Enterprise cloud use cases are changing and expanding, and companies are now realizing new security challenges that need to be resolved.
Cloud security solutions can include everything from new security tools to more advanced training to investing in new team strategies.
See below to learn about the tops trends cloud security experts are seeing in the market:
5 Trends to Watch in Cloud Security
- Industry clouds growing in popularity
- Proactive cybersecurity for cloud migration and software development
- Merging best practices through DevSecOps
- Data-centric cybersecurity at the core of cloud security strategies
- Addressing risk from third parties and legacy vendors
Also read: 5 Cloud Networking Trends
Many companies have migrated some or all of their workloads to the cloud to keep pace with digital innovation, but some have struggled to keep their cloud environment and its data up to their industry’s changing regulatory compliance standards.
Hillery Hunter, VP and CTO of IBM Cloud, believes the solution for many companies will be investing in an industry-specific cloud that automates configuration management, regulation tracking, and other concerns specific to a particular industry.
“A recent IBM study found 64% of C-suite respondents agree industry-related regulatory compliance is a significant obstacle to cloud adoption,” Hunter said.
“As organizations grapple with security and compliance — especially highly regulated industries such as the financial services sector and government agencies for example — cloud adoption is evolving towards specialized clouds.
“As these industries strive to meet the demands of today’s digital-first customers and constituents, industry-specific platforms will be key to helping them balance innovation and functionality with stringent compliance protocols. By choosing the right platform — one with built-in controls — they will be able to innovate at the pace of change, ensuring they don’t get left behind while their industry puts new regulations into place or modifies existing ones.”
More on cloud computing trends: Cloud Computing Trends & Future Technology
Cloud migration has moved at a rapid pace, especially as the pandemic forced many companies to adopt a more flexible infrastructure on a quick timeline.
While moving assets to the cloud as part of digital transformation has produced benefits for companies, cloud migration has also introduced new concerns for cybersecurity, particularly when companies did not properly plan their security needs until post-migration.
Alicia Johnson, consulting principal of technology transformation at EY, a top professional services and consulting firm, believes cloud customers are starting to address cloud cybersecurity concerns earlier now, typically before or during the early stages of migration.
“Methodical and strategic cloud modernizations have replaced the expedited lift-and-shift approach — and as such, there’s an increased emphasis on the planning phase for successful cloud migration,” Johnson said.
“For example, security must be considered during the cloud design process, not after. Organizations are lagging in their shift, and cloud optimization efforts are often hindered when the engineering and security groups are not working as a single team, resulting in siloed behaviors.
“Business leaders state that 77% of cybersecurity spending is defensive in nature, focused on risk or compliance rather than opportunity. As such, addressing security challenges, governance, and operations (i.e., workload monitoring and cost optimization) early on will be top of mind. This will allow for smarter and more concrete business decisions, while also avoiding security issues before they happen.”
Gregg Ostrowski, executive CTO at AppDynamics, an application performance management solution and part of Cisco, agrees that cybersecurity planning is important earlier in the migration stages and has noticed vendors and customers alike highlighting cloud security implementations.
“Enterprises are seeing the need to consider cloud security earlier in the migration and monitoring processes,” Ostrowski said. “While introducing cloud services at a rapid rate for transformation, understanding where data is located has become critical.
“During application development cycles, organizations are increasingly starting to factor in security by moving from DevOps to DevSecOps at the beginning of the application development life cycle versus later on in the process.
“During digital transformation efforts, cloud enables speed and scale for development teams, making security early on necessary, so they can help deliver on speed and introduce new innovations targeting cloud security. The industry is taking notice, and we’re seeing more traditional enterprise vendors as well as new startups feature cloud security in their offerings, as they realize the importance of protecting user data in every environment.”
Piyush Sharrma, co-founder and CEO at Accurics by Tenable, a cloud infrastructure cybersecurity solution, believes many organizations will take their proactive cloud security planning a step farther, securing their cloud application and code development levels.
“The future of shift-left security is infrastructure-as-code,” Sharrma said. “If a vulnerability is detected while infrastructure is running, that organization is already exposed — even if a patch is applied right away.
“Now that cloud adoption has rapidly increased, and organizations are embracing the flexibility that cloud-native provides, it is vital to find and fix every bug before deployment. By the time software reaches run time, it’s already too late.
“That’s why detection will move from reactive to proactive in 2022, as CISOs increasingly recognize that security teams don’t have to wait for infrastructure to be created to discover and mitigate vulnerabilities in code.”
DevSecOps is a growing movement toward combining the efforts of security and development teams, so security permeates every aspect of technology development and configuration.
Ankur Shah, SVP and GM for Prisma Cloud, a cloud security solution from Palo Alto Networks, has noticed this “shift left” in cloud and enterprise cybersecurity.
“When the concept of DevSecOps was first introduced, we hoped it would be enough for organizations to understand the importance of security in the center of the DevOps process,” Shah said.
“With the scale of cloud adoption, Gartner predicts 70% of all enterprise workloads will be deployed in the cloud by 2023, up from 40% in 2020.
