The Five Themes Cybersecurity Startups Are Tackling in 2021
One year into the COVID pandemic, it has become cliché to say that we have compressed years of corporate digital transformation into the span of just a few quarters. What started as a scramble to ensure that employees could work from home has turned into a simultaneous acceleration of cloud adoption, explosion of ecommerce, rethinking of software development approaches, and significant investment in data science. Even without the pandemic, the past year would have been an explosive one for cybersecurity, with major hacks of SolarWinds and Microsoft Exchange exposing just how vulnerable corporations and governments are to sophisticated state-sponsored attacks.
Amidst this chaos, CISOs need to dramatically rethink their defense posture and how they approach protecting their organizations. Underlying the changes are two key shifts that are reshaping the cybersecurity landscape:
- New IT environments — the adoption of multi-cloud architecture and a proliferation of devices mean that endpoints have multiplied and the “perimeter” can look quite blurry
- New approaches to security — thinking about how to integrate security practices into the DevOps lifecycle, treating data as something that must be guarded the same as devices or applications, and expanding the notion of identity and access management to encompass all of the above changes
This March marked the 15-year anniversary of Amazon Web Services, which arguably kickstarted the modern era of cloud computing. Yet, it feels like we are still in the early innings of cloud adoption for enterprise workloads at legacy companies, even after the coronavirus pandemic seems to have compressed years of digital transformation into a few months’ time. Perhaps unsurprisingly, the adoption of modern cybersecurity postures in most organizations has not kept pace with overall cloud adoption. This creates a critical vulnerability, because the shift to cloud-based architecture has left the traditional notions of perimeter and point security utterly obsolete.
The first problem that cloud architecture has created from a security perspective is the complete dissociation between the notion of an IT asset and a physical asset. It is no longer enough to have a running tally of servers and desktops/laptops that might exist within an org with an understanding of the network topology connecting them. Today, the list of assets needs to include a wide range of VMs, containers, and serverless functions scattered across a variety of on-prem servers and cloud providers, each with unique security needs.
The cybersecurity gaps that have resulted from the shift to cloud infrastructure have become even more pronounced due to the concurrent adoption of DevOps practices. As resource provisioning experiences a “shift left” from IT to engineers, and we see greater adoption of Infrastructure-as-Code, a company’s traditional IT and security organizations become even more disconnected from the environments that they are supposed to be managing and protecting. In most cases, a company’s CISO and cybersecurity teams are still more tied to the IT organization than to developers, creating a critical gap in understanding of what needs to be secured and how, and adding friction to remediation processes.
Concurrently with the shift to cloud infrastructure, the shift from monolithic software to meshes of microservices and serverless functions has created additional complexity for safeguarding applications and data as they are passed around through API calls. The number of points of vulnerability for any given application has multiplied, and the speed and flexibility of this software architecture have come at the cost of overall security.
Proliferation of Devices
Somewhat paradoxically, at the same time that companies are attempting to replace many of their legacy on-prem systems with abstracted cloud offerings, they are also attempting to bring thousands of new physical devices into their networked environments for the first time. While adoption of enterprise Internet of Things might be happening at a somewhat slower pace than the fantastical predictions of a few years ago, it nonetheless is progressing in all sectors of the economy and presenting problems of device visibility, access control, and endpoint protection.
What has quickly become obvious is that there are very few “one size fits all” solutions for enterprise IoT security. In particular, the industrial, medical, and automotive sectors have all emerged as distinct sub-verticals requiring specialized approaches.
The industrial environment has emerged as an especially complex cybersecurity challenge. While many new IoT devices have been designed for interoperability with traditional IT systems, that is not the case for legacy Operational Technology (OT) systems and devices. These items traditionally sat disconnected from a company’s IT environment. However, the trends of greater automation and real-time process visibility are requiring OT resources to be not only connected to a company’s IT environment, but increasingly to also form part of a new web of converged IT/OT computing resources at the edge.
The increasing overlap between IT systems and OT systems is where we start to see the risk from cyberattacks cross over from mostly financial (ransomware, identity theft, data/IP loss, etc.) to the physical and potentially life-threatening. A decade ago, the Stuxnet worm targeting programmable logic controllers was used to destroy industrial machines involved in Iran’s nuclear weapons program.
In addition to securing the devices that operate in their internal environment, more and more companies need to think about how they ensure security on the devices that they are selling to their own customers. In industries ranging from automotive to medical devices to smart homes, more and more connected devices are creating more points of vulnerability for end users who may not consider themselves responsible for securing these devices.
Historically, cybersecurity has been viewed as an add-on to application deployment — something that IT departments worried about after the fact. It traditionally has not been a significant concern in the development lifecycle except for standard QA checks and patching vulnerabilities in later release cycles. However, in the modern world of continuous delivery of applications and microservices, that “post-deployment” security thinking is no longer good enough.
DevSecOps is a movement towards integrating good security practices throughout the entire software development lifecycle, in parallel with other DevOps practices. In the context of traditional cybersecurity activities, this means shifting more responsibility onto development teams for ensuring proper provisioning, configuration, and protection for the resources that they create and manage, particularly in the cloud.
However, DevSecOps also aims to embed security much earlier into the software development process than the deployment phase. The recent SolarWinds hack exposed the security vulnerabilities that exist throughout the software supply chain. As developers increasingly rely on third-party dependencies, constantly changing code-bases, and splintered repositories, it becomes more crucial to have security checks and verifications embedded in each of those tools.
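As an added illustration of the kind of check that can be embedded in the build tooling (example code written for this page, not from the article or any vendor it mentions), the gate below refuses to proceed unless every dependency is pinned to an exact version and the artifact fetched for it matches a recorded SHA-256 digest. The lockfile syntax mirrors pip's `--hash` convention; the package names, artifact bytes and digests are constructed for the demo.

```python
"""Added example (not from the article): a CI-style supply-chain gate that
only accepts dependencies pinned to an exact version AND accompanied by a
SHA-256 hash that matches the bytes actually downloaded. Package names,
artifact bytes and the lockfile below are constructed for the demo."""
import hashlib
import re
from dataclasses import dataclass

# One lockfile line: "<name>==<version> --hash=sha256:<64 hex>" (one or more hashes).
LOCK_LINE = re.compile(
    r"^(?P<name>[A-Za-z0-9_.-]+)==(?P<version>\S+)"
    r"(?P<hashes>(?:\s+--hash=sha256:[0-9a-f]{64})*)\s*$"
)


@dataclass(frozen=True)
class Requirement:
    name: str
    version: str
    hashes: frozenset  # set of acceptable sha256 hex digests


def parse_lockfile(text):
    """Parse a lockfile; raise ValueError on any line that is not an exact pin
    with at least one sha256 hash, so a loose spec never slips through."""
    reqs = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments / blank lines
        if not line:
            continue
        m = LOCK_LINE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not an exact pin with sha256 hashes: {raw!r}")
        digests = frozenset(re.findall(r"sha256:([0-9a-f]{64})", m.group("hashes")))
        if not digests:
            raise ValueError(f"line {lineno}: {m.group('name')} has no --hash entries")
        reqs.append(Requirement(m.group("name"), m.group("version"), digests))
    return reqs


def verify_artifacts(reqs, artifacts):
    """artifacts maps package name -> bytes fetched from the index.
    Returns {name: 'ok' | human-readable failure reason}."""
    results = {}
    for req in reqs:
        data = artifacts.get(req.name)
        if data is None:
            results[req.name] = "missing artifact"
            continue
        digest = hashlib.sha256(data).hexdigest()
        results[req.name] = "ok" if digest in req.hashes else f"hash mismatch ({digest[:12]}...)"
    return results


def gate(lock_text, artifacts):
    """Return (passed, per-package results); passed is True only if every
    pinned dependency's artifact matches one of its recorded hashes."""
    results = verify_artifacts(parse_lockfile(lock_text), artifacts)
    return all(v == "ok" for v in results.values()), results


# Constructed sample data: two fake packages and a lockfile generated from them.
GOOD_ARTIFACTS = {
    "netlib": b"constructed wheel bytes for netlib 2.0.1",
    "jsonfmt": b"constructed wheel bytes for jsonfmt 1.4.0",
}


def _sha256(data):
    return hashlib.sha256(data).hexdigest()


SAMPLE_LOCK = f"""# constructed lockfile for the demo
netlib==2.0.1 --hash=sha256:{_sha256(GOOD_ARTIFACTS['netlib'])}
jsonfmt==1.4.0 --hash=sha256:{_sha256(GOOD_ARTIFACTS['jsonfmt'])}
"""

# Same lockfile, but the index served different bytes for one package.
TAMPERED_ARTIFACTS = dict(GOOD_ARTIFACTS, jsonfmt=b"constructed bytes that do not match the pin")

if __name__ == "__main__":
    print(gate(SAMPLE_LOCK, GOOD_ARTIFACTS))      # (True, {...'ok'...})
    print(gate(SAMPLE_LOCK, TAMPERED_ARTIFACTS))  # (False, {... 'hash mismatch' ...})
```

The useful property is that the decision depends only on bytes and the committed lockfile, so a swapped artifact, a changed upstream release under the same version number, or a loosely specified range all fail the same gate before anything is installed.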
The adoption of DevSecOps is not just about implementing new software tools. It requires a fundamental shift in the processes and culture within an organization. For this reason, the big outstanding question with DevSecOps is the extent to which developers will embrace it. We’re currently going through a software development evolution where multiple tasks are simultaneously “shifting left” and placing more responsibility onto the developer. But without proper incentives in place, developers will naturally push back against these activities, limiting their effectiveness.
Over the past few decades, we have seen cybersecurity extend across every permutation and layer of hardware and software — from networks, to infrastructure, to applications. While all of these areas continue to evolve in response to the trends noted above, enterprises have begun to realize that the latest frontier is to protect data itself.
We’re currently seeing corporations struggle with five main challenges around data security:
- Data discovery & cataloging — As the number of data lakes, data warehouses, SaaS applications, and devices all explode across an organization, companies are struggling more than ever to identify where sensitive data might sit, let alone what it contains and who has the rights to use it.
- Monitoring & visibility — Traditional cybersecurity monitoring was designed for the world of physical assets and software applications, not data. As the notion of DataOps is emerging for data science & engineering applications, it will need to cross over into the realm of security as well.
- Regulatory complexity — As concerns about privacy abound, a new alphabet soup (GDPR, CCPA, HIPAA, SOC2, etc.) of regulations and compliance standards has emerged, creating a patchwork of data security requirements that might not be uniform across an organization.
- Conflicting priorities — Data has proliferated because people want to use it! There is an inherent trade-off between data security and the ease of use & performance of that data that companies need to be cognizant of in order to balance the ROI of data against the risks of data loss.
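To make the discovery and cataloging challenge concrete, here is an added example (written for this page, not from the article) of the simplest useful form of a data-discovery scan: profile each column of an export, decide which columns actually carry sensitive values, and emit a catalog entry with a classification. The detectors are regular expressions plus a Luhn check so that arbitrary digit strings are not catalogued as payment cards; the records, column names and the `min_ratio` threshold are constructed for the demo.

```python
"""Added example (not from the article): a minimal data-discovery scan that
profiles the columns of a constructed export, tags the ones that carry
sensitive values and classifies them. Detection is regex-based plus a Luhn
check; everything below (records, thresholds, labels) is made up for the demo."""
import re
from collections import defaultdict

EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$")
US_SSN = re.compile(r"^\d{3}-\d{2}-\d{4}$")
CARD = re.compile(r"^(?:\d[ -]?){13,19}$")  # 13-19 digits with optional separators

# Classification ladder used when a column carries more than one type.
ORDER = ["public", "confidential", "restricted"]
SEVERITY = {"email": "confidential", "us_ssn": "restricted", "payment_card": "restricted"}


def luhn_ok(number):
    """Luhn checksum over the digits of `number`; filters random digit runs."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify_value(value):
    """Return the sensitive-data type a single cell looks like, or None."""
    v = str(value).strip()
    if EMAIL.match(v):
        return "email"
    if US_SSN.match(v):
        return "us_ssn"
    if CARD.match(v) and luhn_ok(v):
        return "payment_card"
    return None


def build_catalog(rows, min_ratio=0.5):
    """rows: list of dicts, one per record. A column is tagged with a type when
    at least `min_ratio` of its non-empty values match that type, so a stray
    e-mail pasted into a free-text column does not reclassify the whole column."""
    hits = defaultdict(lambda: defaultdict(int))
    nonempty = defaultdict(int)
    for row in rows:
        for col, val in row.items():
            if val in (None, ""):
                continue
            nonempty[col] += 1
            kind = classify_value(val)
            if kind:
                hits[col][kind] += 1
    catalog = {}
    for col, seen in nonempty.items():
        tags = sorted(k for k, n in hits[col].items() if n / seen >= min_ratio)
        level = max((SEVERITY[t] for t in tags), key=ORDER.index, default="public")
        catalog[col] = {"tags": tags, "classification": level, "values_seen": seen}
    return catalog


# Constructed sample export (the card numbers are the standard test numbers).
SAMPLE_ROWS = [
    {"customer_id": "c-1001", "contact": "ana@example.com", "notes": "called re: invoice",
     "tax_id": "123-45-6789", "card_on_file": "4111 1111 1111 1111"},
    {"customer_id": "c-1002", "contact": "ben@example.org", "notes": "ref 4111 1111 1111 1112",
     "tax_id": "987-65-4320", "card_on_file": "4111 1111 1111 1112"},   # fails Luhn
    {"customer_id": "c-1003", "contact": "n/a", "notes": "",
     "tax_id": "", "card_on_file": "5500 0000 0000 0004"},
]

if __name__ == "__main__":
    for col, entry in build_catalog(SAMPLE_ROWS).items():
        print(f"{col:14} {entry['classification']:13} {entry['tags']}")
```

The output of a scan like this is the input to the other items on the list: the catalog says where restricted data sits, monitoring can be scoped to those columns, and the regulatory mapping (which regime applies to which tag) can be attached to the same entries rather than rediscovered per team.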
In addition to these challenges and the resultant implications for what an ideal data security stack should look like, there is also an ongoing debate inside organizations about who “owns” data security. When thought of as an extension to classical cybersecurity approaches, it would make sense for the CISO to be the ultimate owner of data security. However, as regulations have proliferated, many companies have created Chief Privacy Officer roles or equivalents, often sitting in the General Counsel’s office or as part of a broader compliance org. This has sometimes resulted in split responsibilities and budgets, making the overall procurement process more complicated than that for other parts of the cybersecurity toolbox.
Identity & Access Management (IAM)
While all of the above themes have added new layers of security to a company’s defense posture, the question remains: who is actually allowed through to access the underlying systems? As environments spread across clouds and new devices, traditional approaches to identity and access management have failed to keep up with the increasing complexity of systems and determining who counts as a legitimate user.
Typically, we would think of identity as being tied to combinations of specific people and devices, all of which exist inside a company’s environment. These types of identities have continued to proliferate over time. However, today’s users are no longer just a company’s own employees, but also contractors, vendors, partners, and customers who might all have some access to critical systems. Likewise, each user might have a laptop, a phone, and a tablet all provisioned by their employer, but might also be occasionally trying to access corporate resources from their own personal devices when necessary. Managing a source of truth for identities in this environment can be daunting, let alone applying consistent policies and privileges that minimize exposure while not interfering with legitimate access requests.
At the same time that identities have proliferated and fragmented, the traditional notion of the perimeter has dissolved, making access control a more complicated problem. It’s hard to design a gate when you don’t know where the wall is! The idea of accessing corporate systems via VPN connections feels stale in an always-connected cloud and SaaS world, and even the first generation of Cloud Access Security Broker (CASB) solutions is already being challenged by new entrants. Meanwhile, newer access tools are experimenting with Zero-Trust concepts and Secure Access Service Edge (SASE) in an attempt to find access solutions that can be applied in more varied environments.
In addition to the increasing complexity surrounding people and devices as users, there is an increasing shift towards the recognition that software itself can be a user, complete with its own identity and needed privileges. As more software systems are linked via custom integrations or APIs, and applications themselves shift to microservices architecture, the number of requests for access to systems and data by software is growing exponentially. Moreover, as developers increasingly leverage third-party services to speed development, these services become an integral and inseparable part of a company’s own applications. Misapplied policies can derail availability or expose data that might not initially appear to be leaving a company’s internal environment. IAM tools have to account for this shift in the definition of a user in order to remain relevant.
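The following added example (written for this page, not from the article) shows what treating software as a user looks like at the policy layer: every caller, whether a person, an internal service or a third-party integration, has its own identity and an explicit, deny-by-default set of grants, and an audit pass flags the two misapplications the paragraph warns about, wildcard grants and third-party identities that can reach restricted data. The principal names, resource paths and policy table are all constructed.

```python
"""Added example (not from the article): deny-by-default authorization in which
internal services and third-party integrations are first-class principals with
their own grants, plus an audit that flags over-broad or risky grants.
Principals, resource paths and the policy table are constructed for the demo."""
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Grant:
    principal: str          # "user:<name>", "svc:<service>", or "tp:<third party>"
    actions: frozenset      # e.g. {"read"}; "*" means any action
    resource_pattern: str   # glob over resource paths, e.g. "data/orders/*"


def authorize(policy, principal_id, action, resource):
    """Return (allowed, reason). Nothing is allowed unless a grant for this exact
    principal covers both the action and the resource."""
    for g in policy:
        if g.principal != principal_id:
            continue
        if action not in g.actions and "*" not in g.actions:
            continue
        if fnmatchcase(resource, g.resource_pattern):
            return True, f"grant on {g.resource_pattern} ({'/'.join(sorted(g.actions))})"
    return False, "no matching grant (default deny)"


def audit(policy, restricted_resources):
    """Flag grants a reviewer would want to look at:
    - wildcard action or wildcard resource (least privilege violated outright)
    - a third-party ('tp:') principal whose pattern reaches a restricted resource,
      i.e. data leaving the environment through an integration."""
    findings = []
    for g in policy:
        if "*" in g.actions or g.resource_pattern == "*":
            findings.append((g.principal, "wildcard grant"))
        if g.principal.startswith("tp:"):
            exposed = [r for r in restricted_resources if fnmatchcase(r, g.resource_pattern)]
            if exposed:
                findings.append((g.principal, f"third party can reach restricted: {exposed}"))
    return findings


# Constructed policy table and the resources a data catalog marked restricted.
POLICY = [
    Grant("svc:billing-worker", frozenset({"read", "write"}), "data/orders/*"),
    Grant("tp:analytics-vendor", frozenset({"read"}), "data/orders/*"),
    Grant("tp:support-saas", frozenset({"read"}), "data/*"),        # too broad for a vendor
    Grant("user:ana", frozenset({"read"}), "data/customers/*"),
    Grant("svc:legacy-cron", frozenset({"*"}), "*"),                # classic over-broad grant
]
RESTRICTED = ["data/customers/pii", "data/hr/payroll"]

if __name__ == "__main__":
    for who, act, res in [
        ("tp:analytics-vendor", "read", "data/orders/2021-03"),
        ("tp:analytics-vendor", "write", "data/orders/2021-03"),
        ("tp:analytics-vendor", "read", "data/customers/pii"),
        ("svc:unknown-sidecar", "read", "data/orders/2021-03"),
    ]:
        print(who, act, res, authorize(POLICY, who, act, res))
    for finding in audit(POLICY, RESTRICTED):
        print("AUDIT:", finding)
```

Two design points carry over to real IAM systems: the decision is keyed on the principal's own identity rather than on the network it calls from, so the same check works across clouds and for outside integrations, and the audit uses the data catalog's restricted list as input, which is how the data-security and identity themes end up depending on each other in practice.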
Putting It All Together
These five cybersecurity themes do not exist in silos. Every large enterprise is grappling with all five themes to varying degrees according to its maturity in cloud adoption and digital transformation. Consequently, many of the cybersecurity startups formed in recent years sit at the intersection of several of these trends, attempting to balance the simplicity of a point solution against the long-term revenue potential of a platform play. That means that there is not yet any “reference stack” of discrete tools that CISOs can point to today to adequately address all five areas. But as the underlying trends around cloud adoption and the proliferation of devices and user types continue, we can be confident that the markets around these themes will be large enough to support multiple winning approaches and companies.