Organizations that use public clouds are adopting an increasingly sophisticated approach to security. While they have become comfortable with their sensitive workloads operating in the cloud over the past few years, they also have gained a better understanding of what’s required to apply security best practices across the entirety of their cloud framework. There is also more general awareness of compliance demands and the corresponding need to employ smarter strategies for continuous compliance.
Preparing to meet these demands will require organizations to make cloud security and compliance a priority, but we are already seeing smart enterprises take note of certain trends. I had the opportunity to sit with our CEO, Tim Prendergast, and VP of Customer Solutions, John Martinez, to get their thoughts about the things organizations will need to be aware of in the coming year. Here is an overview of the security and compliance issues they think will impact organizations most in 2018:
Demand from customers for more compliance reporting: In 2017 we saw many examples of breaches that were a result of third-party vendors not properly securing data in the cloud. We predict that in 2018, we’ll see more enterprises demand assurances about the steps vendors are taking to secure data in their cloud environment. And perhaps we’ll start to see more enterprises demand security, compliance service-level agreements, and a regular reporting cadence over and above an annual audit.
Massive shift from single cloud to multicloud: The adoption of multiple clouds is becoming and will continue to be more prevalent, creating an even more complex situation for security and compliance teams who struggle to keep up with development. Despite the additional complexity, organizations will make the move to multicloud in order to satisfy availability and disaster recovery requirements, the technology preferences of development teams, or as a tactic to manage growing cloud expenses. Additionally, companies are looking at cloud-agnostic microservices and secondary cloud services for their future uses.
Enterprises will make a meaningful move to predictive security rather than reactive: The market is becoming more sophisticated when it comes to cloud security, and it is pushing the envelope around integration and incident lifecycle management. We predict that companies will really start to be much more proactive at managing security within the DevOps lifecycle. There is a huge need to integrate security into the development process rather than reacting to issues once a project has been deployed to production. If companies can implement the DevSecOps mindset into both their culture and products in 2018, then security will be better all around for it. This mindset will need to affect both hiring practices and processes for companies, and it will potentially fundamentally change what a security engineer looks like.
Container and serverless computing ramps up, creating security headaches: In 2018 companies will move to adopt the cloud-native approach, and the traditional host-based operating system will become irrelevant, or it will need to reinvent itself or die. From a security standpoint, no one is really prepared to secure all these containers and functional compute opportunities, but people are adopting them nonetheless.
Increase in attacks on APIs: APIs are all about data – transacting, communicating, integrating, and processing it. Organizations are increasingly relying on APIs to direct data for different workloads, and at the same time are using them to manage their serverless computing. Without insight into the security state of all that activity, organizations risk an environment that could quickly get out of control; it’s a matter of scale and volume. Hackers know there will be a lot of vulnerabilities and will look to exploit those.
Companies will aggressively hire and train cybersecurity experts: Cybersecurity will become the #1 in-demand job skill, requiring organizations to fill positions in creative ways, including training existing employees and hiring from non-traditional sources.
Insistence on application telemetry to increase awareness: Greater attention will be paid at the application development level. Telemetry and corresponding analysis of application data support better decision making and better control over an organization’s security posture.
More integration of compliance and security functions: The simple algorithm will finally start to have an impact – be secure, and you’re closer to being compliant. Yet, while security and compliance are different disciplines, they will increasingly be integrated. Organizations will look to align compliance efforts with those of their security experts.
Cloud breaches for device data (IoT): IoT offers some compelling opportunities for attention-hungry hackers. We will see more efforts aimed at all different types of devices. For brands that are dependent upon connectivity to the cloud, this could have a hugely negative impact on their brand. In some cases (autos, health devices, etc.) it could lead to dangerous personal situations.
New emphasis on diversity: Breaches, hackers, and risks come in all different shapes and sizes, and so too must the makeup of the people who are defending against these things. Smart organizations will recognize the importance of creating a diverse group of people to identify, address, and plan for security and compliance issues.
The cloud isn’t new, but new approaches to it surface all the time. In the midst of a lot of digital transformation and the addition of new applications and resources to cloud environments, there’s a continuously increasing need to get control of the risks in your cloud environment. This begins with insight, but it includes organizational behavior, incident response discipline, and having a strategy for ensuring that your customers and their data are safe.
If that’s not goal #1 in your organization right now, you can make it so in 2018.