Cloud computing is transforming the world of information technology before our eyes. Less than a decade ago, IT teams focused most of their time on building enterprise data centers, managing capacity and building custom applications.
Today, times have changed and many organizations are now shifting their focus toward the cloud, moving to a world where automation and integration dominate, and enterprises purchase much of their computing as a service from a number of different providers.
This shift toward the cloud doesn’t only change the world of developers and engineers; it also dramatically affects the work of information security professionals. In the world of cloud computing, assessments rise in importance and contract language becomes as significant a security control as the configuration of the enterprise firewall.
As security professionals seek to reinvent themselves as cloud security experts, they must gain new knowledge and skills and may wish to pursue professional certifications that help them demonstrate this aptitude to current and potential employers.
Security in the Cloud
Perhaps the most fundamental security difference between the old world of on-premises enterprise IT and the new world of cloud computing lies in the degree of dependence that organizations place on their vendors. Certainly, IT organizations have always relied upon vendors to provide hardware, software and services, and those vendors have played a key role in enterprise security.
Even in a completely on-premises model, a security flaw in a vendor-supplied product can have dramatic security implications that open holes for an attacker to exploit. In a cloud model, those dependencies grow larger as organizations call upon vendors to provide services in a more active fashion.
The shared responsibility model is the key to understanding cloud computing security. Both vendors and their customers must take responsibility for different elements of security, and that division of responsibility depends upon the scope of services provided by the vendor and the agreement between the vendor and its customers.
For example, an infrastructure-as-a-service (IaaS) vendor offering virtualized servers to its customers is typically responsible for providing physical security in its data centers. The vendor is expected to manage network security and to secure both the hardware underlying the servers and the hypervisor that separates virtual instances from each other.
Customers configure the operating system, install applications, manage firewall rules and manipulate their own data. Therefore, the security of those components remains a customer responsibility.
In a software-as-a-service (SaaS) model, on the other hand, the burden of responsibility swings more heavily in the vendor’s direction. The vendor manages all of the servers as well as the application, assuming responsibility for almost the entire security stack. That said, customers may still manage application security settings and control the flow of sensitive information into the application.
As you move services to the cloud, your most important security priority should be a clear and documented understanding of the shared responsibility model. You should clearly articulate your security requirements, perhaps drawing this information from the requirements you use for on-premises environments.
Next, you should work with vendors to spell out the technical, physical and administrative controls that satisfy each objective and state who is responsible for the implementation, configuration, operation and verification of each control.
Preparing Yourself for the Cloud
It’s not just organizations that need to reinvent themselves for the cloud. It certainly is true that technologies and business processes will change as we move toward a cloud-centric computing environment.
Those changes will also require a shift in the individuals performing technology-related functions in those organizations, including information security. Current security professionals will need to update their skills to cover the emerging world of cloud computing.
In a cloud-focused world, security professionals must work closely with internal and external customers and suppliers to ensure that security follows the organization’s data wherever it flows or resides. Key skills for cloud security professionals include vendor relations, contract negotiations, security assessments, cloud platform operation and cloud application security.
In addition, cloud security professionals will need to have a deep understanding of the security services provided by their organization’s slate of cloud vendors, and understand how to manipulate those services to achieve the organization’s security goals.
If you’re hoping to reinvent your career as a cloud security specialist, then you may wish to consider earning a cloud-focused information security certification, such as the Certified Cloud Security Professional (CCSP) certification available as a joint partnership between (ISC)² and the Cloud Security Alliance (CSA).
These two organizations, both known for providing some of the premier information security certifications available today, partnered to create a credential that complements the other certifications they offer and requires a combination of advanced knowledge and practical, hands-on work experience.
The Certified Information Systems Security Professional (CISSP) certification offered by (ISC)² is already considered the gold standard certification in the information security field. It covers an extremely broad range of material and only touches on cloud computing topics.
CISSP holders who wish to focus on cloud security may wish to supplement their existing certification with the CCSP as a specialized credential. The good news is that CISSPs already meet the CCSP’s five-year work experience requirement.
The Certificate of Cloud Security Knowledge (CCSK) certification offered by CSA is more of a foundational certification that focuses on a candidate’s mastery of the CSA’s cloud security guidance and has no work experience requirement.
Earning CCSK can smooth your path to CCSP by checking off a portion of the CCSP professional experience prerequisite. If you’re a practicing information security professional, you are probably better off earning the CCSP credential, either as a stand-alone certification or as a complement to the CISSP.
As enterprises continue to move applications, data and infrastructure to the cloud, they will increasingly require the services of information security professionals skilled in securing cloud computing environments.
Building out your skills in the realm of cloud computing and demonstrating those skills by earning the CCSP credential will position you well to take advantage of this trend and find interesting and lucrative employment opportunities.
Mike Chapple is Senior Director for IT Service Delivery at the University of Notre Dame. Mike is CISSP certified and holds bachelor’s and doctoral degrees in computer science and engineering from Notre Dame, with a master’s degree in computer science from the University of Idaho and an MBA from Auburn University.