A Review of 2019 Trends
This was a particularly interesting and challenging year for security, cloud computing, and DevOps. It has been exciting to watch organizations and individuals transition to the public cloud and adopt DevOps culture and processes. Many are now reaping the benefits of these technological shifts.
Consolidation and adoption of serverless and event-driven architectures was also significant in 2020, as was the increasingly rapid release of managed services, such as Google Cloud Run, AWS EventBridge, and Azure Sentinel. Despite the number of cloud-native services that became mainstream tools, the majority of security incidents (such as data leaks) have continued to be the result of simple mistakes, like misconfigured S3 buckets.
As organizations adopt cloud-based infrastructures, serverless architecture, and managed services, understanding how to properly configure cloud services becomes a critical component of a good security strategy.
The last several months of 2019 witnessed the widespread adoption of Kubernetes and services devoted to observability and AppSec. Other notable trends were the remarkable evolution of Microsoft Azure, which positioned itself well by winning a $10 billion JEDI contract, and Google Cloud’s release of Anthos, a modernization platform that appeals to hybrid and multi-cloud customers. These moves made Microsoft and Google competitive players in the public cloud industry—a space once dominated by AWS.
Predictions for 2020
1. Observability and Intelligent AI/ML Analytics
One of this year’s hot topics was observability and all of its components, such as monitoring, tracing, analytics, and alerting. Is observability a new thing? Not really. It is an old term based on control theory, which is a mathematical concept used in engineering to describe how internal mechanics can change based on feedback. This year, a lot of very effective observability tools and services were launched including the Logz.io Cloud Observability Platform, providing users with great visibility into and instrumentation over their workloads. Because of the increase in the use of artificial intelligence and machine learning, we’ll likely see a lot of interesting UEBA (User and Entity Behaviour Analytics) features, such as prediction and recommendations on top of observability data, in the upcoming year.
2. Automated Security in the CI/CD Pipeline
Having an established and effective CI/CD (continuous integration and continuous delivery) pipeline is a requirement for any development team. Having proper application security testing at this stage—before new code is deployed—is critical. Given that there are well-established and widely used services available for both CI/CD (e.g., Jenkins, CircleCI, and GitLab) and automated security testing, we can expect that security will assume a more prominent role in 2020.
Automated CI/CD security tools, such as Snyk, Aqua, and SonarQube are becoming more user-friendly and broadening their appeal. Plus, public cloud vendors are now beginning to pay extra attention to CI/CD tooling and services, an area in which they traditionally haven’t invested much effort. As a result, we can expect 2020 to yield more news like the Microsoft acquisition of GitHub or the announcement of services such as AWS Image Scanning for Container Registry.
3. DevSecOps Practices (Such as Security Threat Model Workshops)
With DevOps tooling and practices becoming part of the standard development process, there will be an increased focus on proper configuration and best practices.
Security is an area that is still somewhat unknown to developers, but practices such as security threat modeling workshops are slowly becoming more commonplace.
With the rise of the shift-left movement in information security – an approach which makes security an integral part of the software development process rather than something that is simply taken care of later by a security audit – developers are slowly taking more and more responsibility for security. Given the current maturity of available tools and best practices, next year will be a groundbreaking one for DevSecOps.
4. Serverless and the Zero Trust Security Model
2019 was a good year for serverless and the rapid adoption of managed services. Organizations and developers are increasingly aware of the benefits of serverless technology, which include reduced operational overhead and a decrease in the amount of custom code required to develop great products and services. Having expertise in configuring and leveraging these managed services, especially with respect to Identity and Access Management, is now critical. We can expect that in 2020, the Zero Trust Security Model will become better known and more widely adopted—making this knowledge even more important.
5. Kubernetes Security and Hybrid Cloud Adoption
Kubernetes took the industry by storm this year. The project, which enables automating deployment, scaling, and management of containers, was graduated from the Cloud Native Computing Foundation. It quickly became part of our vocabulary and was adopted rapidly throughout the world.
Part of Kubernetes’ popularity is a result of its ability to run both on-premises and in public cloud using containers (e.g., Docker). Since Google Cloud, AWS, and Microsoft Azure all provide managed Kubernetes services, to some people, the term Kubernetes has become synonymous with the ideas of vendor neutrality and hybrid cloud platforms.
A dangerous security vulnerability was discovered in Kubernetes this year, once again calling attention to the importance of security, updated software, and good configuration. In addition, we saw Google Cloud and Microsoft Azure launching Anthos and Arc respectively—big moves that were made to attract customers looking for hybrid or multi-cloud solutions. In 2020, we can expect Kubernetes to become even more popular as it tackles its maintenance and operational overhead concerns with projects like KNative.
With cloud computing and DevOps tooling and culture forming today’s engineering reality, we can expect 2020 to yield interesting developments in cloud security on multiple fronts, including hybrid and multi-cloud, observability, Kubernetes, cloud-native applications, and serverless.
In the area of security, we are likely to see some of the same basic mistakes (such as misconfiguration of object storage) result in data breaches. The tooling to prevent those mistakes already exists in the form of managed services being released by cloud providers. However, since those security functionalities and services are generally not enabled by default, it is extremely important that engineers keep up with the new developments and possibilities—which we can expect to see more of in the next year.
Making a mindset change, such as the one brought about by adopting DevSecOps or committing to security threat modeling workshops, is a lot more important than learning and adopting a new tool. Having good day-to-day practices, like using the least privilege principle or designing your application architecture using a zero-trust approach, fosters a proactive attitude towards cloud security.
Judging by these last few months of 2019, 2020 should be full of interesting developments in cloud security. We’ll be sure to keep you posted on them as they arise!