If you’ve been working to shore up your organization’s security posture, good for you. It’s part of a necessary modernization trend, as security pros and IT leaders come to terms with the fact that traditional network perimeter defenses and other longstanding strategies alone won’t quite cut it in today’s IT environments.
Keep up the good work – because the new year promises plenty of emergent and evolving challenges on the cybersecurity front.
Security trends in 2020: Emerging threats
“2020 is shaping up to be a year of testing the new cybersecurity defenses and strategies that enterprises have deployed over the last five years,” says Jerry Gamblin, principal security engineer at Kenna Security. “Due to the recent tensions with Iran, upcoming U.S. presidential elections, new ransomware attacks, and continuing nation-state actor level breaches, I expect this year to be a year where organizations are in [a] continual process of react and response as they work to keep ahead of a quickly changing threat landscape.”
For many companies, however, the most immediate threats might not be of the front-page news variety. It may be a new year, but the same old risks continue to plague too many businesses.
“Organizations that have lagged on system patching and maintenance will continue to be targeted by malicious actors,” Gamblin says.
No doubt, punting the fundamentals is as much a problem today as ever. If you’ve always practiced poor hygiene in areas like passwords and other credentials, for example, guess what? That’s still a problem – more so, some would argue – when companies adopt cloud technologies and other hallmarks of modern IT.
So it’s always a good idea to revisit the basics and ensure security as a matter of both operational practice and organizational culture. Beyond that, Gamblin and other security experts anticipate several key trends in the enterprise threat landscape in 2020. Here are four issues you and your teams should watch in the year ahead.
1. Cloud-native technologies require cloud-native security strategies
A simple security pattern plays out time and again: As platforms or ecosystems grow in popularity, so do the proverbial bullseyes on their backs.
“The larger the user base, the richer the target,” as Trevor Pott, technical security lead at Juniper Networks, put it.
As cloud environments – and particularly multi-cloud strategies and hybrid cloud infrastructure – continue to become an operational norm, bad actors have paid increasing attention to those environments in hopes of finding security holes to exploit. They’re also keying in on related tools and technologies like containers and orchestrators as possible attack vectors.
Josh Stella, CTO of Fugue, sees this as one of the major trends in enterprise cloud security this year: “The emergence of advanced cloud-native attacks – those which exploit misconfigured cloud resources in order to gain access to environments, move laterally, and extract data without detection by traditional security analysis tools.”
There’s good news here, however: As cloud-native technologies – and IT pros using those tools – continue to mature, so do their security features and the general awareness and implementation of best practices. Kubernetes is a particularly good example: The community has made a visible commitment to the security of the open source platform, and that appears to already be paying off.
“In late 2019, the CNCF completed its first full Kubernetes audit, which revealed that Kubernetes is a foundationally secure and fully functional platform for container orchestration,” notes Michelle McLean, VP of product marketing at StackRox. “The benefits of the growing confidence in the security of the cloud-native stack will ripple through 2020 and beyond. As people learn more about best practices for securing Kubernetes and containers, we’ll see increasingly robust environments, improving businesses’ abilities to tap into the operational value of cloud-native technologies.”
Mike Bursell, chief security architect at Red Hat, notes a growing interest in confidential computing: Simply put, that’s extending encryption for data at rest and in transit to encryption for data in use. “Organizations are realizing that some workloads are just too sensitive to deploy to hosts they don’t own or can’t fully trust, and regulatory bodies are echoing that concern. We can expect to see new projects and technologies in this area gaining interest and popularity,” Bursell says. The Confidential Computing Consortium, formed in October 2019, already has more than 20 members and three open source projects being donated to it, including Enarx, a project using WebAssembly to provide a trusted run-time across multiple hardware platforms.
2. Continued rethinking of security responsibilities
Adopting cloud-native security strategies will also mean revisiting and revising traditional security silos and roles. There’s been plenty of discussion in recent years about DevSecOps, for example, and the general principle of “shifting left” with security – which means moving security to the earliest possible points of a software pipeline rather than considering it a final or near-final step before code hits production environments.
No matter what you call it, the idea here is that security can’t be treated as a niche need. “Security is everyone’s responsibility” might sound like a hackneyed ideal, but there’s at least a partial truth in it.
“Human error has been at the heart of most security incidents,” McLean says. “Containers and Kubernetes have a lot of knobs to dial and settings to get right. Sometimes, limited alignment between DevOps and security teams has made securing this infrastructure more challenging.”
Given that this kind of discussion inherently involves people’s day-to-day job responsibilities – namely, adding new ones, as well as the perception of stripping away responsibilities from someone else – this will cause ongoing debate and disagreement in some organizations.
“DevOps teams will find themselves taking on more and more responsibilities, including more security and quality automation,” says Rani Osnat, VP of strategy at Aqua Security. “As enterprises adopt DevOps practices at an ever-growing scale, the impact on the business and mission-critical applications cannot be ignored.”
Stella from Fugue sees a concurrent trend with the rise of cloud-native attacks: Giving developers more responsibility for the security of their code.
“Developers [will take more] ownership over the security of their cloud infrastructure with software engineering tools such as policy-as-code validation and automated remediation of critical misconfiguration vulnerabilities,” Stella says. “Enterprises that invest in empowering their developers with the tools they need to keep their cloud environments secure have a fighting chance against advanced cloud-native attacks.”
McLean points out that the “bolted on” approach to securing applications and infrastructure is destined to fail with modern technology stacks.
“Until recently, security was often an afterthought in the development process,” McLean says, adding that the “shift left” mindset is a must in cloud-native development. “Being ‘late’ with security doesn’t work with this tech stack or the DevOps process – getting configurations correct, for example, during the build phase is essential to securing the infrastructure.”
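What policy-as-code validation during the build phase can look like in practice, as an added example (not code from the article or from any vendor quoted in it): a small Python gate that checks a Kubernetes Deployment manifest against a handful of common hardening rules and fails the pipeline step on any finding. The rule names and both sample manifests are constructed for illustration.

```python
# Added example: a policy-as-code gate run over a Kubernetes Deployment at build time.
# The rule IDs and both sample manifests are constructed for illustration.
def check_manifest(manifest):
    """Evaluate every rule; return a sorted list of (rule_id, container_or_pod)."""
    pod = manifest.get("spec", {}).get("template", {}).get("spec", {})
    pod_ctx = pod.get("securityContext") or {}
    findings = []
    if pod.get("hostNetwork") or pod.get("hostPID"):
        findings.append(("host-namespace", "pod"))
    for c in pod.get("initContainers", []) + pod.get("containers", []):
        name = c.get("name", "<unnamed>")
        ctx = c.get("securityContext") or {}
        if ctx.get("privileged") is True:
            findings.append(("privileged", name))
        # A container-level runAsNonRoot overrides the pod-level value.
        if ctx.get("runAsNonRoot", pod_ctx.get("runAsNonRoot")) is not True:
            findings.append(("run-as-root", name))
        # Unset means escalation is allowed, so require an explicit False.
        if ctx.get("allowPrivilegeEscalation") is not False:
            findings.append(("priv-escalation", name))
        image = c.get("image", "")
        tag = image.rsplit("/", 1)[-1].partition(":")[2]
        if "@sha256:" not in image and tag in ("", "latest"):
            findings.append(("mutable-image-tag", name))
        if not (c.get("resources") or {}).get("limits"):
            findings.append(("no-resource-limits", name))
    return sorted(findings)

def gate(manifest):
    """Exit status for a CI step: 0 lets the build continue, 1 fails it."""
    return 1 if check_manifest(manifest) else 0

BAD = {"kind": "Deployment", "spec": {"template": {"spec": {
    "hostNetwork": True,
    "containers": [{"name": "web", "image": "registry.example/web:latest",
                    "securityContext": {"privileged": True}}]}}}}
GOOD = {"kind": "Deployment", "spec": {"template": {"spec": {
    "securityContext": {"runAsNonRoot": True},
    "containers": [{"name": "web", "image": "registry.example/web:1.4.2",
                    "securityContext": {"allowPrivilegeEscalation": False},
                    "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}}}]}}}}

if __name__ == "__main__":
    for label, m in (("bad", BAD), ("good", GOOD)):
        print(label, "exit", gate(m), check_manifest(m))
```

Keeping the rules in version control next to the manifests lets developers and security teams review policy changes the same way they review code.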
No matter how security roles and responsibilities shake out in your own organization, expect automation to be one of the more powerful security levers across roles and teams.
“The processes and methods that traditional IT, security, QA, and compliance teams have been using are often incompatible with the agility of DevOps and cannot cope with the rate of change,” Osnat says. “The solution lies in automating many of these practices into the DevOps processes and toolchain, enabling a more integrated, ‘detect early, fix fast’ environment.”