In this video, Stephen Lawton discusses various trends and challenges in cloud computing and cybersecurity, highlighting the growth in cloud spending, concerns about data security, the rise of cloud-native startups, and issues related to AI and machine learning.
It also addresses the importance of cloud sovereignty, the need for secure backups and encryption, and the evolving landscape of cyber insurance requirements and security controls for both on-premises and cloud environments.
The transcript below has been lightly edited for clarity and length.
Stephen Lawton: Hello and thank you for allowing me into your offices and homes. I'm Stephen Lawton, founder and chief consultant at AFAB Consulting LLC, as well as a veteran technology journalist specializing in cybersecurity and related topics.
Like many of you, I've been hanging around technology for a long time. I started writing about the cloud years ago when it went by the name of timesharing. Companies bought time using other companies' mainframes for storage and high-performance processing. While many of our younger colleagues might think of the cloud as a relatively new technology, its roots run deep. More than half a century, in fact. In those days, you knew exactly where your data was stored. You did not necessarily, though, have physical access to the system.
Contrast that with today's cloud environment where you don't even know, depending on the cloud service provider you use, what country the servers might be in, let alone have access if you're employing a public cloud environment.
So let's talk a bit about some statistics in cloud computing and set a baseline for today's discussion. Gartner predicts that this year, worldwide public cloud spending will grow 20.7% to $592 billion, up from $490 billion in 2022. It also says that moving to the cloud is no longer an option but rather a priority for organizations. In fact, Gartner expects that in two years, enterprises will spend more on public cloud services than traditional IT services.
Top Cloud Concerns
According to Statista, the top cloud service concerns are data loss and leakage at 69%, data privacy and confidentiality at 66%, followed by accidental exposure of credentials at 44%. Despite being aware of these challenges, only one in five organizations assess their overall cloud security posture in real time. Ouch.
Here are a couple more stats that are rather sobering. Eighty-two percent of cloud security breaches are caused by a lack of employee skills, and 83% of businesses do not encrypt their sensitive data when using the cloud despite the complexity of the process.
Those are sobering statistics. But now let's look at some trends that we're seeing. Some are relatively new and some expansions of what we've seen in prior years. We started to see virtually everything as a service beginning several years ago. It began with cloud-based storage and software as a service. Today we have virtually everything offered as a service, the ubiquitous X as a service covering nearly every option. In 2021, the beginning of the COVID pandemic, the as-a-service market was a healthy $200 billion and growing.
Today, we've got a growing number of startups that are cloud-native, and that's continuing to grow every day. Research from IMARC expects the market to hit more than $624 billion by 2027 — although frankly, I wouldn't be surprised to see it hit that number even earlier as more companies migrate from a CapEx model to an OpEx model. While we still see corporate data centers being built, we can expect to see many of them being more of the module style rather than the large data centers that we're accustomed to. Corporate data centers won't disappear, but they won't be as prevalent as they were in the past.
Many of the new data centers are being designed as cloud-based data centers, and many of those are from the normal suspects you would think — the Microsofts, the Googles, and many of the other top service providers. Last year, the research firm Forrester conducted the Infrastructure Cloud Survey that indicated 40% of companies will take a cloud-native-first strategy this year. As expected, the reasons are CapEx versus OpEx, agility and efficiency versus local data. Forrester expects to see greater use of technologies such as artificial intelligence and machine learning, internet of things, and 5G technology to drive the growth.
AI's Role in Cybersecurity
We hear a lot about AI and ML, actually, but many of the companies I've talked to over the past couple of years said they were implementing AI but were really not doing so. Ultimately, they acknowledged that they were putting the pieces in place for AI, but they still didn't necessarily have the applications up and running the way they wanted to. Despite the marketing hype, AI and machine learning are nascent technologies and still have a long way to go before they become standard fare. And that actually is a good thing. AI is still developing; we still have a lot of pent-up growth waiting to burst forth. But we're still dealing with issues such as biases in AI training that we need to get past before the AI applications really take hold.
That said, don't look for AI-driven clouds to end the need for human analysts. While AI can make a lot of decisions quickly based on a set of predetermined parameters, it often still has issues with nuance. AI can only make decisions based on what is known knowledge. It still hasn't been able to make the leap from analyzing data and making leaps of faith to new and different decisions that a human analyst can do.
