Understanding cloud computing's impact on all aspects of IT is vital, and this requires a broader set of skills and knowledge that meet the rapid evolution of the industry head on.
With businesses actively embracing the cloud, there is a need for new skills to enable infosec professionals to deal with technology in a virtual context. “The change from traditional IT to a cloud computing environment is significant because of the need to secure technology systems and provide services without complete control,” says Jim Reavis, co-founder and executive director of the Cloud Security Alliance (CSA). “Professionals need to be able to transfer business processes into systems that are operating as a utility.”
This requires education, certification and standards for cloud computing across the spectrum of IT. “Corporate users now need cloud skills at the application development layer more than they do at the operating systems layer,” says Reavis. “Aside from assurance and networking skills, given the proliferation of huge virtualisation farms, managing big data securely is proving to be a challenge.”
‘Bring your own device' is exacerbating this challenge, leading to the need for more sophisticated desktop management and helpdesk capabilities – there is greater emphasis on endpoint VPN as a variety of systems and devices are integrated with corporate networks. The focus on identity management has grown significantly too as professionals get to grips with Security Assertion Markup Language and other open identity standards in order to securely integrate internal and external environments.
In recognition of these issues, (ISC)2 and the CSA are collaborating on the development of a new professional certification. Reavis explains: “The idea is to establish a common understanding of knowledge and best practice that enables professionals to develop secure, vendor-neutral enterprise architectures for the cloud. The cloud is evolving and so are the risks. Our early experience with cloud has shown that customers with a mature approach to architecture and a sense of the shared responsibility are able to successfully mitigate the risks related to confidentiality, integrity and availability. Professionals must have the knowledge that allows them to accurately interpret the developments taking place, and assess the various options available to them.
“Cloud computing security skills are not simply required by infosec professionals in enterprises alone. Cloud technology and service providers also need to understand the requirements to build systems that deliver functionality and meet their customers' security needs.”
Reavis concludes: “A re-alignment of the IT industry is taking place, due to the new technology trends. All these require a much broader set of skills.”