Cloud security in 2022 – a hot topic with a lot of variables

09.02.2022

Cybersecurity is always a top priority in the IT industry. Yet, every now and then we get an event like the Log4j vulnerability. Such events show us that no matter how much work we do in improving cybersecurity, there’s always a lot more to do. And cloud security is no exception.

Enhanced security is a key selling point for cloud services. Customers expect their data to be better protected than it would be on their own premises. Cloud service providers (CSPs) have also put extra emphasis on security, and for 2022 they will have a lot to do: the list covers both continuous security improvements and better messaging and communication with their customers. Here are a few of the main cybersecurity tasks and challenges for the cloud industry for 2022.

Fixing miscommunication

A lot of cloud customers expect that once they move to such a service, maintenance and security will sort themselves out. While a lot of the heavy lifting is indeed handled by the service provider, users still have responsibilities. Fugue’s State of Cloud Security 2021 Report claims that 36% of companies suffered a serious cloud security leak or breach in the past year due to cloud misconfiguration. Also, Gartner predicts that by the end of 2023, about 99% of cloud security issues will be the customer’s fault. Again, the reason will be misconfiguration.

This means that no matter how good service providers make their cloud security, if customers aren’t careful, breaches will always happen. The good news is that these issues are preventable. It’s all down to how much effort customers are willing to put into taking care of their accounts and configuration. And they will. The only reason they don’t is that they aren’t well informed about the importance of proper configuration.

So, it’s up to CSPs to communicate better with their customers and help them out through better messaging and more information, along with clearing up some cloud myths.

One example is the myth that the cloud is simply a data center somewhere. The data center is only a single component of the entire cloud service, which also includes infrastructure, software and security. It’s a complex system and not simply a connection to the data center. In fact, the main benefit of cloud services is the infrastructure and software capabilities and APIs that customers can use and add.

Security is a team effort

And by that we don’t mean only the service provider’s team, but also the customers’. They should be working together to find potential issues and solve them. Customers shouldn’t wait and rely only on their provider’s security team to act. The provider’s team can’t cover all the vectors, especially when a customer is using the cloud to develop and deploy custom code and applications. This is where customers have to be proactive and do their security due diligence.

CSPs and their customers should know each other better. This means keeping the customer informed about current and future developments or issues. Customers should also remember that hackers are constantly evolving and improving their abilities. Automated attacks are now a daily occurrence, and they require an appropriate response.

Prevention is another key area. For far too long cybersecurity has been focused mostly on reacting to and looking for breaches. Prevention is looked at as covering a few bases and hoping for the best. Following proper security protocols and adapting them on a regular basis depending on the latest security discoveries is an important part of the overall security structure. Yes, it’s an involved process which can also mean more investment, but in the long run it will be a better expense than having to deal with a breach along with the indirect losses, reputation woes, and potential lost customers.

Focusing on new approaches

Speaking of keeping in touch with new developments, 2022 will have its fair share of interesting cloud security trends. One of them is the Cybersecurity Mesh.

Niel Harper, a chief information security officer and ISACA board director, told the SecurityIntelligence blog that the security mindset is changing. He commented, “The increase in remote access to on-premises data centers and cloud resources is driving the need for a flexible, composable architecture that integrates widely distributed and disparate security services”.

Enter the Cybersecurity Mesh. This is a new term which was coined by Gartner. They describe it as “a flexible, composable architecture that integrates widely distributed and disparate security services”.

Harper thinks of it as a concept rather than an actual technology or standard. “It suggests that organizations need to adopt a cybersecurity architecture to integrate security tools into a cooperative ecosystem to reduce the risk impact of individual security incidents. A mesh will use analytics and intelligence coupled with ‘meshed’ controls around identity, policy, posture and information/event visibility.”

If it sounds familiar, it’s basically what we already covered. Gartner expects that the cybersecurity mesh will allow businesses to ensure all their data, systems and devices receive equal treatment regardless of their location. It seems a bit surprising that this is not already a norm, but that’s the reality – a lot of companies have very… strange approaches to their own cybersecurity.

