2017 Cybersecurity Predictions: Recruiters Search for Cyber Talent Outside of Security

This post is part of an ongoing blog series examining “Sure Things” (predictions that are almost guaranteed to happen) and “Long Shots” (predictions that are less likely to happen) in cybersecurity in 2017.  

Cybersecurity is facing a shortage of qualified professionals to fill the many openings within the sector. Earlier this year, Forbes and other sources pegged vacancies for available cybersecurity jobs at 74 percent over the last five years, and that percentage is expected to increase globally as security concerns grow for small, medium and large businesses. In addition, new government regulations and best practices for security will put increasing pressure on the cybersecurity infrastructure of many organizations, making talent shortages that much more visible. So how will companies find this much-needed talent, and what does this mean for both employers and job seekers? Here are our talent hiring predictions for cybersecurity in 2017.

Sure Things

Security companies will continue to look beyond security for talent.

What we’re beginning to see is a shift toward organizations recruiting talent outside of the security space who possess the adaptable technical abilities to be successful within cybersecurity. In other words, many individuals working in cloud, SaaS, networking, virtualization and mobile technologies, even those without specific IT or network security experience, have the transferable skills to become cloud, SaaS, networking, virtualization and mobile security experts. This trend will continue into 2017 and beyond.

Additionally, there is a plethora of IT and security-focused talent currently serving in the armed forces. As the search for cyber talent continues to grow, we can expect to see security companies expanding their veterans programs to aid the transition of qualified military personnel into the private sector. Not only is this a positive story for veterans programs – it’s also a powerful connector between cybersecurity jobs and field-tested cybersecurity talent.

Beyond that, we will see security organizations investing more resources into recruiting “next-generation” talent. Large research universities are beginning to incorporate security into the fabric of a well-rounded STEM education; some, such as New York University, have defined cybersecurity curricula and courses of study. This will lead to an increase of young, educated individuals having more exposure to cybersecurity prior to their entrance into the workforce.

The need for non-technical security professionals will also increase.

As 2017 approaches, more non-technical professionals will enter the world of cybersecurity. Like any other emerging industry transitioning into a stable long-term institution, there will be a need to grow the infrastructure surrounding these new technologies. Sales, finance, accounting and human resources all-stars will all be highly desirable within the security space.

Additionally, there will be greater opportunities for talented marketers and storytellers to share the importance of security in a world defined by the Internet of Things. Cyber education and the emergence of thought leadership will be paramount in creating a more cyber-aware society, conscious of the importance of data protection and threat prevention.

It will also be incumbent upon organizations to reward and retain their best cyber talent – and make sure their cyber talent continues to enhance their skills. A recent study conducted by Enterprise Security Group and the Information Systems Security Association (ISSA) found that 63 percent of cybersecurity professionals find it difficult to keep up with the demands of their jobs while building their skills. More progressive organizations will proactively invest in continuing education for their top talent.

Security will continue to be a desirable destination for job seekers.

Moving past 2017, the overall security industry is expected to grow upwards of $170 billion by 2020. As cybersecurity continues to weave itself into the fabric of our digitally connected society, more industries outside of tech will be seeking qualified cyber professionals to set up and maintain secure and private infrastructures, fueling the need for qualified individuals.

A prime example of this is the healthcare industry. As concerns about patient privacy continue to rise, more healthcare providers will be in need of security professionals to safeguard the abundance of sensitive data flowing through their organizations. And as we’ve seen at many healthcare organizations, complying with regulations such as HIPAA is too often at odds with investing in the right security technology.

Acknowledging these needs will help the industry stay healthy and attractive for job seekers, especially with the potential for innovation when it comes to preventing successful cyber attacks. And it’s worth noting that many cyber professionals see the nobility of their work. There is a satisfaction in knowing that their efforts to protect data and safeguard information truly help organizations leverage their technologies for the greater good of society. Cybersecurity has moved beyond merely an IT spend – it’s imperative to protecting our way of life in the digital age. Forward-thinking organizations will know to prioritize investing in their people as much as they do their technology.

Long Shots

Companies acquire other organizations to inherit talent

Many startups specializing in a single security component have entered the space with hopes of their product being integrated into the platform of a larger vendor. The space to date has not seen too many wild acquisitions, but it is possible that they may become more common in the near future.

Strong emergence of cybersecurity academies from larger players in the sector

With these academies, we will see more IT professionals being trained and certified on the implementation of company-specific security products and architectures. While this may sound like an excellent solution to the cyber skills shortage, the cost to create these academies is high for many organizations and the infrastructure needed to maintain them is often challenging to create.

What are your cybersecurity predictions for talent hiring? Share your thoughts in the comments.

[Palo Alto Networks Research Center]

2017 Cybersecurity Predictions: Japan Confronts SMB Cyber Resiliency, Anticipating Tokyo 2020

This post is part of an ongoing blog series examining “Sure Things” (predictions that are almost guaranteed to happen) and “Long Shots” (predictions that are less likely to happen) in cybersecurity in 2017.

In Japan there is much hype around the 2020 Summer Olympics and the expectation that the event will create new business opportunities. There is also concern about cyberattacks disrupting the Tokyo 2020 Olympic Games operations and the theft of national security and/or trade secrets. This type of attack would harm the competitiveness of companies in Japan and damage reputations. With this in mind, and because the Internet of Things (IoT) is rapidly expanding and introducing new attack vectors, here are some sure things and long shots for 2017, based on these dynamics.

SURE THINGS

Cyber insurance will become more popular.

Cyber insurance services have been available in Japan since at least 2012, but the growth of the market in this country has been slower than in the U.S. While Japanese companies were not motivated to invest in stopping potential risks whose damage scale was unknown before actually suffering from cyberattacks, U.S. organizations across various company sizes are willing to consider such risks and invest in mitigating them. Another key difference is that Japanese businesses tend to be more reluctant to reveal cyber incidents (per an article from ScanNetSecurity) to other parties, including their own cyber insurance companies, than American businesses are, probably because of the pressure of the shame culture which we profiled in a recent blog.

The tide changed when the Ministry of Economy, Trade and Industry (METI) and Information-Technology Promotion Agency (IPA) published the Cybersecurity Guidelines for Business Leadership Ver 1.0 in December 2015 and the document encouraged companies to use cyber insurance. NISC’s Cybersecurity Approach for Business Management in August 2016 addresses how major companies and small and medium-sized businesses (SMBs) can pursue cybersecurity effectively. The document acknowledges that SMBs’ limited resources make it difficult to adopt sophisticated security products or solutions, and suggests SMBs use cloud-based security solutions and cyber insurance. As major companies have enhanced their security, attackers have ramped up targeting of SMBs (per an article from MYNAVI News), which often are short of the resources needed to detect breaches. This is the case even though Japan’s economic strength and major companies are reliant on Japanese SMBs, some of which have high technical competence and provide parts for precision machines and metal processing.

Cyber insurance for SMBs was born in Japan, and the pressure being placed on SMBs could lead to a variety of cyber insurance types, which would benefit companies with limited finances and resources that use the cybersecurity services associated with such insurance. It is important to help those companies proactively invest in cyber defense technologies.

There will be more pressure on SMBs and non-critical infrastructure sectors to take cybersecurity measures.

SMBs and non-critical infrastructure sectors will see mounting pressure to take on more cybersecurity measures due to the Japanese government’s recent publications about the necessity of cybersecurity. Several events led to this:

First, the Japanese government revised the 2003 Personal Information Protection Act in 2015 to remove the exemption for SMBs holding fewer than 5,000 pieces of personal information, so that they too must protect personal information and prevent breaches of it. The Act’s revision was specifically timed to coincide with the January 2016 introduction of “My Number,” a new personal identification system for Social Security and taxation information, which has resulted in SMBs (and all companies) holding more personal information on residents in Japan.

Second, the Japan Tourism Agency’s Advisory Committee to Address Breaches in the Tourism Sector published an interim report in July 2016, and the National Center of Incident Readiness and Strategy for Cybersecurity (NISC) released the Cybersecurity Approach for Business Management in August 2016. The report encourages stronger cybersecurity in the tourism sector and also in the critical infrastructure sectors governed by the Ministry of Land, Infrastructure, Transport and Tourism (MLIT), which are aviation, logistics, and railways. Since Japan wants to see an increasing number of tourists during the 2020 Summer Olympics and the smooth operation of the event is key, tourism backed up by convenient and secure transportation services is definitely crucial. That is why both documents addressed the dire need for more cybersecurity measures taken by SMBs. 2017 will likely see follow-up guidelines.

Third, the NISC IoT Security Framework of August 2016 indicates the need for IoT security-by-design for manufacturers, even though they are not currently categorized as part of critical infrastructure in Japan. It means stewardship ministries and agencies would need to start drafting such guidelines.

Companies will be more active in cyberthreat intelligence and analysis sharing.

The 2020 Summer Olympics hype has certainly led to a huge expectation of innovation to showcase novel designs and technologies that drive economic growth. This all must be done in a secure manner for the convenience and safety of users. Voluntary cyberthreat intelligence-sharing is important to understanding the latest threat landscape and applying appropriate cyberdefenses. Active cyberthreat intelligence-sharing is encouraged by the Cybersecurity Guidelines for Business Leadership Ver 1.0 of December 2015.

In fact, the auto and electric power industries plan to launch such frameworks. In October 2015, Prime Minister Shinzo Abe stated at the Annual Meeting of the Science and Technology in Society (STS) Forum that driverless cars will be available in Japan when the 2020 Summer Olympics and Paralympic Games are held. Thus, manufacturers, including those in the auto sector, will be under growing pressure to innovate new and secure cars. That is why car manufacturers and auto parts providers will launch a forum for sharing cyberthreat intelligence in January 2017. In addition, Japanese electric power companies, including Tokyo Electric Power Company, plan to establish an Electric Power Information Sharing and Analysis Center (ISAC) to share cyberthreat intelligence and best practices and cooperate with overseas entities, especially the U.S. Electricity ISAC and European Energy-ISAC.

Given this trend toward Tokyo 2020 and the importance of manufacturers, tourism, and transportation-related services, more cyberthreat intelligence sharing frameworks will be born in those sectors. Tourism agencies have begun to hold regular information-sharing meetings to prevent massive personal information leaks, and a guest lecturer recommended creating a tourism ISAC at the third meeting in September 2016. Thus, the Japanese government would appreciate the best practices of the U.S. or other countries’ cyberthreat intelligence sharing, such as ISACs, and is interested in acquiring cyberthreat intelligence to add geopolitical context to technical analysis and serve governments’ and industry’s decision-making processes for risk management. The Cybersecurity Strategy of September 2015 recognized that it is important to fuse cybersecurity analysis with technical, legal, international relations, security, and social-scientific perspectives. NISC started to list potential cyber risks to Tokyo 2020 in Japan Fiscal Year 2016 and will continue to review the list and take cybersecurity measures to address the risks. This effort would also require the support of good cyberthreat intelligence and analysis from different types of expertise.

The Japanese traditional procurement system only allows one to buy visible and countable items, and this makes it challenging to procure cyberthreat intelligence, which is not necessarily “countable” unless it is put in reports. Yet, the pressure of Tokyo 2020 is gradually changing the Japanese mindset, and the country is definitely seeing more interest in cyberthreat intelligence and analysis, in a variety of formats.

LONG SHOTS

Increased focus on securing remote medical services used for disaster relief in the aging society.

Japan is known for its high frequency of natural disasters, such as earthquakes and typhoons. It is also dealing with the reality of an aging society. These challenges have led to demands for remote medical services for disaster relief and elderly people, taking advantage of IT and IoT, such as drones. This also requires cybersecurity services to protect the convenience of these services and to protect human lives.

Japan had a few major natural disasters in 2016, including the Kumamoto Earthquake and the East Japan typhoon. The aging population already passed 25 percent in 2013, and the Japanese government expects the number will reach 39.9 percent in 2060, or two out of five people at 65 years old or older. At the same time, the population has been shifting from rural areas to major cities. The Japanese government expected in 2012 that those rural areas would see a drastic decrease in population from 2.89 million people in 2005 to 1.14 million people in 2050, a 61.0 percent decline. This affects the availability of doctors in rural areas. According to a report by the Japan Hospital Association in May 2016, 80.0 percent of hospitals all over Japan said that they do not have a sufficient number of doctors. While 72.7 percent of hospitals in big cities said they have a shortfall of doctors, the figure is 92.5 percent in rural areas. The gap between cities and rural areas is widening.

This is even more problematic for disaster relief activities, especially because the Japanese government used to ban remote medical services, except for special cases in isolated islands or remote rural areas, where face-to-face medical treatment is physically difficult. Finally, in August 2015, the Ministry of Health, Labour and Welfare issued a document acknowledging the needs and benefits of remote medical services and approving them when combined with face-to-face medical treatment, although it does not require a face-to-face visit before the remote service. New medical services have become available since then, and the first case for disaster relief was in April 2016, when two companies in Japan provided free remote health consultation using smartphones and volunteer doctors to help Kumamoto Earthquake victims. This type of new disaster relief effort will be in high demand in the future.

Drones also expand the scope of remote medical services by delivering medicine. Since the revised aviation law was enacted in December 2015 to add rules for drones, proof-of-concept tests have started in rural areas, such as Yabu City in Hyogo Prefecture (per an article from Nikkei Digital Health) and the western part of the Japanese mainland.

Associated cybersecurity services will be in demand to ensure the convenience of such services and to protect patients from disruption to the services by cyberattacks. Proactive, prevention-based cybersecurity is needed.

Massive My Number personal information leak will happen.

Japan faced massive breaches in May 2015 and in summer 2016. The May 2015 incident saw the leak of 1.25 million pieces of personal information from a government-associated organization, and the June 2016 incident suffered the leak of personal information belonging to 7.93 million people from a tourism agency. In July 2017, the Japanese government will start to share My Number-related information with local governments for welfare services. Since all of the organizations now have more personal information from their employees, thanks to My Number, they are more worried about potential breach risks.

According to an ABeam Consulting Ltd. survey of the 1,917 publicly listed Japanese companies (105 companies responded) conducted between May and June 2016, almost all had finished gathering My Number information from their employees. Nonetheless, in most cases, the security measures taken for My Number remain provisional. For example, only 49 percent of companies have audit policies in place to check the data regularly. While 72 percent say they have strengthened access control for the systems that store My Number information, only 16 percent had improved prevention and detection of potential hacking. Although half of the companies plan to provide training for people who are newly assigned to deal with My Number, only 39 percent plan to review the training program regularly, and 32 percent plan to provide such training on a recurring basis.

If those problems remain unresolved, Japan will most likely see a bigger scale of personal information breaches in the near future. Of course, cybersecurity efforts cannot be made overnight. It takes time because they entail the reform of corporate governance, as we pointed out in our September blog. But if Japan can combine My Number security efforts with cybersecurity governance for the success of Tokyo 2020, it will prevent damage by potential cyberattacks to steal or leak personal information.

What are your cybersecurity predictions for Japan? Share your thoughts in the comments and be sure to stay tuned for the next post in this series where we’ll share predictions for ICS.

[Palo Alto Networks Research Center]

2017 Cybersecurity Predictions: Service Providers Confront IoT Security

This post is part of an ongoing blog series examining “Sure Things” (predictions that are almost guaranteed to happen) and “Long Shots” (predictions that are less likely to happen) in cybersecurity in 2017. 

Based on the trends we are seeing within the mobile industry, here are some predictions for 2017:

Sure Thing: Cyberattackers will target service providers by tapping into a wide network of IoT devices
We have seen how IoT and wearable technology can be used by cyberattackers to launch unprecedented levels of volumetric attacks aimed at taking down specific websites and applications. These attacks will now increasingly be aimed at taking down critical service-provider network infrastructure, causing wide-scale disruptions of mobile and other connected services. Service providers will be under significant pressure to shift their security posture and leverage advanced network-based mechanisms to prevent these types of malware infections from reaching IoT devices that are connected to their networks.

Sure Thing: Cyberattackers will increase their emphasis on exploiting mobile device users, and mobile device infections will exponentially increase
Consumers continue to increase their reliance on smart devices and mobile applications to manage their digital lives, making themselves easy targets for cyber criminals and creating a ripe environment for the spread of many different types of mobile malware. This trend will degrade overall trust that consumers have in their mobile services and create a new challenge for service providers, which will spur providers’ increased focus on protecting end user services and preventing potential negative impacts on their brands. “Is it the service provider’s fault” will be a common debate.

Long Shot: Cyberattacks on mobile users will become the leading cause for churn

Research has shown that consumers would rather lose their wallets than their mobile phones (and now some are using their phone as their wallet). A recent Accenture survey of smartphone users revealed 62 percent are concerned about the security of their financial transactions; 60 percent are dissatisfied with their connectivity and experience; and 47 percent are concerned about privacy and security. Altogether, a majority of them are ready to switch providers, partly because they feel their current ones don’t help safeguard their critical properties. Mobile operators will shift focus to develop new strategies that ensure the security of customer devices and prevent an erosion of customer trust that leads to lost business.

Long Shot: Service Providers will market IoT security as a competitive advantage

Over the years, service providers have tended to define network security pretty narrowly, with a prime objective of maintaining network availability and no real need or obligation to secure end user devices. This may have been sufficient for operating successfully in the past, but the landscape has now changed, with an expanding mobile attack surface and growing occurrences of infected IoT devices launching malicious attacks. The implications for service providers are significant, especially considering that IoT is being counted on to help fuel the next wave of mobile-service revenue growth; providers have no choice but to now embrace IoT security as a means of enabling future business. Who wants to be the operator that allowed a hacker to take over thousands of cars, or the operator that is labeled as “less secure” than its competitor? Service providers will begin to adopt advanced network-based IoT threat prevention mechanisms, and they will begin marketing to potential IoT customers with security as a competitive advantage.

What are your cybersecurity predictions for service providers? Share your thoughts in the comments and be sure to stay tuned for the next post in this series where we’ll share predictions for Japan.

[Palo Alto Networks Research Center]

2017 Cybersecurity Predictions: Price of Ransomware Continues to Increase in Asia-Pacific

2016 was a challenging year for organisations particularly as cyber adversaries achieved high-profile success, mainly with ransomware. Organisations in Asia-Pacific are no exception. The year also taught a valuable lesson that no industry vertical is safe; if there is a hole in your security, a determined adversary will find it.

2017 should be an opportunity for organisations to instigate a regular program of security risk assessments to stay ahead in cybersecurity. New technologies and ever-increasing levels of connectivity are transforming businesses and unlocking business development opportunities across the region.

Being aware of security concerns doesn’t mean avoiding new technology altogether. It’s about being sensible and trying to stay ahead of cybercriminals by understanding current and potential threats and what can be done to mitigate the risk.

What are my predictions for Asia-Pacific in 2017?

1. Industrial control systems may turn against you

Industrial control systems (ICS) are an integral part of any business, especially in Asia-Pacific. These include building management systems, heating ventilation and air conditioning (HVAC), and security doors, just to name a few.

Most businesses outsource their building management requirements so they don’t necessarily know whether the third-party provider has adequate security in place. It’s not impossible for a malicious actor to execute an attack that could cause significant damage.

For example, an attacker could turn the heating up in a company’s server room or data centre to 50°C and then disable all the building access points so no one can get in to physically remove hardware to a safer location. The hardware would eventually overheat, causing significant disruption to a business, its customers and its partners.

What you need to consider:

  • When you think about it, nearly all businesses could be at risk of an attack like this. Business leaders have to consider security beyond the basic steps of protection. Organisations need to gain an overarching view of their potential weak spots through third parties as well as their own network. Additionally, they need to put a plan in place that would help counter any potential attacks.
  • Have you checked what non-IT equipment your business depends on and what security it has enabled? Is it connected to the internet or managed by a third party?
  • When outsourcing to a third party, what level of security assurance do they have in place? Are they able to provide information to you on how they secure themselves and, ultimately, how they secure and manage your network and systems?

2. The Internet of Things (IoT) devices will be a target for cybercrime

Market research firm Gartner predicts that the number of connected ‘things’ will rise from 6.5 billion in 2015 to almost 21 billion by 2020. This will result in better customer experiences, with connected devices providing information on everything from when the brakes on a bus need to be replaced to whether all the machines on a mine site are running within acceptable parameters.

However, connected devices will also be a target for cybercrime, even more so because people place enormous trust in third-party vendors being safe. These endpoint devices provide thousands of potential entry points to an organisation’s network. They need to be secured. In 2016, we saw the first real challenges appear where compromised devices were connected together in a botnet to launch attacks against banks and key parts of the internet infrastructure.

Anything that you connect into your computer or network is a potential risk. The types of devices range from CCTV cameras to tiny sensors attached to complex machinery, and they may not always be top of mind for security professionals. But if they are connected to the internet or managed by a third party, then they could put the business at risk.

Committed cybercriminals will use every trick in the book and be creative in trying to access the information they want, and look at what ways they can gain entry.

What you need to consider:

  • It is important to understand that the IoT is not a possibility or a project of the future – it is a current reality. Make a point to ask suppliers involved in security assurance how they can assure the security of the devices they provide. As we have seen many times, there may be no security, or the devices could be using some default username or password. These should be changed from the moment they are on your network.
  • Any devices using factory settings for security are simply asking to be compromised. IT managers must change those standard administrator passwords to avoid being targeted.
  • These devices should also be regularly checked to see if they adhere to the company’s security policy.


3. We may see a ransomware vortex with a nasty surprise

Ransomware involves attackers locking up a business’s data and demanding a ransom for its release. If you thought 2016 was bad for ransomware – where attackers access data and ransom it back to the victim – then 2017 will be worse. We can expect to see a higher attack volume, using more sophisticated technologies. If the discovery of Locky ransomware was anything to go by, financial malware will continue on an upward trajectory in 2017.

The kicker will be that, because enterprises and individuals have previously paid, more than likely the prices will increase. There have been cases where the ransom was paid, the data was unlocked, and then the victim was hit again. Paying to unlock one or more machines in your organisation doesn’t provide immunity from a threat that could be spreading in your environment. Our advice has always been: don’t pay.

What you need to consider:

  • If you have fewer than 72 hours to respond, do you have a comprehensive backup strategy and response ready to counter these attacks?
  • When was the last time you tested and verified the backup?
  • Have you applied basic file blocking to prevent threats from entering your organisation? Certain file types can be a risk to your organisation. Ask yourself, “Should we allow all files, or should we manage the risk by not allowing malicious file types that may cause an issue?”


4. We will have serious data trust issues

People will continue to be too trusting or fooled into thinking something is safe when it really isn’t. For example, confidential data can be exposed, or made available, that looks like it comes from an organisation, when it was actually planted by a malicious party. Either way, there’s a business reputational risk and a monetary price to pay.

For years, information security professionals have been focused on a model known as the CIA triad, which looks at Confidentiality, Integrity and Availability and is designed to guide policies for information security within an organisation. Many organisations have long looked at confidentiality as a means to protect their data from theft or availability as a means to ensure they can access their data or systems, but how much time has been spent focusing on the integrity of the data or systems?

Imagine a data project, years in the making, where the data an organisation has been collecting and analysing is corrupted. For example, a resource company that has invested heavily in research and development is prospecting for the next drill site where they collect petabytes of data, but an attacker manipulates the information, rendering it worthless. If the integrity of the data is manipulated, where a few bits of information are changed, the company might drill in the wrong spot, wasting time and money and potentially creating an environmental disaster. This could cause companies to make incorrect decisions with significant ramifications. The same could be said about cases where systems have been wiped after an attack, removing all traces that it happened.

Another frightening example is personalised medicine, where the genetic makeup of a person is known and so well-understood that, rather than doing trial and error on which medication works, doctors can tailor exactly the right mix and dosage. If an attacker changed the data in a programme such as this, it would not only affect the effectiveness of the drug but could also have a lasting negative impact on the patient, or even threaten their life, so the stakes are incredibly high.

So What Can Be Done?

Firstly, any business should welcome these changes as they are a way to further digitise services and enhance our way of life. But with any move to further digitising services that we offer or are offered to us, we need to ensure that the data is protected. Verification should be at the centre of all platforms, at every stage of development, and at the core of every provider-customer relationship. Its integrity must be protected from being modified by unauthorised parties. Data must only be made available to authorised parties to access the information when needed.
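One concrete form of the verification the post calls for is a keyed integrity manifest: a per-chunk HMAC computed when the data is written and re-checked before the data is used. The example below is added here and is not code from the original post or from Palo Alto Networks. It uses a constructed miniature "survey" dataset standing in for the petabytes in the drilling scenario, a demo key, and a small chunk size so the output shows several chunks; a keyed MAC rather than a plain hash is used so that an attacker who can modify the data but does not hold the key cannot simply recompute matching digests, and chunking lets the verifier say which region changed rather than only that something did.

```python
"""Keyed integrity manifest for a dataset (added example, not from the original post).

build_manifest() is run when data is written; verify_manifest() is run before the
data is used.  Flipping a single bit in one chunk, truncating the data, or checking
with the wrong key are all reported.
"""
import hashlib
import hmac
import struct

CHUNK_SIZE = 64  # bytes per chunk; deliberately small so the sample yields several chunks


def build_manifest(data: bytes, key: bytes) -> list[str]:
    """Return one hex HMAC-SHA256 tag per CHUNK_SIZE chunk of `data`."""
    tags = []
    for i in range(0, len(data), CHUNK_SIZE):
        chunk = data[i:i + CHUNK_SIZE]
        # Bind the chunk index into the MAC so chunks cannot be swapped around.
        msg = struct.pack(">Q", i // CHUNK_SIZE) + chunk
        tags.append(hmac.new(key, msg, hashlib.sha256).hexdigest())
    return tags


def verify_manifest(data: bytes, key: bytes, manifest: list[str]) -> list[int]:
    """Return the indices of chunks whose tag does not match; [] means intact.

    If the data is longer or shorter than the manifest describes, the missing or
    extra chunk indices are reported as well.
    """
    current = build_manifest(data, key)
    bad = []
    for idx in range(max(len(current), len(manifest))):
        if idx >= len(current) or idx >= len(manifest):
            bad.append(idx)
        elif not hmac.compare_digest(current[idx], manifest[idx]):
            bad.append(idx)
    return bad


def flip_bit(data: bytes, byte_index: int, bit: int) -> bytes:
    """Return a copy of `data` with one bit flipped (simulated silent corruption)."""
    buf = bytearray(data)
    buf[byte_index] ^= 1 << bit
    return bytes(buf)


# Constructed sample dataset: eight 35-byte fake site readings (280 bytes, 5 chunks).
SAMPLE_DATA = b"".join(
    f"site={n:03d};depth={1200 + 7 * n:05d}m;grade={0.5 + 0.01 * n:.3f};\n".encode()
    for n in range(8)
)
DEMO_KEY = b"constructed-demo-key"  # placeholder; a real key lives in a KMS/HSM, not the code


def demo() -> dict:
    """Build a manifest, then show what verification reports in four situations."""
    manifest = build_manifest(SAMPLE_DATA, DEMO_KEY)
    return {
        "intact": verify_manifest(SAMPLE_DATA, DEMO_KEY, manifest),
        "one_bit_flipped": verify_manifest(flip_bit(SAMPLE_DATA, 100, 0), DEMO_KEY, manifest),
        "truncated": verify_manifest(SAMPLE_DATA[:200], DEMO_KEY, manifest),
        "wrong_key": verify_manifest(SAMPLE_DATA, b"other-key", manifest),
    }


if __name__ == "__main__":
    for case, bad_chunks in demo().items():
        print(f"{case:16s} -> tampered chunks: {bad_chunks}")
```

The manifest itself must be stored where the attacker who can reach the data cannot also rewrite it (a separate system, or signed), otherwise the check proves nothing; and the check has to run as part of the analysis pipeline, not as an occasional audit, for it to prevent the wrong-drill-site decision rather than explain it afterwards.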

What you need to consider:

  • Businesses need to look at two key things: where their sensitive data resides and what data is critical for the business to operate. Somewhat surprisingly, many organisations struggle to answer these questions. This can lead to misappropriation of resources in the form of security controls being applied broadly across the entire organisation, rather than being targeted where they’re needed most, which in turn increases the cost of acquiring and operating security measures.
  • Who amongst our employees has access to our sensitive data? Simply knowing who has access to documents or big data stores stops short of understanding what they actually have access to.
  • A key way to reduce risk to sensitive information is to also understand how the data is protected. Is there protection in place, and does it meet the right level to mitigate risk for something that could be mission-critical to a business?

What are your cybersecurity predictions for 2017? Share your thoughts in the comments.

[Palo Alto Networks Research Center]

2017 Cybersecurity Predictions: Machine Learning and AI-Driven Frameworks Shape Cloud Security

This post is part of an ongoing blog series examining “Sure Things” (predictions that are almost guaranteed to happen) and “Long Shots” (predictions that are less likely to happen) in cybersecurity in 2017.

Here’s what we predict for cloud in 2017:

Sure Things

A multi-cloud, hybrid security strategy will be the new normal among InfoSec teams

In the last few years, the digital footprint of organizations has expanded beyond the confines of the on-premise data center and private cloud to a model that now incorporates SaaS and public clouds. To date, InfoSec teams have been in a reactive mode while trying to implement a comprehensive security strategy across their hybrid architecture. In 2017, we will see a concerted effort from InfoSec teams to build and roll out a multi-cloud security strategy geared toward addressing the emerging digital needs of their organizations. Maintaining a consistent security posture, pervasive visibility, and ease of security management across all clouds will drive security teams to extend their strategy beyond security considerations for public and private clouds and also focus on securely enabling SaaS applications.

Shifting ground within data privacy laws will impact cloud security choices

Cross-border data privacy laws play a significant role when organizations across the globe consider cloud computing options. With recent developments, such as Brexit and the expansion of cross-border data flow restrictions in Asia-Pacific, IT security leaders will look for flexibility and adaptability from their cloud security vendors in 2017. Cloud security offerings need to address the diversity among clouds, enforce consistent security policy, and adapt to the data privacy laws of the resident nation-state. The WildFire EU cloud is a great example of enabling regional presence to comply with local data residency requirements. It is a global, cloud-based, community-driven threat analysis framework that correlates threat information and builds prevention rulesets that can be applied across the public, private and SaaS footprint of organizations based out of Europe.

Large-scale breach in the public cloud

The excitement and interest around utilizing the public cloud reminds us of the early days of the Internet. Nearly every organization we talk to is using or looking to use either Amazon Web Services (AWS) or Microsoft Azure for new projects. It is based on this observation that we predict a security incident resulting in the loss of data stored in a public cloud will garner international attention. The reality is that, given the volume of data loss over the past year, one or more successful breaches have likely occurred already, but the specific location (private, public, SaaS) of the data is rarely, if ever, disclosed. That is bound to change as more companies move their business-critical applications to the public cloud.

The basis of the prediction is twofold. Public cloud vendors are more secure than most organizations, but their protection is for underlying infrastructure, not necessarily the applications in use, the access granted to those applications, and the data available from using those applications. Attackers do not care where their target is located. Their goal is to gain access to your network; navigate to a target, be it data, intellectual property or excess compute resources; and then execute their end goal – regardless of the location. From this perspective, your public cloud deployment should be considered an extension of your data center, and the steps to protect it should be no different than those you take to protect your data center.

The speed of the public cloud movement, combined with the “more secure infrastructure” statements, is, in some cases, leading to security shortcuts where little to no security is being used. Too often we hear from customers and prospects that the use of native security services and/or point security products is sufficient. The reality is that basic filtering and ACLs do little to reduce the threat footprint: opening TCP/80 and TCP/443 allows nearly 500 applications of all types, including proxies, encrypted tunnels and remote access applications. Port filtering is incapable of preventing threats or controlling file movements, and improves only slightly when combined with detect-and-remediate point products or products that merely prevent known threats. It is our hope that, as public cloud projects increase in volume and scope, more diligence is applied to the customer piece of the shared security responsibility model. Considerations should include complete visibility and control at the application level and the prevention of known and unknown threats, with an eye toward automation to take what has been learned and use it to continually improve prevention techniques for all customers.
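The gap between a port-based ACL and application-level visibility is easy to see on a handful of flows. The example below is added here and is not code from the original post or from Palo Alto Networks: it constructs a few TLS ClientHello messages inline as sample input, parses the server_name (SNI) extension out of the first client bytes, and compares what a port-only ACL decides with what a policy that identifies the application decides. An allow-list of server names stands in for the richer application identification a real application-aware firewall performs; treating SNI as the identifying signal is an assumption made to keep the example short.

```python
"""Port-based ACL versus application-level identification on TCP/443.

Added example, not code from the original post.  All flows below are constructed.
"""
import struct


def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal TLS ClientHello record that carries an SNI extension."""
    name = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack(">H", len(name)) + name       # name_type 0 = host_name
    sni_list = struct.pack(">H", len(sni_entry)) + sni_entry
    ext_sni = struct.pack(">HH", 0x0000, len(sni_list)) + sni_list  # extension type 0 = server_name
    extensions = struct.pack(">H", len(ext_sni)) + ext_sni
    body = (
        b"\x03\x03" + bytes(32) + b"\x00"              # client_version, random (zeroed), empty session_id
        + struct.pack(">H", 4) + b"\x13\x01\x13\x02"   # two cipher suites
        + b"\x01\x00"                                  # one compression method: null
        + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body      # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


def extract_sni(payload: bytes):
    """Return the host_name from a TLS ClientHello, or None if the bytes are not one."""
    try:
        if payload[0] != 0x16 or payload[5] != 0x01:
            return None
        p = 5 + 4 + 2 + 32                                  # record hdr, handshake hdr, version, random
        p += 1 + payload[p]                                 # session_id
        p += 2 + struct.unpack_from(">H", payload, p)[0]    # cipher_suites
        p += 1 + payload[p]                                 # compression_methods
        if p + 2 > len(payload):
            return None                                     # no extensions block
        end = p + 2 + struct.unpack_from(">H", payload, p)[0]
        p += 2
        while p + 4 <= end:
            ext_type, ext_len = struct.unpack_from(">HH", payload, p)
            p += 4
            if ext_type == 0x0000:
                q = p + 2                                   # skip server_name_list length
                name_type = payload[q]
                name_len = struct.unpack_from(">H", payload, q + 1)[0]
                if name_type == 0:
                    return payload[q + 3:q + 3 + name_len].decode("ascii", "replace")
            p += ext_len
    except (IndexError, struct.error):
        return None
    return None


def port_policy(dst_port: int) -> str:
    """What a port-based ACL decides: anything to 80/443 passes."""
    return "allow" if dst_port in (80, 443) else "deny"


def app_policy(dst_port: int, payload: bytes, allowed_names) -> str:
    """Port check first, then require an identifiable ClientHello to an approved name."""
    if port_policy(dst_port) == "deny":
        return "deny"
    sni = extract_sni(payload)
    if sni is None:
        return "deny"          # not recognisable as TLS on 443: a tunnel or unknown app
    return "allow" if sni in allowed_names else "deny"


# Constructed flows: (label, dst_port, first bytes sent by the client)
SAMPLE_FLOWS = [
    ("mail client", 443, build_client_hello("mail.example.com")),
    ("file-sharing app", 443, build_client_hello("files.example.net")),
    ("custom tunnel", 443, b"TUNNEL/1 HELLO\n"),        # its own protocol, just on 443
    ("ssh", 22, b"SSH-2.0-OpenSSH\r\n"),
]
APPROVED_NAMES = {"mail.example.com"}  # assumed policy, stands in for app identification


def compare_policies(flows=SAMPLE_FLOWS, allowed=APPROVED_NAMES):
    """Return [(label, port_decision, app_decision, sni)] for each flow."""
    return [
        (label, port_policy(port), app_policy(port, data, allowed), extract_sni(data))
        for label, port, data in flows
    ]


if __name__ == "__main__":
    for label, by_port, by_app, sni in compare_policies():
        print(f"{label:17s} port-ACL={by_port:5s} app-aware={by_app:5s} sni={sni}")
```

The port ACL passes the mail client, the file-sharing application and the tunnel alike because all three go to 443; only the policy that looks at the first bytes tells them apart. SNI alone is not enough in practice (it can be absent or encrypted), which is why a production engine combines several signals, but the asymmetry the post describes is already visible with this one.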

Long Shots

Autonomic Security: Rise of artificial intelligence and machine learning-driven security frameworks

2016 introduced self-driving cars and selfie drones to consumers. The technology behind these innovations was heavily driven by artificial intelligence (AI) and machine learning (ML). AI and ML usage within cybersecurity is not new. Cybersecurity vendors have been leveraging them for threat analysis and for the big data challenges posed by threat intelligence. But the pervasive availability of open source AI/ML frameworks, and the automation simplicity associated with them, will redefine the security automation approaches within InfoSec teams. Today, security automation is about simplifying and speeding up monotonous tasks associated with cybersecurity policy definition and enforcement. Soon, artificial intelligence and machine learning frameworks will be leveraged by InfoSec teams to implement predictive security postures across public, private and SaaS cloud infrastructures. We are already seeing early examples that reflect this approach. Open source projects, such as MineMeld, are shaping InfoSec teams’ thinking on leveraging externally sourced threat data and using it for self-configuring security policy based on organization-specific needs. In 2017 and beyond, we will see the rise of autonomic approaches to cybersecurity.

Insecure API: Subverting automation to hack your cloud

Application programming interfaces (APIs) have become the mainstay for accessing services within clouds. Realizing the potential problems associated with traditional authentication methods and credential storage practices (hard-coded passwords, anyone?), cloud vendors have implemented authentication mechanisms (API keys) and metadata services (temporary credentials) as alternatives that streamline application development. The API approach is pervasive across all cloud services and, in many cases, insecure. It provides a new attack vector for hackers, and in 2017 and beyond, we will hear about more breaches that leverage open, insecure APIs to compromise clouds.
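The hard-coded credential the paragraph alludes to is something a defender can look for before a repository or image ships. The scanner below is added here and is not code from the original post or from Palo Alto Networks. It runs over a constructed set of in-memory files, flags the well-known `AKIA…` access key ID shape (the value used is the placeholder from AWS's own documentation, not a real key) and quoted assignments to names such as api_key, secret, token or password, uses a Shannon-entropy threshold to skip obvious placeholders, and redacts the matched value in what it reports so the findings file does not itself become a credential store.

```python
"""Hard-coded credential scanner (added example, not from the original post).

Two checks: a shape match for AWS access key IDs (AKIA + 16 upper-case alphanumerics)
and a generic "secret-looking name = 'long quoted value'" match filtered by entropy.
Findings carry a redacted snippet, never the full value.
"""
import math
import re

AWS_KEY_RE = re.compile(r"\b(AKIA[0-9A-Z]{16})\b")
ASSIGN_RE = re.compile(
    r"""(?i)\b(api[_-]?key|secret|token|password)\s*[:=]\s*["']([^"']{12,})["']"""
)
ENTROPY_THRESHOLD = 3.0   # bits per character; assumed cut-off below which a value is a placeholder


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; 0.0 for an empty or single-character-repeated string."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Keep a short prefix so the finding can be located, hide the rest."""
    return value[:4] + "*" * max(0, len(value) - 4)


def scan_text(path: str, text: str) -> list[dict]:
    """Return findings for one file: {path, line, kind, snippet} with the value redacted."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in AWS_KEY_RE.finditer(line):
            findings.append({
                "path": path, "line": lineno, "kind": "aws-access-key-id",
                "snippet": line.replace(m.group(1), redact(m.group(1))).strip(),
            })
        for m in ASSIGN_RE.finditer(line):
            value = m.group(2)
            if shannon_entropy(value) < ENTROPY_THRESHOLD:
                continue   # "aaaaaaaa"-style placeholders are noise, not credentials
            findings.append({
                "path": path, "line": lineno, "kind": "hardcoded-secret-assignment",
                "snippet": line.replace(value, redact(value)).strip(),
            })
    return findings


def scan_files(files: dict) -> list[dict]:
    """Scan a {path: contents} mapping and return all findings."""
    results = []
    for path in sorted(files):
        results.extend(scan_text(path, files[path]))
    return results


# Constructed sample repository.  The AKIA value is the documentation placeholder.
SAMPLE_FILES = {
    "app/config.py": 'DEBUG = "false"\nAPI_KEY = "Qm7xR2vL9pZa4sKd8wTn"\n',
    "deploy/env.sh": "export AWS_REGION=eu-west-1\nexport AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n",
    "app/settings.py": 'import os\npassword = os.environ["DB_PASSWORD"]\ntoken = "aaaaaaaaaaaaaaaa"\n',
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f['path']}:{f['line']} [{f['kind']}] {f['snippet']}")
```

The `settings.py` file shows the pattern that passes: the credential is read from the environment (or, in a cloud instance, obtained from the metadata service as a short-lived credential) rather than written into source. A scanner like this belongs in the commit hook and the build pipeline; scanning after the key has been pushed only tells you what to rotate.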

What are your cybersecurity predictions around cloud? Share your thoughts in the comments and be sure to stay tuned for the next post in this series where we’ll share predictions for Asia-Pacific.


[Palo Alto Networks Research Center]
