Do UK IT professionals have the skills to help their companies implement cloud computing securely?

Majority opinion is that skills are lacking

John Colley MD EMEA, (ISC)2

An overwhelming majority of our members participating in the current edition of the (ISC)2 Global Information Security Workforce study have told us that the answer to this question is "no".

Given the rapid move to cloud, we decided to delve into this topic as one of three clear trends that are significantly changing the way companies do business: cloud, mobility and social networking.

We learned that more than 70% of the 7,500 member participants believed new skills were required for cloud computing. This isn't just a desire for an incremental update of their knowledge. They are keen to better their detailed understanding and technical knowledge of the subject while also looking at softer skills such as contract negotiation. They are admitting that there is a lot to get to grips with and much has yet to be defined.

Part of the problem is that many of the decisions are being made beyond their influence, without the knowledge of security, or even IT, where the cost of securing or leaking data isn't on the radar. Security professionals' efforts would be well placed in elevating this as an IT or operational governance issue.

Cloud computing is becoming mainstream at a very early point in its development: There are few established standards and huge quality variances across providers, while services are highly accessible because they do not require IT knowledge. There is little known, because the hard questions are all too often not asked about the robustness of the systems, particularly the software behind the plethora of services that are coming online. Even private clouds, which use cloud technology over infrastructure owned by the organisation, require solid assessment.

Security people are very good at picking up new technologies and trends. I have no doubt that they have the ability to grasp what is required and there is an overwhelming feeling that they must. But as our survey says, they don't have it at the moment. The full report will be available to the public from February 17.

Cloud could make once-essential skills redundant

Raj Samani, Cloud Security Alliance

Technology has a remarkable habit of making previously essential skills completely redundant. Take map reading for example; modern smartphones are able to pinpoint your exact location and provide walking or driving directions to your destination. Consider the last time you used a map, or even asked someone for directions; and more worryingly, how lost would you be without your phone or satnav?

The erosion of previously essential skills is also likely to be felt by technology professionals through the widescale adoption of cloud computing. Previously, nearly every organisation, regardless of size, was forced to install a computing facility of some description, whether that equipment was in a dedicated room or under a desk. Equally, all organisations would allocate full or part-time resources to be the "IT geek", or another insulting job title. Cloud computing is changing that.

Organisations can simply pay for their technical requirements through a service contract, much as they pay for electricity or toilet paper. It doesn't matter who they go to, so long as the Cloud Service Provider (CSP) meets their requirements (including security), the lowest price wins. What does this mean for the security professional?

Technical skills are likely to be concentrated at CSP locations and organisations which need to maintain security teams with deep technical expertise. Skills for security professionals will have to adapt to manage the CSP contract and monitor compliance against established SLAs. Equally, skills for security professionals will have to adapt from deep technical expertise to a much broader technical competence.

Moreover, the need to develop strong communication skills and, of course, report writing will be of paramount importance.

As we migrate to this new world, many security professionals globally are beginning to adapt and develop these new skills. Equally, the introduction of new control frameworks such as CAMM, the CSA control matrix v2, etc will empower security professionals to help their organisations implement cloud computing securely.


Investment needed to keep up to speed

Tom Scholtz, vice-president and distinguished analyst, Gartner

Some organisations lack security resources that are sufficiently up to speed with all the technological implications of cloud-based technologies. This could be remedied by some targeted investment in research and training on the security characteristics and requirements of massively scalable virtualised platforms.

Many traditional and more specific technologies (eg, data loss prevention, federated identity management, privileged account management, virtual firewalls, secure hypervisors) can help to provide adequate security control for cloud computing. Some of these tools are complex and require specialist skills to manage.

However, when considering public cloud services, it is not just a question of the security professionals having the requisite skills, but also whether the context will allow the security professionals to perform an adequate assessment of any cloud services under consideration. Specifically, will the security professionals have adequate access to the environment of proposed providers to assess the security processes and controls that the provider has implemented? And once a public cloud service is acquired, will the security professionals be able to perform periodic assessments to ensure that trust in the provider is maintained? This access is a function of both the number of security staff that the client organisation has to perform such assessments, as well as the transparency and accessibility provided by the cloud vendor.

Once access has been agreed with the cloud provider, security professionals should focus on the policies and controls of the provider, as well as the management of the controls, eg, processes to vet staff, provision identity, and monitor and respond to security events. Given the frequency and depth of security assessments that will be required for public cloud engagements throughout the engagement life cycle, demand will increase for third-party assessment and certification of public cloud services.

Another potential challenge is the ability of the security professional to articulate the residual risk of a cloud environment in a non-alarmist manner that the business will understand. The security implications of, for example, virtualisation, multi-tenancy and maintaining trust assertions across dynamic infrastructure and locations, must be explained in non-technical terms.

Security professionals have a duty not to be obstructionist, but rather to be a key team member in any cloud computing initiative. Just saying "no" to cloud computing will typically result in the security manager being bypassed in any strategic decisions.


Defeating the 'seven deadly sins'

Steve Durbin, global vice-president, Information Security Forum (ISF)

Purchasing services from one or more cloud providers raises a number of security challenges. Organisations face what we in the ISF call the "seven deadly sins" – ignorance, ambiguity, doubt, trespass, disorder, conceit and complacency – when implementing cloud services. Often, in the rush to drive down IT costs and realise efficiencies, IT, IT security and information security are elbowed out of the way by the business. Thus decisions are made without considering all of the relevant factors associated with the service, possibly resulting in greater risk exposure for the organisation.

