Chuck Ward has noticed a change in the way companies approach the issue of securing data in the cloud. Once upon a time, data security was the domain of company IT teams. Today, data security is front and center on everyone's agenda.
"Given the number of high profile breaches that are being publicly disclosed, the issue is no longer the exclusive realm of client IT teams," said Ward, vice president of Global Channels at Masergy, a cloud network provider based in Plano, Texas. "Company executive teams and boards of directors are all actively engaged in the conversation on how to best protect their digital assets while maintaining business agility."
As security takes a more prominent role, and the realities of today's increasingly threatening cybersecurity landscape sink in, the conversation has shifted.
"Companies' objectives have changed from 'How do we avoid getting breached?' to 'How do we establish a robust security posture and ensure that when we get compromised, how do we detect it rapidly to stop data exfiltration and mitigate damage?'" Ward said.
Securing data in the cloud: An opportunity to differentiate
In today's dangerous cybersecurity environment, cloud service providers (CSPs) must build a security practice that meets the following market demands: an understanding of security products, the ability to categorize data by importance and sensitivity, and the ability to secure data in transit and at rest. Additionally, providing the right specialized IT security skills to deal with growing security threats is another factor that can go far in differentiating a cloud security consulting practice.
Certainly, the constant flow of news that federal government agencies, large corporations and healthcare organizations continue to suffer data breaches is disheartening. A report from PandaLabs that 75 million new strains of malware were created in 2014 conveys the impression that malware appears unstoppable.
CompTIA, an IT trade association, recently published its Trends in Information Security report. Of the 400 business executives and technology professionals surveyed by CompTIA, 29% of the respondents said they have had a data loss incident in 2014, up from 19% in 2013.
The survey also found that 74% of the respondents said security has a higher priority today than two years ago, and 85% said two years from now security will be even higher on their list of priorities.
Yet another study, from Transparency Market Research, shows a corresponding growth rate in the global cloud security market, which is projected to increase from $4.5 billion in 2014 to $11.8 billion in 2022, according to Shrikant Mahankar, research analyst at the company.
For CSPs, the task of securing data in the cloud offers enormous challenges, but also presents a plethora of opportunities.
"Most of the cloud organizations that I've encountered have seen the value of touting their security expertise. Security has become a unique differentiator; it's a strong point," said Miles Jobgen, director of Trustmarks at CompTIA.
Building a cloud security practice: How partners meet the challenges
As the security environment evolves, CSPs find themselves working with customers that are experiencing greater interconnectivity of systems through the use of mobile devices and the Internet of Things, which increase security vulnerabilities.
Additionally, government laws, regulations and industry standards such as the Sarbanes-Oxley Act, The Health Insurance Portability and Accountability Act, and the Payment Card Industry Data Security Standard call for data to be stored and secured using specific technology, policies and procedures. This has resulted in an increasing customer reliance on CSPs to manage, operate and store data in a compliant manner using skills and expertise that clients often can't afford to provide for themselves.
Working through compliance requirements, such as installing encryption technology, isn't easy, said Spence Witten, director of federal sales at Lunarline Inc., a full-service IT security company based in Arlington, Va., that offers products, services and training.
"Implementing encryption is really difficult in large environments and it can break functionality as certain system components are not set up to handle encrypted data," Witten said. "It can also introduce latency issues that are just not acceptable to cloud service providers."
Trying to sort through what data to secure, and deciding what information to upload onto cloud platforms, is a source of confusion for many customers, said Jason Parry, vice president, client solutions at Force 3, a network security and data center technology company based in Crofton, Md.
Parry said most customers are still trying to understand how to fully leverage the cloud. He said for many government customers, the challenge is directly tied to sensitive data.
"In those cases, customers are looking for advisory services all the way through architecture, where hybrid cloud complicates things," Parry said. "Many of our customers are not ready to move everything to the cloud and want to understand how they can deploy a seamless hybrid cloud."
Parry said many customers are interested in finding out what types of security assistance a CSP provides. And when the customer, itself, offers cloud services, it wants advice on what security strategies it should pursue for its end customers. Parry pointed to the example of a government agency that provides cloud services to other government customers.
"Government customers that are providing services as a 'shared service' through a private or hybrid cloud model want to understand the security risk of a multi-tenant environment," Parry explained. "They then want to develop strategies for protecting, defending and responding to an incident where a compromise could expose multiple customers and large sets of information."
