<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
     xmlns:content="http://purl.org/rss/1.0/modules/content/"
     xmlns:dc="https://purl.org/dc/elements/1.1/"
     xmlns:dcterms="http://purl.org/dc/terms/"
     xmlns:media="http://search.yahoo.com/mrss/"
     xmlns:atom="http://www.w3.org/2005/Atom"
>
    <channel>
                    <atom:link rel="alternate" hreflang="en-GB"
                       href="https://www.itpro.com/uk/feeds/tag/cloud-security"
                       type="application/rss+xml"/>
                            <title><![CDATA[ Latest from ITPro UK in Cloud-security ]]></title>
                <link>https://www.itpro.com/uk/cloud/cloud-security</link>
        <description><![CDATA[ All the latest cloud-security content from the ITPro  UK team ]]></description>
                                    <lastBuildDate>Thu, 23 Apr 2026 09:24:25 +0000</lastBuildDate>
                            <language>en</language>
                                <item>
                                                            <title><![CDATA[ 'The goal for this year will be to automate all security processes': Google Cloud is betting on Wiz to usher in a new era of AI security ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/the-goal-for-this-year-will-be-to-automate-all-security-processes-google-cloud-is-betting-on-wiz-to-usher-in-a-new-era-of-ai-security</link>
                                                                            <description>
                            <![CDATA[ Wiz wants to deploy its agents for continuous penetration testing, and in Google it’s found a parent company that can achieve this vision at scale ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">ctMeUtSErHFYBMQui96CMY</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/N3B3FC3PLDnt7g9MWxz368-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Thu, 23 Apr 2026 09:24:25 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Security]]></category>
                                                                                                <author><![CDATA[ rory.bathgate@futurenet.com (Rory Bathgate) ]]></author>                    <dc:creator><![CDATA[ Rory Bathgate ]]></dc:creator>                                                                <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/Vep5JogbPhduK7R6CUWAm6.jpg ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/N3B3FC3PLDnt7g9MWxz368-1280-80.jpg">
                                                            <media:credit><![CDATA[ITPro/Rory Bathgate]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Francis deSouza, COO and president of security products at Google Cloud, pictured speaking on stage at Google Cloud Next 2026 in Las Vegas. ]]></media:description>                                                            <media:text><![CDATA[Francis deSouza, COO and president of security products at Google Cloud, pictured speaking on stage at Google Cloud Next 2026 in Las Vegas. ]]></media:text>
                                <media:title type="plain"><![CDATA[Francis deSouza, COO and president of security products at Google Cloud, pictured speaking on stage at Google Cloud Next 2026 in Las Vegas. ]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/N3B3FC3PLDnt7g9MWxz368-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Google Cloud has announced a slew of new AI-powered security features, including new AI agents for continuous security developed by its new subsidiary Wiz.</p><p>Following <a href="https://www.itpro.com/business/business-strategy/google-confirms-wiz-acquisition-in-record-breaking-usd32-billion-deal">Google Cloud’s record $32 billion acquisition</a> of the Israeli-American cybersecurity startup, the hyperscaler is looking to deploy Wiz agents at a scale that was previously impossible.</p><p>To date, Wiz has made the detection of what it calls ‘toxic combinations’ in cloud environments – including misconfigurations, excessive permissions, and overlooked vulnerabilities – its bread and butter. </p><p>Google Cloud wants to apply this specialism to its entire platform, as well as those of partners.</p><p>While AI can be used to bolster defenses, improperly configured LLMs and AI agents can also complicate <a href="https://www.itpro.com/security/28133/what-is-cyber-security">cybersecurity </a>strategies and introduce new risks of their own, such as <a href="https://www.itpro.com/security/ncsc-issues-urgent-warning-over-growing-ai-prompt-injection-risks-heres-what-you-need-to-know"><u>prompt injection attacks</u></a>.</p><p>Google Cloud and Wiz aim to identify these risks in real-time by embedding security into AI as it’s deployed rather than bolting it on after the fact. 
At Google Cloud Next 2026, both firms have led with a joint message of a deep-set need for AI preparedness.</p><p>“One of the things we do is provide the right protections associated with rolling out your AI infrastructure that you can then make available,” said Francis deSouza, COO and president, Security Products at Google Cloud.</p><p>“Because [it is] not possible to retrofit security into an IT environment, you need to design it in from the ground up.”</p><p>For example, Wiz has launched AI agents that act as automated security researchers and engineers: Red Agent, Blue Agent, and Green Agent.</p><p>“Red team is typically contesting from the outside, and the Red Agent actually leverages the deep visibility that we get into cloud environments and identifies all of the potential exposures, all of the APIs that are internet exposed,” explained Yinon Costica, VP Product and co-founder of Wiz.</p><p>“The Green Agent actually takes the risk that the, let's say the red agent found, and then it automates the triage process.”</p><p>Costica explained that this speeds up a process that normally takes days or even weeks of manual security work. Finally, the Blue Agent takes indications of compromise and automates the investigation process into these threats.</p><p>He added that the three agents can collaborate and work with one another to improve defenses. For example, Red Agent can invoke Green Agent after identifying a vulnerability, or Blue Agent can attempt to flag intrusions by Red Agent to test the effectiveness of an organization’s detection capabilities.</p><p>All of the agents are managed via Wiz AI Application Protection Platform (AI-APP), an umbrella offering that secures every enterprise AI layer including agents, models, infrastructure, data, and access permissions. 
</p><p>Reflecting on the increasing pace of AI-powered attacks, Costica argued that firms must begin to apply agents to “start using AI against ourselves as much as possible” to identify weaknesses and fix them before attackers find them.</p><p>“The goal for this year will be to automate all security processes we know, because that's the only way to go. </p><p>“So there are human automations that we've been using in industry, but I think what agents allow us to do is get to the next level of acceleration and automation of security work.”</p><p>This sentiment was echoed by deSouza in the <a href="https://www.itpro.com/cloud/live/google-cloud-next-2026-all-the-live-updates-as-they-happen"><u>event’s opening keynote</u></a>, in which he warned that hackers have reduced the time between initial access and handoff to secondary threat groups from eight hours to 22 seconds.</p><h2 id="secure-interoperability">Secure interoperability</h2><p>A core part of the updated security offering at Google Cloud is its interoperability. 
The hyperscaler has partnered with firms such as Darktrace, Gigamon, and SAP to extend its out-of-the-box security features to their platforms, and also supports end-to-end AI application protection on platforms like AWS, Microsoft Azure, and Oracle Cloud.</p><p>Customers can even extend security functions to SaaS tools such as OpenAI and custom-hosted cloud environments.</p><p>“It is a <a href="https://www.itpro.com/cloud/34476/what-is-multi-cloud">multi-cloud</a> world, and we talk to our customers about that all the time saying every company is a multi-cloud company, and will need to continue to be a multi-cloud company,” said deSouza.</p><p>In addition to its GCP-native functionality, Wiz supports Databricks and agent platforms including AWS <a href="https://www.itpro.com/technology/artificial-intelligence/amazons-go-build-it-ai-strategy-is-a-perfect-fit-for-openais-big-enterprise-push"><u>Agentcore</u></a>, Gemini Enterprise Agent Platform, Microsoft Azure Copilot Studio, and Salesforce <a href="https://www.itpro.com/business/business-strategy/salesforce-announces-huge-partner-program-revamp-with-agentforce-360-launch"><u>Agentforce</u></a>. </p><p>Customers can also extend its security features to external security ecosystems such as Cloudflare AI Security for Apps, Google Cloud Apigee, and <a href="https://www.itpro.com/security/data-breaches/everything-we-know-about-the-vercel-data-breach-so-far"><u>Vercel</u></a>.</p><h2 id="expanding-security-agents">Expanding security agents</h2><p>Alongside the Wiz-developed tools, Google Cloud also highlighted its AI agents for SecOps. 
These include <a href="https://www.itpro.com/security/google-just-launched-a-new-gemini-powered-dark-web-monitoring-service"><u>Dark Web Intelligence</u></a>, an agent announced at RSAC Conference 2026 that produces organization-specific threat profiles based on Google Threat Intelligence Group’s <a href="https://www.itpro.com/security/32117/what-is-the-dark-web"><u>dark web</u></a> monitoring. </p><p>DeSouza noted that Dark Web Intelligence can identify threats with 98% accuracy, a step above what was previously possible within the security industry.</p><p>“Coming up with new rules is a complex process, it can be done by humans but you have new intelligence coming out all the time,” said deSouza, adding that many organizations have thousands of security rules already in place and that adding new ones onto this list can be an overwhelming task.</p><p>Additionally, cybersecurity teams can use the Threat Hunting Agent and Detection Engineering Agent to search for active threats and novel attacks, identify gaps in their organization’s cybersecurity, and create automated detection rules based on current threats.</p><p>In total, Google Cloud’s Triage and Investigation agent processed more than five million alerts in 2025. The firm said the tool helps teams to complete cybersecurity analysis that previously took 30 minutes in just 60 seconds, using Gemini for reasoning and text generation.</p><p>Another new platform, Google Cloud Fraud Defense, is intended to build upon reCAPTCHA services to assess the legitimacy of humans, bots, and agents within business processes and commerce.</p><p>The announcements made at Google Cloud Next 2026 represent not only the sum of Google Cloud’s teams but also the innovations of Google DeepMind and the proprietary technologies Wiz relied on prior to its acquisition.</p><p><em>ITPro </em>understands that Wiz uses a mix of backend models, which it chooses depending on customer use cases. 
But deSouza said that going forward both Google Cloud and Wiz teams would benefit from sharing notes with internal frontier model developers.</p><p>“We have an advantage here,” said deSouza. </p><p>“Our defense technologies like Wiz work with our frontier model teams, and we know in advance what the model is going to have. And so on day one, we're taking advantage of the cutting edge of defense to protect our customers.”</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Wiz: 80% of cloud breaches are caused by basic mistakes ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/cloud/cloud-security/wiz-80-percent-of-cloud-breaches-are-caused-by-basic-mistakes</link>
                                                                            <description>
                            <![CDATA[ Wiz Threat Research's analysis of 2025 cloud incidents shows that familiar risks are expanding with scale, shared trust, and AI-driven environments ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">WWRRsFHuix7rkRiDpqA8CG</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/d4Q6FKh9ofCeeEtELW6vFm-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Mon, 13 Apr 2026 14:45:35 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Cloud Security]]></category>
                                                    <category><![CDATA[Cloud]]></category>
                                                                                                                    <dc:creator><![CDATA[ Emma Woollacott ]]></dc:creator>                                                                <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/aWfskavxoVSMDy6cDWtYmJ.jpg ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/d4Q6FKh9ofCeeEtELW6vFm-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Cloud computing concept image showing multi-colored digitized cloud symbol.]]></media:description>                                                            <media:text><![CDATA[Cloud computing concept image showing multi-colored digitized cloud symbol.]]></media:text>
                                <media:title type="plain"><![CDATA[Cloud computing concept image showing multi-colored digitized cloud symbol.]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/d4Q6FKh9ofCeeEtELW6vFm-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>AI isn’t creating new classes of vulnerabilities, according to research from <a href="https://www.itpro.com/business/business-strategy/google-confirms-wiz-acquisition-in-record-breaking-usd32-billion-deal">Wiz </a>– but it is expanding the range of where well-known risks can appear. </p><p><a href="https://www.wiz.io/reports/cloud-threat-retrospective-2026" target="_blank"><u>Analysis </u></a>from the cloud security firm found eight-in-ten cloud breaches last year were caused by basic mistakes. Common vulnerabilities, misconfigurations, and exposed secrets all ranked among the leading causes of breaches, Wiz found. </p><p>While the company called for enterprises to shore up basic best practices, the situation is being exacerbated by rapid AI adoption, which is creating larger, more complex attack surfaces. </p><p>"What changed was not the existence of these risks, but the environments in which they appeared and the speed at which they could be exploited," the company said.</p><h2 id="tried-and-tested-methods">Tried and tested methods</h2><p>Wiz noted that the most common entry points in 2025 weren’t novel cloud-specific exploits or advanced <a href="https://www.itpro.com/security/phishing/device-code-phishing-storm-2372-microsoft">identity bypass techniques</a>, but familiar weaknesses in exposure management, credential handling, configuration, and end-user security. </p><p>Wiz said this highlights that threat actors are still recording success by capitalizing on the basic fundamental mistakes made by enterprises. </p><p>Elsewhere, the majority (53%) of pre-access malicious actions were reconnaissance and discovery-related techniques, for example. </p><p>This showcases the increased investment among threat actors on mapping environments and testing trust boundaries, according to Wiz. 
</p><h2 id="ai-is-expanding-attack-surfaces">AI is expanding attack surfaces</h2><p>More than 85% of organisations are now using some form of AI, according to Wiz, which is creating new attack surfaces for security teams to monitor and shore up. </p><p>Notably, researchers warned this is increasing the number of places where familiar issues – such as misconfigurations or exposed credentials – could appear. </p><p>Given these services are often tightly connected to sensitive data, privileged identities, and high-value compute resources, the implications for poor practices on this front are dire. </p><h2 id="attackers-are-using-ai-at-scale">Attackers are using AI at scale</h2><p>While AI is creating new threats for organisations, Wiz warned the technology is also being used by threat actors to accelerate attacks. </p><p>This has become a recurring talking point in recent months, with a slew of studies warning about the increased use of the technology for nefarious purposes. </p><p>Hackers have been observed using AI to <a href="https://www.itpro.com/security/hackers-are-using-ai-to-dissect-threat-intelligence-reports-and-vibe-code-malware">dissect threat intelligence reports</a> and <a href="https://www.itpro.com/security/malware/microsoft-quietly-launched-an-ai-agent-that-can-reverse-engineer-and-detect-malware">reverse engineer malware</a>, for example, or to create more convincing <a href="https://www.itpro.com/security/29093/what-is-phishing">phishing </a>lures. </p><p>Wiz noted, however, that attackers haven’t replaced tried-and-tested techniques with AI. Instead, they’re using the technology to accelerate reconnaissance, automate actions, and scale workflows. </p><p>Researchers said threat actors are now incorporating AI tooling into operations in a variety of ways, including AI-assisted malware execution, abuse of AI-based CLI tools such as Claude or Gemini, and for environment reconnaissance after gaining initial access. 
</p><h2 id="what-can-defenders-do">What can defenders do?</h2><p>Given the key initial access vectors highlighted by Wiz, researchers said enterprises should sharpen their focus on identifying which assets are externally reachable and which risks are exploitable from the outside. </p><p>Continuous visibility into exposure and potential attack paths can also help teams focus on risks that are realistically exploitable. </p><p>Wiz also urged enterprises to treat pre-compromise reconnaissance as a detection opportunity, provided they can react swiftly. </p><p>“The early part of the operations require malicious actors to not only gain some level of privileged access to a network, but conduct internal reconnaissance to understand where they are and how to accomplish their goal,” the report notes. </p><p>“This creates an opportunity for defenders to identify malicious activity before they are able to accomplish their goals.”</p><p>The number and severity of incidents involving compromised packages, CI systems, SaaS integrations, and automation workflows showed how inherited trust can extend impact beyond a single environment. </p><p>Wiz added that defenders should maintain visibility into trusted relationships across development pipelines, third-party services, and identity federations, and correlate these relationships with exposure and identity risk to reduce downstream impact.</p><p>"Security teams that maintain visibility into exposure, identities, and how risk propagates across cloud, development, and AI systems are better positioned to detect and disrupt attacker activity before it escalates."</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Forescout and Netskope partner to bolster zero trust security ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/cloud/cloud-security/forescout-and-netskope-partner-to-bolster-zero-trust-security</link>
                                                                            <description>
                            <![CDATA[ The new integration combines Forescout’s device intelligence with Netskope’s private access controls to extend zero trust across enterprise environments ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">UpKgHYjxRL2mSn9PQQ7GrE</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/Ux3V79nc6iXyfwiHXRzQi3-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Fri, 27 Feb 2026 11:56:26 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Cloud Security]]></category>
                                                    <category><![CDATA[Cloud]]></category>
                                                                                                <author><![CDATA[ itpro@futurenet.com (Daniel Todd) ]]></author>                    <dc:creator><![CDATA[ Daniel Todd ]]></dc:creator>                                                                <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/SRyC34qeLpNDj3dJtsVDhT.jpg ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/Ux3V79nc6iXyfwiHXRzQi3-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[AI zero trust concept image showing shield symbol with digitized human brain in a circle, with distributed red data points with skull symbols.]]></media:description>                                                            <media:text><![CDATA[AI zero trust concept image showing shield symbol with digitized human brain in a circle, with distributed red data points with skull symbols.]]></media:text>
                                <media:title type="plain"><![CDATA[AI zero trust concept image showing shield symbol with digitized human brain in a circle, with distributed red data points with skull symbols.]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/Ux3V79nc6iXyfwiHXRzQi3-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p><a href="https://www.itpro.com/security/28133/what-is-cyber-security">Cybersecurity </a>vendor Forescout Technologies has partnered with cloud security provider Netskope to expand zero trust security coverage across enterprise networks.</p><p>The new integration combines Forescout’s real-time device intelligence with Netskope’s AI, <a href="https://www.itpro.com/cloud/cloud-security/10-cloud-security-tips-every-it-leader-should-know">cloud security</a>, and private access controls to deliver zero trust for managed and unmanaged IT, OT, <a href="https://www.itpro.com/cloud-computing/28037/what-is-iot">IoT, </a>and IoMT devices.</p><p>The pair said the joint solution continuously adapts access decisions based on device posture and risk to ensure <a href="https://www.itpro.com/security/network-security/358282/what-is-zero-trust">zero trust</a> is enforced, regardless of where devices connect.</p><p>Unlike traditional <a href="https://www.itpro.com/security/what-is-zero-trust-network-access-ztna">zero trust network access (ZTNA)</a> deployments that focus exclusively on north-south cloud traffic, the Forescout-Netskope integration secures east-west communications at the local network level. </p><p>In an announcement, Forescout CEO Barry Mainz said the collaboration will help organizations shrink their attack surface as digital environments continue to grow in complexity.</p><p>“The volume and variety of device types are exploding, along with the number of applications, users and access points,” he explained. 
