Julie Peeler, Foundation Director, (ISC)²
For many organizations, cloud adoption is no longer a question of if, but how much. Several factors are contributing to rapid growth and change in the cloud computing market. The cloud provides multiple business and consumer benefits, many of which relate to business agility and cost of ownership. In the coming years, cloud computing will grow largely at the expense of traditional IT. As organizations replace traditional IT architectures with cloud models, cloud expertise will move from a “nice to have” capability to a “must have.”
In fact, of nearly 14,000 respondents from the 2015 (ISC)² Global Information Security Workforce Study (GISWS) by Frost & Sullivan, 43 percent state that cloud is a priority for their organizations and 57 percent of total respondents state it will become even more of a priority over the next two years. Cloud computing was also identified as the top area of information security with growing demand for education and training within the next three years. Further, 73 percent of respondents believe it will require information security professionals to develop new skills.
According to the 2015 Cloud Security Spotlight Report—a survey of over 1,000 cyber security professionals—cloud computing is delivering on the hype in terms of flexibility, availability and cost reductions. However, security and compliance remain the biggest concerns. Security is still the biggest perceived barrier to further cloud adoption, and nine out of ten organizations are very or moderately concerned about public cloud security.
Cloud computing has emerged as a critical topic area within IT that requires further security considerations. Despite growing cloud adoption rates, information security professionals are concerned over data breaches, data loss and other security risks. Specialized skills will be required in cloud security to close the gap between increasing cloud adoption and high levels of security concerns.
The growing adoption of cloud services will increase the demand for security professionals who can apply the proper controls to public, private, community and hybrid cloud models. With more organizations moving infrastructure to the cloud, protecting and securing data has become increasingly complex. Cloud service providers, organizations adopting cloud services and professional service firms assisting with cloud management and implementation will all need qualified cloud professionals.
Many long-standing information security best practices are appropriate for cloud computing environments. However, managing and utilizing cloud computing introduces new complexities and challenges that cannot be addressed with traditional information security approaches. The industry needs professionals who understand and can apply effective security measures to cloud environments.
For instance, consider the architecture: Cloud computing not only uses multiple layers of virtualized computing, it automates “on-demand” provisioning and configuration of those layers, enabling extremely dynamic systems whose resources can appear and disappear in seconds and minutes. Now, it is often the case that critical communications data relevant to information security no longer traverses a network topology, instead using a hypervisor backplane. With the physical infrastructure dynamically divorced from the server, application and networking functions, security practices must adjust.
Further complicating the security challenge are the many variations of cloud models, each with its own risk profile. Detailing the prevalence of various cloud models, the 2015 (ISC)² GISWS found that cloud is primarily used for Software as a Service (SaaS) (44 percent of respondents), followed by Infrastructure as a Service (IaaS), and the least common is Platform as a Service (PaaS) (24 percent).
The largest proportion of cloud usage centers on private cloud usage (52 percent of respondents), while other uses comprise less than half of total cloud usage: public cloud computing services (22 percent), hybrid cloud computing services (16 percent), and community cloud computing services (10 percent).
So what methods should information security professionals employ to increase cloud assurance? According to these findings, the largest proportion of information security professionals believes that data encryption (18 percent of respondents) is the surest path to elevating cloud assurance. The second and third methods are continuous monitoring (11 percent) and incorporating security into design and implementation (9 percent), respectively.
In addition to the cloud model and cloud assurance considerations, when organizations consider cloud adoption, the people aspect should be a crucial component of the evaluation and ultimate decision-making processes. Having qualified people lead a thorough evaluation process can help organizations responsibly take advantage of cloud services. IT professionals who understand how cloud services can be securely implemented and managed within their organization’s IT strategy and governance requirements are essential.