Pete Nicoletti, Field CISO – Americas, Check Point Software.
What will the future of cloud security look like? The crystal ball is cloudy when looking beyond a few years from now, but we can anticipate near-term trends! There are three big trends that will shape what lies ahead.
However, preparing for what lies ahead requires strong mastery of fundamentals, which will allow you to stop repeating the same mistakes again and again.
Before we delve into the three big trends, let’s discuss how to protect your organization from the most common cloud security risks today – which will be absolutely critical as new risks appear and current ones evolve.
First: How to strengthen your current cloud infrastructure and prepare for tomorrow:
Many companies continue to repeat cloud security mistakes over and over, as if they were living through Groundhog Day. To break this pattern of making mistakes, you need to have awareness of the modern cloud security landscape and address issues with a solid strategy.
As your company builds out applications, you need to understand whether they provide an entry point for threat actors and where that software lives. For example, when we have fast-moving zero-days or other vulnerabilities, such as Log4j, you need to ask yourself: “Am I using software that makes us vulnerable to a new exploit? Where is this software used in our infrastructure? Do we have an SBOM (Software Bill of Materials) for each cloud project? How do we quickly remediate this risk or implement a compensating control if attacked?”
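The questions above can be answered mechanically once every project publishes an SBOM. The following is an added example, not code from the article or from Check Point: it walks CycloneDX-style JSON SBOMs and reports, per project, whether a named component is absent, vulnerable, patched, or cannot be assessed because no SBOM exists. The project names, SBOM contents and the fixed-in version are constructed for illustration.

```python
import json
import re

# Constructed inventory and CycloneDX-shaped SBOMs; all names are hypothetical.
PROJECTS = ["billing-api", "report-worker", "web-frontend", "legacy-batch"]
LOG4J = {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core"}
SBOMS = {
    "billing-api": json.dumps({"bomFormat": "CycloneDX", "components": [
        dict(LOG4J, version="2.14.1")]}),
    # Library bundled inside another artifact, so it appears as a nested component.
    "report-worker": json.dumps({"bomFormat": "CycloneDX", "components": [
        {"type": "application", "name": "report-bundle", "version": "1.0",
         "components": [dict(LOG4J, version="2.17.1")]}]}),
    "web-frontend": json.dumps({"bomFormat": "CycloneDX", "components": [
        {"type": "library", "name": "left-pad", "version": "1.3.0"}]}),
}

def version_key(version):
    """'2.14.1' -> (2, 14, 1, 0); only the leading digits of each part count."""
    nums = [int(m.group()) if (m := re.match(r"\d+", p)) else 0
            for p in version.split(".")]
    return tuple((nums + [0, 0, 0, 0])[:4])

def walk(components):
    """Yield every component, descending into nested 'components' arrays."""
    for comp in components:
        yield comp
        yield from walk(comp.get("components", []))

def exposure(projects, sboms, name, fixed_in):
    """Map each project to no-sbom / absent / vulnerable / patched."""
    report = {}
    for project in projects:
        if project not in sboms:
            report[project] = "no-sbom"  # exposure unknown: a finding in itself
            continue
        bom = json.loads(sboms[project])
        versions = [c.get("version", "0") for c in walk(bom.get("components", []))
                    if c.get("name") == name]
        if not versions:
            report[project] = "absent"
        elif any(version_key(v) < version_key(fixed_in) for v in versions):
            report[project] = "vulnerable"
        else:
            report[project] = "patched"
    return report

if __name__ == "__main__":
    # fixed_in is a constructed threshold; take the real one from the advisory.
    for project, status in exposure(PROJECTS, SBOMS, "log4j-core", "2.17.1").items():
        print(f"{project:15} {status}")
```

A component with no recorded version is treated as vulnerable, and a project with no SBOM is reported separately so it is not mistaken for a clean result.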
So many organizations, large and small, have trouble getting their heads and hands around all of their cloud instances and all of the different services that they’re using.
And it’s not just about implementing a specific new product category, such as security posture management. It’s about wanting to understand: do we have hundreds, thousands, or millions of containers? Do we have serverless deployments? Are we using different accounts? Do we have good segregation between how we archive and back up information and how we manage assets? It’s critical to have this overall awareness and visibility while maintaining consistent hygiene and consistent versioning.
Many risks go beyond being cloud-specific. For example, there are risks associated with using third-party and fourth-party vendors, and sophisticated hacker groups are going to attack the cloud providers directly or perform cloud hopping attacks.
To protect your organization from cloud security risks, it’s important to return to the basics: implement good security hygiene, update your software, patch everything, train your workforce, have a sufficient number of employees, and implement security and compliance automation. Finally, don’t forget to architect things with the right amount of redundancy and availability zones and ensure your backups are in place and working – those all come into play.
Three big trends that will define the future of cloud security:
First, blockchain will have a fundamental role in how we bring back a high level of assurance in ownership and responsibility. For example, blockchain-based smart contracts can govern your relationship with your different cloud providers. If a provider’s service goes down or there’s a problem, an SLA exception will automatically credit you – it’s in the smart contract. The business arrangement can be preordained there. Blockchain is not just used for cryptocurrency; here it addresses that fundamental relationship and the responsibilities related to your important infrastructure. Cloud and blockchain together are how we’ll do cyber security correctly and return control to individuals and organizations that want it.
Second, privacy will play a critical role in cloud security. The world, led by the EU, is enforcing privacy, which should be at the center of our world. For example, we always need to use encryption appropriately and deploy it for every bit of PII or proprietary information. This requires an understanding of encryption overhead, key management, and all of the different locations of data within the layered model of cloud, so that organizations can effectively deploy encryption and data protection.
Third, quantum computing will be the next big trend that will have a world-changing effect on cloud security and all of our current encryption algorithms. The Cloud Security Alliance (CSA) estimates that a quantum computer will be able to break present-day cyber security infrastructure on April 14, 2030. All modern algorithms used for global public key infrastructure are vulnerable to quantum attacks.
In a post-quantum world, organizations will need to adopt quantum-resistant cryptography by utilizing public key algorithms that are resistant to quantum computing attacks. For more information on this, read CSA’s guide.
How can new companies securely transition to the cloud?
If you’re a new company that wants to transition to the cloud, here are some recommendations:
First, utilize the Cloud Controls Matrix from Cloud Security Alliance (CSA). It provides a very good framework for understanding the overall governance of the organization. It also teaches you how to think about these problems in terms of the different layers of the applications, or down into the plumbing and technologies of your organization, as well as mapping that to other security standards that you’re using.
It’s also a good framework that will help you assess your organization’s goals and risks. It provides insight into the shared responsibility model, as the typical large organization is using multiple major cloud infrastructure providers in addition to thousands of SaaS applications. You must understand your responsibility and the Cloud/SaaS providers’ responsibilities to ensure complete coverage.
Second, train your workforce for specific providers’ tools and capabilities so that they can understand how they handle serverless functions, storage, network functions, and more.
Have your workforce obtain CSA’s Certificate of Cloud Security Knowledge (CCSK) and a Certificate of Cloud Auditing Knowledge (CCAK) so that they’ll have a thorough, vendor-neutral view of cloud technology and use the same language when discussing your cloud journey.
Third, implement zero trust not as a specific technology or architecture, but as a philosophy of least privilege and no implicit trust of anything. Go through high-priority business access issues in the cloud and look at how to ensure appropriate levels of access to resources only by appropriate individuals who all have a Zero Trust perspective.
The cloud will continue to evolve, but so will threat actors. To prepare, you need to understand history, partner with the leading providers, properly train your workforce and understand the next big trends.
For more insights from Pete Nicoletti, please see CyberTalk.org’s past coverage.