cloud complexities of each -- it is difficult for security professionals to specialize in everything. This has led to security teams comprised of individual security staff trained in different infrastructures.
Many organizations have dedicated personnel for each platform. Cloud developers, cloud security teams, traditional security teams, CISOs, information security and security operations can all potentially make changes to the environment without communication with the others. Failure to notify others about changes made can lead to preventable security consequences and more labor in damage control.
Security should be the driver at every level
As much as business objectives determine priorities across the company, security should be in the driver's seat. Too often security is considered an afterthought in business and in development. Compromised businesses held to account in the news have placed new emphasis on the importance of a cloud security strategy. Researchers hope businesses will be practical about building in security measures at every level before an incident happens.
"As we migrate to that new complex environment, let's make sure security is an enabler and not behind the capabilities and other functionality we have in the cloud," said John Yeoh, global vice president of research at Cloud Security Alliance.
As cloud computing technologies become more popular and complex, neglecting security becomes a business risk, Yeoh said, noting companies that had landed in headlines and worse when breaches happen.
"If a human makes a mistake and a business's records or sensitive information are exposed, it doesn't just reflect on the business, but also on the cloud services in that supply chain," Yeoh said.
He added that awareness should be emphasized and incorporated into company culture, but this isn't necessarily standard practice today. Researchers encouraged organizations to raise the education level of employees -- internally and the cloud supply chain -- about cybersecurity, and the potential for harm is a smart preventative measure.
"Security shouldn't be limited to the security team. It should be a business thing," Yeoh said.
Cloud security teams will face complex problems in near future
As cloud environments become more complex, the problems security teams face today will do the same, according to the study. Complex problems of the future require preventative actions today, the researchers suggested.
John YeohGlobal vice president of research, Cloud Security Alliance
"If we think about the scalability of cloud that we love to embrace, as that's one of the advantages of cloud, your vulnerabilities can also scale. That's why it's so important to have a hand on security early," Yeoh said.
Most survey respondents (66%) use multiple cloud platforms, also known as a multi-cloud environment. The survey also found 35% of respondents use more than three cloud platform vendors. On top of that, 55% organizations may use both public and private clouds, known as a hybrid cloud environment.
This is where the survey gets its "cloud complexity" title. It reflects the reality of cloud use today, which the researchers predict will only get more complex. It is estimated the percentage of organizations using hybrid and multi-cloud combinations -- 36% of respondents today -- will increase rapidly in the next three years.
How to handle cloud security complexity
As complexities evolve, researchers found visibility into the environment is critical, as is expertise of internal staff and cloud providers. Automation is going to help with accessibility into the cloud and with the cybersecurity skills gap.
"You're not only eliminating mistakes, but in many cases you eliminate the need for specific expertise on different platforms," Tannenbaum said.
This also addresses the survey's finding that human error was the most common cause of outages. One-third of respondents experienced outages for over three hours, and 10% answered more than one day. For Tannenbaum, this put a Gartner report on the subject into perspective. The report estimated the average outage cost the organization $5,600 per minute.
"Imagine a bank, imagine a hospital, imagine a credit card company whose services are down for that long of a time," Tannenbaum said. "Out of this whole report, that's what shook me the most. In the cases of hospitals and healthcare, it's not even an issue of time or money alone; it's lives."
Overall, the AlgoSec and Cloud Security Alliance survey outlines industry shifts and challenges as a result of cloud complexities and changing technology. Not only is it a peek into the experiences businesses have with cloud infrastructure, but a roadmap to the intricate challenges security teams must inevitably face in the future. In the midst of the current cybersecurity skills shortage, the survey is a timely reminder that evolving enterprise IT environments call for evolving cloud security strategies.