Do not index
Do not index
Cloud Computing is no longer novel. If you are a security professional you should not ignore cloud. Or put another way, gain cloud security skills fast or risk irrelevance. Cloud is now essential for the vast majority of security professionals.
 
“It’s just another phase, they’ll get past it”.
 
The best case scenario is that your long held analysis does not limit your future employment opportunities for a few more years. You may laugh at the businesses running code on other peoples computers, but the odds are that yours does to.
 
It’s time to update your internal script: Cloud Computing did turn out to be a huge deal. It took off and got further accelerated further by a pandemic.
 
What has this meant for private data centres? What does this mean for your day job?  Far fewer in-house servers to secure?  Less in-house security operations to deal with? Rare in-house penetration tests to run? Vulnerability assessment tools that don’t speak cloud? No incident response where you can physically pull a disk to image?
 
One common scenario today is finding yourself on a constant round of conference calls with 3rd parties trying to ‘pin down’ security in the cloud…  If you thought handling security issues associated with outsourcing was painful and slow, the Cloud brings a new set of challenges for decision makers and business security policy.
 
If you are the person responsible for your employer’s security arrangements, you may want to consider these 5 reasons for not dismissing Cloud Computing out of hand:
  • Unless you work for an IT company, your employer did not go into business to ‘do IT’.  They are in business to sell a product or a service - in-house IT may have enabled that, but it was out of need rather than desire. Cloud has been on the radar of every CEO for years now, especially when they ask ‘where can I cut headcount?’, ‘how can I get to market faster?’. It’s certainly true that many did not switch overnight, but there are few organisations NOT on a cloud journey. In any industry vertical, once the first goes cloud, the rest follow.
  • The temptation to contractually outsource security responsibility. ”Our customer data got stolen from a cloud storage provider - not us - we don’t run IT!”. Sure the buck stops with the org from a legal and regulatory perspective but blame for data leakage or theft involving 3rd party providers continues to garner a mixed reaction. Security Pros say “see, you can’t trust 3rd parties”, but sadly for many the reaction has shifted to “not again” since their PII was already breached multiple times.
  • The skills you need to deal with Cloud Security may be different from the skills you have today. Your visibility window on Cloud security is what your Cloud Provider gives you. Beyond that you may be able to do an on-site audit from time to time (if you’re big enough), but its a shared facility so no monkey in a cage pen-testing, scanning or drive level forensic analysis. But learn how to use cloud instrumentation and your ability to troubleshoot services your employer cares about skyrockets.
  • There’s a large cloud forming over the horizon. The level of capital and people investment by CSPs cannot be ignored. Amazon, Microsoft, Google and others continue to plough millions of dollars to build out Cloud data.
  • You may just end up working for the Cloud Provider! This is something we have already seen. The CSPs have headhunted some of the best cyber security talent. Haven’t you noticed?
 
The hype train left the station a long time ago. Whatever your personal feelings about cloud and cloud security, I strongly encourage you to read the writing on the wall.
Craig Balding

Written by

Craig Balding

Independent Cloud Security Consultant. Advisor to Cloud Security Alliance. Former Group Security CTO at Barclays. Founder of GE Red Team


Are you curious about artificial intelligence and cyber security? Join my Threat Prompt newsletter to stay up to date.