</p><p>“By joining forces with Netskope, we are bringing together two best-of-breed solutions, granting customers complete visibility and control over their environments, with policies that automatically adjust as conditions change, and enabling north-south and east-west security policy enforcement.</p><p>“This is a gold standard of how ‘Universal’ Zero Trust Network Access is employed in practice, not just as a model.”</p><h2 id="addressing-enterprise-blind-spots">Addressing enterprise blind spots</h2><p>The duo said the move addresses a crucial enterprise challenge in which disparate and disconnected security tools are often managed by siloed teams, creating blind spots and restricting control and policy enforcement.</p><p>To overcome this hurdle, the new integration applies granular zero trust policies universally, identifies unmanaged or hidden endpoints, and adapts access decisions in real time based on behavior, device health, and application sensitivity.</p><p>Other benefits include improved containment of cyber threats through its east-west local traffic controls, streamlined compliance with frameworks such as HIPAA, NIST, and CIS, as well as automated enforcement to reduce reliance on manual security updates.</p><p>Sanjay Beri, CEO of Netskope, said a zero trust approach has become essential to secure data and ensure business resilience in the cloud and <a href="https://www.itpro.com/strategy/28181/what-is-ai">AI </a>era.</p><p>“Our integrated solution with Forescout was designed for the scale, speed, and diversity of today’s modern enterprises, and provides the cohesive, centralized secure access organisations need,” he commented.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Cloud security teams are in turmoil as attack surfaces expand at an alarming rate ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/cloud/cloud-security/cloud-security-teams-are-in-turmoil-as-attack-surfaces-expand-at-an-alarming-rate</link>
                                                                            <description>
                            <![CDATA[ Cloud security teams are scrambling to keep pace with expanding attack surfaces, new research from Palo Alto Networks shows, largely due to the rapid adoption of enterprise AI solutions. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">xmJiif6isjjMgPzHVjNpxf</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/aFQH4uPtxoHfmM2w5QiHV5-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Thu, 18 Dec 2025 08:55:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Cloud Security]]></category>
                                                    <category><![CDATA[Cloud]]></category>
                                                                                                                    <dc:creator><![CDATA[ Emma Woollacott ]]></dc:creator>                                                                <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/aWfskavxoVSMDy6cDWtYmJ.jpg ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/aFQH4uPtxoHfmM2w5QiHV5-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Private cloud concept image showing a cloud symbol on a server box, with digital interface and bright colors below. ]]></media:description>                                                            <media:text><![CDATA[Private cloud concept image showing a cloud symbol on a server box, with digital interface and bright colors below. ]]></media:text>
                                <media:title type="plain"><![CDATA[Private cloud concept image showing a cloud symbol on a server box, with digital interface and bright colors below. ]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/aFQH4uPtxoHfmM2w5QiHV5-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p><a href="https://www.itpro.com/cloud/cloud-security/10-cloud-security-tips-every-it-leader-should-know">Cloud security</a> teams are scrambling to keep pace with expanding attack surfaces, new research shows, largely due to the rapid adoption of enterprise AI solutions. </p><p>In a <a href="https://www.paloaltonetworks.com/state-of-cloud-native-security" target="_blank"><u>survey</u></a> of more than 2,800 security executives and practitioners by Palo Alto Networks, 99% said they had experienced an attack against AI applications and services in the past year.</p><p>Meanwhile, the firm warned generative AI-assisted <a href="https://www.itpro.com/technology/artificial-intelligence/vibe-coding-security-risks-how-to-mitigate">vibe coding</a> is in use by 99% of respondents - but is <a href="https://www.itpro.com/security/74-percent-of-companies-admit-insecure-code-caused-a-security-breach">generating insecure code</a> faster than security teams can review it. </p><p>Of the 52% of teams that ship code weekly, only 18% say they can keep up with fixing the vulnerabilities the technology creates.</p><p>"As organizations aggressively scale cloud investments to power AI initiatives, they are inadvertently opening the door to sophisticated new attack vectors," said Elad Koren, vice president of product management at the firm's Cortex security platform.</p><p>Notably, Palo Alto warned <a href="https://www.itpro.com/security/cyber-attacks/threat-actors-exploiting-quickly-what-business-leaders-should-do">attacks are getting faster</a>, with breaches that took an average of 44 days in 2021 now taking as little as 25 minutes.</p><p>"The speed, scale, and sophistication we’ve observed over the past couple of years is incredible," said Haider Pasha, vice president and chief security officer, EMEA, at Palo Alto Networks. 
</p><p>Attackers are increasingly exploiting the foundational layers of the cloud, targeting API infrastructure, identity, and lateral network movement. API attacks, for example, are up by 41%, making them a primary entry point for sophisticated threats.</p><h2 id="the-top-challenges-for-cloud-security-teams">The top challenges for cloud security teams</h2><p>Meanwhile, 53% of respondents cited lenient <a href="https://www.itpro.com/security/how-to-implement-identity-and-access-management-iam-effectively-in-your-business">identity and access management (IAM) </a>practices as a top challenge, saying that insufficient access controls are now a leading vector for credential theft and data exfiltration.</p><p>These findings align closely with a recent study from Okta, which also highlighted growing concerns about identity security. </p><p><a href="https://www.itpro.com/security/identity-security-is-more-important-than-ever-heres-why"><u>An August survey</u></a> from the firm found 85% of security leaders now view IAM as a critical security focus, marking an increase on the year prior. </p><p>Elsewhere, long-running issues with <a href="https://www.itpro.com/security/cybersecurity-teams-are-wasting-time-money-and-effort-dealing-with-tool-sprawl-and-multi-vendor-ecosystems">tool sprawl</a> are adding insult to injury for cloud and security practitioners. Disparate tools are creating dangerous blind spots, the company noted, with respondents now managing an average of 17 cloud tools from an array of vendors. </p><p>The resulting fragmented data and context gaps are prompting 97% of respondents to prioritize consolidating their cloud security footprint.</p><h2 id="soc-teams-are-struggling">SOC teams are struggling</h2><p><a href="https://www.itpro.com/security/370276/soc-modernisation-and-and-the-role-of-xdr">Security operations center (SOC) staff</a> are also struggling amidst a surge in cloud-related attacks, Palo Alto found. 
A key factor here lies in disjointed workflows and isolated data sources between cloud and SOC teams, the study noted. </p><p>This lack of alignment is stalling remediation efforts, with nearly one-third (30%) of respondents revealing they take more than a full day to resolve an incident. </p><p>To cope, researchers said cloud and SOC teams must merge, with 89% of organizations believing cloud and application security must be fully integrated with the SOC to be effective.</p><p>"Our research confirms that traditional approaches to cloud security are inadequate, leaving security teams to fight machine-speed threats with fragmented tools and slow, manual fix cycles," said Koren. </p><p>"Teams need more than just dashboards highlighting risks they can never burn down; they must transform with an agentic-first platform that spans code to cloud to SOC to finally operate faster than the adversary."</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Cloud security: How to detect breaches and stop them quickly ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/cloud/cloud-security/cloud-security-how-to-detect-breaches-and-stop-them-quickly</link>
                                                                            <description>
                            <![CDATA[ Cloud breaches are going undetected, posing a major risk to businesses. What is causing this growing problem, and what can firms do about it? ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">KjtmasEamUfNA4wU49pN5Q</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/87BSyCjjR5QVShx4NmwLPF-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Thu, 16 Oct 2025 10:00:00 +0000</pubDate>                                                                                                                                <updated>Mon, 20 Oct 2025 13:15:26 +0000</updated>
                                                                                                                                            <category><![CDATA[Cloud Security]]></category>
                                                    <category><![CDATA[Cloud]]></category>
                                                                                                                    <dc:creator><![CDATA[ Kate O&#039;Flaherty ]]></dc:creator>                                                                <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/LUULv6n7VJ3BHPnaoLHHdg.jpg ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/87BSyCjjR5QVShx4NmwLPF-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[SaaS security concept imaging showing centralized cloud symbol with orange coloring connecting to different data points. ]]></media:description>                                                            <media:text><![CDATA[SaaS security concept imaging showing centralized cloud symbol with orange coloring connecting to different data points. ]]></media:text>
                                <media:title type="plain"><![CDATA[SaaS security concept imaging showing centralized cloud symbol with orange coloring connecting to different data points. ]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/87BSyCjjR5QVShx4NmwLPF-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p><a href="https://www.itpro.com/cloud-security/34458/what-is-cloud-security"><u>Cloud security</u></a> is a priority for most firms, but breaches aren’t always identified before they have caused substantial damage. In some cases, cloud breaches are going undetected for hours or days,<a href="https://www.itpro.com/cloud/cloud-security/cloud-breaches-check-point-security-report"> according to research</a> published earlier this year. </p><p>While nearly two-thirds of organizations suffered a cloud security incident in the past year, only 9% of breaches were detected within the first hour, according to Check Point’s 2025 Cloud Security Report. Researchers found just 6% of incidents were remediated within the first hour, with 62% of enterprises taking more than 24 hours to fully recover.</p><p>The speed at which firms are detecting and responding to cloud breaches is a concern because it could lead to data theft and further attacks, resulting in reputational damage and regulatory fines. </p><p>So what is causing companies to miss incidents involving cloud, and how can businesses recover more quickly?</p><h2 id="why-cloud-breaches-are-going-undetected">Why cloud breaches are going undetected</h2><p>Security teams are missing cloud breaches due to <a href="https://www.itpro.com/security/28133/what-is-cyber-security"><u>cybersecurity</u></a> alert fatigue, fragmented tools, and clunky legacy <a href="https://www.itpro.com/security/application-security-risk-how-leaders-can-protect-their-businesses"><u>applications</u></a>, according to experts. </p><p>Gaps in security can happen because of misconfigured storage or overly permissive access controls, which end up exposing data without triggering alerts, says Andy Green, a partner at Avella Security.</p><p>Businesses often fail to enable or properly use logging services such as AWS CloudTrail or Azure Monitor, so suspicious activity goes unnoticed, which just adds to the problem. 
</p><p>“And when monitoring is in use, security teams face alert fatigue, while critical warnings are buried among low-priority notifications and don’t get actioned,” Green adds. </p><p>This is made more complex by fragmented, hybrid environments with legacy perimeter defences not designed for cloud scale, which can lead to visibility gaps, says Dray Agha, senior manager of security operations at Huntress. </p><p>Simon Driscoll, network and security specialist at  ITGL, agrees. “For many organizations, the dispersal of information across multi-cloud means they don’t truly know where all of their data resides anymore,” he says. </p><p>“Inevitably, the chance of missing things, or the creation of gaps to exploit, magnifies significantly the more providers used, and the less control companies have.”</p><h2 id="the-consequences">The consequences </h2><p>It’s clear there are issues preventing cloud incidents from being detected and responded to in time. However, the consequences of this can be devastating, allowing criminals to retain access to internal systems, data, and accounts. </p><p>The longer an adversary can hide, the greater the impact, says Harlin Lipman, head of information security, Chronosphere. For example: “They can perform account takeovers, privilege escalation, and tactics such as command and control,” he warns. </p><p>Operationally, breaches may disrupt critical services, delay projects, or cause downtime –  particularly if attackers exploit cloud resources for malicious purposes such as <a href="https://www.itpro.com/security/ransomware/building-ransomware-resilience-to-avoid-paying-out"><u>ransomware</u></a>, according to Green. </p><p>Undetected breaches can also lead to regulatory consequences. 
A cloud security breach that involves customer data is likely to qualify as a personal data breach under legislation such as the <a href="https://www.itpro.com/security/gdpr/four-years-on-hows-uk-gdpr-holding-up"><u>UK General Data Protection Regulation</u></a> (GDPR), says Olivia Mulvany, a senior associate at law firm Broadfield.</p><p>A personal data breach impacts a firm’s reputation and can result in substantial fines. “Time is of the essence: You need to act quickly,” Mulvany warns.</p><h2 id="how-to-detect-and-mitigate-cloud-breaches-quickly">How to detect and mitigate cloud breaches quickly </h2><p>The risk is real, but detecting cloud breaches and mitigating them before the damage is done is possible. </p><p>It’s important to understand the tools and applications you use on a daily basis and build a defence around the best native integrations, says Driscoll.</p><p>“Siloed tooling and poor visibility and control as a result of poor integration and overly complex analysis processes are the biggest blockers to improving detection and response,” he adds. </p><p>With this in mind, monitoring across all cloud services can help gain visibility, according to experts. </p><p>Depending on which cloud provider you are using, Green recommends tools such as AWS GuardDuty, Azure Defender, and Google Cloud Security Command Center, which “can detect threats early using behavioral analytics and threat intelligence”.</p><p>Regular cloud configuration audits using tools or penetration testers can identify and remediate misconfigurations before they’re exploited by attackers, Green adds.</p><p>Meanwhile, it’s a good idea to focus on a “<a href="https://www.itpro.com/security/network-security/358282/what-is-zero-trust"><u>zero trust</u></a> principle” mindset, says Driscoll.</p><p>“Verify and validate everything, all the time – no exceptions. Adopt least privilege access rules for all users across data stores. 
Ensure you have segmentation across your private cloud networks and that conditional access is in place for your public cloud environments.”</p><p>In addition, investing in cloud security training ensures teams understand evolving threats and response tactics, according to Green.</p><p>He says:  “Speed and efficiency come from combining the right tools, well-defined processes, and skilled personnel to act decisively — reducing breach dwell time and minimising potential damage.”</p><h2 id="incident-response">Incident response </h2><p>As attackers continue to target the cloud, prevention of attacks is key. However, when detecting breaches, it’s important to ensure you can respond quickly, via a solid <a href="https://www.itpro.com/security/building-an-incident-response-strategy#:~:text=Having%20stellar%20incident%20response%20plans,the%20costs%20of%20a%20breach."><u>incident response strategy</u></a>. </p><p>At the heart of this, Lipman advises firms to have “a well-documented incident response plan”. </p><p>Everyone in the business should be involved, so it’s a good idea to educate all employees who participate in incident response, according to Lipman.  </p><p>“Everyone needs to have a clear understanding of their roles and responsibilities, including their position in the call tree to facilitate quick contact in case of an incident,” he says. </p><p>At the same time, incident response plans must be tailored to cloud environments. </p><p>“This includes identifying which cloud assets are in scope, who is responsible under the shared responsibility model, and how to isolate affected resources quickly,” adds Green. </p><p>“For example, removing identity and access management (IAM) roles, revoking API keys, and detaching instances from networks.”</p><p>Once the plan is in place and everyone knows their roles, it needs to be tested regularly. 
For cloud specifically, regular tabletop exercises focused on scenarios involving the technology are “essential”, Lipman says.</p><p>It requires investment, so senior management needs to know the importance of securing the cloud and the consequences of not being able to respond in time. Security teams must advocate for the software, hardware, and headcount resources they require to enable this preparation,  Lipman advises. </p><p>“An organization cannot handle incidents if it is not well-equipped from both a software and personnel perspective, so having the necessary resources is imperative for success,” he concludes. </p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ The unseen risks of cloud storage for businesses ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/cloud/cloud-security/the-unseen-risks-of-cloud-storage-for-businesses</link>
                                                                            <description>
                            <![CDATA[ Sensitive data is being held in publicly-accessible cloud storage, despite the obvious risks – what can firms do about it? ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">C5CFYkb3KTotPmzn2Vwok6</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/wETAzkC4PQQ6VjXVqxUHUN-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Wed, 10 Sep 2025 10:43:36 +0000</pubDate>                                                                                                                                <updated>Tue, 21 Oct 2025 11:49:44 +0000</updated>
                                                                                                                                            <category><![CDATA[Cloud Security]]></category>
                                                    <category><![CDATA[Cloud]]></category>
                                                                                                                    <dc:creator><![CDATA[ Kate O&#039;Flaherty ]]></dc:creator>                                                                <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/LUULv6n7VJ3BHPnaoLHHdg.jpg ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/wETAzkC4PQQ6VjXVqxUHUN-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Cloud native security concept image showing cloud symbol pictured on top of a digitized cube representing a circuit board and GPU.]]></media:description>                                                            <media:text><![CDATA[Cloud native security concept image showing cloud symbol pictured on top of a digitized cube representing a circuit board and GPU.]]></media:text>
                                <media:title type="plain"><![CDATA[Cloud native security concept image showing cloud symbol pictured on top of a digitized cube representing a circuit board and GPU.]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/wETAzkC4PQQ6VjXVqxUHUN-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Cloud storage is used by most businesses, with 78% of respondents to a <a href="https://www.pwc.co.uk/services/value-creation/insights/unlocking-value-of-cloud-investments.html" target="_blank"><u>2024 PwC survey</u></a> indicating they’ve adopted cloud across most of their organizations. But many firms are unknowingly opening themselves up to security and data protection risks: sensitive data is being held in 9% of publicly-accessible cloud storage, and 97% of this information is classified as restricted or confidential, according to Tenable's <a href="https://www.tenable.com/cyber-exposure/tenable-cloud-security-risk-report-2025" target="_blank"><u>2025 Cloud Security Risk Report</u></a>. </p><p>Over half of organizations using Amazon Web Services (AWS) ECS task definitions have at least one “secret” residing there. This creates “a dangerous exposure path” in cloud infrastructure entitlements, Tenable said.</p><p>Exposed data includes API keys, access and <a href="https://www.itpro.com/security/innovation-at-work/24460/what-is-data-encryption"><u>encryption keys</u></a> and tokens, as well as usernames and passwords, according to the report.</p><p>As firms move away from on premises infrastructure towards cheaper and more efficient cloud services, they aren’t always considering the risk. Most companies have already migrated this data over, meaning they have to work backwards to secure it. </p><p>“Too often, the convenience of cloud overrides the need for careful consideration, and critical files migrate over by default, or due to expediency,” says Ali Sheikh, digital and cybersecurity expert at PA Consulting. 
“This transition isn’t always accompanied by robust oversight or shared understanding of risk.”</p><p>So why has such sensitive data ended up in insecure cloud storage and what can firms do to gain control over it?</p><h2 id="migration-issues">Migration issues</h2><p>Cloud storage has become the default for businesses moving away from on premises infrastructure due to its flexibility and ease of use. However, in the <a href="https://www.itpro.com/cloud/cloud-management/embracing-cloud-migration-at-scale"><u>rush to migrate</u></a>, many organizations “skip over essential security configurations”, says James Round, cyber security consultant at Pentest People. “We've seen this repeatedly in assessments when clients move to the cloud without applying strict access controls or properly safeguarding sensitive data including personally identifiable information.”</p><p>As firms strive for ease of access and the ability to quickly share information across teams, credentials, API keys and other sensitive details can end up being stored in plaintext, says Round. </p><p>Bernard Montel, EMEA technical director and security strategist at Tenable describes “numerous instances” of inadvertent exposure, misconfigured access settings and “overly permissive policies” in cloud environments. </p><p>For example, developers frequently utilize privilege elevation for short-term access during application or project development, with these privileges revoked once the project concludes. “But this is often forgotten and the access becomes permanent,” Montel warns.</p><p>Simple missteps in cloud-based development can “swing the door wide open for attackers”, says Crystal Morin, cybersecurity strategist at Sysdig. For instance, publicly exposed data is “shockingly easy” to find using common free open source tools, she says. 
