The human tragedy the COVID-19 pandemic has inflicted on the world is incalculable and continues to grow. Every human life is priceless and deserves the care needed to sustain it. COVID-19 is also impacting entire industries, causing them to randomly move in unpredictable ways, directly impacting IT and tech spending.

COVID-19’s impact on industries

Computer Economics in collaboration with their parent company Avasant published their Coronavirus Impact Index by Industry that looks at how COVID-19 is affecting 11 major industry sectors in four dimensions: personnel, operations, supply chain, and revenue. Please see the Coronavirus Impact Index by Industry by Tom Dunlap, Dave Wagner, and Frank Scavo of Computer Economics for additional information and analysis.  The resulting index is an overall rating of the impact of the pandemic on each industry and is shown below:

Computer Economics and Avasant predict major disruption to High Tech & Telecommunications based on the industry’s heavy reliance on Chinese supply chains, which were severely impacted by COVID-19.

Based on conversations with U.S.-based high tech manufacturers, I’ve learned that a few are struggling to make deliveries to leading department stores and discount chains due to parts shortages and allocations from their Chinese suppliers. North American electronics suppliers aren’t an option due to their prices being higher than their Chinese competitors. Leading department stores and discount chains openly encourage high tech device manufacturers to compete with each other on supplier availability and delivery date performance.

In contrast to the parts shortage and unpredictability of supply chains dragging down the industry, software is a growth catalyst. The study notes that Zoom, Slack, GoToMyPC, Zoho Remotely, Microsoft Office365, Atlassian, and others are already seeing increased demand as companies increase their remote-working capabilities.

COVID-19’s impact on IT spending  

Further supporting the Coronavirus Impact Index by Industry analysis, Andrew Bartels, VP & Principal Analyst at Forrester, published his latest forecast of tech growth today in the post, The Odds of a Tech Market Decline In 2020 Have Just Gone Up To 50%.

Mr. Bartels is referencing the market forecasts shown in the following forecast published last month, New Forrester Forecast Shows That Global Tech Market Growth Will Slip To 3% In 2020 And 2021 and shown below:

Key insights from Forrester’s latest IT spending forecast and predictions are shown below:

• Forrester is revising its tech forecast downward, predicting the US and global tech market growth slowing to around 2% in 2020. Bartels mentions that this assumes the US and other major economies have declined in the first half of 2020 but manage to recover in the second half
• If a full-fledged recession hits, there is a 50% probability that US and global tech markets will decline by 2% or more in 2020
• In either a second-half 2020 recovery or recession, Forrester predicts computer and communications equipment spending will be weakest, with potential declines of 5% to 10%
• Tech consulting and systems integration services spending will be flat in a temporary slowdown and could be down by up to 5% if firms cut back on new tech projects
• Software spending growth will slow to the 2% to 4% range in the best case and will post no growth in the worst case of a recession
• The only positive signs from the latest Forrester IT spending forecast is the continued growth in demand for cloud infrastructure services and potential increases in spending on specialised software. Forrester also predicts communications equipment, and telecom services for remote work and education as organisations encourage workers to work from home and schools move to online courses

Conclusion

Every industry is economically hurting already from the COVID-19 pandemic. Now is the time for enterprise software providers to go the extra mile for their customers across all industries and help them recover and grow again. Strengthening customers in their time of need by freely providing remote collaboration tools, secure endpoint solutions, cloud-based storage, and CRM systems is an investment in the community that every software company needs to make it through this pandemic too.

Photo by Micheile Henderson on Unsplash

Interested in hearing industry leaders discuss subjects like this and sharing their experiences and use-cases? Attend the Cyber Security & Cloud Expo World Series with upcoming events in Silicon Valley, London and Amsterdam to learn more.

Bottom line: Passwordless authentication, endpoint security, cloud-native SIEM platforms, and new API-based data security technologies were the most interesting tech developments, while keynotes focusing on election security, industrial control systems’ vulnerabilities and the persistent threat of state-sponsored ransomware dominated panel discussion.

This year’s RSA Conference was held February 24 to 28 in San Francisco’s Moscone Center, attracting more than 36,000 attendees, 704 speakers, and 658 exhibitors unified by the theme of the human element in cybersecurity. The conference’s agenda is here, with many session recordings and presentation slides available for download.

Before the conference, RSA published the RSAC 2020 Trend Report (PDF, 13 pp., no opt-in). RSA received 2,400 responses to their call for speakers and based their report on an analysis of all submissions. The 10 trends in the RSAC 2020 Trend Report are based on an analysis of all papers submitted to the conference. It’s a quick read that provides a synopsis of the main themes of the excellent sessions presented at RSAC 2020.

The following are the five most interesting takeaways from the 2020 RSA Conference:

Endpoint security products dominated the show floor, with over 120 vendors promoting their unique solutions

There were over 50 presentations and panels on the many forms of endpoint security as well. Instead of competing for show attendees’ attention on the show floor, Absolute Software took the unique approach of completing a survey during RASC 2020. Absolute’s team was able to interview 100 respondents, with most holding the position of a manager/supervisor or C-level executive. 

More than three in four respondents reported their organisations are using endpoint security tools, multi-factor authentication, and employee training and education to protect data, devices, and users. You can review their survey results here.

The number of vendors claiming to have Zero Trust solutions grew 50% this year, from 60 in 2019 to 91 in 2020

There continues to be a lot of hype surrounding Zero Trust, with vendors having mixed results with their product and messaging strategies in this area. A good benchmark to use for evaluating vendors in the Zero Trust market is the Forrester Wave: Zero Trust eXtended Ecosystem Platform Providers, Q4 2019, written by Chase Cunningham and published on October 29, 2019. I’ve summarised the lessons learned in the post, What’s New on the Zero Trust Security Landscape In 2019.

Over 30 vendors claimed to have passwordless authentication that met the current FIDO2 standard

In keeping with the theme of this year’s RSA Conference of Human Element, vendors offering passwordless authentication were out in force. Centrify, Entrust Datacard, HID Global, Idaptive, ImageWare, MobileIron, Thales, and many others promoted their unique approaches to passwordless authentication, leveraging the FIDO2 standard.

FIDO2 is the latest set of specifications from the FIDO Alliance, an industry standards organisation that provides interoperability testing and certification for servers, clients, and authenticators that meet FIDO2 specifications. I’ve written a separate post just on this topic, and you can find it here: Why Your Biometrics Are Your Best Password.

Cloud-based security information and event management (SIEM) systems capable of integrating with third party public cloud platforms reflect the maturity nature of this market

Of the several vendors claiming to have cloud-based SIEM, Microsoft’s Azure Sentinel’s demo showed in real-time how fusion AI technology can parse large volumes of low fidelity signals into a few important incidents for SecOps teams to focus on. Microsoft said that in December 2019 alone, Azure Sentinel evaluated nearly 50 billion suspicious signals, isolating them down to just 25 high-confidence incidents for SecOps teams to investigate. The following graphic explains how Azure Sentinel Fusion works.

