SBN

Where Next With Cloud Security?

Cloud computing is more than a decade old, but cloud security, compliance, and even definitions of the technology components, are changing rapidly.

As cloud adoption surges almost everywhere, some governments are even moving from a ‘cloud-first policy’ to a ‘cloud-only policy’ with a few rare exceptions.

Others are still trying to grasp the scope of technology change and keep up with understand what their employees and contractors are doing online. What software-as-a-service (SaaS) apps are being used by staff? How are users opening up security holes in the cloud? Where is data being stored? How are protections working? Can you know any of this information for sure at any given moment?  

Last year, I provided these seven tips for securely moving your data to the cloud, which included some basic definitions. In this blog, I want to dive deeper into cloud security trends and offer steps to consider.

‘The Cloud’ by the Growing Numbers   

According to Geekwire and Gartner, cloud computing will be a $186.4 billion market this year, growing to over $302 billion by 2021. “In 2018, cloud computing — which for the purposes of this discussion includes all the SaaS, infrastructure, platform, and software — will be a $186.4 billion market, Gartner predicted. That’s a 21 percent jump compared to $153.5 billion in 2017, led by cloud infrastructure services like Amazon Web Services and Microsoft Azure, which should grow 35 percent in 2018 to $40.8 billion. …”

And as far as government is concerned, the cloud market is set to grow to $49.2 billion by 2023.

Gartner sees double digit growth in cloud adoption, with spending forecast to grow on average 17.1 percent per year through 2021. “The key to successfully implementing cloud in government is accounting for the unique technical, organizational, procedural and regulatory issues of individual organizations,” says Neville Cannon, research director at Gartner.

“Government private cloud is the new legacy,” says Cannon.

TechRepublic recently highlighted that in a recent industry survey that technology and security leaders are focusing more on cloud security.

Why? “Only 41% of respondent infrastructure remain on-premises, the release said. Businesses are increasingly migrating to alternate infrastructure options like IaaS (25%), PaaS (17%), and containers (10%).

  • 54% of companies are worried that they might outgrow their current security solutions, putting them at greater risk. — Threat Stack, 2018
  • 91% of company leaders believe that development teams are introducing new risks to their organization. — Threat Stack, 2018

Spotlight on Cloud Security

Over the past six months I have interviewed many public-sector CIOs, CISOs as well as private-sector technology leaders, and they have all highlighted the importance of new cloud architectures. It seems that everyone has a special emphasis on cloud security efforts. For example:

Arizona CISO Mike Lettman: “We developed a process to identify risk with our cloud vendors. We are a cloud-first state, and I was told we are the state with the most significant presence in Amazon. I had no idea how our cloud vendors were protecting our data. At the time we had measurements from CSA (Cloud Security Alliance) which was mainly subjective, to FedRAMP (federal gov’s cloud framework) which required vendors to go through a lengthy, expensive process to get certified. We desired something in between. Some needed a way to determine issues and risk. So we developed the AZRamp process for cloud vendors.

New Jersey CISO Michael Geraghty: “The Statewide Information Security Manual (SISM) was one of the first projects we took on. … It’s an interconnected series of policies and standards that has been derived from applicable laws; industry best practices including the National Institute of Standards and Technology (NIST) Cybersecurity Framework for Improving Critical Infrastructure; the Center for Internet Security (CIS) Top 20 Critical Security Controls; the Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM); lessons learned; and other New Jersey state government business and technology-related considerations.”

Tenable CEO Amit Yoran: “Companies like Tenable are developing solutions to better evaluate companies’ cyber exposure, manage the elastic attack surface and further cloud security. Organizations are now understanding the value of continuous monitoring and are looking for tools to better mitigate cyber risk. ”

I have also highlighted the federal government’s FedRAMP program going back several years as well as the need for contractors to address security compliance deadlines. Recent updates from FCW on these security compliance needs for government are also helpful.   

Today, the FedRAMP program is the “must do” list for federal agencies and is becoming a core need for many state and local governments that are custodians of federal data. FedRAMP “simplifies security for the digital age by providing a standardized approach to security for the cloud.”

For most leading governments, even those not requiring FedRAMP certification for applications or hosting of data, many organizations are implementing Cloud Access Security Broker (CASB) solutions.

Why Do Enterprises Need a CASB? What Comes Next?

Gartner defines CASB as: “An on-premises or cloud-based security policy enforcement point that is placed between cloud service consumers and cloud service providers to combine and interject enterprise security policies as cloud-based resources are accessed. Organizations are increasingly turning to CASB vendors to address cloud service risks, enforce security policies, and comply with regulations, even when cloud services are beyond their perimeter and out of their direct control. …”

CASB offers four main functions: “Discover which cloud applications are used across the business, secure data, protect against threats, and ensure compliance with corporate policies. …”

According to Netskope, a leading cloud security solution provider recommended by Gartner: “By 2020, 60 percent of large enterprises will use a cloud access security broker.”

I recently asked Sanjay Beri, who is the CEO of Netskope, to provide more insight on where cloud security is heading next. Here is that brief interview.

Dan Lohrmann: What are the top three cloud security trends?

Sanjay Beri: I would start with a need for increased infrastructure as a service (IaaS) governance. With IaaS misconfigurations and inadvertent sensitive data storage exposure causing some of the biggest breaches dominating the news in the past year, businesses are increasingly focusing on increasing governance to prevent data loss. Demand for continuous security assessment and monitoring, effective data loss prevention, and malware and threat protection are at an all-time high. Customers increasingly expect vendors to offer these capabilities.

Second, the use of the cloud for cyberattacks. Between malware, ransomware, crypto-jacking, and other malicious activity, hackers are nearly untethered in terms of available attack vectors for infiltrating the cloud environment. This trend will get worse before it gets better.

Third, accounting for the mobile workforce. To stay competitive, businesses need to find security solutions that do not significantly impact or limit user experience. Security practitioners are increasingly choosing solutions that give immense insight into and real-time protection of cloud activity without banning critical employee tools.

Dan Lohrmann: As we head into 2019, what do public-sector security leaders need to do to protect their data going into (or out of) cloud services?

Sanjay Beri: As cloud adoption expands and demands for shareable data increases, security teams need to keep a close eye on the many channels being used to communicate and share data. Rather than blocking use of those channels, which often impacts employee productivity and flexibility, security leaders need to have the right guardrails in place to ensure employees aren’t intentionally or inadvertently exposing the data to the outside world, and in turn exposing the company to costly vulnerabilities.

Final Thoughts

Over the past few years, I frequently highlight the need for state and local governments to follow the lead of their federal counterparts and offer more bug bounties as well as establish coordinated vulnerability disclosure programs. Now, that bug bounty trend is starting to take-off in a variety of ways, as more and more vulnerabilities are being found in online services offered by governments.

In much the same way, I see the growing need for improvements in cloud security for public sector enterprises as more data is moved into the cloud in various forms. Some state and local governments have implemented a CASB solution, but I see this percentage growing fast in the next two years.

Beyond just a one-time discovery of enterprise cyber-risk, new CASB tools from companies like Netskope provide a constant view of cyberthreats from various channels in an ongoing, even real-time, manner. 

As CIOs and CTOs move more and more data out of government-owned data centers and into shared cloud infrastructure and services, security teams need this new viewpoint in a much more granular level at the same time.

Therefore, as we head into the 2020s, I have no doubt that more and more public-sector security teams will implement CASB solutions to address cloud computer security.

My advice: Start planning for cloud security management tools now and research CASB solutions to help achieve the best results.