Last year (2022) was an unprecedented one for cybersecurity, in both good and bad ways. On the positive side, we saw increased use of passwordless and multifactor authentication (MFA) and of zero-trust methods; on the negative side, the cost of data breaches reached an all-time high, cybercrime became commoditized (ransomware-as-a-service), and Twitter, WhatsApp, Rockstar and Uber suffered massive breaches.
What might we see in 2023? VentureBeat posed this question to several AWS security leaders. Here are their top cybersecurity predictions for 2023.
MFA will become pervasive
“MFA [multifactor authentication] adoption will continue to grow for both business and personal use, including increased use of biometric forms of authentication that improve security and convenience (that is, unlocking devices with a fingerprint or face identification).
“By moving in this direction, the future of MFA will combine robust security with usability, ensuring that users have a frictionless experience while improving their security posture. As one of the simplest and most important protections, MFA is being encouraged as a baseline online protection by the FIDO Alliance, NIST and the U.S. government, which recently issued a statement urging all companies to adopt it.
“The increased prioritization that governments and prominent security organizations have placed on security over the past few years means MFA will need to be used even more to meet increasingly stringent demands and expectations for security.
“Organizations should monitor anticipated advancements in MFA over the next several years to see how they can improve an existing capability or build new MFA capabilities into their organization’s culture and processes.”
– CJ Moses, CISO for AWS security
Increasingly inclusive workforce will address talent gap
“The need to address the continuing security talent workforce shortage will be a top priority for many organizations. In 2023, organizations will increasingly realize that attracting the best talent from diverse backgrounds will not only help fill critical open positions, it will help organizations improve their overall security posture.
“People build, create, think and deliver in different ways, and this is a major benefit when it comes to solving evolving security needs. With a more diverse mindset, different points of view come into play that enable security teams to have new and unique outlooks on both the digital and physical landscapes they must keep secure.
“New ways of thinking can be transformative to cybersecurity teams because it reduces years of bias and groupthink and helps lift limitations on beliefs. Diverse backgrounds and teams also help identify how to support key business initiatives and goals. Security is no longer the ‘department of no,’ it is the ‘department of “how can I help?”’ — and with a diverse team structure, this type of organizational mindset is enabled.”
– Jenny Brinkley, director of Amazon security
Collaboration will improve preparedness and incident response
“The security industry and the digital environment it supports is benefiting from collaborations seen in 2022, and this trend will continue. The ‘better together’ model will gather momentum in 2023 and beyond.
“For example, as the recently established Open Cybersecurity Schema Framework gains new members, collective defenses will be improved, enabling security teams to correlate more data sources more easily, do their jobs with less time spent on data munging and use enhanced data to proactively improve security postures.
“More companies will see value in contributing to engineering efforts and projects, tools, training and guidelines to help standardize security tools and data formats across the industry, including significant contributions from members of the Open Source Security Foundation (OpenSSF).”
– Mark Ryland, director in the office of the CISO, AWS security
Training best practices will inspire action and improve security
“Training and education are key to implementing good security measures. Even with the most robust and modern tools, security is effective only when people know what to do and how to do it. Anyone who touches data or builds tools and systems to store data must be vested in protecting that data.
“Most employees don’t work in security, nor do they have ‘security’ in their titles, potentially leading them to believe it’s someone else’s issue to ‘fix.’ Organizations of all shapes and sizes must inspire employees to care about security and empower them to take meaningful actions to ensure secure outcomes. Security training needs to include a full-picture mindset that helps everyone embrace security as a business issue at all levels of a company.
“As we continually look for ways to engage employees and improve security outcomes, new best practices include developing individualized, multimodal learning plans that contain a mix of presentations, discussions and hands-on labs that creatively appeal to all learning styles. Helping employees clearly understand the ‘why’ behind security best practices is imperative. This can be accomplished through sharing real-world examples, lessons learned and case studies that illustrate why security must come first in everything they do.
“For both tech and non-tech employees, understanding how personal behavior affects security, both positively and negatively, builds the sense of shared responsibility that results in better security hygiene and prioritizes security as a feature — not an afterthought. Multimodal security training is complemented by an ongoing awareness model that cultivates a security culture in a daily effort to inform and engage employees, while augmenting their work.”
– Jyllian Clarke, global head of security training, Amazon security
Embedded security will become more tangible with IaC
“Security remains top of mind, and entities will increasingly move to cloud because they want to ‘shift left’ to embed security early in the product development lifecycle to attain better, more scalable approaches to software development. Now that cloud providers have removed the undifferentiated heavy lifting of building and maintaining data centers and invested in developing secure hardware, the power and flexibility of the cloud allows for entities to spin up and down immutable and ephemeral environments.
“This is a clear business enabler: It allows developers to move fast and build security in. It means that with a few keystrokes, Fortune 100s and small startups alike now have the ability to do infrastructure-as-code (IaC), leveraging templatization [and] including security controls, permissioning and guardrailing — in other words, now they can also do security as code. And, they can validate or reason about those permissions, using math-like formal methods.
“These environments with embedded security considerations are the ‘paved roads’ that security teams help define and refine, allowing developers to spin up (and dissolve) environments quickly. The outcome is more automation, less manual review of ‘snowflake’ one-off environments, better builder experiences and security at scale. As cloud adoption increases, ‘cloud’ and ‘security’ will be even more intertwined, as cloud empowers builders to bake security considerations into their code and architecture decisions.
“I look forward to this as one example of embedding security primacy into all teams: Making the secure thing to do, the easy thing to do.”
– Merritt Baer, principal in the office of the CISO, AWS security
Orgs will increase investment and focus on business resiliency
“As digital transformation and cloud adoption programs take hold across all industries, security and operational resiliency will receive increased scrutiny from stakeholders, shareholders, the board of directors, insurers and others. Testing business continuity plans and procedures once or twice a year by the IT department will no longer be sufficient.
“Resilient, highly available technical architectures and supporting business processes must be developed and inspected for what could go wrong in a worst-case scenario. Budgets will include ‘ongoing maintenance and improvement’ line items that will ensure that systems are not only highly performant, but secure and resilient until they are retired. With the power of automation and the scale of cloud technologies, it will no longer be just a dream to rebuild and re-hydrate secure, resilient environments without human intervention.
“Business leaders will become more digitally fluent, and will make investments that truly change the way they do business (innovation, organizational structures, business processes, up/re-skilling) and how they prepare for events that challenge their organization’s resiliency. The C-suite and the board will regularly participate in tabletop/game-day exercises, answering the ‘what if?’ question.
“‘What if’:
- We experience a cyber event (to us or one of our suppliers/partners)?
- A business-critical system is unavailable?
- We are negatively impacted by an economic downturn, global health emergency, weather-related turmoil or war?
- Some other event occurs?
“With practice, leaders will become more comfortable being uncomfortable and come to terms with the fact that there is no ‘normal’ in business anymore. However, by continuing to learn and transform themselves (there is no ‘end’ to a digital transformation), businesses will become more secure and resilient in 2023.”
– Clarke Rodgers, director of AWS enterprise strategy
“Accelerated digital transformation, remote working, more connected devices, new technology, and demand for mobility and access create ever-growing environments for security teams to guard and protect. More and more security signals from across entire organizations will generate growing volumes of disparate log and event data that must be collected, investigated and responded to quickly to effectively address potential issues.
“In the months and years ahead, increasing deployment of purpose-built tools such as security data lakes will enable security teams to automatically centralize, easily access and more efficiently analyze all security data from cloud and on-premises sources. This greater visibility means more potential threats and vulnerabilities can be proactively identified to help prevent future security events.”
– Rod Wallace, general manager of Amazon security lake
Cloud security will increase with automated reasoning
“Automated reasoning allows us to accurately answer many proactive security questions in seconds — or even milliseconds — which would otherwise take billions of years with brute-force testing. For the foreseeable future, it’s predicted that automated reasoning tools will double in capacity and performance each year. This prediction is based on three observations:
- Practically all automated reasoning tools are based on the translation of problems to satisfiability solvers for mathematical logic. When comparing the past two decades of satisfiability solvers apples-to-apples on the same benchmarks and hardware (thus, allowing us to factor out Moore’s law), we see that they’ve already been increasing in capacity and performance by 20% annually.
- Moore’s law continues to provide us with additional, annually increasing computational power for problems that can be parallelized and distributed.
- Recent scientific results give us a new breakthrough method of distributing the work of satisfiability solving across microprocessors that provides speedups near the theoretical limit from Amdahl’s law.
“When these three points are put together, calculations point to the possibility of annual capacity and performance doubling. This growing capability will unlock new and revolutionary cloud security tools that are unimaginable today.”
– Byron Cook, VP and distinguished scientist for automated reasoning at AWS
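The two ideas above, validating infrastructure-as-code permissions with formal methods (Merritt Baer) and answering security questions by translation to satisfiability (Byron Cook), meet in the following added example. It is not AWS code and not the algorithm behind any AWS service. It assumes a deliberately simplified policy model with hypothetical attribute names: a request is a set of boolean attributes, an Allow or Deny statement is a conjunction of literals, and a policy grants a request when some Allow matches and no Deny matches. A minimal DPLL solver plus a Tseitin encoding decides the question “is there a request the policy grants that the guardrail would not?” and returns a concrete counterexample, or proves there is none, without enumerating requests.

```python
# Added example (not AWS code): "is there a request this IaC policy grants
# that the guardrail would not?" decided with a tiny SAT solver.
# Simplified model (an assumption): a request is a set of boolean attributes;
# a statement is a conjunction of literals "x" / "!x"; a policy grants a request
# iff some Allow statement matches and no Deny statement matches (Deny wins).

def simplify(clauses, lit):
    """Assume `lit` true: drop satisfied clauses, strip -lit; None on conflict."""
    out = []
    for c in clauses:
        if lit in c:
            continue
        rest = [x for x in c if x != -lit]
        if not rest:
            return None
        out.append(rest)
    return out

def dpll(clauses, assignment=None):
    """Return a satisfying {var: bool} or None. Literals are +/- ints >= 1."""
    assignment = dict(assignment or {})
    clauses = [list(c) for c in clauses]
    if any(not c for c in clauses):
        return None
    while True:  # unit propagation
        unit = next((c for c in clauses if len(c) == 1), None)
        if unit is None:
            break
        assignment[abs(unit[0])] = unit[0] > 0
        clauses = simplify(clauses, unit[0])
        if clauses is None:
            return None
    if not clauses:
        return assignment
    lit = clauses[0][0]  # branch on a literal, then on its negation
    for choice in (lit, -lit):
        rest = simplify(clauses, choice)
        if rest is not None:
            model = dpll(rest, {**assignment, abs(choice): choice > 0})
            if model is not None:
                return model
    return None

class Encoder:
    """Maps attribute names to SAT variables; Tseitin-encodes statements."""
    def __init__(self):
        self.vars, self.clauses, self.count = {}, [], 0

    def var(self, name):
        if name not in self.vars:
            self.count += 1
            self.vars[name] = self.count
        return self.vars[name]

    def literal(self, atom):
        return -self.var(atom[1:]) if atom.startswith("!") else self.var(atom)

    def statement(self, stmt):
        """Fresh variable t with t <-> AND(literals), i.e. t == 'stmt matches'."""
        self.count += 1
        t, lits = self.count, [self.literal(a) for a in stmt]
        self.clauses += [[-t, l] for l in lits]        # t -> each literal
        self.clauses.append([t] + [-l for l in lits])   # all literals -> t
        return t

def find_escalation(policy, guardrail):
    """A request that `policy` grants but `guardrail` does not, or None (proof)."""
    enc = Encoder()
    p_allow = [enc.statement(s) for s in policy.get("allow", [])]
    p_deny = [enc.statement(s) for s in policy.get("deny", [])]
    g_allow = [enc.statement(s) for s in guardrail.get("allow", [])]
    g_deny = [enc.statement(s) for s in guardrail.get("deny", [])]
    enc.clauses.append(p_allow)                 # some policy Allow matches ...
    enc.clauses += [[-d] for d in p_deny]       # ... and no policy Deny matches
    # NOT(guardrail grants): each guardrail Allow fails, or some guardrail Deny matches
    enc.clauses += [[-u] + g_deny for u in g_allow]
    model = dpll(enc.clauses)
    if model is None:
        return None
    return {name: model.get(v, False) for name, v in enc.vars.items()}

def grants(policy, request):
    """Reference evaluator, used only to confirm a solver counterexample."""
    def matches(stmt):
        return all(not request.get(a[1:], False) if a.startswith("!")
                   else request.get(a, False) for a in stmt)
    if any(matches(s) for s in policy.get("deny", [])):
        return False
    return any(matches(s) for s in policy.get("allow", []))

# Constructed sample policies with hypothetical attribute names.
GUARDRAIL = {  # reads anywhere; writes need MFA; never write prod from off-network
    "allow": [["!action_is_write"], ["action_is_write", "caller_has_mfa"]],
    "deny": [["resource_is_prod", "action_is_write", "!from_corp_network"]],
}
POLICY = {  # a team's IaC template: reads, plus any write with MFA
    "allow": [["!action_is_write"], ["action_is_write", "caller_has_mfa"]],
    "deny": [],
}
POLICY_FIXED = {**POLICY, "deny": [GUARDRAIL["deny"][0]]}

if __name__ == "__main__":
    print("escalation:", find_escalation(POLICY, GUARDRAIL))
    print("after fix:", find_escalation(POLICY_FIXED, GUARDRAIL))
```

For `POLICY` the solver returns the one kind of request the guardrail forbids (a write to prod with MFA from outside the corp network); after the guardrail's Deny statement is added to the template the query becomes unsatisfiable, which is the proof that the template stays within the guardrail. The `grants` evaluator exists only to confirm a returned counterexample. Real tools replace this four-attribute model with the full condition language of the policy format, which is exactly why solver capacity matters.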
Security teams will get more serious about quantum-resistant cryptography
“In 2023, organizations will begin to double down on crypto-agility. The expected first-draft specification from the National Institute of Standards and Technology (NIST) Post-Quantum Cryptography (PQC) Standardization process and the Quantum Computing Cybersecurity Preparedness Act will drive IT leaders to begin transitioning from classical crypto-systems to new post-quantum algorithms.
“We will also see industry and government develop migration strategies for known use cases of cryptography. For example, with the emergence of hybrid key establishment, classical key establishment methods like elliptic curve Diffie-Hellman will be combined with a new post-quantum key encapsulation mechanism such as Kyber in the first iteration of post-quantum standards to provide long-term confidentiality against potential future quantum adversaries.”
– Matthew Campagna, senior principal engineer for AWS cryptography
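The hybrid key establishment Campagna describes comes down to one combining step, shown here as an added example that is not AWS code. The ECDH and Kyber shared secrets are not computed (neither primitive is in the Python standard library); they are constructed stand-in byte strings, and the transcript is a constructed placeholder. What the example shows is the concatenation combiner: both shared secrets go into HKDF (RFC 5869) with the exchanged public values as context, so the derived session key depends on both components and stays secret as long as either one is unbroken.

```python
# Added example (not AWS code): the combining step of a hybrid key exchange.
# Assumption: the ECDH and Kyber shared secrets below are constructed stand-ins
# (neither primitive is in the standard library); in a real handshake they come
# from an X25519/ECDH computation and a Kyber decapsulation. Only the combiner
# is real code here.
import hashlib
import hmac

def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869): PRK = HMAC-SHA256(salt, IKM)."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()

def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869): T(i) = HMAC-SHA256(PRK, T(i-1) || info || i)."""
    okm, block, i = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([i]), hashlib.sha256).digest()
        okm += block
        i += 1
    return okm[:length]

def hybrid_session_key(ss_classical: bytes, ss_pq: bytes, transcript: bytes,
                       length: int = 32) -> bytes:
    """Concatenation combiner: HKDF(ss_classical || ss_pq), with the handshake
    transcript as context so the key also depends on the public values sent."""
    prk = hkdf_extract(b"hybrid-ecdh-kyber", ss_classical + ss_pq)
    return hkdf_expand(prk, b"session key|" + transcript, length)

# Constructed stand-ins for one handshake (not real ECDH/Kyber output).
SS_ECDH = bytes(range(32))                                   # X25519(alice_priv, bob_pub)
SS_KYBER = hashlib.sha256(b"kyber shared secret").digest()   # Kyber.Decaps(bob_sk, ct)
TRANSCRIPT = b"alice_x25519_pub|alice_kyber_pk|bob_x25519_pub|kyber_ciphertext"

def honest_key() -> bytes:
    """Both parties hold both shared secrets and the same transcript."""
    return hybrid_session_key(SS_ECDH, SS_KYBER, TRANSCRIPT)

def ecdh_breaker_key() -> bytes:
    """A quantum adversary who recovers SS_ECDH but not SS_KYBER must still
    guess the Kyber secret; a wrong guess (all zeros here) yields a different key."""
    return hybrid_session_key(SS_ECDH, bytes(32), TRANSCRIPT)

if __name__ == "__main__":
    print("session key:", honest_key().hex())
    print("adversary matches:", ecdh_breaker_key() == honest_key())
```

The same construction protects against the opposite failure: if the new KEM turns out to be weak, an adversary who learns only the Kyber secret is still missing the ECDH contribution, which is the point of running both during the transition.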