“Combine public exposure with misconfigurations, <a href="https://www.itpro.com/security/patch-management-why-firms-ignore-vulnerabilities-at-their-own-risk">unpatched vulnerabilities</a>, or weak credential management and attackers can breach cloud systems in minutes.”</p><p>In fact, about ten minutes is all that stands between a cloud misconfiguration and data leaks or intellectual property theft, says Morin. </p><p>Without strong <a href="https://www.itpro.com/security/how-to-implement-identity-and-access-management-iam-effectively-in-your-business"><u>access controls</u></a> and clear <a href="https://www.itpro.com/data-protection/28177/data-protection-policies-and-procedures"><u>data handling policies</u></a>, the confidentiality and integrity of critical systems can be “seriously undermined often” without the business realizing until after an incident has occurred, Round warns.</p><p>Adding to the issue is the still widespread misunderstanding that cloud providers manage all security, when in fact configuration responsibilities lie with the customer, he says.</p><p>If this led to a cloud breach or data leak the consequences could be huge, with customers potentially exposed to hackers and companies falling foul of laws such as the <a href="https://www.itpro.com/it-legislation/27814/what-is-gdpr-everything-you-need-to-know"><u>General Data Protection Regulation (GDPR)</u></a>.</p><p>Storing confidential or restricted data in exposed locations is “a direct path to compliance violations”, says Kim Larsen, CISO at Keepit.</p><p>In addition to fines, firms are exposing themselves to brand damage and operational disruption, says Larsen. 
“If you lose access to your identity and access management systems such as Entra ID or Okta, you’re not just exposed – you’re locked out of your own company.”</p><h2 id="how-to-gain-visibility-and-secure-cloud-data">How to gain visibility and secure cloud data</h2><p>The amount of sensitive data stored in the cloud is a concern, but firms can get a handle on the issue using the right policies and technology. </p><p>In the first instance, IT leaders must establish clear cloud storage policies, processes and security controls, and communicate them across the organization, says Sam Peters, chief product officer at ISMS.online. </p><p>Businesses should also “thoroughly vet the security posture of their cloud suppliers”, says Peters. </p><p>Visibility is key to securing data in the cloud. You need to know what data you have, where it lives, and who can access it, says Larsen. “Classify that data. Encrypt it. Monitor access with defined time limits and remove standing privileges. Don’t assume that just because something’s behind a login it’s safe — credentials are one of the top targets for attackers.”</p><p>Regular monitoring is key, Round says. Tools include AWS Security Hub and Microsoft Defender for Cloud, which offer “a centralized view of risks, alerts, and compliance gaps”, he adds.</p><p>Combine this with a <a href="https://www.itpro.com/security/361919/how-to-build-a-zero-trust-model"><u>least-privilege access model</u></a>, automated alerting, and default denial of public access to build strong cloud hygiene, Round advises. 
“A proactive approach, supported by continuous review and enforcement of internal policies, is essential for preventing breaches and maintaining control over critical assets.”</p><p>When securing cloud data, it also helps to look at things from a different perspective. Richard Cassidy, EMEA CISO at Rubrik, urges security teams to “act like attackers, by targeting high-value data first and looking at all the possible ways to access it”. Teams can also look to put stronger controls in place, improve their recovery strategies, and utilize continuous backups much as they would with data held on premises, he adds.</p><p>As increasing amounts of data are created and stored in cloud services, gaining control over your own estate is important. Once you have visibility of information residing in the cloud, regular audits, strong authentication and clear policies are essential, according to Sheikh.</p><p>It’s important to get all employees on board, so they understand that <a href="https://www.itpro.com/security/gen-z-has-a-cyber-hygiene-problem">security is everyone’s responsibility</a>, he says. “Cultivating a culture where everyone, from executive to end user, sees themselves as a guardian of data, shifts security from a technical afterthought to a shared value,” he says.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Global cybersecurity spending is going to hit $213 billion in 2025 — here's what’s driving investment ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/global-cybersecurity-spending-is-going-to-hit-usd213-billion-in-2025-heres-whats-driving-investment</link>
                                                                            <description>
                            <![CDATA[ Spending across major fronts comes in the wake of rising cloud security threats and growing skills gaps ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">VgkyPmhJrBNv4sGWF6t3dC</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/2mpxSzoRj8PaKnmA43F4pX-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Wed, 30 Jul 2025 08:46:24 +0000</pubDate>                                                                                                                                <updated>Wed, 10 Sep 2025 09:23:27 +0000</updated>
                                                                                                                                            <category><![CDATA[Security]]></category>
                                                                                                <author><![CDATA[ ross.kelly@futurenet.com (Ross Kelly) ]]></author>                    <dc:creator><![CDATA[ Ross Kelly ]]></dc:creator>                                                                <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/Y5vrV2V98Np6jHAGmAtCd3.jpg ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/2mpxSzoRj8PaKnmA43F4pX-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Cybersecurity concept image showing a digitized shield sign surrounded by data blocks.]]></media:description>                                                            <media:text><![CDATA[Cybersecurity concept image showing a digitized shield sign surrounded by data blocks.]]></media:text>
                                <media:title type="plain"><![CDATA[Cybersecurity concept image showing a digitized shield sign surrounded by data blocks.]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/2mpxSzoRj8PaKnmA43F4pX-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Global <a href="https://www.itpro.com/security/cybersecurity-spending-is-going-to-surge-in-2025-and-ai-threats-are-a-key-factor" target="_blank">cybersecurity spending</a> is expected to reach $213 billion by year's end, according to Gartner – a 10.4% increase on 2024 budgets.</p><p>New stats from the consultancy show spending will surge well beyond the 2024 figure of $193 billion – and the trend shows no sign of slowing down. </p><p>In 2026, Gartner estimates spending will increase by 12%, totaling $240 billion, while end-user spending in the UK specifically is expected to skyrocket 30% to $13.3 billion.</p><p>Speaking to <em>ITPro</em>, Ruggero Contu, senior director analyst at Gartner, said this spending surge is being driven by a confluence of issues, including rising cyber criminal threats, compliance-related considerations, and the emergence of <a href="https://www.itpro.com/strategy/28181/what-is-ai">AI</a>. </p><p>Spending on security software, for example, is an area where there is a huge enterprise appetite, with spending between 2024 and 2026 increasing from around $95 billion to $121 billion. </p><p>A key factor behind this increase, Contu noted, is a concerted enterprise effort to shore up <a href="https://www.itpro.com/business/what-are-the-benefits-of-unified-cloud-security">cloud security</a> capabilities, particularly in relation to AI workloads. </p><p>This isn’t a one-size-fits-all situation, however, and he explained that spending habits will differ based on both the maturity of the organization and where it lies along its own <a href="https://www.itpro.com/cloud/cloud-management/how-to-embark-on-your-cloud-repatriation-journey">cloud journey</a>. </p><p>“If you look at the different segments that compose this broad category, there is a need to apply security to different stages of cloud adoption,” he told <em>ITPro</em>. 
</p><p>“From the development of applications within cloud environments, the security of workloads stored, handled in cloud environments, and testing of third party applications.”</p><p>“Now with AI, they need to secure AI-specific configurations and runtime requirements. So we do expect this segment to continue to grow in the next couple of years as a result of this.”</p><h2 id="skills-gaps-drive-security-services-spending">Skills gaps drive security services spending</h2><p>Security services spending has increased consistently in recent years – from $77 billion in 2024 to an estimated $92.7 billion by 2026. Contu told <em>ITPro</em> this encompasses a broad range including managed services and third-party vendor support. </p><p>A major driver of enterprise spending on this front lies in the combination of rising cybersecurity risks and continued skills gaps, with organizations turning to managed services to compensate for a lack of in-house talent. </p><p>Indeed, a recent study from CyberSmart shows organizations are <a href="https://www.itpro.com/security/pressure-mounts-on-msps-as-enterprises-flock-to-managed-cybersecurity-services">relying more than ever on MSPs</a>.</p><p>“One of the major drivers for security services is the skills gap,” he said. “This is obviously not a new problem. It’s an issue that enterprises across the group have been facing – having the skills and resources within cybersecurity that matches increasing requirements. </p><p>“So obviously relying on a managed security provider, or even more so a managed detection and response provider, can help fill that gap.”</p><p>Engagement with managed providers spans a range of organizations, Contu added, and isn’t necessarily limited to those that don’t have mature cybersecurity practices. </p><p>Those with a higher level of capability often require specific skills that are hard to come by. 
</p><p>As an example, Contu said that one area where the consultancy expects to see increasing growth is “cyber-physical systems security” – mainly <a href="https://www.itpro.com/security/cyber-security/359213/it-and-ot-how-cisos-can-best-handle-the-dangers-of-integration">operational technology (OT)</a>. </p><p>“That’s a challenging area,” he said. “Particularly because it needs knowledge of both security and industrial infrastructure and the requirement to apply security to that world.”</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Cloud confusion: Why can't we say what we mean? ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/cloud/cloud-security/cloud-confusion-why-cant-we-say-what-we-mean</link>
                                                                            <description>
                            <![CDATA[ Cloud jargon creates confusion, risking security gaps and business vulnerabilities in organizations ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">KgCH6Vw7vLCTcXz9BLjw4K</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/mS6ujj6Mag4ht33ZseZnza-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Tue, 29 Jul 2025 22:07:40 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Cloud Security]]></category>
                                                    <category><![CDATA[Cloud]]></category>
                                                                                                                    <dc:creator><![CDATA[ Ross Baker ]]></dc:creator>                                                                <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/rRbnbZfK9PALj5TqLo78UX.jpg ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/mS6ujj6Mag4ht33ZseZnza-1280-80.jpg">
                                                            <media:credit><![CDATA[Adobe Stock]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Digital cloud with connecting lines and glowing particles on a blue and red gradient background]]></media:description>                                                            <media:text><![CDATA[Digital cloud with connecting lines and glowing particles on a blue and red gradient background]]></media:text>
                                <media:title type="plain"><![CDATA[Digital cloud with connecting lines and glowing particles on a blue and red gradient background]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/mS6ujj6Mag4ht33ZseZnza-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Cloud computing is fascinating. Whether you’re an IT professional who uses the term ‘cloud’ 150 times a day, or you’re only vaguely aware that ‘the cloud’ stores your photos and files, cloud has become ubiquitous – and it isn’t going anywhere.</p><p>However, at the same time, the term ‘cloud’ has become a vague catch-all. It’s taken for granted, leading to ambiguity about what the cloud is. Managed Service Providers (MSPs) and IT firms offer expertise in cloud, cloud security, cloud posture management, and more. But all too often, the way they discuss it leads to confusion, because speaking ‘cloud’ can be like speaking a foreign language. And like learning another language, unless you’re immersed in it, it’s hard to become fluent.</p><h2 id="cloud-is-a-double-edged-sword">Cloud is a double-edged sword</h2><p>MSPs are cloud experts; they’re fluent in the language, but when they’re speaking to those who aren’t immersed in cloud architecture, there’s still a language barrier that’s difficult to overcome and to understand. This results in security gaps and vulnerabilities in cloud infrastructure.</p><p>It’s this confusion over cloud that cybercriminals are looking to exploit. They’re searching for the easy way in: the misconfigured bucket which is facing the open internet; human accounts which are vulnerable because they’re only protected with default credentials; identities with long-standing access to cloud resources; or regular accounts which have mistakenly been equipped with administrator privileges – without anybody noticing.</p><p>One of the major advantages of the cloud is that it can help organizations boost business efficiency. That said, while the cloud can simplify applications and services for employees or customers, the reality is that configuring the cloud correctly is a complex task. 
And if this isn’t managed correctly, the cloud quickly becomes a double-edged sword, providing cyber attackers with access to misconfigurations and vulnerabilities that they can exploit as an efficiency tool.</p><p>Threat actors know this. That’s why they’re mercilessly targeting the cloud, be it finding ways to gather passwords to access cloud-based user accounts, <a href="https://www.lbc.co.uk/news/uk/co-op-marks-spencer-cyberattackers-tricked-it-workers/"><u>which it’s believed is how the recent spate of incidents targeting UK retailers began</u></a>, or searching for unsecured storage buckets facing the internet. No matter the method, cybercriminals are increasingly relentless in their attacks against the cloud, and just like legitimate businesses, the bad guys are moving forward with their cloud-based business models. This creates a business risk that cannot be ignored.</p><p>Businesses have become reliant on cloud applications and services. It’s a mature concept, but many organizations still don’t fully understand what they’re dealing with or the implications it has on cybersecurity, especially if their MSPs are speaking about the cloud in complex language, which is difficult to translate into actions.</p><p>Have they thought about the ins and outs of securing the cloud? Or what would happen if the cloud went down or access was revoked because of a security incident? Would the business still even be able to operate?</p><h2 id="multi-cloud-environments">Multi-cloud environments</h2><p>This only becomes more complex in a multi-cloud environment. Not so long ago, when a business rolled out cloud computing, it was likely restricted to using products from a single vendor. 
That’s now changed, with businesses potentially using Microsoft 365, Amazon Web Services, and Google Cloud, all in the same environment.</p><p>Managing one cloud service was already difficult enough, and the addition of extra services, each with their nuances, only further complicates this, especially if the business doesn’t truly grasp the complexities around securing the cloud.</p><p>Much of this misunderstanding comes from misconceptions around cloud posture management and who is responsible for managing it. Sometimes, businesses are under the impression that because they’ve outsourced their cloud management to an MSP, securing it isn’t their responsibility.</p><p>But this is incorrect; the organization needs to ensure that not only are they aware of any potential security issues, but that they have plans to manage them, and in the worst-case scenario, that means strategies for how to deal with an incident and reduce their business risk.</p><h2 id="msps-are-vital">MSPs are vital</h2><p>However, MSPs are still key to this. If they’re using complex, difficult-to-understand language about cloud services and security, businesses may not fully understand their role in securing the cloud. It’s therefore vital for MSPs and IT providers to talk about cloud in a clear, meaningful way that&apos;s understandable to outsiders.</p><p>Businesses employ MSPs because they bring expertise in areas like cloud deployment and security. But it’s still vital for the organisation to do due diligence on who they’re partnering with and what expertise they bring. 
That partner should be the provider who best understands your business, best understands the challenges the business is likely to face, and is equipped to help find the right solutions for your cloud environment, plus the right security tools and processes to help keep it safe from cyber threats.</p><p>The cloud is confusing, and it’s only going to become more complex and more ingrained in environments as cloud-native becomes the norm. Ensuring that it’s protected from cyber threats can only happen if communication around it is clear – if it&apos;s ambiguous, organisations are going to find themselves vulnerable to threats and challenges. Strong cyber practices are about exposing and closing cyber risk.</p><p>The time to demystify cloud confusion is now.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Trend Micro and Google Cloud double down on AI security with expanded partnership ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/cloud/cloud-security/trend-micro-and-google-cloud-double-down-on-ai-security-with-expanded-partnership</link>
                                                                            <description>
                            <![CDATA[ The agreement targets improved proactive security across cloud environments, alongside enhanced scam defense capabilities ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">m4Bkbd8uwaPYDgJ4F8UN7o</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/5Mnanf8KdNTKawhTtWsdHi-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Tue, 29 Jul 2025 09:25:34 +0000</pubDate>                                                                                                                                <updated>Tue, 29 Jul 2025 09:25:54 +0000</updated>
                                                                                                                                            <category><![CDATA[Cloud Security]]></category>
                                                    <category><![CDATA[Cloud]]></category>
                                                                                                <author><![CDATA[ itpro@futurenet.com (Daniel Todd) ]]></author>                    <dc:creator><![CDATA[ Daniel Todd ]]></dc:creator>                                                                <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/SRyC34qeLpNDj3dJtsVDhT.jpg ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/5Mnanf8KdNTKawhTtWsdHi-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Trend Micro logo and branding pictured on a smartphone screen with cityscape pictured in background.]]></media:description>                                                            <media:text><![CDATA[Trend Micro logo and branding pictured on a smartphone screen with cityscape pictured in background.]]></media:text>
                                <media:title type="plain"><![CDATA[Trend Micro logo and branding pictured on a smartphone screen with cityscape pictured in background.]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/5Mnanf8KdNTKawhTtWsdHi-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Trend Micro has announced an expansion of its partnership with Google Cloud that will focus on enhancing AI-powered cybersecurity for complex cloud environments.</p><p>The pair’s latest collaboration aims to deliver a multi-cloud, AI-first environment that supports sovereignty requirements, bolsters proactive security, and increases protection against online scams.</p><p>At the core of the agreement, Trend Micro’s Vision One Sovereign and Private Cloud (SPC) solution has been integrated with Google Cloud Assured Workloads to help organizations better secure data across public, hybrid, and air-gapped on-prem environments.</p><p>Trend Micro said the move will equip organizations with greater flexibility and control over their most sensitive data, while also helping those in highly regulated markets to optimize security and compliance.</p><p>“Among hyperscalers, we’ve seen Google Cloud accelerate as the most in tune with real-world demands, standing out not only for its cloud infrastructure but also for its leadership across AI, data analytics and multiple other domains,” explained Bharat Mistry, Field CTO at Trend Micro.</p><p>“Google Cloud’s hybrid- and multi-cloud approach—seamlessly supporting both public and private cloud models—reflects the growing enterprise demand for flexibility.”</p><h2 id="trend-micro-eyes-deeper-integration-with-google-ecosystem">Trend Micro eyes deeper integration with Google ecosystem</h2><p>The freshly expanded partnership also broadens Trend Micro’s reach across the cloud giant’s software ecosystems. 
