ISC 2 - CCSP

What I Have Learned: Cloud Security Insights From CCSP Pros


The age of cloud security gives rise to the somewhat mixed metaphor of a cat and mouse game played out on shifting sands. Cloud security professionals face a multidimensional conundrum as they try to keep pace with changing technologies, upgrades, internal political pressures, and of course external infiltration attempts. Danger can come from the outside or within. It can be mechanical, software driven, or the fault of human beings. And answering the call at the end of this long list of stresses and priorities is a hugely busy, often overworked security team.

So what do they have to say about it? We asked the CEO of (ISC)², a global leader in information, cyber, software and infrastructure security certifications, including the Certified Cloud Security Professional (CCSP℠), and two CCSP-certified security experts to share some of their knowledge and observations. What have they seen? What worries them, and what advice would they offer? Here are a few of their revelations.

Connecting Devices To The Cloud

“Everyone is migrating to the cloud,” says Adam Gordon, CCSP, an author and instructor for (ISC)². Across organizations large and small, public sector and private, as well as millions of individual consumers, every device is connecting and interrelating with every other in ways that no one can accurately map. “The problem is, we don’t always understand what cloud means as we start to consume. As a result, there tends to be a gap where consumption is a lead indicator and security is an afterthought.” Gordon points out that the causes of major breaches can often be traced to lax behavior on the part of individuals. “Do they understand the implications of allowing an application on their phone to use the phone’s location services to provide location information to a cloud service? How is that being used? How is it being archived? How is it being tracked?” he asks.

People place a great degree of trust in their systems and their providers and, for Adam, this is not enough. “I think the mistake we make today, or that we have made historically, is we put faith into the provider and say, ‘they’re going to take care of it…’ and we don’t verify.” Adam prefers to embrace the phrase used by President Reagan during the 1987 arms control negotiations, taken from a traditional Russian proverb: trust but verify. “If you take the trust but verify approach, we come up with a solution that actually leads to cloud security. If we just trust, but don’t verify, I think we’re in for some nasty surprises along the way.”

Constant Monitoring Critical

These concerns are echoed by Pat (a pseudonym), a CCSP-certified cyber strategist with a federal government department, who points out that a disturbing lack of cohesive policy makes security efforts much harder. “There is very little foundation for cloud environments right now,” Pat says, “the best things out there actually come from the vendors (as opposed to internal), but each vendor has different kinds of priorities. This makes it hard to determine what the threats are, as well as identifying what you don’t know about this environment.” Pat mentions that although external hacking gets the lion’s share of media attention, sometimes the problems come from more day-to-day maintenance activities. “Every time there is an update to your operating system, and you are running software, they can change your actual security configurations. You have to be constantly going back and reviewing what’s going on, and scanning your systems, and seeing what vulnerabilities that previously had been closed have been reopened again; and that is a constant battle.”
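Pat’s point about updates silently reopening closed issues is the classic configuration-drift problem, and the same check also gives “trust but verify” something concrete to act on. The script below is an added illustration, not code from the article, from (ISC)² or from any vendor: it compares a hardened baseline against a snapshot taken after an update and reports every setting that reverted, disappeared, or appeared without ever being baselined, plus any scan findings that were closed earlier and are now back. All setting names, values and finding identifiers are constructed sample data.

```python
"""Configuration drift check after an OS or software update.

Compares an approved security baseline with a fresh snapshot and reports
regressions, and re-checks an earlier list of closed findings against a new
scan. Every value below is constructed sample data for illustration.
"""

from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Constructed baseline: the state signed off after the last hardening pass.
BASELINE: Dict[str, str] = {
    "ssh.password_authentication": "no",
    "ssh.permit_root_login": "no",
    "tls.min_version": "1.2",
    "firewall.default_inbound": "deny",
    "storage.public_read": "false",
    "audit.logging": "enabled",
}

# Constructed snapshot after an update: two settings quietly reverted and a
# new setting appeared that the baseline has never covered.
AFTER_UPDATE: Dict[str, str] = {
    "ssh.password_authentication": "yes",     # reverted by a package upgrade
    "ssh.permit_root_login": "no",
    "tls.min_version": "1.2",
    "firewall.default_inbound": "deny",
    "storage.public_read": "true",            # reverted by a provider-side change
    "audit.logging": "enabled",
    "metrics.agent.remote_debug": "enabled",  # not in the baseline: needs review
}

# Constructed scan results: finding IDs closed last time versus reported now.
CLOSED_LAST_SCAN = {"weak-ssh-auth", "public-bucket", "old-tls"}
CURRENT_SCAN = {"weak-ssh-auth", "public-bucket", "debug-port-open"}


@dataclass(frozen=True)
class Drift:
    setting: str
    expected: Optional[str]  # None when the baseline never covered the setting
    actual: Optional[str]    # None when the setting vanished from the host
    kind: str                # "reverted", "missing" or "unbaselined"


def find_drift(baseline: Dict[str, str], current: Dict[str, str]) -> List[Drift]:
    """Return every difference between the baseline and the current snapshot.

    A setting is 'reverted' when its value changed, 'missing' when it is no
    longer present, and 'unbaselined' when it exists but was never approved.
    The result is sorted by setting name so reports are stable across runs.
    """
    drifts: List[Drift] = []
    for key, expected in baseline.items():
        if key not in current:
            drifts.append(Drift(key, expected, None, "missing"))
        elif current[key] != expected:
            drifts.append(Drift(key, expected, current[key], "reverted"))
    for key, actual in current.items():
        if key not in baseline:
            drifts.append(Drift(key, None, actual, "unbaselined"))
    return sorted(drifts, key=lambda d: d.setting)


def reopened_findings(previously_closed: Iterable[str], current_scan: Iterable[str]) -> List[str]:
    """Findings that were closed in an earlier scan but a new scan reports again."""
    return sorted(set(previously_closed) & set(current_scan))


if __name__ == "__main__":
    for d in find_drift(BASELINE, AFTER_UPDATE):
        print(f"{d.kind:12} {d.setting}: expected={d.expected!r} actual={d.actual!r}")
    for finding in reopened_findings(CLOSED_LAST_SCAN, CURRENT_SCAN):
        print(f"reopened     {finding}")
```

The "unbaselined" category matters as much as the reverts: an update that adds a setting nobody approved is exactly the gap Pat describes, where nobody knows what they do not know about the environment. In practice the baseline is checked into version control and the snapshot is produced by whatever configuration tooling the platform already offers; the comparison logic stays the same.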


Pat’s main recommendations for striving toward a more secure cloud-connected IT system are a common nomenclature and a wider vision. “In the CCSP training class, I found it highly beneficial to address the naming conventions of how we talk about the cloud-based environments,” Pat says. “You have to understand all those terms and work them through your head in order to have meaningful conversations.” In addition, there is a need for a defined set of policies, and dependable and thorough processes. For example, when an organization performs an internal audit, they should not simply audit the outcomes of a system’s configuration, but rather they should also audit the process to make sure that people are doing things in a way that consistently reaches management’s expected outcomes. Once again, this means understanding the actions of people, along with the technology.


Compounding the challenges for organizations and their security specialists is convergence, says David Shearer, CEO of (ISC)². People often see expansion, in terms of the increasing numbers of devices and technologies connecting to the global Internet. But at the same time, there is “convergence of literally every engineering discipline on the planet, such as mechanical, electrical, software, biomedical, and chemical,” resulting in a cross-pollination of protocols and systems through which abuse and contagion have the potential to run rampant.

All three experts agree that the establishment of a common lexicon and culture of clear, proactive communications, paired with both mechanical and corporate awareness, is essential for helping to maintain secure systems, both locally and globally. This commonality and vision must be embraced throughout all managerial levels, reaching right to the top.

For more on the CCSP certification from (ISC)² please visit their website. Sponsored by (ISC)².

By Steve Prentice


Steve Prentice is a project manager, writer, speaker and expert on productivity in the workplace, specifically the juncture where people and technology intersect. He is a senior writer for CloudTweaks.

