Although the initial disruption of the COVID-19 pandemic has lessened for businesses, a significant outcome is the substantial acceleration of digital transformation it triggered.

A recent survey conducted by Twilio indicated that 97% of global enterprise decision-makers feel the pandemic hastened their organization’s digital transformation efforts, and furthermore, 79% of those surveyed reported an increase in digital transformation budgets due to COVID-19.

As technology increasingly drives competitive advantage, the cloud is a vital component in realizing this potential and influences areas ranging from data and analytics to the contemporary workplace. Cloud-based infrastructure offers greater flexibility, scalability, and cost-efficiency, while also empowering organizations to develop applications more quickly and meet evolving service demands.

Despite the considerable attention and enthusiasm surrounding the cloud’s capabilities, its development is still in relatively early stages. During a recent keynote at AWS re:Invent, AWS CEO Andy Jassy noted that expenditure on cloud computing currently represents only 4% of the total IT market. Additionally, a survey of CIOs by Barclays revealed that enterprises currently operate 30% of their workloads in the public cloud, anticipating an increase to 39% in 2021.

It is now apparent that the transition to the cloud presents obstacles, and larger organizations are often hesitant to proceed. Flexera’s State of the Cloud 2020 report highlighted key cloud challenges, identifying security as the primary concern. This sentiment has been consistently expressed in discussions with CISOs and security teams at Fortune 500 companies, who are cautious about moving away from their existing security operations. Some of the main issues raised include:

• Reduced control. When utilizing public cloud providers, organizations must cede authority over certain aspects of backend management. This is particularly challenging for large enterprises accustomed to customizing products, as the cloud environment cannot be fully tailored and is limited to the provider’s platform offerings.
• Absence of standardization. Each cloud provider possesses its own unique solutions and complexities. Coupled with unpredictable update schedules, this creates a lack of transparency regarding interoperability, making it difficult to consistently apply policies across different environments.
• Demand for new expertise. A shortage of qualified personnel is a leading challenge for enterprises. A recent report on cloud transformation obstacles found that 86% of IT leaders believe a talent deficit will impede cloud projects in 2020.
• Established on-premise infrastructure. While the cloud is currently popular, large enterprises have long relied on on-premise applications tailored to their specific environments. Shifting to the cloud is not merely a technical undertaking, but also a potentially contentious and philosophical shift for individuals who have built their careers around existing systems.
• Unrealistic expectations for cloud-native solutions. While it would be ideal for all companies to build and operate infrastructure like Netflix or Uber, legacy environments—including applications written in older languages and the inherent complexity of decades of operation—often lack direct cloud equivalents, particularly in security tools.

It’s evident that, despite security concerns, innovation in cloud and infrastructure will continue to advance. Simultaneously, the security sector offers a range of available tools. Numerous market analyses suggest a highly saturated security market, but in the context of cloud security, is there still potential for further development?

Initially, the cloud disrupted the workplace through the adoption of SaaS services, often implemented to circumvent restrictive organizational security controls that hindered productivity. This highlighted the growing trend of IT consumerization and the increasing delivery of back-office applications as SaaS. In response, security measures began to focus on visibility and access control solutions to address the problem of shadow IT and unauthorized access to sensitive data.

This initial response led to the creation of the cloud access security broker (CASB) category, encompassing companies such as Netskope, SkyHigh Networks, Elastica, and Cloudlock, with Netskope being the last remaining independent entity.

Infrastructure soon followed the SaaS trend, and the adoption of IaaS began to reveal weaknesses in the ability to monitor and restrict traffic within the data center, whether in the cloud, on-premise, or a hybrid environment. Data breaches at companies like Target and Anthem underscored the need for improved segmentation between internal systems, leading to the adoption of a zero trust strategy. Companies like vArmour, Illumio, CloudPassage, and Dome9 assist organizations in establishing more stringent policies regarding machine-to-machine communication.

However, successful attacks do not necessarily require sophisticated methods. According to Verizon’s 2020 Data Breach Investigation report, misconfiguration errors—such as unsecured S3 buckets—are becoming more frequent and are as common as social breaches and more prevalent than malware. A fundamental aspect of security is consistently implementing basic best practices. In response to these recurring errors, cloud security posture management (CSPM) tools from companies like Fugue, Datadog, and Palo Alto Networks emerged to help teams implement and continuously monitor for correct configurations in IaaS and PaaS.

Despite investing in controls to monitor and enforce policies, limit user and network traffic, and strengthen resources, security professionals believe these solutions are effective for prevention, but detection and response present a distinct challenge. Due to limited resources, a skills gap, and the increasing complexity of the cloud ecosystem, identifying potential threat vectors—such as account compromises and privilege escalation—has become more difficult.

This is an evolving field with new companies concentrating on providing detection and response capabilities for both SaaS (Obsidian, Altitude Networks, AppOmni, SightD) and IaaS (Capsule8, Wiz, Bridgecrew, Orca Security, Permiso). Some argue that these capabilities are simply features that can be integrated into existing security technologies or added to infrastructure and application monitoring platforms.

Regardless, cloud adoption is continually increasing, meaning its security ecosystem will require the ability to not only observe what is happening, but also to recognize what to look for and understand its implications.