What’s ahead for the cloud in 2018? CRN asks F5, Palo Alto, VMware, Kaspersky, Arrow, and Ixia
Trevor Treharne, deputy editor at CRN ChannelWeb.co.uk, recently led a panel of cloud experts in predicting trends impacting the cloud in 2018 and at a high level we all agreed: all roads lead to security.
Sponsored by Arrow, a leading Ixia distribution partner in the U.S. and EMEA, the webinar featured thought leaders from F5, Palo Alto Networks, VMware, Kaspersky Labs, Arrow, and Ixia, and covered a range of hot topics from General Data Protection Regulation (GDPR) to IoT to multi-cloud deployments. Panelists agreed that security is hard and operating in the cloud makes it harder, and that organizations need to take risks and be open to making both strategic and operational changes in the way we do things. Above all, they must have a plan that includes contingencies for dealing with the known and unknown alike.
Perhaps the most formidable, fundamental change is embracing the shared security model inherent in public cloud services. The architecture controlled by providers defines the way in which every instance can get to the Internet and be reached from the Internet, and in many cases, the public cloud connects to private clouds, data centers, and end-points.
While cloud providers may do a better job of securing the core infrastructure—a definite “plus”—enterprises still own their own applications and are still responsible for securing their own privileged data. This shift brings up some obvious questions:
Exactly what data is in the cloud and what conditions apply to it? Who has access—employees, third parties, etc.—and will they be approaching from the office, the road, or home? What controls are in place to restrict access? And last but not least, what is the impact to the organization if data gets breached and falls into wrong hands?
Five Trends Fueling the Challenge
Industry dynamics add to the challenge of answering these questions:
Scarcity of cybersecurity skills: A survey conducted by Kaspersky Labs found 50 percent of organizations already perceive a shortage of basic cybersecurity skills. The scarcity is compounded by the fact that very different skillsets are required to successfully deploy applications in the cloud and to manage and control access and security. Those adept at managing Exchange servers and traditional firewalls may not be versed in techniques for managing cloud-deployed applications in a compliant fashion.
Public cloud deployments are still new and initial misconfigurations of things like Amazon Web Services (AWS) instances are creating new ways for hackers to sneak in the back door.
GDPR: With the deadline upon us, panelists agree that most organizations still underestimate the impact GDPR will have, along with their own responsibility for securing data. Moving applications to the cloud does not automatically outsource security to cloud providers, and providers’ ability to deliver data required to satisfy GDPR requirements within the time allotted remains unknown. GDPR may also pave the way to new ransomware exploits; for example, having to pay cyber-criminals to return data within the time allotted under GDPR or face up to four percent fines for non-compliance.
Multi-cloud: Products used to secure and monitor cloud deployments must work across all intended cloud providers, and multi-cloud skillsets will be needed to identify and remove security gaps across platforms.
IoT: Companies need to consider all devices, how they authenticate, and the languages they and protocols they use to avoid leaving a back door open. Security planning must also be extended to include operational technology or “OT” as well as IT. Where the two traditionally existed in parallel, we now have air conditioning, lighting, and building control systems attached to the same network and cloud infrastructures as web, database, and application systems. This creates the potential for opportunists to unplug a light panel, do some sniffing and take over a building and bring organizations down digitally and physically within hours.
The net of these dynamics is that the way we think about writing security policies becomes more important, yet less straightforward. Because complete prevention is not a realistic option, focus must shift to rapid detection, and preventing whatever happened from happening again. Traditional elements such as intrusion prevention still have a role because we still need to know when we’re under attack. However, response and forensics processes must change because, by the time we figure out that we’re under attack, the compromised cloud instance may be gone.
Panelists resoundingly agreed that visibility becomes more important than ever and ranks among the biggest security gaps in the cloud. Companies need better visibility and context around who is accessing data:
Who is the user and where are they located? What device are they using and what groups are they in? What were they doing five minutes ago?
Compliance also mandates a more holistic view of the security architecture. “What we really need,” says David Warburton, Senior Systems Engineer at F5, “is to be able to see what’s happening across all platforms and get consistent reporting and analytics.”
Leveraging Solution Providers
Due to the shortage of cloud skills, the panelists concurred that bringing in experts to help plan and manage the journey of securing and managing cloud implementations, GDPR, and IoT represents a win-win for enterprises and solution providers. According to Greg Niece, VMware’s Cloud Business Manager for northern EMEA, 30 percent of enterprise customers do not have a formal plan in place for cloud.
This translates into tremendous opportunity for solution providers to offer cloud-specific expertise. Diverse, immediate education is needed, and proven experts can provide it fastest. They can also help IT and security teams extend strategic discussions and due diligence to include supply chain management, the executive board, and other stakeholders, as well impending paradigm shifts such as incorporating artificial intelligence (AI) and machine learning.
Resellers that embrace these shifts described above will be invaluable in helping companies optimize workflows and transform data into knowledge and action; for example, working with retailers to determine the best placement for specific products. And as scary as security is, the cloud itself represents virtually limitless potential to drive growth—if we all approach it as a shared journey and opportunity.
GDPR, for example, presents an ideal opportunity to rethink the whole flow of taking in, scrubbing, processing, hiding, and eventually storing data. IoT and multi-cloud also offer timely reasons to work with trusted solution providers to bring data management under control, and perhaps transfer some of the responsibility through managed services.
The impetus may still lie with IT departments, but the journey to profitable transformation must be shared amongst enterprises, vendors, “born in the cloud” providers, and solution providers uniquely positioned to lead organizations through the process of breaking down traditional barriers, forming alliances, and educating end users and business leaders alike.