Organizations can now also access the Trend Vision One platform and Trend Vision One Sovereign and Private Cloud offering via Google Cloud Marketplace to help streamline deployment.</p><p>The <a href="https://www.itpro.com/security/28133/what-is-cyber-security">cybersecurity</a> firm also revealed that its Cloud App Security solution has now surpassed four million downloads on the Google Workspace Marketplace for enterprise deployments.</p><p>The companies are also collaborating to help tackle online scams. </p><p>Trend Micro’s ScamCheck app now utilizes Google Cloud’s Gemini models through Vertex AI for a host of capabilities, including the ability to verify images and SMS content used by scammers.</p><p>“By seamlessly extending Google Cloud's native security with Trend Micro's specialized defenses, we empower organizations to accelerate their cloud transformation journeys,” commented Karan Bajwa, president of Google Cloud Asia Pacific. </p><p>“This enables them to innovate securely and scale confidently in a dynamic <a href="https://www.itpro.com/strategy/28181/what-is-ai">AI</a> era.”</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Majority of engineers bypass security controls to do their job – as zero trust ambitions aren't being met ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/cloud/cloud-security/majority-of-engineers-bypass-security-controls-to-do-their-job</link>
                                                                            <description>
                            <![CDATA[ Legacy VPNs and an overreliance on manual processes are leaving internal systems open to access by former employees ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">LAPL5FKGZGugB6ETnBYc8Y</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/Lq6brmg8jRUNyRnyv5SBxe-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Wed, 23 Jul 2025 12:03:01 +0000</pubDate>                                                                                                                                <updated>Wed, 23 Jul 2025 12:35:52 +0000</updated>
                                                                                                                                            <category><![CDATA[Cloud Security]]></category>
                                                    <category><![CDATA[Cloud]]></category>
                                                                                                                    <dc:creator><![CDATA[ Emma Woollacott ]]></dc:creator>                                                                <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/aWfskavxoVSMDy6cDWtYmJ.jpg ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/Lq6brmg8jRUNyRnyv5SBxe-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[A glowing shield formed from glowing points and lines in an abstract landscape to represent security controls.]]></media:description>                                                            <media:text><![CDATA[A glowing shield formed from glowing points and lines in an abstract landscape to represent security controls.]]></media:text>
                                <media:title type="plain"><![CDATA[A glowing shield formed from glowing points and lines in an abstract landscape to represent security controls.]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/Lq6brmg8jRUNyRnyv5SBxe-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>The vast majority of engineers are bypassing security controls just to get their job done – and most even retain access after leaving.</p><p>This is according to a new <a href="https://tailscale.com/resources/report/zero-trust-report-2025" target="_blank"><u>survey</u></a> commissioned by Tailscale, which found 83% of IT and engineering professionals admitted to actively bypassing security controls in order to get their work done.</p><p>Drawn from the responses of 1,000 IT, security, and engineering professionals across North America, the survey also found that 99% of companies want to redesign their company’s access and networking setup from the ground up.</p><p>Two-thirds said their organization's IT and security policies actively block or misunderstand their workflows and almost half (49%) said their access infrastructure cannot be scaled.</p><p>For example, 68% of organizations are still reliant on manual processes to manage network access, using tools such as static firewalls and permissions based on user IP rather than <a href="https://www.itpro.com/software-defined-wide-area-network-sd-wan/33346/what-is-sd-wan"><u>software-defined access</u></a>.</p><p>The findings made clear that this is not where leaders want to be. Though <a href="https://www.itpro.com/security/what-is-zero-trust-network-access-ztna">zero trust network access (ZTNA) </a>was pointed to as an aspirational process for respondents to adopt, just 29% said they use identity-based access as their primary model.</p><p>The report underscored the shortcomings of relying on manual systems by revealing as many as 68% of respondents retained access to internal systems after leaving their previous employer. </p><p>While just under a third (32%) reported having access revoked immediately, 27% said they still had access for several weeks and 13% for a few months. 
In a small but not insignificant number of cases (6%), former employees could still access internal systems for a year or more.</p><p>The report also highlighted <a href="https://www.itpro.com/network-internet/virtual-private-network-vpn/367994/vpn-or-virtual-private-networks-what-businesses">virtual private networks (VPNs)</a> as a particular problem, with companies heavily reliant on them nearly twice as likely to report broken access or security workarounds compared to those using modern tools. Only 10% of respondents said their current VPN setup works well, with no major issues, while 90% reported limitations such as security risks, latency, or operational overhead. </p><p>“Security and productivity shouldn’t be at odds,” said Avery Pennarun, CEO at Tailscale. </p><p>“When developers, engineers, and IT all say the current system is broken — and worse, start working around it — that’s a sign the tools need to change, not the people. <a href="https://www.itpro.com/security/network-security/358282/what-is-zero-trust">Zero trust</a> can solve this, but only if it’s actually implemented as a strategy, not just used as a buzzword.”</p><p>Tailscale said it expects security-minded organizations to retire or phase out their legacy VPNs by the end of 2026, making way for more flexible, composable solutions.</p><p>Over the next two years, it said, there will be a big move towards unified, <a href="https://www.itpro.com/cloud/cloud-computing/what-is-cloud-native-and-how-can-it-generate-business-value">cloud-native</a> secure access platforms, sometimes referred to as universal ZTNA.</p><p>"Nearly every organization says they’re on a Zero Trust journey, which is a polite way of saying they aren’t done, and maybe never will be," the researchers said. </p><p>Meanwhile, many companies are juggling too many point solutions, with 92% using multiple tools for network security, and nearly a third using four or more. 
</p><p>Nearly half, though, are actively trying to consolidate their toolsets, and early adopters are moving to identity-first architectures and just-in-time access models that offer better security and a smoother user experience. </p><p>And at the same time, AI and automation are on the rise, not just for detecting threats, but also adjusting access dynamically in response to context.</p><p>But, the report found, 55% of respondents were sceptical or said they didn’t know where to look for better solutions. </p><p>"That knowledge gap is one of the biggest barriers to progress," the researchers said. "Education around adaptive access, AI-enhanced threat detection, and modern zero trust architectures will be critical over the next two years."</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Cloud breaches are surging, but enterprises aren’t quick enough to react ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/cloud/cloud-security/cloud-breaches-check-point-security-report</link>
                                                                            <description>
                            <![CDATA[ The rise in cloud breaches has been attributed to a series of factors ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">fHPtsXZ2bnjb8cfpUHiaug</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/vbf7xVoz6pxHRJtC7FYyy9-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Fri, 06 Jun 2025 10:58:48 +0000</pubDate>                                                                                                                                <updated>Fri, 06 Jun 2025 10:58:57 +0000</updated>
                                                                                                                                            <category><![CDATA[Cloud Security]]></category>
                                                    <category><![CDATA[Cloud]]></category>
                                                                                                                    <dc:creator><![CDATA[ Emma Woollacott ]]></dc:creator>                                                                <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/aWfskavxoVSMDy6cDWtYmJ.jpg ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/vbf7xVoz6pxHRJtC7FYyy9-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Cloud breaches concept image showing locked padlock symbols with one unlocked in red color. ]]></media:description>                                                            <media:text><![CDATA[Cloud breaches concept image showing locked padlock symbols with one unlocked in red color. ]]></media:text>
                                <media:title type="plain"><![CDATA[Cloud breaches concept image showing locked padlock symbols with one unlocked in red color. ]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/vbf7xVoz6pxHRJtC7FYyy9-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Cloud breaches are going undetected for hours or days, according to new research, with security workers pinning blunders on ‘alert fatigue’, fragmented tools, and clunky legacy applications. </p><p>While nearly two-thirds of organizations suffered a cloud security incident in the past year, only 9% were detected within the first hour, according to Check Point’s 2025 <em>Cloud Security Report</em>. </p><p>Notably, researchers found just 6% of incidents were remediated within the first hour, with 62% of enterprises taking more than 24 hours to fully recover. </p><p>Paul Barbosa, Check Point's VP of cloud security, said the statistics paint a concerning picture for enterprises dealing with cloud security incidents. Speed and efficiency, he noted, are key factors in preventing long-lasting damage. </p><p>"This is an obvious area of concern as any delay opens a window of vulnerability during which attackers can move laterally, exfiltrate data, or cause operational disruption," Barbosa commented. </p><p>"The longer an incident takes to be detected and addressed, the greater the likelihood of escalation."</p><p>When incidents are detected, two-thirds of the time it's through end users, third parties or during audits, rather than through security tools.</p><h2 id="what-s-behind-the-rise-in-cloud-breaches">What’s behind the rise in cloud breaches?</h2><p>The biggest problems identified by Check Point include ‘alert fatigue’, which occurs when security practitioners are bombarded by an overwhelming volume of <a href="https://www.itpro.com/security/28133/what-is-cyber-security">cybersecurity </a>alerts. This <a href="https://www.itpro.com/security/cyber-security/370051/information-overload-a-key-barrier-to-effective-threat-intelligence-mandiant">information overload</a> impacts their ability to effectively respond to genuine threats. 
</p><p>It’s an issue that’s been highlighted repeatedly by industry experts in recent years, largely due to the <a href="https://www.itpro.com/security/enterprises-are-bogged-down-with-disparate-cyber-tools-heres-why-a-platform-security-approach-could-tackle-growing-complexity">growing number of security tools</a> and solutions used by organizations in daily activities. </p><p>Indeed, <a href="https://www.itpro.com/software/software-sprawl-is-getting-out-of-control-86-percent-of-it-leaders-say-disparate-tools-are-creating-financial-strain-and-security-risks-but-consolidation-is-now-a-high-priority">‘tool sprawl’ </a>was also highlighted by Check Point as a key factor in the sluggish response times outlined in its report. More than seven-in-ten organizations now operate with more than 10 separate <a href="https://www.itpro.com/cloud-security/34458/what-is-cloud-security">cloud security</a> tools, while almost half receive more than 500 alerts per day, many of which may be false positives.</p><p>Fundamentally, cloud growth is outpacing security readiness, Check Point noted. In the past year alone, 62% of organizations have expanded cloud edge technologies like <a href="https://www.itpro.com/cloud/cloud-security/what-is-secure-access-service-edge-sase">secure access service edge (SASE)</a>, 57% have increased their hybrid cloud footprint, and 51% adopted multi-cloud strategies.</p><p>"This acceleration, while strategic, is fragmenting environments and straining legacy perimeter-based defenses — many of which were never designed to operate at this scale or complexity," Barbosa said. 
</p><h2 id="confidence-in-ai-security-is-also-shaky">Confidence in AI security is also shaky </h2><p>Unsurprisingly, AI is an important issue for security leaders, with Check Point revealing that nearly seven-in-ten organizations consider AI a strategic priority.</p><p>Confidence in defending against AI-powered threats is alarmingly low, however, with only a quarter of respondents saying they feel prepared to handle machine-driven attacks like automated evasion or <a href="https://www.itpro.com/malware/28076/what-is-malware">malware </a>generation.</p><p>Meanwhile, application-layer security is lagging behind, with six-in-ten organizations still relying on signature-based web application firewalls (WAFs) as their primary line of defense. </p><p>"As evasive app-layer threats and API attacks grow more sophisticated, legacy tools offer limited protection — and adoption of AI/ML-based detection remains inconsistent," said Barbosa.</p><p>"There exists a clear need across organizations to modernize the application layer to strengthen overall cloud security posture."</p><h2 id="what-can-organizations-do">What can organizations do?</h2><p>Check Point outlined a number of areas that enterprise security leaders should prioritize in the year ahead, including exploring the potential for automated, AI-based threat detection. </p><p>Similarly, they should invest in a unified, intelligent architecture that consolidates enforcement across layers and environments, without relying on many disconnected point products or siloed teams.</p><p>Naturally, reducing the volume of alerts security practitioners contend with on a daily basis is also a key priority, enabling cyber pros to focus on legitimate threats.</p><p>Doing so, the security firm noted, will optimize efficiency in security center operations and deliver long-term benefits. 
</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Google is getting serious on cloud sovereignty ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/cloud/cloud-computing/google-is-getting-serious-on-cloud-sovereignty</link>
                                                                            <description>
                            <![CDATA[ Google has joined Microsoft in bolstering its sovereign cloud services as tensions grow over US influence on big tech providers. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">r5KtNkMa3baMWgcuiagPSR</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/c8MyD2XE8r5Q7seTVwmqaj-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Thu, 22 May 2025 10:03:03 +0000</pubDate>                                                                                                                                <updated>Thu, 22 May 2025 10:03:12 +0000</updated>
                                                                                                                                            <category><![CDATA[Cloud Computing]]></category>
                                                    <category><![CDATA[Cloud]]></category>
                                                                                                <author><![CDATA[ ross.kelly@futurenet.com (Ross Kelly) ]]></author>                    <dc:creator><![CDATA[ Ross Kelly ]]></dc:creator>                                                                <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/Y5vrV2V98Np6jHAGmAtCd3.jpg ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/c8MyD2XE8r5Q7seTVwmqaj-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Google Cloud logo pictured on a wall at Mobile World Congress (MWC) 2023 in Barcelona, Spain.]]></media:description>                                                            <media:text><![CDATA[Google Cloud logo pictured on a wall at Mobile World Congress (MWC) 2023 in Barcelona, Spain.]]></media:text>
                                <media:title type="plain"><![CDATA[Google Cloud logo pictured on a wall at Mobile World Congress (MWC) 2023 in Barcelona, Spain.]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/c8MyD2XE8r5Q7seTVwmqaj-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Google has joined Microsoft in bolstering its <a href="https://www.itpro.com/cloud/cloud-computing/what-is-a-sovereign-cloud">sovereign cloud</a> services as tensions grow over US influence on big tech providers. </p><p>The tech giant has rapidly expanded its sovereign cloud services in recent years, now boasting more than 42 cloud regions, 127 zones, and 202 network edge locations. </p><p>In a <a href="https://cloud.google.com/blog/products/identity-security/google-advances-sovereignty-choice-and-security-in-the-cloud" target="_blank">blog post</a> detailing the updates, Hayete Gallot, president of customer experience at Google Cloud, said the move underlines the company’s commitment to “enabling customers to choose the cloud provider and solution that best fit their needs”. </p><p>“We offer customers a portfolio of solutions that align with their business needs, regulatory requirements, and risk profiles,” Gallot added. </p><p>So what can customers expect from the new updates?</p><h2 id="google-eyes-air-gapped-solutions">Google eyes air-gapped solutions</h2><p>The move by the tech giant includes three dedicated sovereign cloud services, including <em>Google Cloud Air-Gapped</em>, which offers enterprises a standalone air-gapped solution that “does not require connectivity to an external network”. </p><p>“This solution is tailored for customers in the intelligence, defense, and other sectors with strict data security and residency requirements,” Gallot said. “The air-gapped solution can be deployed and operated by Google, the customer, or a Google partner.”</p><p>The air-gapped solution has been developed using open source components, according to Google, and offers a range of AI, database, and infrastructure services. </p><p>Google Cloud Air-Gapped previously received authorization to host top secret materials belonging to the US government. 
</p><h2 id="setting-strict-boundaries">Setting strict boundaries</h2><p>Elsewhere, the company unveiled an expansion of the Google Cloud Data Boundary service. This service has been operational for a while now, and gives customers the ability to deploy sovereign data boundaries and thereby control where corporate materials are stored and processed. </p><p>“This boundary also allows customers to store and manage their encryption keys outside Google’s infrastructure, which can help customers meet their specific data access and control requirements no matter what market.”</p><p>Similar to the air-gapped service, this gives customers access to a raft of Google Cloud products, including AI solutions, as well as confidential computing and external key management capabilities to “control access to their data and deny access for any reason”. </p><p>Notably, through this service Google Workspace customers can implement boundary controls to limit the processing of data to the United States or EU and choose a specific country to store data locally. </p><p>As part of the update, Gallot revealed the launch of User Data Shield, which leverages Mandiant services aimed at validating applications built on top of the boundary service. </p><p>“User Data Shield provides recurring security testing of customer applications to validate sovereignty postures,” Gallot explained. </p><h2 id="google-eyes-local-partner-support">Google eyes local partner support</h2><p>The third and final update focuses on Google Cloud Dedicated, a solution designed to help enterprises meet local sovereignty requirements, particularly those in the EU. </p><p>Support for the service is underpinned by “independent local and regional partners”, Google said. This was developed alongside Thales as part of a long-standing partnership between the two firms. 
</p><p>Google Cloud originally partnered with Thales in 2021 to build the <a href="https://www.s3ns.io/en/offres/trusted-cloud-by-S3NS"><u>Trusted Cloud by S3NS</u></a> for Europe.</p><p>“This offering with Thales is designed to offer a rich set of Google Cloud services with GPUs to support AI workloads and is operated by S3NS, a standalone French entity,” Gallot explained. </p><p>The service is currently in preview, and has been designed specifically to meet the security and operational resilience requirements of France’s SecNumCloud standards. </p><p>Google said it has plans to expand the Cloud Dedicated footprint globally, with Germany the next location on the list. </p><h2 id="sovereignty-concerns-grow">Sovereignty concerns grow</h2><p>The move from Google comes amid a period of rising tensions on both sides of the Atlantic, with the EU in particular voicing serious concerns over the influence of US tech companies in the region. </p><p>In late April, Microsoft said it would <a href="https://www.itpro.com/cloud/cloud-computing/microsoft-says-itll-protect-eu-cloud-customers-from-shutdown-demands"><u>rigorously defend European data from American overreach</u></a>. In a blog post, president Brad Smith said the company would resort to litigation to protect EU customers from US demands to shut down services. </p><p>Microsoft’s stance on the matter comes amid the Trump administration’s apparent irritation over EU rules which it claims have negatively impacted American tech giants. </p><p>Trump signed a memorandum earlier this year pledging to defend American companies from "overseas extortion". 
The memorandum specifically named the EU <a href="https://www.itpro.com/business/policy-legislation/368435/what-is-the-eus-digital-markets-act-dma">Digital Markets Act (DMA)</a> as legislation which impedes US firms.</p><p>Political maneuvering aside, data sovereignty has become a key focus for enterprises operating in the EU in recent years as a result of legislation aimed at protecting consumers and bolstering data protection standards. </p><p>Analysis from OVHCloud in January this year showed 51% of UK organisations now acknowledge <a href="https://www.itpro.com/security/data-protection/data-sovereignty-a-growing-priority-for-uk-enterprises"><u>data sovereignty as a “crucial” aspect of their data management strategies</u></a>, for example.</p><p>Naturally, big tech providers have invested heavily to accommodate these evolving needs, with Oracle, AWS, Microsoft, and others all launching dedicated sovereign cloud services. </p><p>When AWS unveiled the launch of a new sovereign cloud offering in Europe last year, analysts told <em>ITPro </em>that <a href="https://www.itpro.com/cloud/cloud-computing/sovereign-cloud-services-are-now-the-bare-minimum-expected-by-customers-and-hyperscalers-are-scrambling-to-meet-demand"><u>sovereign services are now the “bare minimum” expected by customers</u></a> in the region. 
