InfoSec-Specific Executive Development for
CISOs and Aspiring Security Leaders.
Live Faculty-led instruction and interactive
labs to build you and your team's InfoSec skills
Cloud native security platforms (CNSPs) and the secure access service edge (SASE), both saw increased levels of investment from a combination of acquisitions and customer demand in 2020.
SASE saw the largest boost, thanks to stay-at-home orders due to the COVID-19 pandemic. Organizations that typically had 5 percent of their workforce remote, went to 95 percent in a week. Most found their aging remote access infrastructures simply could
not scale to handle the demand, and SASE became the way to quickly scale, gain visibility and apply consistent controls, no matter the location of their users.
As information security teams move into 2021, we see new cloud security trends on the horizon fueled by a COVID-19-inspired cloud binge. In this piece, we bring you up to date on the current state of cloud threats, peer into what to expect from cloud security in 2021 and offer
a structured approach for tackling cloud security in an ever-changing landscape.
At the root of all cloud security challenges are two concerns:
SASE mostly addresses the first concern and CNSP mostly addresses the second. However, neither are a panacea for the underlying issue of cloud complexity.
If you hoped cloud might go away, COVID-19 was your undoing. In a 2020 study conducted right at the beginning phases of the pandemic,
enterprises reported being at nearly the halfway mark in their journey to the cloud. At the time of the report, organizations ran 46 percent of their workloads in the cloud and expected to get to 64 percent in the next two years (this was prior to
the COVID-19 cloud surge). Consider the findings from Synergy Research Group that estimate enterprises
spent $65 billion on cloud infrastructure services in the third quarter of 2020, an increase of 28 percent from the same quarter in 2019 (see Figure 1).
Complexity Equals Misconfigurations
This rapid uptick in demand for cloud services quickly led to increased security incidents, with 70 percent of enterprises running workloads in the cloud experiencing one, according to Sophos’ State of Cloud Security 2020 report. Why is this? Because we had cloud complexity and velocity without adequate automated process and controls across the development pipeline. The same report
found cloud complexity and velocity led to 66 percent of organizations leaving services misconfigured, and misconfigurations lead to breaches.
To solve the cloud complexity challenge, it is critical security programs holistically address both sides of the coin: securing access to the cloud and securing the workloads/data in the cloud.
Start the process by developing a one-page cloud security strategy. The problem set between these two areas of cloud security is very diverse. It is important to complete a gap analysis before jumping into technology and vendors. The gap analysis helps
flesh out control gaps, as well as use and abuse cases. These can then in turn be used to drive vendor requirements and any resulting proofs of concept (PoCs) or proofs of value (PoVs) that might ensue.
This is about ensuring your user access resources both on-premises and in the cloud in a consistently secure manner. Here’s where SASE comes in. For the uninitiated, SASE represents the convergence of network-as-a-service and network security-as-a-service
into one platform delivered from the cloud (not a hardware appliance). If you take the alphabet soup of firewalls, virtual private networks (VPNs), network data loss prevention (DLP), cloud access security brokers (CASBs), software-defined wide-area
networking (SD-WAN), cloud secure web gateways (SWGs), etc., and deliver them all from the cloud, that’s SASE.
When approaching this side of the challenge, be mindful of impacts on other teams, such as networking. Because this is a convergence technology, part of your gap analysis should involve the development of a responsible-accountable-consulted-informed (RACI)
matrix. This helps sort out who is going to own what and ensures your gap analysis includes feedback from key stakeholders. If you attempt to address security to the cloud without addressing this first, you may end up with a solution that meets the
needs of one team while ignoring those of another. That can result in the realized value of SASE being far lower than anticipated, due to point products needing to be brought in later, or the lifespan of costly legacy products being extended to fill
Palo Alto Networks Prisma Access and Zscaler Internet Access (ZIA) are top-of-mind in the market. Innovation has mainly come in the form of acquisitions. In 2020, Palo Alto acquired SD-WAN provider CloudGenix and Zscaler broadened its appeal by acquiring
Cloudneeti, a cloud security posture management (CSPM) company focused on infrastructure- and platform-as-a-service (IaaS/PaaS) security. A newer entrant to the space is Netskope.
