8 Priorities for Cloud Security in 2024
The pace of cloud migration has outpaced security. How can organizations prioritize cloud security this year?
![Floating castle tower on a cloud](https://eu-images.contentstack.com/v3/assets/blt69509c9116440be8/blt63a05efd4df0b15c/65b3ca7aecb4a4040a28425c/00cloudsec-Hardi_Saputra-alamy.jpg?width=700&auto=webp&quality=80&disable=upscale)
Hardi Saputra via Alamy Stock
The skills gap is an ongoing challenge in the broader field of cybersecurity and in cloud security. In a 2022 survey conducted by 451 Research, 44% of organizations reported that finding qualified candidates to hire was a significant challenge they face in tackling the cloud skills gap.
The challenge of finding new hires is compounded by the retention of existing cybersecurity talent. Burnout is widespread in the industry, impacting analysts and CISOs alike. The State of the CISO 2023-2024 Benchmark Summary Report notes that 75% of CISOs are considering switching jobs, up from 67% in 2022. Job dissatisfaction could be a factor fueling that drive for change.
“Everybody's trying to solve the problem at the same time: trying to hire top talent, trying to train people up; and it's just not going to happen at the pace I think we need it,” says James Campbell, CEO of cloud incident response firm Cado Security.
Enterprises will likely need to consider a combination of technology, training, and talent sourcing to ensure they have the resources to adequately address cloud security.
Identifying misconfigurations can help organizations secure their cloud environments, but these vulnerabilities remain a problem. Nearly a third of respondents to a cloud security survey from cybersecurity training nonprofit ISC2 report that the inability to identify misconfigurations quickly is a big operational challenge impacting the protection of cloud workloads.
When working with clients, the team at cybersecurity advisory and solutions company Optiv frequently identifies misconfigurations. “I don't think we've ever done one where we're going in and [haven’t] found cloud misconfigurations that have increased the vulnerability or the risk of an organization’s cloud infrastructure,” Edward Lewis, Optiv’s secure cloud transformation director, tells InformationWeek.
The majority of IT and security decision makers (93%) consider segmentation of critical assets essential to securing cloud-based projects, according to Illumio’s Cloud Security Index 2023. “If I'm properly segmenting the cloud environment, that's going a long way towards not only achieving zero-trust maturity but [also] creating an environment that makes it very difficult for attackers to successfully attack,” says Illumio’s Kindervag.
Cloud touches nearly every aspect of an enterprise’s operations, yet security is often undertaken with a piecemeal approach. When security operates in siloes, risk and operational overhead tend to increase. Kindervag argues that a zero-trust approach can break down those siloes.
“If you have a zero-trust effort in place, then that's going to bring cloud in and networking and endpoint … and identity and all these things, and they're going to be able to collaborate,” he says.
The number of large organizations shifting to a multi-cloud strategy is only going to increase, expected to go up from 76% to 85% in 2024, according to Forbes. “The moment you added a second or third CSP [cloud service provider] to the mix, there’s a couple of areas that become a challenge … and I think that a lot of companies are at that point where they're really looking to understand how they … manage their increasingly complex cloud environment,” says Optiv’s Lewis.
As that complexity grows, enterprise leadership could consider where a cloud security posture management (CSPM) or cloud-native application protection platform (CNAPP) fits into their strategy.
Continuous monitoring is a vital strategy for thwarting threat actors’ persistent targeting of cloud environments. “Continuous monitoring is … a great way to essentially find attacks from an unsophisticated level all the way up to a zero-day anomaly,” says Law Floyd, director of cloud services at cybersecurity company Telos Corporation. “Continuous monitoring … allows you to find attacks as they're happening, before they even touch anything significant.”
Artificial intelligence is at the forefront of nearly every technology and security leader’s mind in 2024. What opportunities and threats does it bring?
On the opportunities side, AI could be instrumental in alleviating the skills gap by driving further automation in areas like continuous monitoring. It can also be used to combat AI-fueled attacks.
