
Everything about IT has changed, but our security measures are still built around how we used to design software and systems. Where does security need to catch up with digital transformation -- and how?


With the C-suite laying the gauntlet down for digital transformation in the enterprise — tying swift software delivery and market-adaptable tech services directly into core value propositions — many IT departments are entering an enlightenment period. CIOs, chief digital officers, DevOps visionaries, and plenty of collaborative tech industry luminaries have spurred on drastic changes in the past few years in how software is delivered, how infrastructure is run, and what IT architecture looks like.

These changes are already starting to be felt by security teams. But most in the industry have managed to muddle through some of the earliest stages of these transformative shifts clinging tentatively to the status quo. It's uncertain how long it will take, but those in that old guard are headed toward a wall of disruption.


"Every single aspect of how we conceive of, build, write, deploy, run, and operate software has changed drastically in the last 10 years. We've gone from monolithic to microservices, waterfall to agile, on-premises to cloud, and so on," says Brendan Hannigan, CEO and co-founder of Sonrai Security. "But everything we do in the security world was built around how we used to build software."

As pilot projects in areas like containerization start to scale out and organizations move to cloud-first deployment policies, the same old, same old will quickly grow untenable. In fact, a number of trends are on track to seriously disrupt traditional security thinking and technology.

These trends will require CISOs and their teams to rethink security architectures, question old assumptions, rip-and-replace completely outdated security platforms, and invest in new security categories. Most importantly, these trends will demand security leaders work more collaboratively than they ever have before to ensure they're in lockstep with the breathtaking pace of change that's remaking IT architecture and software delivery models today.

Here's a closer look at five trends putting the most pressure on security.


Cloud Sprawl Keeps Snowballing

With cloud deployments proving their value and then some, enterprises are tripping over themselves to increase the penetration of cloud across their entire organizations. Whereas four years ago just 27% of cloud users were running applications, that's now risen to 49%, according to ESG Research. And by next year, analysts believe some 83% of all enterprise workloads will run in the cloud — with about half of those in public clouds, another quarter in private clouds, and the final fourth in hybrid.

Amid all that growth, cloud deployments sprawl both more broadly across organizations and deeper into systems that were once firmly on-prem. And the variety of deployments can be dizzying. According to the Cloud Security Alliance, 66% of organizations have a multicloud environment.

"People aren't in the cloud anymore," Sonrai Security's Hannigan says. "They're in hundreds of clouds."

This is posing some big security management upheaval for those who rely on monitoring and controls that don't translate well between different on-prem and cloud environments.

"From a CISO perspective, it becomes increasingly important to have solutions that can natively support and provide real coverage across all the different environments," says Zane Lackey, CSO and co-founder of Signal Sciences. "This way, you avoid a management headache of having one vendor for data center apps, another for hybrid cloud apps, and yet another for pure public cloud apps."


Gone Native: Containers and Serverless Eat the World

Further complicating the issue of cloud sprawl is the fact that what's being hosted on the cloud is much more complex architecturally than it once was. The rise in containerization and serverless function adoption has been rapid and extremely difficult for security professionals to wrap their hands around.

According to the "State of Container and Kubernetes Security" report, Kubernetes adoption has risen by 51% in the last year. And the most recent "Security for DevOps — Enterprise Survey Report" published by ESG found more than one in three organizations now use serverless functions extensively, compared with two years ago when the technology was too new to even ask about adoption.

These cloud native technologies are putting security teams in an uncomfortable spot, as they typically have completely different security properties than the older VMs they may have previously been familiar with. When they try to apply old models to these new technologies, they're trying to shoehorn in false equivalencies that don't help them manage risk for these cloud-native technologies.

"They might think, 'Is there a firewall, just for containers?' But that doesn't make any sense and is not what we actually need," says Kelly Shortridge, vice president of product strategy at Capsule8. "If you're operating off that assumption, then your threat models are going to be all wrong, particularly if you weren't mapping the workloads and understanding how different systems are working with each other."


Microservices and APIs Smash Old Software Models

Capsule8's Shortridge echoes Sonrai Security's Hannigan's thoughts about security disruption.

"There is almost a Copernican revolution right now where the primitive models that we've held dear for decades and are the basis for a lot of security strategies no longer apply to this cloud and microservices world," she says.

Microservices and the attendant APIs necessary to glue them all together stand as one of the most disruptive, long-term forces for security architecture in the future. Microservices break large, monolithic applications into smaller, reusable chunks. APIs are what tie these chunks together — and experts increasingly point to these interfaces as a key ingredient to driving digital transformation. But the more deeply organizations rely on APIs and the more systems they touch, the more risk they bring to the table.

This is why API concerns dominate three of the top five worries named by executives using cloud-native technologies like serverless functions.

The industry is starting to move on the disruptions that API security issues will be causing organizations in the coming year. Most recently, OWASP published a Top 10 list specifically for API vulnerabilities. 


Software-Defined Everything

With momentum increasingly growing for technology like infrastructure-as-code and software-defined networking, we're starting to look down the horizon toward a world of software-defined everything. This transformation is definitely longer-term than those previously mentioned, but it stands to pose the most disruptions — and positive opportunities — for security down the road.

Infrastructure and networks are increasingly becoming programmable applications themselves, and the hyperconverged world will centralize data control planes and could potentially concentrate risk in certain areas. That means security teams need to understand new architectures to build suitable security boundaries — and be ready for big changes in how networks are architected and workloads are managed. We see glimmers of this already with growing movements like zero trust and microsegmentation, which dovetail well into a software-defined reality.

You could also see a new world of software-defined security open up opportunity for greater security automation baked into the infrastructure. One recent study shows that some 56% of organizations today are poised to explore software-defined perimeter technology within the next 18 months. 


The Ever-Expanding Edge

Cloud isn't the only thing that's completely changing the complexion of the data center. According to computing visionaries, we ain't seen nothing yet, as more compute power gets pushed to the network edge. One recent luminary from The Linux Foundation predicts "edge computing will overtake cloud computing" by 2025.

This is supported by a recent study by Vertiv, which shows that between now and 2025 we can expect the number of cloud computing sites to grow 226%. Fueled by the Internet of Things and 5G maturation, this trend will likely be security's next unknown crisis as risk experts try to gain rapid understanding of the new risk surface that the expanding edge poses.

As Peter Panfil, vice president of global power at Vertiv, says, "The pressure on the edge has pushed the requirement for understanding IT applications out into places that didn't exist just one generation ago." 


About the Author(s)

Ericka Chickowski, Contributing Writer

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.
