We’ve all heard dire predictions about the future of cybersecurity trends, especially cloud security. Internet of things (IoT) environments will expand the attack surface beyond control and encourage breaches. Hybrid offices will always pose a greater risk as cyber criminals exploit flex and remote work. Insecure application programming interfaces (APIs) will open the door to attacks. Attackers will hijack employee accounts. Cloud resources will lack visibility.

But what if these threats and risks are overblown? Here’s why all these dire predictions about cloud security might never come to pass.

Prediction: The Out-Of-Control IoT Attack Surface

Employees install random, internet-connected devices like coffee makers that connect to the network but which those employees don’t even consider IT devices. Office equipment. Mobile gadgets. Wearables meant to make them more productive. Sensor-based warehouse devices. All manner of shadow and orphaned IT. And each device could be a door into the network for threat actors.

This risk is largely one of knowledge and scale. It’s the devices that you don’t know about that can’t be secured. And the sheer number of devices can overwhelm.

But just as the coming years involve an explosion in the number of devices, mostly driven by the IoT boom, tools become more automated and intelligent. The IoT will be made much more secure by artificial intelligence (AI)-based network automation tools that find and inventory all the IoT devices connecting to a network. Enabling automated action in the event of a discovered incident will have to become mainstream. We’ll bring the feared out-of-control attack surface under control with intelligent automation.

Prediction: Hybrid Work Poses Risks

When it comes to cloud security and more, the post-pandemic world won’t return to where it was before 2020. Experts agree that, although specifics will vary from company to company and industry to industry, in general far more people will work remotely, at least part time.

Remote work security feels like a paradox, as employees can’t secure home offices as a matter of policy. Users do their own ‘tech support’ and often even provision their own devices and equipment. Employees are using weak passwords and connecting over consumer or public networks. Arbitrary and unknown devices share the networks they use.

Many employees switched to work from home in 2020. At its peak, some 42% of the American workforce worked from home, according to a Stanford Research study. At the same time, cyber criminals took notice and got to work exploiting this unplanned scenario. Facing a future of hybrid work, flex work and remote work, crystal balls predict disaster.

But the world when we were unprepared won’t look like the future, when we know how to plan for hybrid work. We can now apply the zero trust model to devices and resources connected in the office, in the home and on the road. In fact, the use of zero trust for at-home workers is already rising fast. That means no more device sharing, no more password sharing and no more clicking on links from strangers and letting their payloads run wild on the network.

Prediction: Insecure APIs Will Open Doors to Attack

Analysts and security experts have been warning that API breaches are becoming more common, predicting that threat actors will make APIs the next big attack vector.

One problem with APIs is that already over-tasked security and IT pros assume that somehow defense is built in or will take care of itself.

Once largely reserved for connecting internal applications, APIs are now used to connect internal apps to suppliers, partners and customers. APIs have become a key part of digital growth. With their growing external use, and the relative ease for exploiting insecure APIs, the predictions of a crisis to come make sense. Accessing an insecure API can open up all the data that API has access to (including, for example, customer data).

But will this really turn out to become a major future crisis? Maybe not.

Best practices around securing APIs are likely to become widespread, given the risks. These include designing APIs with default deny policies and strong verification measures. All API data must be encrypted without hurting performance. And API calls need to be authenticated at every layer. Use password hash, HTTPS, secure URLs and other measures. You’ll notice that all these practices are rising in usage, and will likely continue to do so.

Prediction: Cloud Security Hurt by Low Visibility

A well-known lack of visibility has hampered cloud adoption in recent years. It stands to reason that this lack of insight, and the threats that lurk in that darkness, will grow into a major problem. After all, complex hybrid cloud setups are becoming more common.

The reasons for this lack of visibility are many. Among these is that the agents provided by public cloud providers work by processing the metadata they collect. That isn’t deep enough to identify all the security issues potentially present, or examine data traveling between public clouds and private infrastructure. Relying on public cloud agents leaves blind spots.

It’s becoming clear to many teams that managing your own security platform is mandatory. That means having cloud security posture management that discovers and helps you address risks across any place storing data, including across many cloud environments. As more groups embrace such cloud-native tools, the visibility and safety crises from complex hybrid cloud environments might not be as big a problem as predicted.

Be Ready for Tomorrow’s Cloud Security and Beyond

In short, the doom-and-gloom predictions largely rely on tomorrow’s threats facing yesterday’s defenses. But there’s reason for optimism that tomorrow’s defenses will rise to the challenge.

Of course, some threats will remain, and even grow. But widespread disaster predicted on multiple fronts just might not ever happen, thanks to evolving tools and evolving thinking.

More from Cloud Security

How Do You Plan to Celebrate National Computer Security Day?

In October 2022, the world marked the 19th Cybersecurity Awareness Month. October might be over, but employers can still talk about awareness of digital threats. We all have another chance before then: National Computer Security Day. The History of National Computer Security Day The origins of National Computer Security Day trace back to 1988 and the Washington, D.C. chapter of the Association for Computing Machinery’s Special Interest Group on Security, Audit and Control. As noted by National Today, those in…

Why Are Cloud Misconfigurations Still a Major Issue?

Cloud misconfigurations are by far the biggest threat to cloud security, according to the National Security Agency (NSA). The 2022 IBM Security X-Force Cloud Threat Landscape Report found that cloud vulnerabilities have grown a whopping 28% since last year, with a 200% increase in cloud accounts offered on the dark web in the same timeframe. With vulnerabilities on the rise, the catastrophic impact of cloud breaches has made it clear that proper cloud security is of the utmost importance. And…

Charles Henderson’s Cybersecurity Awareness Month Content Roundup

In some parts of the world during October, we have Halloween, which conjures the specter of imagined monsters lurking in the dark. Simultaneously, October is Cybersecurity Awareness Month, which evokes the specter of threats lurking behind our screens. Bombarded with horror stories about data breaches, ransomware, and malware, everyone’s suddenly in the latest cybersecurity trends and data, and the intricacies of their organization’s incident response plan. What does all this fear and uncertainty stem from? It’s the unknowns. Who might…

How an Attacker Can Achieve Persistence in Google Cloud Platform (GCP) with Cloud Shell

IBM Security X-Force Red took a deeper look at the Google Cloud Platform (GCP) and found a potential method an attacker could use to persist in GCP via the Google Cloud Shell. Google Cloud Shell is a service that provides a web-based shell where GCP administrative activities can be performed. A web-based shell is a nice feature because it allows developers and administrators to manage GCP resources without having to install or keep any software locally on their system. From…