Cloud Eats Security

Over the past 20 years, cybersecurity has persistently played an unwinnable game.  In this game, the attacker makes all the rules, sets all the timers, records all the scores, and can walk away from the game anytime without losing anything.

Meanwhile, the defenders are encumbered with a cavalcade of rules, tools, and fools: insidious compliance rules that drag down progress, a messy assortment of tools that never work together, and company executives that dismiss security as a nuisance inhibiting their success.

If you have ever had to implement enterprise security you know that it is not merely difficult, it is profoundly difficult.  However, what is the alternative?  Companies must defend themselves.  And so, security departments diligently persevere buying new tech, hiring more people, and fighting enemies inside and out.  After a while, the virtuousness of their perseverance becomes indistinguishable from insanity.

I will skip rehashing all the tales of security breaches as they are documented elsewhere.  However, it is safe to say the root cause of all security breaches is people.  People bypass security rules, people misconfigure controls, people ignore alerts, and so forth.  However, this is not anybody’s fault.  To state the obvious, we are human and therefore imperfect.

Beyond Human

The crux of this Unwinnable Game is that protecting modern IT systems and data is beyond the cognitive abilities of humans, even a team of humans.  There are too many variables, too much data, and too much volatility for humans to manage on a consistent basis.

If humans cannot handle security, then who or what can?

Since breeding perfect humans is the stuff of supervillains, we are left with making compute environments more “intelligent” about security –  artificial intelligence (AI).  AI has tremendous potential to fundamentally alter security into a winnable game for the defenders.  An AI engine can repeatedly (and tirelessly) analyze data to identify outliers and potential attacks.  Moreover, an AI engine can learn over time the nuances and quirks of an environment, and come to understand what is and is not important.  AI has promise to stop an attacker before widespread damage. It may also automatically restore any affected data and optimize the environment to defend against follow-on attacks.

Unfortunately, AI has some gigantic hurdles to adoption.

First, implementing AI at scale is well beyond the technical capabilities of most security teams. Most organizations struggle to maintain basic security hygiene. Expecting them to install, tune, and manage complex AI technologies is unrealistic.

Second, AI is unlikely to identify a zero-day attack.  It may identify attack-like behavior or activity, but it cannot magically determine an attack type without relevant, relatable data.

Lastly, AI engines must have access to vast amounts of data such that they can build propensity models.  This means the engine must have both abnormal and normal data (and anything in between).  Most security technologies discard or ignore normal data, favoring the abnormal.  This is because the humans who manage those security products cannot handle the onslaught of both normal and abnormal data.

This is the point when AWS, Microsoft, and Google join the chat.  The cloud providers have some huge advantages in regard to AI.  Mostly they are skilled at taking technologies and processes, and transforming them into standardized, easy to implement, and automated services.  AWS has the people, purpose, and scale to build AI engines.  Mostly, cloud providers have a huge advantage over the point players, like Crowdstrike or Splunk.  Cloud providers can see everything, normal and abnormal.  This makes them a logical place to implement security AI at scale.

The reason computing workloads are moved to the cloud is because the cloud providers simplify complex technology into standardized services.  Cloud and SaaS have already consumed entire markets, such as email.  Ten years ago, if you needed an email server, you had to setup, manage, and secure your own.  Today, with a few clicks and a script you can have an enterprise class email system at Microsoft or Google, pre-configured and secured correctly.  There is no reason to run your own mail server these days.

Security is on a similar path.

The New Cloud Order

By 2030, the cloud providers like AWS and Azure, will consume and dominate the security market.  Security will be both stand-alone services and tightly integrated into other services.  These services will extend out to endpoints and IoT devices as well.  What we know today as the security industry, with thousands of vendors all selling point products will dramatically change.

This trend is already in motion and will accelerate in the coming years. This new order will have some profound impacts:

