Nowadays, you don’t have to be a security expert to recognise just how much the threat landscape has evolved in the last ten years – you only have to read the all-too-frequent headlines about the latest data breach.
2014 saw significant change in the IT security industry – the cloud became real as large enterprises furthered adoption. Changes in infrastructure environments require changes in how organisations protect against threats. CIOs are now shifting their focus from preventing a breach to accepting that one will happen, which means fast detection, analytics and identifying vulnerabilities before they are exploited.
Here are the dominant trends that are shaping cloud security for the next few years.
1. Security designed for the cloud – using the DevOps model
We spoke to some of the largest enterprises in the world about how their software development lifecycle model is changing. Even if they don’t mention the word DevOps, most of them describe a process of continuous delivery that automates everything from the development of the code through testing and quality assurance to production.
However, most of the security technologies available today do not operate in this fashion. What we often see in cloud environments is that the security teams are not included in the automation discussions or in the planning process, so security is left as a ‘bolt-on’ at the end of the process, often stalling or slowing down the delivery model.
This often means that the application and its underlying data are pushed into production with unaddressed security and compliance risks. Legacy security tools are not cloud-ready, do not have the necessary levels of automation enabled, and lack integration with cloud providers’ environments. The way organisations do security is no longer aligned with the way they conduct cloud development. For security to be effective in the cloud, it has to be scalable, on-demand and self-provisioned, with strong API integrations that enable automation as part of the continuous delivery cycle.
Companies should be demanding security solutions that are specifically designed for the cloud, programmable and highly automated, and able to deploy and auto-scale with minimal effort.
2. Big data security analytics
Legacy security technologies have been used for years, but when you are deploying applications into a cloud environment, those tools are no longer adequate to collect, analyse and identify cloud security related incidents. Traditional SIEM products collect security log data, but they are complex, expensive and difficult to manage, and security teams have often been left to find the threat ‘needle’ in the proverbial haystack.
How do you extract just the right points of evidence to let you know that there has been an incident, and turn it into actionable intelligence? From a forensic perspective, let’s say you have a security breach in your enterprise – you have to reconstruct what happened and try to understand and trace every single footprint that the attacker has left behind, acknowledging that at some point they were able to obtain privileges and look like normal users. It’s very apparent that machine data is incredibly valuable for carrying out security analytics. You have to be able to ingest petabytes of security data and make actionable decisions on what it is telling you.
However, conducting big data security analytics is not sufficient on its own; we have to be able to incorporate threat intelligence which, in turn, has to be specifically tuned for cloud environments. Integration between cloud and security providers is crucial. Not only do these cloud security technologies have to be built from the ground up, but the cloud provider has to share enough access to its underlying infrastructure with security providers for these things to work.
3. Cloud threat intelligence
Threat intelligence, one of the most active fields of research in security today, includes context, indicators of compromise, actionable data about malicious actors and the identification of further threats with high fidelity. Threat intelligence augments security analytics both pre- and post-compromise by providing insight into malicious IPs, domains, URLs, new attack models, tools and techniques.
When hackers compromise a system they leave traces and indicators behind – evidence that there has been a compromise. This is where threat intelligence comes in. When you are processing large amounts of big data security analytics, having access to more indicators and context of compromise, and knowing where to look and what to look for, is really important. However, cloud threat intelligence is only just starting to emerge, and there is a specific reason for that: cloud is still not the dominant form of IT, although it will continue to grow over the next few years.
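The article describes threat intelligence as context and indicators (malicious IPs, domains, URLs) that tell analytics where to look. The following is an added example, not code from the article or from Alert Logic, showing how a constructed indicator feed is matched against a handful of constructed log lines to turn raw events into hits that carry context. The log format, the feed contents and the addresses (documentation ranges and reserved `.example` names) are all assumptions made for this example; a real deployment would load the feed from a provider and parse the actual log source.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Constructed threat-intelligence feed used for this example only. The values
# are documentation/reserved addresses and names, not real indicators.
INDICATORS: Dict[str, Dict[str, str]] = {
    "ip": {
        "203.0.113.0/24": "constructed: scanning infrastructure",
        "198.51.100.7": "constructed: command-and-control host",
    },
    "domain": {
        "malicious.example": "constructed: credential phishing domain",
    },
    "url": {
        "http://bad.example/payload.bin": "constructed: malware download",
    },
}

# Constructed key=value event format (hypothetical, not any vendor's log layout).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) host=(?P<host>\S+) url=(?P<url>\S+) status=(?P<status>\d+)$"
)

# Constructed sample events: one clean request, one scanner, one phishing
# redirect, one download from a known-bad host, and one unparseable line.
SAMPLE_LOGS = [
    "2015-01-10T10:00:01Z src=192.0.2.10 host=app.example.com url=http://app.example.com/login status=200",
    "2015-01-10T10:00:05Z src=203.0.113.44 host=app.example.com url=http://app.example.com/admin status=403",
    "2015-01-10T10:01:12Z src=192.0.2.10 host=malicious.example url=http://malicious.example/verify status=302",
    "2015-01-10T10:02:40Z src=198.51.100.7 host=bad.example url=http://bad.example/payload.bin status=200",
    "garbage line that does not parse",
]


@dataclass(frozen=True)
class Match:
    ts: str
    src: str
    kind: str         # "ip", "domain" or "url"
    indicator: str    # the indicator that fired
    description: str  # context from the feed; this is what makes the hit actionable


def _networks(ip_indicators: Dict[str, str]):
    """Parse IP indicators into (network, description) pairs; bare IPs become /32 or /128."""
    return [(ipaddress.ip_network(k, strict=False), v) for k, v in ip_indicators.items()]


def match_line(line: str, indicators: Dict[str, Dict[str, str]] = INDICATORS) -> List[Match]:
    """Return every indicator hit for one log line; unparseable lines yield no hits."""
    m = LOG_RE.match(line)
    if not m:
        return []
    ev = m.groupdict()
    hits: List[Match] = []
    try:
        src = ipaddress.ip_address(ev["src"])
    except ValueError:
        src = None
    if src is not None:
        for net, desc in _networks(indicators["ip"]):
            if src in net:  # ip_network handles the v4/v6 mismatch by returning False
                hits.append(Match(ev["ts"], ev["src"], "ip", str(net), desc))
    host = ev["host"].lower()
    for dom, desc in indicators["domain"].items():
        # exact match or any subdomain of a listed domain
        if host == dom or host.endswith("." + dom):
            hits.append(Match(ev["ts"], ev["src"], "domain", dom, desc))
    url_desc = indicators["url"].get(ev["url"])
    if url_desc:
        hits.append(Match(ev["ts"], ev["src"], "url", ev["url"], url_desc))
    return hits


def enrich(lines: Iterable[str], indicators: Dict[str, Dict[str, str]] = INDICATORS) -> List[Match]:
    """Run the indicator match over a stream of log lines."""
    return [h for line in lines for h in match_line(line, indicators)]


def by_source(matches: Iterable[Match]) -> Dict[str, int]:
    """Count hits per source address: a first cut at 'where to look'."""
    counts: Dict[str, int] = {}
    for h in matches:
        counts[h.src] = counts.get(h.src, 0) + 1
    return counts


if __name__ == "__main__":
    hits = enrich(SAMPLE_LOGS)
    for h in hits:
        print(f"{h.ts} src={h.src} [{h.kind}] {h.indicator}: {h.description}")
    print(by_source(hits))
```

Each hit carries the feed's description alongside the event, so an analyst sees not just that an address matched but why it is listed; the per-source count is the kind of aggregation that narrows petabytes of machine data down to the handful of sources worth reconstructing first.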
In the next couple of years we will see some companies remain firmly in on-premises environments, but increasingly more will focus on the cloud. We will see cloud service providers – such as Rackspace, Amazon, Google, Microsoft and so on – integrate threat intelligence feeds to protect their customers, drastically improving the security industry’s ability to understand the threat landscape and enrich the cloud incidents we collect and analyse. Fundamentally, the threats in the cloud are different; the initial entry methods are different; the way a cloud environment is attacked is very different – therefore threat intelligence has to be different too.
In the long term, security has to be designed and specially developed for the cloud and genuinely support cloud operations, including the way that cloud applications are being built and delivered today.
Cloud computing has driven us into a new era of data security, not only in terms of the challenges and risks associated with cybercrime, but also the tools available to protect both data and IT infrastructure, wherever it is located. How we create and deliver applications, how we log and analyse security incidents at scale, how we derive context and deep threat intelligence, and how the security industry and customers start to share cloud threat intelligence is going to drive the security market focus for the next few years.
Sourced from David Howorth, VP EMEA, Alert Logic