"In this case, customers are looking for services to assist not only with standing up a secure private cloud infrastructure, but help prepare the government for follow-up public cloud activity as well," Parry said.
Indeed, a CSP security practice can focus its efforts on securing customers' private, public and hybrid clouds (using public clouds such as Amazon Web Services or Microsoft Azure in combination with in-house, on-premises IT). Part of the job, Ward said, is to be the eyes and ears of a customer's security breach prevention plan.
"Customers have tended to take a reactive posture. They rely on their cloud vendors to secure their data stored in the vendor infrastructure because they have constrained IT resources," Ward said.
He also said customers have a perimeter focus, which does not protect them against threats that originate internally on the private network through laptops, email, USB drives, and on tablets and smartphones.
"We see an overreliance on signature based solutions, with little to no defense mechanism in place for emerging threats. In both public and private cloud scenarios we see a discrete security infrastructure. In other words, the systems in place do not talk with each other," Ward said.
CompTIA's survey underscores the need for CSPs to understand what their clients' security posture in the cloud should look like and highlights the need for customers to have a good idea of what their requirements are before deciding on a cloud engagement.
The survey revealed that after an initial cloud migration, many companies had second thoughts on where their data should reside. Those companies switched their choices for security-related reasons. According to the report, data was either moved from a public cloud to a private cloud (36%) or from a public cloud to an on-premises system (31%), or from one public cloud to another (30%).
Other significant changes occurred after a cloud offering was adopted. CompTIA's survey found that 48% of companies said they changed company policy because of changing views on securing data in the cloud, and 41% said they built additional security features into cloud-hosted applications.
As CSPs look for opportunities to solve their customers' security problems, they'll find that many companies already have encryption, firewalls, and end-point security offerings as well as intrusion detection and intrusion prevention systems, security information and event management systems and a sandbox environment.
According to Ward, in a new, more threatening security environment customers recognize they'll have to establish a security posture that requires a lot more than implementing the latest security appliance.
To help them get there, Ward said customers are looking to CSPs to help them do three things:
1. Outsource the continuous 24x7 expert monitoring,
2. Provide new technologies (like machine learning and adaptive network behavioral analysis) that help filter out the noise (e.g., reduce false positives),
3. Provide new technologies that help mitigate the risk of advanced persistent threats, zero day vulnerabilities and internal threat actors -- like machine learning and adaptive network behavioral analysis.
"The first need is driven by the fact that even if an IT team can get the budget needed to staff security experts 24x7 for continuous monitoring, finding and retaining this type of talent today is incredibly difficult," Ward said. "The second and third are driven by the fact that without new advanced technology, your ability to detect real threats and act on them in a timely fashion is materially discounted."
Once a cloud security consulting practice understands the current security product landscape, how these technologies work and what problems they are good at solving, security consultants can easily identify what specific technology will close specific security gaps.
To pinpoint specific customer requirements, Ward said CSPs should ask critical questions including:
- How are you protecting your business today?
- How confident are you in your security readiness?
- Do you have real-time insight into your security infrastructure?
- How would a breach impact your business?
- Do you have the appropriate IT security staff and expertise to manage it today?
IT security skills in short supply
Another challenge for CSPs offering cloud security consulting: finding the right personnel.
Force 3's Parry bemoans the fact that it's very difficult to find qualified IT security staff and even more challenging to scout for qualified security experts who have cloud security skills.
"We often hire great security consultants and then train them in other areas they might not have as much exposure to. The foundational security elements are the same, we simply need to train them in how these apply to cloud (public, private and hybrid) environments," Parry said.
Parry added that security product vendors also provide training that covers a range of design, deployment and configuration scenarios including on-premises, public cloud and hybrid cloud architectures.
Jobgen said he highly recommends good infrastructure-type, technical certifications for security consultants. He said those include such certifications as CompTIA's Advanced Security Practitioner Certification and The Cloud Security Alliance's STAR Certification.
But whether or not a CSP decides to launch a formal cloud security consulting practice, a service provider should at least have some dedicated security experts on hand.
"There are certain security decisions that need a degree of independence that is not possible if a security expert is embedded with another team," Witten said. "The simple fact is that organizations nowadays see a lot of cyberattack activity and CSPs need focused, dedicated security support to fight back effectively."