When choosing among SASE vendors, organizations should:
This is where automation and development pipelines come into clearer focus (although this is less so with SaaS since the provider manages the code base and you as the customer are left largely managing configurations and identity permissions). Complexity
is perhaps at its greatest with IaaS/PaaS, since customers must do the heaviest lifting. In fact, complexity has risen to the point where industry groups such as the Open Networking User Group are pressuring cloud providers to standardize how they
As before, it is critical to complete a RACI. In all three cloud models, you as the customer are giving up differing levels of control, but never accountability. The RACI is important because the responsibility for security is likely going to be split
across multiple different teams including networking, security, DevOps and IT.
When approaching this problem set, consider splitting it into two separate domains:
Two vendors in the CNSP space include CloudGuard from Check Point, Aqua Security and Prisma Cloud from Palo Alto Networks. To make a product decision, as before, start by looking at what you already own. You may already have Check Point or Palo Alto gear
in your environment. Investigate how you might be able to leverage existing enterprise license agreements (ELAs) to get competitive on costs. While cost should not be your primary driver in product selection, reduced complexity should be.
When looking to secure IaaS/PaaS platforms, be sure to include the configuration of the cloud itself as well as the workloads and data running inside it.
When evaluating CNSP vendors, it’s also important to focus on:
A new market that emerged in 2020 was SaaS security posture management or SSPM. This new crew of startups (e.g., AppOmni, Obsidian and Adaptive Shield) aim to secure the configuration of popular SaaS platforms such as Microsoft 365, Salesforce and Box,
to name a few.
SaaS security issues run the gamut from failure to enable multifactor authentication (MFA) to overly permissive sharing for external users. This new group of companies takes an API-based approach (no agents, because that is not possible with SaaS) to
add visibility and remediation into the configuration of SaaS platforms.
Due to the early nature of this market and overlap with some existing CASB capabilities, we expect to see some consolidation in 2021.
As we peer into 2021, the current trends will continue to intensify. The shift to cloud is only going to increase. COVID-19 has assured this, with a combination of work-from-home for the foreseeable future (a widely available vaccine will bring some back
to work, but it will not go back to what it was) and data centers continuing to go by the wayside.
In the SASE space, expect to see new players emerge, but rather the existing players will continue to augment their positions with smaller acquisitions and expanded capabilities, such as DLP.
In the CNSP (IaaS/PaaS) space, expect further consolidation via acquisitions and the smallest of players dying on the vine. When it comes to securing IaC, the market is still very young, and some current players already have capabilities in this area.
In the SSPM space, while it is still very new, SSPM vendors will seek to differentiate themselves in two ways: the number of SaaS platforms they support and the depth of capabilities in each.
Innovation brings complexity, and this is precisely why the cloud security market is so fragmented. Despite cloud being around for over a decade, in the world of computing, it is still very new and changing rapidly. A general best practice for cloud security is to try and be as proactive as possible.
Develop a one-page cloud security strategy. This is not a technical document, but rather a casting of your vision of what cloud security means in your organization. Be sure to include people, process and technology.
Become the cloud champion. If your organization is one of the laggards that has yet to make a major move, you as the security practitioner are in a unique position. You can get ahead of the business to help it stay competitive. Work closely with the CIO
to get a fix on when the move to cloud is coming. Even if the dates are murky, take the time to carve out a project that will create security guardrails in each of the major cloud providers. Doing this now will save major headaches later, and CNSPs
will aid greatly in this effort.
Get SASE. If you managed to get through the pandemic with your aging remote access infrastructure, good for you. 2021 is the year to deeply assess potential cost savings as well as reduced operational complexity when it comes to managing multiple different
sets of technologies such as SWG, CASB and SD-WAN. SASE is your path to doing this, while enabling you to apply consistent security controls no matter the location of your users.
Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.
May 19, 2022
By IANS Faculty
Understand potential security risks for executives on social media. Find information on attack trends and guidelines to help identify potential attacks and keep both social media accounts and the organization secure.
May 17, 2022
Learn how to make progress with zero trust, including common zero trust use cases, success stories, tooling guidance and tips for effectiveness.
May 12, 2022
Gain an understanding of the role executives play in incident response (IR). Find guidance on key actions to take before, during and after a security incident.