Head in the clouds…takeaways from Cloud Security Expo 2017

Last week, I had my head in the clouds, but no, I wasn’t daydreaming:  I was at the Cloud Security Expo in London where I presented two sessions.  With around 20,000 attendees across the two-day event, it was a great opportunity to take a deep dive into the trends that are currently shaping the industry, and to get insights into how these are expected to evolve over the next year.

Hybrid is here

Hybrid and multi-cloud environments was the most discussed topic at the Expo.  There’s a good reason for this:  recent research from RightScale showed that 85% of enterprises will follow a multi-cloud strategy in 2017and hybrid cloud remains the preferred strategy for 67% of enterprises.

The reasons for embracing multi or hybrid clouds will vary from company to company, but in my experience they’re usually based on a blend of these three key requirements:

• Improving resilience and business continuity: mitigating the risk of a failure at a single provider or vendor, and reducing the risk of being impacted by a cyberattack which targets a specific provider.
• Extending geographic reach: to address local latency issues, to reach new markets and customer sectors, accommodate business change and expansion, or address data sovereignty and compliance issues.
• Better management of costs: either to avoid lock-in to a specific provider, or to choose cloud platforms that scale to the required workload, to get the best value.

Of course, as enterprise cloud usage multiplies, there is a critical need for organizations to have clear end-to-end visibility of their entire enterprise estate – public, private and hybrid – through a single pane of glass, together with cloud-agnostic security policy management across the various security controls they are using.

Orchestration and automation

Hand in hand with visibility, the critical need for orchestration and automation solutions to help organizations reap the full benefits of hybrid cloud agility and flexibility was also widely discussed at the conference.

More specifically, organizations will to deliver granular protection to large-scale applications which carry regulated data across both on-premise networks and in the cloud. This will become especially acute when the General Data Protection Regulation (GDPR) comes into effect in May 2018 (and possibly BREXIT).

So again, enterprises need to be able to visualize and manage policies across their hybrid environments in a consistent and cohesive way, through a single pane of glass, to ensure that they meet their security and compliance requirements – as I covered in my presentations during my own presentations at the Expo.

Containers:  boxing clever

Another hot topic at Cloud Expo was cloud containers.  Containerization technology has been around for a few years now, but its usage is growing fast as enterprises are looking to standardize and automate the deployment of applications, by building smaller, autonomous (yet compatible) services that can be started and stopped on-demand without affecting other services.  The use of Docker, the most popular container technology, is expected to grow by more than 25% in 2017, with 35% of enterprises using it.

Containers give each application its own, isolated environment to run in, with the containers all sharing the host server’s OS.  This means applications in a container can be spun up faster while using fewer resources compared with a conventional virtual machine.  But containers can also introduce security risks.

While containers are isolated from each other (so one cannot spread into another’s assigned memory space) they can be set up to communicate with each other.  This means that while malicious code in one container should not be able to cross to another container, the code may be able to snoop for sensitive information in the data that’s allowed to be communicated between containers.  So it’s important that controls are implemented to ensure that a container only has access to the network resources it absolutely needs to run, using the principle of least privilege.  This in turn demands a ‘continuous security’ approach during development, that is integrated into developers’ continuous integration/continuous deployment processes, to ensure that any potential vulnerabilities are detected early, before being put into a production environment.