More organizations of all sizes are moving their business-critical operations and workloads to the cloud, and as we head 2016, these trends will only to intensify. According to a report from Gartner, public-cloud services will see growth of 13.5% during 2015, and spending on cloud services will continue to increase through 2019. Gartner also found that 80% of IT organizations expect to increase their investments in cloud computing in the years to come. This trend makes it more important than ever for IT organizations to use a cloud-specific security strategy that employs cloud-native solutions—those developed exclusively for cloud environments.
Cloud security requires a different approach than traditional IT security in an on-premises data center environment because it requires in-depth knowledge of certain nuances and challenges that are unique to working in the cloud. Yet many IT managers have yet to fully understand this new reality for securing their cloud infrastructure.
Without a cloud security strategy that is geared toward the unique intricacies of the cloud, your organization risks losing time and money by exposing your deployment to vulnerabilities that can be identified and mitigated with the right tools. After all, one of the biggest drivers behind moving to the cloud is reducing costs and gaining efficiencies of scale. But an uninformed approach to cloud security can jeopardize the gains you anticipate in moving business processes to the cloud. For example, if you simply try to drop an IDS in the midst of your cloud deployments, you risk losing elasticity, breaking things or simply falling short of the target security threshold for maintaining compliance or upholding service requirements.
With that in mind, as we look ahead to 2016, it’s worth taking a closer look at some of the top trends not only in cloud adoption, but in cloud security as well. Here are a few of the top trends that will be impacting organizations’ cloud security efforts in 2016:
Emergence of Serverless Frameworks
One of the most challenging innovations in the cloud in 2016 will be the rise of serverless frameworks. They includes elements like Amazon Web Services’ (AWS) Lambda and the rise of code-PaaS (code-based platforms-as-a-service), in which IT departments will no longer have to manage an operating system or virtual machine.
This is a big change for cloud security strategy, because it means APIs are becoming an additional area of vulnerability for attacks. It’s an area where IT teams are usually unaccustomed to configuring for and defending against these types of threats.
Host- and Network-Based Security Measures Move to the Control Plane
Another aspect of cloud security that differs from traditional data center environments is that security features are moving into the control plane. This change is opening up more opportunities for IT to get information about risks and vulnerabilities as they arise. And instead of presence-based discovery, as is par in a traditional in-line network, a big advantage for cloud security will come in the form of real-time “firehose streams” of updates on network, host and serverless-process events through APIs.
Cloud-Aware Security Solutions Delivered by Incumbents
Cloud security will be delivered by more than innovative startups, because as cloud infrastructure becomes more important to organizations of all sizes, cloud security solutions will have to evolve to keep up. This evolution will happen from cloud security providers of all sizes, including some of the big incumbent players in the IT security industry. For example, multiple vendors are coming to the market with solutions for Windows- and Linux-based workloads in AWS. Other incumbent vendors will see more pressure from customers who need them to support hybrid deployment models that include traditional data centers and AWS.
Whether it’s by acquiring smaller IT vendors or by developing innovative new products, big security players will become more involved with delivering cloud-based security solutions. And if not, they’re going to risk disruption by faster-moving competitors.
Azure and AWS Will Compete on Security Features
Large platform providers like Microsoft Azure and AWS practice a “shared security” model where they focus on securing the platform itself. Within that model, however, these providers will be looking to further enhance the features and security aspects that are the responsibility of customers to help improve their overall cloud security experience. Forrester describes the shared-security model as “an uneven handshake” where customers have a certain level of responsibility for security in a variety of roles, including enterprise integration, governance, architectural views and other areas.
In 2016, look for Azure and AWS to start offering new rich security capabilities via new platform features or third-party products. This effort will create less of an “uneven” handshake as platforms begin to offer greater transparency and new capabilities to support the customer’s security efforts.
Security Becomes Native to CI/CD Pipeline and Tool Set
In cloud infrastructure, especially as more organizations switch to a DevOps style of rapidly developing and deploying applications in the cloud, security should no longer be considered a separate entity from development and deployment. In 2016, cloud security will become more widely integrated and native to the overall process of continuous integration and continuous deployment (CI/CD), with tools like Jenkins being used to verify code and validate security as a standard quality-assurance step.
More vendors are offering DevOps-enabled tools for security testing and monitoring, such as SAST technologies to analyze source code and conditions of an application in a static state from the “inside out” to find security vulnerabilities and DAST technologies to detect possible security vulnerabilities while an application is running. IT security is becoming faster and more agile in the DevOps environment.
Cloud Security Will Accelerate
Attacks on cloud infrastructure are becoming more sophisticated and automated, and this trend is unlikely to abate in 2016; if anything, attacks on the cloud will become even more intense because more organizations are storing more and more valuable data in cloud infrastructure. But the cloud security landscape will reflect the same tension in that “uneven handshake” of shared security responsibilities. According to research from Gartner, “Through 2020, 80% of cloud breaches will be due to customer misconfiguration, mismanaged credentials or insider theft, not cloud provider vulnerabilities.”
IT organizations need to upgrade their security preparations with real-time alerts and response capabilities while also taking a closer look at their in-house operations, internal configurations and employee security training and credentialing.
Cloud security is on the minds of more IT managers than ever before, and as the threats and vulnerabilities become more complex, the solutions and systems for responding to those threats are becoming more agile and integrated into the overall picture of what it means to work in the cloud. Hopefully in 2016, all of these trends will combine to result in stronger and a more adaptable security presence for cloud platforms and IT organizations alike.
About the Author
Tim Prendergast is founder and CEO of Evident.io. Having well over two decades of experience pushing the limits of technology, Tim set out to create the first “next-generation” security company, Evident.io, focused solely on programmatic infrastructures (cloud). He cofounded the company to help others avoid the pain he endured when helping Adobe adopt the cloud at a massive level. After years of building, operating and securing services in AWS, he set out to make security approachable and repeatable for companies of all sizes. Tim’s prior experience includes leading technology teams at Adobe, Ingenuity, Ticketmaster and McAfee. He holds over 15 years of security experience, as well as 8 years of AWS security experience, spending 3 of them defending the Adobe AWS infrastructure from inception to production as an AWS Certified Solutions Architect.