One of the most interesting startups at RSA was Nullafi, who specialises in a novel API-based data security technology that combines data aliasing, vaulting, encryption, and monitoring to create an advanced data protection platform that makes hacked data useless to hackers

What makes Nullafi noteworthy is how they’ve been able to build a data architecture that protects legacy and new infrastructures while making the original data impossible for a hacker to reverse engineer and gain access to. It desensitises critical data so that it’s useless to hackers but still useful for an organisation to keep operating, uninterrupted by a breach to your business. Nullafi is built to AWS GovCloud standards.

The Nullafi SDK encrypts the data before sending it to the Nullafi API. It then re-encrypts the data within their zero-knowledge vault in the cloud (or on-premises). The result is that no sensitive data in any format is shared with Nullafi that could be used or lost, as their architecture doesn’t have visibility into what the actual data looks like. The following graphic explains their architecture:

Main picture credit: Louis Columbus

Interested in hearing industry leaders discuss subjects like this and sharing their experiences and use-cases? Attend the Cyber Security & Cloud Expo World Series with upcoming events in Silicon Valley, London and Amsterdam to learn more.

• Worldwide spending on information security and risk management systems will reach $131bn in 2020, increasing to $174bn in 2022 approximately $50bn will be dedicated to protecting the endpoint according to Gartner’s latest information security and risk management forecast
• Cloud security platform and application sales are predicted to grow from $636m in 2020 to $1.63bn in 2023, attaining a 36.8% CAGR and leading all categories of information and security risk management systems
• Application security is forecast to grow from $3.4bn in 2020 to $4.5bn in 2023, attaining a 9.7% CAGR
• Security services is projected to be a $66.9bn market this year, increasing from $62bn in 2019

AI, machine learning and the race to improve cybersecurity  

The majority of information security teams’ cybersecurity analysts are overwhelmed today analysing security logs, thwarting breach attempts, investigating potential fraud incidents and more. 69% of senior executives believe AI and machine learning are necessary to respond to cyberattacks according to the Capgemini study, Reinventing Cybersecurity with Artificial Intelligence.

The following graphic compares the percentage of organisations by industry who are relying on AI to improve their cybersecurity. 80% of telecommunications executives believe their organisation would not be able to respond to cyberattacks without AI, with the average being 69% of all enterprises across seven industries.

The bottom line is all organisations have an urgent need to improve endpoint security and resilience, protect privileged access credentials, reduce fraudulent transactions, and secure every mobile device applying Zero Trust principles. Many are relying on AI and machine learning to determine if login and resource requests are legitimate or not based on past behavioral and system use patterns.

Several of the top 10 companies to watch take into account a diverse series of indicators to determine if a login attempt, transaction, or system resource request is legitimate or not. They’re able to assign a single score to a specific event and predict if it’s legitimate or not. Kount’s Omniscore is an example of how AI and ML are providing fraud analysts with insights needed to reduce false positives and improve customer buying experiences while thwarting fraud.

The following are the top ten cybersecurity companies to watch in 2020:

Absolute

Absolute serves as the industry benchmark for endpoint resilience, visibility and control. Embedded in over a half-billion devices, the company enables more than 12,000 customers with self-healing endpoint security, always-connected visibility into their devices, data, users, and applications – whether endpoints are on or off the corporate network – and the ultimate level of control and confidence required for the modern enterprise.

To thwart attackers, organisations continue to layer on security controls — Gartner estimates that more than $174B will be spent on security by 2022, and of that approximately $50B will be dedicated protecting the endpoint. Absolute’s Endpoint Security Trends Report finds that in spite of the astronomical investments being made, 100 percent of endpoint controls eventually fail and more than one in three endpoints are unprotected at any given time.

All of this has IT and security administrators grappling with increasing complexity and risk levels, while also facing mounting pressure to ensure endpoint controls maintain integrity, availability and functionality at all times, and deliver their intended value.

Organisations need complete visibility and real-time insights in order to pinpoint the dark endpoints, identify what’s broken and where gaps exist, as well as respond and take action quickly. Absolute mitigates this universal law of security decay and empowers organisations to build an enterprise security approach that is intelligent, adaptive and self-healing. Rather than perpetuating a false sense of security, Absolute provides a single source of truth and the diamond image of resilience for endpoints.

Centrify

Centrify is redefining the legacy approach to Privileged Access Management (PAM) with an Identity-Centric approach based on Zero Trust principles.

Centrify’s 15-year history began in Active Directory (AD) bridging, and it was the first vendor to join UNIX and Linux systems with Active Directory, allowing for easy management of privileged identities across a heterogeneous environment. It then extended these capabilities to systems being hosted in IaaS environments like AWS and Microsoft Azure, and offered the industry’s first PAM-as-a-Service, which continues to be the only offering in the market with a true multi-tenant, cloud architecture.

Applying its deep expertise in infrastructure allowed Centrify to redefine the legacy approach to PAM and introduce a server’s capability to self-defend against cyber threats across the ever-expanding modern enterprise infrastructure.

Centrify Identity-Centric PAM establishes a root of trust for critical enterprise resources, and then grants least privilege access by verifying who is requesting access, the context of the request, and the risk of the access environment. By implementing least privilege access, Centrify minimises the attack surface, improves audit and compliance visibility, and reduces risk, complexity, and costs for the modern, hybrid enterprise. Over half of the Fortune 100, the world’s largest financial institutions, intelligence agencies, and critical infrastructure companies, all trust Centrify to stop the leading cause of breaches – privileged credential abuse.

Research firm Gartner predicts that by 2021, approximately 75% of large enterprises will utilise privileged access management products, up from approximately 50% in 2018 in their Forecast Analysis: Information Security and Risk Management, Worldwide, 4Q18 Update published March 29, 2019 (client access reqd). This is not surprising, considering that according to an estimate by Forrester Research, 80% of today’s breaches are caused by weak, default, stolen, or otherwise compromised privileged credentials.

Deep Instinct

Deep Instinct applies artificial intelligence’s deep learning to cybersecurity. Leveraging deep learning’s predictive capabilities, Deep Instinct’s on-device solution protects against zero-day threats and APT attacks with unmatched accuracy. Deep Instinct safeguards the enterprise’s endpoints and/or any mobile devices against any threat, on any infrastructure, whether or not connected to the network or to the Internet.

By applying deep learning technology to cybersecurity, enterprises can now gain unmatched protection against unknown and evasive cyber-attacks from any source. Deep Instinct brings a completely new approach to cybersecurity enabling cyber-attacks to be identified and blocked in real-time before any harm can occur. Deep Instinct USA is headquartered in San Francisco, CA and Deep Instinct Israel is headquartered in Tel Aviv, Israel.

