Securing the Cloud: An Ongoing Effort


Two of the more notable trends in IT today also happen to be inter-related: the rapid growth of cloud computing services and the rising need for more effective cyber security solutions.

The growth of the cloud has been so significant that offerings such as software-as-a-service (SaaS), infrastructure-as-a-service (IaaS), and platform-as-a-service (PaaS) are now standard components of many enterprise IT environments.

And the high-profile data breaches, ransomware attacks, and distributed denial-of-service (DDoS) incidents of recent years have placed cyber security high on the list of priorities of not only technology executives, but business leaders and boards of directors as well.

The two trends are inter-related in that many organizations moving to the cloud remain concerned about the potential security threats. As well entrenched as the cloud has become, moving data and workloads off premises is still a cause of concern for security, IT, and business executives alike.

The latest Cloud Security Report by online security community and resource site Cybersecurity Insiders shows that security concerns, lack of qualified security staff, and outdated tools remain top issues for organizations.

The report is based on an online survey of more than 1,900 cyber security professionals in the 350,000-member Information Security Community on LinkedIn, and shows that cloud security concerns top the list of barriers to faster cloud adoption. Key concerns include protection against data loss (57%), threats to data privacy (49%), and breaches of confidentiality (47%).

Industry efforts are underway to address such concerns. For example, the Cloud Security Alliance (CSA) has launched a number of initiatives in recent months designed to bolster cloud security, including major updates to its cloud security guidance program.

CSA, an organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment, announced the release of Guidance for Critical Areas of Focus in Cloud Computing 4.0, the first major update to the Guidance since 2011.

Guidance 4.0, which acts as a practical, actionable roadmap for individuals and organizations looking to safely and securely adopt the cloud model, includes significant content updates to address leading-edge cloud security practices, CSA said.

About 80% of the Guidance was rewritten from the ground up with domains restructured to better represent the current state and future of cloud computing security, said Luciano Santos, executive vice president of research at CSA. Guidance 4.0 incorporates more of the various applications used in the security environment today to better reflect real-world security practices, he said.

The effort was the culmination of more than a year of research and public participation from the CSA community, working groups, and the public at large, according to Rich Mogull, analyst and CEO at Securosis, an information security research and advisory firm.

The landscape has changed dramatically since 2011, Mogull said, and CSA felt the timing was right to make the changes. Researchers worked with the community to ensure that the Guidance was not only updated to reflect the latest cloud security practices, but also provides practical, actionable advice along with the background material to support the CSA’s recommendations.

Guidance 4.0 integrates the latest CSA research projects, such as the Cloud Controls Matrix (CCM) and the Consensus Assessments Initiative Questionnaire (CAIQ), and covers topics including DevOps, the Internet of Things (IoT), mobile technology, big data, software defined networks (SDN), microservices and containers, and new regulatory guidance.

Another recent effort by CSA was a significant update of its Certificate of Cloud Security Knowledge (CCSK) to reflect changes in the cloud and security landscape. CCSK v4, scheduled to be available in November 2017, features new content and will align training with Guidance 4.0.

Launched by CSA in 2010, the CCSK was the industry’s first benchmark for measuring cloud security skill sets. CSA also updated its labs for the CCSK Plus course, developed to provide students with a solid foundation in cloud security, to better reflect “real-world security practices”.

And in August 2017 CSA announced the release of Improving Metrics in Cyber Resiliency, guidelines developed by a group of subject matter experts within the CSA community and designed to help enterprises develop metrics and processes to measure threats before they become cyber attacks and recover functionality lost in the wake of such attacks.

The guidelines introduce two key metrics, Elapsed Time to Identify Failure (ETIF) and Elapsed Time to Identify Threat (ETIT), and propose that the responsibility for measuring and reporting each be transferred from companies whose systems encounter cyber attacks to those in the intrusion detection system (IDS) space. Doing this, the researchers suggest, would encourage the development of superior algorithms needed to detect anomalies and improve cyber resiliency. 

continuous sec