Why the Worst Cloud Security Predictions Might Not Come True

June 3, 2021
| |
4 min read

We’ve all heard dire predictions about the future of cybersecurity trends, especially cloud security. Internet of things (IoT) environments will expand the attack surface beyond control and encourage breaches. Hybrid offices will always pose a greater risk as cyber criminals exploit flex and remote work. Insecure application programming interfaces (APIs) will open the door to attacks. Attackers will hijack employee accounts. Cloud resources will lack visibility.

But what if these threats and risks are overblown? Here’s why all these dire predictions about cloud security might never come to pass.

Prediction: The Out-Of-Control IoT Attack Surface

Employees install random, internet-connected devices like coffee makers that connect to the network but which those employees don’t even consider IT devices. Office equipment. Mobile gadgets. Wearables meant to make them more productive. Sensor-based warehouse devices. All manner of shadow and orphaned IT. And each device could be a door into the network for threat actors.

This risk is largely one of knowledge and scale. It’s the devices that you don’t know about that can’t be secured. And the sheer number of devices can overwhelm.

But just as the coming years involve an explosion in the number of devices, mostly driven by the IoT boom, tools become more automated and intelligent. The IoT will be made much more secure by artificial intelligence (AI)-based network automation tools that find and inventory all the IoT devices connecting to a network. Enabling automated action in the event of a discovered incident will have to become mainstream. We’ll bring the feared out-of-control attack surface under control with intelligent automation.

Prediction: Hybrid Work Poses Risks

When it comes to cloud security and more, the post-pandemic world won’t return to where it was before 2020. Experts agree that, although specifics will vary from company to company and industry to industry, in general far more people will work remotely, at least part time.

Remote work security feels like a paradox, as employees can’t secure home offices as a matter of policy. Users do their own ‘tech support’ and often even provision their own devices and equipment. Employees are using weak passwords and connecting over consumer or public networks. Arbitrary and unknown devices share the networks they use.

Many employees switched to work from home in 2020. At its peak, some 42% of the American workforce worked from home, according to a Stanford Research study. At the same time, cyber criminals took notice and got to work exploiting this unplanned scenario. Facing a future of hybrid work, flex work and remote work, crystal balls predict disaster.

But the world when we were unprepared won’t look like the future, when we know how to plan for hybrid work. We can now apply the zero trust model to devices and resources connected in the office, in the home and on the road. In fact, the use of zero trust for at-home workers is already rising fast. That means no more device sharing, no more password sharing and no more clicking on links from strangers and letting their payloads run wild on the network.

Prediction: Insecure APIs Will Open Doors to Attack

Analysts and security experts have been warning that API breaches are becoming more common, predicting that threat actors will make APIs the next big attack vector.

One problem with APIs is that already over-tasked security and IT pros assume that somehow defense is built in or will take care of itself.

Once largely reserved for connecting internal applications, APIs are now used to connect internal apps to suppliers, partners and customers. APIs have become a key part of digital growth. With their growing external use, and the relative ease for exploiting insecure APIs, the predictions of a crisis to come make sense. Accessing an insecure API can open up all the data that API has access to (including, for example, customer data).

But will this really turn out to become a major future crisis? Maybe not.

Best practices around securing APIs are likely to become widespread, given the risks. These include designing APIs with default deny policies and strong verification measures. All API data must be encrypted without hurting performance. And API calls need to be authenticated at every layer. Use password hash, HTTPS, secure URLs and other measures. You’ll notice that all these practices are rising in usage, and will likely continue to do so.

Prediction: Cloud Security Hurt by Low Visibility

A well-known lack of visibility has hampered cloud adoption in recent years. It stands to reason that this lack of insight, and the threats that lurk in that darkness, will grow into a major problem. After all, complex hybrid cloud setups are becoming more common.

The reasons for this lack of visibility are many. Among these is that the agents provided by public cloud providers work by processing the metadata they collect. That isn’t deep enough to identify all the security issues potentially present, or examine data traveling between public clouds and private infrastructure. Relying on public cloud agents leaves blind spots.

It’s becoming clear to many teams that managing your own security platform is mandatory. That means having cloud security posture management that discovers and helps you address risks across any place storing data, including across many cloud environments. As more groups embrace such cloud-native tools, the visibility and safety crises from complex hybrid cloud environments might not be as big a problem as predicted.

Be Ready for Tomorrow’s Cloud Security and Beyond

In short, the doom-and-gloom predictions largely rely on tomorrow’s threats facing yesterday’s defenses. But there’s reason for optimism that tomorrow’s defenses will rise to the challenge.

Of course, some threats will remain, and even grow. But widespread disaster predicted on multiple fronts just might not ever happen, thanks to evolving tools and evolving thinking.

Mike Elgan

I write a popular weekly column for Computerworld, contribute news analysis pieces for Fast Company, and also write special features, columns and think piece...
read more