“Companies must consider deploying advanced AI-driven security measures to safeguard cloud environments and counteract the sophisticated strategies employed by malicious actors,” Moshe Weis, CISO of cloud native security company Aqua Security, shares in an email interview.
While AI has the potential to be a powerful security tool, CISOs and their teams need to exercise caution when selecting those tools. With the glut of options in the market, which ones will deliver on their promises? “People do have to be aware and actually make sure they are testing what is promised when it comes to leveraging AI and machine learning models,” says Cado Security’s Campbell.
In the ISC2 survey on cloud security, 44% of respondents cite budget as a barrier standing in the way of migration to cloud-based security solutions.
“Costs relating to cloud services expenses, infrastructural changes and migration projects, establishment of governance and compliance implementations, training and skills development and many others must be budgeted and managed diligently to strike the right balance between securing cloud environments and handling costs effectively,” Rodman Ramezanian, global cloud threat lead at Skyhigh Security, formerly McAfee Enterprises, says in an email interview.
CISOs are increasingly gaining a seat at the leadership table, and once there, they need to make the business case for security spending. Does an enterprise’s budget take into consideration the millions of dollars a potential breach could cost? How much does an organization need to invest in cloud security versus on-premises security? Is the money being spent in the right places?
“You could spend millions on cloud security tooling, if you like, but if you don't spend the money where it matters, which is upskilling your team and operationalizing it within your organization, then it's going to be a pretty bad ROI for all involved,” says Optiv’s Lewis.
As security leaders evaluate their spending, consolidation could emerge as an effective cost reduction measure. “Consolidated platforms are becoming essential tools for companies to effectively manage cloud spending, enhance security posture and achieve overall optimization,” says Aqua Security’s Weis.
Cybersecurity is gaining more attention from not only business leaders but governments and regulators as well. The federal government rolled out a national cybersecurity strategy in 2023. The US Securities and Exchange Commission’s cybersecurity incident disclosure requirements went into effect last year. And data privacy regulation is an increasingly pressing, if quite complex, issue.
“A lot of organizations aren't planning as well as they should for these various … compliance efforts,” says Telos Corporation’s Floyd.
Maintaining compliance can be a complicated matter, requiring buy-in across an enterprise and, of course, a part of the budget.
Organizations need to invest in security tools and strategies to keep up with evolving threats and evolving regulations. Aqua Security’s Weis offers data privacy as an example. “Increasing data privacy concerns push organizations to have comprehensive data security measures, such as encryption, access controls and data anonymization,” he says.
The core tenet of cybersecurity is clear: defend an organization’s network, IT infrastructure, and assets from attacks. But organizations’ strategies need to evolve to embrace security in increasingly complex multi-cloud and hybrid environments besieged by sophisticated attacks against the backdrop of a changing regulatory reality.
Over the past year, 47% of breaches originated in the cloud, according to the Cloud Security Index 2023 from cloud security company Illumio. “We’re seeing just so many problems coming out of the cloud because the rush to [adopt] the cloud moved faster than the trailing effort to secure the cloud,” John Kindervag, Illumio’s chief evangelist and creator of zero trust, tells InformationWeek.
Some enterprises are in the early days of their cloud journeys, testing the waters with a single cloud provider. Others, typically larger enterprises, are well into their cloud strategies with complex hybrid and multi-cloud environments.
Initially, enterprises’ security concerns will revolve around the basics. Are they introducing any legacy issues into the new environment? Do they understand how cloud security differs from on-premises security? Instead of focusing on migration, enterprises with more mature cloud strategies are likely honing their cloud operating procedures and defenses.
Where an organization is in its cloud journey can dictate its priorities, but a core set of security issues are omnipresent. What are the attack vectors? How are the threats evolving? How can the organization defend itself?
If an enterprise is using cloud, it cannot operate that technology in a silo isolated from security. The following slides identify some of the biggest cloud security priorities for CISOs and their teams to consider this year.