Hello, and welcome to this episode of Security Angle. I'm Shelly Kramer, Managing Director and Principal Analyst here at theCUBE Research. And today I am joined by my colleague and fellow analyst, Joe Peterson. Joe is also a member of our CUBE collective community of analysts. Joe, welcome, it's great to see you. You too, great to be here. Absolutely, so today we are going to tackle the topic of cloud security trends that we see ahead in 2024. So for starters to lay a little background, according to Security Today, global cloud spending is expected to grow more than 20% in 2024. We're seeing, of course, more organizations implement a cloud-first approach, no surprises there. But the reality of it is, as assets shift to hybrid and multi-cloud environments, security strategies need to shift too, and they need to be top of mind as those nasty threat actors are always looking for opportunities to exploit vulnerabilities across interconnected cloud deployments. Some research from Help Net Security pointed out that attackers are adapting as organizations adopt a cloud-first approach. And you know what, that's happening across the board. And that's some of the things that we talk about in this series. I mean, threat actors are highly motivated. Doing dirty deeds is incredibly financially rewarding. And so they are trying to stay as far ahead of the curve as humanly possible, right? So as we continue to see mass migration to the cloud, cyber criminals are going to follow suit. We know that in 2024 we are going to see an increase in sophisticated cyber attacks, targeting cloud architecture, cloud infrastructure. We anticipate seeing attackers more frequently targeting newer cloud technologies like container-based and serverless resources. Data is going to continue to be recognized as not only the lifeblood of every business, but an invaluable asset, and that is incredibly important.
And we're going to see attackers shift tactics to adapt as businesses move toward a cloud-first approach. The primary motivation, of course, is the amount of sensitive data that they can obtain from data breaches. And that sensitive information, I mean, it could be personally identified, if PII, personally identifiable information, it could be all different, it could be what am I thinking about? It could be proprietary data. It could be trade secrets. It could be all kinds of information that they could get access to. So this is really important. So the six cloud trends of 2024 that we believe you and your security team need to be paying a lot of attention to are zero trust model, implementing AI and ML for cloud, cybersecurity mesh, secure access service edge, or SASE, automation of DevSecOps, and cloud native platform and tools. Oh my gosh, pretty soon I'm going to quit talking. So anyway, to quickly wrap this up and to toss it over to you, Joe, you know, I'm going to start with zero trust. And the concept of zero trust has been around since about 2010, when Forrester Research analyst, John Kindervag, created the zero trust security model. Two years after the devastating Colonial Pipeline attack and we've seen strong advocacy from the US government and others, we are still really no closer to seeing zero trust architecture widely adopted. That is concerning. And the only exception it seems on that front as it relates to zero cloud architecture has been, the adoption of that has been with cloud service providers. So what do you think? Yeah, I mean, absolutely. So let me take a step back. I'm a huge fan of zero trust network access, replacing VPN technology because VPN is 20 years old and it really doesn't fit the way we work today, which is either hybrid or remote. Right. But implementing a zero trust stack is complex and can be complicated.
So there was a great article by Henry Newman in eSecurity Planet and Henry asked the question, whether or not zero trust can be implemented outside of the cloud. And Henry made a couple of assertions that I tend to agree with. He said that the cloud service providers have a huge advantage over traditional hardware. So that means server and network and software vendors for three reasons. And here are Henry's reasons. He thinks that CSPs control the software stack. So they don't have to have network monitoring, multi-factor monitoring, OS monitoring and they integrate, coordinate and correlate everything between on their own stack. The hardware stack is also controlled by them. So for the most part, the CSPs built their own hardware and they've been building their own CPUs, some of them. So they build their own network devices. Everything is integrated into that CSP's supply chain, as it were, or stack. And then he further says that the entry points are monitored closely. So when you connect to a CSP, everything is monitored by that cloud service provider. If you have a breach, they might know it before you do because there was some, you know, anomalistic behavior going on. They would see that first. And that's your job. That's your job, right? So you're paying them for that, right? So if we're looking at a zero trust architecture back to, I do agree with him. There have been really no publicized large hacks of CSPs other than the hacks that started by getting into customer sites then to the CSP or databases left open by a customer, right? So I kind of think that, yes, do zero trust network access. And there's some other things that you can do in a zero trust architecture, but you may wanna really think about your bench and if you're able to pull it off. So the next trend that is in our list of six is AI and ML.
And I feel that you showed that I'm starting to feel like every cloud conversation that I have is really an AI ML conversation and it's starting to be a synonymous term. What is going on with that? Well, I absolutely agree. That said, I'm gonna go back a minute and touch on your point about VPNs. And, you know, in a prior episode of this series, we talked about the reality that VPN is old technology and VPNs recognize the device and that's no longer good enough on the protection front and a zero trust network is where it's at. And you know how when sometimes I come across something that is such a great example that I just use it over and over and over again. And one of these is an example from a conversation that Zscaler's Jay Chaudhry had on theCUBE, I think it was at VMware Explorer. I'm not exactly sure of the event but I think that could have been it. But anyway, he gave such a great example illustrating why a VPN really isn't the best protection. And I love this. So I'm gonna give you, I'm gonna give you this explanation again. So here's what happens when a user gets on a network using a VPN or being on a network with firewalls. And here's how Jay described it. I come to visit you, I stop at the reception desk, they check my ID and they give me a badge and they go, hey, go inside, your meeting's on the seventh floor and you just walk in and you wander around and you go wherever you need to go. He's inside, he could snoop around. They wouldn't know if he went to where he was supposed to go, if he went to the restroom, if he went somewhere else, they don't know. So that's what happens with network security and a VPN. And that kind of gives me pause a little bit, right? That's why I love this example so much. So in the zero trust model, you stop at reception, they get your ID, you get a badge and then they say, come on, let me escort you to room blah, blah, blah.
