With 2015 underway, there’s a lot of discussion around the rapid evolution of cloud services from providers like Amazon Web Services (AWS), Microsoft, Google, IBM, and many others.
What’s surprising is that we have not seen the same rapid evolution in the enabling technology sectors supporting these platforms – most notably in security. However, 2015 will be a landmark year as security companies fully embrace cloud-centric security strategies enabling more IT organisations to adopt, innovate and better manage the risks confronting their cloud-based infrastructure. Here are six predictions for cloud security in 2015.
1. Security technologies will stop being server-centric and become service-centric
For decades, organisations have become used to the network or the server as the battleground where security wars were waged. This made a lot of sense, as the server was the building block that directly stored critical data, and was relatively static in configuration and persistent in presence. The cloud has really disrupted this “server-centric” concept, creating a world in which servers are disposable containers that are not intended for the legacy functions.
Instead, a new breed of services has surfaced to fill those roles formerly held by the physical server (i.e. file storing, processing, functioning as a database, etc.). What used to be an operating-system function is now an API call to a service that has been abstracted away from the user. The new challenge for security teams is engaging a whole breed of services that are not accessible using the traditional approach (i.e. can’t install software agents, don’t have administrative OS access, or similar challenges).
Security has to shift to accommodate the proliferation of API-driven services in this abstracted cloud model, and leverage those APIs to perform security functions in the same way that developers leverage them to perform compute, storage and database operations.
2. Security controls will migrate closer to the object they protect
Security controls in the data centre often existed in wide-berthed perimeters. Firewalls encircled a broad set of network segments, server farms and storage tiers. Identity frameworks, access policies and network controls dealt with zones as their smallest component, often comprising whole subnets, data centres or even entire organisations. This was primarily because the high cost and complexity of these security mechanisms prohibited granular deployments, and often, technological barriers impeded finer-grained controls.
The cloud redefined the limitation of these traditional environments by building in the micro-perimeterisation of security as a fundamental characteristic. In the cloud, every resource has its own set of security controls: virtual servers have their own dedicated firewall, role access policy, network access rights and more. Files stored in storage services can contain flexible and simple access policies and encryption mechanisms. Users can have powerful identity policies that control and dictate their cloud capabilities.
These microperimeters scope security to the resource level, permitting many resources to co-tenant in the cloud without the fear that wide-sweeping security assumptions will create undesirable risk or danger for the organisation. We’ll see controls continue to migrate down to the resource level, enabling more flexibility and control than we’ve ever had in legacy data centre environments.
3. The incumbent players have to revitalise their portfolios
The security incumbents – McAfee, Symantec, CA and similar behemoths – will have to innovate, acquire or partner to refresh their portfolios to be “cloud ready”. The industry practice of re-packaging legacy technology and re-marketing it to fit the latest trend is not working with the unique challenges and opportunities provided by cloud environments. This is a do-or-die moment for big security incumbent players that could drastically impact the future revenue of these organisations.
4. Security professionals will become key players in DevOps teams
During much of the rapid shift to cloud adoption, information security professionals have, unfortunately, been sitting on the bench. The fundamental challenge has been the lack of time, resources and tooling to provide necessary security transparency and velocity to support high-velocity DevOps organisations. We saw a lot of progress in 2014 around bridging the gap, and we think 2015 is the year that companies reorganise their DevOps and Security practices to be much closer together – also known as the DevSecOps movement. In 2015, we’ll see security become an enabling and differentiating capability for the organisations that adopt it, and the bane of their competition who do not. Keep an eye on the DevSecOps movement.
5. CSPs will provide fundamental components of security with partner ecosystems creating additional value
Cloud Service Providers (CSPs) deliver utility-like technology, without diving into the complexities of extreme specificity. As such, we believe that in 2015, the big CSPs will deliver more fundamental building blocks of security. Rather than build very specific security solutions to solve each customer vertical’s needs, CSPs like AWS will lean heavily on security partners to deliver incremental value on top of the toolkit provided by the platform. This type of partnership ultimately makes customers more secure than they were in their data centre environment.
6. Continuous cloud security monitoring and mitigation will be a must-have for CISOs
Continuous monitoring and mitigation are critical capabilities for organisations as cyber attacks are becoming increasingly sophisticated, automated, targeted and destructive. Organisations must move to automated defenses and mitigations. Otherwise, they’ll continue to be a statistic like those seen in the Verizon DBIR, where attacks achieve their objectives in hours, but defenses fail to detect them for months. CISOs are getting much smarter about their defensive strategies. By equipping security pros with automated tooling that provides transparency, enforcement and even active mitigation, organisations can maintain parity with the present-day attacker capabilities.
Sourced from Tim Prendergast, founder and CEO, Evident.io