Boston startup SessionM doesn't just use cloud computing to deliver its product, a mobile-marketing software platform -- it taps the cloud for its own IT operations.
That's why, as the company searches for a new kind of IT professional -- the role it's designing is called chief cloud security officer -- it's looking for someone who has a firm grasp of traditional IT security, is well-versed in cloud computing, understands what the risks are and how to mitigate them, knows various security frameworks and can safely guide customers as they transition from traditional IT to the cloud.
Having an executive on staff with such knowledge and experience shows customers SessionM is serious about cloud provider security, said co-founder and CTO Scott Weller. It shows "we're anticipating or responding to the new threats as they may emerge because of the vectors that get opened up from this cloud-based environment."
As more companies move more pieces of their IT operations to the cloud -- and data breaches get bigger and more press -- cloud providers are starting to put a sharper focus on the security of their offerings.
Enter the chief cloud security officer -- or something like that. The title isn't yet standard, but essentially it's a cloud provider executive who builds security enforcements into cloud services and then, ideally, communicates security plans with customers. CIOs looking to take advantage of the cloud -- and who isn't today? -- have a lot to gain from working with one, said Candy Alexander, a former CISO and independent consultant.
"The value would be offering some level of comfort or trust -- knowing that the cloud provider has made the investment of securing the service with an expert who is focused on just that," she said.
A new cloud job offering
Cloud computing is giving rise to jobs that never before existed. Architects are needed to develop a cloud strategy, developers to build and deploy cloud applications and product managers to determine which cloud services are a good fit.
The position of chief cloud security officer began taking shape over the last two or three years, Alexander said, as public cloud providers such as Amazon Web Services and Microsoft started treating security as part of their service packages.
Duties include examining security standards as laid out in U.S. and global standards bodies -- the National Institute of Standards and Technology, for example, and the International Organization for Standardization -- and then building in the mandatory security safeguards, such as network firewalls and data access controls.
With an individual in charge of ensuring cloud services are secure, providers could then show customers -- many of them in regulated industries like healthcare and financial services -- how the security and privacy of their data was being protected.
In the cards
But it was just the big vendors with such a position, Alexander said. Until recently, smaller providers -- startups offering software as a service, for example -- have been "running so fast and not able to really even catch up to their growth," she said, so they focused almost exclusively on service architecture and delivery. Security, as they saw it, was the customer's responsibility.
"It's been a very difficult conversation where cloud providers are saying, 'No, we're backing away. You own everything,'" Alexander said.
But with data breaches happening on an almost daily basis, regulatory agencies are paying more attention to how closely companies comply with their requirements. One example is the Payment Card Industry Security Standards Council's Data Security Standard, or PCI DSS. Companies that process, store or transmit cardholder information must implement the framework.
"PCI is pushing back on their processors, which are pushing back on the financial institutions, which are pushing back on the merchants," Alexander said. "The merchants therefore are pushing back on their cloud providers."
As a result, providers that hadn't previously invested a whole lot in security are now coming around to cloud provider security, she said.
In pursuing a chief cloud security officer, SessionM is following in the footsteps of cloud "enablers" Amazon and Microsoft.
"They are enablers at providing the core infrastructure," Weller said. "But we are also an enabler in the sense that we're giving a reason to our customers to leverage the cloud faster, easier, better through the lens of our application stack."
SessionM's software helps companies gather information on their customers' "behaviors" -- what they click on, what they purchase, how they make contact. It then syncs that information with the profiles it keeps on those customers and sends them personalized marketing messages.
Dealing with all that data requires someone who knows traditional IT security issues: "Is it PII? Is it not PII? What data should go into the cloud? What data should stay out?" Weller said, referring to personally identifiable information. The successful candidate needs to know how companies can safely and securely move their information "out of bare metal."
A chief cloud security officer will also figure out how new technologies fit into the cloud security cosmos, Weller said. He gave the example of AWS Lambda, the cloud service that runs code automatically in response to "events" such as clicks on a website.
"Are there any security concerns there?" Weller said. "Some would argue that Lambda actually makes you a bit more secure -- but maybe that's not true, and that's why we need an expert to live and breathe those requirements every single day and help guide the organization."
A more secure cloud future?
Alexander said CIOs would do well to find a cloud provider with a chief cloud security officer, but certainly not all have one. The better approach is to take in the bigger picture.
"It's important to look at service offerings from an architectural perspective, the service-level agreements and the contracts to ensure security is included," she said. "Look to ensure that the cloud provider is very clear as to what their security strategy for the service is. If they can't articulate it clearly, it's because they don't understand it. If they don't understand it, then you certainly won't either."
Eventually, Alexander said, cloud providers big and small should be able to sit down with their customers and enumerate which areas of security they will take responsibility for and which areas the customer will -- for example, under PCI DSS, the cloud provider must secure the network between it and the customer, while the customer has to secure its internal networks.
"It is important to get down to that level of granularity, because if something goes wrong, you'll want to know the details," she said.
Currently, the big providers do that for their big accounts but not for all customers; the rest have little choice but to dig and figure out who's in charge of what, Alexander said. Providers are taking steps in the right direction, though. Just last week, Microsoft released information on how it's securing its cloud email and productivity software Office 365.
Over time, Alexander said, more small providers will follow suit, focusing on and articulating how they will provide security to their customers, because expectations are growing that they will. And some will indeed put a chief cloud security officer or similar strategist in place -- and once they do, that role could very well gain a C-level acronym.
"The role may be called a CCSO or even a chief security architect, but the important thing is that they have someone," she said.
To find out about the skills someone in this new cloud provider security job needs to have, read this SearchCIO report.