12/10/2018
10:30 AM
Ory Segal
Commentary

6 Cloud Security Predictions for 2019

How the fast pace of cloud computing adoption in 2018 will dramatically change the security landscape next year.

In 2018, more organizations adopted cloud computing, and at a rapidly growing pace. The main drivers for cloud were high efficiency, easier and faster deployments, and, of course, scalability. But from a security perspective, the speedy adoption of cloud computing is forcing security professionals to learn about new challenges, cloud-specific risks, and relevant mitigations as well as to develop more modern cybersecurity strategies.

The past year also brought with it a greater number of security incidents related to misconfigured cloud accounts, which is a trend that I expect to increase as more organizations adopt cloud computing without growing their cloud security teams or hiring professionals with a deep understanding of cloud security issues.

What do those recent trends portend for the future? Here are six cloud security predictions for 2019:

Prediction 1: Serverless adoption will drive cloud security automation.
As organizations increasingly move to serverless architectures, they are also discovering more use cases for cloud security automation, because serverless functions provide a means to launch security logic in response to cloud events. Examples include reacting to spikes or anomalies in cloud account billing expenses that result from service abuse, denial-of-service attacks, or cryptomining; reacting when someone attempts to deploy new cloud assets/services or code outside the normal deployment pipeline; and running compliance checks on new code or cloud resources as part of the deployment pipeline.
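As an illustration of the second use case, here is an added example (not from the article or any vendor) of a serverless function that flags deployment calls made by anyone other than the pipeline. It assumes an AWS Lambda-style handler and a CloudTrail-shaped record in `event["detail"]`; the role name `ci-deploy-role` and both sample events are constructed.

```python
# Added example. Assumes a Lambda-style handler and a CloudTrail-shaped
# record in event["detail"]; the role name and sample events are constructed.
PIPELINE_ROLES = {"ci-deploy-role"}  # hypothetical pipeline role name

# Small illustrative set of (eventSource, eventName) calls that deploy assets.
WATCHED_CALLS = {
    ("lambda.amazonaws.com", "CreateFunction20150331"),
    ("lambda.amazonaws.com", "UpdateFunctionCode20150331v2"),
    ("ec2.amazonaws.com", "RunInstances"),
}

def actor_role(identity):
    """Return the assumed role's name, or None for users, root, etc."""
    if identity.get("type") != "AssumedRole":
        return None
    return identity.get("sessionContext", {}).get("sessionIssuer", {}).get("userName")

def evaluate(detail):
    """Return a finding for a watched call made outside the pipeline, else None."""
    call = (detail.get("eventSource"), detail.get("eventName"))
    if call not in WATCHED_CALLS:
        return None
    identity = detail.get("userIdentity", {})
    if actor_role(identity) in PIPELINE_ROLES:
        return None
    return {
        "finding": "deployment-outside-pipeline",
        "call": f"{call[0]}:{call[1]}",
        "actor": identity.get("arn", "unknown"),
        # Denied attempts are reported too; errorCode is present only on failure.
        "succeeded": "errorCode" not in detail,
    }

def handler(event, context=None):
    """Entry point: the caller routes a non-None finding to alerting."""
    return evaluate(event.get("detail", {}))

# Constructed sample events (not real log data).
PIPELINE_EVENT = {"detail": {
    "eventSource": "lambda.amazonaws.com", "eventName": "CreateFunction20150331",
    "userIdentity": {"type": "AssumedRole",
        "arn": "arn:aws:sts::111122223333:assumed-role/ci-deploy-role/build-42",
        "sessionContext": {"sessionIssuer": {"userName": "ci-deploy-role"}}}}}
CONSOLE_EVENT = {"detail": {
    "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
    "errorCode": "Client.UnauthorizedOperation",
    "userIdentity": {"type": "IAMUser",
        "arn": "arn:aws:iam::111122223333:user/example-user"}}}
```

The pipeline's own call produces no finding, while the denied console attempt is still reported with `succeeded` set to false, matching the article's wording about attempts to deploy.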

Prediction 2: Cloud providers will take on a major role in security.
With serverless adoption skyrocketing in 2018, more teams are choosing either to switch from container-based architectures to serverless or simply to skip containers altogether. The reason? An increasing number of system components are now abstracted and, consequently, require less management. This is also the case for cloud security. Serverless architectures are the highest abstraction of cloud computing to date, which makes application owners responsible only for security at the application layer and in cloud configurations. As a result, much of an organization's security responsibility has now passed to the cloud provider. This includes physical security, operating system security configurations and patches, network security, and virtual machine or container security.

Prediction 3: Expect to see more cloud-native guidelines and research.
In 2018, several industry analysts released research papers and recommendations around cloud-native technologies, with Neil MacDonald of Gartner leading the way into the serverless domain with his research on "Security Considerations and Best Practices for Securing Serverless PaaS." I expect analysts will pay even more attention in 2019 to cloud-native security in general and serverless security in particular, as organizations continue to modernize their applications and seek help in determining the right security strategy.

Prediction 4: Declining demand for security support in multicloud deployments.
In 2017 and 2018, much attention was given to the topic of cloud vendor lock-in. As a result, cloud security vendors were required to answer inquiries regarding their support for multicloud deployments. In late 2018, several thought leaders in the cloud computing industry called out the fact that cloud vendor lock-in is mostly fear, uncertainty, and doubt (FUD)! As Simon Wardley, a UK researcher for Leading Edge Forum and the lead practitioner for Wardley Maps, stated: "It would be nice to have a competitive environment with different providers you can switch between. But that is secondary to usefulness and functionality." We expect to see less and less attention being given to this topic, and cloud security vendors will see less demand for supporting multicloud deployments.

Prediction 5: Security will shift even more to the left.
As an increasing number of system components become the responsibility of cloud providers, application owners will find themselves dealing less with infrastructure, operating system, and networking security. This shift in security responsibility is maximized in serverless architectures, where the only responsibility for application owners is in the application layer. As a result, organizations will see an internal shift, with a lot less involvement from traditional corporate IT security teams in corporate-wide, high-level security strategies. On the other hand, expect development teams to become more involved in and responsible for security, which will push the adoption of the DevSecOps movement.

Prediction 6: Traditional security vendors will move into cloud-native security.
In 2018, traditional security vendors started making strategic efforts to modernize their security offerings and adapt to cloud-native environments. Recent examples include Palo Alto Networks, which acquired Evident.io and RedLock, and Check Point, which recently acquired Dome9. This trend is expected to continue in 2019, as vendors realize that cloud computing is not just the domain of startup companies but is also being adopted by large corporations, financial services, healthcare, and even government offices. Bottom line: Organizations now recognize that public cloud infrastructure is not less secure than on-premises, and that cloud vendors provide a high level of security.

Ory Segal is a world-renowned expert in application security, with 20 years of experience in the field. Ory is the CTO and co-founder of PureSec, a start-up that enables organizations to secure serverless applications. Prior to PureSec, Ory was senior director of threat ...