em360tech image

By Robin Campbell-Burt, CEO at Code Red

The shift to the cloud has gathered strength year-on-year, and 2022 was no exception. Gartner found that almost two-thirds (65.9%) of spending on application software will be directed towards cloud technologies in 2025, up from 57.7% in 2022. 

Whilst the trajectory of most organisations in the digital age continues to catapult towards the cloud, the journey along the way isn’t always as simple as it seems. Senior decision-makers, along with IT and security leaders, are discovering the challenges of managing and securing cloud environments, and it’s a secret well-known by cyber criminals as well.

Threat actors are targeting weaknesses within organisations’ cloud environments, with 45% of breaches occurring in the cloud. More worryingly though, 43% of organisations stated they are just in the early stages or have not started implementing security practices to protect their cloud environments.

So, as 2023 is almost here, what should organisations that are in the early stages, or haven’t started, be doing to secure their cloud environments?

Kelly Ahuja, CEO at Versa Networks, believes that the adoption of cloud has expanded the attack surface of organisations, and security teams are required to protect what is outside their perimeter as well as inside it.

“Cloud adoption and the increase in remote work has extended the enterprise perimeter, expanding the attack surface. Continued shift to hybrid cloud extends this attack surface further. But the hybrid work and IoT extends this attack surface from outside the perimeter to inside the perimeter.

“As the traditional enterprise perimeter dissolves, protecting users, devices, data and connecting this hybrid workforce/devices to applications in hybrid cloud will drive a rethinking of the security architecture.

Camille Charaudeau, Vice President, Product Strategy at CybelAngel, believes this rethink in security needs to be enterprises being more proactive: “Organisations need to go beyond perimeter-centric defence and start thinking like attackers. This means adopting a proactive posture and taking an outside-in approach with vigilant monitoring of possible exposures in their extended external attack surface.

“Doing this will enable enterprises to fully maximise the value of their vulnerability management and endpoint detection & response programs and ensure issues can be remediated expediently before bad actors can take advantage of them.”

However, Tom Van de Wiele, Principal Technology & Threat Researcher at WithSecure, argues that understanding attack surface of cloud environments will still be an uphill battle for most companies that rushed their cloud transition.

“Companies will continue to play catch up when it comes to knowing what their actual attack surface is, or what an attacker perceives as the attack surface relating to an organisation,” said Tom Van de Wiele.

“Especially with the introduction of so many different cloud services, the transparency levels have reached new lows of opaqueness to the point where companies are involuntarily down-prioritising their own inventory assessment efforts and have to transfer the risk to their third parties and suppliers, while for the most part betting on reactive controls such as detection and response.  

As well as the increase in cloud environments, there is also the rapid adoption of cloud identity and Yaron Kassner, Co-Founder and CTO at Silverfort, said this will expose organisations to new cyber risks and CISOs must be aware of them: “Driven by the great and the good of identity, everyone from Microsoft to Okta and Google, cloud identity adoption will continue to gather pace in 2023. 

“This, however, presents risks for CISOs as it can lead to a fragmented mess of legacy and cloud-based identity providers which refuse to integrate. This can introduce blind spots in the identity attack surface – as well as driving up management complexity and cost.  In addition, a mix of identity providers also complicates the application of MFA.

“To stop this complexity spinning out of control in 2023, organisations should be looking for ways to unify identity providers to provide simpler, more cost effective, management and a standardised MFA experience.”

This is further backed up by Wade Ellery, Field Chief Technology Officer at Radiant Logic, who argues that organisations will be looking to gain visibility across all their identity data in 2023.

“For almost all organisations, an identity-first mindset for organisations is still at an early stage of its maturity. They’re still learning the concept of identity sprawl and the scale of their technical debt, which means that companies are just starting to realise the scale of the challenge. 

“Organisations are looking into how they gain visibility into their identity data, and how it can offer long-term benefits when it comes to scale, cost and timeframe. We are starting to see a shift in the mindset and attitude towards Identity Access Management – it is a journey, not just one solution implemented and then forgotten about. 

“In 2023, we are going to see more and more businesses ‘slow down to speed up’ – they’ll recognise they need to put in an identity data foundation before they can justify building new, revenue-oriented projects that demand access to identity.”

However, Adam Brady, Director, Systems Engineering, EMEA at Illumio, argues that security teams’ attention will shift from “find and fix” to “limit and contain” irrespective of the environment.

“We will see acceptance in the industry that breaches are here to stay and security strategies evolve to take this into account. It will no longer matter if it’s on premise, hybrid, cloud or at the edge, what will be important is maintaining visibility across the entire estate.

“Organisations will need to know where the vulnerabilities are in their environment and then proactively implement policy to contain breaches early on and limit damage. Ultimately, breach containment will be the new resilience paradigm in 2023.”