In Part 1 of this two-part series, we put a magnifying glass on some of the top cloud security trends and lessons learned in 2016. In Part 2, we’re going to look at where we believe cloud security is headed over the next year.

This two-part series is adapted from a recent webinar we hosted with Threat Stack’s Director of Products, Vikram Varakantam, and OneLogin’s CISO, Alvaro Hoyos. In it, we discussed Gartner’s 2017 cloud security report and shared our own perspective on where the market is heading.

(Note: GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally, and is used herein with permission. All rights reserved.)

You can listen to the full webinar recording above. Below, read what Vikram and Alvaro have to say about the future of cloud security in 2017, based on Gartner’s latest report.

Prediction 1: Balancing the Shared Responsibility Model

Attacks against cloud deployments succeed because customers, not providers, fail to fully address their portions of the shared responsibility model – Gartner Predicts 2017: Cloud Security Report

You may be familiar with the cloud shared responsibility model. Amazon does a great job of explaining it, and we have discussed it many times. Infrastructure as a service (IaaS) providers like AWS, Google Cloud Platform, and Microsoft Azure are always putting money into security to provide the safest infrastructure for businesses to operate on. However, this doesn’t mean that companies can ignore their part in security. In fact, security breaches usually happen — not because a cloud provider lacks security — but because organizations don’t protect their data and applications within public cloud infrastructure.

In 2017, we predict that companies will become smarter about security by taking the time to understand what they’re ultimately responsible for and implementing the necessary controls, tools, and processes. For tips on where to start, check out these posts.

Prediction 2: Retooling and Paradigm Shifts

Treat the cloud as an opportunity to apply fresh thinking and to adopt new methods for defending information from attack. – Gartner Predicts 2017: Cloud Security Report

In 2017, we expect that many businesses will go through a significant change. Transitioning to the cloud provides a chance for a new way to think about security. We urge companies to evaluate their risk levels, clarify their main goals, and start using new ideas to improve cloud security this year. Think of it as a chance to hit the “reset” button.

The areas where we recommend that companies retool their approach include:

  • Tighter feedback loops (via workflows and automation)
  • Centralized access (via API-enabled solutions, automation, and orchestration)
  • Compliance adherence (via better tooling and reporting)
  • Cloud governance (via better oversight for tools, users, and infrastructure)

Note: We cover each of these areas in depth in the webinar recording.

The beauty of the cloud is that you have plenty of options for building the right cloud security posture for your organization. Our Cloud Security Playbook is a great place to learn more about the options that are available to you.

Prediction 3: Favoring Out-of-the-Box Security Tools

The best security solutions will be those that integrate natively into the IaaS environment. – Gartner Predicts 2017: Cloud Security Report

Moving to the cloud is in itself a significant undertaking, so layering on security shouldn’t add extra work. The best security tools can integrate natively into the cloud infrastructure you’re already using, whether it be AWS, Google Cloud Platform, Azure, or even a hybrid mix of public cloud and on-premises infrastructure.

Case in point: Alvaro chose to use Threat Stack for OneLogin because Threat Stack could immediately deploy across their entire AWS infrastructure without any extra customization required on his end. Not only that, but Threat Stack also works effectively with workflow apps including Puppet and Chef, communication channels such as Slack, and alerting tools such as PagerDuty. Out-of-the-box solutions like this make the process of integrating security as easy as possible.

Since speed and efficiency are the name of the game in 2017, we predict that companies will start looking for vendors who can fit neatly into their existing cloud environments.

Prediction 4: Governance in the Cloud

Develop a plan for the effective utilization and governance of SaaS. – Gartner Predicts 2017: Cloud Security Report

Alvaro and Vikram agreed that governance will be the big buzzword of RSA 2017. That’s because, in the cloud, just about anyone can sign up for a new SaaS tool or spin up a new server, but where does oversight come in, if at all?

Governance in the cloud sets standards for how to use cloud services. It enables the development of policies on, for example, how to integrate new services or spin up new servers to ensure that they’re set up securely and that they have the right level of monitoring and user access controls going forward.

We believe that, in 2017, more and more companies will begin implementing controls and processes to ensure cloud governance. The key, however, will be to do so in a way that doesn’t hinder progress and innovation — and that can be done through automation.

Prediction 5: Bringing Ops and Security Closer Together

Utilize the cloud IaaS provider’s native security capabilities in conjunction with secure DevOps practices and tools, to automate security controls throughout the application life cycle. – Gartner Predicts 2017: Cloud Security Report

Just as we predict that governance will play a stronger role in the operations of many companies, we believe that the integration of security into DevOps practices will continue as a strong trend in 2017.

Many cloud processes, such as the managing of security groups, lend themselves to an automation model whereby they can be integrated into the greater DevOps pipeline. This is great for security. Companies will always face constraints around security, so bringing it into DevOps helps to make it a team-wide effort and not a separate (often forgotten) discipline.

Companies can begin bringing security into DevOps by developing processes that outline how to handle security-related tasks like:

  • How to provision a new server or user
  • What to do when a vulnerability is detected at 2 a.m.
  • How to approach a new exposure on Linux when it arises

Encoding these processes can help ensure that security is carried out uniformly so it can scale as a company grows and become embedded in the company culture.

Taking on Cloud Security in 2017

Security has come a long way in just the past few years. While there is still much more to be done, we’re at an inflection point where companies are asking “how should we do it” instead of “why should we do it”, and they’re looking for best practices like the ones outlined above to secure the cloud.

We encourage all companies to consider each of the five areas covered in this post as well as the best practices laid out in Part 1 of this series.
