Cloud Concerns from IT Professionals
In a Dark Reading article, a panel of IT professionals listed their concerns about cloud technology. In this entry, I’m going to break down select findings on the biggest concerns and cover what companies can do to address them.
Security – 73%
I will always stand by the statement that cloud services from large providers (e.g. Amazon AWS, Microsoft Azure, Google Cloud, Salesforce, Workday et al.) are infinitely more secure than the “average” company. Now, it’s important to remember that the “average” company may very well have one or two IT people, or may outsource the security function to a Managed Security Service Provider (MSSP) that may offer Managed Detection and Response (MDR) services as well.
Are cloud providers infallible? Absolutely not. Even AWS and Microsoft have had security issues come to light. However, in the vast majority (like 99.999%) of security incidents, it is the cloud customer that messes up security. No service model (SaaS, PaaS, IaaS) has the customer outsourcing all security. Do you have recently departed employees or contractors that still have access to a critical SaaS application? I’ll bet you do, especially if you don’t have Federated Identity Management established with your providers.
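One concrete way to answer that question is to reconcile a SaaS provider’s user export against the HR roster and flag enabled accounts that nobody current owns. The Python below is an added example, not code from the article; the roster, the user export and their field names (email, status, last_login) are constructed assumptions standing in for whatever your HR system and SaaS admin console actually produce.

```python
from datetime import date

# Constructed sample data (not from the article): an HR roster mapping each
# person to a termination date (None = still employed) and a user export as a
# SaaS admin console might produce it. Field names are assumptions.
HR_ROSTER = {
    "alice@example.com": None,
    "bob@example.com": date(2023, 1, 15),
    "carol@example.com": date(2023, 3, 1),
}
SAAS_USERS = [
    {"email": "alice@example.com", "status": "active", "last_login": date(2023, 4, 1)},
    {"email": "Bob@example.com", "status": "active", "last_login": date(2023, 2, 20)},
    {"email": "carol@example.com", "status": "suspended", "last_login": date(2023, 2, 1)},
    {"email": "dave@contractor.example", "status": "active", "last_login": None},
]


def find_orphaned_accounts(saas_users, hr_roster):
    """Return (email, reason) for each enabled SaaS account that should not be.

    Suspended accounts are skipped because that access is already revoked; the
    goal is to catch enabled accounts the deprovisioning process missed.
    """
    # Normalise case so "Bob@" in the export matches "bob@" in the roster.
    roster = {email.lower(): left_on for email, left_on in hr_roster.items()}
    findings = []
    for user in saas_users:
        if user["status"] != "active":
            continue
        email = user["email"].lower()
        if email not in roster:
            # No one in HR owns this identity: a contractor or shadow account
            # that federation with the provider would never have covered.
            findings.append((email, "not_in_directory"))
            continue
        left_on = roster[email]
        if left_on is None:
            continue  # current employee, nothing to do
        last_login = user["last_login"]
        if last_login is not None and last_login > left_on:
            # Worst case: the account was used after the person departed.
            findings.append((email, "used_after_departure"))
        else:
            findings.append((email, "departed_still_enabled"))
    return sorted(findings)


if __name__ == "__main__":
    for email, reason in find_orphaned_accounts(SAAS_USERS, HR_ROSTER):
        print(f"{email}: {reason}")
```

Running this against each critical SaaS application after every offboarding cycle turns the guess in the paragraph above into a measurable list.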
Despite what the average executive may think, cloud security isn’t fully outsourced and it sure isn’t easy. Yes, the provider has “security of the cloud”, but the consumer has responsibility for securing “usage of the cloud” according to your policies and procedures. Who determines cloud policies, and how are they funded and assessed?
To properly address cloud security, your staff need to be aware of both strategic and tactical security issues. This is covered in greater detail in the skillset section below, but for now, you need a team that understands the complete cloud security picture, from how responsibility shifts in the cloud through to the operational implementation of security controls on a per-platform basis.
Cost – 58%
Cost is an interesting finding. I sometimes liken cloud service providers to crack dealers. Many providers will do the “start for free” offer or issue “service credits” that hide the true cost of their service until it’s too late and you are locked in (or addicted) to their service once the bills start coming in. At this point, the average company has no choice but to accept the charges.
Not having a mature cloud service onboarding procedure can be devastating from a cost perspective, largely because of shadow SaaS adoption. Do you have 5 CRMs today? Do you know how many? If the answer is no, it’s time to collect an inventory of your cloud assets. This is a subject that we discuss in our Cloud Security Bootcamp offering.
From an IaaS perspective, architectural and Business Continuity Planning and Disaster Recovery (BCP/DR) decisions can be very costly. Copying data from one region to another generates charges for both data storage and network traffic.
Reliability/performance – 50%
You get what you pay for. There are no rules or regulations that force any cloud provider to do things in a proper fashion. Does your SaaS provider consist of two people in their garage? Did your company review them prior to onboarding them? Is the service unsanctioned by the IT function (a.k.a. Shadow IT)? Cloud providers range from companies with fewer than 10 people all the way to multi-billion dollar publicly traded companies. This is especially true for SaaS providers. Spend the time assessing providers from both risk and financial perspectives. The Cloud Controls Matrix and Consensus Assessment Initiative Questionnaire by the Cloud Security Alliance are an excellent starting point, used by many enterprises and government agencies around the world to assess potential cloud service providers.
Staff skillset on dealing with cloud computing – 26%
This is where training comes in. As you are very well aware, there are two main types of training that you can send your staff to. There are pre-recorded sessions that are available on demand 24/7, and there is live instructor-led training that can be attended virtually or in person.
Pre-recorded training is a cheap way to allow employees to pursue knowledge on their own. In my opinion, employees are happy with the option of having a library of training at their disposal, but chances are they aren’t going to use it. They may begin in earnest, but eventually they’ll just quit because projects or life in general get in the way. There’s no set schedule, so there’s no deadline. Nothing causes action like a deadline. Subscribing to a service and calling it a day is a sure-fire way to fail at training your staff.
Instructor-led training can be expensive, especially if you want effective training. However, this approach does ensure delivery in a set amount of time. If you go cheap, you’ll wind up with an instructor that is teaching CISSP this week and Excel fundamentals the next. If you go with an unauthorized training company, you’ll likely wind up getting photocopies of a book (true story!) or books that are purchased from Amazon. Again, the instructor likely won’t be a professional in the field because, quite frankly, great trainers are expensive.
Now, the question you should be able to answer is: what level of training do you want? I like to use three levels as a rough guide: Executive, Strategic and Tactical. Since we are solely focused on Risk and Security Management, I’m also throwing in an example for each.
Executive
These would obviously cater to the executives. These would typically be short sessions without any acronyms or keyboards involved. An example would be a session on the risks companies face in a particular industry, or new regulations that have been introduced that impact the organization.
Strategic
I like to classify strategic training as the What, Where, Why and maybe When (prioritization) of technology. As far as the How goes, this training would consist of “How does this address mitigating risks the business is facing?” Examples of strategic training are CISSP and CCSP by ISC2 and CCSK by the Cloud Security Alliance. Personally, I think you want all team members to have exposure to this level of training. Why does the firewall administrator need this training? They’ll have a better understanding of the “Big Picture”, it drives home that security is there to support the business, and it will help them progress in their career. This of course makes for a better overall risk and security function across your entire organization.
Tactical
This is training on the technical aspects, or operation, of a platform. “What buttons need to be clicked to make this thing work” is the way I like to think of tactical training. Examples of tactical training would be Security+ by CompTIA, CEH by EC-Council and most vendor training (e.g. AWS, Microsoft Azure, etc.).
We have no concerns; we’re happy with the services we use – 2%
All I can say here is that ignorance is not a defense.
I hope this entry has helped you identify some of the main concerns shared by IT professionals regarding cloud services and has given you some ideas of what you can do to address them in your organization.