And this is the only room you're escorted to and it's the only room you're in and you don't even know, you don't even know that you're in room 22. And once your meeting happens, they're gonna escort you out. And then he went on to give the example, someplace where they're really security savvy, like somewhere at the DoD, Pentagon, whatever, they're gonna say, hey, Jay, we're gonna blindfold you, we're gonna take you to the meeting and then they're gonna blindfold you again and take you out. And I just love that example because so many of us, every person on the planet hasn't experienced this, but the reality of it is most of us have walked into a corporate headquarters and office building, whatever, given our ID, gotten our badge and we can really relate to that example. So I love that just clear way of thinking about a VPN and how it's not really the best protection anymore. So anyway, back to your question. Back in January, of course, we know Microsoft really rocked the technology industry and announced a $10 billion investment into OpenAI. Amazon has invested in Anthropic in September, about $4 billion. That helped, of course, boost Amazon stock and Google has invested about $2 billion in Anthropic as well. So we've seen a total of about 16 billion invested thus far and by the way, I'm sure that's just a tip of the iceberg, but that's just for the tech. That's not for other capital investments like data center space and that sort of thing. So capital spending by Google, Amazon and Microsoft has jumped to a combined 42 billion for the three months up to September, according to payments.com. So it's clear that to the point that you made, Joe, hyperscalers are investing in all things AI and we're starting to see some guidance come out as it relates to end users about securing AI. And I will tell you every conversation I have, whether it's with you Joe or with our clients or with somebody in the industry, AI security is top of the list and it's top of mind.
And with good reason, I mean, everybody is thinking about or dipping their toes in or getting waist deep in all things AI and you have to have a security posture around this. It's just critically important. So anyway, I love the fact that we are seeing guidance come out about this and I love the fact that we're seeing this attention on AI security. Yeah, I mean, I'm beating that drum all the time, right? Because it's daunting for the leadership, meaning many of them have had the forethought and the strategic awareness to put in policies for the employees, right? But the problem becomes enforcing the policy. So we're starting to see some great thought leadership come out from the hyperscalers. Back all the way back in January of 23, Google announced their Secure AI Framework, or SAIF. And it's a good look at what's important. So SAIF has six core elements. The first is expand strong security foundations to the AI ecosystem. The second is extend detection and response, bring AI into its own organizations, or sorry, into an organization's threat universe. Third, automate defenses to keep pace with the existing and new threats. Fourth, harmonize platform level controls to ensure consistent security across the org. Next, adapt controls to adjust mitigations and create faster feedback loops for AI deployment. And then the last one is contextualize AI system risks in surrounding business processes, probably easier said than done. But Google is also drinking their own champagne. So they have taken five steps internally to support and advance a framework that works for all. And I'm sure that AWS and Microsoft are doing the same thing. Yeah. Organizations looking to chart a course. NIST has published a really beefy, I wanna say it's 63 pages. I'm busy reading it. AI Risk Management Framework. And it is so chock full of great guidance that I suggest enterprise IT leaders read it. I'm gonna include a link to that in our show notes that are in the viewing audience.
I think that that definitely is something to dive into in your free time as opposed to Netflix and chilling. You can, you know, AI risk management framework to chill. We're buying stuff like I do on Instagram. There's that. That's right, that's right. I'm gonna talk now a little bit about item number three on our list, which is cybersecurity mesh. So this is a defense strategy that independently secures each device with its own perimeter, like firewalls and network protection tools. And many security practices use a single perimeter to ensure and to secure rather an entire IT environment, but a security mesh uses a holistic approach. Gartner coined this term, security mesh architecture, CSMA. And as more assets are moved into a multi-cloud environment, it's becoming so much easier for attackers to access them. And that's really why IT leaders need to start thinking about security as a platform where everything works together. And the answer, of course, is it lies in securing the right platform and consolidating tools where it makes sense. And you start by asking yourself, you know, how do we connect the different cybersecurity tools? CSMA gives you the ability to leverage a reduced vendor footprint, which is good, right? I see that as reducing risk along the way, but also while deploying best-in-class solutions through this integration. CSMA is a significant shift away from the traditional perimeter-based security models that we're familiar with, and it's really shifting toward a more decentralized, device-centric approach to network security. And I think it's a relatively new concept, but we believe that it's going to become more relevant and more widely embraced as organizations continue to face cybersecurity threats that not only evolve, but grow at an exponential rate. Oh yeah, totally agree. I mean, this is definitely a trend we're gonna just continue to see.