For example, you might find AI engines scanning networks for unusual activities that indicate malware or an attacker moving through the network. The obvious action is to take a defensive action, be it leading the attacker through a diversion tactic to the corporate equivalent of the Star Trek holodeck where the malicious invader can be overwhelmed by enticing, yet completely bogus data.
This might be an appropriate action sometimes, but it's not the appropriate action if say, for example, developers are testing their own security applications and the AI program sees it and thinks it's a real attack. Human analysts with knowledge of the inner workings of the company and the staff's actions would be able to prevent those actions from occurring on the network without engaging any unnecessary defensive actions.
We've seen some excellent results from the managed detection and response — or MDR — offerings from various vendors for both corporate security and SOC-as-a-service providers. In fact, SOC-as-a-service offerings are being rebranded as MDR in some cases. It's not a rebranding that I particularly like. SOCs have so much more to offer than just MDR, but it does show the traction that AI and MDR are gaining in the market.
Importance of Cloud Sovereignty
While the requirements for sovereign clouds have been around since GDPR became effective in 2018 and called for data to be kept within the EU country where it was created, we still have some problems with sovereign clouds even today. In the U.S., some networks ignore international boundaries with Canada, hitting routers across the border as traffic traverses from one part of the country to another. A Capgemini study found that 71% of enterprise leaders from 10 countries, including the U.S., UK and Germany, believe their organizations will adopt sovereign cloud services to ensure compliance with GDPR and similar regulations. In fact, Capgemini's report "Journey to Cloud Sovereignty" estimates worldwide spending to hit $1.3 trillion in 2025.
It can be frustrating for organizations that work hard to comply with a plethora of regulations, only to find out that their cloud service provider, in its infinite wisdom of reconfiguring its network, has breached the sovereignty of the cloud environment and is sending at least some of the users' data to a country other than the country of origin, or perhaps even to a country that is hostile to the country of origin. Despite the consumer's best efforts, it's now out of compliance with GDPR and some of the other cloud sovereignty regulations. When that happens, there's little that clients can do save for working with the provider to remediate the problem or simply changing providers. That said, organizations that are required to meet compliance regulations need to test continuously to ensure they remain compliant, just as they would for any other regulation.
The Move to SASE
Another interesting trend that we're seeing is the move to SASE, Secure Access Service Edge. SASE isn't a technology — it's a marketing term coined by Gartner. It's a collection of technologies that work together as part of the zero trust initiative, which is yet another marketing term. As many of you already know, the idea of a zero trust environment has been around for many years and is a very productive move, but it's fraught with challenges. For example, zero trust network access (ZTNA) sounds great and is likely to continue to grow in the enterprise. But ZTNA is a bit of a bust for those who are not already authorized in your Azure Active Directory, for example. This could be a problem for small companies, for example.
While ZTNA is an excellent strategy for employees of large corporations as it scales better and is much more robust than the virtual private network, it does have its challenges. It's not ideal for consumers, or perhaps a manufacturer that needs a large supply chain. Each company in that supply chain has its own network requirements. That means separate ZTNA configurations for each business partner. It's not a bad idea, but potentially could become complicated to manage a unique ZTNA configuration for each partner. Some companies might default back to VPNs simply to decrease the complexity of their network.
The Ransomware Debate
Attacks on cloud assets simply are not going away. Whether we see another round of massive breaches such as those targeting Log4j, Spring4Shell and OpenSSL remains to be seen. But rest assured, the cybercriminals are very active. We have seen some successes from law enforcement, such as the January announcement by the Department of Justice and FBI that the Russian-linked Hive ransomware syndicate was shut down.
But for every major syndicate that is shut down, more take their place. Even now there's a debate going on whether a ransomware victim or their insurance company negotiating with state-sponsored attackers is violating the Foreign Corrupt Practices Act, committing a Logan Act violation for a non-government official negotiating with a foreign government, or a Patriot Act violation for negotiating with terrorists.
