It’s fascinating to take a step back and look at how “the cloud” developed over the last two decades. There has been a lot of innovation that has sparked a new wave of technologies – from the boom in serverless technologies (allowing firms to scale and build platforms at speeds never seen before) to the evolution of cloud automation security.
These innovations have enabled organizations to improve business agility and reduce costs; but they’ve also increased the attack surface as demonstrated by a recent IDC report, which highlights that 98% of organizations suffered at least one cloud security breach in the previous 18-months.
Based on these variables, below are the top cloud security trends expected to emerge in 2022.
The growth of serverless
We are seeing more and more organizations adopt a serverless architecture in their platforms. This translates into not just utilizing cloud service providers’ FaaS (Function as a Service) services, but also digging into the wide range of serverless offerings that are available. With new serverless offerings being introduced quarterly, it’s so important to understand the potential risks that may arise.
For example, AWS Pinpoint is an AWS service that offers an email, SMS messaging and marketing tool that is easy to set up and start integrating Lambda, API gateway, etc. With a myriad of integration options and features, it’s important for application developers and the cloud IT team to understand what the security configuration would look like, and the potential risks associated with these tools.
We also see things like “distroless” architectures being utilized to have more control over FaaS architectures across multiple CSPs. With increased control of these types of architectural decisions comes a new way to think about security. We have our eyes glued to these new models and are looking at how to think about security when more serverless services are being utilized. For this coming year we are keeping a close eye on serverless, and how best to secure it, while enhancing efficiencies and mitigating risks.
More organizations are starting to fully adopt Infrastructure-as-Code (IaC) to create fully autonomous cloud-based environments. From a security perspective, ensuring that the supply chain from the code to production is protected and monitored is becoming an increasing concern for organizations. We are seeing tools in this space starting to mature, and new strategies are being implemented. For example, you can do things like pre-validation of configurations and architecture, ensuring your architecture and code are compliant and secured before it even moves to production. In the coming year we are hoping to see more third-party tools being introduced and native cloud-based services to better support the overall supply chain.
Multi-cloud strategies are here to stay – and many enterprises are picking technologies best suited for their platforms while also creating resilient architectures that utilize more than one cloud service provider. We will soon see this adoption model mature along with multi-cloud security practices and tools. Additionally, we see “multi-cloud” enveloping edge computing, which will continue to extend onto factory floors, as well as into branch offices and private data centers. We are monitoring this area’s growth and developing new ways to adopt a multi-cloud strategy for organizations.
The lines between the application developer and infrastructure engineer have become very blurred. Developers are creating cloud architectures based on the services that they are trying to utilize, or creating new infrastructure from their codebase. Cross-functional teams are starting to work together to think about how security plays a role in this newer way of thinking. We’ve discovered potential new attack vectors and security configurations that have helped customers understand the impact. We see this trend continuing.
This past year we have seen a huge spike in breaches utilizing SaaS platforms. With this increase, we have also seen the growth of SaaS security offerings and tools as a response. One of those areas is SaaS Security Posture Management (SSPM) tools.
SSPMs are helping organizations dive into their overall SaaS portfolio to ensure they are keeping a pulse on the activity while remaining in compliance. In 2021, we saw these SSPMs adopt about a dozen or so platforms, but in 2022 we will see a significant increase in the number of SaaS platforms supported by these tools. Organizations are starting to create a stronger SaaS security program that can encompass their entire portfolio, from the onboarding and validation of cloud-based vendors to the monitoring and alerting of SaaS vendors in their ecosystem.
Dynamic access policies with attribute-based access control (ABAC)
ABAC leverages tags to dynamically determine access permissions. For example, if I have a tag “project”, I can construct a policy that grants permissions if the value of tag “project” on the principal matches the value of the same tag “project” on the target resource or environment. This allows for more scalable and reusable policies, simplifying management, and improving permission segregation. While many cloud service providers have not yet implemented this new approach across all services (minimizing its utility), we’re excited to see how this new approach grows in its adoption and support in the coming year.
With more organizations employing a work-from-home and hybrid environments and moving workloads and data to the cloud, securing cloud-enabled infrastructure needs to be built in from the start. The cloud is an enabler of business productivity, yet it must be used with a security-first approach to minimize risk while concurrently advancing productivity.