Last year I wrote a blog on what security measures you should take for the cloud in 2019. Now I’m here to review if I am a CloudSec soothsayer, or if I was wide of the mark. Let’s see how I did!
The Security Measures 2019 Review
Don’t Presume the CSP will take full care of your Cloud Security Needs
I believe this has been and still is true (1 point to me). CSP’s have continued with the same security model throughout the year and will continue to follow suit. However, they have been adding functionality to their products and releasing new security-based products to help with the burden on clients. Two great examples are from this years (2019) re:invent, they released IAM Access Analyser and Amazon Detective. The first evaluates IAM policies for wide or incorrect permissions, very useful for catching those mis-configured buckets! The latter helps you quickly analyse cloud events for suspicious activity. Great for those security response incidents that need a quick response.
You can lift and shift and deploy new platforms and systems at a fraction of a price, but don’t leave the security as an afterthought!
This is more of a general view of all movements to new platforms and whether it be the cloud or on-prem. Your security should be considered at the start not midway or at the end. We at Mobilise have been doing that and with the rise of DevSecOps this year it seems to be happening more. (A fuzzy 0.5 points for me as I can’t prove everyone is doing that!).
Engage your on-prem security team to start getting trained on Cloud Security best practices.
For us personally at Mobilise this is one of our go-to standards when lifting people into the Cloud, every team involved from day one. How can I measure that this is being done by other people? Don’t think I can. I hope it is, for any effective cloud strategy will fall apart if you haven’t factored in your Security needs and how your Security team can meet them effectively. Leaving them behind creates a vulnerable system and processes, and a vulnerable system is a dangerous system! (0 points for this as impossible to measure, just hopeful it is happening).
My 2019 score 1.5 out 2. Not Counting the third due to it being hard to measure.
The Security Issues 2019 Review
Social engineering was, and still is the biggest threat to user security in the Cloud.
Between this and Cloud Misconfigurations they have been the biggest threat to user security in the Cloud in 2019. The isc2 2019 report highlighted that 42% of the vulnerabilities are unauthorised access. However, misconfiguration of cloud platforms come in at 40%, so equally as important. I don’t think these two will change much next year. If anything I can see cloud misconfigurations going down due to more tools coming to market and maturity. But also CSPs helping to prevent them from occurring with the new functionality. I especially want to highlight how DevSecOps can help to prevent misconfigurations of cloud resources by making use of security tools and methodologies in your Infrastructure as Code pipelines.
Cloud Security in 2020
The year that DevSecOps becomes the norm.
2020 the year of DevSecOps. I fully believe that this year DevSecOps will become more of a norm that it is currently. There have been more evangelist giving talks, setting up examples and tutorials than ever in 2019. Even the Cyber Security tools are starting to help move towards a more automated framework. Thus, allowing DevSecOps to become possible no matter what part of the DevOps journey you are on. I fully recommend checking out the DevSlop project by the OWASP project (and most of their other work as well). Fully demonstrable project showing how to enable DevSecOps using Azure and the services it offers.
More Cloud security training and Certifications.
AWS Certified Security Specialty went from beta to live in 2019. Azure followed that up by releasing the Azure Security Engineer Associate to the public as well. Not to be left behind GCP also release the Professional Cloud Security Engineer certification. Whichever CSP you use there is now no excuse not to have someone qualified in Cloud Security for that platform. In turn helping you make sure your systems are secure. Expect to see more training classes around these certs in the coming year.
The further emergence of AI and ML in Cloud Security Platforms.
AI and ML looking after and advising your Cloud Security in 2o20? A possibility but can be seen as both a life saver but also a huge risk. ReliaQuest recently produced its Security Technology Sprawl report and found that with all the new security tools out there your system could be at tipping point. What do they mean by tipping point? For instance, it can get to the point where you have too many security tools in your system. Causing under utilized resources and technology but also leaving teams overwhelmed juggling these.
Where does AI and ML fit into this? It can help prevent the security tool sprawl. By centralizing the control plane of the security systems and logs you can filter and control what you get alerting on and what issues can fix autonomously. But as ever that is a double-edged sword, what if the AI misses something? What if it keeps creating false positives taking your Security team away from real issues? IBM are promoting and further developing Watson to do Cognitive Security for instance like a human immune system can learn. This will be one to watch in the future and see how they will plug into in their Cloud Solutions in 2020.