By Chris DeRamus, CTO and co-founder, DivvyCloud
- Cloud misconfigurations will continue to cause massive data breaches. As enterprises adopt cloud services across multiple cloud service providers in 2020, we will see a slew of data breaches caused by misconfigurations. Under pressure to go big and go fast, developers often bypass security in the name of innovation, and all too often the result is data exposure on a massive scale, such as the First American Financial Corporation incident in May 2019 that left over 885 million mortgage-related records exposed. Companies believe they face a lose-lose choice: innovate in the cloud and accept the risk of a data breach, or play it safe with existing on-premises infrastructure and lose out to more agile and modern competitors. In reality, companies can accelerate innovation in the cloud without losing control. Automated security tooling can detect misconfigurations continuously, alert the appropriate personnel to correct the issue, or trigger remediation in real time; the same automation enforces policy, provides governance, demonstrates compliance, and gives everyone in the organization a consistent process to follow. Companies can innovate while maintaining security; they simply must adopt the proper cloud strategies and solutions.
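The detect-and-remediate loop described above, as an added example that is not part of the original article or of any vendor product: a small policy engine that evaluates a constructed inventory snapshot (security groups and object-storage buckets, not taken from any real account) against two kinds of common misconfiguration, returns findings, and, when asked, produces the corrected configuration as a pure function so the fix can be reviewed before it is applied. The resource schema, rule identifiers (SG-001, S3-001, S3-002) and port list are assumptions made for the example.

```python
import copy
import ipaddress
from dataclasses import dataclass

# Ports that should never be reachable from the whole internet (assumed list).
SENSITIVE_PORTS = {22, 3389, 3306, 5432, 6379, 27017}
PUBLIC_GRANTEES = {"AllUsers", "AuthenticatedUsers"}


@dataclass(frozen=True)
class Finding:
    resource_id: str
    rule: str      # policy identifier, e.g. "SG-001"
    detail: str


def world_reachable(cidr: str) -> bool:
    """True for 0.0.0.0/0, ::/0 or any other prefix of length 0."""
    try:
        return ipaddress.ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:
        return False


def offending_rules(sg: dict) -> list:
    """Ingress rules that expose a sensitive port to the whole internet."""
    return [r for r in sg["ingress"]
            if world_reachable(r["cidr"])
            and any(r["from_port"] <= p <= r["to_port"] for p in SENSITIVE_PORTS)]


def check_security_group(sg: dict) -> list:
    return [Finding(sg["id"], "SG-001",
                    f"{r['cidr']} reaches ports {r['from_port']}-{r['to_port']}")
            for r in offending_rules(sg)]


def remediate_security_group(sg: dict) -> dict:
    """Drop only the offending rules; a public 443 rule on a web tier is left alone."""
    fixed = copy.deepcopy(sg)
    bad = offending_rules(sg)
    fixed["ingress"] = [r for r in sg["ingress"] if r not in bad]
    return fixed


def check_bucket(b: dict) -> list:
    findings = []
    public = [g for g in b["acl_grants"] if g["grantee"] in PUBLIC_GRANTEES]
    if public and not b.get("block_public_access", False):
        findings.append(Finding(b["id"], "S3-001", "ACL grants " + ", ".join(
            f"{g['permission']} to {g['grantee']}" for g in public)))
    if not b.get("default_encryption"):
        findings.append(Finding(b["id"], "S3-002", "no default server-side encryption"))
    return findings


def remediate_bucket(b: dict) -> dict:
    fixed = copy.deepcopy(b)
    fixed["acl_grants"] = [g for g in b["acl_grants"] if g["grantee"] not in PUBLIC_GRANTEES]
    fixed["block_public_access"] = True
    if not fixed.get("default_encryption"):
        fixed["default_encryption"] = "AES256"
    return fixed


CHECKS = {
    "security_group": (check_security_group, remediate_security_group),
    "s3_bucket": (check_bucket, remediate_bucket),
}


def scan(inventory: list, auto_remediate: bool = False):
    """Return (findings, inventory_after); the input is never mutated."""
    findings, after = [], []
    for res in inventory:
        check, fix = CHECKS[res["type"]]
        found = check(res)
        findings.extend(found)
        after.append(fix(res) if (found and auto_remediate) else copy.deepcopy(res))
    return findings, after


# Constructed inventory snapshot (not taken from any real account).
INVENTORY = [
    {"type": "security_group", "id": "sg-web", "ingress": [
        {"cidr": "0.0.0.0/0", "from_port": 443, "to_port": 443}]},
    {"type": "security_group", "id": "sg-db", "ingress": [
        {"cidr": "10.0.0.0/8", "from_port": 5432, "to_port": 5432},
        {"cidr": "0.0.0.0/0", "from_port": 0, "to_port": 65535}]},
    {"type": "s3_bucket", "id": "backups", "acl_grants": [
        {"grantee": "AllUsers", "permission": "READ"}],
     "block_public_access": False, "default_encryption": None},
    {"type": "s3_bucket", "id": "logs", "acl_grants": [],
     "block_public_access": True, "default_encryption": "aws:kms"},
]

if __name__ == "__main__":
    found, fixed = scan(INVENTORY, auto_remediate=True)
    for f in found:
        print(f"{f.rule} {f.resource_id}: {f.detail}")
    print("findings after remediation:", len(scan(fixed)[0]))
```

Running the scan a second time over the remediated inventory and expecting zero findings is the check a practitioner wants before wiring the remediation step to anything that writes to a live account; the public 443 rule on `sg-web` is deliberately not flagged, because a remediation engine that closes every world-open port takes production web tiers down.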
- New Year, New Threats. As companies continue to invest in new technology, we will see new and more advanced tactics, techniques, and procedures from malicious third parties seeking to exfiltrate critical customer, company and partner data or to interrupt or disable business operations. Companies often make the costly assumption that they will be safe from threats simply by buying an additional security tool for every new technology or service they adopt. This piecemeal approach to security is both extremely expensive and inefficient. Since we do not know what the most pertinent threats will be a year from now, the better approach is to invest in holistic security solutions that can evolve and scale with the company over time.
- IAM is the new perimeter, and it is harder than you think. Everything in the cloud has an identity, and the relationships between identities, roles and resources are complex, so scoping to least privilege or adopting zero trust sounds great but is genuinely difficult to do. In 2020, security professionals will realize that identity and access management (IAM) is an area where they can lose control rapidly, and where control is very hard to take back. Approaches and strategies from the datacenter world do not transfer, and companies need to invest quickly in process and in supporting tools (including automation) to stay ahead in this complex landscape. The repercussions of poor IAM governance are substantial and sometimes unpredictable. In the Capital One breach, for example, a former AWS employee exploited a misconfigured web application firewall to obtain temporary credentials for the IAM role attached to the firewall's instance; that role was permitted to list and read far more S3 storage than its job required, which is what turned a single misconfiguration into access to the records of more than 100 million customers.
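Why least privilege is hard to do by hand, and how automation helps, as an added example that is not part of the original article or of any vendor product: the script below expands the wildcards in a constructed IAM policy document against a small, constructed subset of the AWS action catalogue (the real catalogue has thousands of entries), flags the broad grants, and then rewrites the policy down to the actions and resource ARNs actually observed in a few constructed CloudTrail-style records. The policy, the events, the ARNs and the catalogue subset are all assumptions made for the example; the service-prefix mapping from `eventSource` is simplified.

```python
import fnmatch
import json

# Constructed subset of IAM action names, used only to expand wildcards offline.
# A production tool would load the full catalogue.
ACTION_CATALOGUE = [
    "s3:ListAllMyBuckets", "s3:ListBucket", "s3:GetObject", "s3:PutObject",
    "s3:DeleteObject", "s3:GetBucketAcl", "s3:PutBucketAcl", "s3:PutBucketPolicy",
    "ec2:DescribeInstances", "ec2:TerminateInstances",
    "iam:ListRoles", "iam:PassRole", "iam:CreateUser", "kms:Decrypt",
]


def as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def expand(pattern: str) -> set:
    """Actions matched by an IAM action pattern (IAM matching is case-insensitive)."""
    return {a for a in ACTION_CATALOGUE if fnmatch.fnmatchcase(a.lower(), pattern.lower())}


def allow_statements(policy: dict) -> list:
    return [s for s in as_list(policy["Statement"]) if s.get("Effect") == "Allow"]


def granted_actions(policy: dict) -> set:
    granted = set()
    for st in allow_statements(policy):
        for pat in as_list(st.get("Action", [])):
            granted |= expand(pat)
    return granted


def wildcard_findings(policy: dict) -> list:
    """Flag broad grants: they are what makes a leaked role credential valuable."""
    out = []
    for i, st in enumerate(allow_statements(policy)):
        for pat in as_list(st.get("Action", [])):
            if "*" in pat:
                out.append(f"statement {i}: Action {pat!r} expands to {len(expand(pat))} actions")
        if "*" in as_list(st.get("Resource", [])):
            out.append(f"statement {i}: Resource '*' applies to every resource in the account")
    return out


def used_actions(events: list) -> set:
    """Actions actually exercised, from CloudTrail-style records:
    eventSource 's3.amazonaws.com' + eventName 'GetObject' -> 's3:GetObject'.
    Simplification: a few services use a different IAM prefix than their
    eventSource host (e.g. monitoring -> cloudwatch); that mapping is omitted."""
    return {f"{e['eventSource'].split('.')[0]}:{e['eventName']}" for e in events}


def used_resources(events: list) -> list:
    return sorted({r["ARN"] for e in events for r in e.get("resources", [])})


def least_privilege_policy(policy: dict, events: list):
    """Rewrite the policy to the granted actions that were actually used, scoped to
    the resource ARNs seen in the trail. Returns (new_policy, unused_actions).
    If the trail carries no resource ARNs the Resource list comes back empty and
    must be scoped by hand; an empty Resource is not a valid IAM statement."""
    granted, used = granted_actions(policy), used_actions(events)
    new_policy = {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow",
                       "Action": sorted(granted & used),
                       "Resource": used_resources(events)}],
    }
    return new_policy, sorted(granted - used)


# Constructed over-broad role policy (assumed for the example).
ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:*", "ec2:Describe*"], "Resource": "*"}],
}

# Constructed CloudTrail-style records for the role over an observation window.
EVENTS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "ListBucket",
     "resources": [{"ARN": "arn:aws:s3:::app-config"}]},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "resources": [{"ARN": "arn:aws:s3:::app-config/*"}]},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "resources": [{"ARN": "arn:aws:s3:::app-config/*"}]},
]

if __name__ == "__main__":
    for line in wildcard_findings(ROLE_POLICY):
        print(line)
    tightened, unused = least_privilege_policy(ROLE_POLICY, EVENTS)
    print(json.dumps(tightened, indent=2))
    print("removed:", unused)
```

The caveat that matters in practice is the observation window: an action that is only exercised quarterly will be absent from a two-week trail, so the tightened policy should go through the same review and staged rollout as any other production change rather than being applied the moment the script emits it.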
- There will be increased caution around M&A deals. Learning from Marriott's experience, companies going through M&A deals in 2020 will prioritize comprehensive evaluations of cybersecurity and risk. Before Marriott acquired Starwood in 2016, Starwood had already disclosed a breach of North American customers' credit and debit card data after threat actors implanted malware on point-of-sale registers at its properties. Marriott only became aware of the far larger intrusion into Starwood's guest reservation database in 2018, when a security tool flagged a database query from an account that had admin privileges; the investigation put the exposure at roughly 383 million guest records and found that the intrusion dated back to 2014, two years before the acquisition, and had gone undetected for four years. Even though the compromise predated the deal, the UK Information Commissioner's Office (ICO) announced its intention to fine Marriott £99 million (more than $120 million) for violating GDPR, and the hotel giant could face additional penalties under other data privacy mandates, including the soon-to-be-enforced CCPA. While M&A is an important part of many companies' growth plans, organizations will become increasingly wary of suffering a similar fate. In 2020, organizations will place cloud security at the forefront of the M&A process, including thorough audits of how the acquisition or merger target operates its cloud services. In a multi-cloud world, companies will need solutions that provide complete visibility across all clouds and cloud services, and an approach to bringing acquired environments into their security and compliance posture via automation.
- Federal data privacy law on the horizon. With the enactment of CCPA and the introduction of further proposals for state-level data privacy laws across the U.S., all roads point toward a federal data privacy law. It is highly unlikely that such a law will be passed in 2020, but it is likely that Congress prioritizes the idea and begins discussing criteria for it. A patchwork of slightly different data privacy laws in each state would discourage businesses (especially SMBs) from operating across state borders. Multiple, varying data privacy laws are a thorn in the side of large companies, devastating for SMBs, and a deterrent to international corporations that already have to comply with other mandates such as GDPR. The CEOs of Amazon, AT&T, Dell, IBM and the other companies that make up the Business Roundtable have already sent an open letter to Congress asking for a federal data privacy law, and the Internet Association, whose members include Dropbox, Facebook, Reddit, Snap and Uber, has also pushed for a federal law.
About the Author
Chris DeRamus is the co-founder and CTO of DivvyCloud, where he leads product development and the technology team. He is dedicated to building the most robust, scalable, high-quality software possible to meet DivvyCloud's customers' demanding requirements. Before co-founding DivvyCloud, Chris was the online operations manager for the Mythic Studio at Electronic Arts, where he helped design, build and operate large-scale cloud infrastructure spanning public and private clouds to run Electronic Arts' largest online games.