A security risk manager (ISO 27005 certified) not familiar with cloud solutions but who is interested in cloud topics, recently asked me to share my experience about the main cloud security knowledge & skills required to become a key member of cloud-based business transformation programs or initiatives.
It was not the first time I had received such a request, so I decided to share some insights in this post.
Understanding the difference between business & security priorities
Most companies are transforming their businesses using cloud technologies and services.
Indeed, cloud services provide several benefits (pay-as-you-go model, less or no CAPEX, dynamic scaling, high availability, collaboration efficiency, improved mobility, etc.) that enable rapid business development and/or transformation.
Business divisions are then interested in trying and quickly adopting these cloud services. Their interests are mostly governed by the cloud benefits.
On the other side, the security team, which is sometimes involved early or discovers the businesses’ cloud initiatives by chance, does not look at cloud services with the same mindset as the business divisions.
Security staff mostly understand and analyze cloud services from the security-risk angle, which is completely different from the benefits angle.
From the business perspective, the main goal is to maximize the cloud benefits for the company while from the security perspective, the main goal is to minimize the security risks for the company.
Reconciling these two distinct goals is very important for organizations that want to get the most benefit from cloud services without jeopardizing their main assets.
This is where a cloud security expert can bring the most value.
Cloud security expertise consists of a set of knowledge & skills that help an organization maximize the cloud benefits while minimizing (at the same time) the related security risks for the company.
Organizations should have on board people who understand the cloud benefits as well as the cloud security risks, and who can support the business divisions in properly balancing cloud benefits against cloud security risks.
This expertise can be acquired via (i) experience in designing & implementing cloud-based programs, (ii) cloud security training and (iii) cloud security certifications.
The main cloud security standards, guidelines and best practices I listed here, cloud certifications such as the top 5 vendor-neutral cloud security certifications I listed here, and platform-dependent cloud certifications such as AWS Certified Solutions Architect or MCSE: Cloud Platform and Infrastructure can be considered the main sources for developing & maintaining cloud security expertise.
Key characteristics of cloud security expertise
A cloud security expert is a security specialist who can understand the cloud benefits for the company’s businesses and can identify the security risks applicable to a specific cloud use case.
The figure below depicts the main cloud benefits and security threats:
As you may know, there are 3 cloud service models (IaaS, PaaS & SaaS) and 4 cloud deployment models (Public, Private, Community & Hybrid). Not all security threats are relevant or applicable to every cloud use case. As in other contexts, there is never a one-size-fits-all in terms of cloud security.
A cloud security expert should be able to perform the following tasks:
- Understand the business requirements (specific for each cloud use case)
- Map the business requirements to cloud services capabilities
- Analyze the security controls available in the targeted cloud service (e.g. MS Azure, AWS, Salesforce.com, SAP S/4HANA, etc.)
- Identify & assess the security risks applicable to a given cloud use case (main impact for the business)
- Help the business to decide if the security risks are acceptable (as per the company risk appetite – cloud security policy)
- If necessary, recommend reasonable additional security controls that can be implemented to reduce the security risks to an acceptable level (remediation)
- Support the business & IT during the implementation of the additional security controls
- Ensure that the security posture of the cloud solutions remains acceptable over time
In short, a cloud security expert should be able to support the business in the following activities:
- Cloud services/platforms evaluation & selection (RFP/I/Q processes)
- Cloud solutions implementation
- Cloud solution operation
The above tasks & activities can be performed by leveraging an agile & effective cloud security strategy such as the Cloud Usage Profile based strategy I described in this previous post.