
Seasons Greetings 2021 and Cloud Security 2022

Here's to good security as we roll on into 2022... 

First, I would like to wish you and yours happy holidays in the 2021 holiday season and, above all, a healthy 2022. After getting my booster shot (Moderna) just 2 days ago and fully recovering from some mild fatigue, I got to thinking about the year just past. In 2021, COVID has dominated our lives in a way that we have not seen since the Spanish Flu from 1918 to 1922, which pushed out to 1925 before a new normalcy was found in the world. This time around, the cloud industry has responded to this major event, with many providers chipping in by developing COVID-related applications for public use (free of charge) for governments where they have a major presence. Other aspects of 2021 in the industry include an acceleration of AI-related development by Microsoft in its Azure platform and a host of announcements at the AWS re:Invent conference covering all product areas, from databases to data analysis and more. On the 21st of this month, Oracle Cloud announced a new OCI DevOps platform for CI/CD, adding value to the options for companies operating in the cloud or going to the cloud.

My own view is that 2021 has seen another explosion of cloud products from all major vendors that are just great! However, with such progress comes the dark side of the technology industry in the form of organized and highly skilled cybercriminals. Companies have lost an appalling amount of value to cybercrime as COVID has pushed society and business into the digital sphere. It's not hard to see the opportunities that cybercriminals are seeing in the progress cloud providers have made during 2021, with new products adding to their amazing offerings for customers. I think 2022 will be a year of security focus for cloud providers, but more importantly for SaaS companies. For some, the pace of innovation in the cloud poses a threat as much as an opportunity in the midst of what could be a cybercrime wave not seen in the years prior to the COVID pandemic, making quick learning a requirement, not a luxury.

The lessons learned and to be learned by cybercriminals and responding security teams alike will hold true as a chapter on the evolution of technology over the longer term. Some key points around security I see being played out in 2022 are as follows:

- Configuration management. Misconfigured applications and their infrastructure will become a target as cloud providers continue to up their game in the lower levels of cloud infrastructure. For cybercriminals, the low-hanging fruit will include exploits due to misconfiguration at higher levels around applications. Deployments should have process-driven, hardened configuration checks that ensure configuration errors don't make it easier for cybercriminals to get in. CI/CD can help here if the testing 'security checks' the deployment config, which is not easy to partly automate. Combining static tools in a CI/CD pipeline along with diffs on configuration changes is a good place to start.

- APIs. By all accounts, HTML traffic is less than 20% of traffic across the internet in 2021, leaving a massive 80%+ balance in API traffic. This is partly due to the rise of IoT devices, and that machine-to-machine communication gives cybercriminals a huge amount of motive to target APIs. Yesteryear made it OK to grab it all (i.e. the data record payload) in an API call and send it across the internet, but not anymore. 2022 requires careful thought, time and attention to be put into data payloads on APIs, API design, development and application use thereof. Revisiting standing API design in security reviews is good advice for any company that relies on APIs to run its business.

- Social engineering. The basics of good security practices were formed around experience from having to respond to cybercriminals. The social engineering aspect needs to be consistently championed by companies who may have to go through some substantial business, management and cultural changes to become effective at good security practice. The prize lies in a successful digital business and the losses are correspondingly as large. Ensuring security education is a regular feature for all employees in all companies with a digital presence is truly a requirement for the ages.
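
For the configuration-management point above, one way to combine a static hardening check with a diff of configuration changes in a pipeline step. This is an added example, not code from the original post; the baseline settings, key names and sample configs are constructed for illustration.

```python
MISSING = "<unset>"

# Constructed baseline: dotted setting -> values accepted as hardened (assumption).
BASELINE = {
    "storage.public_access": (False,),
    "tls.min_version": ("1.2", "1.3"),
    "admin.mfa_required": (True,),
    "debug.enabled": (False,),
}

def flatten(cfg, prefix=""):
    """Flatten nested dicts to dotted keys so each setting is compared on its own."""
    flat = {}
    for key, value in cfg.items():
        path = prefix + str(key)
        if isinstance(value, dict):
            flat.update(flatten(value, path + "."))
        else:
            flat[path] = value
    return flat

def baseline_violations(cfg, baseline=BASELINE):
    """Static check: a hardened setting that is absent counts as a violation."""
    flat = flatten(cfg)
    return {k: flat.get(k, MISSING) for k, allowed in baseline.items()
            if flat.get(k, MISSING) not in allowed}

def changed_settings(old_cfg, new_cfg):
    """Diff: every setting whose value was added, removed or altered."""
    old, new = flatten(old_cfg), flatten(new_cfg)
    return {k: (old.get(k, MISSING), new.get(k, MISSING))
            for k in sorted(set(old) | set(new))
            if old.get(k, MISSING) != new.get(k, MISSING)}

def gate(old_cfg, new_cfg):
    """Block on baseline violations; route every other change to human review."""
    block = baseline_violations(new_cfg)
    review = {k: v for k, v in changed_settings(old_cfg, new_cfg).items() if k not in block}
    return {"passed": not block, "block": block, "review": review}

# Constructed sample configs: the currently deployed one and a proposed change.
OLD = {"storage": {"public_access": False}, "tls": {"min_version": "1.2"},
       "admin": {"mfa_required": True}, "debug": {"enabled": False}, "replicas": 2}
NEW = {"storage": {"public_access": True}, "tls": {"min_version": "1.3"},
       "admin": {}, "debug": {"enabled": False}, "replicas": 4}

if __name__ == "__main__":
    print(gate(OLD, NEW))
    raise SystemExit(0 if gate(OLD, NEW)["passed"] else 1)  # non-zero fails the step
```

The removed `admin.mfa_required` key is blocked even though no insecure value was written: a deleted hardened setting falls back to whatever the platform default is, which a value-only diff would show as a harmless deletion.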

Well, Christmas Eve is certainly welcome and less strange than it was last year, given we are becoming pandemic savvy. As my dearly departed mother once said to me, "Draw from your past, don't let your past draw from you!", which is why all companies need to revisit their digital security posture in 2022 and not rely on the past to keep them safe.

Stay tuned for more on Writing in this blog along with articles on other areas of interest in the Infrastructure and DevOps arenas. To not miss out on any updates on my availability, tips on related areas or anything of interest to all, sign up for one of my newsletters in the footer of any page on Maolte. I look forward to us becoming pen pals!

Best Regards

John
