Why Cloud Security Credentials Really Matter in a Dynamically Changing 'E'nvironment
As members of the Cloud Security Resource Community are aware, it is cloud security report season. Indeed, a sampling of recent surveys and reports worth reviewing have been published by Bitglass, IDG, Berkeley Research Group, Alert Logic, MessageOps and the Ponemon Institute. There are several others to keep an eye out for as well.
Interestingly, there are common themes behind almost all of the reports on cybersecurity overall and on cloud security. These themes are amplified by the seemingly daily data breaches, along with the reported increase in the sophistication and frequency of cyberattacks that treat public, private and hybrid clouds as attractive vectors for creating havoc. The themes are:
- 2015 was a very good year for the bad guys, and 2016 looks even better as attackers seek to take advantage of the cloud’s increasing use, along with other capabilities, not just to exploit organizational weaknesses but to monetize them.
- Enterprises remain concerned about moving “mission critical” parts of their businesses to the cloud because of security concerns.
- IT security professionals believe their organizations are under-investing in cybersecurity in general and cloud security specifically.
- There is a shortage of certified cloud security professionals who know how to deal with today’s threats and have the knowledge and tools to be proactive about future threats. The shortage is growing, putting organizations at even greater risk.
Recent comments from David Shearer, CISSP, PMP, Chief Executive Officer (CEO), (ISC)², are extremely timely, as they address the challenges cited above and more.
Mitigating cloud security risks—the need for advanced training and certifications
The undeniable fact is that the cloud is not just here to stay, but gaining momentum, owing to the many facets of its operational and business advantages. Thus, it’s not surprising that those with malicious intent have targeted the cloud as a place to look for weaknesses they can exploit. However, as Shearer explains:
“I don’t see cloud-based solutions and services as inherently worse or better. I will say that many cloud providers are far more mature in their processes and their overall cybersecurity programs than the organization acquiring their solutions and services.
An argument can be made that operating in a multi-tenancy environment like many cloud provider configurations can pose more risk. However, there are offsets for these risks given cloud providers’ advanced monitoring and cyber resilience capabilities.
The bottom line is that not all cloud providers are the same, and organizations acquiring cloud services can actually be the weakest link in the overall cybersecurity posture. It’s a shared risk business relationship. The crucial part of the relationship is for organizations to understand those risks in order to determine their acceptable levels of risk that should then be addressed pragmatically.
We need not fear the cloud; but we do have to make wise decisions about our implementation, ongoing oversight and operations. Just because you move something to the cloud doesn’t mean you can get rid of all of your staff. There are still ongoing security responsibilities and cloud provider oversight functions. The only way to successfully address the inherent shared risk model is to establish a very collaborative arrangement between the acquirer of cloud solutions and the provider.”
The notion that moving to the cloud means you can get rid of your staff is a major myth that (ISC)² would like to dispel. It is also the reason why it has teamed up with the Cloud Security Alliance (CSA) to address the need for a common international understanding of professional knowledge and best practices in the design, implementation, management and service orchestration of cloud computing systems. CSA’s Certificate of Cloud Security Knowledge (CCSK™) provides a very solid baseline of cloud security. Working together, (ISC)² and CSA developed a cloud security credential, the Certified Cloud Security Professional (CCSP℠), for those requiring a deeper understanding and demonstrated experience.
Unlike many other cloud-related certifications, both the CCSP and CCSK are vendor-neutral. They reflect overall industry best practices for securing cloud environments.
It is also important to note that, because of the extensive knowledge required, obtaining a CCSP is not easy, but it is extremely valuable. As Shearer outlined, CCSP is an advanced professional credential: “It focuses on assessment and reflects more than the knowledge needed to pass an exam. It includes: a) exam and testing meeting ANSI requirements; b) legal commitment to code of ethics; c) endorsement from appropriate certified professionals; and d) commitment to continuing professional education – all of which demonstrate that CCSPs are qualified and committed to tackling the cloud security challenges of today and tomorrow.”
To attain CCSP, applicants must have a minimum of five years of cumulative, paid, full-time working experience in information technology, of which three years must be in information security and one year in one of the six CBK domains:
- Architectural Concepts & Design Requirements
- Cloud Data Security
- Cloud Platform and Infrastructure Security
- Cloud Application Security
- Legal and Compliance
Plus, the good news for cyber, information, software and infrastructure security professionals who hold the CISSP credential is that they already meet the entire CCSP experience requirement.
With regard to which cloud services attackers may be targeting, Shearer commented: “In my professional opinion, bad actors make no special consideration or change in attack approaches to in-house versus cloud-based solutions and services. I do think it’s likely that bad actors will look to exploit the weakest link between the acquirer and the cloud provider.”
Organizations are looking to hire and keep IT cloud security professionals who have not only technical capabilities but also organizational skills. This means being able to obtain C-level understanding and buy-in that cloud security is about shared risks and responsibilities, with obligations assumed by both buyers and sellers. As Shearer says, “As much as organizations are concerned about securely leveraging cloud solutions and services, cloud providers need to be concerned about the possibility of their customer introducing vulnerabilities into their cloud environments.”
Finally, with regard to certification, Shearer had this to say: “I’m naturally biased, but I would say there are thousands of job openings that companies have posted for which CCSP would be a logical hiring differentiator. We believe that the CCSP is a natural next step for many people who hold CSA’s CCSK. Burning Glass Technologies research indicates there were 49,765 jobs posted globally in 2014 that required the CISSP. Over time, we believe the industry will also value CCSP holders the same way they have come to value our CISSP credential holders.”
In short, as the headline says, cloud security certifications really do matter. And, for IT professionals going forward, there is little doubt that these certifications are going to be critical for their careers and their organizations.
Edited by Stefania Viscusi