Infoblox

Infoblox empowers organisations to bring next-level simplicity, security, reliability and automation to traditional networks and digital transformations, such as SD-WAN, hybrid cloud and IoT. Combining next-level simplicity, security, reliability, and automation, Infoblox can cut manual tasks by 70% and make organisations’ threat analysts 3x more productive.

While their history is in DDI devices, they are succeeding in providing DDI and network security services on an as-a-service (-aaS) basis. Their BloxOne DDI  application, built on their BloxOne cloud-native platform, helps enable IT professionals to manage their networks, whether they’re based on on-prem, cloud-based, or hybrid architectures.  BloxOne Threat Defense  application leverages the data provided by DDI to monitor network traffic, proactively identify threats, and quickly inform security systems and network managers of breaches, working with the existing security stack to identify and mitigate security threats quickly, automatically, and more efficiently. The BloxOne platform provides a secure, integrated platform for centralising the management of identity data and services across the network. A recognised industry leader, Infoblox has a 52% market share in the DDI networking market comprised of 8,000 customers, including 59% of the Fortune 1000 and 58% of the Forbes 2000.

Kount

Kount’s award-winning, AI-driven fraud prevention empowers digital businesses, online merchants, and payment service providers around the world to protect against payments fraud, new account creation fraud, and account takeover. With Kount, businesses approve more good orders, uncover new revenue streams, improve customer experience, and dramatically improve their bottom line all while minimising fraud management cost and losses. Through Kount’s global network and proprietary technologies in AI and machine learning, combined with flexible policy management, companies frustrate online criminals and bad actors driving them away from their site, their marketplace, and off their network. Kount’s continuously adaptive platform provides certainty for businesses at every digital interaction. Kount’s advances in both proprietary techniques and patented technology include mobile fraud detection, advanced artificial intelligence, multi-layer device fingerprinting, IP proxy detection and geo-location, transaction and custom scoring, global order linking, business intelligence reporting, comprehensive order management, as well as professional and managed services. Kount protects over 6,500 brands today.

Mimecast

Mimecast improves the way companies manage confidential, mission-critical business communication and data. The company’s mission is to reduce the risks users face from email, and support in reducing the cost and complexity of protecting users by moving the workload to the cloud.

The company develops proprietary cloud architecture to deliver comprehensive email security, service continuity, and archiving in a single subscription service. Its goal is to make it easier for people to protect a business in today’s fast-changing security and risk environment. The company expanded its technology portfolio in 2019 through a pair of acquisitions, buying data migration technology provider Simply Migrate to help customers and prospects move to the cloud more quickly, reliably, and inexpensively. Mimecast also purchased email security startup DMARC Analyser to reduce the time, effort, and cost associated with stopping domain spoofing attacks.

Mimecast acquired Segasec earlier this month, a leading provider of digital threat protection. With the acquisition of Segasec, Mimecast can provide brand exploit protection, using machine learning to identify potential hackers at the earliest stages of an attack. The solution also is engineered to provide a way to actively monitor, manage, block, and take down phishing scams or impersonation attempts on the Web.

MobileIron

A long-time leader in mobile management solutions, MobileIron is widely recognised by Chief Information Security Officers, CIOs and senior management teams as the de facto standard for unified endpoint management (UEM), mobile application management (MAM), BYOD security, and zero sign-on (ZSO).

The company’s UEM platform is strengthened by MobileIron Threat Defense and MobileIron’s Access solution, which allows for zero sign-on authentication. Forrester observes in their latest Wave on Zero Trust eXtended Ecosystem Platform Providers, Q4 2019 that “MobileIron’s recently released authenticator, which enables passwordless authentication to cloud services, is a must for future-state Zero Trust enterprises and speaks to its innovation in this space.” 

The Wave also illustrates that MobileIron is the most noteworthy vendor as their approach to Zero Trust begins with the device and scales across mobile infrastructures. MobileIron’s product suite also includes a federated policy engine that enables administrators to control and better command the myriad of devices and endpoints that enterprises rely on today. Forrester sees MobileIron as having excellent integration at the platform level, a key determinant of how effective they will be in providing support to enterprises pursuing Zero Trust Security strategies in the future.

One Identity

One Identity is differentiating its Identity Manager identity analytics and risk scoring capabilities with greater integration via its connected system modules. The goal of these modules is to provide customers with more flexibility in defining reports that include application-specific content. Identity Manager also has over 30 direct provisioning connectors included in the base package, with good platform coverage, including strong Microsoft and Office 365 support.

Additional premium connectors are charged separately. One Identity also has a separate cloud-architected SaaS solution called One Identity Starling. One of Starling’s greatest benefits is its design that allows for it to be used not only by Identity Manager clients, but also by clients of other IGA solutions as a simplified approach to obtain SaaS-based identity analytics, risk intelligence, and cloud provisioning.

One Identity and its approach is trusted by customers worldwide, where more than 7,500 organisations worldwide depend on One Identity solutions to manage more than 125 million identities, enhancing their agility and efficiency while securing access to their systems and data – on-prem, cloud, or hybrid.

SECURITI.ai

SECURITI.ai is the leader in AI-Powered PrivacyOps, that helps automate all major functions needed for privacy compliance in one place. It enables enterprises to give rights to people on their data, be responsible custodians of people’s data, comply with global privacy regulations like CCPA, and bolster their brands.

The AI-Powered PrivacyOps platform is a full-stack solution that operationalises and simplifies privacy compliance using robotic automation and a natural language interface. These include a Personal Data Graph Builder, Robotic Automation for Data Subject Requests, Secure Data Request Portal, Consent Lifecycle Manager, Third-Party Privacy Assessment, Third-Party Privacy Ratings, Privacy Assessment Automation and Breach Management. SECURITI.ai is also featured in the Consent Management section of Bessemer’s Data Privacy Stack shown below and available in Bessemer Venture Partner’s recent publication How data privacy engineering will prevent future data oil spills (10 pp., PDF, no opt-in).

Transmit Security

The Transmit Security Platform provides a solution for managing identity across applications while maintaining security and usability. As criminal threats evolve, online authentication has become reactive and less effective. Many organisations have taken on multiple point solutions to try to stay ahead, deploying new authenticators, risk engines, and fraud tools. In the process, the customer experience has suffered.

With an increasingly complex environment, many enterprises struggle with the ability to rapidly innovate to provide customers with an omnichannel experience that enables them to stay ahead of emerging threats.

Interested in hearing industry leaders discuss subjects like this and sharing their experiences and use-cases? Attend the Cyber Security & Cloud Expo World Series with upcoming events in Silicon Valley, London and Amsterdam to learn more.

