Four security trends for ‘22—and what to do about them
Seth Rosenblatt
Security Editor, Google Cloud
When it comes to cloud security, 2022 will be the year that the past catches up with the future. Trends that businesses have been ignoring for too long will force organizations large and small to confront and control their security debt.
That’s according to Google Cloud’s own cybersecurity experts, who have identified four security trends that organizations need to watch out for—and get ahead of. We have predictions on what to expect in the coming year from MK Palmore, director of the Office of the CISO; Brian Roddy, vice president of engineering for Cloud Security; Tim Dierks, engineering director for data protection; and Panos Mavrommatis and Vikram Makhija, senior directors of security engineering for Google Cloud.
Supply chain shenanigans
“We will see continued asymmetric attacks from adversaries as they exploit supply chains and other previously ‘trusted’ third-party entities,” says Palmore.
Supply-chain problems in cloud computing should be easily solvable, right? Software versions and any vulnerabilities they contain should be trackable and patchable, but the reality of fixing software is that “just patch it” is hard to execute—just look at the challenges posed by the Log4j 2 vulnerability. Supply chain is such a huge problem that President Biden addressed it in an Executive Order in May 2021. Customers can expect the issue to be top of mind at Google Cloud.
Not exactly many happy returns (to the office)
“Return to office around the world will drive changes as office infrastructure has not been invested in for a year and a half while the focus has been on remote users. This likely will drive a short-term boom in traditional on-prem security, but it will be the last boom for that as people adapt their remote, zero-trust style strategies to a more modern on-prem approach,” says Roddy.
The misconception that on-prem infrastructure is categorically more secure than cloud is driven by the desire to have physical access to servers and backups so that only the organization which owns the data controls it and has access to it, even in cases of a catastrophic failure or successful cyberattack. In the early years of cloud computing, that may even have been true. But the conditions that drove the myth of on-prem security primacy changed years ago, and the needs driving secure cloud infrastructure help ensure that cloud stays more secure.
Paying down your security debt
“While there's all the new hotness of cutting-edge concerns, many enterprises still carry security risks and security debt from not yet fully adopting controls which have been broadly accepted as important for years. For example, loads of companies are still not using phishing-resistant two-factor authentication such as FIDO keys,” says Dierks.
Authentication keys such as those made by Yubico and Google’s own Titan Security Key support the zero-trust security principles that require user identities to be authenticated, authorized, and then continuously validated before they can access applications and data. Strong authentication is such an important part of contemporary user security that even weaker forms of it that rely on text messages are significantly more secure than not using it at all. That said, why use a less-secure standard when you can reduce risks to your data and bottom line even further by requiring a phishing-resistant hardware key?
Dierks stresses another challenging but important part of eliminating security debt: using social connections to encourage best security practices. “It's important for CISOs to use their business relationships to emphasize the importance of baseline controls [such as 2FA] for their partners. Enterprises have close relationships that attackers can leverage, so it's critical that partners hold each other accountable to maintain high security.”
KYD (Know Your Data)
A data breach can harm an organization as it is today and far into the future. Encryption standards that are tough to crack now could become easier to decode in the years ahead, so even if cybercriminals can’t read stolen data today, there’s no guarantee that will hold. This means it’s crucially important that organizations understand what data they’re storing, how they’re storing it, and where they’re storing it, say Mavrommatis and Makhija.
“You can’t secure what you don’t know about, and not all data breaches are equal. Stolen machine logs are not as bad as customer data. But how many security teams know the difference? So you have to crawl your own data to automatically classify and discover where sensitive data lives,” they say.
Makhija adds that the shared fate model requires the cloud providers and cloud customers to have a mutual understanding of the quantitative risks each faces. “Shared fate models will pick up significantly in 2022,” he says, as more organizations move to the cloud, and those already using cloud infrastructure improve their security postures.
“To date, there’s been a disparate set of tools for understanding your posture. It’s difficult for third-party tools to stitch together what cloud services should be providing from the start,” he says.
What you can do to make your organization more secure
One cloud security trend that’s ever-present is the ever-increasing importance of keeping cloud deployments secure. As cloud infrastructure becomes more commonplace across businesses and industries of all sizes, it will continue to grow as an attractive target for cybercriminals and other threat actors.
Because enterprise data has expanded exponentially, identifying and detecting threats has become increasingly challenging. To better secure the enterprise software supply chain, use advanced threat detection and analysis tools, especially those designed to catch anomalies.
The faster organizations adopt a zero-trust architecture, the more secure the new normal can be. Zero trust helps limit the blast radius of any potential intrusion, while maximizing new enterprise access expectations. Adopting zero trust means many end users can abandon legacy technology like VPNs, but it is the benefits of segmentation and context-aware access for both identity and device that will make all the difference for large-scale enterprises. When a full zero-trust approach is coupled with a zero-trust maturity model for improvement, organizations will be better positioned to manage their digital risks.
Security debt comes in many forms, and one critical payment organizations need to make is migrating en masse to hardware two-factor authentication keys. They make user accounts significantly more resistant to takeovers, and are much harder to circumvent than two-factor authentication over SMS.
It’s past time to get to know your data, and a bouquet of flowers and a bottle of red wine won’t help. There are third-party tools that can do this, but for Google Cloud customers who use BigQuery there’s automatic Data Loss Prevention. It continuously monitors existing tables and profiles new ones; it can be customized for selected folders or projects, or for an entire organization; and it generates data profiles in the same geographic region as the original data.
Understanding and managing the security challenges of cloud infrastructure helps maximize its benefits, and makes for a safer security landscape in 2022—and beyond.