What Trouble Awaits Cloud Native Security in 2023?
Gartner predicts that by 2025, over half of IT spending will finally have shifted from traditional IT infrastructure to the public cloud. That’s quite a jump compared to 2022’s 41%. But, I’m sure it will happen. I’m also sure that along the way, cloud native security problems will only grow to match that overall growth.
Why? It’s not that there’s some shocking security problem lurking in the heart of Kubernetes 1.26. Or, that Amazon Web Services (AWS) Lambda will suddenly start glitching your code. If only it were that easy!
No, technical problems can be as annoying as hell — we’re looking at you, Log4j — but the real cloud native security problem is the living, breathing one sitting between the keyboard and the seat. Your tech support people may know it as: Problem Exists Between Chair and Keyboard (PEBCAK).
Don’t believe me? A 2020 Ponemon and IBM study found that misconfigured cloud servers alone cause 19% of data breaches. This isn’t rocket science. It’s simply that setting up a cloud properly isn’t easy.
It’s not that I doubt your cloud people are bright and know their way around, for example, Azure’s Kubernetes Event-Driven Autoscaling (KEDA); Kyndryl Cloud Native Services; or Google Kubernetes Engine (GKE). That’s table stakes if you’re doing real work with cloud native services.
No, the problem is that it’s hard enough to understand how to build and maintain cloud native applications, never mind securing them. Now, as always, developers and IT operate under tight deadlines. This pressure to perform leads to security neglect.
You may say, “You already know that,” and ask me to stop bugging you about it. Well, I can’t. You see, you may know security is important, but that doesn’t mean your team is taking it seriously. Lip service doesn’t count.
Sure, you may be shifting security left in your development pipeline, but that doesn’t mean it’s getting done. As a recent University of Zurich study, Software Security during Modern Code Review: The Developer’s Perspective, showed, most developers still don’t focus on security issues during code review. They’ll say they are, but they don’t. More often than not, security is disregarded in the push to get deliverables out as fast as possible.
This is still happening because problem number one is that management still doesn’t take security seriously enough. Until a company or a project has had its nose bloodied, they all seem to refuse to take it seriously.
True, Gartner predicts cloud security will grow quickly, with a 26.8% growth rate, in 2023. After all, as Ruggero Contu, Gartner’s senior director analyst, observed, “The pandemic accelerated hybrid work and the shift to the cloud, challenging the [chief information security officers] CISO to secure an increasingly distributed enterprise.” Therefore, security services will reach $76.5 billion in 2023.
More money will be spent, but I’m not sure it will go where it’s needed. As a McKinsey cybersecurity study states, “the budgets of many, if not most, CISOs are underfunded.”
Besides, leaving aside pure security funding, there’s not enough funding for programmer and IT security. This shows in practice: many companies are still not providing security training. Despite this, they assume developers will somehow magically know how to build security into their programs and pipelines.
Far too often, the C suite and IT teams still think of security as a magical black box that you stuff code and processes in and — ta-da! — they become secure. Nothing could be further from the truth.
Security training must become part and parcel of modern cloud development. I fear we won’t see that coming in 2023 until after we have even bigger cloud disasters.
A related problem is that we all know cloud native computing is complex, but we don’t recognize just how hard that makes securing cloud native programs. As Deloitte Consulting chief cloud strategy officer David Linthicum recently put it, “multicloud and other complicated, heterogeneous platform deployments have accelerated overly complex deployments. At the same time, security budgets, approaches, and tools have remained static. As complexity rises, the risk of breach accelerates at approximately the same rate.”
Linthicum suggests that before you add the latest, shiny new cloud native tool to your workbench, you “consider the impact of adding so many more moving parts to an already complex IT environment.” He’s right. I make my living from being on top of technology, and I barely have a superficial understanding of the Cloud Native Computing Foundation (CNCF) Cloud Native Interactive Landscape. Stick with what you know best and master it before making your infrastructure any more complicated than it already is.
In addition, as Ron Vider, Oxeye’s CTO and Co-founder, said, “Cloud native applications are game-changers when it comes to business agility, but the protection of these platforms introduces new challenges, restrictions, and requirements that restrict traditional application security solutions from functioning effectively in these environments. As this is a rapidly evolving space, the shift to cloud native application security demands a new approach that holistically looks at all software components and the underlying infrastructure to ensure resilient operations.”
That’s easier said than done.
Now some security advances do appear to be on their way to reality in 2023. According to Okta, an identity and access management (IAM) powerhouse, 97% of companies either have a zero trust initiative in place or will have one coming in 2023/24. This will make cloud security, according to zero trust company Zscaler, much easier than depending on cloud-inappropriate security mechanisms such as firewalls and virtual private networks (VPN). Zero trust, besides simply helping secure end-user cloud access, will also help with API-secured and context-based access policies.
We’re going to have to wait for other technical cloud security improvements. For example, as Spiceworks points out, simply managing multiple cloud security dashboards is a major pain. How bad is it? “69% of organizations experienced a breach or data exposure due to inconsistencies in application security across different platforms.” That bad.
Remember what I said about complexity? Here it is again.
To battle this, we do have more helpful automated security tools than before. For instance, as we all know now, software supply chain issues, thanks to insecure third-party libraries, have become major security issues. Thanks to shift-left security software processes such as Supply-Chain Levels for Software Artifacts (SLSA, pronounced “salsa”); Software Package Data Exchange (SPDX)/Software Bill of Materials (SBOM); and Static Application Security Testing (SAST) and Interactive Application Security Testing (IAST), we have a better, automated grip on our code security issues.
But, today, tools for all these areas cover multiple bits and pieces of the supply chain. Once again, we’re dealing with a lot of complexity.
So, what can you do about all this? First, security must become a top issue for the executive suite. They must also back this by pouring considerably more funds not just into Security with a capital “S” but into training everyone in the trenches how to secure their part of the cloud. That said, you must also invest in zero trust and software supply chain security tools.
None of this, not one bit of it, will be easy. As much as possible, I urge you to simplify your cloud infrastructure so you can get a handle on it. Do that, and with a lot of hard work, I hope you’ll make it through the next year without any major security problems or outages.
Good luck, folks. The hackers will be after us. All of us.