Cloud security: A two-decade journey stepping into the AI era

As cloud computing emerged in the early 2000s, it became clear that securing these digital landscapes would be crucial. This realization marked the beginning of my journey in cloud security.

Today, as we stand on the brink of an AI-driven future, let's reflect on the evolution of cloud security and lessons learned.  

Phase 1: Cloud enablement (~2006-2017)

The initial phase was characterized by a focus on enabling secure cloud adoption. We started developing and adopting products to protect Cloud workloads, first VMs and then containers; these products are now collectively known as Cloud Workload Protection Platforms (CWPPs). The Cloud Controls Matrix emerged as a framework for assessing cloud configurations, guiding organizations in establishing robust security practices.

The first wave of Cloud security services focused on helping organizations securely configure cloud services, define controls, and build early guardrails integrated with landing zones. Our lessons learned included the need to invest in protecting the entire lifecycle of containers and services.

Phase 2: Integration and regulation (~2017-2023)

As organizations continued to grow their Cloud footprints, the integration of Cloud with existing teams and processes became necessary. Organizations started establishing Cloud Centers of Excellence (COEs) and building integrative cross-domain teams. They started adopting Cloud Security Posture Management products (CSPMs) to monitor and manage Cloud security configurations.

Cloud security services included CSPM configurations and operations, as well as security COE structure and processes. They commonly included the establishment of Cloud security frameworks and policies, as well as their use for Cloud assessments.

Since Cloud applications natively consume Cloud services via APIs, it is obvious that Application and Cloud security are tightly connected. As a result, organizations and service providers started merging their Cloud and AppSec teams, and CSPMs have evolved into CNAPPs to provide more holistic detection of threats to Cloud apps.

The awareness of data and identity-related threats has grown, and CIEM and DSPM solutions continued to grow in popularity and adoption. Cloud security services helped to integrate IAM and data protection into cloud management from the people, processes, and tools standpoint.

As regulatory exams assessing Cloud management became more thorough, it became even more critical to clearly define the interpretation and meaning of previously established controls in the new cloud environment. Cloud security services helped to clarify the different meanings of controls for on-premises vs. Cloud environments. It was exciting to see audit teams training their team members on Cloud to understand the correct interpretation of frameworks and controls for Cloud.

Phase 3: Cloud in the AI era (2023 and beyond)

With the availability of powerful GenAI solutions, we are now stepping into a new phase where Cloud and AI are tightly interconnected and are changing the way businesses operate.

Since many consume AI over the Cloud, cloud security is the first step in AI enablement. Since both AI and Cloud are breaking down traditional organizational silos, AI and Cloud COEs have similar missions and structures. In fact, everything we have learned in Cloud phases 1-2 above is helpful to enable and accelerate AI.

With these lessons learned, we are now stepping into a new phase where AI is also changing the Cloud. We are seeing extremely promising results where GenAI can manage the Cloud's security posture and replace the manual work of phases 1-2. It is exciting to see the promising results of GenAI in its ability to define the configuration requirements for Cloud services, mapping them to compliance frameworks and controls.

I am excited about the journey ahead where we are getting closer to our dream of Clouds that are self-managed, self-healing, and can self-attest to their compliance with frameworks and controls.

Author:

Alex Shulman-Peleg, Ph.D.

US Cloud Cyber Security Leader, Ernst & Young LLP

Alex.Shulman@ey.com
