Evolution of Cloud Security and Privacy Technologies

Written by Satyavathi Divadari of Micro Focus CyberRes

Organizations accelerated digitization and cloud transformation rapidly in the last two years to offer customer digital services from anywhere while balancing Cyber Resilience requirements. Technologies for Security and Privacy evolved to a next-level to provide such high velocity transition to cloud.

Cloud Security Alliance (CSA) in association with Micro Focus CyberRes and the CSA Bangalore Chapter conducted a global survey to understand the industry views of the evolution. In this article, we will review three key findings of the research.

Finding 1: Increase use of multi-cloud despite the challenges

Organizations continue to have their workloads on hybrid-cloud (with a combination of workloads on cloud and on-premises), while most of them are interested to use multiple cloud platforms instead of just one. The first reason (29%) of favouring multi-cloud deployment is to meet best technical features from each cloud platform. For example, organization A uses IaaS services from Amazon Web Services (AWS), office utility services as Software as a Service (SaaS) from Microsoft Azure, and business analytics platform on Google Cloud Platform (GCP). In this example, the organization built a best-fit technology combination based on their skills, high-availability requirements, and currently used technology compatibilities instead of relying on one provider.

Not surprisingly, avoiding vendor lock-in, the most quoted explanation for a multi-cloud strategy, is the second reason (21%). Organizations are interested to have higher portability and flexibility without getting locked into one cloud platform. Some companies are ready to trade-off unique vendor functionalities towards better portability.

The third reason (16%) is a regulatory requirement to avoid cloud concentration risk. Regulators are concerned about business resilience and the operational risks involved in over-reliance on one service provider to support key business services, and to avoid any adverse effect on the Cloud Service Provider (CSP) that could heavily impact their business.

Challenges to Multi-cloud Adoption

A key concern to take advantage of multi-cloud is the skill availability (26%). Technology abilities and experienced staff on multiple cloud platforms is a tough ask. Other challenges related to skills are capabilities to understand architectural differences in multiple cloud platforms (22%), and complexity to manage security controls (18%) among a wide variety of services and products on different cloud providers. Getting a comprehensive oversight of all the resources, governance, and risk oversight across wide variety of resources across multiple cloud platforms and on premise is the next important challenge (20%).

With increased adoption of multiple public providers, developers are facing the challenge of keeping code consistent across diverse platforms with diverse interaction points. Automating security testing into continuous integration and continuous code development and during the containerization helps in reducing the risk exposure.

Alternate trend: Private cloud favoured by one third

One of the favourite flavours of cloud adoption is private cloud (30%) among the other deployment models such as hybrid cloud, public, and on premises. Key reasons to chose private cloud are mainly data residency, data sovereignty requirements or local regulations.

Finding 2: Deployment of Privacy by Design and its Maturity lower than anticipated

Privacy by design is heavily in the development stage with two thirds of the organizations (65%) either currently building or planning to build the strategies, with very few (8%) having a fully planned privacy by design strategy. This is no surprise considering the stronger regulations around privacy were enforced in last three years (Ex: Global Data Privacy Regulations (GDPR) in 2018, Central Consumer Protection Authority (CCPA) in 2020) and organizations are picking up the speed of deployment as the time go by.

The most mature category among data privacy by design was unsurprisingly regulatory compliance. Over the years, national and international laws and regulations are the most influential ones to enforce privacy compliance. It is a revelation to know that Data discovery and Governance still have not reached its maturity as per the majority of the respondents (60%). It seems there is a lot of scope to improve in this area, considering that Governance and Oversight is one of the concerns for multi-cloud adoption too.

Finding 3: Use of Zero Trust, AI/Machine Learning and Serverless expanding in the next two years

With the continuous evolution of cloud, a few technology concepts are clearly influencing the organizations to build their plans to implement in next two years. The top influencing concepts are zero trust (60%), artificial intelligence (AI) or machine learning (43%), and serverless computing (42%).

Zero Trust

Remote working and increased use of online businesses in the pandemic times wiped out the perimeter-based security control, thus bringing emphasis on zero trust, the concept of ‘trust no one, verify everyone’. With such a popular opinion, deployment of zero trust seems to be at higher pace: close to one-half (45%) of the organizations are planning, and more than one-fourth (28%) implemented zero trust architectures to some extent. However, complete implementation of zero trust concepts is low (8%) at the time of the report indicated lower maturity of the concept.

When it comes to domain level maturity of zero trust, “network” domain had the highest maturity. The Rational for this maturity is clear, because network-based trust establishment is the known method from many years. Followed by that “policy” is the next mature domain, as contracts, regulations and policies are other dominant ways to establish trust among different organizations as well as within organizations. Other new methods such as “identity” based trust and “data” centric trust are still below the maturity curve.

Artificial intelligence (AI) or machine learning

Even after two years of a pandemic, organizations are still struggling with the Covid outbreak and related concerns. Automated systems powered by Artificial intelligence or machine learning technologies came across as saviours to achieve operational excellence, cost efficiencies, and business resilience.

AI/ML technologies have been used for monitoring anomalies, analysing user behaviours, detecting malware, and preventing cyberattacks in cyber security domain. Further extensions are being observed in hunting threats, developing security intelligence, and reducing false positives with continuous development of machine learning models.

Serverless Computing

Serverless became popular with the increased use of cloud provider services such as AWS Lambda, Google Cloud Functions, Azure Functions, or others. Serverless functions offers nano services without the need to build a virtual server, operating system, or web hosting. Greater financial benefits and resource economics of serverless is causing dynamic growth of adoption and in turn helped acceleration containerized deployment of applications. Building secure serverless scripts and container images is still below the maturity curve causing concerns to security teams.

More Findings and Perspectives

Read more findings and analysis in the CSA global research report sponsored by CyberRes in association with the CSA Bangalore Chapter on “Cloud Security and Technology Maturity Evolution.”

Join us in the upcoming CSA CloudBytes webinar that covers diverse opinions of Chief Information Security Officers (CISO), Chief Privacy Officers (CPO), Security Strategists, and Solution Integrators around the technology evolution in the areas of cloud security and privacy.