9 Tips to Prepare for the Future of Cloud & Network Security
Cloud and network security analysts outline trends and priorities businesses should keep top of mind as they grow more reliant on cloud.
The transition to the cloud is underway at most organizations. As more people rely on cloud infrastructure and applications, security teams have to rethink several aspects of security, from the structure of their security operations center to software-as-a-service control.
"Cloud is like everything you've used before, except that everything is completely different," said Steve Riley, senior director of research at Gartner, in a session at the 2020 Security and Risk Management Summit, in mid-September. "It's huge, it's dynamic, it's self-service, [and] it exists outside traditional spheres of control."
Discussions of cloud security are often complicated because different people have different ideas of what constitutes cloud computing and what their personal roles and interests are, Riley said. It's incumbent on organizations to focus their attention on aspects of cloud security they can control: identity permissions, data configuration, and sometimes application code. Most cloud security issues that organizations face fall under these three areas.
"The volume of cloud usage is increasing, the sophistication is increasing, the complexity is increasing, [and] the challenge is learning how to better utilize the public cloud," Riley said.
A growing dependence on the cloud will also force businesses to rethink the way they approach network security, said Lawrence Orans, research vice president at Gartner, in a session on the subject. The future of network security is in the cloud, and security teams must keep up.
The changes related to cloud adoption extend to the security operations center, which analysts anticipate will take a different form as more businesses depend on the cloud, adopt cloud security tools, and support fully remote teams. These shifts will demand a change in thinking for security operations teams.
"One thing that we realized after talking to many organizations is that … the jump to the cloud is really more a cultural than a technology leap," said Gorka Sadowski, senior director and analyst at Gartner. "It's really this new normal that is appearing."
In the following pages, we outline insight, trends, and advice from analysts who leveraged their expertise to share how cloud and network security will change in the years to come – and how organizations should respond.
As Riley pointed out, most cloud security questions fall into one of three main categories: cloud risk management, infrastructure-as-a-service (IaaS) security, and software-as-a-service (SaaS) control. IaaS usually falls under the control of developers, who can choose from a small number of providers. Lines of business typically control SaaS and can choose from many more providers.
"Unfortunately, many IT professionals would prefer to ignore the burgeoning SaaS market, even though in most cases it represents a more significant area of computing than does IaaS in private clouds," he said. The sheer size of the SaaS market should concern security teams, who often have no say over which services are adopted or how they're used.
IaaS storage services all allow objects to be shared externally, but their default configuration is not to share. An open bucket, a common security risk, is therefore a customer mistake. SaaS applications are different.
A "surprising number" of SaaS applications not only allow external shares but open them by default, Riley pointed out. There are arguments over whether this is a design flaw or weakness on the part of the user. Default configuration can be modified, he added, but the organization must have the will to do so.
"There's no point in arguing about what the provider's initial default should be," he continued. Your organization will obtain cloud services that may put it at risk, and security teams must be aware of this and act on it. Closing open file shares is the most effective first step in cloud security a business can take, Riley said.
SaaS is the largest form of public cloud and the hardest for businesses to control, making its upkeep "the most significant security challenge" businesses face, Riley said. While most cloud-based applications are resilient to attack, they aren't as controllable as apps running in-house.
Further complicating the problem, most lines of business have an immature idea of how apps should be maintained, he continued. "They think an application is like a statue -- something to be put on a shelf and admired," Riley said. "We know that an application is more like an animal -- a living, breathing thing that requires ongoing care."
SaaS applications require attention throughout the duration of their life cycle. Many organizations don't know which SaaS applications they're using and end up paying more than once for services that are essentially the same. Policy becomes an afterthought, as do implementation plans that require integration with other commonly used business tools.
Non-IT spending on SaaS continues to grow, creating a set of problems that IT will eventually have to handle. For example, the marketing team may want to use a cool, new SaaS application that won't integrate with your enterprise-approved collaboration platform. In cases like these, business and security must meet in the middle and choose a marketing tool that integrates with existing business tools and can be governed by a cloud access security broker (CASB).
Businesses are in a transition away from a reliance on operating systems as their primary computing model and toward a model that lets them focus on applications. Most now have at least one Linux container-based application in development, pilot, or production, Riley said.
"What are the implications? Your cloud security strategy should be adapted to provide consistent visibility and control of workloads, regardless of their forms or lifetimes," he added. Virtual environments raise new security complications, especially in vulnerability management and patching, as well as in network security.
Tools in the cloud security posture management (CSPM) market can assess the posture of the cloud control plane and suggest changes that reduce risk with capabilities that include access management configuration, storage configuration, connectivity, and console control, Riley noted. For large cloud-based workload deployments, CSPM capabilities "should be considered mandatory. They're the mistake capturers," he said.
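The two points above, that an open bucket is a customer mistake the organization should close first, and that CSPM tools earn their keep by catching exactly this kind of control-plane misconfiguration, come down to a check like the one below. It is an added example for this article, not code from Gartner or any cloud provider. It runs offline on constructed inventory records whose fields are shaped after the S3 GetBucketPolicy, GetBucketAcl and GetPublicAccessBlock responses; the bucket names, account ID and role in the sample inventory are made up, and the record layout itself is an assumption of the example, not an AWS format.

```python
"""Flag storage buckets that anyone on the Internet can read.
Added example for this article, not code from Gartner or any cloud provider. It
runs offline on constructed records shaped like the S3 GetBucketPolicy,
GetBucketAcl and GetPublicAccessBlock responses; a CSPM tool makes this kind of
check across the whole control plane."""
import json

# S3 predefined groups that mean "everyone" (AuthenticatedUsers = any AWS account).
PUBLIC_ACL_GROUPS = {"http://acs.amazonaws.com/groups/global/AllUsers",
                     "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")

def _principal_is_everyone(principal):
    """Principal may be "*", {"AWS": "*"} or {"AWS": ["*", ...]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False

def policy_public_actions(policy):
    """Actions an Allow statement grants to everyone. Accepts the raw JSON string
    S3 returns or a parsed dict; None means no policy. Conditions are not
    evaluated, so a grant narrowed by a Condition is still reported."""
    if not policy:
        return set()
    doc = json.loads(policy) if isinstance(policy, str) else policy
    actions = set()
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") == "Allow" and _principal_is_everyone(stmt.get("Principal")):
            acts = stmt.get("Action", [])
            actions.update([acts] if isinstance(acts, str) else acts)
    return actions

def acl_public_permissions(acl):
    """Permissions (READ, WRITE, ...) the bucket ACL grants to a public group."""
    return {g["Permission"] for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("Type") == "Group"
            and g["Grantee"].get("URI") in PUBLIC_ACL_GROUPS}

def public_access_block_complete(pab):
    """True only when all four Block Public Access settings are enabled."""
    return bool(pab) and all(pab.get(k) is True for k in PAB_KEYS)

def effectively_public(record):
    """A grant exposes data only if Block Public Access does not neutralize it:
    RestrictPublicBuckets defuses a public policy, IgnorePublicAcls a public ACL."""
    pab = record.get("PublicAccessBlock") or {}
    policy_open = policy_public_actions(record.get("Policy")) and not pab.get("RestrictPublicBuckets")
    acl_open = acl_public_permissions(record.get("Acl", {})) and not pab.get("IgnorePublicAcls")
    return bool(policy_open or acl_open)

def assess_bucket(record):
    """Findings for one bucket. Neutralized grants are still reported so the grant
    itself gets removed instead of relying on the account-level guard rail."""
    findings = []
    if not public_access_block_complete(record.get("PublicAccessBlock")):
        findings.append("Block Public Access not fully enabled")
    if acts := policy_public_actions(record.get("Policy")):
        findings.append("policy grants everyone: " + ", ".join(sorted(acts)))
    if perms := acl_public_permissions(record.get("Acl", {})):
        findings.append("ACL grants public group: " + ", ".join(sorted(perms)))
    if effectively_public(record):
        findings.append("EFFECTIVELY PUBLIC")
    return findings

def audit(inventory):
    """Bucket name -> findings, omitting clean buckets."""
    return {r["Name"]: f for r in inventory if (f := assess_bucket(r))}

ALL_BLOCKED = dict.fromkeys(PAB_KEYS, True)
# Constructed inventory: bucket names, account ID and role are made up.
SAMPLE_INVENTORY = [
    {"Name": "marketing-assets",  # world-readable policy, nothing blocks it
     "Policy": json.dumps({"Version": "2012-10-17", "Statement": [
         {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
          "Resource": "arn:aws:s3:::marketing-assets/*"}]}),
     "Acl": {"Grants": []}, "PublicAccessBlock": None},
    {"Name": "legacy-uploads",  # stale public ACL, but Block Public Access is on
     "Policy": None,
     "Acl": {"Grants": [{"Grantee": {"Type": "Group",
              "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
              "Permission": "READ"}]},
     "PublicAccessBlock": ALL_BLOCKED},
    {"Name": "finance-exports",  # one role in the account only: clean
     "Policy": json.dumps({"Version": "2012-10-17", "Statement": [
         {"Effect": "Allow", "Action": ["s3:GetObject"],
          "Principal": {"AWS": "arn:aws:iam::123456789012:role/reporting"},
          "Resource": "arn:aws:s3:::finance-exports/*"}]}),
     "Acl": {"Grants": []}, "PublicAccessBlock": ALL_BLOCKED},
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INVENTORY).items():
        print(f"{name}: {'; '.join(findings)}")
```

The check distinguishes a grant that exists from a grant that actually exposes data: `legacy-uploads` carries a public ACL but Block Public Access neutralizes it, so it is reported for cleanup without being marked exposed, while `marketing-assets` is marked effectively public because nothing stands between the wildcard policy and the Internet. Policy conditions are deliberately not evaluated; a conditioned public grant is still a grant to review, which is the conservative posture a CSPM tool takes as well.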
Several traditional endpoint protection vendors have developed specific offerings for cloud workload protection platforms (CWPP). Riley pointed to the rise of startups building tools with capabilities such as identity-based segmentation, application control, integrity protection, and activity monitoring. Last year, Gartner estimated the CWPP market size at $1.25 billion; it anticipates the space will reach $2.5 billion by 2023.
The cloud security shift "starts with a cloud native mindset that's oriented less toward the network and more toward identity, data, and applications," Riley said. For both the general cloud infrastructure and specific cloud workloads, the fundamental controls are "critical starting points," while important and optional controls can be layered in later.
Orans pointed to the growing adoption of secure access service edge (SASE). Businesses are buying more cloud-delivered security services and fewer physical appliances as they adopt SaaS applications like Microsoft 365 and Salesforce.
"We need to secure how our branch offices are connecting to the Internet, we need to secure how our mobile users are connecting to the Internet, and things are changing rapidly," he explained in a Gartner Summit session on network security. Analysts expect organizations will spend between $80 billion and $100 billion on SaaS applications through 2023, affecting the way they design and rearchitect their wide area networks.
There is a lot of conversation around moving to the cloud, Orans said. These discussions usually focus on moving workloads from private data centers to public clouds such as Amazon Web Services, Microsoft Azure, and Google Cloud. While these transitions are important, more money is being spent on SaaS applications, which he called the "key driver changing network security."
Analysts tracking the SD-WAN market project strong growth for SD-WAN through 2024, Orans said.
"When I take inquiries on adopting these cloud-delivered security services, what I'm hearing is that in conjunction with the WAN rearchitecture and moving security from the data center up to the cloud, that you're adopting SD-WAN," he explained.
SASE is driving the market convergence. Network-as-a-service and network security-as-a-service projects are often done at the same time, he continued: an SD-WAN rollout typically coincides with a move to a cloud-delivered secure Web gateway or a CASB service.
Convergence can mean different things to different people. Some network security vendors are buying SD-WAN vendors, Orans noted, so some acquisitions are consolidating the market. Partnerships are also bringing together network and network security vendors. For many organizations, the most strategic decision in moving security to the cloud is deciding on a cloud secure Web gateway or cloud proxy.
By the year 2025, the traditional functions of the security operations center (SOC) will look very different than they do now, said Sadowski in a talk on SOCs in the cloud. As security becomes more programmatic, organizations will redistribute traditional SOC functions across divisions. As a result, the ownership of security will shift.
"Now that people will be working from home, the center doesn't exist anymore," he said. "At best, it's a construct ... now instead of being log management centric, it's going to be threat detection and response centric."
The broad use of SaaS applications will be problematic for threat detection and response and drive much of this change, he explained. "Why would the SOC be in charge of doing threat detection and response for a SaaS application when that SaaS application was bought ... by somebody somewhere who didn't tell anybody and is running in production?" Sadowski said.
Businesses still need threat detection and response, but some things need to change, and the cloud hybrid SOC will eventually become the SOC of choice, he said. "It's going to be in the cloud, for the cloud, and we'll see how that is going to change and force people, process, and technologies to align," Sadowski said.
When rethinking their SOC approach, he advised organizations to assume a distributed team with no "center" for the SOC and to develop cloud-centric but also business-centric security skills. "At the end of the day, we are here to serve the business," he noted. The company should also have fluid, per-incident teams who will bring together different skills to solve a problem.
As for the "don'ts," Sadowski emphasized that security teams should not expect a "unicorn," or an expert in all things cloud security. They should also avoid putting employees into silos and instead encourage groups of people to better work together.
In his talk on the SOC, Sadowski encouraged organizations to consider their existing tools before running out to invest in new ones.
"One of the first things that an organization can do and should do is really inventory your security operations function," he said. "You will likely find threat detection and response in there as one of the main buckets, but it is important to identify all the different functions that you have."
Large cloud service providers have begun to offer cloud detection and response (CDR) but only within that CSP and for the CSP. Sadowski pointed to Microsoft Azure ATP and Amazon GuardDuty as two examples. CDR tools "have access to amazing telemetry," he said, as well as analytics, native response capabilities, and the ability to send alerts and context -- all doable via API.
He advised businesses to favor the CSP's own tools for CDR within that CSP, insist on a full set of APIs from all vendors, and define a hierarchical approach to centralize, rationalize, and handle all local and micro incidents. Sadowski urged listeners not to buy the "latest shiny toy or service" at the risk of ending up with too many systems.
"Don't accumulate too much technology debt because it is indeed going fast," he said. "It is going to speed up ... so just keep an eye on that and be on top of it." If you're already using a CSP, revisit and reconsider its security offering before buying more tools.
The SOC stack is mainly centered on the security information and event management (SIEM) tool, Sadowski said in his discussion of the cloud hybrid SOC. In a separate talk, he explored whether organizations must have a SIEM or whether they can use managed detection and response (MDR) instead.
Think about the type of threat detection you need. Many organizations focus on "commodity" threats such as ransomware; they are neither worried about business-specific threats nor need to ingest business application logs. Others need advanced capabilities, such as detecting threats specific to their business and monitoring events from business applications.
Businesses must also consider whether they have the resources to manage the SIEM. They'll need someone to run, adapt, and watch the SIEM, or at least adapt and watch for a SaaS SIEM.
For organizations worried only about commodity threats and lacking sufficient resources, Sadowski advised opting for MDR. Those worried about commodity threats that do have the resources can consider a SIEM optional; a combination of endpoint detection and response (EDR), network detection and response (NDR), and central log management (CLM) may suffice.
Those worried about advanced threats who have the resources should invest in a SIEM, Sadowski said. A SIEM is still preferred for those without the resources, although they could also opt for a co-managed SIEM or managed security services (MSS).
Many organizations that struggle with the complexity of several cloud security services are simplifying their environments by cutting down on the number of vendors they use, Orans said.
"Let's say you have five cloud-delivered security vendors -- you've got one for the secure Web gateway, you've got one for zero trust, you've got one for CASB, [and] maybe a couple others," he noted. The company must determine how to get traffic to the service, which usually requires an agent on each user's device -- which can get complicated as the number of agents grows.
Now, Orans said, businesses are sticking with one or two cloud-based security services -- typically a secure Web gateway vendor and/or a separate CASB vendor. He did note these two markets are converging, so organizations will eventually be able to choose one vendor for both services.