If you could go back in time, armed with all the knowledge and skills you have today, would you do anything differently? Would your changes make things better, or lead to unintended consequences?
Though it might sound like the plot of Back To The Future and many other time travel stories, it’s something to consider when it comes to areas such as cloud security. Thinking about the journey that we’re all on can help our decisions in the future.
For cloud, there are lessons to be learned from the past, present and predicted future for security. Using this information in the right way can help us improve and better our security posture.
Cloud security past – internal issues and trust
We should look at how cloud services have developed to meet different needs and use-cases. To start with, most cloud services provided infrastructure-as-a-service, or IaaS. This offered a combination of hardware resources and computing capacity that customers could use and consume as they needed. This was followed by platform-as-a-service offerings, or PaaS, where the hardware was abstracted and users could consume the service rather than having to think about their infrastructure requirements. Alongside these services, software-as-a-service (SaaS) delivered everything in a browser window. Taken together, the evolution of IaaS, PaaS and SaaS helped companies adopt the cloud.
Alongside these general categories, cloud security solutions have existed for decades. In fact, outsourcing processing to a provider that ran it using a cloud model predates the launch of services such as AWS by several years. The challenge was how companies that had been used to building and operating their own data centres could trust cloud services instead. They certainly had the need, but how could they get the same level of trust?
Even with a company the size of AWS launching services, the perception of cloud was for many years that security was somehow a problem and that achieving cloud security was a goal that few would be able to attain. To remedy this, huge amounts were invested in demonstrating that cloud implementations and infrastructure were just as secure – if not more so – than what companies could achieve on their own.
This effort was aimed at increasing trust in cloud computing generally, and then looking at how cloud services could be used for security. One important step here was the formation of the Cloud Security Alliance in 2008 to represent the needs that companies had around cloud and security, establishing best practices and supporting more collaboration across the industry.
Support for standards around data processing, privacy and security, such as PCI DSS in payments and HIPAA in US healthcare, was also a priority. Alongside this, standards and frameworks for best practices such as ISO 27001, the NIST Cybersecurity Framework and the FBI’s Criminal Justice Information System (CJIS) report in 2012 all provided guidance on how cloud computing services could be deployed securely, and how cloud security could be used effectively within these overall approaches.
Slowly, the tide turned. While at the start, questions tended to focus on whether cloud could be secured properly at all, the industry as a whole recognised that cloud computing services could be delivered more securely than many companies were able to achieve on their own. There was also recognition that cloud companies have a vested interest in their own security, and that they will not be viable as businesses if significant security failings are discovered. As long as cloud companies could prove that they were putting in the right efforts around security through accreditation and testing, they were able to win customers.
Cloud security today
Fast forward to 2021, and the industry landscape is very different. Today, companies no longer solely exist behind their corporate firewalls. Instead, enterprises have IT assets spread across internal IT resources, in the cloud and distributed across devices. There is no perimeter that surrounds the business, and there is therefore no well-defined border for security to guard. Instead, we have to guard everything, everywhere, wherever it happens to be.
The role for cloud security has continued to grow based on two trends. The first is that, as companies have digitised more of their processes, they have seen more potential risks crop up alongside. Whether it is complex operational technology implementations being connected to the network or smaller businesses deploying new applications and services, all companies rely on their technology in order to run their operations. This complexity offers more potential for attackers, and therefore the job of IT security has got harder over time.
Security information and event management (SIEM) solutions started out alongside cloud services, but were focused on knitting together existing security products and alerts based on the corporate network that existed at the time. As more services have moved to the cloud, SIEM solutions have struggled to keep pace. Cloud-based SIEM products have been developed as one approach to solving this problem, but they do not cover the whole gamut of IT devices, services and approaches that exist today.
The second trend is how digitisation has led to more data being created in near real time. This constant creation of more data has been a blessing and a curse for security teams. On the one hand, they can get more timely data from IT systems to look for potential vulnerabilities or attacks taking place. On the other, that data is becoming so voluminous that it is more difficult and more costly for companies to manage this solely themselves.
For those companies that did not make the move to cloud initially for reasons of trust – or because those solutions were not invented internally – the sheer volume of data created has forced them to consider cloud solutions. This has led more companies to adopt cloud solutions as part of their overall strategy for security operations and analysis. This will continue into the future, as more automation is required to keep up with business data and potential attacks.
Cloud security: what does the future look like?
At this point, the future for cloud security involves more automation and analytics. Part of this is due to the scale of data that is involved today. The sheer volume of data that security analysts have to investigate is getting so high that it will be impossible for all but the very largest teams to work through it manually. Instead, using analytics and machine learning for pattern recognition will be vital to keep teams focused on real risks rather than false positives.
New technologies and approaches to handling data, such as extended detection and response (XDR), have emerged that build on top of SIEM and security orchestration, automation and response (SOAR) products. These services bring together the whole security stack that companies have in place across their existing internal IT infrastructure, from their endpoints and cloud services, and from new containerised applications through to operational technologies that have been in place for decades.
XDR promises to integrate every set of data that a company produces and put it into the right context. It relies on much greater use of automation and analytics to achieve these goals, as well as on making it easier for security analysts to carry out their work and be productive. By making analysts more efficient, XDR should help raise the overall standard that companies can achieve consistently and keep them one step ahead of attackers.
This is important because there is a human element to all this. According to ISC2, the global workforce involved in cyber-security has grown to around 3.5 million people worldwide. This has been an increase of 25 per cent year on year, but there are still around 3.12 million professionals required to fill all the available positions that companies will need. This gap in skills is a serious one, and it’s only by widening the potential pool of applicants that can join the security profession that companies will succeed. Alongside this, companies have to make more use of automation to make existing staff more efficient based on the power of cloud.
In order to continue the success of cloud security – and to keep cloud computing secure – the future will involve looking at the whole picture. Companies have more variation in the IT assets they use, in the locations people work from, and in how they run their operations. To maintain security in these circumstances, open approaches that can integrate across the entire stack will be necessary. Solutions will have to be compatible with XDR, or they will be replaced. Lastly, security analysts can get more support through automation and recommendations on what to investigate, while also seeing fewer false positives.
This will be essential as more security issues get discovered, and the most egregious ones are weaponised and automated. According to FireEye Mandiant, the average time between disclosing an issue and attacks appearing in the wild was nine days in 2018 and 2019. The attacks around issues in Microsoft Exchange are a good example where multiple issues can be chained together, and more importantly automated, in order to run attacks and exploit unpatched issues. With attackers keen to speed up their processes and use automation in their attacks, IT security teams have to take the same approach to stay ahead.
By concentrating on what companies need – and on how to reach those goals in the most efficient manner – cloud security has gone from being a niche to one of the dominant approaches for delivery. Over time, the sheer scale of data that we all create and the speed at which attackers try to misuse or exploit that data will continue to drive more use of cloud for security. While we might not have a time machine, we can learn the lessons of the past around cloud security, and we can improve our overall approach and build on what has gone before. More importantly, we can use these lessons to deliver better security processes and more effective automation over time.