Blog
Why You Need a Technical and Strategic View of Cloud Security
When it comes to cloud security, it’s the Chief Information Security Officer’s (CISO) responsibility to understand the risks of a cloud architecture and develop a strategy for protecting against existing and emerging threats.
And Luis Gonsalves, Head of Security for Banco de Portugal, Portugal’s central bank, arguably has a bigger picture view than most. Not only is he a CISO, but he founded the Portugal Chapter of the Cloud Security Alliance. Gonsalves is also a professor at the Instituto Universitario de Lisboa, and the Portuguese Banking Training Institute and serves as a consultant for other companies.
From this multifaceted vantage point, Gonsalves has observed the evolution of cloud security over the last nine years and how the Certified Cloud Security Professional (CCSP) certification uniquely prepares security practitioners to deal with the current and emerging cloud security issues they face.
The Evolution of Cloud Security
Cloud service providers initially focused on getting their cloud infrastructure up and running, paying minimal attention to security, Gonsalves says. Today, cloud service providers are more mature from a service and a security perspective although organizations adopting the cloud still have a long way to go when it comes to security. Gonsalves sees organizations challenged along two dimensions: technical and strategic.
“On the technical level, the main concern is data breaches—and we’ve seen many high-profile examples” says Gonsalves. “These breaches are the result of inadequate controls and configuration issues, for example, when people deploy the cloud using default parameters.”
Another technical trend, which will only grow in 2020-2021, is the use of the cloud for malicious purposes. Gonsalves says, “I’ve seen extensive use of commercial cloud services to launch cyberattacks, such as denial of service attacks.” A Cloud Service Provider whose services are linked to this type of attack could find their public IP address on blacklists and their customers can experience connectivity issues and possible service downtime.
To make matters worse, attackers are increasingly using Artificial Intelligence (AI) and Machine Learning (ML) to scan internet connected machines and devices for vulnerabilities as well as deliver new weapons that can hijack accounts, impersonate legitimate users to gain access and more. For example, Unisys recently published an article that described how AI and ML is ushering in a new era of cyberattack. The article cited a report from Webroot that found that 86% of those surveyed said they were concerned that hackers will use AI in cyberattacks.
Gonsalves is also seeing more weak multifactor authentication mechanisms. In addition, he has observed growing numbers of developers building cloud-based products using APIs that have not been properly secured. And of course, there’s the ongoing need to adhere to growing numbers of privacy regulations, such as GDPR. “These trends will only escalate and anyone using the cloud or on their adoption journey needs to be aware of them,” says Gonsalves.
From a strategic perspective, Gonsalves observes that many organizations lack an effective security architecture, or vision for security. “That’s one of the biggest challenges I see that creates additional risks for their companies,” notes Gonsalves.
Lack of strategy results in data custody issues, privacy issues, lack of knowledge of where a company’s data resides, as well as lack of visibility over cloud usage in the enterprise. This lack of visibility can lead to the risk data will be unprotected, as well as unexpected costs. For example, when moving to a cloud service provider for initial low capital expenditures, companies might not understand they will be subject to higher ongoing outlays for things like storage, usage, and data transport.
CCSP Enhances Technical and Strategic Skills
As a CISO for Banco de Portugal, Gonsalves addresses technical and strategic challenges in his own organization, as well as when assisting consulting clients. Because of the cybersecurity talent shortage, Gonsalves recruits’ staff with cybersecurity skills and knowledge of the cloud, and then trains them on cloud security, ultimately helping them obtain their CCSP certification.
Gonsalves explains that a specialized cloud credential is essential because the cloud has different security requirements than on-premises solutions. To properly adopt the cloud, organizations must be aware of risks specific to the cloud. For instance, the cloud has the notion of a shared security model. Both the company and its cloud service provider (CSP) have responsibility. This means companies need to be clear on what protections the cloud service provider will provide, and work with their CSP when testing security. As Gonsalves explains, “A shared responsibility model is not a common security model and not everyone is ready for it.”
The CCSP certification is unique because unlike other certifications that focus on technical security, it also gives cybersecurity experts a strategic understanding of cloud governance, risk and data privacy. By offering cloud security staff a strategic perspective, CCSP enables them to better assist their organization on its cloud adoption journey.
Gonsalves says, “The CCSP gives cybersecurity experts higher maturity in cloud adoption and security and enables them to explain the advantages and risks of the cloud model to executives, CFOs and CEOs. That’s the real differentiator. It’s not just a technical certification, it gives participants a big picture technical and strategic vision. I would even recommend CCSP to mid and upper level management, so they understand the cloud environment and everything that orbits around it.”
To learn how CCSP training can help your organization improve your technical and strategic understanding of the cloud, download our newest cloud security risks whitepaper .