In a pandemic-ridden 2020, a series of high-profile cloud data breaches put organizations on high alert. As organizations brace for long-term remote work, threats to cloud infrastructure and containers will grow. Here, Jeremy Snyder, Senior Director of Corporate Development at Rapid7, shares four key predictions for cloud security and how IT can better protect current and future cloud environments.Â
Looking ahead at cloud trends for 2021 and beyond, the clearest forecast experts can make is that cloud security will continue to be a pressing issue for years to come. With the public cloud marketOpens a new window growing by more than 18% a year and cloud-related data breachesOpens a new window continuing to proliferate, Forrester is projecting a two-fold increase in cloud security spendOpens a new window from 2018 through 2023.Â Â Â Â
Less clear is what will change inside the cloud security space â€“ what challenges will take priority and how users will execute their security strategies. The cloud is only about a decade and a half old, and it’s encountered some shifts from year to year. What’s on the horizon for the next few years?Â
Here are four predictions to watch: Â
1. Containers Will Help Security Teams Adopt a More Central Role in IT
Over the past five years, Kubernetes has emerged as the de facto orchestration systemOpens a new window , used by more than 90% of the organizations that create containerized applications. While it dominated from day one in staging and development environments, it took a few years to get going in production environments. This forced groups to use containers to set up separate security programs to protect individual environments.
That’s starting to change. As containers move further into production in the next few years, engineers will begin using Kubernetes and deploying directly to Kubernetes for computing functions rather than just deploying directly to the cloud.Â
This will allow security teams to move back to a more centralized role rather than just stay on the sidelines. IT organizations will be able to provide reference designs and approved, secure architectures for Kubernetes clusters that the engineering teams use to deploy their applications. In addition, security automation will allow both teams to monitor for change, drift, anomalies, and continuous compliance to policy. This will shift the pendulum back a little â€“ not to the centralized management control position security used to occupy before cloud took hold, but to a point where it plays a bigger role inside IT from a production workload perspective.
2. Cloud-Based Identity Will Become a Bigger Priority on CSOs’ Agendas
As cloud adoption continues, organizations’ use of cloud applications is maturing. Organizations are moving beyond pilot projects and departmental cloud initiatives to embrace the next stage in the process: optimizing their approach to using cloud infrastructure and making it more secure. This requires more sophisticated identity management strategies to ensure the right people and resources have access to the right cloud privileges for the right reasons and at the right times.
In the next few years, identity will be a big area of focus for organizations. It is the new perimeter â€“ for cloud infrastructure.Â
Gartner acknowledged the need for more advanced privileging strategies by including a new category â€“ Cloud Infrastructure Entitlements Management (CIEM) â€“ in its Hype Cycle for Cloud SecurityOpens a new window for the first time this year. Gartner defines CIEM as specialized identity-centric solutions focused on managing cloud access risk via continuous administrative controls for managing entitlements and data governance in hybrid and multi-cloud IaaS architectures. CIEMs often rely on analytics, machine learning (ML), and advanced statistical techniques to detect anomalies in account entitlements. Expect organizations to wrestle with identity-related challenges and turn to CIEM strategies to provide more advanced cloud security.
3. Cloud Helps To Break Down Walls Between Developers and Security
A half-decade after DevSecOps â€“ the act of shifting security responsibilities â€œleftâ€ within an organization â€“ emerged as a new concept, 40% of all software projectsOpens a new window claim to be following these practices. Gartner expects adoption to more than double by 2022. We agree. Organizations’ goals of upgrading security and streamlining overall efficiencies will push them to change procedures and realign reporting responsibilities.
This will not only lead to productivity improvements â€“ it will promote a whole new collaborative relationship between developers and security personnel. It will remove many of the tensions that arose when applications shifted between environments that operated with different sets of security controls, such as moving from staging into production.
Business requirements and an increasingly competitive landscape will dictate that organizations need to let engineers innovate more freely, with less ongoing oversight. But the increasing volumes of data collected will also make it vital that data security is constantly evaluated and enforced.Â Â
The software-defined nature of the cloud, removing antiquated hardware controls and making it simple to replicate production and non-production environments, provides the perfect opportunity to bring engineering and security teams together to collaborate on controls. Controls will be designed by security and implemented by developers as part of a consolidated build pipeline that includes both application and infrastructure code. The environments will then be verified during a launch inspection step and monitored continuously by specialized software to verify and enforce that required controls are still in place.Â
By 2022, Gartner predicts, 90% of all development projects will include DevSecOps functions in their DNA. The processes will become â€œtable stakesâ€ for development projects, and the tensions that resulted from projects moving between phases will become a thing of the past.
Learn More: Role of DevOps in Cloud Security Adoption
4. Organizations Will Approach Cloud Security From a More Holistic Perspective
Over the years, security teams have added layers of protection as the larger business added new types of resources in the cloud. They established plans and purchased tools to secure containers, virtual machines, serverless functions, the underlying infrastructure, and the code itself. Weaving together all of these disparate elements made it hard to service them as part of one cohesive security strategy.
We’re going to see a shift in focus to a more holistic view of security. Rather than concentrating on securing each element, organizations will start looking at what really matters: determining whether the applications themselves are secure. The conversation will shift toward securing an application holistically â€“ ensuring its security health from the code build through to operations, and from the infrastructure to the application, to identity and vulnerabilities. Each application would be viewed through a single lens, getting assigned a composite score to ensure that that particular application is secure.
Today, cloud security is performed in a scattershot manner. It’s like bringing your car to the shop and having different people look at the tires, the engine, the braking system, and the fender. As a customer, you’re concerned about the whole car: Is it in good shape? Cloud-centric organizations are concerned about applications and the data collected: Is it all secure?
As organizations mature their use of the cloud, they explore and adopt new services and configure applications in new and innovative ways. As cloud maturity becomes the industry norm, bad actors will also evolve their attacks to probe new breach points. This will require organizations to spend more aggressively on cloud security and act more strategically, adopting best-in-suite approaches to protect mission-critical assets from design and build phases to launch and operate, and from top to bottom in the stack. Expect more moves and consolidation in these areas in the coming years.