Information security professionals need to develop responses to the seven deadly sins. This will involve both enhancing skills they already possess and developing new skills. First, they must enhance and deepen their interaction with the business to reduce ignorance, disorder and complacency. Second, they must learn about the cloud - how it is delivered; how security is implemented; and why it is both similar to and different from IT outsourcing - to clear away ambiguity and doubt. Third, they must modify and apply risk management to the cloud to reduce ambiguity, trespass and conceit.

In the future, new skills such as setting information security maturity levels (to address ambiguity and doubt), analysing service provider reports (to probe for doubt and complacency) and providing relevant, business-focussed, internal reporting (to lessen ambiguity, doubt and conceit) will be needed.

Ideally, an organisation should address the seven deadly sins and adopt standards such as the forthcoming ISO/IEC 27036 and CAMM. The organisation can thus identify and fill skill or knowledge gaps as well as plan and enhance the way in which it procures cloud services in a managed, consistent manner. At a personal level, undertaking professional training (for example the Certificate of Cloud Security Knowledge) and learning from hard-won experience are the way forward.


Major change to the security landscape

Amanda Goodger, Common Assurance Maturity Model (CAMM)

The question raises broader issues. Cloud introduces a major change for them in the security landscape, and in the way information is used. Organisations need to continually assess their situation, and where gaps are identified resolve them through business upskilling, continual technical development, and changing mindsets to address the evolving complex situation.

It is imperative that organisations integrate their strategic business aims with their associated security requirements. In the short term, professionals need to possess the appropriate business skills. Organisations can overcome shortfalls by establishing a common language; aligning security with their information architecture (including information categorisation and identification, ie, critical data etc); and effective business risk management (including information risk management). Traditionally, these areas have not had the prominence, and cloud security has triggered the need for these to be included.

The emerging cloud landscape emphasises the need for continual technical skills development delivered at an increasing pace, and in a more agile manner. Overall, many existing IT skillsets remain relevant. In the long term, due to the evolving complexity of the cloud and associated business delivery models (ie, software-as-a-service), UK IT security professionals' development needs to expand. Thus, cloud security offers organisations the ability to use the associated business and technical benefits.

Finally, in the cloud, information can be viewed, used, manipulated and stored anywhere. For most organisations and professionals this is an evolutionary step change in their mindset. Cloud security has to be viewed from a holistic perspective. In the short and long term, organisations need to understand their whole information supply chain from end to end and from multiple viewpoints.

Increasingly, cloud computing focuses organisations to operate in a holistic manner based on dynamic risk management. In addition, UK IT security professionals need to broaden their skills capability for successful business/security implementation.


An opportunity for new security policies

Dani Briscoe, services manager, The Corporate IT Forum

For some organisations, moving services and data to the cloud may provide a unique opportunity to devise and implement new security policies and processes, use built-for-purpose solutions and access specialist external skills. Rarely does IT have a chance to start from scratch with a clean slate; but cloud computing could offer this possibility.

But for most, the cloud is still a relatively untried place and corporate cloud utilisation strategies remain immature. Security is widely viewed as the most significant barrier to public cloud adoption. The Corporate IT Forum's eCrime Reality Checker (to be published in March 2011) highlights that access rights, data and security governance and assurance over suppliers are perceived as the biggest threats, putting process quality and confidence in third parties as both priorities and major concerns. This isn't a revelation, and it won't come as a new challenge to companies today, who have wrestled with the implications of outsourcing and the opening up of networks and systems to partners and supply chains for years. Risk evaluation and management capabilities are as critical here as they will be for those planning a move to the public cloud.

However, those members moving towards a private cloud set-up do so with confidence. As one member commented, "private cloud is as safe as the corporate network", leading the forum to believe that members are keen to exploit private cloud situations to free up both computing time and energy to allow the business to run smoothly and efficiently.

Mike Westmacott, chair of BCS Young Professionals Information Security Group

Broadly speaking, the collection of technologies and services which are now being marketed as "the cloud" do not represent any new technical challenges for a competent IT security professional. What they do is to increase the complexity of solutions where the business determines there is a benefit from delivering IT by outsourcing.

Depending upon the route taken, which may vary from the on-demand provisioning of infrastructure to the dynamic relocation of data and applications, there are a number of issues which may cause problems for the security professional. It may, for example, be that the chosen provider is in some way unwilling, or unable, to provide information on where in the world purchased services and data will reside - causing difficulties with legal and regulatory obligations.

Service level agreements that are on offer will require a degree of negotiation with the provider to ensure that services meet business expectations. Once a solution has been chosen the technical work may begin, with the practitioner going through the normal process of taking security policy and designing a solution that will satisfy those policies and not hinder business operations.

Overall the security professional may find that they are having to develop skills to work with third parties that are less technical and more managerial, while also having to plan, design and implement security within a far more complex environment.

Where organisations are creating this type of environment there is value to be gained by utilising security consultancies who do have experience in cloud technologies and issues, and who are capable of assisting in the creation of complex solutions and, furthermore, testing them.