I think that overall CSMA helps provide multi-layer defense against cyber threats, and it makes it more difficult for attackers to successfully penetrate an organization's network. So in case folks are wondering, there's five components, because it is a newer tool or an idea, a concept. First of all, there's APIs. Second component is a really strong analytics and intelligence process. So think about everything disparate coming into more or less one place, distributed identity management, consolidated approach to policy management, and a really great dashboard. I love this one, that everybody in the org can see and better understand. So instead of like all these little silo dashboards that give you a view into one thing, the idea is to give you a broader view across things, which I like. So yeah, if we move on to our fifth cloud security trend, we believe we're gonna see the automation, more automation of DevSecOps, and I'm kind of here for it. Oh, I am as well. And you know what? I'm gonna make a comment on visibility and dashboards and access to those dashboards across the organization. We did a research study a couple of years ago in partnership with Dell. And some of the things that we asked in our survey was do you have visibility? Do you use a dashboard? And we asked about instances of cyber attacks and how many cyber attacks on average they experienced at such and such time basis and everything else. And what was so fascinating and not at all surprising is that the folks who said they had not had any cybersecurity threat instances were generally speaking the folks who had no visibility. They weren't using a dashboard. They couldn't see what was happening across the organization in real time. And so they thought they were good.
And conversely, the people in our study who did understand the importance of visibility and who were using dashboards were seeing, they were having instances of threat attacks on a regular basis and instance mitigate, instance mitigate, but it's just so interesting to me. Oh yeah, we don't have anything to worry about. We have no idea what's going on inside our network, but we're pretty sure we have nothing to worry about. And that scares the heck out of me. Yeah, right. That's how we get these really long dwell times, just that. That is it, absolutely. So DevSecOps automation, the process of automating the integration of security into DevOps, continuous integration and continuous deployment pipelines. This automation is cool because it drastically reduces the number of errors that occur when security, I'm sorry, it reduces the amount of errors when security analysis is performed manually, makes perfect sense, right? And so while DevSecOps makes security a shared responsibility of Devs and the operational team and security teams, DevSecOps automation empowers everyone and gives everyone the tools that they need to ensure that code and configurations are secure without the need of everybody in the equation becoming security specialists. There are a bunch of vendors in this space that have software available, people like Snyk, Checkmarx, Synopsys, GitLab and Contrast Security. They're really interesting. I'm sure we're going to see that list of vendors continue to grow, but this is really something that is evolving very quickly and I think we'll see more of that. Yeah, and I'm encouraged because for the longest time, I'm encouraged by a DevSecOps role to begin with because for the longest time we had silos, right? We had the Dev folks with the op folks, we had the security folks, right? So the fact that everybody's coming together and swimming in the pool is a great thing because it means that we're putting security in the front of the process, right?
And the thinking is that we're gonna greatly reduce some of the time to deploy by doing, by being basically proactive. So the application security market in general has really taken off. It's estimated to be 11.62 billion in 2024 and it's gonna basically more than double that by 2029, at 25.92 billion. I mean, that's a lot of bananas there. And it's eventually doubling, a little more than doubling in the space of five years. Yeah, exactly. But last but not least on our list for cloud security predictions is cloud native platforms and tools. So any guess, Shelly, what the cloud native security market is worth and who some of the players are in that space? Well, you know, I don't need to guess because I've got some research in front of me from Virtue Market Research. Global cloud native platform market was valued at 9.77 billion and is projected to reach a market size of 35 billion by the end of 2030. So even more dramatic of an increase than the application security market. And by the way, if you're interested in application security and security, I would be remiss not to mention that we covered that topic in last week's show. So I will include a link to that in the show notes as well, so check that out if that's on your list. But I digressed. So projected to reach a market size of 35 billion by the end of 2030, this market over the six year period, it's the market is projected to grow about 20%. The vendors in the space include some very familiar names, Palo Alto, CrowdStrike, Check Point, Trend Micro. This is again, a rapidly growing space and one we expect to see more movement in. Yeah, and I'm just like a little half a side prediction. I think we're gonna see a consolidation to what's known as CNAPP, cloud native application protection platform from some of these little point solutions that have happened over time out of necessity. It's just maturing, right? So that's, you know, we saw that with SentinelOne's purchase of PingSafe, right?
Because they have a CNAPP solution and that enhances SentinelOne's offering. So you're absolutely, I think you're absolutely right. You're always right. Oh God, you know what? We need to record that and have you recording for my husband. Your husband, I'm happy to do that. She's always right. I mean, perfect, right? Perfect, well, those are our predictions for 2020, our cloud security predictions for 2024. That's it, six cloud security predictions. I will very quickly recap them. Zero trust model will become more and more important to begin to be embraced even more and that's a good thing. We'll see the implementation of AI and ML for cloud, cybersecurity mesh, SASE, automation of DevSecOps and cloud native platform and tools. So with that, we're gonna wrap our show, the Security Angle today. And Joe, thanks so much for spending time with me. It's always a pleasure for our listening and viewing audience. Thank you as well. And we'll see you again next week.