Virtualization Technology News and Information
Skyhigh Security 2023 Predictions: The 2023 Cloud Cyber-Hygiene Forecast from Skyhigh Security's Vantage Point


Industry executives and experts share their predictions for 2023.  Read them in this 15th annual series exclusive.

The 2023 Cloud Cyber-Hygiene Forecast from Skyhigh Security's Vantage Point

By Rodman Ramezanian, Global Cloud Threat Lead, Skyhigh Security

Over the past 12 months, the style and severity of cloud-based threats enterprises face have continuously evolved. Despite fluctuations in their nature, there is much to be learnt from recent trends to help prepare for what might lie ahead in 2023. To that end, here is what we foresee from our experience:

  • Humans will continue to be in the crosshairs

As called out by Verizon, humans are the #1 contributor to breaches, at 82% of all causes, whether through compromised credentials, phishing/vishing, misuse, or a user misconfiguring a cloud account and exposing data.

Following the pandemic, many workforces continue to standardize hybrid arrangements and are likely to do so into the future. This will continue to present vast opportunities for cybercriminals to compromise their corporate targets. Social engineering has paid great dividends for attackers to date, and this will persist in 2023, becoming far more sophisticated in obtaining remote access credentials, ultimately in the hope of finding poorly protected servers and a bounty of unfettered space to move laterally. With SIM swapping, SMSishing, and vishing techniques only evolving, this will remain a relentless challenge in the new year.

  • BYOD'oh!

BYOD is almost an obligatory right for employees nowadays. Inevitably, users will perform both work and personal tasks on the same device, and likely synchronize the same cloud accounts, password managers, and remote access resources. With this trend continuing in place of locked-down corporate assets, threat actors will take advantage of these attack surfaces to exploit personal devices that are unprotected or unpatched, as an entry vector to corporate networks. As we've seen in 2022 already, the blurring of lines between corporate and personal accounts has presented tremendous value to attackers, and this will only expand as more BYOD assets and unsanctioned services are brought into the enterprise's scope. Coupled with the "back doors" and "side doors" into corporate cloud platforms from unmanaged devices via API, this will continue to be a fierce battleground.

  • Zero Trust for Network Access isn't enough: Zero Trust for Cloud

Zero Trust continues to surge in attention and relevance, as it presents a strategic shift in how organizations approach cybersecurity to meet today's challenges. Conventionally, Zero Trust's pillar of "least privilege" is considered for traditional access requests into corporate networks. Nowadays, it's typically more cost-efficient to host an application via the cloud rather than in an enterprise's data center. These cloud environments, however, are managed by SaaS vendors and cloud service providers rather than being a component of an organization's network. As a result, the same level of scrutiny or control does not always apply. With more organizations moving to and adopting more of the cloud, it's critical to incorporate Zero Trust into the design of these new cloud infrastructures. As new resources are spawned all over the cloud, with little to no central control over configurations and access, the cloud, and not just the traditional corporate network, is in desperate need of Zero Trust principles.

  • Powers of AI & ML to Improve Workflows & Alleviate Resource Constraints

In a recent Workforce Study conducted by (ISC)², the global cybersecurity skills gap has increased to over 3.4 million workers. While this may not be a particularly new challenge, it reinforces a common refrain that we must strive to do more with less. Thanks to advancements in Artificial Intelligence (AI) and Machine Learning (ML), there is a tremendous opportunity to extend the powers of AI/ML across data detections and responses, advanced anomaly algorithms and pattern matching, policy enforcements, automated incident remediation workflows, and many other capabilities. At a time when organizations face constant waves of sophisticated threats across multiple vectors, cloud security will increasingly harness AI and ML capabilities to not only alleviate skills shortages and resourcing challenges, but also automate powerful workflows to help enterprises stay ahead of attackers.

  • Stronger Push for Data Privacy Regulations

The handling of data privacy is becoming increasingly complicated as organisations rapidly move to the cloud. Data privacy and security are undoubtedly key considerations for any robust cloud strategy. Based on Gartner's predictions, "by the end of 2024 ... 75% of the world's population will have its personal data covered under modern privacy regulations. This regulatory evolution has been the dominant catalyst for the operationalization of privacy". Although public cloud data security offerings will indeed grow, fundamental requirements of data privacy and protection involve identifying and classifying your data, knowing where and how your data is stored/shared/used, and ultimately how it needs to be protected across all vectors. With the proliferation of enterprise cloud usage across almost any device nowadays, today's rapidly-evolving privacy landscape will absolutely be a key driver for tomorrow's security concerns.

  • In Summary:

Looking into the future, it's important to understand the complexities posed by rapid cloud advancements. Rest assured, across your devices, web, cloud, and private applications, you'll be covered if you take these thoughts into consideration.




With over 11 years’ worth of extensive cybersecurity industry experience, Rodman Ramezanian is a Global Cloud Threat Lead, responsible for Technical Advisory, Enablement, Solution Design and Architecture at Skyhigh Security. Rodman is an Australian Signals Directorate (ASD)-endorsed IRAP Assessor - currently holding CISSP, CCSP, CISA, CDPSE, Microsoft Azure, and MITRE ATT&CK CTI certifications.

Published Monday, November 14, 2022 7:32 AM by David Marshall