Security leaders can evaluate the emerging technologies on this Hype Cycle to help their organizations make secure use of the public cloud.
Cloud computing has proven battle-ready. During COVID-19, the cloud demonstrated it can support unplanned and unexpected needs. Organizations may no longer question its utility, but security remains a commonly cited reason for avoiding it.
In reality, the public cloud can be made secure enough for most uses.
“Even for the most reluctant organizations, there are now techniques such as confidential computing that can address lingering concerns,” says Steve Riley, Senior Director Analyst, Gartner. “You can stop worrying about whether you can trust your cloud provider.”
For example, a retailer and a bank could cross-check customer transaction data for potential fraud without giving the other party access to the original data.
While confidential computing is highly useful in theory, it isn’t plug-and-play. Gartner anticipates a five- to 10-year wait before it is in regular use.
Here are three technologies from the Gartner Hype Cycle for Cloud Security, 2020, to action right now.
Secure access service edge
Secure access service edge (SASE), pronounced “sassy,” supports secure branch office and remote worker access. SASE’s cloud-delivered set of services, including zero-trust network access and software-defined WAN, is driving rapid adoption.
Gartner predicts that by 2024, at least 40% of enterprises will have explicit strategies to adopt SASE, up from less than 1% at the end of 2018.
“Watch out for slideware, especially from incumbent vendors”
COVID-19 has highlighted the need for business continuity plans that include flexible, anywhere, anytime, secure remote access at scale, even from untrusted devices. SASE enables security teams to deliver secure networking and security services in a consistent way, to support digital business transformation and workforce mobility.
SASE is in the early stages of market development but is being actively marketed by the vendor community, with more than a dozen SASE announcements over the past 12 months.
User advice: “Watch out for slideware, especially from incumbent vendors that are ill-prepared for cloud-based delivery as a service model,” says Riley. “This is a case in which software architecture and implementation matters. True SASE services are cloud-native.”
Cloud security posture management
It is becoming increasingly complex and time-consuming to answer the critical question “are my public cloud applications and services configured securely?” Even simple misconfiguration issues represent a significant risk, as evidenced by several public data disclosures last year.
For enterprises that have a multicloud strategy, cloud security posture management (CSPM) assures business and security leaders that their cloud services are implemented in a secure and compliant way across multiple cloud infrastructure as a service (IaaS) providers.
User advice: “First, investigate your cloud provider’s own risk posture assessment capabilities to see if they will satisfy the requirement, even if they fall short of commercial offerings,” Riley says. “Also check if any products you already have include CSPM capabilities.”
Cloud access security brokers
Unlike traditional security products, cloud access security brokers (CASBs) are designed to protect data that’s stored in someone else’s systems. They enable organizations to achieve consistent security policies and governance across many cloud services and demonstrate that cloud use is well-governed.
“We recommend seeking one-year contract terms over lengthier ones”.
The pace of Gartner client inquiry indicates that CASBs are a popular choice for cloud-using organizations. Although Gartner’s latest spending forecast shows slowing growth for all security markets, CASBs’ expected growth remains higher than any other information security market at 33% in 2020. This high-benefit technology has entered the mainstream and the number of vendors has stabilized.
User advice: “Differentiation among vendors is becoming difficult, and several have branched beyond SaaS governance and protection to include other features such as CSPM and user and entity behavior analysis (UEBA). Given continued feature expansion and relative ease of switching, we recommend seeking one-year contract terms over lengthier ones,” says Riley.
