Cloud Security

Cloud access security brokers (CASBs) are on-premises or cloud-based security policy enforcement points, placed between cloud service consumers and cloud service providers to combine and interject enterprise security policies as the cloud-based resources are accessed. CASBs consolidate multiple types of security policy enforcement. Examples of security policies include authentication, single sign-on, authorization, credential mapping, device profiling, encryption, tokenization, logging, alerting, malware detection/prevention and so on.

Use cases

  • Policy enforcement
  • Activity monitoring/situational awareness
  • Data loss prevention

Benefits

  • Consolidated cloud security services
  • Increased cloud data protection capability
  • Decreased risk in the use of cloud and dependent technologies

Verticals

All verticals

Challenges

CASBs are presently available on the security services market. CASB capabilities can vary by provider and risk profile, and CASBs can be deployed in an on-premises or cloud service configuration. They can also be deployed for SaaS, PaaS and IaaS models.

Cloud Workload Protection Platform

0-2 years

In general, each resource in a cloud account (Amazon EC2 instance, Relational Database Service, load balancer, gateways, containers, etc.) is a workload. Cloud workload protection platforms (CWPPs) help to identify security incidents, protect your systems and services, and maintain the confidentiality and integrity of data through data protection in hybrid, multi-cloud environments. They fill a gap left by legacy security tools that are not designed for the dynamic, distributed, virtual environments of the cloud.

Use cases

  • Protect your Data in Production. Defense in depth by Layer 3 / 7 Network Segmentation.
  • Workload security becomes a continuous effort – even a second of non-compliance can be detected.
  • Security as code allows you to automate manual security tasks.
  • Improve your cloud security posture.

Benefits

  • Protect your Data in Production. Defense in depth by Layer 3 / 7 Network Segmentation.
  • Workload security becomes a continuous effort – even a second of non-compliance can be detected.
  • Security as code allows you to automate manual security tasks.
  • Improve your cloud security posture.

Verticals

All verticals

Challenges

  • CWPPs need to be flexible and scalable, able to manage hybrid as well as multi-cloud environments.
  • The increasing use of containers by developers puts an additional requirement on CWPPs to secure containers as well, including support for a shift-left approach (DevSecOps).
  • Serverless is the next evolution after containers and will come with its own specific security requirements.

CSP Native Security

0-2 years

CSP Native Security refers to the security services built in by the CSPs in their IaaS platforms to help customers secure their data in the cloud. In the cloud there is the shared responsibility model: while AWS, Microsoft and Google manage security of the cloud, security in the cloud is the responsibility of the customer. Customers retain control of what security they choose to implement to protect their own content, platform, applications, systems and networks, no differently than they would in an on-site data center.

Use cases

  • Threat Detection: Anti malware, Network security, Threat / Anomaly detection, Response/remediation.
  • Compliance: Adhere to industry compliance requirements and show evidence of that compliance.
  • Minimize the chance of infection from known and unknown malware.
  • Ensure that users have appropriate levels of permissions to access the resources they need, but no more than that.

Benefits

  • Security as code, fully automated and fully integrated and compliant with the CSP platform.
  • Native Security includes a comprehensive set of native security tools all managed from a single portal eliminating blind spots.
  • Rather than just focusing on protection of a single outer layer, customers can now apply a defense-in-depth approach with fully integrated security controls and to all layers (e.g., edge network, VPC, subnet, load balancer, every instance, operating system, and application).
  • Customers can more easily address the security challenges of moving to the cloud, enabling visibility, control and compliance from a single pane of glass.

Verticals

All verticals

IaaS Container Encryption

0-2 years

IaaS container encryption is an addition to container image security, addressing data confidentiality and integrity of container images at rest. The primary goal of encrypting container images is to make them available only to a set of recipients. While others might be able to access these images, they cannot run them or see the confidential data inside them. Container encryption builds on existing cryptography such as RSA, elliptic curve and AES encryption technologies. Keys can be managed by the service or the customer.

Use cases

  • Compliance: to ensure that sensitive data is protected against unauthorized access or modification. PCI DSS, FIPS and HIPAA require that data at rest be encrypted throughout the data lifecycle.
  • Compliance with the company's security practices
  • DLP
  • Protect against unauthorized access

Benefits

  • Ensure that untrusted hosts cannot run the images
  • When images are encrypted, people without the private key cannot access the content.
  • Confidentiality of data and code in container images.

Verticals

All verticals

API Threat Protection

APIs are programmatic calls that different applications use to interact with each other and obtain data or information. Securing APIs means protecting the integrity of the API calls, both the ones built into the developed applications and the ones used from other, external applications. OWASP security standards help implement best practices when developing applications.

Use cases

API Threat protection can be looked at from different angles:

  • Broken User Authentication: helps secure exposed endpoints that handle object identifiers, which in turn reduces the attack surface;
  • Excessive Data Exposure: reduce or limit the properties of the objects used during API calls, thus making sure that sensitive data is not exposed;
  • Security Misconfiguration: a common problem is using insecure default configurations, which in turn can lead to compromised API calls. Securing the configuration helps prevent unnecessary use of HTTP methods, overly permissive resource sharing or error messages containing sensitive information.

Benefits

Securing API calls means ensuring that all data/information sharing between applications is done in a secure manner. As more and more industries rely on this method of information sharing, applying security best practices and hardening techniques will limit or reduce the capabilities of attackers to leverage them as an initial attack point and greatly reduce the attack surface.

Verticals

APIs are used in a wide range of verticals, from IoT, autonomous vehicles and smart cities to bank transfers.

Challenges

API threat protection lacks the transparency of application development. With the shift-left approach, the risk of exposing sensitive information through APIs is reduced but not eliminated. Legacy and unsanitized code can pose a great challenge in securing APIs.

Cloud Application Discovery

2-5 years

Cloud Application Discovery (CAD) covers all those security and compliance tools and mechanisms that offer visibility into the organization's activity associated with the use of applications in the public cloud, whether known or unknown to the IT department.

Use cases

CAD services help measure the actual use of an application (number of users, data volume, number of requests), identify which users actually use an application and when they do so, and obtain data to be submitted to analysis tools for aggregate information, for example by product, department or time period.

Benefits

From a strictly cyber security point of view, CAD helps to identify all those situations of shadow IT, as well as the products and vendors of the various applications used in an organization, and thus helps in the evaluation of cyber risk.

Verticals

All verticals

Challenges

Some CAD features are already present in tools that are already in the adoption phase, such as CASB tools, or in classic services such as DNS, proxies and next-generation firewalls. In the short term, organizations will therefore take advantage of these tools already in use. In the medium term, thanks to the consolidation of dedicated and more functional solutions, these will be increasingly adopted. In the long term, the maturity of CAD tools will guarantee real-time risk analysis and assessment by aggregating data from software and systems in the organization.

Cloud Application Security Testing

2-5 years

Cloud application security testing is the process of validating the security posture of applications hosted on private/hybrid/public cloud using security testing tools that are themselves hosted in the cloud or in a traditional on-premises environment. With any cloud environment, security becomes a shared responsibility depending on the type of cloud subscription model involved (IaaS/PaaS/SaaS). Cloud application security testing takes this key factor into account and provides the processes and methodologies to validate the security posture at various levels, including data security, network security, storage security, container security, IAM and API security.

Use cases

  • API Security
  • Container Security
  • Cloud Storage (Content) Security
  • Web Applications

Benefits

Cloud application security testing enables you to identify and address any potential vulnerability that may exist in your code, APIs, web services or web applications before they can be exploited by hackers or malicious users. The effort and money spent could result in potential savings of millions of dollars against:

  • Brand Reputation damage
  • Loss of customer trust & eventually their business
  • Statutory / Punitive payments
  • Legal Fees / Class Action Lawsuits

Verticals

All verticals

Challenges

While traditional application security for on-premises hosting has been implemented for a long time, multi-cloud or hybrid cloud applications increase the complexity of implementing a proper application security testing strategy. We need the right tools in the right place along with the necessary cloud security skills to conduct this activity. The cloud-based security testing tool must be available at all times from multiple locations so that if teams are working at multiple locations, they can easily coordinate and the speed of development is not hampered.

Cloud Encryption

2-5 years

Cloud encryption is the process of encoding or transforming data before it’s transferred to cloud storage.

For E2E encryption you need to cover 3 scenarios: data at rest, data in transit and data in use.

Data at rest encryption builds on existing cryptography such as RSA, elliptic curve and AES encryption technologies. There are different strategies to protect your encryption key; a common one is envelope encryption, whereby the data encryption key (public key) is encrypted using another key, the master key (private key). The master key can be managed by the service or the customer.
For data in transit, the industry-standard TLS is often used to encrypt data sent to and from the cloud or between servers in the cloud.
Data in use encryption is also referred to as secure computing and is an emerging technology. Inquiry trends reveal increased anxiety among cloud-using organizations about CSP staff eavesdropping on or tampering with customer workloads.

Use cases

  • Compliance: to ensure that sensitive data is protected against unauthorized access or modification. PCI DSS, FIPS and HIPAA require that data at rest be encrypted throughout the data lifecycle.
  • Comply with the company's security practices
  • DLP
  • Protect against unauthorized access

Benefits

  • Comprehensive data protection at all times. If data is lost it does not matter: you only have to delete the key and re-encrypt the data using a new key
  • Protection of privacy
  • Compliance

Verticals

All verticals

Cloud Security Posture Management

2-5 years

Cloud Security Posture Management (CSPM) offerings continuously manage cloud risk through the prevention, detection, response and prediction of where excessive cloud infrastructure risk resides based on common frameworks, regulatory requirements and enterprise policies.
They proactively and reactively discover and assess the risk/trust of cloud service configuration (such as network and storage configuration) and security settings (such as account privileges and encryption). Ideally, if a setting is non-compliant or a configuration represents excessive risk, the CSPM offering can take automated action to adapt, including remediation.

Use cases

  • Continuously monitoring for gaps between the desired security policy, the intended security posture (by the developer or DevOps team) and the actual security posture observed at runtime.
  • Continuously assess for trust/trustworthiness in addition to risk (workload, service and API identities are verified, changes to cloud infrastructure go through a change control process, behavioral baselining and anomaly detection, and so on).
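As an added illustration (not code from the original document) of the detect-and-remediate loop that CSPM offerings run: a small Go policy engine evaluates a constructed inventory, and each policy carries a check plus, where a change is safe to automate, a fix; a policy without a fix only alerts so the change goes through the team's change process. Resource kinds, setting names and policy names are assumptions, not any provider's API.

```go
package main

// Resource is a normalized view of one cloud configuration item; real CSPM
// tools build these from provider APIs, here they are constructed inline.
type Resource struct {
	Kind     string // "bucket", "security-group", ...
	ID       string
	Settings map[string]string
}

// Finding is one gap between the intended posture and the observed one.
type Finding struct {
	ResourceID string
	Policy     string
	Severity   string
	AutoFixed  bool
}

// Policy pairs a check with an optional remediation that adapts the setting.
type Policy struct {
	Name     string
	Severity string
	Violates func(r Resource) bool
	Fix      func(r *Resource) // nil means alert only, no automated change
}

// policies encodes a few controls of the kind CIS benchmarks describe.
var policies = []Policy{
	{
		Name: "storage-no-public-access", Severity: "high",
		Violates: func(r Resource) bool { return r.Kind == "bucket" && r.Settings["public_access"] == "true" },
		Fix:      func(r *Resource) { r.Settings["public_access"] = "false" },
	},
	{
		Name: "storage-encrypted-at-rest", Severity: "medium",
		Violates: func(r Resource) bool { return r.Kind == "bucket" && r.Settings["encryption"] != "enabled" },
		Fix:      func(r *Resource) { r.Settings["encryption"] = "enabled" },
	},
	{
		// Closing an admin port can lock out legitimate operators, so this one
		// only alerts and the change goes through the team's change process.
		Name: "no-admin-port-from-internet", Severity: "high",
		Violates: func(r Resource) bool {
			return r.Kind == "security-group" &&
				(r.Settings["ingress_22"] == "0.0.0.0/0" || r.Settings["ingress_3389"] == "0.0.0.0/0")
		},
	},
}

// Assess runs every policy over the inventory and, when autoFix is set and the
// policy carries a Fix, adapts the resource in place and records that it did.
func Assess(inventory []Resource, autoFix bool) []Finding {
	var findings []Finding
	for i := range inventory {
		r := &inventory[i]
		for _, p := range policies {
			if !p.Violates(*r) {
				continue
			}
			f := Finding{ResourceID: r.ID, Policy: p.Name, Severity: p.Severity}
			if autoFix && p.Fix != nil {
				p.Fix(r)
				f.AutoFixed = true
			}
			findings = append(findings, f)
		}
	}
	return findings
}

// SampleInventory is constructed sample data: one misconfigured bucket, one
// compliant bucket and a security group exposing SSH to the internet.
func SampleInventory() []Resource {
	return []Resource{
		{Kind: "bucket", ID: "logs-archive", Settings: map[string]string{"public_access": "true", "encryption": "disabled"}},
		{Kind: "bucket", ID: "app-assets", Settings: map[string]string{"public_access": "false", "encryption": "enabled"}},
		{Kind: "security-group", ID: "sg-bastion", Settings: map[string]string{"ingress_22": "0.0.0.0/0"}},
	}
}
```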

Benefits

  • Policy visibility and consistent enforcement across multiple cloud providers.
  • Continuous discovery and identification of cloud workloads and services.
  • Alerting on risky new deployments or changes to the cloud environment, hosts or services.
  • Risk assessment versus frameworks and external standards (ISO, NIST), technical policies and best practices (CIS, CSP).
  • Continuous cloud risk management, risk visualization and risk prioritization capabilities.
  • Verifying operational activities are being performed as expected.

Verticals

All verticals

Challenges

Putting in place the correct organization between security and application teams to leverage the output/results of the solution.

Container Security

2-5 years

Container security is the application of security processes, testing and controls to container-based environments. Comprehensive container security starts in development with an assessment of the risk and the trust of the contents of the container and should extend into runtime threat protection and access control to containers when in production. Interest in containers (primarily Linux containers) is being driven by developers in the name of speed and agility in development, typically using DevOps style workflows.

Use cases

  • Container malware scanning, anomaly detection, identifying container vulnerabilities, preventing unauthorized file access in containers
  • Container communication segmentation and IP-Based features
  • Microservices architecture security
  • Support with continuous integration/continuous deployment (CI/CD) scanning in a DevOps environment, scan for configuration and vulnerability issues of all code before production.

Benefits

  • Secrets management: store credentials, keys and certificates in a centralized secrets manager
  • Hardening and patching of the container host OS

Verticals

All verticals

DevSecOps

DevSecOps is a culture shift in the software industry that aims to bake security into the rapid-release cycles that are typical of modern application development and deployment, also known as the DevOps movement.
DevSecOps solves for both DevOps and security/compliance at the same time. It enables businesses to rapidly bring new applications to market, but in a safe and compliant manner, ensuring business requirements are met or exceeded along the way.

Use cases

  • proactively identify high-risk vulnerabilities and security threats, even within complex and highly distributed environments, through automated and continuous security checks and anomaly detection
  • prioritization of application risks
  • discovering and remediating defects
  • visibility into the development process
  • protecting data and applications without affecting business operations

Benefits

DevSecOps applies the principle of shifting security left rather than waiting to audit after development and testing have concluded.
In the case of DevSecOps, automated and continuous security checks and anomaly detection are of particular importance as applications run on distributed, multi-cloud infrastructures and the IT perimeter continues to expand.

Verticals

BFSI (Banking, financial services and insurance), Government and Defense, Healthcare, IT & Telecom, Manufacturing, Retail, and others.

Challenges

This lengthy, human-intensive model is incompatible with the high-velocity, integrated, and automated model of DevOps. And it makes clear that it’s not enough to build security into DevOps. You need to leverage AppSec tools that have DevOps built into them.

That means to be truly DevOps compatible, tests must be triggered by events in the SDLC (e.g., pull requests, commits, builds, etc.), run in the background without human intervention, and automatically apply security policies so developers can focus on the highest risk.

OpenID Connect

2-5 years

While over the years OAuth has been the standard used by all cloud service providers (CSPs) to implement API authorization, for the authentication of end users OpenID Connect (OIDC) allows client applications to verify the identity of users based on the authentication performed by an authentication service, as well as to obtain basic information about the user.
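As an added example (not code from the original document) of the relying-party side of OIDC: the ID token is an RS256-signed JWT, and the client application must verify the signature against the provider's published key and then check issuer, audience, expiry and the nonce it sent before trusting the identity. The issuer, client ID and nonce values are assumptions, and the signing function only stands in for the provider so the example is self-contained.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

// IDClaims are the ID token claims a relying party checks (aud here in its single-string form; the spec also allows an array).
type IDClaims struct {
	Iss   string `json:"iss"`
	Sub   string `json:"sub"`
	Aud   string `json:"aud"`
	Exp   int64  `json:"exp"`
	Nonce string `json:"nonce"`
}

var b64 = base64.RawURLEncoding

// NewProviderKey stands in for the provider's key pair; it exists only to keep this example self-contained.
func NewProviderKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// SignIDToken plays the OpenID Provider and issues an RS256-signed JWT; a real relying party never signs tokens.
func SignIDToken(priv *rsa.PrivateKey, c IDClaims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, _ := json.Marshal(c)
	signingInput := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// VerifyIDToken is the relying-party side: signature under the provider's key, then issuer, audience, expiry and nonce.
func VerifyIDToken(token string, pub *rsa.PublicKey, issuer, clientID, nonce string, now time.Time) (*IDClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var raw [3][]byte // header, payload, signature
	for i, p := range parts {
		b, err := b64.DecodeString(p)
		if err != nil {
			return nil, errors.New("bad base64url segment")
		}
		raw[i] = b
	}
	// Pin the algorithm: trusting the header invites "alg":"none" and key-confusion attacks.
	var hdr struct{ Alg string `json:"alg"` }
	if json.Unmarshal(raw[0], &hdr) != nil || hdr.Alg != "RS256" {
		return nil, errors.New("unexpected alg")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], raw[2]) != nil {
		return nil, errors.New("bad signature")
	}
	var c IDClaims
	if err := json.Unmarshal(raw[1], &c); err != nil {
		return nil, err
	}
	switch {
	case c.Iss != issuer:
		return nil, errors.New("wrong issuer")
	case c.Aud != clientID:
		return nil, errors.New("token not meant for this client")
	case now.Unix() >= c.Exp:
		return nil, errors.New("token expired")
	case c.Nonce != nonce:
		return nil, errors.New("nonce mismatch, possible replay")
	}
	return &c, nil
}
```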

Use cases

OIDC mainly covers all use cases where authentication is required on a system whose end-user identity is provided by a third-party CSP or a social network. Customer IAM (CIAM) leverages OIDC to make logging in to cloud services with a social network account more user-friendly.

Benefits

OIDC is a technology that responds to the current needs of a cloud-native world. OIDC is based on simple and lightweight technologies (i.e. JSON and REST) that are better suited to IoT devices, mobile applications and smart TVs. OIDC, being a layer on top of OAuth, makes it natural for CSPs to adopt the OIDC and OAuth combination for user authentication and API authorization, instead of a different technology such as SAML.

Verticals

All verticals

Challenges

The trend already underway is native support of OIDC for authentication by vendors of federated identity and IAM systems. While for consumer services OIDC is the standard, in the medium and long term OIDC should supersede SAML in B2B, enterprise and government environments. The same will apply for developers, with an increasing availability of native integration in the platforms used, rather than the use of external libraries and SDKs.

Chaos Engineering

5+ years

Chaos Engineering is the discipline of experimenting on a system in order to build confidence in the system’s capability to withstand turbulent conditions in production.

Chaos engineering consists of:

  • What could go wrong? Hypothesizing about a potential failure.
  • What will happen? Theorizing about and documenting the consequences of the failure.
  • Oops. Causing the failure.
  • What happened? Observing the consequences of the failure.
  • What now? Cause larger failures (scale) if consequences match expectations or fix the observed issues (squash).

Use cases

While the goal of Chaos Engineering is to increase the resilience of large-scale cloud-based distributed production systems, and some companies, such as Netflix, perform failure injection testing on their production systems, it is more often made part of development, continuous integration, continuous testing, load and performance, and production test systems.

Benefits

The key benefits of introducing Chaos Engineering into your DevOps cycle:

  • bring down the cost of downtime of your production system by fixing failures before they happen on a production system and creating a DevOps team that easily recognizes failures when they happen and knows how to react to those failures so that SLAs can be met.
  • increase confidence in the resilience of the production system.

Verticals

All verticals

Cloud Security Deception Automation

5+ years

Cloud Security Deception Automation is the automation of deception technology to prevent a cybercriminal who has managed to infiltrate a network from doing any significant damage. The technology works by generating traps or deception decoys that mimic legitimate technology assets throughout the infrastructure. These decoys can run in a virtual or real operating system environment and are designed to trick the cybercriminal into thinking they have discovered a way to escalate privileges and steal credentials. Once a trap is triggered, notifications are transmitted to a centralized deception server that records the affected decoy and the attack vectors that were used by the cybercriminal.

Use cases

Attacks it can help protect against:

  • Network Discovery
  • Active Directory Reconnaissance
  • Account and Credential Hijacking
  • Phishing
  • Containerized Applications / Functions-as-a-Service
  • Vulnerable Applications and Libraries
  • Ransomware

Benefits

  • Ability to Detect early and Respond more quickly
  • Measurable Output – Low False Positives and Low Risk
  • Significant Threat Intelligence and Situational Awareness – Understand the kind of attackers targeting your company and/or market
  • More Deceptive Systems – Less Attack Surface
  • Ability to understand, adapt and defend actual infrastructure against attacker techniques
  • Stay camouflaged and hence keep luring attackers to learn more about their modus operandi

Verticals

All verticals

Challenges

Limitation of budget allocation in IT organizations and inability to meet technical requirements of the deceptive security tools are likely to hinder the cyber deception market.

Continuous Privacy Compliance Posture Management

5+ years

Cloud adoption has increased exponentially in the past couple of years and with that there is a greater challenge in protecting sensitive or personally identifiable data. At the same time, several security frameworks have emerged as standard for protecting private information, such as GDPR, PCI DSS, and HIPAA.

Use cases

Continuously protecting private information has several benefits:

  • The right to data protection: many public services provide compliance with the latest data privacy security frameworks, thus providing the user with the right tools and mechanisms for protecting their PII;
  • Continuous compliance: the rapid rise of public cloud adoption has led to several data leakages which usually have a resource misconfiguration or human error as the root cause.
  • Continuous assessment and auto-remediation greatly reduce the risk of a data leakage in a public space.

Benefits

As data and intellectual property are the main drivers of the business, their security leads to a data-centric security approach. Having personal data or intellectual property leaked in the public space can have a financial impact on any business.

Verticals

Data privacy is a concern that covers most, if not all, industry verticals, from the banking industry to healthcare and social media as well as the IoT space (e.g. smart city, smart home, etc.).

Challenges

The data-centric approach to security is sometimes hard to implement as it requires strict adherence to security policies and control mechanisms. Continuous monitoring and remediation is required in order to ensure that any threat to sensitive data is prevented or averted.

Immutable Infrastructure

5+ years

As a natural outcome of the CI/CD paradigm, and heavily encouraged and supported by ease of deployment not only in public cloud environments but also in private clouds, immutable infrastructure has become the norm for today's IT projects, facilitating a swift entry into operation of each of its components with the full set of packages and dependencies. The end result is that each component is defined, described and deployed in a well-known and properly tested setup which, instead of being adjusted to meet new requirements, is re-deployed in a new configuration. Latest developments have pushed the concept further with the advent of Infrastructure as Code solutions, which translate a friendlier declarative-language syntax into cloud-specific APIs, thus allowing for easy adoption of hybrid cloud environments.

Use cases

  • Complex monolithic software broken down into a microservices architecture, with microservices configured as immutable configuration components
  • Computing environments that require repeatable deployments of similar subcomponents
  • Heavy load systems that require scale-out capabilities

Benefits

  • Stable and repeatable deployment, with a predictable, error-free outcome
  • Defining a baseline will improve detection of any deviation as well as problem investigation
  • Reduced maintenance efforts
  • Ease of change management
  • Ease of rollback to earlier versions

Verticals

All, perhaps with more emphasis on those involved in Research and Development

Challenges

The necessity to set up an automation framework that will address related aspects.

The current tendency to embed public libraries and software repositories brings in security challenges that must be addressed through proper testing and validation.

Security for Serverless Cloud

5+ years

Serverless cloud computing, or Functions-as-a-Service, consists of simple functions, each executed to achieve a given task and triggered by an event. That way, developers just focus on deploying applications and their business logic, without taking care of the underlying infrastructure. When applications are not running, they don't consume computing resources. Serverless cloud brings some specific risks or threats that need to be mitigated. This is the reason for Security for Serverless Cloud.

Use cases

Due to the nature of the Serverless Cloud approach, the main use case is the protection of the Application layer:

  • Providing visibility of the serverless vulnerabilities.
  • Protecting against Denial of Service attacks.
  • Maintaining the Security Posture when depending upon external resources.
  • Access Control of serverless functions.
  • Function inventory.

Benefits

  • Cost: as it only includes the time needed to execute a function.
  • Disaggregated Services: as every specific function is considered a service.
  • No Server Management Required: due to the concept of Serverless computing, as it is delegated to the Serverless provider.
  • Securing secrets in transit, at rest, and while in use by a function.
  • Logging and Auditing what is accessing the serverless applications.
  • Reduce serverless permissions by implementing a least privilege model for all deployed functions.
  • Monitor function layers and infrastructure in real time to identify malicious activity.
  • Maintain serverless/cloud asset inventory.

Verticals

All verticals