• The demand for point security products will not disappear, rather it will move down-market to SMB and laggard industries that refuse to adopt the cloud.
• The market valuations for these point solutions will, consequently, decline as they run out of customers.
• The demand for in-house security expertise will also decline. With cloud services and AI doing much of the dirty work, in-house teams will have less to do.  This will make the security roles less about twiddling with tools and more about managing risk posture throughout the organization.
• Since everything in the cloud can be automated through an API, a new class of value-added resellers will emerge: automation integrators. These providers will repackage automations between different providers. They will offer pre-built architectures, with your preferred vendors (like ServiceNow or Salesforce) pre-integrated.  With a few clicks you will be able to build an entire enterprise infrastructure with everything tightly integrated.
• The market for managed security providers (MSSP) will remain stable, however they must adapt to work with the cloud. The traditional MSSP, with a big SOC managing hardware devices, will be less relevant.  MSSP will also move down-market into SMB environments.
• Demand for stand-alone security awareness and application code scanning solutions will remain stable or increase. These services are difficult for cloud providers to adopt, due to the customized nature of them.  However, security awareness training has already moved to cloud-delivery.  Likewise, most application code scanners have SaaS delivered versions as well.
• Hardware security products must refocus on access, with tight integration to cloud services. Many of the hardware vendors, like Palo Alto Networks and Fortinet have already begun this transition.
• Compliance will be dramatically devalued. Compliant environments can be built, certified, and authorized through automated means.  Compliance bodies will resist this at first, but the cloud providers will strong-arm them into adopting.  You already see the beginnings of this, with the FedRAMP office push their standardized OSCAL language.
• Multi-cloud will become more difficult as cloud providers find more ways to create lock-in strategies. This will also increase the need for automation integrators, which can smooth out multi-cloud adoption complexities.
• Attacks and ransomware will continue, but shift focus to “softer” targets such as laptops and IoT devices.
• AI engines will become increasingly more capable at identifying new attacks. However, people will need to manage the response and remediation.
• Automation will also extend to remediation tools. Cleaning up an intrusion will no longer require expensive engagements with outside consultants.  Rather, automation tools will gather evidence, wipe out affected systems, and rebuild from known-good repositories.
• Risk management will become more important to companies, as they shift from a purely reactionary approach to that of controlling risks.
• Watch closely anybody AWS, Azure, Google, Salesforce, Service Now, Oracle, SAP etc. acquires. They will start vacuuming up technologies that will serve this change.  AWS has already done a few.

Evidence

The evidence of this movement is already out there.

• Microsoft Azure has their own Security Event and Information Management (SIEM) product: Sentinel
• AWS has rolled out Guard Duty and WAF, rendering the need for standalone WAF or IDS/IPS less relevant.
• Google’s Chronicle integrates multiple security functions as well as some AI capabilities.

Counterpoints

Of course, this trend will encounter resistance from all those vendors.  Just as hardware vendors ignored the writing on the walls in the early 2000s, so too with the sea of booths at the RSA show ignore the rising waters around them.  However, let’s consider some contrary points.

Cloud services are not as accurate or capable as dedicated point solutions.

This may be true, but it does not matter.  The cost and complexity of implementing, optimizing, and managing point solutions is already higher than adopting cloud-native tools.  Moreover, the quality of a product is largely irrelevant in the grand scheme of protecting a business.  Most of the companies which experienced a large data breaches possessed cutting edge security technologies.  It was not the technology that made a difference, but rather how that technology is implemented, monitoring, and managed.

Cloud providers are incentivized to ignore or cover up security problems.  You cannot have the fox guarding the henhouse!

Pushing the lame farm clichés aside, this is simply untrue.  Cloud providers are under tremendous legal, regulatory, and reputational pressure to secure their services.  For example, a few years back AWS took heat for customers with public S3 bucks.  Even though this is a legitimate configuration, and customers are entirely responsible for setting this access, AWS still implemented improvements to lock down S3 buckets even more.

Furthermore, if you are going to entrust the entirety of your company’s data and processing to AWS, why can you not trust their security?  Lastly, cloud providers are deeply incentivized to protect customer’s workloads for one less savory reason: lock-in.  If a cloud platform is consistently having security issues, customers will leave and move to a competitor’s platform.

This is monopolistic, many organizations will reject using cloud-native security tools leaving a market for point-solution vendors. 

Yes, some companies will resist, however this will not stop the cloud providers.  Those companies that resist will be at a disadvantage.  Security today is an insanely inefficient and error-prone precisely because there are too many tools which are difficult to interoperate.  Automating and standardizing security is the only way to contain this expanding inefficiency.  Those companies that resist, will lose the efficiency and effectiveness gains of those companies who do adopt the cloud-native security tools.

The follow-on question for this is: at what point do the cloud providers transform from merely providing a compute service, to being a utility.  Where are the limits of their reach? That is a larger, complex question for another article.

Conclusion

Information security is stuck playing a game it will never win.  However, unlike the sage wisdom of Wargames which suggested the only winning move is not to play, we do not have that choice.  We must defend our data, our infrastructure, and our nations from cyberattacks.

Information security teams can win this game, if they leave defense to the robots.  Only automation can adapt, react, and protect at the scale necessary to defend an enterprise.  And only the cloud providers have the scale, resources, and motivation to be able to build these robots effectively.

This was originally published at  The Analyst Syndicate.