2024: A Critical Year for the Cloud Security Teenager

2024 marks the 15th anniversary of the Cloud Security Alliance. We have seen so many changes in our world, shifts in the tech scene, and several cloud security ventures come and go during that time. In a world that is so dynamic, corporations don’t have the same longevity they once had, but as a not-for-profit organization focused on best practice leadership through generational shifts in technology, we truly feel like the teenagers we are. I am fond of telling staff and others that ask “what’s next?” that CSA is structured to continue our mission for 100 years.

A Quick History of the Cloud

2024 is positioned to be a very interesting year. I wanted to use this platform to talk about what we will be working on this year and put it in the context of key trends that we are trying to react to and address. A good way for me to explain this is to provide a quick history of the cloud by version number.

Cloud 0, or pre-cloud, is the recognition of several developments in the history of computing that led to the cloud. The mainframe computer and its virtual machine and timeshare capabilities are good examples. The Intel 80836 processor of the 1980s brought virtual machine capabilities to the PC. In more recent history, the application service provider, or ASP, was a great example of doing work on someone else’s computer and a precursor to SaaS.

Cloud 1.0, what we recognize as the first version of the cloud computing that we use today, essentially was about delivering traditional IT services, such as the aforementioned virtual machines and storage, in an innovative new business model. We started the work on CSA in these early days, planning it in 2007 and finally launching at RSA in 2009.

Cloud 2.0 describes the emergence of what we would call cloud native – technologies and frameworks unique to cloud. Think containers, serverless functions, DevOps, etc., but also cloud native security solutions such as cloud security posture management (CSPM).

You could argue about the beginning date for Cloud 2.0. Its development was underway for a long time - I would pick around 2016 for when cloud native became mainstream. In 2020, the pandemic caused a rush to work-from-home and exposed how broken traditional security architectures and strategies were in the face of working and thinking virtually. We saw an acceleration in the move to cloud and the rediscovery and rise of Zero Trust as the strategy for securing cloud sprawl.

Cloud 3.0 started some time in 2022. We saw a cybersecurity economic downturn mid-year, IPOs were canceled, and funding started to dry up. Generative AI and large language models (LLMs) started gaining notice in late 2022 with the release of LLM prompts as a cloud service.

I like to joke that the cloud and AI had a baby and they named it ChatGPT. For me, Cloud 3.0 is a merger between generative AI and cloud native and promises to be the version of cloud we will be using for many years ahead, although by its very nature it will be incredibly innovative and fungible. For our industry more specifically, every vendor and enterprise security team is going through a phase of “copilotization,” where they seek to leverage generative AI to automate, scale, and create breakthroughs to reinvent cloud security.

What’s Coming in 2024

The Cloud Security Alliance endeavors to do our best to solve tomorrow’s problems today. For that reason, we hope to understand these trends and ensure that we provide the right support to the industry. Below, I wanted to outline our focus for 2024:

You have no doubt heard about our AI Safety Initiative, where we expect to use our global footprint to deliver all of the research, education, and certification capabilities for AI that we have done for cloud. It is important to note that we are not moving to AI as the next shiny thing, but that AI is coming to the cloud and transforming it. The delivery of AI, from the frontier LLMs and hyperscalers and virtually every SaaS solution, is creating the ultimate shared security responsibility scenario.

If there is one thing I could impress upon my cybersecurity colleagues, it is that the adoption of AI by malicious actors – think AI code scanning – is going to create huge challenges. You might be able to be circumspect in some aspects of AI adoption, but not where it intersects with malicious actors and the necessary countermeasures.

CSA introduced the industry’s first credential for broad-based Zero Trust knowledge, the Certificate of Competence in Zero Trust (CCZT), at the end of 2023. This will be a huge area of emphasis for us in 2024. We believe that as a strategy, Zero Trust will be used to harden any type of compute system, and will be the most popular strategy overall. I have said before that I see Zero Trust as the security blueprint for the next version of the Internet. We intend to build upon the best practices we have articulated and innovate in new areas, such as specific Zero Trust use cases for AI.

CSA’s Security, Trust, Assurance and Risk (STAR) program provides the world’s largest repository of cloud provider assurance statements. STAR comprises our most popular research artifact, the Cloud Controls Matrix (CCM).

Despite being initiated way back in 2011, STAR was our fastest growing product in 2023. It is central to many enterprises’ vendor management and is a standard in many countries and industries. We will have several projects underway to make sure that we are at the forefront of IT GRC modernization. Both assurance of AI and leveraging AI for assurance will be addressed. Continuous monitoring of controls is important. Harmonizing the many compliance frameworks in use by industries, nations, and technology segments is critical.

I am very excited to let you know that our venerable Certificate of Cloud Security Knowledge (CCSK) program will be updated in mid-2024 to version 5. The industry’s standard for the cloud security professional will have the right balance of technologies and practices to provide a living example of what Cloud 3.0 means for cybersecurity. We promise in our CCSK v5 launch that the easiest path will be offered to existing holders of our certificate. We thank you for your loyalty.

These are some key priorities in 2024, but in true CSA fashion we will be ambitious, responsive to the community, and focused on broad coverage of the issues important to you. There will be a plethora of opportunities to intersect with us. Come to our many virtual and in-person events. Join a chapter. Participate in a research working group. Sign up for Circle, our online community. As an old guy, I like to say that I remember when you could literally fit our industry in a single room. Happily, that is no longer possible and we play an important part in so much of the world’s business. Let’s wear that cloak of responsibility well in 2024.