Cloud Security: Part 3: The Future!
Data is the new oil! If only I had a dollar for every time I heard that. It is true though! But there’s an important corollary to that statement: data might be the new oil, but it’s the software that acts as the refinery that turns that crude oil into something useful. The cloud is an amalgamation of both – a lot of data and a lot of software! Part 1 and Part 2 of this blog series set out the ground realities: the cloud is the hub that supports multiple digital technologies, and cloud-centric network and information security is much more than tools and technologies – it’s about a cultural shift. This last part focuses on how these multiple shifts are shaping the present day and the future.
Network and information security vendors have been caught in the same cultural quagmire for some time – not knowing how to serve this new data-, software- and cloud-centric world. But the industry hasn’t totally stagnated as such. The incumbents are evolving and start-ups are emerging with cloud-native offers designed for the present and future. Let’s look at some emerging areas to understand this changing landscape.
Cloud-Centric Security: Foundational Concepts
The most foundational concept in cloud security that anyone can look into is the shared responsibility model. The following is a representative list of foundational technologies and technology areas you need to be aware of to understand the future of network and information security as enterprises increasingly move their workloads to the cloud.
Network Virtualization: Network virtualization is the future of networking. While not necessarily dependent on the cloud, network virtualization and the cloud share a symbiotic relationship. The underlying principle is virtualization, only this time, it’s addressing the virtualization of the network infrastructure. Network virtualization is enabling enterprises and network providers to leverage the power of software to build and operate a network. So, rather than relying heavily on specialized hardware for all the functions, most networking logic is managed through software, sometimes just leveraging commoditized hardware.
Software-defined Network (SDN) and Network Function Virtualization (NFV): Both SDN and NFV rely on network virtualization to extend the benefits of agility and cost effectiveness to building and managing networks. Together, they enable an enterprise to reduce dependency on hardware, and control network functions like routing or firewalls predominantly through software.
Software-defined Wide Area Network (SD-WAN): SD-WAN is the application of network virtualization to the world of WANs. A simple way to look at it is that SDN is to SD-WAN, what LAN is to WAN!
Shadow IT: For obvious reasons, innovation in SaaS applications has outpaced legacy on-prem applications. The result is that even when IT hasn’t sanctioned the use of certain applications, business users are still using them, oftentimes without IT even knowing about them. This prevalence of unsanctioned applications is often referred to as Shadow IT.
Data Loss Prevention (DLP): DLP refers to the security controls deployed to prevent sensitive data from deliberately or accidentally being leaked. DLP is not a new term, but a lot more prevalent today because of the influx of data and the significantly distributed nature of data in a cloud-centric world.
Cloud Access Security Broker (CASB): CASB is the perfect example of a cloud-native (born in the cloud!) security control. CASBs are predominantly responsible for reducing the risks of Shadow IT and for enforcing DLP on cloud applications. For example, imagine a marketing executive accidentally downloading the credit card details of a group of consumers from a SaaS application that is not being managed by IT. A CASB prevents such breaches (among others) from happening.
Identity-as-a-Service (IDaaS): IDaaS is a modernized security control that extends the world of authentication to a cloud-centric world; enabling smart authentication mechanisms that are tailored with modern security threats and user experience in mind.
What has changed?
Let’s start with what hasn’t changed. The basic principles of security (the CIA Triad) haven’t changed! The small list of terminologies in this post and Part 2 of this series does not do justice to the vast landscape of tools and technologies available to enterprises today, and even moving forward for the cloud-centric world. But the idea was to capture a representative set of technologies, technology areas and phenomena that could help explain how this landscape is evolving. If you haven’t caught the drift, here are a few points that can help sum it up:
- Whether some CISOs like it or not, cloud adoption will continue to grow because of the business needs
- The cloud, and the benefits it brings, is increasing enterprises’ dependence on leveraging software and data to be more agile and innovative
- This change is not just changing the face of business applications, but fundamentally challenging the notion of discrete hardware appliances for network management and network security
- Network and security vendors need to adapt to this fundamental shift…and fast! The realization is already there, but just like certain CISOs have tackled this cultural inertia, vendors need to acknowledge the need for this cultural change to truly harness the cloud too
- Your enterprise’s data and your customers’ data are already in the cloud! They are not lying locked up in your data center. This is the single biggest change that enterprises and vendors need to acknowledge, as it multiplies their challenges to ensure confidentiality, integrity and availability
- The cloud is the network of the future, so there’s no such thing as a perimeter anymore. Today’s “corporate network” is already an aggregation of cloud and on-prem resources
The Future
Part 1 of this series looked at the cloud from the lens of adjoining technologies. The cloud is a core element of the digital transformation initiatives. IoT, Big Data, AI, Edge Computing, 5G, and many other technologies that are going to shape the future of our digital lives rely on the cloud. And cloud adoption, in turn, relies a lot on these adjoining technologies too. Networks and network security are no exception. The notion of cloud security is not just the security of the cloud, but security in the cloud (look back at the shared responsibility model). The future of cloud security is intertwined with digital security in other areas, which is why cloud security always needs to be seen from a broad lens, as illustrated at the beginning of this post.
The future is data-centric
Your CEO, regulators, partners or your customers couldn’t care less whether you’re using a firewall or gateway or any other security control. All they care about is that any of their sensitive data that you’re storing or processing stays confidential and isn’t misused. Lose their data, lose their trust! Step one is to have visibility of your stakeholders’ data: in the public cloud, private cloud, data center, your employees’ laptops or your IoT devices. Data is going to get more distributed, so start with sensitive data discovery across your network, and then build security controls around Zero Trust principles to have a scalable data security strategy.
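To make the two DLP points concrete (the CASB scenario of a user pulling card numbers out of an unsanctioned SaaS app, and the "start with sensitive data discovery" advice above), here is an added example that is not code from the original post or from any vendor product. It scans constructed export records for payment card numbers, uses the Luhn checksum to weed out look-alike digit strings such as order numbers, and then applies a hypothetical CASB policy: allow clean records, redact card numbers for a sanctioned app, block the download for an unsanctioned one. The policy, the sample records and the field layout are all assumptions made for the example.

```python
"""Sensitive-data discovery and a CASB-style download decision (added example)."""
import re
from dataclasses import dataclass, field

# Candidate primary account numbers: 13-19 digits, optionally separated by a
# single space or dash. The pattern is deliberately loose; the Luhn check below
# removes most false positives (order ids, timestamps, phone numbers).
PAN_CANDIDATE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_valid(digits: str) -> bool:
    """Return True when the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _strip(match_text: str) -> str:
    return re.sub(r"[ -]", "", match_text)


def find_pans(text: str) -> list[str]:
    """Return the Luhn-valid card numbers in text, digits only."""
    return [_strip(m.group()) for m in PAN_CANDIDATE.finditer(text)
            if luhn_valid(_strip(m.group()))]


def mask_pan(digits: str) -> str:
    """Keep only the last four digits, as a DLP redaction would."""
    return "*" * (len(digits) - 4) + digits[-4:]


def redact_pans(text: str) -> str:
    """Replace every Luhn-valid card number in text with its masked form."""
    def _mask(m):
        digits = _strip(m.group())
        return mask_pan(digits) if luhn_valid(digits) else m.group()
    return PAN_CANDIDATE.sub(_mask, text)


def scan_export(records: list[str]) -> list[tuple[int, str]]:
    """Discovery pass: (record index, masked PAN) for every hit, never the raw PAN."""
    return [(i, mask_pan(pan)) for i, rec in enumerate(records) for pan in find_pans(rec)]


@dataclass
class Decision:
    action: str                       # "allow", "redact" or "block"
    reasons: list[str] = field(default_factory=list)
    redacted: str = ""


def casb_decision(record: str, app_sanctioned: bool) -> Decision:
    """Hypothetical CASB policy for one record of a requested download."""
    pans = find_pans(record)
    if not pans:
        return Decision("allow")
    reasons = [f"{len(pans)} card number(s) detected"]
    if not app_sanctioned:
        reasons.append("application is unsanctioned (Shadow IT)")
        return Decision("block", reasons)
    return Decision("redact", reasons, redact_pans(record))


# Constructed sample export, not real customer data. The first record carries a
# well-known test card number; the second carries a 16-digit string that fails Luhn.
SAMPLE_EXPORT = [
    "cust-1001, alice@example.com, card 4111 1111 1111 1111, exp 12/27",
    "cust-1002, bob@example.com, order 4111111111111112 placed 2024-01-05",
    "cust-1003, carol@example.com, no payment on file",
]

if __name__ == "__main__":
    print(scan_export(SAMPLE_EXPORT))
    print(casb_decision(SAMPLE_EXPORT[0], app_sanctioned=False))
    print(casb_decision(SAMPLE_EXPORT[0], app_sanctioned=True))
```

Two design points matter in practice: the discovery pass only ever returns masked values, so the scanner's own output does not become a new copy of the sensitive data, and the Luhn check is a false-positive filter rather than proof of a card number (about one in ten random digit strings passes it), so a real DLP rule would add context such as nearby field names or an issuer-prefix check.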
The future is more connected
The cumbersome energy company illustration above is already a thing of the present – sensitive data being produced and consumed by entities connected to the cloud. Software-defined networking is a core element of this expansive system. Consequently, network security will also rely increasingly on software-based and virtualized network services. More and more network security functions will get virtualized and deployed in a public or private cloud. So a large part of the corporate network fabric and its security will be managed from the cloud and virtualized functions. A nice example of making security functions software-friendly is the Thales "Virtual" Encryptor, which offers the highest level of security for the SD-WAN future, much like using a hardware encryption appliance.
The future is multi-cloud
When thinking of building network and network security features of the future, enterprises (especially medium to large-sized) need to be prepared for a multi-cloud environment. If the corporate network of the future is spread across multiple cloud environments, organizations need to think of securing them by design to avoid single-vendor dependencies for network and information security. Think back on the CIA Triad, and see how modern solutions can help you scale for your future. Core functions like authentication and encryption, for example, are now available in “as-a-Service” mode (check out authentication-as-a-service and encryption-as-a-service to learn more).
The future is devices, devices and more devices!
As illustrated in the energy company example, the number of devices connected to the corporate network is only going to increase further over time. And to harness their full potential, organizations will rely on the cloud and cloud-based network infrastructure to securely and reliably let these smartphones, laptops or IoT devices exchange data over disparate networks (proprietary, LAN, SD-WAN, 5G, NB-IoT etc.). The cloud will serve as the fabric, not just for the connectivity of these heterogeneous systems, but also for their security. If you dig deeper into the smart grid use case, you'll realize that it's an ecosystem of its own, but security and risk officers need to have insight into its security issues.
The future is Big Data and Artificial Intelligence
AI is everywhere today, whether it’s in your smartphone, your smart-home devices, or even the tiniest of microprocessors through capabilities like TinyML. But the core processing for AI still lies where the significant chunk of computing power and data resides – the cloud. While security measures are built to protect AI projects, AI itself is a critical component for improving network and information security. Machine Learning is becoming an integral part of every security solution, as enterprises want to leverage network and security-related data (events, alerts, logs etc.) to detect anomalous behavior that is otherwise difficult to spot. AI is going to be woven into the security infrastructure of every enterprise.
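The paragraph above says security data such as logs will be mined for anomalous behavior. The smallest useful version of that idea is a per-user baseline with a deviation threshold, and the following added example (not code from the post, and a statistical baseline rather than a trained model) shows it end to end: it parses constructed authentication log lines, learns each user's typical hourly failed-login count from a baseline window, and then flags hours in a later window whose count exceeds the mean by more than `k` standard deviations. The log format, the user names, the source addresses and the thresholds are all assumptions made for the example.

```python
"""Baseline-deviation detection over authentication logs (added example)."""
import re
import statistics
from collections import defaultdict

# Assumed log format, e.g. "2024-03-01T09:05:00Z user=alice src=10.0.0.5 result=failure".
LOG_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}):\d{2}:\d{2}Z "
    r"user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>success|failure)$"
)


def parse_lines(lines):
    """Parse log lines into dicts; the timestamp is truncated to the hour bucket."""
    events = []
    for line in lines:
        m = LOG_LINE.match(line)
        if m:  # malformed lines are skipped rather than failing the whole run
            events.append({"hour": m["ts"], "user": m["user"],
                           "src": m["src"], "result": m["result"]})
    return events


def failures_per_hour(events):
    """Map user -> {hour: failure count}; hours with only successes count as 0."""
    counts = defaultdict(lambda: defaultdict(int))
    for e in events:
        counts[e["user"]][e["hour"]] += 1 if e["result"] == "failure" else 0
    return counts


def build_baseline(events):
    """Per-user (mean, population stdev) of hourly failure counts."""
    return {user: (statistics.mean(hours.values()), statistics.pstdev(hours.values()))
            for user, hours in failures_per_hour(events).items()}


def detect_anomalies(events, baseline, k=3.0, min_count=5):
    """Flag (user, hour, count) where count exceeds mean + k*stdev.

    min_count stops tiny absolute counts from alerting when a user's baseline is
    near zero, and a user with no baseline at all alerts once past min_count."""
    alerts = []
    for user, hours in failures_per_hour(events).items():
        mean, stdev = baseline.get(user, (0.0, 0.0))
        for hour, count in sorted(hours.items()):
            if count >= min_count and count > mean + k * stdev:
                alerts.append((user, hour, count))
    return alerts


def make_lines(user, hour, failures, successes, src="10.0.0.5"):
    """Construct sample log lines for one user and hour (constructed data, not real logs)."""
    lines = [f"{hour}:{i:02d}:00Z user={user} src={src} result=failure"
             for i in range(failures)]
    lines += [f"{hour}:{30 + i:02d}:00Z user={user} src={src} result=success"
              for i in range(successes)]
    return lines


# Baseline window: six quiet hours for alice and bob.
BASELINE_LINES = []
for i, (a, b) in enumerate(zip([1, 2, 1, 0, 2, 1], [0, 0, 1, 0, 0, 0])):
    hour = f"2024-03-01T{9 + i:02d}"
    BASELINE_LINES += make_lines("alice", hour, a, 3)
    BASELINE_LINES += make_lines("bob", hour, b, 2)

# Detection window: a burst for alice from a new address, normal bob, unknown carol.
DETECTION_LINES = (
    make_lines("alice", "2024-03-02T03", 12, 0, src="203.0.113.7")
    + make_lines("bob", "2024-03-02T03", 2, 1)
    + make_lines("carol", "2024-03-02T03", 6, 0, src="198.51.100.9")
)


def run_example():
    baseline = build_baseline(parse_lines(BASELINE_LINES))
    return detect_anomalies(parse_lines(DETECTION_LINES), baseline)


if __name__ == "__main__":
    print(run_example())
```

The point a practitioner should take from this is that the "model" is only as good as the baseline: a per-user baseline catches alice's burst while leaving bob alone, but a user who has never been seen (carol) has no baseline and falls back to the absolute floor, and a burst spread across many users at low rates would pass entirely. Real deployments add more features (source address novelty, time of day, peer-group baselines) and retrain the baseline on a rolling window.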
The future is already here
Most of the trends highlighted above are still somewhat nascent, but they already exist today. Tomorrow, there will be more data, more devices, more software, and definitely more AI, all connected by the fabric of the cloud. It's important that enterprises as well as security vendors gear up for this future. Old security controls either need to be ripped out, or at least repurposed for the cloud- and data-centric future. What's also important to remember is that enterprises aren't going to ditch their data centers and move to the cloud overnight. In some cases, in fact, data privacy regulation itself might prevent this transition. The security industry needs to keep these nuances and the prevailing enterprise security culture in mind. For example, every day, we’re helping customers and partners who are at different stages of their cloud security journey. And we see a broad spectrum of enterprises, ranging from large-scale legacy enterprises to emerging digital-native organizations, all having variable needs. We’ve remodeled our offers for the cloud-centric world with capabilities like Authentication-as-a-Service or Encryption-as-a-Service, all the while avoiding any compromise on security. And these core capabilities enable our customers, network security vendors and even cloud infrastructure providers to embrace the future with utmost confidence. How are you preparing to embrace the cloud-centric future?
Jump to Cloud Security: Part 1: The Cloud!
Jump to Cloud Security: Part 2: Evolution of Network Security to Cloud-Centric Security
DISCLAIMER: All the cool views presented in this post are my own, and do not necessarily reflect the views of my past or present employers.