Cloud transformation has become a strategic advantage for many organizations, providing convenience, cost savings, and near-permanent uptimes as compared to on-premises infrastructure. At the same time, the move to the cloud has also increased the attack surface, resulting in an uptick in criminal activity targeting cloud environments. As we roll into 2023, fears about a potential recession and a corresponding desire to cut costs are renewing the urgency to move to the public cloud.
For organizations to successfully secure cloud environments, they must understand the critical risks that can be exploited by attackers to infiltrate cloud environments. As with legitimate activity in the cloud, attackers continue to evolve their approaches, so the challenges faced in 2023 will be different than those faced in 2022 and prior. Here are my top 2023 predictions:
Multicloud environments will continue to compound security challenges
Multicloud offers numerous benefits, from avoiding vendor lock-in to reliability, agility, and cost-efficiency. The downside of multicloud is that it dramatically increases complexity, particularly regarding security. The number of services available from the top three public cloud providers (AWS, Azure, and GCP) will surpass 1,000, up from 750 today. In an effort to embrace agility and innovation, infosec teams will need to find ways to support these new services as soon as they are available. This will drive enterprises to invest in automated tools that map new services to security and compliance frameworks like NIST, CIS, and others, as those services are made available.
Securing developer environments will become the most critical component
The continuous growth and diversity of application deployments are creating an extensive attack surface for malicious actors. We have seen SolarWinds, Kaseya, and Spring4Shell experience cybersecurity incidents, and Log4j demonstrated how many organizations can be impacted by software vulnerabilities. Securing developer environments will become one of the most critical components for organizations in 2023.
DevSecOps tool sprawl will begin to consolidate
According to Gartner, of the organizations that have implemented a DevSecOps pipeline for cloud security, "these organizations have manually stitched together DevSecOps with 10 or more disparate security tools—some old and some new—each with siloed responsibility and view of application risk." Recognizing the overhead of managing so many tools, and the challenges of achieving consistent policies across cloud providers and services, InfoSec teams will increasingly standardize on broader platforms such as Cloud Native Application Protection Platforms (CNAPP) at the expense of point products such as CSPM, IaC scanners, and CWPP.
Focused approach for data protection
Monitoring and protecting sensitive data across multicloud environments is an unsolved problem for many organizations. When production workloads are moved between multiple public cloud environments, it becomes difficult to track data or access permissions. In 2023, organizations need to adopt new toolsets, new mindsets, and a greater effort to detect, classify, and enforce policies to secure sensitive data. Data protection must be at the center of every cloud security strategy to avoid increasingly high-profile, complex cyberattacks and data breaches.
Do more with less
The current economic climate is pointing toward a trend of tighter budgets in 2023. To combat this challenge, leaders will consolidate tools, processes, and expertise, taking a more collaborative approach that considers common security denominators across cross-functional teams. This effort is expected to be ROI-focused, boosting efficiency and reducing complexity. Essentially, do more with less.
Cybersecurity hiring will continue to remain a challenge
Cybersecurity hiring will continue to remain a challenge heading into 2023, leading CISOs to focus even further on improving the efficiency of their teams. One of the best ways to drive efficiency is to ensure that teams are focused on the most impactful activities at all times. Risk-based prioritization will drive efficiency improvements, allowing teams to meet their goals despite a lower-than-expected headcount.
How to stay safe in 2023
Based on our experience of investigating attacks and related incidents, security leaders need to focus on the following tactics and techniques:
- Cloud security approach and strategy: With the prevalence of large-scale cloud-native deployments, adopting a more modern, agile, and integrated cybersecurity approach is mission-critical.
- Selecting the right tooling: Shifting to robust security with the right solutions and level of expertise, over security layers and threat intelligence.
- Prioritizing visibility: Gain insight and control over the complex cloud environment covering threats, risks, and vulnerabilities in the cloud.
- Data security in focus: Secure data in large, dispersed environments with a strategic, integrated data protection and DLP approach.
- Threat intelligence, advanced correlation, and machine learning techniques: Use a combination of advanced techniques to stay ahead of bad actors and proactively reduce risk.
- Automating and maintaining continuous compliance standards.
- Team collaboration: Distribute and delegate security responsibilities with automation across the organization.
This blog is part of a series of blogs that look ahead to what 2023 will bring for key areas that organizations like yours will face. The next blog in this series covers enterprise security predictions for 2023.
This blog contains forward-looking statements that are based on our management's beliefs and assumptions and on information currently available to our management. The words "believe," "may," "will," "potentially," "estimate," "continue," "anticipate," "intend," "could," "would," "project," "plan," "expect," and similar expressions that convey uncertainty of future events or outcomes are intended to identify forward-looking statements. These forward-looking statements include, but are not limited to, statements concerning: predictions about the state of the cyber security industry in calendar year 2023 and our ability to capitalize on such market opportunities. These forward-looking statements are subject to the safe harbor provisions created by the Private Securities Litigation Reform Act of 1995. These forward-looking statements are subject to a number of risks, uncertainties and assumptions, and a significant number of factors could cause actual results to differ materially from statements made in this blog, including, but not limited to, security risks and developments unknown to Zscaler at the time of this blog and the assumptions underlying our predictions regarding the cyber security industry in calendar year 2023.
Risks and uncertainties specific to the Zscaler business are set forth in our most recent Quarterly Report on Form 10-Q filed with the Securities and Exchange Commission (“SEC”) on December 7, 2022, which is available on our website at ir.zscaler.com and on the SEC's website at www.sec.gov. Any forward-looking statements in this release are based on the limited information currently available to Zscaler as of the date hereof, which is subject to change, and Zscaler does not undertake to update any forward-looking statements made in this blog, even if new information becomes available in the future, except as required by law.