Cloud Security Predictions for 2018

Considering it’s the season for annual predictions, I asked a few of the leaders and experts at vArmour to tell us what they think 2018 will bring. Since we spend our time at vArmour helping our customers secure their clouds and hybrid clouds – probably the intersection of the two most dynamic areas of IT, with far-reaching implications for business and society – our experts have tremendous insight into the evolving cloud security market.

Prediction 1: On the Software Defined movement (SDDC, SDNs etc.) 

Public clouds have transformed the way we operate IT but also the way that society and business operate, from cloud-based social media and content offerings to digitalization of virtually every business sector. Attempts at moving Enterprise technology, i.e., the systems companies run within their own datacenters, to software and API-driven models have been less successful. I was incredibly excited about the early days of the SDN movement, the opportunity for us to allow customers to program networks according to their application’s requirements and to also simplify some of the arcane complexities of networking.

However, the SDN 1.0 solutions which have emerged over the past decade haven’t lived up to the promise of SDN: 

  • At best, they expose low level network configurations via APIs (group-based access lists when it comes to basic security, and complex service chaining once slightly more capable security controls are required)
  • Often they require the management of 2 disjoint network layers (the overlay and underlay) which increases operational complexity.
  • The additional ‘layering’ was not offset by a corresponding reduction in complexity within the new stack. SDN 1.0 effectively replaced a complex distributed hardware model with an equally complex software model, which also required new skillsets within the infrastructure teams.
  • Sometimes they are just a re-hash of the old proprietary hardware stacks with a locked-in centralized management plane. 

In short, Software Defined Networks 1.0 have become another way of delivering networks with an API, rather than exposing network services to the application DevOps team or reducing the complexity of infrastructure.

In the next year, we will begin to see the emergence of the Application Controller – a function which will address the early promises of SDN and SDDC. The application controller will establish an understanding of the dependencies and constraints associated with runtime applications, and offer an interface to application and security owners in their own language that will allow them to define their intent and remove the infrastructure complexity from decisions. In this way, we will finally approach the holy grail of ‘Self Service’ for customers of enterprise IT and cloud providers. 

We will begin to call this simpler, environmentally agnostic architecture SDN 2.0.

Prediction 2: On Cloud Attack Surfaces

Cloud and automation, particularly in PaaS, container, and serverless environments, expose a tremendous ‘control plane’ attack surface of agents, controllers, and APIs. As demonstrated at last year’s DefCon conference, we will begin to see attacks on this cloud ‘underbelly’ as a vector for attacking the data and applications being served. Careful hardening and monitoring of these new attack surfaces is going to become crucial.

Until now, the container security space has largely been a collection of vertical specialist companies providing security exclusively for container and microservices environments. We are hearing from our customers that they aren’t comfortable deploying unique security solutions for their container environments, particularly since many of the challenges apply to all areas of the hybrid cloud – for example, software executable integrity and authenticity, segmentation, access control, application analytics. Vendors offering ‘best of breed’ services across all environments of the hybrid cloud will prevail as they cover the entire enterprise and application attack surface and also remove the complexity of niche solutions for specific environments.

The intersection of cloud and security is an incredibly important and exciting area. While cloud provides many new security benefits, it also exposes new attack surfaces, and as we develop mechanisms for understanding applications better (and I didn’t even mention ML or AI once!), we approach the promise of application self-service and intent-based IT in reality, rather than just in marketing hype.

Prediction 3: On IoT Attack Surfaces
From Seth Chromick, Lead Application Security Architect

“I suspect 2018 will be the year the pervasiveness of IoT inside banks gets abused by organized attackers to inflict financial loss at a level we haven't seen before. Network defenders are always playing a game with unfair rules, but in the context of IoT, the attackers are far ahead, having already used IoT against the public and businesses in many forms.  

Studies of the financial industry show an average of $100M a year is spent on using IoT devices for everything from customer experience and monitoring, to every step of the organization's internal supply chain. The capabilities IoT brings to this industry are numerous, but as they get better at shoring up the traditional defenses around the traditional network perimeter, IoT makes the poorly understood internal network even more complex. The individual businesses can only maintain an even playing field if they see their network in the same way an attacker does, where everything has a computer in it that could provide a path inside. The financial industry as a whole will need to continue to evolve the security standards being implemented today to assume IoT is now a standard part of that ecosystem.”

Prediction 4: On Regulation and Compliance
From Mark Weatherford, Chief Cybersecurity Strategist and former First Deputy Under Secretary for Cybersecurity at DHS

"Most companies are not appropriately incentivized economically to invest in the necessary security controls required for adequate risk reduction. So while it’s readily understood that compliance does not equal security, an oft-repeated axiom is that companies don’t buy security but they do buy compliance. This has resulted in increasing calls for regulation and compliance that address concerns about the protection of personal information being managed by both public and private sector organizations. From GDPR in Europe, to New York’s recent Department of Financial Services (DFS) regulations, it’s obvious that governments are serious about playing a larger role in establishing better security. There are currently 184 bills, resolutions and amendments in the US Congress dealing in some form or fashion with cybersecurity. 2018 will see an increasing urgency and commitment by federal, state, and local governments to enact legislation that raises the bar for investment in appropriate security controls that both protect citizen personal information and safeguard the critical infrastructures that our society depends upon."

I hope you enjoyed reading about our predictions for 2018. If you have your own, please share with us on Twitter at @varmournetworks. 

Happy holidays and I hope everyone has a prosperous and secure New Year!

Marc Woolward, vArmour CTO