</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Enterprises are facing a ‘cloud security crisis’  ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/cloud/cloud-security/enterprises-are-facing-a-cloud-security-crisis</link>
                                                                            <description>
                            <![CDATA[ Businesses are facing a “cloud security crisis” fueled by increasingly fragmented hybrid environments, according to security firm Rubrik. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">5Z6wkMz9FzXdVT3hSjsTNY</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/yb9eyHXAoy7PsS6iSLFnwn-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Thu, 24 Apr 2025 09:38:05 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Cloud Security]]></category>
                                                    <category><![CDATA[Cloud]]></category>
                                                                                                <author><![CDATA[ jane.mccallion@futurenet.com (Jane McCallion) ]]></author>                    <dc:creator><![CDATA[ Jane McCallion ]]></dc:creator>                                                                <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/Wq9nnLr7TNkY8gyBRb7YsA.jpeg ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/yb9eyHXAoy7PsS6iSLFnwn-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Cloud security concept image showing digitized cloud symbol above a circuit board with secondary cloud symbols surrounding. ]]></media:description>                                                            <media:text><![CDATA[Cloud security concept image showing digitized cloud symbol above a circuit board with secondary cloud symbols surrounding. ]]></media:text>
                                <media:title type="plain"><![CDATA[Cloud security concept image showing digitized cloud symbol above a circuit board with secondary cloud symbols surrounding. ]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/yb9eyHXAoy7PsS6iSLFnwn-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Businesses are facing a “<a href="https://www.itpro.com/cloud-security/34458/what-is-cloud-security">cloud security</a> crisis” fueled by increasingly fragmented hybrid environments, according to security firm Rubrik.</p><p>The company, in association with Wakefield Research, interviewed 1,600 IT and security leaders for its <em>The state of data security in 2025</em> report and found 90% had suffered <a href="https://www.itpro.com/security/cyber-attacks">cyber attacks</a> in 2024.</p><p>For some, the onslaught was relentless, with almost 20% experiencing more than 25 cyber attacks during the year.</p><p>The consequences of these breaches can be serious at both a business and personal level, Rubrik warned. Of those respondents that admitted to suffering a cyber attack, 37% said their company had suffered <a href="https://www.itpro.com/security/data-breaches/357063/the-it-pro-podcast-the-myth-of-reputational-damage">reputational damage</a> and loss of customer confidence. </p><p>A further 33% said such an incident had resulted in a forced leadership change.</p><p>When it comes to the sources of attack, 28% identified cloud or <a href="https://www.itpro.com/cloud/software-as-a-service-saas/362655/what-is-saas">SaaS </a>breaches as the point of origin. This has led Rubrik to point the finger squarely at the use of<a href="https://www.itpro.com/hybrid-cloud/29599/five-obstacles-holding-your-hybrid-cloud-strategy-back"> hybrid cloud strategies</a> as a source of the problem.</p><p>“Many organizations that move to the cloud assume their providers will handle security,” said Joe Hladik, head of Rubrik Zero Labs. 
“The persistence of <a href="https://www.itpro.com/security/28084/what-is-ransomware">ransomware</a> attacks, coupled with <a href="https://www.itpro.com/cloud/cloud-security/hybrid-cloud-environments-are-under-serious-threat-from-hackers-heres-what-you-need-to-know">hybrid cloud vulnerabilities</a> shows that threat actors are always one step ahead.”</p><p>However, this seems to overlook the fact that a similar proportion of attacks came from <a href="https://www.itpro.com/security/why-you-should-always-be-wary-of-insider-threats-a-disgruntled-employee-at-a-us-industrial-firm-deleted-backups-and-locked-it-admins-out-of-workstations-in-a-failed-data-extortion-attempt">insider threats</a> (28%).</p><p>Nevertheless, 90% of respondents said they were managing hybrid cloud environments, with 35% saying that securing data across a variety of ecosystems was their top challenge, while 29% said it was lack of visibility and control over cloud-based data.</p><p>This issue of visibility is something IT decision makers have raised repeatedly in recent years. In a <a href="https://www.darktrace.com/blog/protecting-your-hybrid-cloud-the-future-of-cloud-security-in-2025-and-beyond" target="_blank"><u>December 2024 blog</u></a>, Darktrace identified limited visibility as an emerging threat that can lead to misclassification of data in terms of sensitivity and misaligned access policies.</p><p>Similarly, research from Fortinet revealed 55% of the individuals it surveyed for its <em>2025 state of cloud security report</em> found loss of visibility and control to be a major issue when securing multi-cloud environments – another aspect of data sprawl.</p><p>Rubrik’s recommendation for how to combat these issues is to follow the fundamentals of cybersecurity in the 2020s: identify where the data is, what it is, and how sensitive it is, both in motion and at rest. 
</p><p>Thereafter, enterprises should implement policies to protect this data and establish what processes and procedures can be used to enforce it. Similarly, IT teams should use automation where possible to enable them to focus on things that need real human expertise to solve, rather than using up their time on drudgery. </p><h3 class="article-body__section" id="section-more-from-itpro"><span>MORE FROM ITPRO</span></h3><ul><li><a href="https://www.itpro.com/security/security-researchers-set-up-an-api-honeypot-to-dupe-hackers-and-the-results-were-startling">Security researchers set up an API honeypot to dupe hackers – and the results were startling</a></li><li><a href="https://www.itpro.com/cloud/cloud-computing/cloud-spending-financial-services-idc">Cloud spending soars in financial services</a></li><li><a href="https://www.itpro.com/cloud/cloud-security/surging-cnapp-investment-is-a-big-opportunity-for-the-channel">Surging CNAPP investment is a big opportunity for the channel</a></li></ul>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Google Cloud wants to tackle cyber complexity – here's how it plans to do it ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/cloud/cloud-security/google-cloud-wants-to-tackle-cyber-complexity-heres-how-it-plans-to-do-it</link>
                                                                            <description>
                            <![CDATA[ Google Cloud has announced a new unified security platform for enterprises, delivering new interoperability and AI capabilities for cyber teams and reducing time spent investigating threats in enterprise cloud environments. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">c7RwMsHU3s6oRrtbgZkVpK</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/qJMMPgyMD38BtSE5GZjnRa-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Wed, 09 Apr 2025 12:00:00 +0000</pubDate>                                                                                                                                <updated>Wed, 09 Apr 2025 18:43:13 +0000</updated>
                                                                                                                                            <category><![CDATA[Cloud Security]]></category>
                                                    <category><![CDATA[Cloud]]></category>
                                                                                                <author><![CDATA[ rory.bathgate@futurenet.com (Rory Bathgate) ]]></author>                    <dc:creator><![CDATA[ Rory Bathgate ]]></dc:creator>                                                                <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/DnNrFxEA7RRECVgFxXR4V7.jpg ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/qJMMPgyMD38BtSE5GZjnRa-1280-80.jpg">
                                                            <media:credit><![CDATA[Google Cloud]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[A diagram showing all the parts that make up Google Unified Security: Google Security Operations, Google Chrome Enterprise, Mandiant Expertise, Google Cloud Security Command Center, and Google Threat Intelligence, around a core of Gemini in Security and Security Data Fabric.]]></media:description>                                                            <media:text><![CDATA[A diagram showing all the parts that make up Google Unified Security: Google Security Operations, Google Chrome Enterprise, Mandiant Expertise, Google Cloud Security Command Center, and Google Threat Intelligence, around a core of Gemini in Security and Security Data Fabric.]]></media:text>
                                <media:title type="plain"><![CDATA[A diagram showing all the parts that make up Google Unified Security: Google Security Operations, Google Chrome Enterprise, Mandiant Expertise, Google Cloud Security Command Center, and Google Threat Intelligence, around a core of Gemini in Security and Security Data Fabric.]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/qJMMPgyMD38BtSE5GZjnRa-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Google Cloud has announced a new unified security platform for enterprises, delivering new interoperability and <a href="https://www.itpro.com/technology/artificial-intelligence/what-good-ai-cyber-security-looks-like-today">AI capabilities for cyber teams</a> and reducing time spent investigating threats in cloud environments.</p><p>Google Unified Security combines products, telemetry, and context from Google Threat Intelligence, <a href="https://www.itpro.com/business/careers-and-training/mandiant-exec-thinks-ai-could-boost-diversity-in-cybersecurity">Mandiant</a>, Google Security Operations, and <a href="https://www.itpro.com/cloud/cloud-security/google-clouds-new-security-ai-will-explain-how-youve-been-breached">Google Security Command Center</a>, to provide organizations with an intelligent overview of threats.</p><p>Referred to by executives as ‘GUS’, the offering is a searchable data fabric for enterprise vulnerability, tying together the data and capabilities of the above platforms for better security visibility.</p><p><a href="https://www.itpro.com/technology/artificial-intelligence/google-jumps-on-the-agentic-ai-bandwagon">Gemini AI</a> sits at the core of Google Unified Security, as a key enabler for decreasing time to detection for security teams and reducing manual workload. 
Google Cloud’s internal AI models will power features such as two new <a href="https://www.itpro.com/security/cyber-crime/agentic-ai-cybersecurity-risks"><u>security agents</u></a> that will work alongside human cyber workers on proactive, low-level analysis and producing reports.</p><p>A new alert triage agent, available within Google Security Operations, will continuously analyze enterprise environments for alerts and flag any activity it deems worthy of human response.</p><p>The second, a new <a href="https://www.itpro.com/malware/28076/what-is-malware">malware</a> analysis agent contained within Google Threat Intelligence, will proactively scan the code of all uploaded files for <a href="https://www.itpro.com/security/disgruntled-dev-malicious-code-insider-threat">malicious code</a>. Matching this against known malware examples, it will then provide a detailed summary for security teams.</p><p>Both agents will become available to certain customers via preview in Q2 2025, with general availability at a later date.</p><p>In a demo, Payal Chakravarty, director of Product Management at Google Cloud, showed a data loss prevention (DLP) alert in Google Chrome Enterprise flagging an incident in which a developer has inadvertently copied sensitive data into public LLMs through a Chrome extension.</p><p>Responding to the alert, a Gemini agent is then able to investigate the situation and confirm the leak to a high degree of confidence, making detailed logs throughout and quarantining the Chrome extension involved. The agent can then go further by updating the company’s policy on the extension to prevent any further data leaks.</p><p>Similarly, Chakravarty explained that the agent could continue to investigate and discover other vulnerabilities such as the developer accidentally exposing a <a href="https://www.itpro.com/cloud/virtual-machines/355269/getting-started-with-virtual-machines">virtual machine (VM)</a> to the public internet. 
It could then correlate any suspicious traffic to the VM with known signatures from active threat actors using data from Google Threat Intelligence.</p><p>Brian Roddy, VP of cloud security at Google Cloud, explained that GUS is intended to meet the needs of businesses in an era of increasing attacks by <a href="https://www.itpro.com/security/cyber-attacks/state-sponsored-cyber-attacks-the-new-frontier">state-backed threat actors</a> and criminal <a href="https://www.itpro.com/security/ransomware/new-ransomware-groups-worrying-security-researchers">cyber gangs</a>.</p><p>“Enterprise infrastructure continues to grow in size and complexity, expanding the attack surface and making defenders’ jobs increasingly difficult and there's separate, disconnected security tools resulting in a fragmented data situation, without relevant context, leaving organizations vulnerable and reactive in the face of escalating threats.”</p><p>“So security teams tend to operate at silos, slowed by toils of workflows, making it hard to accurately assess and improve the organization's overall risk profile.”</p><p>The announcement was made live at <a href="https://www.itpro.com/cloud/live/google-cloud-next-2025-all-the-news-and-updates-live">Google Cloud Next 2025</a>, the company’s annual conference held in Las Vegas.</p><h2 id="managing-ai-risk-and-common-vulnerabilities">Managing AI risk and common vulnerabilities</h2><p>Google Cloud has recognized that along with the benefits <a href="https://www.itpro.com/strategy/28181/what-is-ai">AI</a> presents businesses, improper use or implementation of the technology can also expose organizations to unwanted risks. 
</p><p>In March, Google Cloud <a href="https://cloud.google.com/blog/products/identity-security/introducing-ai-protection-security-for-the-ai-era" target="_blank"><u>announced</u></a> AI Protection, through which leaders can take stock of the <a href="https://www.itpro.com/technology/artificial-intelligence/generative-ai-vs-large-language-models">AI models</a> and tools they use across their environment and secure data used for AI.</p><p>Model Armor, a feature integrated within <a href="https://www.itpro.com/technology/artificial-intelligence/google-cloud-targets-ai-anywhere-with-vertex-ai-agents">Vertex AI</a>, allows leaders to apply specific controls to AI inputs and outputs across their cloud environment and across a wide range of models.</p><p>Now Google Cloud has announced new Data Security Posture Management features, which flag and label sensitive data, put it under suitable compliance controls, and monitor how it is used for AI directly within the Google Cloud AI portfolio and analytics tools such as <a href="https://www.itpro.com/data-insights/business-analytics/362886/google-opens-bigquery-to-small-businesses">BigQuery</a>.</p><p>Alongside this, a newly-launched Compliance Manager will work to give users a better understanding of their <a href="https://www.itpro.com/business/business-strategy/keeping-up-with-the-compliance-landscape-in-2024"><u>data compliance</u></a> and help internal teams produce audits to keep on top of reporting requirements. 
Both features will enter preview in June.</p><p>In response to an <em>ITPro</em> question on how Google Cloud customers are tackling issues such as <a href="https://www.itpro.com/technology/artificial-intelligence/the-risks-of-shadow-ai-and-what-leaders-can-do-to-prevent-it">shadow AI</a>, Roddy stated that early adopters are already finding AI Protection useful for detecting unauthorized AI model use within their workplace.</p><p>“So what they want to have is the ability to control, what are really the models that are approved and tested and which ones aren't,” Roddy said.</p><p>“And in some cases they're willing to let users use more advanced models for experimental purposes. So what this is doing is just giving them a lot more control about understanding what's inside their environment and to be able to make sure that the right models are being used for the right use cases.”</p><p>Google Chrome Enterprise Premium is also set to receive new privacy controls, including data masking to automatically hide sensitive information and <a href="https://www.itpro.com/security/29093/what-is-phishing">phishing </a>protection to prevent <a href="https://www.itpro.com/security/cyber-crime/adversary-in-the-middle-attacks-are-becoming-hackers-go-to-method-to-bypass-mfa">man in the middle (MiTM) attacks</a> in which malicious sites are disguised as legitimate web portals.</p><p>This is in addition to the rollout of existing Google Chrome Enterprise Premium features, such as copy paste prevention and URL filtering, across Android.</p><h3 class="article-body__section" id="section-more-from-itpro"><span>MORE FROM ITPRO</span></h3><ul><li><a href="https://www.itpro.com/cloud/live/google-cloud-next-2025-all-the-news-and-updates-live">Keep tabs on all the updates from Google Cloud Next in our rolling live coverage</a></li><li><a href="https://www.itpro.com/cloud/public-cloud/google-cloud-next-2025-all-in-one-ai-platform-enterprises">Google Cloud Next 2025 is the hyperscaler’s chance 
to sell itself as the all-in-one AI platform for enterprises</a></li><li><a href="https://www.itpro.com/technology/artificial-intelligence/google-cloud-uk-sovereign-data-agentic-ai">Google Cloud announces UK data residency for agentic AI services</a></li></ul>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Enterprise AI is surging, but is security keeping up? ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/cloud/cloud-security/enterprise-ai-is-surging-but-is-security-keeping-up</link>
                                                                            <description>
                            <![CDATA[ Enterprises are ramping up the adoption of AI tools, according to new research, but the heightened security and data protection risks associated with the technology are causing serious headaches for cybersecurity professionals. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">32smoCD76gqQfbpwfbh52j</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/2GtBeA8BWApHYgXH5HYBpn-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Mon, 24 Mar 2025 14:29:33 +0000</pubDate>                                                                                                                                <updated>Tue, 25 Mar 2025 19:00:12 +0000</updated>
                                                                                                                                            <category><![CDATA[Cloud Security]]></category>
                                                    <category><![CDATA[Cloud]]></category>
                                                                                                <author><![CDATA[ solomon.klappholz@futurenet.com (Solomon Klappholz) ]]></author>                    <dc:creator><![CDATA[ Solomon Klappholz ]]></dc:creator>                                                                <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/pjZQRW2qWqQNjxubC6SUQ5.jpg ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/2GtBeA8BWApHYgXH5HYBpn-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[AI chatbot text dialogue boxes in difference colours above a digital circuit board with lines of light emanating from it]]></media:description>                                                            <media:text><![CDATA[AI chatbot text dialogue boxes in difference colours above a digital circuit board with lines of light emanating from it]]></media:text>
                                <media:title type="plain"><![CDATA[AI chatbot text dialogue boxes in difference colours above a digital circuit board with lines of light emanating from it]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/2GtBeA8BWApHYgXH5HYBpn-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Enterprises are ramping up the adoption of <a href="https://www.itpro.com/technology/artificial-intelligence/ai-tools-critical-thinking-reliance">AI tools</a>, according to new research, but the heightened security and data protection risks associated with the technology are causing serious headaches for cybersecurity professionals.</p><p>A new <a href="https://www.zscaler.com/campaign/threatlabz-ai-security-report" target="_blank">report</a> from <a href="https://www.itpro.com/business/acquisition/zscaler-boosts-ai-capabilities-with-dollar350-million-avalor-acquisition">Zscaler</a> showed a 3,000% year-on-year increase in enterprise AI and machine learning (ML) adoption, based on analysis of over 536 billion AI transactions processed on its cloud platform between February and December 2024.</p><p>The US and India were found to be leading the world in terms of <a href="https://www.itpro.com/technology/artificial-intelligence/world-record-performance-for-ai-and-ml">AI/ML</a> transaction volumes, with businesses in the UK, Germany, and Japan also showing significant uptake of AI tools.</p><p>Overall, businesses around the world sent a total of 3,624 TB of data to AI tools during that period, with <a href="https://www.itpro.com/technology/artificial-intelligence-ai/369965/what-is-chatgpt-and-what-does-it-mean-for-businesses">OpenAI’s ChatGPT</a> being the most popular application, accounting for 45.2% of transactions.</p><p>But while ChatGPT was far and away the most popular tool, Zscaler noted it was also the most widely blocked application, with security leaders stating they were concerned about the lack of visibility into how employees were using it.</p><p>AI-enhanced content creation and productivity tools tended to be the most frequently blocked by enterprises, with other commonly restricted applications being <a 
href="https://www.itpro.com/operating-systems/microsoft-windows/355176/microsoft-editor-goes-head-to-head-with-grammarly">Grammarly</a>, <a href="https://www.itpro.com/technology/artificial-intelligence/microsoft-copilot-review-ai-baked-into-your-apps">Microsoft Copilot</a>, QuillBot, and Wordtune.</p><p>The report found enterprises had blocked 59.9% of all AI/ML transactions, which it said signals a growing awareness of the potential risks associated with using these tools, such as data leakage, unauthorized access, and compliance issues.</p><h2 id="businesses-are-succeeding-at-reducing-ai-driven-exposures-amid-rapid-adoption">Businesses are succeeding at reducing AI-driven exposures amid rapid adoption</h2><p>An analogous <a href="https://sysdig.com/blog/sysdig-2025-cloud-native-security-and-usage-report/" target="_blank">report</a> from cloud security specialist <a href="https://www.itpro.com/business/leadership/sysdig-names-cybersecurity-veteran-william-welch-as-new-ceo">Sysdig</a> identified a similar pattern, with 75% of its customers using AI or ML packages in their environments, which has more than doubled since the previous year.</p><p>Sysdig revealed that its telemetry showed an eye-watering 500% increase in <a href="https://www.itpro.com/technology/artificial-intelligence/webinar-how-to-scale-ai-workloads-taking-an-open-data-lakehouse-approach">AI workloads</a> in the last year. 
