Four Cloud Security Mega Trends

Last year was a big year for the cloud. Cloud adoption continued to grow at a rapid clip, even as executives from companies such as McDonald’s and ENEL talked about how their organizations are embracing a cloud-first approach to IT with an eye toward a cloud-only future. It was also a year of transition, as the customer base for AWS shifted toward large enterprises running their mission-critical workloads in the cloud.

As we experience firsthand many of these enterprises’ transitions into the public cloud, I share my views on where things are headed. Rather than writing about futuristic predictions about what to expect in 2017, I’m sharing my observations about broad sweeping trends that will continue to shape the direction of cloud security in the years to come.

1. Assimilation of Security Technologies into Cloud Platforms

The major cloud providers such as Amazon Web Services (AWS) and Microsoft Azure have invested heavily in their platforms’ security over the past few years to address customer concerns and earn their trust. The first wave of investment focused on foundational security and governance capabilities to enhance platform visibility, with features such as AWS CloudTrail and VPC flow logs as well as control capabilities such as Identity and Access Management (IAM).

Building on this firm foundation, the cloud providers (mostly AWS) are now turning to advanced security technologies. These technologies, which until recently were offered as dedicated products and services by third-party vendors, are now seamlessly assimilated into the cloud platform as integral features.

This disruption has already happened to a number of products in very focused, IP-heavy areas. A few examples:

  • Web Application Firewall (WAF) – First introduced as an advanced protection product in the 90s, WAF was offered as a native service by AWS at the end of 2015 and by Microsoft in Sep 2016
  • Amazon Inspector – A host security service for Linux and Windows workloads (GA on Aug 2016)
  • DDoS mitigation – Provided in Azure and now announced for AWS (AWS Shield)

We have seen this trend of standalone products becoming features of the underlying platform play out several times before. For example, technologies such as storage compression and WAN optimization were first introduced into the market as standalone products, but over time became features of the underlying storage and networking platforms. This integration of technologies is great for cloud consumers who will enjoy more integrated and affordable security services, but spells bad news for legacy security vendors who will find themselves being marginalized or directed into more focused niche markets.

2. A Multi-Cloud Future Becomes Real

Cloud consumers have always understood the value proposition of a multi-cloud strategy in principle. But for many years, multi-cloud was just a fluffy buzzword with low correlation to reality. The complexity and pain associated with managing different cloud environments were just too high compared to the benefits. There was also a lack of parity between different cloud services in terms of technological capabilities.

In recent years, multi-cloud environments are starting to become more common, either as a deliberate strategic decision by enterprises, or because of acquisitions, leadership changes, etc. So what’s changed to make multi-cloud environments more feasible?

  • Maturity of Cloud Service Offerings: AWS had a huge head start in the public cloud race. While still lagging in breadth and depth of features, Azure and Google Cloud Platform (GCP) have, as of end-2016, finally built solid offerings and filled the critical gaps. As an example, in 2016, Google added IAM and some other mandatory ‘enterprise’ features.
  • Advances in Container Technologies: Several years ago, Docker introduced containers as the building block that encapsulated a single compute unit, with the ability to run the same container image on the developer laptop, on the on-prem server and on any cloud. Since then we’ve seen fast progress in container orchestration technologies: Kubernetes, Mesosphere, Docker Swarm and the new Docker for AWS and Azure offering. These technologies deliver on the ‘write once run everywhere’ no-vendor lock-in promise and allow enterprises to maintain consistent workloads among different cloud providers.
  • Maturity of Third-Party Cloud-Agnostic Governance Tools: One of the challenges with adopting multi-cloud environments was the complexity of managing these different environments. Different clouds provide vastly different operational models for security, cost control, governance, etc. For example, the security model in AWS includes VPCs and Security Groups with unordered “allow” rules, while Azure offers Network Security Groups with ordered “allow” and “deny” rules but without group-to-group micro-segmentation capabilities. Companies had to learn how to use the specific constructs and tools provided by each of the clouds. But now, new cloud-native tools that offer enhanced governance in areas like cost management (for example, Cloudyn) and security and compliance (e.g., Dome9 Security) have added multi-cloud support, thus lowering the bar for enterprises to adopt a multi-cloud strategy. These tools use the native capabilities of each cloud, but combine them with cloud-agnostic orchestration that allows customers to specify policies once and manage everywhere.
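To make the difference between the two rule models concrete, here is an added example (not code from this article or from any vendor's product) that states one policy, "SSH must not be reachable from the internet", and evaluates it against both models. The rule sets, field names and function names are constructed for illustration and simplify the providers' real schemas.

```python
import ipaddress

# Constructed sample rule sets (simplified fields, not the providers' API schemas).
AWS_SG = [  # allow-only and unordered; anything unmatched is implicitly denied
    {"proto": "tcp", "ports": (443, 443), "cidr": "0.0.0.0/0"},
    {"proto": "tcp", "ports": (22, 22), "cidr": "10.0.0.0/8"},
]
AZURE_NSG = [  # evaluated by ascending priority number; the first match decides
    {"priority": 200, "action": "allow", "proto": "tcp", "ports": (0, 65535), "cidr": "0.0.0.0/0"},
    {"priority": 100, "action": "deny", "proto": "tcp", "ports": (22, 22), "cidr": "0.0.0.0/0"},
]

def _matches(rule, proto, port, src):
    lo, hi = rule["ports"]
    return (rule["proto"] in (proto, "*") and lo <= port <= hi
            and ipaddress.ip_address(src) in ipaddress.ip_network(rule["cidr"]))

def aws_sg_allows(rules, proto, port, src):
    """Security Group semantics: traffic passes if any allow rule matches."""
    return any(_matches(r, proto, port, src) for r in rules)

def azure_nsg_allows(rules, proto, port, src):
    """NSG semantics: walk rules in priority order and stop at the first match."""
    for r in sorted(rules, key=lambda r: r["priority"]):
        if _matches(r, proto, port, src):
            return r["action"] == "allow"
    return False  # simplification: default inbound deny for internet sources

def naive_any_allow(rules, proto, port, src):
    """Security Group logic misapplied to an NSG: ignores ordering and deny rules."""
    return any(r.get("action", "allow") == "allow" and _matches(r, proto, port, src)
               for r in rules)

def ssh_exposed(provider, rules, src="203.0.113.7"):
    """The policy, specified once; the evaluator is chosen per cloud."""
    evaluate = {"aws": aws_sg_allows, "azure": azure_nsg_allows}[provider]
    return evaluate(rules, "tcp", 22, src)
```

Against the sample NSG, `naive_any_allow` reports SSH as exposed because of the broad allow rule, while the order-aware evaluator sees that the priority-100 deny wins.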

3. Automation in Security, Compliance and Governance

IT governance and compliance management used to be a point-in-time process that companies engaged in periodically (once a quarter, once a year, etc.), but is now transitioning into a continuous process. The forces for this change come from both the ‘demand’ side (the need) and the ‘supply’ side (technological feasibility). On the demand side we can see the dynamic, elastic nature of new cloud environments, turbocharged by DevOps and continuous delivery (CD) practices. The new reality that your core production systems are now in the cloud and being deployed multiple times a day is a real change from the past. On the supply side we can see the technological enhancements that make continuous security, governance and compliance a reality:

  • With API-driven compute, most of the new cloud datacenter is ‘describe-able’ by API. Compare that with unreliable past data gathering methods (port scanning as an example).
  • This solid clean data is an enabler for proper monitoring, reasoning and even taking automated actions.
  • Improvements in cloud native auditing, notifications and event driven computing (like AWS Config, CloudTrail, CloudWatch Log events, Lambda) – lowering the technical bar for implementing continuous monitoring and even auto-remediation systems.
  • Proliferation of new companies and products that target continuous cloud security and compliance, enhancing the CSP’s capabilities and diversifying the ecosystem.
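As an added illustration of what ‘describe-able by API’ buys you (this is not code from the article or from any product), the check below walks a constructed sample shaped like an EC2 DescribeSecurityGroups response, flags admin ports open to the world, and builds the arguments an auto-remediation function could pass to RevokeSecurityGroupIngress. The group IDs, the `ADMIN_PORTS` policy and the function names are assumptions made for the example.

```python
# Constructed sample in the shape of an EC2 DescribeSecurityGroups response.
SAMPLE = {"SecurityGroups": [
    {"GroupId": "sg-0example1", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "10.0.0.0/8"}],
         "Ipv6Ranges": []}]},
    {"GroupId": "sg-0example2", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0example3", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "192.0.2.0/24"}], "Ipv6Ranges": []}]},
]}

ADMIN_PORTS = {22, 3389}        # assumed policy: no admin ports open to the world
WORLD = {"0.0.0.0/0", "::/0"}

def _covers_admin_port(perm):
    if perm["IpProtocol"] == "-1":   # all protocols; no port fields are present
        return True
    if perm["IpProtocol"] != "tcp":
        return False
    return any(perm["FromPort"] <= p <= perm["ToPort"] for p in ADMIN_PORTS)

def find_violations(response):
    """Return (group_id, minimal permission to revoke) per world-open admin rule."""
    out = []
    for sg in response["SecurityGroups"]:
        for perm in sg["IpPermissions"]:
            if not _covers_admin_port(perm):
                continue
            v4 = [r for r in perm.get("IpRanges", []) if r["CidrIp"] in WORLD]
            v6 = [r for r in perm.get("Ipv6Ranges", []) if r["CidrIpv6"] in WORLD]
            if not (v4 or v6):
                continue
            # Revoke only the world-open ranges; narrower ranges on the rule stay.
            revoke = {k: perm[k] for k in ("IpProtocol", "FromPort", "ToPort") if k in perm}
            if v4:
                revoke["IpRanges"] = v4
            if v6:
                revoke["Ipv6Ranges"] = v6
            out.append((sg["GroupId"], revoke))
    return out

def remediation_plan(response):
    """Keyword arguments for one RevokeSecurityGroupIngress call per violation."""
    return [{"GroupId": g, "IpPermissions": [p]} for g, p in find_violations(response)]
```

In a continuous setup the same function would run on each configuration-change event rather than on a quarterly schedule, with the plan either applied automatically or routed for approval.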

Still not sure?

To get a sense of future trends, take a look at how AWS is educating the industry. Here’s the list of the security sessions from last re:Invent:
Yes, almost 40% of the sessions had some sort of ‘automation’ in their title!

4. IAM Merges with Network and Host Security

The cloud of 2016 is very different from the cloud of 2006. Public IaaS clouds started out with just compute (virtual machines) and storage services, but now provide dozens of services. The line between IaaS and PaaS is blurring rapidly.

This means that a modern cloud datacenter does not look like an on-premises deployment. Instead, a typical application has a hybrid architecture that includes traditional virtual machines or instances as well as hosted, managed services such as databases, data warehouses, load-balancers, Lambda / FaaS and so on. Let’s compare 2006-style cloud deployment with a 2016-style deployment.

In the 2016 deployment, operations teams have only limited control over many of the building blocks of the application. From a security point of view, legacy network and host security tools are just not enough. For example, where would you install a security agent in a Lambda function? How do you get network visibility to the traffic between an API Gateway and a Lambda (serverless) backend?

To truly manage security in this brave new world, administrators need to complement network security with robust IAM management. IAM and cloud-native settings are becoming the logical glue and the main security policy to drive new cloud deployments. What is needed is a holistic approach to control, monitor, protect and govern in the cloud, which includes cloud configurations, IAM policies, cloud events and audit trails as well as traditional network and host-based security.

We are expecting to see this trend translated into cloud consumers’ practices (possibly breaking some internal silos) as well as into cloud-native security products.

By Roy Feintuch, Co-Founder / CTO, Dome9

Roy Feintuch

Roy is the Co-Founder & CTO of Dome9 Security. Since 2011, Roy has enabled some of the largest AWS deployments with enhanced network security and identity access management protection. A veteran technology leader, he has spent more than a decade managing R&D within various Israeli high-tech startups. Previously, he served as Chief Architect at DV-Tel, focusing in IT security management solutions and IP-video development, as well as a Captain (reserve) in the IDF C4I Corps. He received a B.Sc. in Mathematics and Computer Science at BGU University, Israel.
