Okay, I’m just throwing this one out there because the research is far from complete but I really want to hear what other people think.
As I spend more time flying around meeting with security professionals and talking about the cloud, I find that security teams are generally far less engaged with cloud and virtualization projects than I expected. Large swaths of essential enterprise security are now almost fully managed by the cloud and virtualization teams, with security kept at arm's length at best – if not excluded outright.
I’m not saying security professionals are willfully ignorant or anything, but that, for a variety of reasons, they aren’t engaged and often lack important experience with the technology that’s required to even develop appropriate policies – never mind help with implementation.
To be honest, it isn’t like most security professionals don’t already have full plates, but I do worry that our workforce may lose relevance if it fails to stay up to date on the ongoing technology shifts enabled by virtualization and the cloud. The less involved we are with the growing reliance on these technologies, the less relevant we are to the organization. I already see a ton of security being implemented by DevOps types who, while experts in their fields, often miss some security essentials because security isn’t their primary role.
Not that security has to do everything – that model is long dead. But I fear lack of experience with virtualization and the cloud, and of understanding how fundamentally different those operating models are, could very negatively affect our profession’s ability to accomplish our mission.
6 Replies to “Incomplete Thought: Is the Cloud the Secproasaurus Extinction Event? And Are DevOps the Mammals?”
You’re right … but it’s not the first time.
Of course it’s only IMHO, but I think security people were often kept out of IAM projects because they belong to devops, VoIP infrastructures and applications because they belong to netops (like CCIEs in the Voice realm, even though of course I don’t blame them – it’s an org thing…), and finally virtualization because … well, isn’t security just a checkbox somewhere in the VMware management console?
What do you guys think about it?
Have you had similar experiences?
Best
Marco, really good point. Ain’t on the checklist, ain’t on the audit, ain’t my problem.
chort-
I feel exactly the same way. The “Inflection” post I did a while back echoed exactly that belief (on where skills need to be), although I gave it 10 years before the operational transition really hit.
But man, even as someone barely able to program anymore I’m astounded at the things I can do now with cloud and other APIs.
Rich,
I think this is a valid point. My take on it is that, whether we like it or not, external compliance requirements drive the majority of security initiatives. And seeing that e.g. PCI DSS is still trying to react to internal virtualization gives you an idea of how up to date that is. There is simply no big driver from either of the big compliance reqs yet. Should we be OK with it? Obviously not, and organizations that understand that security needs to be handled like any other business risk are working on setting up cloud usage in a secure way. But as we all know, a lot of organizations ‘don’t get it’, and to be honest a lot of security professionals don’t either.
Marco
I’m a bit unique, since I do enterprise security for a SaaS provider, but our team is very involved on the production operations side. There was a lot of friction at first when the Dev and Ops folks initially tried pushing things out fast and loose, but we’ve come to a much better understanding and our Ops folks are building some fantastic tools that would make corporate enterprise security folks jealous.
On the other hand, we still have the problem of individual teams going out and buying cloud services, which leaves IT and security in the dark.
Regarding the relevance issue, yeah I’d say if you are in security and aren’t learning either forensics/malware/threat intel, or virtualization/APIs/WebAppSec, you’re going to be a dinosaur in 5 years. If you want to do “traditional” security, the easiest transition is probably to learn virtual provisioning/management and API security.
Honestly, if I was hiring right now I’d probably prefer younger, less experienced candidates, because they’d be easier to train on cloud concepts than people with a long IT/Security history.
It is truly a transformational event for multiple departments (not only security). All the processes around the product lifecycle change, including product management, dev, support, and even marketing. Companies who approach this transformation holistically are the ones that yield the most benefit, and there are already enough cases to point to (Netflix, etc.). Can’t wait to read the research, and I think the base can not only include security from the customer side, but you can also compare and contrast from the vendor side. Everyone is leveraging the transformation (or should be, at least).