Virtualization Technology News and Information
Illumio 2021 Predictions: Digital acceleration results in security holes & IaC will be next big exploit

vmblog 2021 prediction series 

Industry executives and experts share their predictions for 2021.  Read them in this 13th annual series exclusive.

2021 will be a year of reckoning: Digital acceleration results in security holes & IaC will be next big exploit

By PJ Kirner, CTO, Illumio

2020 brought with it many complex security challenges. A sudden uptick in ransomware, an unenviable struggle to secure millions of remote endpoints seemingly overnight - as employees around the world were forced to work and live fully remote - and a rapid surge in cloud adoption.

In fact, in an effort to proactively combat these newfound (or some, age-old) foes, we saw more development teams "shift security left" to further embed security into product development lifecycles. We saw an increased focus on Zero Trust, as a framework of choice for organizations looking to bolster their security postures. And we saw even more organizations prioritize adaptable, scalable technology solutions to support growing and expanding developer workloads. 

But what do these trends mean for next year? And what cybersecurity risks should technology teams keep top of mind, as we head into 2021? Here's what we can expect:

There is such a thing as 'too much of a good thing' when it comes to the cloud.

As organizations rushed to retool for remote work in 2020, obviously a greater emphasis was placed on the cloud. As a result, we've seen faster adoption of cloud security and cloud-delivered approaches, like SASE, with SD-WAN offered with cloud-delivered firewalls, secure internet gateways, etc.  

However, in 2021, organizations will begin to feel some pain, which they will come to recognize as an over-rotation to the cloud based on the assumption that the cloud solves all business problems. And while it solves many, it is not a panacea. By assuming that the cloud solves everything, organizations have overlooked the endpoint, where certain controls and capabilities should be carried out rather than in the cloud.

Next year, we will see a recalibration, as IT, networking, and security teams will find more security value on the endpoint that they initially looked to the cloud for. For these teams to get what they had before with on-prem security controls monitoring people at the office, they will be forced to augment what they are doing on the endpoint.

For example, how can functionality like local network-level visibility be delivered by the cloud for traffic on home networks? Cloud-delivered functionality from SASE can see inbound and outbound traffic from endpoints that is sent to it, but it is blind to traffic not sent to the SASE gateway and also blind to the local home network, which has traditionally been seen as trusted, and the traffic moving between devices and hitting work laptops sitting at home. This is where some threats lie, and the ability to address this is better served at the endpoint, with full endpoint context.

In sum, we'll see a better balance between controls in the data center, cloud and endpoint in 2021.

Infrastructure as code will be the next big culprit.

Will infrastructure as code lead to the next headline-breaking breach?

The benefits of Infrastructure as Code (IaC) are huge and have accelerated the way we do business by increasing innovation through greater productivity. IaC is a technique that truly embodies the DevOps philosophy.

That said, to date, the security side of IaC has been lacking, if not entirely overlooked. We hear about "shifting security left" but realistically, a true DevSecOps model has not been prioritized, and while many embrace the strategy, many fewer really know how to make the organizational changes to fully realize it.

Organizations pursuing IaC for innovation and productivity can open themselves up to more cyber risk than they realize, and, in turn, that risk could lead to a large-scale attack. Let's face it. Because IaC can have a huge impact, given the power of the automation behind it, bugs in code (IaC configuration files, in this case) happen, and can also have an outsized impact.

Those unidentified or subtle bugs often occur when things are assembled from multiple developers or operations teams. Your CI/CD pipeline constructing the pieces of that puzzle can create infrastructure containing potentially exploitable misconfigurations or vulnerabilities. These issues will manifest in the gaps where nobody is looking, in the one piece that is missing, or in the one piece that doesn't fit well with the others. Individual pieces of IaC may pass security tests, but the assembly of all those pieces may not. Naturally, the repercussions are vast. 
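To make the point about pieces passing while the assembly fails concrete, here is an added example (not from the article or from Illumio): a per-piece lint and an assembled check run over three constructed IaC fragments. The resource names, the `${var.*}` reference syntax and the dict layout are assumptions made for illustration.

```python
# Constructed sample: three IaC pieces owned by different teams, already parsed to dicts.
PIECES = {
    "network": {"type": "security_group", "name": "web_sg",
                "ingress": [{"cidr": "0.0.0.0/0", "port": 443}]},
    "subnets": {"type": "subnet", "name": "dmz", "public": True},
    "admin":   {"type": "service", "name": "admin_api", "exposure": "internal",
                "port": 443, "security_group": "${var.sg}", "subnet": "${var.subnet}"},
}
# Root configuration: how the pipeline wires the pieces together.
WIRING = {"admin": {"var.sg": "web_sg", "var.subnet": "dmz"}}
PUBLIC = "0.0.0.0/0"

def check_piece(piece):
    """Per-piece lint: sees one resource only and cannot resolve ${var.*} references."""
    findings = []
    if piece["type"] == "security_group":
        for rule in piece["ingress"]:
            if rule["cidr"] == PUBLIC and rule["port"] != 443:
                findings.append(f"{piece['name']}: public ingress on port {rule['port']}")
    if piece["type"] == "service" and not piece.get("security_group"):
        findings.append(f"{piece['name']}: no security group attached")
    return findings

def check_assembly(pieces, wiring):
    """Assembled check: resolve references, then test what is actually reachable."""
    by_name = {p["name"]: p for p in pieces.values()}
    findings = []
    for key, piece in pieces.items():
        if piece["type"] != "service" or piece["exposure"] != "internal":
            continue
        # "${var.sg}" -> "var.sg" -> wired resource name -> resource definition
        resolve = lambda ref: by_name[wiring[key][ref[2:-1]]]
        sg, subnet = resolve(piece["security_group"]), resolve(piece["subnet"])
        open_port = any(r["cidr"] == PUBLIC and r["port"] == piece["port"]
                        for r in sg["ingress"])
        if open_port and subnet["public"]:
            findings.append(f"{piece['name']}: internal service reachable from "
                            f"{PUBLIC} via {sg['name']} in public subnet {subnet['name']}")
    return findings

def run():
    """Return (per-piece findings, assembled findings) for the constructed sample."""
    per_piece = [f for p in PIECES.values() for f in check_piece(p)]
    return per_piece, check_assembly(PIECES, WIRING)

if __name__ == "__main__":
    print(run())
```

Every piece is clean on its own; the finding only appears once the wiring is resolved, which is why the assembled plan, not just each module, belongs in the CI/CD gate.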

In 2021, we will see problems in IaC exploited in security incidents, so the security industry will be left with no choice but to take a hard look at better protective practices for IaC. This will mean a true shift left: both demanding more of a CI/CD focus from security teams and insistence that security considerations become a real part of the CI/CD pipeline. We'll also see a greater focus on tools that let developers see and fix configuration issues directly in code.

The security industry is behind. Because you can now develop infrastructure in minutes, there is often no time to find vulnerabilities, or prevent misconfigurations from being deployed. With attackers always waiting in the wings, it's imperative that organizations prioritize IaC security in 2021 and write more secure configurations to avoid future problems.


About the Author

PJ Kirner 

As chief technology officer and co-founder, PJ is responsible for Illumio's technology vision and platform architecture. PJ has 20 years of experience in engineering, with a focus on addressing the complexities of data centers. Prior to Illumio, PJ was CTO at Cymtec. He also held several roles at Juniper Networks, including distinguished engineer focused on advancing Juniper's network security and layer 4-7 services plane. PJ graduated with honors from Cornell University.

Published Friday, January 22, 2021 7:26 AM by David Marshall