Gartner is optimistic and thinks that things will change. It envisions that by 2025 the cybersecurity mesh approach will reduce the financial impact of security incidents by 90% on average, which is a very brave expectation.

Standards are a good thing

People do like putting labels on everything, though sometimes this isn’t as good as we think it is. At other times it’s incredibly helpful. When it comes to cybersecurity, labels, i.e. standards, are a great thing.

Thanks to them, customers can easily identify if the service they are researching is right for them or not. It also gives them a good idea of any additional security measures they might need to add in order to achieve the level of protection they require. As you can imagine, creating, invoking, adopting and maintaining these standards is quite the task.

There are several organizations which govern standards. One of them is ISO (International Organization for Standardization). It develops standards for many systems, including for the cloud. Another one is the National Institute of Standards and Technology (NIST). There’s also the European Telecommunications Standards Institute (ETSI) and a lot more.

It is quite the challenge to receive certifications from these organizations. Candidates, including CSPs, must meet a lot of strict requirements and are then checked on a regular basis to confirm that they maintain them. If they don’t, they will be stripped of their certification.

And as there are so many out there, cloud providers have to pick the ones that reflect their goals and abilities the best. It can be a bit of a challenge to select which ones to become certified for, and this is where communication with (potential) customers is key; find out what they need and offer it to them.

What if you are said customer and aren’t sure? Again, talk with potential cloud service providers. See which certifications they are going for, and tell them what you need. They will be able to help you out in pinpointing your security goals.

If you need a bit of help with what to look for in cloud security in 2022, let’s check out some of the top trends.

Data-centric cybersecurity

You can’t approach cloud security the way you would the security of any other IT resource. The cloud is unique in that a plethora of different data and users all use the same infrastructure at the same time. Each has their fair share of specific needs and expectations, and as such, one security measure might be incredibly useful for a portion of these users, but it can disrupt the service for the rest.

So, finding the right balance is important and difficult. This is where data-centric cybersecurity can help. It’s meant to be applied on top of traditional security measures, not to replace them.

What is data-centric security? It includes approaches like zero-trust, taking advantage of multi-cloud environments and focusing on protecting the data, not the perimeters. It also means automation for protection and data recovery, reorganizing data according to type and location, continuous analytics for patterns and access.

DevSecOps

As more and more of the cloud becomes automated, security becomes key at the development stage. One mishap during coding can lead to a cascade of issues. DevSecOps makes security an integral part of the entire DevOps process. The goal is to have organizations integrate security features and protections at the earliest stage of their cloud apps and projects. It is also an easier way to merge best practices.

It’s an important step and somewhat ties in with the data-centric approach. Today, the cloud is home to very sensitive data, including health information, financial details, etc. As such, implementing security at the early development stage will be important for reinforcing protections for users.

Cloud-native security

This approach means taking advantage of the cloud features and services for security reasons, such as developing individualized, flexible, easy-to-integrate security features and solutions for cloud customers. Aqua Security claims that this approach has been tested on a small scale by many organizations, and in 2022 it is ready to scale up!

Potential benefits are consistent security improvements for the entire cloud environment and for the customers’ data and applications. The market demand focuses mostly on complete solutions, so vendors will adapt to that reality with consolidation, joint projects and new services.

Mind the third parties

SenecaGlobal says that in 2022 companies will become even more proactive about their “cloud security postures”. This will include increased attention to third-party and vendor vulnerabilities. The company says that in 2022, cloud customers will start to be more and more proactive about their part in securing their data and apps.

As such, they will expect more from their third-party partners and vendors. For example, 63% of 2021 CrowdStrike ‘Global Security Attitude Survey’ respondents admitted their organization is losing trust in Microsoft, due to increasing attacks on trusted supply chain vendors. This means that organizations will expect more visible effort from everyone they work with, including cloud service providers.

Analysts expect a greater wedge between legacy vendors and customers with the latter looking for new solutions. This will open new opportunities for smaller cloud vendors and will put pressure on the industry to drive security developments further. So, 2022 will definitely be a very interesting year for the cloud and its security and we should (hopefully) all benefit from that.