This surge was mostly driven by widespread adoption of data analysis tools, the report noted, but the percentage of <a href="https://www.itpro.com/technology/artificial-intelligence-ai/369959/what-is-generative-ai">generative AI</a> packages has more than doubled over the course of a year, rising from 15% to 36%.</p><p>Speaking to <em>ITPro, </em>Crystal Morin, <a href="https://www.itpro.com/enterprise-security/34017/who-should-take-ownership-of-your-cyber-security-strategy">cybersecurity strategist</a> at Sysdig, said that she and her colleagues felt this huge growth in AI usage was being driven in some part by <a href="https://www.itpro.com/software/development/shadow-ai-is-creeping-its-way-into-software-development-more-than-half-of-developers-admit-to-using-unauthorized-ai-tools-at-work-and-its-putting-companies-at-risk">shadow AI</a>, where employees use AI tools without explicit permission from their employer.</p><p>Morin added that businesses are paying close attention to how they are <a href="https://www.itpro.com/cloud/cloud-security/ai-is-putting-your-cloud-workloads-at-risk">securing AI workloads</a>, however, stating that the proportion of workloads that are publicly exposed to the internet without appropriate security controls has shrunk by 38% in less than eight months.</p><p>The report found 12.8% of workloads containing AI packages were publicly exposed in 2025, with only 1% of these representing <a href="https://www.itpro.com/security/26998/critical-vulnerabilities-found-in-lastpass-password-manager">critical vulnerabilities</a> and 0.5% being in use.</p><p>Morin said she felt this was largely the result of businesses and their IT teams placing added scrutiny on <a href="https://www.itpro.com/technology/artificial-intelligence/the-risks-of-shadow-ai-and-what-leaders-can-do-to-prevent-it">how AI is being used in their organization</a>, owing to the level of prominence these tools and their associated risks have been given.</p><p>“IT and security teams 
know what to look for, and they are definitely prioritizing it. They’re seeing these packages pop up, they’re getting alerted, and they’re locking them down.”</p><p>The fact that such a tiny percentage of these workloads were deemed a critical vulnerability was just very reassuring and showed bolstered security efforts observed across the industry were paying off.</p><p>“It’s super exciting to see because there is very low risk of attackers being able to [exploit them], it’s still a concern but a very low risk in comparison to other concerns that we have so that’s a really great security effort there.”</p><p>Morin said it was important to emphasize the work being done in this area by <a href="https://www.itpro.com/cloud-security/34458/what-is-cloud-security">cloud security</a> professionals is paying off.</p><p>“The story I wanted to tell with this [report] is that we’re doing a good job, cloud defenders have ‘made it’ this year,” she declared.</p><p>“If we keep the momentum we can continue making progress as <a href="https://www.itpro.com/cloud/microsoft-azure/364287/microsoft-releases-defender-for-azure-cosmos-db-in-preview">cloud defenders</a>. 
I think we know enough about defense at this point that we can keep going, continue implementing AI for cloud defense, we know about preventative measures, we know how to defend ourselves.”</p><h3 class="article-body__section" id="section-more-from-itpro"><span>MORE FROM ITPRO</span></h3><ul><li><a href="https://www.itpro.com/technology/artificial-intelligence/ai-agent-announcements-are-a-dime-a-dozen-right-now-heres-what-oracle-thinks-its-doing-differently">AI agent announcements are a dime a dozen right now – here’s what Oracle thinks it’s doing differently</a></li><li><a href="https://www.itpro.com/security/ai-tools-cyber-crime-application-exploits">Hackers are turning to AI tools to reverse engineer millions of apps – and it’s causing havoc for security professionals</a></li><li><a href="https://www.itpro.com/business/public-sector/dhsc-eyes-infrastructure-overhaul-amid-gbp114-million-it-spending-boost">DHSC eyes infrastructure overhaul amid £114 million IT spending boost</a></li></ul>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ AI is putting your cloud workloads at risk ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/cloud/cloud-security/ai-is-putting-your-cloud-workloads-at-risk</link>
                                                                            <description>
                            <![CDATA[ Many AI deployments are defined by risky misconfigurations and access controls ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">ZyvE9kX7F5CmTU3rjm2W43</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/ZgmFXt3rmVFTgdGmCWxgUR-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Wed, 19 Mar 2025 13:00:00 +0000</pubDate>                                                                                                                                <updated>Wed, 19 Mar 2025 15:50:20 +0000</updated>
                                                                                                                                            <category><![CDATA[Cloud Security]]></category>
                                                    <category><![CDATA[Cloud]]></category>
                                                                                                <author><![CDATA[ george.fitzmaurice@futurenet.com (George Fitzmaurice) ]]></author>                    <dc:creator><![CDATA[ George Fitzmaurice ]]></dc:creator>                                                                <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/N4xHCjSAXKcijjt3oiQtfc.jpg ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/ZgmFXt3rmVFTgdGmCWxgUR-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Cloud storage concept image showing digitized cloud symbol with data flows.]]></media:description>                                                            <media:text><![CDATA[Cloud storage concept image showing digitized cloud symbol with data flows.]]></media:text>
                                <media:title type="plain"><![CDATA[Cloud storage concept image showing digitized cloud symbol with data flows.]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/ZgmFXt3rmVFTgdGmCWxgUR-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p><a href="https://www.itpro.com/strategy/28181/what-is-ai">AI</a> cloud workloads are far riskier than their traditional counterparts, <a href="https://www.tenable.com/cyber-exposure/tenable-cloud-ai-risk-report-2025?utm_medium=referral&utm_source=https://www.itpro.com/uk&utm_campaign=cmpn-00033040&utm_content=it_pro_exclusive_news_writeup">according to research from Tenable</a>.</p><p>Almost three-quarters (72%) of cloud workloads with an AI package installed contain a critical vulnerability, Tenable found, compared to only 59% of cloud workloads without one.</p><p>A key factor behind the higher incidence of <a href="https://www.itpro.com/security/rsa-encryption-keys-vulnerability">critical vulnerabilities</a> is that many AI workloads run on Unix-based systems that themselves run many different libraries, including open source.</p><p>Vulnerabilities are also made more critical as the outcome of the exploitation is riskier due to the potential for manipulation of models, tampering of data, and data leakage, the report said.</p><p>Other issues include what Tenable called “jenga-style” cloud misconfigurations, in which cloud providers are layering AI services on top of one another to create building blocks that users are unaware of. </p><p>For example, 77% of organizations have an overprivileged default Compute Engine service account attached in at least one Vertex AI Workbench notebook on <a href="https://www.itpro.com/software/google">GCP</a>. </p><p>This means that whenever a user creates a notebook instance, a Compute Engine instance is created within the user's project behind the scenes. The underlying Compute Engine’s overprivileged default configuration then puts the notebook instances at risk. </p><p>The report also found that 91% of firms using Amazon SageMaker have set up risky default administrator privileges in at least one notebook instance, meaning users can change system-critical files. 
</p><p>With 25% of AWS users having configured Amazon SageMaker and 20% of GCP users having configured Vertex AI Workbench, the rising use of cloud-based AI tools should make these problems a top priority for IT leaders. </p><h2 id="cloud-security-remains-a-problem">Cloud security remains a problem </h2><p>Though Tenable’s research points the finger at AI-related issues, other analysis from the firm shows that traditional cloud security can be just as much of an issue.</p><p><a href="https://www.itpro.com/cloud/cloud-security/are-your-cloud-resources-at-risk"><u>A report from the firm last October</u></a> found that over a third (38%) of organizations were running at least one at-risk cloud workload. 
Reasons for this risk included the possession of unused or longstanding access keys.</p><p><a href="https://www.itpro.com/cloud/cloud-security/organizations-warned-of-the-dangers-of-long-lived-cloud-credentials"><u>Datadog published similar statistics</u></a>, finding that “long-lived” cloud credentials are a risk for firms across all cloud providers with almost 50% of organizations using them.</p><p>"In addition to long-lived credentials being a major risk, the report found that most cloud security incidents are caused by compromised credentials," Andrew Krug, head of security advocacy at Datadog, said at the time. </p><p><a href="https://www.itpro.com/cloud/hybrid-cloud/security-and-compliance-concerns-are-driving-the-shift-to-hybrid-cloud"><u>Research from Information Services Group (ISG) earlier in 2024</u></a> found that a need for strengthened cloud security was behind a push back towards private or hybrid cloud models. </p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ The Wiz acquisition stakes Google's claim as the go-to hyperscaler for cloud security – now it’s up to AWS and industry vendors to react ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/cloud/cloud-security/wiz-acquisition-google-cloud-industry-reaction</link>
                                                                            <description>
                            <![CDATA[ The Wiz acquisition could have monumental implications for the cloud security sector, with Google raising the stakes for competitors and industry vendors. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">n8AK9MXHA69toVwNtMTsA5</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/QocBSERvAL8Co7sTrt3a7R-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Wed, 19 Mar 2025 10:37:39 +0000</pubDate>                                                                                                                                <updated>Wed, 19 Mar 2025 15:34:29 +0000</updated>
                                                                                                                                            <category><![CDATA[Cloud Security]]></category>
                                                    <category><![CDATA[Cloud]]></category>
                                                                                                <author><![CDATA[ ross.kelly@futurenet.com (Ross Kelly) ]]></author>                    <dc:creator><![CDATA[ Ross Kelly ]]></dc:creator>                                                                <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/Y5vrV2V98Np6jHAGmAtCd3.jpg ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/QocBSERvAL8Co7sTrt3a7R-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Logo of Google Cloud, which recently announced the Wiz acquisition, pictured at Mobile World Congress 2025 in Barcelona, Spain.]]></media:description>                                                            <media:text><![CDATA[Logo of Google Cloud, which recently announced the Wiz acquisition, pictured at Mobile World Congress 2025 in Barcelona, Spain.]]></media:text>
                                <media:title type="plain"><![CDATA[Logo of Google Cloud, which recently announced the Wiz acquisition, pictured at Mobile World Congress 2025 in Barcelona, Spain.]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/QocBSERvAL8Co7sTrt3a7R-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Google’s acquisition of cloud security startup Wiz could have monumental implications for the sector, according to industry analysts, with the company raising the stakes for both key competitors and security vendors. </p><p>The acquisition, <a href="https://www.itpro.com/business/business-strategy/google-confirms-wiz-acquisition-in-record-breaking-usd32-billion-deal">announced this week as a $32 billion all-cash transaction</a>, will see Wiz bundled within the tech giant’s cloud computing division. It’s been a long time coming, as well. </p><p><a href="https://www.itpro.com/business/acquisition/google-will-need-to-find-a-new-cloud-security-champion-as-wiz-backs-out-of-dollar23-billion-acquisition"><u>Talks last year fell through at the final hurdle</u></a> amid a raft of concerns, not least of all regulatory considerations and whether it would continue as an independent entity.</p><p>Founded in 2020, Wiz has emerged as a leading figure in the <a href="https://www.itpro.com/cloud-security/34458/what-is-cloud-security">cloud security</a> space; the broader industry has become a key focus for enterprise IT leaders in recent years amidst the widespread shift to the cloud, and more recently, hybrid and multi-cloud setups. </p><p>Research from CrowdStrike in 2024, for example, noted that the cloud has become a “major battleground for cyber attacks”, highlighting the escalating threats faced by enterprises across a range of industries. </p><p>Wiz specializes in <a href="https://www.itpro.com/cloud/cloud-computing/what-is-cloud-native-and-how-can-it-generate-business-value">cloud native</a> security, providing enterprises with <a href="https://www.itpro.com/cloud/cloud-security/solving-the-cloud-native-app-puzzle-with-cnapp">cloud native application protection platforms (CNAPP)</a>, threat detection, and incident response capabilities. 
</p><p>It’s the CNAPP element here that will be a key differentiator for the tech giant, analysts believe. These solutions differ from traditional security tools by offering users a unified platform aimed at bolstering security across the entire lifecycle of cloud native applications. </p><p>The advantage for enterprises is that by consolidating their cloud security toolkit, they can improve visibility across their cloud estates and better secure applications. </p><p>CNAPP has been growing in appeal among IT leaders in recent years. Research from Westcon-Comstor this month, for example, revealed that <a href="https://www.itpro.com/cloud/cloud-security/surging-cnapp-investment-is-a-big-opportunity-for-the-channel"><u>84% of UK firms intend to invest in CNAPP solutions</u></a> over the next 12 months. </p><p>Similarly, the market is growing at a significant pace. <a href="https://www.prnewswire.com/news-releases/cnapp-market-to-surge-to-6-billion-by-2028-as-enterprises-play-catch-up-on-cloud-security-according-to-delloro-group-302192526.html" target="_blank"><u>Analysis from Dell’Oro Group</u></a> in July 2024 valued the CNAPP market at around $2 billion. But this is expected to surge to over $6 billion by 2028, representing a compound annual growth rate (CAGR) of 25%.</p><p>Given the value of the Wiz deal is more than five times the expected value of the CNAPP market, it’s clear that Google is trying to capitalize on a lucrative opportunity. </p><p>Combine that with the need to ramp up multi-cloud security offerings and keep pace with competitors in the space, and the price tag attached to Wiz makes perfect sense.</p><h2 id="wiz-deal-could-be-the-key-to-pipping-customers">Wiz deal could be the key to pipping customers</h2><p>Microsoft has made significant strides in its cloud native security capabilities in recent years through notable acquisitions, according to Andras Cser, VP principal analyst at Forrester. 
</p><p>But Cser noted that while Google Cloud has been developing built-in CNAPP capabilities to bolster GCP security, these tools have “predominantly focused only on protecting GCP endpoints/assets”. </p><p>“After Microsoft’s 2021 early acquisition of CloudKnox and development of Defender for Cloud, Google is feeling the pressure to offer a true, multi-cloud-capable CNAPP tool given that so many organizations are multi-cloud today,” he said. </p><p>Cser added that, post-acquisition, the consultancy expects most CNAPP capabilities in GCP to be replaced by Wiz’s offering. With the firm bundled under the Google Cloud umbrella, this could become a tantalizing draw for prospective customers. </p><p>From a competition perspective, the deal also raises the stakes. 
With Microsoft’s acquisitions in this domain having placed pressure on Google to react, the Wiz deal will likely have the same effect on <a href="https://www.itpro.com/cloud/infrastructure-as-a-service-iaas/362608/what-is-aws">Amazon Web Services (AWS)</a>, another key competitor in the cloud space. </p><p>AWS provides tools such as <a href="https://www.itpro.com/general-data-protection-regulation-gdpr/30853/aws-says-its-entire-cloud-is-gdpr-ready">GuardDuty</a> and Config for customers. However, Cser insisted these “fall short” of the capabilities offered by a CNAPP solution, particularly with regard to multi-cloud coverage. </p><p>“If AWS is to maintain its position in cloud infrastructure, it has to beef up its productized, multi-cloud CNAPP (with coverage for CSPM, CIEM, agent-based and agentless CWP, container security, and IaC scanning) and, in general, cloud security offerings.”</p><h2 id="the-wiz-acquisition-could-hit-vendors-hard">The Wiz acquisition could hit vendors hard</h2><p>While Google got what it wanted from the Wiz acquisition, independent vendors operating in the CNAPP space could feel immense pressure in the coming years, according to Cser. </p><p>A host of major vendors, including Fortinet, Palo Alto Networks, Rapid7, Sysdig, and Trend Micro offer CNAPP solutions, and Cser said they can now expect “fierce competition” to stay ahead in features. </p><p>“The planned acquisition plus Microsoft’s continued investments in CNAPP and app security will make it harder for these vendors to maintain and realize their growth,” he added. </p><p>Allie Mellen, principal analyst at Forrester, echoed Cser’s comments on this front, adding that this will place pressure on vendors to consolidate their offerings. </p><p>“Wiz’s key detection and response offering, Wiz Defend, takes a different approach to cloud detection and response,” she said. 
</p><p>“Instead of relying on built-in detection capabilities in its own cloud protection tools, it offers a unified tool solely for detection and response that takes in alerts and data from other tools and does detection engineering on them.”</p><p>All told, this reduces alert volumes from the cloud at a “critical time”, Mellen noted, thereby alleviating pressure on security practitioners and streamlining operations. </p><p>“With this acquisition, it will put pressure on other vendors to consolidate in a similar way — a big win for security operations teams.”</p><p>While some vendors will be bracing themselves in the wake of the acquisition, others are taking a more optimistic approach. Bill Welch, CEO of the aforementioned Sysdig, said there will be advantages for industry vendors. </p><p>“Regarding the potential $30B+ Google acquisition of Wiz – as Sysdig’s CEO, I say bring it on! This is great validation for the cloud security market,” he said. </p><p>Following communication with CISOs, investors, and cloud partners, Welch noted that one key talking point has emerged - mainly that “being forced into a single vendor is not good for business”. </p><p>“Most - if not all - cloud users are multi-cloud, and you can guarantee multi-cloud Wiz customers will struggle once the acquisition goes through.  
