Survival in the Absence of Cloud Security Expertise

Given the government’s severe shortage of cybersecurity workers, recruiting obstacles and scarce training funds, hiring cybersecurity professionals with expertise specifically in cloud environments is next to impossible. While outsourcing may be an option, private-sector partners are facing similar workforce challenges. So, without the required expertise, how will agencies be able to ramp up cloud deployment and not compromise on security?  

The answer lies in a principle long held by another group used to working in heavy cloud cover; as pilots say: You have to trust your instruments.

Even for seasoned information security professionals, cloud migration can be disorienting if they have not dealt with how security products and processes function differently (or not at all) in the various cloud environments. Assets and data deployed in the cloud are certainly not secure by default. The shared responsibility model means that while the cloud provider will take responsibility for the cloud infrastructure itself, customers are responsible for the security, compliance and operational controls of their own applications and data. Government agencies will face several challenges as they migrate familiar security controls into the cloud, including:

• On-premise security tools that don’t support common cloud policies, platforms and technologies.
• Point solutions that work on-premises, or in the cloud, but not both.
• Gaps in monitoring, and data synchronization issues as elastic assets dynamically appear and disappear.
• Deploying and administering multiple management consoles across multiple environments which might include Amazon Web Services, Azure, GCP and private clouds.
• DevOps-related culture and technology changes that often accompany (or drive) moves to the cloud, which can’t accommodate traditional approaches to security and compliance.

Accompanied by a lack of expertise, these challenges can slow agency migration plans and ultimately expose the agency to greater security risks. According a recent Tripwire report, over half (52 percent) of IT security personnel surveyed are concerned that they will lose the ability to stay on top of security flaws as a direct impact of the skills gap. It also found that 88 percent expect they'll need to increase cloud expertise on their teams over the next few years. Other industry studies indicate that IT leaders are slowing cloud adoption due to a shortage of skills. Given the overall global shortage of skilled information security professionals (and cloud security experts in particular), we have to start dealing with the realities that the problem is not going to be solved any time soon.

In the meantime, how can agency personnel minimize the negative impact that the lack of expertise is having on cloud adoption? One key strategy rests in the ability to trust your instruments—to have confidence that your organization’s automated asset monitoring “instruments” or tools provide a complete view of your security controls, across all deployment models. You can start by evaluating your current and planned investments in foundational controls, to see whether you are making selections that are up to the task. Here are a few things to ask:

• Can you administer and assess the same controls across on-premise legacy systems and cloud networks with unified management and reporting?
• Will your solutions be able to support dynamically on-boarding and off-boarding nodes, to ensure continuous coverage in elastic environments?
• Are you able to assess compliance of your cloud assets and cloud management accounts to cloud policies and platforms, in addition to the policies and platforms that you use on-premises?
• Are you able to assess and monitor cloud-oriented technologies like Docker containers, Kubernetes, and CI/CD solutions like Ansible, Puppet and Chef?  
• Can your monitoring tools operate in an architecture that can support physical, virtual, private and public cloud environments?

Give yourself a point for each capability you can cover, and another point for each time you can cover that capability without having to install, deploy, manage and maintain a new point solution. If you didn’t get a perfect 10 and have to bring in more point products specifically for cloud security, that widens the skills gap. The good news is that every day there are more solutions out there that will get you closer to achieving these goals.

It really should be no surprise that, year over year, cloud remains the area that U.S. government information security professionals identify as the highest area of demand for training and education. So, while the government’s training and education offering strengthens in this area, now is the time to learn how to build trust in your instruments.

Keren Cummins is the federal director at Tripwire.