• Cloud-based endpoint protection platforms (EPP) are proliferating across enterprises today as CIOs and CISOs prioritise greater resiliency in their endpoint security strategies going into 2020
• Gartner predicts that global information security and risk management end-user spending is forecast to grow at a five-year CAGR of 9.2% to reach $174.5 billion in 2022, with approximately $50bn spent on endpoint security
• Endpoint security tools are 24% of all IT security spending, and by 2020 global IT security spending will reach $128bn according to Morgan Stanley Research
• 70% of all breaches still originate at endpoints, despite the increased IT spending on this threat surface, according to IDC

There’s a surge of activity happening right now in enterprises that are prioritising more resiliency in their endpoint security strategies going into 2020. The factors motivating CIOs, CISOs, IT, and practice directors to prioritise endpoint resiliency include more effective asset management based on real-time data while securing and ensuring every endpoint can heal itself using designed-in regenerative software at the BIOS level of every device.

CIOs say the real-time monitoring helps reduce asset management operating expense, a big plus many of them appreciate give their tight budgets. Sean Maxwell, chief commercial officer at Absolute, says, “Trust is at the centre of every endpoint discussion today as CIOs, CISOs and their teams want the assurance every endpoint will be able to heal itself and keep functioning.”

The endpoint market is heating up going into 2020

Over thirty vendors are competing in the endpoint security market right now. A few of the most interesting are Absolute Software, Microsoft, Palo Alto Networks, and others who are seeing a surge of activity from enterprises based on discussions with CIOs and CISOs.

Absolute Software’s Persistence self-healing endpoint security technology is embedded in the firmware of more than 500 million devices and gives CIOs, CISOs and their team’s complete visibility and control over devices and data. Absolute is the leading visibility and control platform that provides enterprises with tamper-proof resilience and protection of all devices, data, and applications.

Like Absolute, Microsoft is unique in how they are the only vendor to provide built-in endpoint protection at the device level, with the core focus being on the OS. Windows 10 has Windows Defender Antivirus now integrated at the OS level, the same System Center Endpoint Protection delivers in Windows 7 and 8 OS. Microsoft Defender Advanced Threat Protection (ATP) incident response console aggregates alerts and incident response activities across Microsoft Defender ATP, Office 365 ATP, Azure ATP, and Active Directory, in addition to Azure.

Further evidence of how enterprise customers are placing a high priority on endpoint security is the increase in valuations of key providers in this market, including Absolute Software (TSE: ABT) and others. Absolute’s stock price has jumped 13% in just a month, following their latest earnings announcement on November 12th with a transcript of their earnings call here.

Absolute’s CEO Christy Wyatt commented during the company’s most recent earnings call that, “The ability to utilise near real-time data from the endpoint to… to deliver actionable insights to IT about where controls are failing and the ability to apply resilience to self-heal and reinforce those security controls will become a critical skill for every one of our customers. This is the essence of Absolute’s platform, which adds resiliency to our customer’s operations.” It’s evident from what CIOs and CISOs are saying that resiliency is transforming endpoint security today and will accelerate in 2020.

Key takeaways from conversations with enterprise cybersecurity leaders

The conversations with CIOs, CISOs, and IT Directors provided valuable insights into why resiliency is becoming a high priority for endpoint security strategies today. The following are key takeaways from the conversations:

• Known humorously as the “fun button” cybersecurity teams enjoy being able to brick any device any time while monitoring the activity happening on it in real-time. One CIO told the story of how their laptops had been given to a service provider who was supposed to destroy them to stay in compliance with the Health Insurance Portability and Accountability Act (HIPAA), and one had been resold on the back market, ending up in a 3rd world nation. As the hacker attempted to rebuild the machine, the security team watched as each new image was loaded, at which time they would promptly brick the machine. After 19 tries, the hacker gave up and called the image re-build “brick me"
   
• IT budgets for 2020 are flat or slightly up, with many CIOs being given the goal of reducing asset management operating expenses, making resiliency ideal for better managing device costs. The more effectively assets are managed, the more secure an organization becomes. That’s another motivating factor motivating enterprises to adopt resiliency as a core part of the endpoint security strategies
   
• One CIO was adamant they had nine software agents on every endpoint, but Absolute’s Resilience platform found 16, saving the enterprise from potential security gaps. The gold image an enterprise IT team was using had inadvertently captured only a subset of the total number of software endpoints active on their networks. Absolute’s Resilience offering and Persistence technology enabled the CIO to discover gaps in endpoint security the team didn’t know existed before
   
• Endpoints enabled with Resiliency have proven their ability to autonomously self-heal themselves, earning the trust of CIOs and CISOs, who are adopting Absolute to alleviate costly network interruptions and potential breaches in the process. 19% of endpoints across a typical IT network require at least one client or patch management repair monthly, according to Absolute’s 2019 Endpoint Security Trends Report. The report also found that increasing security spending on protecting endpoints doesn’t increase an organizations’ safety – and in some instances, reduces it. Having a systematic, design-in solution to these challenges gives CIOs, CISO, and their teams greater peace of mind and reduces expensive interruptions and potential breaches that impede their organizations’ growth.

Interested in hearing industry leaders discuss subjects like this and sharing their experiences and use-cases? Attend the Cyber Security & Cloud Expo World Series with upcoming events in Silicon Valley, London and Amsterdam to learn more.

• 60% of security and IT professionals state that security is the leading challenge with cloud migrations, despite not being clear about who is responsible for securing cloud environments
• 71% understand that controlling privileged access to cloud service administrative accounts is a critical concern, yet only 53% cite secure access to cloud workloads as a key objective of their cloud privileged access management (PAM) strategies

These and many other fascinating insights are from the recent Centrify survey, Reducing Risk in Cloud Migrations: Controlling Privileged Access to Hybrid and Multi-Cloud Environments, downloadable here. The survey is based on a survey of over 700 respondents from the United States, Canada, and the UK from over 50 vertical markets, with technology (21%), finance (14%), education (10%), government (10%) and healthcare (9%) being the top five. For additional details on the methodology, please see page 14 of the study.

What makes this study noteworthy is how it provides a candid, honest assessment of how enterprises can make cloud migrations more secure by a better understanding of who is responsible for securing privileged access to cloud administrative accounts and workloads.

Key insights from the study include the following:

Improved speed of IT services delivery (65%) and lowered total cost of ownership (54%) are the two top factors driving cloud migrations today

Additional factors include greater flexibility in responding to market changes (40%), outsourcing IT functions that don’t create competitive differentiation (22%), and increased competitiveness (17%). Reducing time-to-market for new systems and applications is one of the primary catalysts driving cloud migrations today, making it imperative for every organisation to build security policies and systems into their cloud initiatives.

Security is the greatest challenge to cloud migration by a wide margin

60% of organisations define security as the most significant challenge they face with cloud migrations today. One in three sees the cost of migration (35%) and lack of expertise (30%) being the second and third greatest impediments to cloud migration project succeeding. Organisations are facing constant financial and time constraints to achieve cloud migrations on schedule to support time-to-market initiatives. No organisation can afford the lost time and expense of an attempted or successful breach impeding cloud migration progress.

71% of organisations are implementing privileged access controls to manage their cloud services

However, as the privilege becomes more task-, role-, or access-specific, there is a diminishing interest of securing these levels of privileged access as a goal, evidenced by only 53% of organisations securing access to the workloads and containers they have moved to the cloud. The following graphic reflects the results.