It wasn't that many years ago when the FBI's unofficial policy for ransomware was simply to pay the ransom. Today that is no longer the case. However, when an organization's cloud environment comes under attack, they may have very few options. For example, an organization running a hot backup cloud instance with a different provider might — and I emphasize the word "might" — be able to switch over to the hot site and continue operating. That could be the case if the provider itself was a target and not the corporate data. If the company was attacked directly and the malware saved to multiple cloud instances, it could corrupt the hot site concurrently with the primary site. And of course, let's not forget the backups. One cannot simply restore a backup without ensuring that the backup itself has not been compromised by malware.
Whether we're talking about cloud-based backups or local backups, it doesn't matter. Before a backup is restored, it must be confirmed to be clean of any malware or ransomware. A Cybereason study from April 2022 found that 80% of companies that paid a ransom were hit a second time, with 40% paying a second ransom. Of that group that paid the second time, 70% of them paid a higher ransom than the first. During 2022, cloud applications accounted for 48% of malware deliveries, a 10% increase over the previous year.
More than 400 distinct cloud apps were used as targets with malware during 2022, according to Netskope, with Microsoft's OneDrive highlighted as the most abused app by the threat actors, accounting for 30% of all cloud-based malware delivery. That actually should not be surprising. In the previous year, 2021, Google Drive held the top spot. Obviously, the attackers like to go after cloud-based data storage.
Local telecommunications companies saw a significant increase in the volume of malware attacks last year, with 81% of attacks cloud-based compared to 59% the previous year. Retail, healthcare, and manufacturing also saw a surge in cloud-delivered network attacks.
Encryption in the cloud is an ongoing challenge as well. Cloud encryption transforms plain text into data that's completely indecipherable. It's called ciphertext. It's essential to remember that cloud security is a shared responsibility between the service provider, whose main responsibility is frankly protecting its own investment in the infrastructure, and the user, who is responsible for protecting their own data.
Cyber hygiene ensures that encryption keys are protected by a key management system that's not simply stored in the cloud. It seems like it shouldn't need to be said, but we've seen too many data breaches where the keys were exposed because they were stored with the data they were protecting. This is not a good idea.
Secure backups and recovery are essentially components of a disaster recovery plan. For that matter, one of the cyber controls needed to obtain cyber insurance, which we'll address in a moment, is having encrypted and secure backups.
Secure backups are not only for your physical hardware, such as your data centers, departmental servers, and workstations; as the Netskope research demonstrated, they are for cloud-based storage as well. Cloud-based backups are popular, but it's important to remember that some cloud environments cannot be used for bare-metal restores of an on-prem partner. This situation has improved tremendously over the past 10 years, but it's still essential for you to check with your cloud service provider to determine if that capability is available for your servers on-prem.
Since we're talking about backup, it's also appropriate to note that should an organization be attacked by a cybercriminal and have their cloud storage compromised, they need to ensure that their backups are clean before doing the restoration. We touched on that already. It does you no good to restore a backup that's restoring the malware that took you down in the first place.
Additionally, your older backups need to be analyzed to ensure that there are no instances of malware, advanced persistent threats, unpatched software, and other vulnerabilities and compromises existing in the backup that would make the restoration problematic without first remediating those problems. You perhaps had already remediated those issues on your working server, but since you're going to a backup, you need to check and make sure that it's done again.
And of course, never simply apply patches and updates to the backup without making a second master backup. You don't want to be in a situation where a failed operating system upgrade to the backup ends up destroying your one and only copy.
Targets of cloud-based attacks include not only your primary cloud storage environments, but also the various virtual machines that get spun up for short time use. A great many organizations have more controls over the creation and destruction of virtual machines.
In the discussions I've had with CISOs over the years, I've often heard about departments that purchase low-cost services because it's easier to obtain the services directly than to try to obtain them through a corporate IT department. Some cloud service fees easily fit into the spending limit of the department managers who need the resources for a short-term project, but often they don't cancel the service or they forget to turn off the virtual machines. Engineers who spin up the VMs might simply keep them running in case they need them again in the future. These rogue VMs are not under the control of corporate IT and could be used as points of entry into the network. Think of it as a piece of shadow IT sitting out there on the network just waiting to be abused by an attacker.
