Security is a chess board. Of the primary fundamentals in chess the King is the most valuable piece and the Queen is the most powerful piece (in terms of potential flexibility/impact). Stay with me... if we relate these rules to security we can assert the following supposition:
If security is our chess board; the adoption of cloud infrastructure and resources increase the size of the board (IaaS, SaaS, and private cloud for this metaphor). Seriously... stay with me... if your board size increases, do you:
If you didn't guess already, the other pieces on the board represent your IT security solutions.
The new game board allows for NEW attack vectors against your King, it doesn't necessarily remove the old ones. By the way, pieces != vendors, they represent solutions to prevent those spaces from exposure and exploitation. Our metaphor is mostly but you saw where I was going right?
Security trends for 2017 seem to lead us towards new technology under the guise that we'e been doing it wrong this whole time and new product X will solve all your security needs. Threatstack summary of Gartner's 2017 Cloud Security key findings confirm what we already know:
Gartner's findings marry well to previous risk analysis; CSA's 2016 study of top 12 threats remain mostly unchanged (including top 5):
Emerging acronyms in cloud security deserve closer inspection which aim to address Gartner and CSA's analysis.
CASBs are security policy enforcement points, placing inline security policies, encryption, identity management, and a host of other features against cloud service consumers and providers. Yes, it's existing technologies wrapped up with a nice bow but is no less important on premise or in the cloud. If you're already playing in the cloud chances are you already have some form of CASB, and if you're a datacenter traditionalist, you definitely have some of these services (TACACS, SSO/Federation services, RBAC). CASB's do encapsulate a lot of disparate solutions into a service offering which may alleviate administrative end point expansion, potentially lowering costs. However, with several new players offering CASB "solutions", there's a lot of contest on the proving grounds before enterprises can add those additional pieces to their security chess board. Remember chess pieces != vendors... they represent solutions.
There are many ways vendors are massaging CWPP definitions to meet their products functionality. Using the term workload as the key jump point, the purpose of CWPP's are to classify data through governance policies, and be apply rulesets to that data in flight and when it lands. This allows InfoSec departments the ability to expand data governance rules to more complex hybrid and cloud deployments to ensure data is landing only where authorized and by only the correct parties. Think SELinux for cloud data; policy-based security policies applied across an organization regardless of data's location. New vendors and existing vendors are deploying CWPP features but unless they can seamlessly integrate into your existing infrastructure and meet your policy needs, you're implementing a half-complete solution. You've left chess board tiles exposed. Can CWPP address a lot of security issues? If your InfoSec program is mature enough, then yes.
CASB and CWPP's are new solutions to old problems and are a welcome addition to the expanding chess board. But don't throw away your existing solutions because they're "old". Traditional vulnerabilities still exist and we re-expose ourselves if we shift focus away to new attack methods. InfoSec's responsibility is to evaluate the changing security landscape and adjust accordingly, not purchase the shiny new toy your CISO saw advertised in the airline magazine. The game's expanding and so should your security solution footprint. Adjust smartly and according to your business requirements. An informed InfoSec team is much more effective than one kept in the dark; looking at you Sales & Marketing Shadow IT! Give me a shout out with your thoughts; if you disagree we can argue security trends until SGDQ. I have my priorities straight.