In 2018, more organizations adopted cloud computing, and at a rapidly growing pace. The main drivers for cloud were high efficiency, easier and faster deployments, and, of course, scalability. But from a security perspective, the speedy adoption of cloud computing is forcing security professionals to learn about new challenges, cloud-specific risks, and relevant mitigations as well as to develop more modern cybersecurity strategies.
The past year also brought with it a greater number of security incidents related to misconfigured cloud accounts, which is a trend that I expect to increase as more organizations adopt cloud computing without growing their cloud security teams or hiring professionals with a deep understanding of cloud security issues.
What do those recent trends portend for the future? Here are six cloud security predictions for 2019:
Prediction 1: Serverless adoption will drive cloud security automation.
As organizations increasingly move to serverless architectures, they are also discovering more use cases for cloud security automation because serverless functions provide a means to launch security logic as a response to cloud events. Examples include: when there are spikes or anomalies in cloud account billing expenses as a result of service abuse, denial-of-service attacks, or cryptomining; when someone attempts to deploy new cloud assets/services or code outside the normal deployment pipeline; or running compliance checks on new code or cloud resources as part of the deployment pipeline.
Prediction 2: Cloud providers will take on a major role in security.
With serverless adoption skyrocketing in 2018, more teams are choosing to either switch from container-based architectures to serverless, or simply skip containers all together. The reason? An increasing number of system components are now abstracted and, subsequently, they require less management. This is also the case for cloud security. Serverless architectures are the highest abstraction of cloud computing to date, which makes application owners only responsible for security at the application layer and in cloud configurations. As a result, much of an organizations' security responsibility has now passed to the cloud provider. This includes physical security, operating system security configurations and patches, network security, and virtual machine or container security.
Prediction 3: Expect to see more cloud-native guidelines and research.
In 2018, several industry analysts released research papers and recommendations around cloud-native technologies, with Neil MacDonald of Gartner spearheading into the serverless domain with his research on Security Considerations and Best Practices for Securing Serverless PaaS. I expect analysts will pay even more attention in 2019 to cloud-native security in general and serverless security in particular, as organizations continue to modernize their applications and seek help in determining the right security strategy.
Prediction 4: Declining demand for security support in multicloud deployments.
In 2017 and 2018, much attention was given to the topic of cloud vendor lock-in. As a result, cloud security vendors were required to answer inquiries regarding their support for multicloud deployments. In late 2018, several thought leaders in the cloud computing industry called out the fact that cloud vendor lock-in is mostly fear, uncertainty, and doubt (FUD)! As Simon Wardley, a UK researcher for Leading Edge Forum and the lead practitioner for Wardley Maps, stated: "It would be nice to have a competitive environment with different providers you can switch between. But that is secondary to usefulness and functionality." We expect to see less and less attention being given to this topic, and cloud security vendors will see less demand for supporting multicloud deployments.
Prediction 5: Security will shift even more to the left.
As an increasing number of system components become the responsibility of cloud providers, application owners will find themselves dealing less with infrastructure, operating system, and networking security. This shift in security responsibility is maximized in serverless architectures, where the only responsibility for application owners is in the application layer. As a result, organizations will see an internal shift, with a lot less involvement from traditional corporate IT security teams in corporatewide high-level security strategies. On the other hand, expect development teams to become more involved and responsible for security, which will push the adoption of the DevSecOps movement.
Prediction 6: Traditional security vendors will move into cloud-native security.
In 2018, traditional security vendors started making strategic efforts to modernize their security offerings and adapt to cloud-native environments. Recent examples include Palo Alto Networks, which acquired Evident.io and RedLock, and Check Point, which recently acquired Dome9. This trend is expected to continue in 2019, as vendors realize that cloud computing is not just the domain of startup companies but is also being adopted by large corporations, financial services, healthcare, and even government offices. Bottom line: Organizations now recognize that public cloud infrastructure is not less secure than on-premises, and that cloud vendors provide a high level of security.