It used to be that security concerns were the biggest impediments to public cloud adoption. But, in 2017, that will no longer be the case.
Tim Prendergast, CEO at Evident.io, believes it is widely accepted that security in public cloud is strong, shifting the top concern to compliance. Organizations moving to the cloud need to be able to demonstrate that they are doing things in a secure and compliant manner.
“So, whether it is PCI, HIPAA, NIST-800 53 or internal compliance standards, organizations need to be able to demonstrate that they can maintain compliance throughout the fast-pace of change that takes place in the cloud,” he said. To solve this, they will have to turn to security and compliance automation solutions that will help them measure and report with ease, he added.
[ PREDICTIONS FOR 2017: What 2017 has in store for cybersecurity ]
According to Scott Chasin, CEO and co-founder of ProtectWise, security will become a utility, thanks to the cloud. “In 2017 we will see more enterprise security organizations using the cloud to enable better visibility with longer retention and continuous processing of their analytics.”
Delivering enterprise security via the cloud will ultimately start to lower the cost and complexity of the security infrastructure, as those legacy appliance systems are replaced in favor of agile, distributed models, he said.
“There’s a growing call for security to be treated as a fundamentally basic utility where safety can be assumed. The cloud is the key to enabling this, with benefits like storage options, scalability and ease of deployment,” Chasin said.
Bluelock CTO Pat O'Day predicts that when faced with a hardware refresh, more companies will turn to the cloud than to new hardware.
“There’s a lot of churn in the hardware space because of virtualization. Companies are growing tired of having to refresh their IT systems with new hardware every five years. People want to be more mobile, and the cloud is a way to get there. Plus, rapid technology innovation has driven increased competition (think about the rise in artificial intelligence, for example),” O’Day said.
For these reasons, more and more businesses are opting for a model that allows them to harness immediate time-to-value and consistently have the latest technology. With the cloud, now even the smallest companies can compete on the technology front.
IaaS to be exploited
Expect attackers to exploit infrastructure-as-a-service (IaaS) as both an attack platform and attack surface, warned Watchguard’s CTO Corey Nachreiner.
Whether it be software-as-a-service (SaaS) offerings like Office 365, Salesforce, and Dropbox, or public infrastructure-as-a-service (IaaS) platforms like Amazon’s AWS and Microsoft Azure, businesses of all sizes have adopted at least some cloud services over the past five years.
[ JOBS IN 2017: What the infosec jobs sector will look like in 2017 ]
Public IaaS, in particular, is growing quickly even among small businesses. According to RightScale’s 2016 State of the Cloud report, 71 percent of small-to-midsize businesses are running at least one application in AWS or Azure. Unfortunately, as more businesses adopt these platforms, they also become a bigger target for criminal hackers, Nachreiner said.
“In the past, we’ve seen threat actors both infect servers running in public cloud services and, more recently, leverage these robust virtualization platforms to build their attack infrastructure. In 2017, I expect to see attackers increasingly leverage public IaaS both as a potential attack surface and as a powerful platform to build their malware and attack networks. There’ll be at least one headline-generating cyberattack either targeting or launched from a public IaaS service next year,” Nachreiner said.
BigPanda’s security employees don’t quite go along with that thinking, putting out this statement: Customers need to not worry about the security behind cloud providers such as AWS, Azure and Google as these public cloud providers have better security practices than most companies’ internal applications.
Stan Black, CSO at Citrix, wonders if dependency on cloud providers will come back to haunt us. “The recent attack on Dyn is only a small example of what is on the horizon. I expect that major sources of cloud data and access management will be increasingly under attack,” he said.
Businesses will need to carefully review cloud provider contracts to ensure there is a process in place for data and access management throughout the data life cycle. For example, when business with your provider or another contractor is complete, what happens to that data or the contractor’s access to the data? Ask questions like, “How do you manage access? How do you deliver my data and how is it stored?” he added.
Milind Wagle, CIO at Equinix, said multi-cloud needs will keep infosec folks up at night. “2017 will be the year for existing corporate data centers to mature to a diverse combination of on-premises, collocated and cloud-based environments. This is further complicated by the heightened need to have a geographically distributed infrastructure to support a global customer and employee base. Responding to this trend, CIOs and CSOs will be challenged to not only construct the right multi-cloud architecture, but also to distribute, shape, service and secure it on an ongoing basis. The right interconnection strategy to connect to multiple cloud services is the only way to work towards the best cloud and customer experience,” Wagle said.
[ IOT SECURITY IN 2017: Data breaches through wearables put target squarely on IoT in 2017 ]
Glenn Weinstein, co-founder, senior vice president of global services and CISO at Appirio, said 2017 will increasingly see cloud migration as a risk mitigation strategy. Delegating industrial-strength security to major cloud providers such as Amazon and Google will be seen as safer, and more scalable, than continuing to invest in corporate network perimeter defense.
Roy Katmor, co-founder, CEO at enSilo, predicts that enterprise network security will shift to the cloud. Enterprises will be relieved to consolidate the distributed network security burden by redirecting corporate traffic and allowing cloud-based network security services to apply and manage the security policies. Just like other services that moved to the cloud decreased costs for customers, network security as a service will reduce the overhead cost of purchasing and maintaining multiple physical firewalls.
Backup solutions
Appirio's Weinstein continued by saying CISOs will implement measures to minimize security risks posed by desktop and laptop computers by lessening users' dependence on them as storage devices. Workflows will be designed so that users find it easier to save data in the cloud versus their hard drives. More laptop vendors will follow the Chromebook example of treating the user-writeable portion of the hard drive entirely as short-term storage, to be erased between user sessions.
Paul Zeiter, president of Zerto, predicts that backup and disaster recovery (DR) will consolidate. “Customers will be able to get long-term archiving out of their DR solutions, which may render some backup solutions redundant. Many DR solutions, for example, have backup-like features, including point in time recovery, which can even be more granular than traditional backup options, recovering from seconds — not hours – ago. If you can recover data from seconds before an attack, for up to 30 days, why would you defer to a 12-hour old backup? Or in worse cases an even older one?
“Threats are on the increase, whether malicious, accidental or courtesy of Mother Nature, and data protection is an absolute must for business continuity. In 2017, with SLAs increasing, we predict that DR solutions will keep expanding their capabilities further and further into the backup space,” he said.
More predictions
Weinstein says:
- Two-factor authentication (2FA) will become a must-have feature for cloud apps. Vendors will be expected to provide both a native 2FA feature, and SAML-ready integrations to major cloud identity providers such as Okta and ADFS.
- Cloud apps providers will build more native logging and audit features, to help security professionals monitor and control user activity at the source, rather than forcing administrators to intercept the activity en route via third-party tools.
Ben Bernstein, CEO and Co-founder at Twistlock, predicts:
- Cloud-native systems will drive zero trust networks. As more cloud-native applications and systems emerge, perimeter-based security protection will become dreadful.
- A rise to more zero-trust security models where protection becomes cloud-native, traveling with data and applications.