Page 77 - Cyber Warnings

Audit and Compliance Skills
Many of the softer skills needed for cloud success stem from the need for organizations to gain
more visibility into hybrid environments that are becoming more complex as SaaS, PaaS, and
IaaS services are cobbled together with each other and private clouds.

Audit rights can be built into a service level agreement (SLA) as a way to make sure the
provider complies with corporate security policies and industry or government regulations. This
is one reason why the ability to develop comprehensive SLAs with service providers is an
increasingly important skill. IT and security teams will need to work together to negotiate terms
that provide maximum protection and visibility into third-party services, to ensure that data,
applications, and other components of your cloud environment are secure and compliant.

In addition to formal audits, security professionals require skills (and tools) for continuously
monitoring compliance and threats across SaaS, PaaS, and IaaS deployments in two key areas:
threats and applications. Starting with threats, it is critical to achieve (or maintain) visibility
into specific threats across these environments so your organization has a full view of attacks.
That visibility needs to extend across endpoint, infrastructure, and network elements in order to
recognize and respond to coordinated, multi-angle attacks.

Second, application security experience with cloud access security brokers (CASBs) will help
security professionals increase visibility into user behavior and user needs across public
cloud service providers.

That said, we see convergence between the need for application visibility, threat visibility, and
data security for SaaS applications, so look for skills that bridge those three areas as you build
an organization for the future. The same need for a blended skill set will increasingly be true as
threat and application needs converge.

Organizations in highly regulated industries also need to devote resources to tracking how third-
party providers handle data and applications to ensure compliance with industry-specific
regulations. The same goes for global players: Requirements around data storage can vary
dramatically by country, requiring in-depth knowledge of local regulations regarding where data
resides and how it is transmitted for any geography in which you do business.

Skills for Hybrid: the New Private Cloud
Security practices for a private cloud deployment – which enables enterprises to keep data and
applications under their control – would seem to be more traditional than public deployments.
But the virtualization technology that is inherent in the private cloud model creates a need for
new security skills beyond those for traditional on-premises environments.

The first is understanding the difference in the infrastructure itself, for example between a
traditional virtual machine and a framework like OpenStack. Second, as organizations explore
software-defined networking (SDN), they see a need for more automation skills, as security
policy must co-exist with the orchestration to fully exploit an SDN environment. Third, the
77 Cyber Warnings E-Magazine November 2016 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide
