Cybersecurity and Data Privacy Trends in 2020
In the coming year, data breaches stemming from cloud misconfigurations will continue to plague companies that adopt cloud without having the proper strategies and solutions in place. This trend dominated headlines month after month in 2019, and unfortunately, most companies are not mobilizing quickly enough to strengthen their cloud security programs and practices in order to see a decline in the number of cloud misconfigurations in the year to come. Identity and access management (IAM) will also emerge as an area of cloud where most organizations will quickly lose control if they fail to adopt robust technologies to stay ahead, like we saw with Capital One.
Proper integration throughout the mergers and acquisitions (M&A) process will be highlighted in 2020, as companies hope to avoid a similar fate to Marriott after it inherited an already-breached Starwood database. Finally, the enactment of the California Consumer Privacy Act (CCPA) in January will spur Congress to introduce the idea of a federally regulated data privacy law to avoid a patchwork of differing regulations from each state.
- Cloud misconfigurations will continue to cause massive data breaches. As enterprises continue to adopt cloud services across multiple cloud service providers in 2020, we will see a slew of data breaches caused by misconfigurations. Due to the pressure to go big and go fast, developers often bypass security in the name of innovation. All too often this leads to data exposure on a massive scale, such as the First American Financial Corporation's breach of over 885 million mortgage records in May. Companies believe they are faced with a lose-lose choice: either innovate in the cloud and accept the risk of suffering a data breach, or play it safe with existing on-premises infrastructure and lose out to more agile and modern competitors. In reality, companies can accelerate innovation without losing control in the cloud. They can do this by leveraging automated security tools that detect misconfigurations and alert the appropriate personnel to correct the issue, or even trigger automated remediation in real time. Automation also grants enterprises the ability to enforce policy, provide governance, impose compliance, and provide a framework for the processes everyone in the organization should follow, all on a continuous, consistent basis. Companies can innovate while maintaining security, but they must adopt the proper cloud strategies and solutions.
- New Year, New Threats. As companies continue to invest in new technology, we will see the introduction of new and advanced tactics, techniques, and procedures from malicious third parties that seek either to exfiltrate critical customer, company, and partner data or to interrupt or disable business operations. Companies often make the costly assumption that they will be safe from threats just by investing in an additional security tool for every new technology or service that they adopt. This piecemeal approach to security is both extremely expensive and immensely inefficient. In fact, because we don't know what the most pertinent threats will be a year from now, the best approach is for companies to invest in holistic security solutions that are capable of evolving and scaling with the company over time.
- IAM is the new perimeter, and it is harder than you think. Everything in the cloud has an identity, and the relationships between identities, roles, and resources are complex, so scoping to least privilege or adopting zero trust sounds great but is really difficult to do. In 2020, security professionals are going to realize that IAM is an area where they can lose control rapidly, and it is very hard to take back. Approaches and strategies from the datacenter world don't necessarily transfer, and companies need to rapidly invest in the process and in supporting tools (including automation) to stay ahead in this complex landscape. The repercussions of poor IAM governance are substantial and sometimes unpredictable. For example, a former AWS employee was able to access over 100 million Capital One customers' records by bypassing a misconfigured web application firewall and performing privilege escalation, and as a result obtained access to a swathe of customer information.
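As an added illustration, not code from the article or from DivvyCloud, the following Python script shows the two kinds of automated checks described in the bullets on cloud misconfigurations and on IAM: it flags storage resource policies that grant anonymous access, removes the unconditional anonymous grants as an automated remediation step, and flags identity policies whose wildcard actions or resources defeat least privilege. The policy documents, bucket name, account id and role name are constructed placeholders. The checks handle the common AWS-style policy shapes (fields given as a single string or a list, `Principal` given as `"*"` or `{"AWS": "*"}`) and treat an anonymous grant that carries a `Condition` block as a finding for human review rather than something to delete automatically, since the condition may already restrict who can use it.

```python
import copy
import json

# Constructed sample policy documents for illustration only; the account id,
# bucket and role names are placeholders, not real identifiers.
PUBLIC_BUCKET_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"StringEquals": {"aws:SourceVpc": "vpc-placeholder"}}},
    {"Sid": "Admin", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/example-admin"},
     "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*"}
  ]
}
""")

BROAD_ROLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "FullAdmin", "Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Sid": "AllS3", "Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    {"Sid": "ReadOneBucket", "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
    {"Sid": "DenyDelete", "Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*"}
  ]
}
""")


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _statements(policy):
    return _as_list(policy.get("Statement"))


def _is_anonymous(principal):
    """True when Principal grants access to anyone: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def find_public_statements(policy):
    """Return (Sid, severity) for Allow statements with an anonymous principal.

    A Condition block may narrow the grant (for example to one VPC), so those
    statements are reported as 'conditional' for review instead of 'public'.
    """
    findings = []
    for stmt in _statements(policy):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        severity = "conditional" if stmt.get("Condition") else "public"
        findings.append((stmt.get("Sid", "<no sid>"), severity))
    return findings


def remove_public_grants(policy):
    """Automated remediation: drop unconditional anonymous Allow statements."""
    fixed = copy.deepcopy(policy)
    fixed["Statement"] = [
        s for s in _statements(fixed)
        if not (s.get("Effect") == "Allow"
                and _is_anonymous(s.get("Principal"))
                and not s.get("Condition"))
    ]
    return fixed


def find_overbroad_statements(policy):
    """Return (Sid, reason) for Allow statements that defeat least privilege."""
    findings = []
    for stmt in _statements(policy):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no sid>")
        actions = _as_list(stmt.get("Action"))
        if "NotAction" in stmt:
            findings.append((sid, "NotAction grants everything not listed"))
        if "*" in actions:
            findings.append((sid, "Action '*' allows every API call"))
        elif any(a.endswith(":*") for a in actions):
            findings.append((sid, "service-wide wildcard action"))
        if "*" in _as_list(stmt.get("Resource")):
            findings.append((sid, "Resource '*' applies to every resource"))
    return findings


if __name__ == "__main__":
    print("public grants:", find_public_statements(PUBLIC_BUCKET_POLICY))
    print("after remediation:", find_public_statements(remove_public_grants(PUBLIC_BUCKET_POLICY)))
    print("over-broad role statements:", find_overbroad_statements(BROAD_ROLE_POLICY))
```

In a real deployment the policy documents would be pulled from the provider's API on every change event and the findings routed to an alerting channel, with `remove_public_grants` applied only to statements the checker is certain about; the 'conditional' findings are exactly the cases where a human should decide.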
- Increased caution around M&A deals. Learning from the mistakes of Marriott, companies going through M&A deals in 2020 will prioritize comprehensive evaluations of cybersecurity and risk. Before Marriott acquired Starwood in 2016, it was reported that Starwood had suffered a breach of North American customers' credit and debit card data after threat actors implanted malware on the company's point-of-sale registers. Eventually, Marriott became aware of its breach of about 383 million Starwood guests' data when a security tool flagged a database query from an unauthorized user who had admin privileges. Although Marriott later found out that the intrusion had gone undetected for four years before it acquired Starwood, it still had to pay more than $120 million to the U.K. Information Commissioner's Office for violating GDPR, and the hotel giant may still face additional penalties under other data privacy mandates, including the soon-to-be-enforced CCPA. While M&A is an important part of many companies' growth plans, organizations will become increasingly wary of suffering a similar fate to Marriott's. In 2020, organizations will place cloud security at the forefront of the M&A process by including thorough audits of how the acquisition or merger target is operating its cloud services. In a multi-cloud world, companies will need solutions that provide complete visibility across all clouds and cloud services and a way to bring the acquired environment into their own security and compliance posture via automation.
- Federal data privacy law on the horizon. With the enactment of CCPA and the introduction of additional proposals for state-regulated data privacy laws across the U.S., all roads point toward the creation of a federal data privacy law. It is highly unlikely that a federal law will be passed in 2020, but it is likely that Congress will prioritize the idea and begin discussing criteria for such a law. A patchwork of slightly differing data privacy laws in each state would discourage businesses (especially SMBs) from operating across state borders. Having to comply with multiple, varying data privacy laws is a thorn in the side of large companies, but it is devastating for SMBs, and it is a major deterrent for international corporations that already have to comply with other mandates, such as GDPR. The CEOs of Amazon, AT&T, Dell, IBM, and other companies that comprise the Business Roundtable have already sent an open letter to Congress asking for a federal data privacy law, and the Internet Association, which counts Dropbox, Facebook, Reddit, Snap, and Uber among its members, has also pushed for a federal law.
About the Author
Chris DeRamus is the chief technology officer (CTO) and co-founder of DivvyCloud, a cloud security posture management (CSPM) platform that provides real-time analysis and automated remediation across cloud and container technologies. As CTO, DeRamus leads the engineering teams while driving new innovation, and he has a passion for finding new ways to deliver security, compliance, and governance to customers running at scale in hybrid cloud environments.