With a Google acquisition, this story ends well for the VCs, founders, and employees, but the customers are the ones who ultimately lose in a deal like this.”</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Google confirms Wiz acquisition in record-breaking $32 billion deal ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/business/business-strategy/google-confirms-wiz-acquisition-in-record-breaking-usd32-billion-deal</link>
                                                                            <description>
                            <![CDATA[ Google has confirmed plans to acquire cloud security firm Wiz in a deal worth $32 billion. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">uYTDbNhFnKqUhLAdsaQTjE</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/h9mfDS8ubs2Tgy7TqHYcz7-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Tue, 18 Mar 2025 14:01:10 +0000</pubDate>                                                                                                                                <updated>Tue, 18 Mar 2025 17:05:47 +0000</updated>
                                                                                                                                            <category><![CDATA[Cloud Security]]></category>
                                                    <category><![CDATA[Cloud]]></category>
                                                                                                                    <dc:creator><![CDATA[ Nicole Kobie ]]></dc:creator>                                                                <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/8Y8JDDTQ7XDEk49FoAFP2S.png ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/h9mfDS8ubs2Tgy7TqHYcz7-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Wiz logo pictured on a laptop screen.]]></media:description>                                                            <media:text><![CDATA[Wiz logo pictured on a laptop screen.]]></media:text>
                                <media:title type="plain"><![CDATA[Wiz logo pictured on a laptop screen.]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/h9mfDS8ubs2Tgy7TqHYcz7-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p><a href="https://www.itpro.com/software/google">Google</a> has confirmed plans to acquire cloud security firm Wiz in a deal worth $32 billion. </p><p>The deal marks the biggest acquisition yet for the tech giant, more than double its $12.5 billion buyout of Motorola in 2012, before selling it off again two years later for a fraction of that price. </p><p>The tech giant said the acquisition represents an investment to "accelerate two large and growing trends in the AI era" - namely cloud security and multi-cloud capabilities. </p><p>The acquisition comes less than a year after negotiations between Google and Wiz over a $23bn deal collapsed amid myriad concerns, including <a href="https://www.itpro.com/business/policy-and-legislation/doj-mulls-potential-google-services-breakup-in-monopoly-lawsuit-what-happens-next">antitrust</a> hurdles, disputes over how the company would integrate into Google, and more. </p><p>Reports at the time subsequently suggested Wiz would go public. </p><p>Another reported challenge to the last round of negotiations was whether Wiz would remain a separate company or be bundled into Google Cloud, according to reports at the time from the <a href="https://www.wsj.com/business/deals/alphabet-back-in-deal-talks-for-cybersecurity-startup-wiz-41cd3090" target="_blank"><u><em>Wall Street Journal</em></u></a>. </p><p>In a statement confirming the move, which is an all-cash transaction, Google said Wiz will join Google Cloud, confirming the firm's bundling with the cloud services wing. </p><p><a href="https://www.bloomberg.com/news/articles/2025-03-17/alphabet-in-talks-to-buy-cloud-security-firm-wiz-for-33-billion"><u><em>Bloomberg </em></u></a>reported co-founder and CEO Assaf Rappaport had previously said he hoped the company would become an independent security giant to rival <a href="https://www.itpro.com/software/development/crowdstrike-outage-2024-development-impact">CrowdStrike</a> or Palo Alto Networks. 
</p><p>Last year, Rappaport told a <a href="https://techcrunch.com/2024/10/28/wiz-ceo-explains-why-he-turned-down-a-23-billion-deal/"><u>TechCrunch conference</u></a> that turning down the first offer was "the toughest decision ever", adding that "saying no to such humbling offers is tough, but with our exceptional team, I feel confident in making that choice." </p><p>Founded in 2020 in Israel but now based in the US, Wiz has reported significant growth in recent years, and was among a host of firms to capitalize on the widespread shift to remote operations during the pandemic. Last year, the firm’s headcount stood at 900, and it was valued at $12 billion. </p><p>The company counts nearly half of the Fortune 100 as its customers — including Google's cloud rivals <a href="https://www.itpro.com/amazon-web-services">AWS</a> and <a href="https://www.itpro.com/software/microsoft">Microsoft</a> — and has previously said it hopes to double its existing $500 million in annual recurring revenue to $1bn. </p><h2 id="why-the-wiz-deal-works-for-google">Why the Wiz deal works for Google</h2><p>The Wiz deal follows Google's 2022 acquisitions of <a href="https://www.itpro.com/security/367021/google-buys-cyber-security-firm-mandiant-for-54-billion"><u>security firm Mandiant</u></a> for $5.4bn and Siemplify for $500m, highlighting the growing importance of <a href="https://www.itpro.com/cloud-security/34458/what-is-cloud-security">cloud security</a> tools. </p><p>Building on this growing security portfolio, Wiz represents a major step forward for the tech giant. 
</p><p>Following the speculation over last year’s acquisition talks, analysts told <em>ITPro </em>the deal made sense for the firm given its position within the broader <a href="https://www.itpro.com/cloud/cloud-computing/cloud-spending-2025-canalys">cloud market</a> and the growing array of threats faced by enterprises using the cloud.</p><p>"I think cloud is the major battleground for <a href="https://www.itpro.com/security/cyber-attacks">cyber attacks</a> largely because the cloud is part of everybody’s IT <a href="https://www.itpro.com/infrastructure">infrastructure</a> at this point," Gartner analyst Charlie Winckless told <em>ITPro</em>. </p><p>"The cloud is an increasingly critical, if not already critical part of at least 80% of organizations. And that means cloud security tools have become a must-have for large enterprises.  
</p><p>"They are a necessity, whether provided by the cloud provider themselves – and each of the cloud providers provides these capabilities within their cloud – or for the many organizations that are intentionally or accidentally in a multi-cloud strategy." </p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ What is a secure web gateway (SWG) and next-gen SWG? ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/cloud/cloud-security/what-is-secure-web-gateway-swg</link>
                                                                            <description>
                            <![CDATA[ Implemented correctly, a SWG can keep businesses shielded from malicious traffic and firmly enforce secure policies ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">GWdrtAgmRFiug4rsns3YEe</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/Xsk9DTvZSaeCarvPMNSoch-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Fri, 07 Mar 2025 09:28:45 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Cloud Security]]></category>
                                                    <category><![CDATA[Cloud]]></category>
                                                                                                                    <dc:creator><![CDATA[ Max Slater-Robins ]]></dc:creator>                                                                                                                                                                                                                                                                    <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/Xsk9DTvZSaeCarvPMNSoch-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[A multicolored, CGI padlock set against blue and yellow glowing slabs representing SWG and next-gen SWG in a cloud environment.]]></media:description>                                                            <media:text><![CDATA[A multicolored, CGI padlock set against blue and yellow glowing slabs representing SWG and next-gen SWG in a cloud environment.]]></media:text>
                                <media:title type="plain"><![CDATA[A multicolored, CGI padlock set against blue and yellow glowing slabs representing SWG and next-gen SWG in a cloud environment.]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/Xsk9DTvZSaeCarvPMNSoch-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>In an age where <a href="https://www.itpro.com/security/cyber-attacks/the-new-era-of-cyber-threats"><u>cyber threats</u></a> are more sophisticated than ever, organizations should be looking at adding robust tools to safeguard their networks and users – such as a secure web gateway (SWG).</p><p>A SWG (pronounced 'swig') is a critical component of <a href="https://www.itpro.com/uk/tag/network-security"><u>network security</u></a> designed to filter malicious internet traffic and enforce web usage policies. By intercepting and analyzing web activity, SWGs protect against threats like <a href="https://www.itpro.com/malware/28076/what-is-malware"><u>malware</u></a>, <a href="https://www.itpro.com/security/29093/what-is-phishing"><u>phishing</u></a>, and data leaks, ensuring a safer online experience for employees and businesses alike.</p><p>The need for SWGs has grown significantly with the rise of remote work after the COVID-19 pandemic, <a href="https://www.itpro.com/business/business-strategy/the-top-4-byod-risks-businesses-face"><u>bring your own device (BYOD)</u></a> policies, and the increased reliance on cloud apps. Traditional security measures like <a href="https://www.itpro.com/security/data-protection/the-top-five-risks-of-perimeter-firewalls"><u>firewalls</u></a> are no longer sufficient to handle the complexities of modern internet traffic. </p><h2 id="what-is-a-swg">What is a SWG? </h2><p>A SWG acts as a protective barrier between users and the internet, inspecting and filtering all web traffic. 
SWGs help organizations to safeguard against threats such as malware, phishing, and data loss, while enforcing internet usage policies.</p><p><strong>Malware detection</strong>: SWGs scan all inbound and outbound traffic for malicious content, such as viruses, <a href="https://www.itpro.com/security/ransomware/new-ransomware-groups-worrying-security-researchers">ransomware</a>, or <a href="https://www.itpro.com/spyware/30001/what-is-spyware">spyware</a>, and use advanced techniques like signature-based detection to identify known threats, heuristic analysis to spot suspicious patterns, and sandboxing to safely examine unknown files.</p><p><strong>URL filtering</strong>: With URL filtering, organizations can control which websites users can access. SWGs classify websites into categories (e.g., social media, gambling, or shopping) and enforce access policies accordingly. For instance, they can block high-risk sites or restrict non-productive browsing during work hours.</p><p><strong>Application controls</strong>: App control capabilities let SWGs monitor and regulate the use of cloud services, particularly those not sanctioned by IT teams (commonly referred to as shadow IT). By managing app usage, SWGs help prevent unauthorized data transfers and mitigate the risk of sensitive information being exposed through unapproved platforms.</p><h2 id="how-do-swgs-work">How do SWGs work? </h2><p><strong>Traffic inspection</strong>: First, the SWG intercepts all outbound internet requests from devices on the network. Whether users are accessing websites, cloud applications, or streaming content, the SWG acts as an intermediary.</p><p><strong>Policy enforcement</strong>: After intercepting the traffic, the SWG applies the organization’s security and compliance policies. 
These policies may include blocking access to certain websites or application categories, limiting <a href="https://www.itpro.com/broadband/30274/what-is-bandwidth">bandwidth</a> usage, or enforcing restrictions on file uploads and downloads.</p><p><strong>Threat analysis</strong>: The intercepted traffic undergoes rigorous analysis to detect potential risks. The SWG uses a combination of tools, such as malware detection in which it compares files users access with known threats, phishing protection, and content filtering. A SWG can be used to decrypt data. This multi-layered analysis ensures that malicious activity is identified and neutralized before it can impact users.</p><p><strong>Access decision</strong>: Based on the analysis results and defined policies, the SWG either permits or denies the request. </p><p>Consider an employee attempting to download a file from an unfamiliar website. The SWG intercepts the request, scans the file for malware, checks the URL against its database of known malicious sites, and applies the company’s internet usage policy. If the file poses a risk or violates policy, it is blocked, and the user is alerted. Otherwise, the download proceeds securely.</p><p>All activity passing through the SWG is logged to provide IT teams with detailed reports on user behavior, blocked threats, and policy violations.</p><h2 id="next-gen-swgs-vs-swgs">Next-gen SWGs vs SWGs</h2><p>As cyber threats become more sophisticated and work environments grow increasingly decentralized, traditional SWGs are evolving into next-generation SWGs. 
</p><p>Next-generation SWGs build on the foundation of traditional gateways by offering advanced features such as <a href="https://www.itpro.com/cloud/cloud-computing/what-is-cloud-native-and-how-can-it-generate-business-value"><u>cloud-native</u></a> scalability, AI-driven threat detection, and integration with modern security frameworks like <a href="https://www.itpro.com/cloud/cloud-security/what-is-secure-access-service-edge-sase"><u>secure access service edge (SASE)</u></a>. Next-gen SWGs help to monitor all of an organization's cloud assets, identify unused or overlooked cloud applications to <a href="https://www.itpro.com/business/business-strategy/the-top-steps-to-eliminate-shadow-it">eliminate shadow IT</a>, and inspect <a href="https://www.itpro.com/security/innovation-at-work/24460/what-is-data-encryption">encrypted data</a> in motion to prevent threat actors from masking attacks in TLS/SSL traffic.  </p><p>By aligning with frameworks like SASE, these gateways help organizations tackle modern cybersecurity challenges such as <a href="https://www.itpro.com/security/cyber-crime/adversary-in-the-middle-attacks-are-becoming-hackers-go-to-method-to-bypass-mfa">adversary in the middle (AiTM) attacks</a> while providing the scalability needed to support a dynamic workforce. With features like AI-powered detection, <a href="https://www.itpro.com/security/network-security/358282/what-is-zero-trust"><u>zero trust alignment</u></a>, and simplified deployment, next-gen SWGs are redefining what it means to secure users and data in the cloud era.</p><p>SWGs are a critical component of modern network security. By intercepting and analyzing web traffic in real-time, SWGs mitigate risks such as malware, phishing, and data leaks, ensuring compliance and productivity in increasingly complex network environments.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Surging CNAPP investment is a big opportunity for the channel ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/cloud/cloud-security/surging-cnapp-investment-is-a-big-opportunity-for-the-channel</link>
                                                                            <description>
                            <![CDATA[ UK enterprises plan to increase spending on cloud-native application protection platform (CNAPP) capabilities across 2025 - and they're hoping the IT channel can help streamline adoption. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">uyFRSFQbcrnYZwzBNMKtaG</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/R6w25DnbMVLjXCWkp7tVkh-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Mon, 03 Feb 2025 14:24:19 +0000</pubDate>                                                                                                                                <updated>Mon, 03 Feb 2025 17:19:07 +0000</updated>
                                                                                                                                            <category><![CDATA[Cloud Security]]></category>
                                                    <category><![CDATA[Cloud]]></category>
                                                                                                <author><![CDATA[ itpro@futurenet.com (Daniel Todd) ]]></author>                    <dc:creator><![CDATA[ Daniel Todd ]]></dc:creator>                                                                <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/SRyC34qeLpNDj3dJtsVDhT.jpg ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/R6w25DnbMVLjXCWkp7tVkh-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Cloud computing concept image showing a cloud symbol with electricity flowing to it, signifying cloud uptime capabilities. ]]></media:description>                                                            <media:text><![CDATA[Cloud computing concept image showing a cloud symbol with electricity flowing to it, signifying cloud uptime capabilities. ]]></media:text>
                                <media:title type="plain"><![CDATA[Cloud computing concept image showing a cloud symbol with electricity flowing to it, signifying cloud uptime capabilities. ]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/R6w25DnbMVLjXCWkp7tVkh-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>UK cybersecurity leaders are planning to invest in cloud-native application protection platform (CNAPP) in 2025 as part of plans to increase security spending, new research from Westcon-Comstor shows.</p><p>The technology provider and distributor quizzed 500 chief information security officers (CISOs) and senior security personnel at end-user organizations with 1,000 or more employees across the UK, France, Germany, Italy, and the UAE.</p><p>The data revealed that 84% of UK participants intend to invest in CNAPP and cloud technologies over the coming twelve months, outpacing the global average of 83%.</p><p>Designed to offer a holistic approach to securing cloud infrastructure, <a href="https://www.itpro.com/cloud/cloud-security/solving-the-cloud-native-app-puzzle-with-cnapp">CNAPP</a> technology bundles a range of security capabilities into a single, unified platform for security across the entire <a href="https://www.itpro.com/software/development/367842/the-four-major-software-development-lifecycle-models-and-how-they-work">development lifecycle</a>.</p><p>This planned investment in CNAPP forms part of a wider appetite for <a href="https://www.itpro.com/cloud-security/34458/what-is-cloud-security">cloud security</a> investment this year, Westcon-Comstor said, with large organizations looking to channel partners to help them maximize return on investment.</p><h2 id="it-channel-engagement-priorities">IT channel engagement priorities</h2><p>In terms of priorities, the data revealed the top three planned areas for investment as being AI security posture management (AI-SPM), cloud security posture management (CSPM), and application security posture management (ASPM).</p><p>In the UK specifically, security leaders also highlighted their intent to invest in software composition analysis, with 45% of survey participants singling the category out as a priority.</p><p>As organizations look to the channel for growth opportunities, the 
study found the majority of surveyed businesses are currently engaged with their channel partners (95%) when procuring and deploying security solutions.</p><p>Security leaders named training and enablement as the most valued benefit from channel partners, with 51% of UK participants stating it as their main requirement compared to the international average of 40%.</p><p>Elsewhere, 29% said cost-effective access to new solutions was their primary reason for engaging with partners, while 20% highlighted the ability to assist with navigating the cloud security market and identifying the best solutions.</p><h2 id="cnapp-adoption">CNAPP adoption</h2><p>Notably, the survey highlighted the main reasons organizations are looking to CNAPP specifically, with leaders highlighting the need to move away from using multiple <a href="https://www.itpro.com/security/28133/what-is-cyber-security">cybersecurity</a> tools and instead consolidate capabilities into a unified platform. </p><p>By doing so, they benefit from reduced complexity and fewer blind spots, Westcon-Comstor said.</p><p>Other key factors include the need to seamlessly integrate security and compliance testing, as well as unification of risk visibility across cloud environments and the application development lifecycle.</p><p>As operational responsibilities continue to ‘shift left’ towards developers and architects, 81% of UK-based security leaders stated a need to adopt a <a href="https://www.itpro.com/development/devops/354215/what-is-devsecops-and-why-is-it-important">DevSecOps</a> approach, outpacing all other markets, as well as the international average of 75%.</p><p>“As the cloud security market continues to evolve, we’re seeing CNAPP become the go-to solution for securing cloud workloads,” commented Daniel Hurel, senior vice president of Westcon EMEA Cybersecurity & Next-Generation Solutions at Westcon-Comstor.</p><p>“Our research suggests that this presents an opportunity for the IT channel, with particularly strong demand for training and enablement. Partners who establish themselves in this high-growth area stand to reap the rewards in 2025 and beyond.”</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Darktrace targets cloud security gains with new acquisition ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/cloud/cloud-security/darktrace-targets-cloud-security-gains-with-cado-security-acquisition</link>
                                                                            <description>
                            <![CDATA[ The firm plans to combine Cado's forensic investigation technology with its ActiveAI Security Platform ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">y6ijkE7HQL43sjTJhmy2wR</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/oJWAYB4FW2CNHZ4FjsnKCA-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Thu, 09 Jan 2025 11:48:21 +0000</pubDate>                                                                                                                                <updated>Fri, 10 Jan 2025 13:49:35 +0000</updated>
                                                                                                                                            <category><![CDATA[Cloud Security]]></category>
                                                    <category><![CDATA[Cloud]]></category>
                                                                                                                    <dc:creator><![CDATA[ Emma Woollacott ]]></dc:creator>                                                                <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/aWfskavxoVSMDy6cDWtYmJ.jpg ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/oJWAYB4FW2CNHZ4FjsnKCA-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Darktrace logo pictured in the background of a silhouetted woman holding a mobile phone.]]></media:description>                                                            <media:text><![CDATA[Darktrace logo pictured in the background of a silhouetted woman holding a mobile phone.]]></media:text>
                                <media:title type="plain"><![CDATA[Darktrace logo pictured in the background of a silhouetted woman holding a mobile phone.]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/oJWAYB4FW2CNHZ4FjsnKCA-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p><a href="https://www.itpro.com/security/28133/what-is-cyber-security">Cybersecurity</a> firm Darktrace has announced plans to acquire Cado Security, a UK-based cyber investigation and response solution provider. </p><p>Cado Security offers its services across multi-cloud, container, serverless, <a href="https://www.itpro.com/cloud/software-as-a-service-saas/362655/what-is-saas">SaaS</a>, and on-premises environments, capturing a snapshot of data stored on the device and then conducting forensic investigations to uncover signs of compromise or threats. </p><p>Darktrace says it plans to invest to accelerate the growth of Cado's existing products, while also combining Cado's forensic investigation technology with its own ActiveAI Security Platform, enhancing data collection across multiple cloud environments. </p><p>Thanks to the richer datasets the agreement will bring, Darktrace also sees benefits for its Cyber AI Analyst solution, which investigates alerts, streamlines investigations, and prioritizes incidents.</p><p>"At Darktrace, we have a clear and ambitious strategy: to develop best-in-class cybersecurity solutions for our customers that keep them safe through continuous innovation," said Jill Popelka, Darktrace chief executive officer. </p><p>"The addition of Cado's deep expertise in cloud-based data collection and forensics will enhance our ability to protect customers, ensuring they can operate securely and confidently across all areas of their business."</p><p>The deal is expected to be completed next month.</p><p>Cado was founded by James Campbell, CEO, and Chris Doman, CTO, who will join the team at Darktrace following the acquisition. 
