At the start of this year, Infosecurity conducted its second State of Cybersecurity Report. This determined 31 distinct trends in cybersecurity that respondents believed were driving the industry.
Following on from the publication of this report, Infosecurity launched a second piece of research, engaging with students, people on work placements and those starting out their careers in cybersecurity to find out how these trends affected them.
Having looked at compliance, this week we turn our attention to the cloud. In our 2018 research this came in as the fifth most popular trend with 21% of responses, while in the 2019 research, it did not make the top five, coming in as the seventh most popular trend. Despite that slide, cloud remains a popular element of cybersecurity, especially with Infrastructure-as-a-Service (IaaS) platforms like Azure and AWS now prevalent.
We asked whether there is enough training and education on how to work with these 'as a service' options. Overall, we received 54 responses, of which 18 were positive and 36 were negative.
The majority of responses were negative, and the reasons given were varied. A combination of factors was cited, including affordability, how essential it is to a job role, personal interest and accessibility. One respondent cited the cost and difficulty “to put together a practice environment within a cloud setting” where 40 contestants have to use the security and compliance portal on Office 365 as a training exercise.
Another claimed that in their education they had “looked at what the cloud is and how it works, however we have not been taught how to use Azure or any other type of cloud services” and “it would have been helpful to have been taught this as I am using it with the job I have just got.”
One respondent said that “there are currently no classes that teach Azure or AWS” and most of the knowledge that they had was through personal research.
They added: “Every company I’ve interviewed with has asked me questions pertaining to Azure, AWS, or other cloud platforms. I believe that there should be more training and education on how to work with these options because these platforms are essential to most businesses and corporations. Understanding how these platforms work is vital to creating a more secure network and infrastructure.”
The training aspect was cited a lot among the negative responses. Respondents cited the availability of “free and paid courses that explain how to operate and integrate with cloud services” while another said that there is plenty of training, but “the problem is that cloud technology is growing at an incredible pace that it is making it challenging for people to train quickly enough.” They cited 160+ services on AWS at a last check, and “no cloud expert can know all of those.”
Another said that a lack of open training regarding cloud was worrying, “as many organizations are adopting cloud to improve their overall margins and responsiveness.”
Perhaps most telling was the comment that if there were more training “we wouldn’t be seeing all these ‘AWS bucket exposed to internet’ breach stories.”
On the positive side, the consensus was that the training is there, but in some cases poorly promoted. One person cited opportunities “advertised within the organization for generic and specialized cloud training” which would suggest there are tiered training levels.
A number of resources were recommended during the research. These included Skillsoft, acloud.guru and Udemy, which offer a combination of tools and courses.
Despite one respondent being positive about the resources available, they did say that “I do not believe that the resources are adequate” as “each entity needs to tailor the training further so it more closely matches up the services it is using as they could be different.” They also said that “users need to have a clear understanding of the capabilities cloud services provide, as well as the risks associated with it.”
With a better level of understanding, the difference between cloud and conventional and legacy solutions can be better assessed, they said, as “cloud should not be a term only used by technical people.”
The consensus seemed to be that there needs to be a much better understanding of how this works and how accessible it is in order for it to be adopted as a business working practice. One respondent said that they had previous experience of AWS, Google Cloud and OpenStack, so they were able to bring that to their role, but “cloud is a huge area so it takes years to understand all aspects of it.” Therefore, they didn’t believe a graduate could take on a day-to-day job without adequate training from the employer.
One comment collected here called “the area of security around cloud computing almost a black art, especially with the area of forensics.” If cybersecurity and IT generally are heading vertically to the cloud, we need to get the next generation prepared and trained to work with this factor, and not thinking that this is something to fear or see as a mystery.