An alarmingly high 60% of organisations incorrectly view the cloud provider as being responsible for securing privileged access to cloud workloads

It’s shocking how many customers of AWS and other public cloud providers are falling for the myth that cloud service providers can completely protect their customised, highly individualised cloud instances.

The native identity and access management (IAM) capabilities offered by AWS, Microsoft Azure, Google Cloud, and others provide enough functionality to help an organisation get up and running to control access in their respective homogeneous cloud environments. Often they lack the scale to adequately address the more challenging, complex areas of IAM and Privileged Access Management (PAM) in hybrid or multi-cloud environments, however. For an expanded discussion of the Shared Responsibility Model, please see The Truth About Privileged Access Security On AWS and Other Public Clouds. The following is a graphic from the survey and Amazon Web Services’ interpretation of the Shared Responsibility Model.

Implementing a common security model in the cloud, on-premises, and in hybrid environments is the most proven approach to making cloud migrations more secure

Migrating cloud instances securely needs to start with Multi-Factor Authentication (MFA), deploying a common privileged access security model equivalent to on-premises and cloud systems, and utilising enterprise directory accounts for privileged access.

These three initial steps set the foundation for implementing least privilege access. It’s been a major challenge for organisations to do this, particularly in cloud environments, as 68% are not eliminating local privilege accounts in favour of federated access controls and are still using root accounts outside of “break glass” scenarios.

Even more concerning, 57% are not implementing least privilege access to limit lateral movement and enforce just-enough, just-in-time-access.

When it comes to securing access to cloud environments, organisations don’t have to reinvent the wheel

Best practices from securing on-premises data centres and workloads can often be successful in securing privileged access in cloud and hybrid environments as well.

Conclusion

The study provides four key takeaways for anyone working to make cloud migrations more secure. First, all organisations need to understand that privileged access to cloud environments is your responsibility, not your cloud providers’. Second, adopt a modern approach to privileged access management that enforces least privilege, prioritising “just enough, just-in-time” access. Third, employ a common security model across on-premises, cloud, and hybrid environments. Fourth and most important, modernise your security approach by considering how cloud-based PAM systems can help to make cloud migrations more secure.

Interested in hearing industry leaders discuss subjects like this and sharing their experiences and use-cases? Attend the Cyber Security & Cloud Expo World Series with upcoming events in Silicon Valley, London and Amsterdam to learn more.

Private equity firms are snapping up manufacturing companies at a quick pace, setting off a merger and acquisition gold rush, while leaving multi-cloud manufacturing systems unprotected in a Zero Trust world.

Securing the manufacturing gold rush of 2019

The intensity private equity (PE) firms have for acquiring and aggregating manufacturing businesses is creating an abundance of opportunities for cybercriminals to breach the resulting businesses. For example, merging formerly independent infrastructures often leads to manufacturers maintaining — at least initially — multiple identity repositories such as Active Directory (AD), which contain privileged access credentials, usernames, roles, groups, entitlements, and more. Identity repository sprawl ultimately contributes to maintenance headaches but, more importantly, security blind spots that are being exploited by threat actors regularly.

A contributing factor is a fact that private equity firms rarely have advanced cybersecurity expertise or skills and therefore don’t account for these details in their business integration plans. As a result, they often rely on an outdated “trust but verify” approach, with trusted versus untrusted domains and legacy approaches to identity access management.

The speed PE firms are driving the manufacturing gold rush is creating a sense of urgency to stand up new businesses fast – leaving cybersecurity as an afterthought, if even a consideration at all. Here are several insights from PwC’s Global Industrial Manufacturing Deals Insights, Q2 2019 and Private Equity Trend Report, 2019, Powering Through Uncertainty:

• 39% of all PE investors rate the industrial manufacturing sector as the most attractive for acquiring and rolling up companies into new businesses
• The manufacturing industry saw a 31% increase in deal value from Q1 2019 to Q2 2019 with industrial manufacturing megadeals driving deal value to $27.4B in Q2, 2019, on 562 deals
• Year-to-date North American manufacturing has generated 184 deals worth $15.2B in 2019
•  Worldwide and North American cross-sector manufacturing deal volumes increased by 32% and 30% in Q2, 2019 alone

PE firms are also capitalising on how many family-run manufacturers are in the midst of a generational change in ownership. Company founders are retiring, and their children, nearly all of whom were raised working on the shop floor, are ready to sell. PE firms need to provide more cybersecurity guidance during these transactions to secure companies in transition. Here’s why:

• According to the 2019 Verizon Data Breach Investigation Report, manufacturing has been experiencing an increase in financially-motivated breaches in the past couple of years, whereby most incidents involve Phishing and the use of stolen credentials
• Manufacturing’s most commonly compromised data includes credentials (49%), internal operations data (41%), and company secrets (36%) according to the 2019 Verizon Data Breach Investigation Report
• 50% of manufacturers report experiencing a data breach or cyber-attack over the last 12 months, 11% of which were severe, according to the Sikich M&D Report 2019
• It’s the smaller suppliers in the supply chain or M&A process that hackers are starting to exploit to bring down many of the world’s largest manufacturing companies. Just ask one of the world’s leading shipping providers, A.P. Møller-Maersk

How to secure multi-cloud manufacturing systems in a Zero Trust world

To stop the cybercriminals’ gold rush, merged manufacturing businesses need to take the first step of adopting an approach to secure each acquired company’s identity repositories, whether on-premises or in the cloud. For example, instead of having to reproduce or continue to manage the defined rights and roles for users in each AD, manufacturing conglomerates can better secure their combined businesses using a multi-directory brokering approach.

Multi-directory brokering, such as the solution offered by privileged access management provider Centrify, empowers an organisation to use its existing or preferred identity directory as a single source of truth across the organisation, brokering access based on a single identity rather than having to manage user identities across multiple directories. For example, if an organisation using AD acquires an organisation using a different identity repository or has multiple cloud platforms, it can broker access across the environment no matter where the “master” identity for an individual exists. This is particularly important when it comes to privileged access to critical systems and data, as “identity sprawl” can leave gaping holes to be exploited by bad actors.

Multi-directory brokering is public cloud-agnostic, making it possible to support Windows and Linux instances in one or multiple infrastructure as a service (IaaS) platforms to secure multi-cloud manufacturing systems. The following diagram illustrates how multi-directory brokering scales to support multi-cloud manufacturing systems that often rely on hybrid multi-cloud configurations.

Manufacturers who are the most negatively impacted by the trade wars are redesigning and re-routing their supply chains to eliminate tariffs, so they don‘t have to raise their prices. Multi-cloud manufacturing systems are what they’re relying on to accomplish that. The future of their business will be heavily reliant upon how well they can secure the multi-cloud configurations of their systems. That’s why multi-directory brokering makes so much sense for manufacturers today, especially those looking for an exit strategy with a PE firm.

