7 security trends to watch in 2021
Tech trends come and go; security is an everlasting concern for enterprise IT. Here's what experts say should be on your radar screen in 2021 - as "normal" gets redefined
5. Cloud misconfigurations remain a major problem
Like ransomware and phishing, improperly configured or monitored cloud accounts will also be a continued threat. Actually, continuous is the better word, since it will (like those other threats) be a mainstay in the threat landscape.
“In 2021 we will continue to see companies leak large amounts of customer data through misconfigured cloud storage services,” Gamblin says. “We will not, however, see a workable solution to this issue and it will likely be back on the list in 2022.”
This points to a disconnect in cloud security: The major platforms invest heavily in their security, but they’re not directly responsible for your own internal policies and processes. Even platforms and tools with robust native security features need to be properly set up and tuned over time for your specific environments.
Burke, the Sungard CSO, expects cloud-jacking – the practice of taking over an organization’s cloud account(s) with compromised credentials – to increasingly go hand-in-hand with ransomware threats. In general, this is a reminder that ongoing diligence and monitoring are key to a layered approach to cloud security.
“Organizations will need to have a clear understanding of their cloud footprint, assets, and provider relationships,” Burke says. “The cloud provider aspect is key because although the providers are responsible for securing the cloud environment, the customer must still implement policies and procedures around access management, data protection, etc. to complete the loop.”
6. Compliance requirements fuel cloud decision-making
Data privacy and protection is both a security matter and a compliance issue. This will continue to be a considerable factor in cloud architecture and strategy in 2021, especially for large enterprises or any organization with a global presence.
“Consumer data privacy pressures continue to mount – a particular challenge for U.S. companies with a European footprint, which must contend with the stringencies of GDPR,” says Wilson, the SAS CISO. “This is a definite factor in the push to cloud. Keeping data in-region eases control and data management strategies, but it also underscores the need for global alignment and resources on the legal and compliance fronts.”
This is among the appeals of hybrid cloud and multi-cloud architectures.
Asher de Metz, security consulting senior manager at Sungard AS, expects more cybersecurity and data privacy regulations to roll out in the year ahead, too. “I foresee an increased development of cybersecurity and privacy requirements driven by countries that are in line with regulations such as GDPR,” de Metz says.
7. MITRE ATT&CK framework gains steam in the business world
Organizations need the best possible information about potential attackers and threats to improve their security posture. That information, which was once the stuff of classified government files, is more readily available than ever, thanks to the MITRE ATT&CK framework. Given the increasingly global and complex nature of enterprise security, this knowledge base is becoming a bigger and bigger deal.
“The MITRE ATT&CK framework will continue to increase in prominence as the backbone for cybersecurity planning and threat-informed defense across the public and private sectors,” says Jonathan Reiber, senior director of cybersecurity strategy and policy at AttackIQ. Reiber previously served as the chief strategy officer for cyber policy and speechwriter in the office of the Secretary of Defense during the Obama administration.
“Historically, only well-resourced organizations like the Fortune 10 and major U.S. government agencies had the resources and personnel required to develop real-world threat intelligence and adversary emulations,” Reiber explains. “Thanks to the analytic resources made available by MITRE ATT&CK, organizations all over the world can focus on known threat behaviors and improve their security effectiveness.”
The MITRE ATT&CK framework means you no longer need to be a massive bank or tech company to level the playing field with adversaries. There’s a famous Sun Tzu quote from The Art of War that sounds like it could have been written for the cybersecurity realm: “If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.”
First made public in 2015, MITRE ATT&CK is essentially about ensuring you know your enemy, and businesses, in particular, may be overdue to make more active use of it.
“The ATT&CK framework has gained significant momentum in both the public and private sectors as a globally vetted, all-source repository of adversary behavior, cited regularly by the U.S. government’s Cybersecurity and Infrastructure Security Agency and recently by the Office of the Australian Prime Minister,” Reiber says. “When used in tandem with an automated adversary emulation platform, ATT&CK allows organizations to test their cyber defenses against known attacker behaviors safely, at scale, and in production.”
Reiber also notes that MITRE Engenuity’s Center for Threat-Informed Defense has begun developing free adversary emulation plans. It released the first plan, which security teams can use to test their defenses against the behavior of the cybercrime group FIN6, earlier this year.