Don’t Let the Cyber Skills Gap Slow Your Cloud Adoption
Despite an accelerating talent shortage across the cybersecurity domain, IT organizations can effectively plug vulnerabilities by focusing on the elements that they can control and by partnering with systems integrators and as-a-service providers who are charged with keeping pace with the ever-changing threat landscape.
The accelerating pace of digital transformation is creating an enormous technical skills shortage. Cloud skills in particular are the number-one concern for over 70% of IT decision-makers in large and small organizations, per a recent Computing.com survey. But cloud is not the only area suffering from skill scarcity. A recent Cybrary report found that 80% of security professionals do not feel adequately prepared to defend against a cyberattack, and that two-thirds of organizations admit that finding cybersecurity talent is a big struggle.
Combining the cloud talent shortage with the cybersecurity skills gap creates an ominous picture for organizations that must move applications, data, business workflow and a myriad of virtual infrastructure to the big server in the sky. As a result, 40% of organizations report that a cyber skills shortage has slowed their cloud adoption. How can organizations already struggling with a backlog of cyber priorities push forward with cloud adoption?
Key to addressing this shortage is making the most of internal security experts while leveraging consultants, systems integrators and service providers to deliver day-to-day cyber operations. More importantly, the strategy can be viewed through a cloud model lens, where the cloud model an organization chooses informs the operational security requirements.
Looking at Cloud Service Models from a Security Perspective
The familiar cloud service model, whether infrastructure (IaaS), platform (PaaS) or software as a service (SaaS), tells us where operational responsibility resides: either with the cloud provider or with the cloud customer.
However, the model should not be misunderstood to imply that security responsibility belongs only to the operational owner of each layer. In cloud models, the customer can have security responsibility even for a layer that is managed by the cloud provider. For example, even though in IaaS the provider is responsible for virtualization, servers, storage and networking, the customer is still responsible for policy governance on the virtual systems, along with access control and event management in those layers. Put another way, while the cloud provider can supply a microsegment and the security controls for traffic into, out of and within that microsegment, the cloud customer still must operate those security controls.
Similarly, in PaaS, while the provider manages the run-time, middleware and OS, the customer still must manage identity and access to the platform. While the cloud provider may offer assurances that a middleware’s application programming interface (API) is free of known vulnerabilities, preventing misuse of the API is clearly a cloud customer responsibility. Even in SaaS, shared security responsibility exists despite the SaaS provider managing all layers. Consider authentication controls embedded in the SaaS application: they may not meet the password complexity, rotation or multi-factor authentication requirements that the customer’s own policy demands. And in all of the above, the customer must always maintain some controls around data governance, user access, identity management, monitoring and response.
A better approach to understanding where security responsibility resides is to look at the cloud models not from an operational perspective, but instead from a security controls viewpoint. Consider the following model (areas of security responsibility are a partial list for illustration):
By understanding where sole or shared responsibility for security resides within each control layer, an organization can then identify whether the skills and capability exist to extend enterprise controls to the cloud. While security maturity does not always carry over from the enterprise to the cloud, high security maturity in a particular cyber domain often means that the enterprise has sufficient cyber people, process and technology to secure its cloud endeavors. In short, existing cyber knowledge, frameworks, governance and related cyber discipline can act as a foundation for cloud adoption. Start by assessing capabilities at each control layer within the desired cloud model.
Address the Skills Gap by Identifying the Business Benefit
Even organizations with limited cyber maturity or talent can successfully secure complex cloud environments, because cloud adoption lends itself to a phased deployment approach. The cost and time to deploy and secure a cloud environment are significantly lower than for traditional on-premises approaches. As such, the business benefits, costs and IT drivers behind individual projects can be analyzed separately from legacy security considerations, in which security-related decisions impact other areas of the business.
To identify the IT drivers favorable to cloud deployment, start with a cloud readiness assessment. The questions to ask cover not only an organization’s capabilities for operating in the cloud, but also the strategic drivers behind why IT services should move to the cloud. At a high level, everyone recognizes the benefits of rapid time-to-market, lower total cost of ownership, colocation, and flexibility for future expansions and pivots. But the key is to tie these strategic drivers to metrics that can be applied to every new IT project.
Once these IT drivers are identified, then adopt a cloud-first approach. For every new IT project, ask if those IT drivers are better served in the cloud. If so, the requirements needed to enable that model will usually be secondary to the strategic business benefit. In other words, the ultimate question to answer around cyber readiness for cloud adoption isn’t whether an organization can do it, but whether the business benefit overwhelmingly justifies doing it.
The skills needed to execute a security strategy or to securely operate cloud environments can come from systems integrators, service providers and third-party consulting experts as needed. Managed security services can also act as a bridge between the current and desired state of internal security capabilities.
By knowing the IT drivers, understanding cloud security responsibilities within each control layer, shifting perspective to business outcomes, and asking for help from partners (i.e., systems integrators and service providers), the cyber skills gap becomes a non-issue. Instead of being a constraint on cloud adoption, security becomes an essential, enabling cog in the digital transformation engine.
This article was written by Tom Le, CTO, and Sudhakar Kamalanathan, Principal Architect of the Cognizant Security Practice.