The PE firms driving the merger and acquisition (M&A) frenzy in specific sectors of manufacturing need to take a closer look at how identity and access management (IAM) is being implemented in the manufacturing conglomerates they are creating. With manufacturing emerging as a hot industry for PE, M&A, and data breaches, it’s time to move beyond replicating Active Directories and legacy approaches to IAM. One of the most important aspects of a successful acquisition is enabling administrators, developers, and operations teams to access systems securely, without massive incremental cost, effort, and complexity.

Conclusion

The manufacturing gold rush for PE firms doesn’t have to be one for cybercriminals as well. PE firms and the manufacturing companies they are snapping up need to pay more attention to cybersecurity during the initial integration phases of combining operations, including how they manage identities and access. Cybercriminals and bad actors both within and outside the merged companies are lying in wait, looking for easy-exploitable gaps to exfiltrate sensitive data for monetary gain, or in an attempt to thwart the new company’s success.

Interested in hearing industry leaders discuss subjects like this and sharing their experiences and use-cases? Attend the Cyber Security & Cloud Expo World Series with upcoming events in Silicon Valley, London and Amsterdam to learn more.

• 93% of enterprises are securing remote locations with a centralised approach that rarely scales to secure every endpoint and identity of remote branch locations, leaving an enterprise more vulnerable to a breach
• Enabling network security is the greatest challenge enterprises face when managing a highly distributed network with numerous remote locations
• In an era of cloud-first networks, nine out of 10 companies are still relying on centrally managed networks that don’t scale for remote system users, creating productivity bottlenecks
• 75% of enterprises experience branch and remote location network interruptions several times a year or more frequently, costing an organisation thousands of dollars an hour in lost productivity

The challenges of scaling cloud services to grow a digital business are many and are well-explained in the recent research report, Remote Office Networks Pose Business and Reliability Risk A Survey of IT Professionals (27 pp., PDF, no opt-in), published on August 2019 by Dimensional Research in collaboration with Infoblox. This report provides valuable insights into why scaling cloud services is essential for growing a digital business.

The study’s findings reflect how remote branch and production locations’ lack of IT security and site personnel are one of the most challenging constraints to overcome and keep growing their business.

99% or nearly all enterprises with distributed operations suffer adverse business impacts from network interruptions. Of the many causes of network disruption, one of the most common is not directing traffic to the closest point of entry into cloud platforms.

Taking a software-based approach to wide-area networking (SDWAN) is proving effective in improving cloud-based application performance, including Microsoft Office 365 cloud-based application performance. The report shows how SD-WAN is replacing outdated centralised IT models that lack the scale to flex and support new digital business models.

Key insights from the research report include the following:

Enterprises realise the model of relying on centralised IT security isn’t scaling to support and protect the proliferation of user devices with internet access, leaving branch offices less secure than ever before

Every IT architect, IT director, or CIO needs to consider how taking an SD-WAN-based approach to network management reduces the risk of a breach and data exfiltration. 93% of enterprises are securing remote locations with a centralised approach that rarely scales to secure every endpoint and identity of remote branch locations, leaving an enterprise more vulnerable to a breach.

Enterprises are upgrading their core network services, including DNS, DHCP, and IP address management, on cloud-based DDI platforms to bring greater security scale and reliability across their enterprise networks. Enterprises are also devising Zero Trust Security (ZTS) frameworks to secure every network, cloud, and on-premise platform, operating system, and application across their branch offices. 

Chase Cunningham of Forrester, Principal Analyst, is the leading authority on Zero Trust Security, and his recent video, Zero Trust in Action, is worth watching to learn more about how enterprises can secure their IT infrastructures. You can find his blog here.

75% or the majority of an enterprises’ branch offices experience network interruptions several times a year, with 49% of them requiring three or more hours to resolve remote office network outages

Enterprises continue to pay a very high price in lost productivity due to network interruptions and the time it takes to troubleshoot them and get a branch or remote location back online.

Enterprises are upgrading their core network services, including DNS, DHCP, and IP address management, on cloud-based DDI platforms to bring greater scale and reliability across their enterprise networks. Cloud-based DDI platforms enable enterprises to manage networking for hundreds to thousands of remote sites with unprecedented cost-efficiency.

Relying on centralised IT creates many challenges and security threats for remote offices, with the most costly not having IT staff at remote sites

Network security at remote locations is the greatest challenge enterprises face when managing a highly distributed network with numerous remote locations. A contributing factor to security being the leading challenge of managing a highly distributed network is the lack of IT employees at remote branches. 65% of enterprises are routinely sending IT employees to remote branches to resolve networking issues alone.

Travel costs combined with lost productivity from having to send IT technicians out for a week or longer to solve network performance issues is another reason why enterprises are adopting cloud-based DDI platforms.

Enterprises are adopting cloud-based DDI platforms that enable enterprises to simplify the management of highly distributed remote networks as well as to optimise the network performance of cloud-based applications

Dimensional Research’s study reflects how enterprises are meeting the challenge of increasingly complex, distributed networks that have a proliferating number of remote locations and endpoints. The majority of enterprises, 71%, are looking to integrate core network services, DNS, DHCP, and IP address management, into a single cloud-based DDI platform.

The problem is, conventional DDI solutions for branch locations are too slow or complicated for a cloud-first world. The following graphic from the study shows what is motivating enterprises to adopt SD-WAN today:

Interested in hearing industry leaders discuss subjects like this and sharing their experiences and use-cases? Attend the Cyber Security & Cloud Expo World Series with upcoming events in Silicon Valley, London and Amsterdam to learn more.

• Between 2018 and 2019, organisations that have deployed artificial intelligence (AI) grew from 4% to 14%, according to Gartner’s 2019 CIO Agenda survey
• Conversational AI remains at the top of corporate agendas spurred by the worldwide success of Amazon Alexa, Google Assistant, and others
• Enterprises are making progress with AI as it grows more widespread, and they’re also making more mistakes that contribute to their accelerating learning curve

These and many other new insights are from Gartner Hype Cycle For AI, 2019 published earlier this year and summarised in the recent Gartner blog post, Top Trends on the Gartner Hype Cycle for Artificial Intelligence, 2019.  Gartner’s definition of Hype Cycles includes five phases of a technology’s lifecycle and is explained here. Gartner’s latest Hype Cycle for AI reflects the growing popularity of AutoML, intelligent applications, AI platform as a service or AI cloud services as enterprises ramp up their adoption of AI. The Gartner Hype Cycle for AI, 2019, is shown below:

Details of what’s new in Gartner’s Hype Cycle For AI 2019:

Speech recognition is less than two years to mainstream adoption and is predicted to deliver the most significant transformational benefits of all technologies on the Hype Cycle

Gartner advises its clients to consider including speech recognition on their short-term AI technology roadmaps. Gartner observes, unlike other technologies within the natural-language processing area, speech to text (and text to speech) is a stand-alone commodity where its modules can be plugged into a variety of natural-language workflows. Leading vendors in this technology area Amazon, Baidu, Cedat 85, Google, IBM, Intelligent Voice, Microsoft, NICE, Nuance, and Speechmatics.

