Security trends to pay attention to in 2019 and beyond
The Google Cloud security team
Software security requires good hygiene and constant diligence to protect your organization and users from known threats; it also requires working proactively to identify and address emerging risks.
Here at Google Cloud, we help you do both. We build products that make security easy—from automatic protections that keep you safe behind the scenes, to tools and recommendations that help you tailor your security posture to your organization’s specific needs (check out our “taking charge of your security” posts for some best practices). We’re always hunting for, and thinking about, how to protect against new and emerging threats, as demonstrated by the “Spectre” and “Meltdown” CPU vulnerabilities that our Project Zero team revealed earlier this year.
As we kick off 2019, here are some security trends to watch, from some of the people here at Google Cloud who think about security every day:
Attacks that skirt two-step verification will push high value targets to adopt stronger 2SV methods.
Two-step verification (2SV), also known as two-factor authentication (2FA), goes a long way to help protect user accounts, and has become standard for most modern applications. However, not all 2SV methods are created equal; attackers are finding new ways to circumvent weaker 2SV methods, such as intercepting one-time-passwords like SMS codes through phishing attacks and phone number takeover. Typically, these are targeted attacks against high-value users such as executives, political figures, or cloud admins. With increased risks ahead, we predict more services will adopt stronger phishing-resistant 2SV methods, utilizing FIDO standards. This will allow users to authenticate with security keys, gaining stronger protection against phishing attacks and account takeovers.
— Christiaan Brand, Product Manager, Google Cloud
We’ll see broader strides toward a true “passwordless” era, due to mainstream adoption of new standards.
We will see secure passwordless login experiences start appearing in the mainstream in 2019. This will mark the start of a broader “passwordless” era, enabled by W3C and FIDO APIs which will appear in major browsers and OS platforms. To start, websites will begin to offer the ability to re-login by just presenting a biometric such as a fingerprint. Comprehensive adoption of passwordless first-time logins will take more time, but in the future, we can expect simple and highly secure login experiences such as the ability to log in to a website on your computer simply by unlocking your phone nearby.
— Sam Srinivas, Director, Product Management
Zero-trust architectures move from idea stage to implementation stage.
“Zero Trust” architectures, and how to implement them, have been an increasingly hot topic in security as organizations embrace more business-critical cloud services and face increasing employee demands for anytime, anywhere, any device access to business resources. Google’s BeyondCorp model was the original enterprise implementation of this concept. Expect this to change in 2019 as more providers and vendors make packaged commercial solutions available and the concept is implemented at an architectural level in projects like Istio.
— Jennifer Lin, Director, Product Management
Identity and access management (IAM) professionals will continue to face an increased scale, size, and sophistication of attacks against their users and infrastructure. Organizations will embrace IAM solutions that leverage vast amounts of data and machine learning techniques to automate discovery, configuration, and response to lighten the burden of their IT and security teams.
— Karthik Lakshminarayanan, Director, Product Management
Self-managed cloud encryption gets more visibility.
Self-managed encryption keys can provide additional control over data access, provide additional audit clarity, help meet policy or regulatory requirements, or provide a measure of control over provider access. However, in the coming years, there will be cases of customer-managed key mishandling that lead to high-profile data loss. Cloud providers will continue to build out native key management capabilities, extending provider-key-managed coverage across more services and offering customers more granular control options. These options can provide a good balance between customer control and robust durability and availability. So while self-managed key options will continue to evolve, customers will increasingly look to leverage provider-key-managed services to manage their keys.
— Scott Ellis, Product Manager, Google Cloud
Attackers will turn their attention to more sophisticated attacks on cloud-native environments like containers.
We've seen public attacks on container deployments, but most of them went after "low-hanging fruit" or mimicked attacks that you would be just as likely to see on a VM — e.g. misconfigurations, credentials and secrets in public code, etc. Think of them as doors that were accidentally left open. As container adoption increases, we'll start to see more advanced attacks that are specific to container architectures and container vulnerabilities. Many admins will look for strong Cloud-managed services that offer best practices on container security by default.
— Maya Kaczorowski, Product Manager, Google Cloud
Vulnerabilities in open-source software will become increasingly common, requiring more rigorous testing.
Introducing vulnerabilities into open-source software via source-code repositories is an effective attack method, since many downstream users use open-source software without inspecting it or testing it themselves. A widespread compromise of this manner is not unlikely, and might be just the thing that drives more companies to use continuous vulnerability scanning tools.
— Matthew O’Connor, Product Manager, OCTO
There will be more than double the reported data incidents on legacy systems from the previous year as a result of GDPR.
The EU’s GDPR requires organizations to report data incidents involving EU personally identifiable information (PII) to data protection authorities or risk large fines. In the UK alone, there were 30% more self-reported data breaches in the first half of 2018, compared to the whole of 2017. The first fines issued under GDPR are likely to be issued in 2019, and the increased transparency resulting public and regulatory scrutiny may highlight the fragility of legacy systems, and ultimately drive cloud adoption, where enterprise privacy management tooling and processes have been specifically developed to support GDPR.
— James Snow, Customer Engineering Manager, Security & Compliance
Highly-regulated enterprises will select for cloud providers who provide real-time monitoring and controls for access to their workloads
While one of the major benefits to being in the public cloud is having your infrastructure managed for you, customers often have had limited visibility and control over activity conducted by their cloud provider. In 2019, companies—especially those in highly regulated industries—will increasingly expect full visibility and control over what actions cloud administrators can take on their data. These customers will expect more assurance that they are in control of their data and workloads.
— Joseph Valente and Michee Smith, Product Managers, Google Cloud