Cloud security is no longer relevant?
Peter HJ van Eijk
Secure Cloud Adoption Instructor and Board Advisor. CCSK CCZT and more.
We are seeing big shifts in cloud security education these days, which prompted me to do some research.
When I started doing cloud security education in 2012, we were convinced that cloud computing would eventually dominate as a delivery model in IT. I could fill a full article on how that has or has not become a reality. In any case we thought it would subsume all of IT, and by extension, cloud security would subsume all of cybersecurity. What we learned in cloud security was easily transferable to IT at large, mainly because cloud security is more scalable.
However, the world is no longer as split between cloud and ‘regular’ IT these days. From the traditional data center ‘snowflake’ servers, carefully and individually groomed, we went to hyperconverged infrastructure. From pure cloud we went to containers and Kubernetes, or at least programmable infrastructure. The line between old-school data centers and pure cloud is blurring. And automation rules on both sides.
In the same way the line between cloud security and cybersecurity is blurring. But which of the terms is winning?
Using Google Trends, I analysed the popularity of the search terms ‘cybersecurity’, ‘cyber security’, and ‘cloud security’, worldwide over the past 20 years. Interestingly, there is no search volume for ‘cloudsecurity’. Also, the spaceless term, while still lower in volume than ‘cyber security’, is gaining momentum.
The most interesting trend to me is the search volume of ‘cloud security’ as a fraction of the cyber security terms. As you can see in the diagram, this peaked in 2011 and has fallen since.
A few more observations from the data that are not in the diagram:
What is going on here?
In the early days of my cloud security training, people were often coming to my sessions with the express intent of hearing why cloud is so unsafe that they should not use it. So the search volume for cloud may have been driven by a negative sentiment.
At the same time, cybersecurity had lukewarm attention across IT disciplines. Some say it still does, and that only regulation is driving companies to begin investing significantly in it and to take it more seriously at board level. The data suggests that this accelerated in the 2014-2016 timeframe in particular.
You might think that this is a reaction to growing cloud penetration, which raises awareness of cybersecurity as a whole. After all, cloud spending still only accounts for a minority of total IT spending, and traditional IT already had its risks, even though people were happy to sweep these under the rug.
In conclusion, even though cloud security may be driving cyber security these days, it now falls under its umbrella, instead of the other way round. Cyber security rules, and cloud security is, at best, a name for an important subdiscipline.
While the CCSK (Certificate of Cloud Security Knowledge) and the CSA (Cloud Security Alliance) guidance are more relevant than ever, they no longer have an important monolithic audience that is searching for them.
Cloud security is fragmenting, and as educators we need to adapt to that reality. Let me have your thoughts about where you see the biggest opportunities to make a difference.