The cloud-native landscape is dynamic and quickly evolving. There is no denying that certain trends stand out more than others. In this article, we will discuss three of the undeniable trends in the cloud security space that warrant a closer look. This doesn’t mean that these are the only three areas organizations should be giving attention to, but they are among the most critical areas organizations can focus on to get a handle on their cloud security posture.
SaaS Security
Many organizations have been using SaaS for years; however, with the advent of the Covid-19 pandemic, the use of SaaS to support critical business functions has only accelerated. While the use of SaaS is far from new, giving SaaS security specific attention is.
Many organizations haven’t given much thought to implementing SaaS Security and Governance programs. This is despite the reality that many organizations are using up to 100 SaaS offerings in the SMB space and upwards of 200 in large enterprise environments. The use of SaaS also presents some unique challenges. Unlike broader IaaS adoption, only 25% of SaaS is controlled by the IT/Security department.
Organizations are also adding up to 10 new SaaS apps a month, outpacing the ability of IT, and subsequently security, to implement any sort of rigor or governance without being saddled with the dreaded label of “blocker”. Yet these SaaS apps are supporting critical business functions, could have major business continuity impacts, and are often storing sensitive data of the organization and even its customers.
Failing to address this brewing storm is a situation ripe for negative consequences. Organizations should establish a SaaS Security and Governance program to begin addressing this currently neglected focus area.
Multi-Cloud
As organizations have matured their cloud adoption and slowly gained a level of competency and fluency with a single IaaS provider, many are now pushing on with multi-cloud IaaS deployments. This typically spans 2-3 of the major IaaS providers, such as Amazon Web Services (AWS), Microsoft Azure, or Google Cloud.
While this is great for the business, because it ushers in a robust portfolio of cloud options to choose from and lets teams use best-of-breed capabilities as they see fit, it poses major problems for security. As many know, upwards of 99% of cloud security data breaches and incidents are due to customer misconfigurations.
How do we think this will play out across 2-3+ IaaS providers, each with its own configuration model? I’m sure you can make some sound assumptions about what lies ahead for cloud data breaches and incidents. NIST has recognized this trend and recently established its Multi-Cloud Security Public Working Group (MCSPWG).
Supply Chain Risk Management
The last few years have taught the IT and security community (and, more broadly, society) that supply chain security matters, a lot. This is no different in the cloud-native landscape. Organizations find themselves in a complex web of partnerships, customers, service providers, and more.
Couple that with the reality that Open Source Software (OSS) components, sourced from all across the web, make up upwards of 80% of most organizations’ software, and you can see potential challenges and risks everywhere.
Organizations need to give specific attention to implementing robust Cybersecurity Supply Chain Risk Management (C-SCRM) programs. A good place to start is NIST’s SP 800-161, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, as well as the Cloud Native Computing Foundation’s (CNCF) Software Supply Chain Security Best Practices whitepaper.