“There’s a critical need to shift further left to have security from the start of any DevOps effort — and throughout the application development life cycle. Maybe it should be known as SecDevOps to make sure that an organization’s security posture is integrated as early as possible –— to make sure that you are not deploying applications with vulnerabilities.
“In 2022, we will see widespread adoption of the shift-left approach, with organizations embedding security at inception of new applications and innovation and strategically embedded throughout their DevOps process.”
Ostrowski from AppDynamics underscored the importance of a DevSecOps approach, covering some of the sensitive data that has entered the cloud.
“Over the years, more sensitive data has made its way to the cloud, such as people’s bank accounts, patients’ health details, and highly sensitive government information,” Ostrowski said.
“Additionally, the pandemic forced people to find new ways of functioning online daily, from online banking and health care access to shopping and connecting with others. In fact, a recent AppDynamics survey found people use digital services 30% more during the pandemic than two years prior.
“With so many people opting for digital services and applications, the need for stronger and better security has grown exponentially, as massive amounts of data migrated from on-prem data centers to cloud-based or hybrid cloud environments.
“To address this massive digital transformation, DevOps and security teams can no longer function successfully in silos.”
More on silos in business technology: Why Data Democratization is Better Than Busting Down Silos
Cloud environments cannot be fully secured with traditional perimeter security, especially with the fluidity of data and users on this kind of infrastructure.
As more companies and cloud vendors recognize the volatility of traditional cybersecurity efforts, many are focusing on taking security down to the data level.
Trevor Morgan, product marketing manager at comforte, a data security solutions provider, explained the importance of data-centric cybersecurity in the cloud, particularly with data-level encryption efforts.
“Even though cloud architectures make the whole notion of perimeters a bit fuzzy, early cloud security was based on the same approach,” Morgan said.
“I think that most organizations now understand that with the increased attack surfaces that cloud creates, data security applied directly to sensitive information in the cloud is the only way truly to keep it safe.
“This does not mean that traditional border/perimeter security isn’t still viable — we simply cannot assume that plain text data should ever exist within a cloud environment. Keeping that data protected with data-centric security, such as tokenization and format-preserving encryption, is the fail-safe, or mitigating, mechanism in cloud security. Even if cloud resources are misconfigured or somehow the perimeters are breached, threat actors cannot leverage data they cannot read or understand.
“I think that next-generation data-centric security combined with more defensive postures, such as zero trust, which is a framework and methodology, not a standard, will keep businesses safer.”
Stephen Manley, CTO of Druva, a data resilience cloud provider, believes that data-level protections are especially important as companies move toward multicloud environments.
“In a multicloud environment, it is nearly impossible to defend the perimeter, so customers will invest more to protect what the attackers are trying to access — their data,” Manley said.
“Customers will explore technologies such as: data resiliency — to ensure that data will be automatically protected and recoverable, regardless of the attack; data classification — to identify the type and location of data throughout the organization, so they can minimize the risk to their most sensitive data; data access governance — to manage who and what can access data; [and] data access analysis — to monitor the patterns of who or what is accessing data.”
More on this topic: Data Security Trends
As many companies have ramped up their efforts for user-level cybersecurity, a growing number are holding their vendors accountable for security issues.
Mike O’Malley, SVP of SenecaGlobal, a software and technical advisory firm, believes companies are starting to focus on improving third-party ecosystems and user safeguards.
“One of the key trends we will continue to see into 2022 is that companies are more proactive about their cloud security postures, with a renewed focus on safeguarding third-party and ecosystem vulnerabilities,” O’Malley said.
“As remote work and virtual services pushed organizations to rapidly shift their operations to the cloud over the past two years, some have not been as diligent with regard to third-party access risk. As a result, their networks are exposed to security breaches.
“Organizations are finally realizing that cloud providers are focused on protecting the network infrastructure, but responsibility for securing the hosted data, IP, and applications falls on them.
“In the coming year, we expect to see organizations scrutinizing third-party remote access points and prioritizing security protection as part of their digital transformation efforts.”
Michael Sentonas, CTO at CrowdStrike, a top cybersecurity solutions provider, believes this pressure for improved security efforts is especially being applied to legacy vendors that haven’t necessarily kept up with cloud security needs.
“The year 2021 has been an especially challenging year for customer trust in legacy vendors,” Sentonas said. “This past year, we’ve seen vulnerability after vulnerability exposed, resulting in devastating attacks with no signs of stopping in 2022. For example, 63% of 2021 CrowdStrike ‘Global Security Attitude Survey’ respondents admitted their organization is losing trust in Microsoft, due to increasing attacks on trusted supply chain vendors.
“Zero-day vulnerabilities in particular will continue to drive legacy vendor security teams into patch panic mode, as they frantically try to react and respond to these threats. This will inevitably drive a larger wedge between legacy vendors and their customers, as the latter will look elsewhere for solutions that can keep them on the front foot in proactively defending against the latest threats.”
Read next: Top Cloud Security Companies & Solutions