Another trend we're seeing this year is a move to agentless security versus the more traditional agent-based approaches. Agentless approaches are flexible and often more cost-effective, while agent-based product offerings offer deeper insights with a clear snapshot of what's going on at any given time. And then there's the ubiquitous hybrid approach.
The debate over agent-based versus agentless is not dissimilar to some of the backup debates about technology, in that proponents argue technology rather than the value of benefits is more important. Ultimately, it's not a question of which approach you should deploy — or rather, which approach is appropriate for wherever you want to deploy it. Security teams are focused on just that — the security of the data off of the CIO's teams. And some of the system architects and departmental IT teams are more concerned with creating as little friction in the operation as possible, permitting the users to get their jobs accomplished and increase corporate value rather than focusing on the data security element. This is a debate as old as computing itself, and it affects corporate decision-making at many levels.
Finally, I mentioned cyber insurance a moment ago. The cloud is playing a much bigger part in terms of companies qualifying for cyber insurance, or failing to qualify in many cases, than ever before. In years past, cyber insurance was sold like a commodity, much like home or car insurance. Then came COVID and the huge ransomware attacks that turned the cyber insurance market on its head.
Today, the market is recovering from the chaos of high prices and the changes in how the insurance was being offered. Coverages are significantly lower than they had been in previous years; prices are still high. But today, the insurance companies are fairly on an even keel in the profit/loss area. A couple of years ago, the publication Canadian Underwriter reported that Canadian cyber insurance companies were spending almost 22% more in claims than they were bringing in.
That level of chaos is apparently gone now, and the insurers are back on an even keel. Insurers are tightening the qualifications required, however, for both existing policy holders and new policies, often requiring new applications, even for renewals, and, again, much of this affects cloud services. Marsh McLennan, the world's largest insurance broker, has 12 cybersecurity controls for companies that want to obtain a policy. Other carriers and brokers have their own list, but the point is you can't just call them and buy a policy.
On top of that, the SEC is now requiring enterprises to have cyber insurance as part of its governance regulations. It's no longer a nice-to-have. If you're covered by the SEC, you had better have cyber insurance protecting your cloud environment, as well as your on-prem data.
If you're planning to renew a policy or get a new one, where do you start? Let's begin with the top five security controls from Marsh:
- multifactor authentication for remote access and administration controls;
- endpoint detection and response;
- secure, encrypted, and tested backups;
- privileged access management; and
- email filtering for web security.
Without these five security controls in place, both for your on-prem and cloud assets, you'll have a hard time finding cyber insurance. In April of 2022, a manufacturing company obtained a cyber policy directly from Travelers Insurance. The company attested to having suitable multifactor authentication across its entire enterprise. A month later, the insured was hit by an attack that penetrated through an unprotected device on the network. Rather than simply denying the claim, Travelers sued the client, claiming it lied on its application that it had adequate 2FA. Despite having two-factor authentication in place, the security control simply wasn't up to snuff. It didn't cover 100% of the enterprise. Several months later, the company agreed that its security control was inadequate and lost its policy and all of its premium payments after being sued by Travelers for lying on its application.
Insurers are getting serious about these security controls, be they for on-prem or in the cloud. Simply attesting to having security controls is not enough anymore.
And just to close the loop, here are the other security controls that Marsh requires:
- Patch management and vulnerability management;
- Cyber incident response planning and testing;
- Cybersecurity awareness training and phishing testing;
- Remote Desktop Protocol mitigation and similar hardening techniques;
- Logging and monitoring of network protections;
- End-of-life system replacement; and
- Vendor supply chain risk management.
To put this last control into perspective, Verizon's 2022 Data Breach Investigations Report said that 62% of all breaches came through a business partner. Forrester's Alla Valente told me recently she believed that number was likely higher than 62% — possibly reaching even 70%. That's a lot of breaches due to third-party risk management vulnerabilities.
We've covered a lot of ground today and yet we've barely scratched the surface. Cloud-native apps and cloud computing in general have changed the very fabric of the computing environment forever. Sure, we still have corporate data centers and likely always will. But the cloud brings a type of level playing field for those who don't have the financial or staffing resources to compete with larger, more established companies.
For someone like me who's been writing about the computer industry for decades, it gives me hope that even startups can compete and succeed, even if they can't afford the most experienced and expensive SOC analysts.