Eight new AI-based technologies are included in this year’s Hype Cycle, reflecting Gartner enterprise clients’ plans to scale AI across DevOps and IT while supporting new business models

The latest technologies to be included in the Hype Cycle for AI reflect how enterprises are trying to demystify AI to improve adoption while at the same time, fuel new business models. The new technologies include the following:

• AI cloud services – AI cloud services are hosted services that allow development teams to incorporate the advantages inherent in AI and machine learning
• AutoML – Automated machine learning (AutoML) is the capability of automating the process of building, deploying, and managing machine learning models
• Augmented intelligence – Augmented intelligence is a human-centered partnership model of people and artificial intelligence (AI) working together to enhance cognitive performance, including learning, decision making, and new experiences
• Explainable AI – AI researchers define “explainable AI” as an ensemble of methods that make black-box AI algorithms’ outputs sufficiently understandable
• Edge AI – Edge AI refers to the use of AI techniques embedded in IoT endpoints, gateways, and edge devices, in applications ranging from autonomous vehicles to streaming analytics
• Reinforcement learning – Reinforcement learning has the primary potential for gaming and automation industries and has the potential to lead to significant breakthroughs in robotics, vehicle routing, logistics, and other industrial control scenarios
• Quantum computing – Quantum computing has the potential to make significant contributions to the areas of systems optimisation, machine learning, cryptography, drug discovery, and organic chemistry. Although outside the planning horizon of most enterprises, quantum computing could have strategic impacts in key businesses or operations
• AI marketplaces – Gartner defines an AI marketplace as an easily accessible place supported by a technical infrastructure that facilitates the publication, consumption, and billing of reusable algorithms. Some marketplaces are used within an organisation to support the internal sharing of prebuilt algorithms among data scientist

Gartner considers the following AI technologies to be on the rise and part of the Innovation Trigger phase of the AI Hype Cycle: AI marketplaces, reinforcement learning, decision intelligence, AI cloud services, data labelling, and annotation services, and knowledge graphs are now showing signs of potential technology breakthroughs as evidence by early proof-of-concept stories. Technologies in the Innovation Trigger phase of the Hype Cycle often lack usable, scalable products with commercial viability not yet proven.

Smart robots and AutoML are at the peak of the Hype Cycle in 2019

In contrast to the rapid growth of industrial robotics systems that adopted by manufacturers due to the lack of workers, smart robots are defined by Gartner as having electromechanical form factors that work autonomously in the physical world. They learn in short-term intervals from human-supervised training and demonstrations or by their supervised experiences including taking direction form human voices in a shop floor environment. Whiz Robot from SoftBank Robotics is an example of a SmartRobot that will be sold under the robot-as-a service (RaaS) model and will originally be available only in Japan.

AutoML is one of the most hyped technology in AI this year. Gartner defines automated machine learning (AutoML) as the capability of automating the process of building, deploying, or managing machine learning models. Leading vendors providing AutoML platforms and applications include Amazon SageMaker, Big Squid, dotData, DataRobot, Google Cloud Platform, H2O.ai, KNIME, RapidMiner, and Sky Tree.

Nine technologies were removed or reassigned from this years’ Hype Cycle of AI compared to 2018

Gartner has removed nine technologies, often reassigning them into broader categories. Augmented reality and virtual reality are now part of augmented intelligence, a more general category, and remains on many other Hype Cycles. Commercial UAVs (drones) is now part of edge AI, a more general category. Ensemble learning had already reached the plateau in 2018 and has now graduated from the Hype Cycle.

Human-in-the-loop crowdsourcing has been replaced by data labeling and annotation services, a broader category. Natural language generation is now included as part of NLP. Knowledge management tools have been replaced by insight engines, which are more relevant to AI. Predictive analytics and prescriptive analytics are now part of decision intelligence, a more general category.

Sources:

Hype Cycle for Artificial Intelligence, 2019, Published 25 July 2019, (Client access reqd.)
Top Trends on the Gartner Hype Cycle for Artificial Intelligence, 2019 published September 12, 2019

Interested in hearing industry leaders discuss subjects like this and sharing their experiences and use-cases? Attend the Cyber Security & Cloud Expo World Series with upcoming events in Silicon Valley, London and Amsterdam to learn more.

• 87% of enterprises are seeing mobile threats growing the fastest this year, outpacing other threat types, based on Verizon’s Mobile Security Index 2019.
• 66% of IT professionals say security is their most significant concern in adopting an enterprise cloud computing strategy.
• Enterprises are predicted to spend $12.6bn on cloud security tools by 2023, up from $5.6B in 2018, according to Forrester.

Jack Dorsey’s Twitter account getting hacked by having his telephone number transferred to another account without his knowledge is a wake-up call to everyone of how vulnerable mobile devices are. The hackers relied on SIM swapping and convincing Dorsey’s telecom provider to bypass requiring a passcode to modify his account. With the telephone number transferred, the hackers accessed the Twitter founder’s account. If the telecom provider had adopted zero trust at the customer’s mobile device level, the hack would have never happened.

Cloud security’s weakest link is mobile device passwords

The Twitter CEO’s account getting hacked is the latest in a series of incidents that reflect how easy it is for hackers to gain access to cloud-based enterprise networks using mobile devices. Verizon’s Mobile Security Index 2019 revealed that the majority of enterprises, 67%, are the least confident in the security of their mobile assets than any other device.

Mobile devices are one of the most porous threat surfaces a business has. They’re also the fastest-growing threat surface, as every employee now relies on their smartphones as their ID. IDG’s recent survey completed in collaboration with MobileIron, titled Say Goodbye to Passwords found that 89% of security leaders believe that mobile devices will soon serve as your digital ID to access enterprise services and data.

Because they’re porous, proliferating and turning into primary forms of digital IDs, mobile devices and their passwords are a favorite onramp for hackers wanting access to companies’ systems and data in the cloud. It’s time to kill passwords and shut down the many breach attempts aimed at cloud platforms and the valuable data they contain.

Three reasons why killing passwords improves your cloud security

Killing passwords improve cloud security by:

• Eliminating privileged access credential abuse. Privileged access credentials are best sellers on the Dark Web, where hackers bid for credentials to the world’s leading banking, credit card, and financial management systems. Forrester estimates that 80% of data breaches involve compromised privileged credentials, and a recent survey by Centrify found that 74% of all breaches involved privileged access abuse. Killing passwords shuts down the most common technique hackers use to access cloud systems.
   
