The conversations about cloud security are changing rapidly. A few years ago, companies were hesitant to even talk about moving to the cloud because of all the unknowns — specifically in regard to security. Cloud service providers like Amazon, Google, and Microsoft have made bold commitments to security, so today the conversation is shifting from how secure the cloud itself is, to how individual companies can better secure their data and systems.
On Tuesday, January 17, Threat Stack’s Director of Products, Vikram Varakantam, and OneLogin’s CISO, Alvaro Hoyos, hosted a webinar to discuss where they each see cloud security headed in the coming year.
You can listen to the full webinar recording here. We’ve also highlighted key topics discussed in the webinar below.
Because this webinar was so rich in information, this is Part 1 of the recap where we dive into what key learnings for cloud security in 2016 (to better understand where it’s headed in 2017 which we'll cover in Part 2).
1. Security Became a Business Accelerator
This is where the role of a CISO comes in — and Alvaro sees this role only increasing in importance in the coming year. Already, more and more companies are hiring CISOs to lead the charge in implementing the right layers of security and to communicate that to prospects and customers.
2. The Convergence of Security and Compliance
Historically, security and compliance have been treated as two very different disciplines and entities. But the way in which companies must manage risk and secure their infrastructure becomes one and the same in the cloud. You see, when a company spins up new servers in the cloud, for example, they need to meet both compliance and security best practices. The way in which companies are now doing that is by implementing continuous security monitoring, which gives them deep visibility into who is doing what, where, when, and why and also enables them to answer critical security and compliance questions.
This enables companies that are running and scaling fast in the cloud to meet both security and compliance requirements using the same tools, such as Threat Stack and OneLogin.
3. Incident Response Progresses
In the past year alone, we saw incident response shift from a focus on prevention to a more proactive focus on detection. That’s largely because companies are learning that prevention can and will fail. Especially in the cloud, where there is no longer a perimeter to defend, there are many more unknown variables, so threats can and will get in. And when they do, companies need the ability to detect them so they can respond before damage is done.
A key security metric many companies are now paying attention to is Mean Time To Detect (MTTD), and rightly so. Security threats are becoming more and more sophisticated and prevalent, so companies need to keep up. Having both prevention and detection capabilities is the key to catching suspicious activity quickly, before it can do major damage.
4. Adoption of API-Enabled Solutions
In the cloud, with so many moving parts, security can’t be done in a vacuum. No single security tool can handle all of your company’s needs, but the more tools you have, the more unwieldy managing them all becomes. That’s why, in 2016, we saw many security tools open up their APIs to enable users to integrate them in a centrally managed place like a SIEM or an access rights management tool.
This gives you comprehensive visibility into all activity so you can quickly decide which applications need to be shut down, which accounts need to be disabled, or which hosts need to be spun up or down. Even better, APIs enable security tools to talk to each other, passing along critical information to tell the full story behind a threat.
5. Better Employee Education
In the cloud, it’s quite easy to buy a new SaaS tool or spin up a new server. So easy, in fact, that employees often do so without approval for the sake of speed and efficiency. This is the concept of shadow IT. It can help companies move fast and build better, more interesting products. But what employees often don’t realize is that, by making adhoc additions or changes to the cloud environment, security can be neglected or circumvented, and this can be very dangerous.
In 2016, companies realized that, rather than fighting to eliminate shadow IT, they had to accept that it will always be there. Instead of trying to stop it, smart companies are informing and educating employees in order to help them make good choices for security. One of the best ways to do that is to explain to them why things need to be done a certain way and how that will help the entire organization. So if an employee needs to spin up a new service on the fly, encourage them to follow a few critical steps to be sure it’s secured, and make it as easy as possible for them to do so. This is also where API-enabled services and security monitoring come in, since they are able to rapidly deploy security with each new instance, server, or application that is brought into the cloud environment.
2016 was truly an exciting year in the evolution of cloud security. In Part 2 of this webinar recap, we’ll take these 2016 trends and predict where we see security heading in 2017 and what companies like yours can be doing to stay ahead.