Industry executives and experts share their predictions for 2021. Read them in this 13th annual VMblog.com series exclusive.
2021 will be a year of reckoning: Digital acceleration results in security holes & IaC will be next big exploit
By PJ Kirner, CTO, Illumio
2020 brought with it many complex security challenges: a sudden uptick in ransomware; an unenviable struggle to secure millions of remote endpoints seemingly overnight, as employees around the world were forced to work and live fully remote; and a rapid surge in cloud adoption.
In fact, in an effort to proactively combat these newfound (or, for some, age-old) foes, we saw more development teams "shift security left" to further embed security into product development lifecycles. We saw an increased focus on Zero Trust as a framework of choice for organizations looking to bolster their security postures. And we saw even more organizations prioritize adaptable, scalable technology solutions to support growing and expanding developer workloads.
But what do these
trends mean for next year? And what cybersecurity risks should technology teams
keep top of mind, as we head into 2021? Here's
what we can expect:
There is such a thing as 'too much of a good thing' when it comes to the cloud.
As organizations rushed to retool for
remote work in 2020, obviously a greater emphasis was placed on the cloud. As a
result, we've seen faster adoption of cloud security and cloud-delivered
approaches, like SASE, with SD-WAN offered with cloud-delivered firewalls,
secure internet gateways, etc.
However, in 2021, organizations will begin to feel some pain and come to realize that it stems from an over-rotation to the cloud, built on the assumption that the cloud solves all business problems. While it solves many, it is not a panacea. By assuming that the cloud solves everything, organizations have overlooked the endpoint, where certain controls and capabilities should be carried out rather than in the cloud.
Next year, we will see a recalibration, as IT, networking, and security teams find on the endpoint more of the security value they initially looked to the cloud for. For these teams to get what they had before, with on-prem security controls monitoring people at the office, they will be forced to augment what they are doing on the endpoint.
For example, how can functionality like local network-level visibility be delivered by the cloud for traffic on home networks? Cloud-delivered functionality from SASE can see the inbound and outbound endpoint traffic that is sent to it, but it is blind to traffic not sent to the SASE gateway. It is also blind to the local home network, which has traditionally been seen as trusted, and to the traffic moving between devices there and hitting work laptops sitting at home. This is where some threats lie, and the ability to address this is better served at the endpoint, with full endpoint context.
In sum, we'll see a better balance
between controls in the data center, cloud and endpoint in 2021.
Infrastructure as code will be the next big culprit.
Will infrastructure as code lead to
the next headline-breaking breach?
The benefits of Infrastructure as
Code (IaC) are huge and have accelerated the way we do business by increasing
innovation through greater productivity. IaC is a technique that truly embodies
the DevOps philosophy.
That said, to date, the security side of IaC has been lacking, if not entirely overlooked. We hear about "shifting security left" but realistically, a true DevSecOps model has not been prioritized, and while many embrace the strategy, far fewer really know how to make the organizational changes to fully realize it.
This can leave organizations that pursue IaC for innovation and productivity open to more cyber risk than they realize, and, in turn, that risk could lead to a large-scale attack. Let's face it: bugs in code (and, in this case, in IaC configuration files) happen, and because of the power of the automation behind IaC, they can have an outsized impact.
Those unidentified or subtle bugs
often occur when things are assembled from multiple developers or operations
teams. Your CI/CD pipeline constructing the pieces of that puzzle can create
infrastructure containing potentially exploitable misconfigurations or
vulnerabilities. These issues will manifest in the gaps where nobody is
looking, in the one piece that is missing, or in the one piece that doesn't fit
well with the others. Individual pieces of IaC may pass security tests, but the
assembly of all those pieces may not. Naturally, the repercussions are
vast.
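The point that individually tested pieces can fail once assembled, shown as an added example (not from the original article). The resource model, module names, `var:` wiring convention and tier policy are constructed for illustration and are not a real Terraform or cloud schema.

```python
# Constructed, simplified resource model (not a real Terraform or cloud schema).
# Each module is what one team ships; "var:" sources are filled in at assembly.
INTERNET = "0.0.0.0/0"

EDGE_MODULE = {"web_sg": {"tier": "edge", "ingress": [{"port": 443, "source": INTERNET}]}}
APP_MODULE = {"app_sg": {"tier": "app", "ingress": [{"port": 8443, "source": "var:caller_sg"}]}}
DATA_MODULE = {"db_sg": {"tier": "data", "ingress": [{"port": 5432, "source": "var:client_sg"}]}}


def check_module(module):
    """Per-module test: internet ingress is allowed only on 443, and only on the edge tier."""
    findings = []
    for name, sg in module.items():
        for rule in sg["ingress"]:
            if rule["source"] == INTERNET and (rule["port"] != 443 or sg["tier"] != "edge"):
                findings.append(f"{name}: port {rule['port']} open to the internet")
    return findings


def assemble(modules, wiring):
    """Merge modules and resolve 'var:' sources the way a pipeline wires module inputs."""
    plan = {}
    for module in modules:
        for name, sg in module.items():
            rules = [{**r, "source": wiring.get(r["source"], r["source"])} for r in sg["ingress"]]
            plan[name] = {"tier": sg["tier"], "ingress": rules}
    return plan


def check_assembly(plan):
    """Composed test: a data-tier group must not accept traffic from an internet-exposed group."""
    exposed = {n for n, sg in plan.items() if any(r["source"] == INTERNET for r in sg["ingress"])}
    findings = []
    for name, sg in plan.items():
        if sg["tier"] != "data":
            continue
        for rule in sg["ingress"]:
            if rule["source"] in exposed:
                findings.append(f"{name}: port {rule['port']} reachable from internet-facing {rule['source']}")
            elif rule["source"].startswith("var:"):
                findings.append(f"{name}: input {rule['source']} was never wired")
    return findings


MODULES = [EDGE_MODULE, APP_MODULE, DATA_MODULE]
GOOD_WIRING = {"var:caller_sg": "web_sg", "var:client_sg": "app_sg"}
BAD_WIRING = {"var:caller_sg": "web_sg", "var:client_sg": "web_sg"}  # one wrong input

if __name__ == "__main__":
    print([check_module(m) for m in MODULES])              # every module passes alone
    print(check_assembly(assemble(MODULES, GOOD_WIRING)))  # assembled correctly: clean
    print(check_assembly(assemble(MODULES, BAD_WIRING)))   # same modules, one finding
```

Running `check_assembly` on the resolved plan in the pipeline, in addition to `check_module` on each piece, is what catches the mis-wired and the unwired input.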
In 2021, we will see problems in IaC exploited in security incidents, so the security industry will be left with no choice but to take a hard look at better protective practices for IaC. This will mean a true shift left: both demanding more of a CI/CD focus from security teams and insisting that security considerations become a real part of the CI/CD pipeline. We'll also see a greater focus on tools that let developers see and fix configuration issues directly in code.
The security industry is behind.
Because you can now develop infrastructure in minutes, there is often no time
to find vulnerabilities, or prevent misconfigurations from being deployed. With
attackers always waiting in the wings, it's imperative that organizations
prioritize IaC security in 2021 and write more secure configurations to avoid
future problems.
##
About the Author
As chief technology officer and
co-founder, PJ is responsible for Illumio's technology vision and platform
architecture. PJ has 20 years of experience in engineering, with a focus on
addressing the complexities of data centers. Prior to Illumio, PJ was CTO at
Cymtec. He also held several roles at Juniper Networks, including distinguished
engineer focused on advancing Juniper's network security and layer 4-7 services
plane. PJ graduated with honors from Cornell University.