• Eliminating the threat of unauthorized mobile devices accessing business cloud services and exfiltrating data. Acquiring privileged access credentials and launching breach attempts from mobile devices is the most common hacker strategy today. By killing passwords and replacing them with a zero-trust framework, breach attempts launched from any mobile device using pirated privileged access credentials can be thwarted. Leaders in the area of mobile-centric zero trust security include MobileIron, whose innovative approach to zero sign-on solves the problems of passwords at scale. When every mobile device is secured through a zero-trust platform built on a foundation of unified endpoint management (UEM) capabilities, zero sign-on from managed and unmanaged services become achievable for the first time.
   
• Giving organizations the freedom to take a least-privilege approach to grant access to their most valuable cloud applications and platforms. Identities are the new security perimeter, and mobile devices are their fastest-growing threat surface. Long-standing traditional approaches to network security, including “trust but verify” have proven ineffective in stopping breaches. They’ve also shown a lack of scale when it comes to protecting a perimeter-less enterprise. What’s needed is a zero-trust network that validates each mobile device, establishes user context, checks app authorization, verifies the network, and detects and remediates threats before granting secure access to any device or user. If Jack Dorsey’s telecom provider had this in place, his and thousands of other people’s telephone numbers would be safe today.

Conclusion

The sooner organizations move away from being so dependent on passwords, the better. The three reasons why killing passwords improve cloud security are just the beginning. Imagine how much more effective distributed DevOps teams will be when security isn’t a headache for them anymore, and they can get to the cloud-based resources they need to get apps built.

With more organizations adopting a mobile-first development strategy, it makes sense to have a mobile-centric zero-trust network engrained in key steps of the DevOps process. That’s the future of cloud security, starting with the DevOps teams creating the next generation of apps today.

Interested in hearing industry leaders discuss subjects like this and sharing their experiences and use-cases? Attend the Cyber Security & Cloud Expo World Series with upcoming events in Silicon Valley, London and Amsterdam to learn more.

Bottom line: Amazon’s Identity and Access Management (IAM) centralises identity roles, policies and Config Rules yet doesn’t go far enough to provide a Zero Trust-based approach to Privileged Access Management (PAM) that enterprises need today.

AWS provides a baseline level of support for Identity and Access Management at no charge as part of their AWS instances, as do other public cloud providers. Designed to provide customers with the essentials to support IAM, the free version often doesn’t go far enough to support PAM at the enterprise level. To AWS’s credit, they continue to invest in IAM features while fine-tuning how Config Rules in their IAM can create alerts using AWS Lambda. AWS’s native IAM can also integrate at the API level to HR systems and corporate directories, and suspend users who violate access privileges.

In short, native IAM capabilities offered by AWS, Microsoft Azure, Google Cloud, and more provides enough functionality to help an organisation get up and running to control access in their respective homogeneous cloud environments. Often they lack the scale to fully address the more challenging, complex areas of IAM and PAM in hybrid or multi-cloud environments.

The truth about privileged access security on cloud providers like AWS

The essence of the Shared Responsibility Model is assigning responsibility for the security of the cloud itself including the infrastructure, hardware, software, and facilities to AWS and assign the securing of operating systems, platforms, and data to customers. The AWS version of the Shared Responsibility Model, shown below, illustrates how Amazon has defined securing the data itself, management of the platform, applications and how they’re accessed, and various configurations as the customers’ responsibility:

AWS provides basic IAM support that protects its customers against privileged credential abuse in a homogenous AWS-only environment. Forrester estimates that 80% of data breaches involve compromised privileged credentials, and a recent survey by Centrify found that 74% of all breaches involved privileged access abuse.

The following are the four truths about privileged access security on AWS (and, generally, other public cloud providers):

Customers of AWS and other public cloud providers should not fall for the myth that cloud service providers can completely protect their customised and highly individualised cloud instances

As the Shared Responsibility Model above illustrates, AWS secures the core areas of their cloud platform, including infrastructure and hosting services. AWS customers are responsible for securing operating systems, platforms, and data and most importantly, privileged access credentials.

Organisations need to consider the Shared Responsibility Model the starting point on creating an enterprise-wide security strategy with a Zero Trust Security framework being the long-term goal. AWS’s IAM is an interim solution to the long-term challenge of achieving Zero Trust Privilege across an enterprise ecosystem that is going to become more hybrid or multi-cloud as time goes on.

Despite what many AWS integrators say, adopting a new cloud platform doesn’t require a new Privileged Access Security model

Many organisations who have adopted AWS and other cloud platforms are using the same Privileged Access Security Model they have in place for their existing on-premises systems. The truth is the same Privileged Access Security Model can be used for on-premises and IaaS implementations.

Even AWS itself has stated that conventional security and compliance concepts still apply in the cloud. For an overview of the most valuable best practices for securing AWS instances, please see my previous post, 6 Best Practices For Increasing Security In AWS In A Zero Trust World.

Hybrid cloud architectures that include AWS instances don’t need an entirely new identity infrastructure and can rely on advanced technologies, including Multi-Directory Brokering

Creating duplicate identities increases cost, risk, and overhead and the burden of requiring additional licenses. Existing directories (such as Active Directory) can be extended through various deployment options, each with their strengths and weaknesses. Centrify, for example, offers Multi-Directory Brokering to use whatever preferred directory already exists in an organisation to authenticate users in hybrid and multi-cloud environments.

And while AWS provides key pairs for access to Amazon Elastic Compute Cloud (Amazon EC2) instances, their security best practices recommend a holistic approach should be used across on-premises and multi-cloud environments, including Active Directory or LDAP in the security architecture.

It’s possible to scale existing Privileged Access Management systems in use for on-premises systems today to hybrid cloud platforms that include AWS, Google Cloud, Microsoft Azure, and other platforms

There’s a tendency on the part of system integrators specialising in cloud security to oversell cloud service providers’ native IAM and PAM capabilities, saying that a hybrid cloud strategy requires separate systems. Look for system integrators and experienced security solutions providers who can use a common security model already in place to move workloads to new AWS instances.

Conclusion

The truth is that Identity and Access Management solutions built into public cloud offerings such as AWS, Microsoft Azure, and Google Cloud are stop-gap solutions to a long-term security challenge many organisations are facing today. Instead of relying only on a public cloud provider’s IAM and security solutions, every organisation’s cloud security goals need to include a holistic approach to identity and access management and not create silos for each cloud environment they are using.

While AWS continues to invest in their IAM solution, organisations need to prioritise protecting their privileged access credentials – the “keys to the kingdom” – that if ever compromised would allow hackers to walk in the front door of the most valuable systems an organisation has. The four truths defined in this article are essential for building a Zero Trust roadmap for any organisation that will scale with them as they grow.

By taking a “never trust, always verify, enforce least privilege” strategy when it comes to their hybrid- and multi-cloud strategies, organisations can alleviate costly breaches that harm the long-term operations of any business.

Interested in hearing industry leaders discuss subjects like this and sharing their experiences and use-cases? Attend the Cyber Security & Cloud Expo World Series with upcoming events in Silicon Valley, London and Amsterdam to learn more.