</p><p>Cado's R&D teams in London and Bristol will work alongside Darktrace's established R&D centers in Cambridge, UK and The Hague, Netherlands to boost innovation in its cloud detection and response capabilities.</p><p>"Darktrace is an excellent fit for Cado, providing an opportunity for growth and innovation while allowing our team to advance their careers within a dynamic company deeply committed to R&D and to protecting its customers from growing cyber threats," said Campbell. </p><p>"Our technologies build on each other's strengths, and we are incredibly excited to work with the Darktrace team to continue to elevate AI-driven <a href="https://www.itpro.com/security/28133/what-is-cyber-security">cybersecurity</a> capabilities for our combined global customer base."</p><h2 id="darktrace-ramps-up-cloud-security-focus">Darktrace ramps up cloud security focus</h2><p>Darktrace cites cloud and SaaS platforms as a common entry point for cybercriminals to attempt access to customers' networks. </p><p>The firm specifically pointed to recent research in which security leaders identified <a href="https://www.itpro.com/cloud-security/34458/what-is-cloud-security">cloud security</a> as the top area where defensive AI could have the greatest impact.</p><p>The acquisition comes as the cybersecurity giant looks to boost its cloud security capabilities, with the firm having invested heavily in this domain in recent years. </p><p>In October 2023, the company launched its Darktrace / CLOUD services for AWS, which it later expanded to cover <a href="https://www.itpro.com/microsoft-azure/34048/microsoft-azure-review-competitive-cloud-pricing-takes-a-bite-out-of-aws">Microsoft Azure</a>. 
</p><p>Darktrace was founded in 2013 by Poppy Gustafsson, with the backing of the late billionaire Mike Lynch’s Invoke Capital. </p><p><a href="https://www.itpro.com/business/leadership/poppy-gustafsson-steps-down-as-darktrace-ceo">Gustafsson was replaced as CEO by former COO Jill Popelka</a> in September last year.</p><p>The announcement follows <a href="https://www.itpro.com/business/acquisition/darktrace-acquisition-dents-uk-prestige">Darktrace's acquisition by software investment firm Thoma Bravo</a> in a $5.3 billion deal that closed in October last year. </p><p>The companies said the plan was to scale the firm up to become 'a truly global player'.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ What is security service edge (SSE)? ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/cloud/cloud-security/what-is-security-service-edge-sse</link>
                                                                            <description>
                            <![CDATA[ A brief guide to SSE, the security-focused framework at the heart of every SASE deployment ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">7sNxjqQKfG46seJ5akC9HT</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/6qy4fVN2L7SChhcfmsN5sK-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Sun, 22 Dec 2024 17:30:16 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Cloud Security]]></category>
                                                    <category><![CDATA[Cloud]]></category>
                                                                                                <author><![CDATA[ john@jloeppky.com (John Loeppky) ]]></author>                    <dc:creator><![CDATA[ John Loeppky ]]></dc:creator>                                                                <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/GJCxqX7ryKSC5XjEDLnEtU.jpg ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/6qy4fVN2L7SChhcfmsN5sK-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[A cloud computing graphic ]]></media:description>                                                            <media:text><![CDATA[A cloud computing graphic ]]></media:text>
                                <media:title type="plain"><![CDATA[A cloud computing graphic ]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/6qy4fVN2L7SChhcfmsN5sK-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>The tech world, you might argue, has too many TLAs – what does that stand for? Three-letter abbreviations. They consistently proliferate and, when you’re in the know, can be exceedingly helpful. They also do a wonderful job of confusing transcription software and new employees alike.</p><p>One acronym currently used in cyber security is SSE, which stands for security service edge. To double down on the acronyms, SSE is a component of SASE, or secure access service edge. Edge means that these forms of architecture are operating in the cloud versus a more traditional data centre-centric approach.</p><p>Clear as mud? No problem, we’ve got you covered. Plus, if you’d like our <a href="https://www.itpro.com/cloud/cloud-security/what-is-secure-access-service-edge-sase">explainer on SASE</a> by itself, you can find it here. After all, you can never know enough acronyms, if only to make your business meetings easier.</p><h2 id="what-is-sse-in-the-context-of-sase">What is SSE in the context of SASE?</h2><p>Imagine you have a box labeled 'SASE'. Inside are a bunch of services, including network optimization tools, software optimization, and routing options. Beside these is a smaller box labeled SSE, containing tools that purely focus on security via the cloud. As a result, SASE is interested in security and networking, while SSE is focused on just the security portion of those duties. If you’re a business that needs to integrate networking and security under one proverbial roof, then SASE may be a better fit. However, some situations might mean you’re only looking for the SSE tools.</p><p>SASE came first, described by Gartner in 2019. 
SSE arrived later, first appearing in a 2021 report.</p><h2 id="what-does-sse-contain">What does SSE contain?</h2><figure class="van-image-figure  inline-layout" data-bordeaux-image-check ><div class='image-full-width-wrapper'><div class='image-widthsetter' style="max-width:1920px;"><p class="vanilla-image-block" style="padding-top:56.25%;"><img id="3DzBisxyQXbBchvGQ3pWPL" name="observability_GettyImages-1399729683" alt="IT observability concept image showing cloud network symbol and virtual data points." src="https://cdn.mos.cms.futurecdn.net/3DzBisxyQXbBchvGQ3pWPL.jpg" mos="" align="middle" fullscreen="" width="1920" height="1080" attribution="" endorsement="" class=""></p></div></div><figcaption itemprop="caption description" class=" inline-layout"><span class="credit" itemprop="copyrightHolder">(Image credit: Getty Images)</span></figcaption></figure><p>In general, SSE includes tools such as <a href="https://www.itpro.com/security/what-is-zero-trust-network-access-ztna">zero trust network access (ZTNA)</a>, cloud access security broker (CASB), secure web gateway (SWG), firewall as a service (FWaaS), remote browser isolation (RBI), and data loss protection (DLP). </p><p>SSE is solely designed to protect your company’s data and network and is not focused on network optimization. The consensus is that as cyber security develops, having a framework like SSE allows you to reduce the number of weak points in your company’s IT security because they are being used in a way that ensures they play off of each other, rather than against each other.</p><p>In comparison, the networking portion of SASE includes <a href="https://www.itpro.com/software-defined-wide-area-network-sd-wan/33346/what-is-sd-wan">software defined wide-area networks (SD-WAN)</a> alongside other components like network as a service and <a href="https://www.itpro.com/cloud/software-as-a-service-saas/362655/what-is-saas">software as a service</a> acceleration. 
The idea, in general, is that the two portions work in synchronization to provide an improved, two for one, approach. </p><p>Another goal of SSE is to provide a more secure, and easier to operate option compared to fragmented solutions that don’t take advantage of technological innovation in the cyber security space. Or, <a href="https://www.gartner.com/reviews/market/security-service-edge" target="_blank">in Gartner’s own words</a>:</p><p>"Security service edge provides a primarily cloud-delivered solution to control access from end users and edge devices to applications (private or delivered via SaaS) as well as websites (and to a lesser extent general internet traffic). It enables a hybrid workforce more efficiently than traditional on-premises solutions. Capabilities integrated across multiple traffic types and destinations allow a more seamless experience for both users and admins while maintaining a consistent security stance."</p><p>This consolidation of services is also intended to reduce costs and increase usability. Gartner <a href="https://www.sdxcentral.com/articles/analysis/gartner-crowns-netskope-palo-alto-networks-zscaler-as-sse-leaders/2024/04/" target="_blank">has published the companies</a> they believe provide the best SSE options. Those include Netskope, Palo Alto Networks, and Zscaler.</p><h2 id="benefits-of-sse">Benefits of SSE</h2><p>As an approach to sustaining the health of your network, SSE’s main selling point is that all of the services intertwined with it provide a broader spectrum solution than choosing individual tools piece by piece. </p><p>Proponents of this approach also point to benefits when it comes to user experience — namely decreases in latency and the ability to do away with clunky VPN options. 
In the current workplace environment — where employees are more likely to be working remotely and/or using their personal devices — SSE allows for an easier process when it comes to scaling and implementing your network security.</p><h2 id="the-downsides-of-sse">The downsides of SSE</h2><p>As SSE is a framework, it is a broad concept that is not always easy to integrate into your company’s workflows. Some tools that you use on a daily basis might not want to play nice with this new approach. You may struggle to implement it as you muddle through already existing security policies, and your IT staffers may be less familiar with SSE — given its relatively recent emergence on the cyber security landscape. This is similar to many IT innovations, cyber security-related and otherwise.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ What is secure access service edge (SASE)? ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/cloud/cloud-security/what-is-secure-access-service-edge-sase</link>
                                                                            <description>
                            <![CDATA[ A guide to SASE, a cloud technology approach that combines aspects of networking and cyber security into one platform ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">pyyEqNAVR2dh4wN4g8Eh2f</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/2AstwKwLA445ALahe3QyLN-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Sun, 22 Dec 2024 17:30:12 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Cloud Security]]></category>
                                                    <category><![CDATA[Cloud]]></category>
                                                                                                <author><![CDATA[ john@jloeppky.com (John Loeppky) ]]></author>                    <dc:creator><![CDATA[ John Loeppky ]]></dc:creator>                                                                <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/GJCxqX7ryKSC5XjEDLnEtU.jpg ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/2AstwKwLA445ALahe3QyLN-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[API and cloud security concept image showing cloud symbol with a padlock.]]></media:description>                                                            <media:text><![CDATA[API and cloud security concept image showing cloud symbol with a padlock.]]></media:text>
                                <media:title type="plain"><![CDATA[API and cloud security concept image showing cloud symbol with a padlock.]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/2AstwKwLA445ALahe3QyLN-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Network architecture, and its protection, is a world that is ripe for – and rife with – comparisons to architects who exist outside of a data center. After all, doesn’t the castle and moat approach to network security remind you of medieval literature as much as your own IT department? For every 15th-century comparison to 21st-century technology, there is a new innovation waiting to take up its metaphorical mantle. In this case, secure access service edge (SASE).</p><p>The term was first used by two Gartner analysts in 2019. While those same analysts were quickly criticized for describing a combination of services that already exist, the term has grown in traction as vendors and companies seek to find different ways to describe their products as they adapt to the current cyber security landscape.</p><h2 id="what-is-sase">What is SASE?</h2><p>Taking advantage of the network edge, working outside of the data center, SASE combines a number of already existing products and services to provide an all-in-one solution for network security. SASE is usually sold in the same manner as software as a service (SaaS) products.</p><p>Some of the individual components of a SASE offering include:</p><ul><li><a href="https://www.itpro.com/software-defined-wide-area-network-sd-wan/33346/what-is-sd-wan">Software-defined wide area network (SD-WAN)</a>: Instead of a traditional network model, which relies on routers and the data center interacting, an SD-WAN routes your web traffic to vetted existing technology providers – such as <a href="https://www.itpro.com/uk/amazon-web-services">Amazon Web Services</a> or <a href="https://www.itpro.com/tag/microsoft-azure">Microsoft Azure</a>. While increasing security and decreasing cost, this also reduces <a href="https://www.itpro.com/network-internet/31750/what-is-latency">latency</a>. 
If we’re extending the Middle Ages metaphor, then the SD-WAN is the drawbridge that allows traffic to enter the city that is your network infrastructure.</li><li>Secure web gateway (SWG): An SWG product is the person at the gate asking for the secret passcode. It checks all traffic for nasty elements and requires the security policies that your company has implemented be followed. Its job is to keep your data safe.</li><li>Cloud access security broker (CASB): A CASB is a product that manages your security protocols such as <a href="https://www.itpro.com/security/single-sign-on-sso/361728/what-is-single-sign-on-sso">single sign on</a>, user authentication, and token management. In our little medieval fantasy land, a CASB is a group of squires who are charged with making sure that the leadership of the community is properly up to speed on the castle’s defences.</li><li>Next generation firewall (NGFW) and <a href="https://www.itpro.com/cloud/cloud-security/what-is-firewall-as-a-service-fwaas">firewall as a service (FWaaS)</a>: These two products filter incoming traffic and stop any that have malicious intent. Rather than a simple yes or no, an NGFW uses tools like packet filtering and VPN identification to give a deeper and better level of defense. You can think of this like a battlement, a small segment of a castle’s walls that allows you to look out and identify incoming threats.</li><li><a href="https://www.itpro.com/security/what-is-zero-trust-network-access-ztna">Zero trust network access (ZTNA)</a>: Rather than a VPN, which gives the user access to a broad network environment, a zero trust network access system gives a user access to just one application. Tired of this medieval metaphor yet? 
Well, we can liken a ZTNA to the secret passageways that litter many castles, areas that allow servants to dip in and out of spaces without being seen.</li></ul><p>One of the key selling points of SASE is its ability, within a cloud-native environment, to combine a wide variety of cyber security offerings into a product that can be implemented quickly and easily.</p><h2 id="the-benefits-of-sase">The benefits of SASE</h2><p>Although SASE evangelists will offer up a wide variety of benefits, most boil down to four key elements: ease of use, expandability, reliability, and efficiency.</p><p>For one, instead of relying on a data center-focused approach, a SASE solution allows a company to lean on resources that are not as constrained and costly. In a world where time is money, a SASE solution that provides reduced latency when compared to other structures can decrease infrastructure cost significantly.</p><p>Second, in a remote work environment where creating additional users, workflows, and products is an everyday business necessity, SASE bills itself as an inherently cheaper and faster solution to keep a business both running and evolving.</p><p>Lastly, most companies selling these products point to the fact that the structure of a SASE solution — where you’re covering vast swathes of network security within one ecosystem — allows you to easily monitor network traffic (and solve problems) rather than having to work through convoluted security solutions that are difficult to scale.</p><h2 id="the-downsides-of-sase">The downsides of SASE</h2><p>Given that SASE is a term first coined just five years ago, this technology is still experiencing the growing pains that come with any developing technology. 
One concern is that, medieval comparisons aside, the entire topic can be confusing and cause internal chaos as it is implemented.</p><p>Another concern is that SASE can be difficult to add to a legacy environment that hasn’t been specifically crafted for newer network security. As with any cyber security solution, the cost of SASE implementation may be <a href="https://www.itpro.com/business-strategy/smb/360589/how-to-fix-the-weak-link-in-cyber-security">prohibitive for small and medium-sized businesses</a> and it’s important that companies identify which parts of a SASE solution will be useful and which ones are not needed for any individual use case. </p><p>There is also concern among some industry experts that the nature of a SASE implementation – with network and security being combined – may not fit well with an individual company's current IT staffing choices.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ CISA issues new directive to bolster cloud security – and Microsoft was singled out ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/cloud/cloud-security/cisa-issues-new-directive-to-bolster-cloud-security-and-microsoft-was-singled-out</link>
                                                                            <description>
                            <![CDATA[ The directive is a strong push towards bolstering cloud and SaaS security practices ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">9ybhPigeDujWR8Uw4cfxBD</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/kkSxF7avnLVjrNeHRABpSa-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Thu, 19 Dec 2024 12:49:48 +0000</pubDate>                                                                                                                                <updated>Thu, 19 Dec 2024 16:59:28 +0000</updated>
                                                                                                                                            <category><![CDATA[Cloud Security]]></category>
                                                    <category><![CDATA[Cloud]]></category>
                                                                                                <author><![CDATA[ george.fitzmaurice@futurenet.com (George Fitzmaurice) ]]></author>                    <dc:creator><![CDATA[ George Fitzmaurice ]]></dc:creator>                                                                <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/N4xHCjSAXKcijjt3oiQtfc.jpg ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/kkSxF7avnLVjrNeHRABpSa-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Cloud computing concept image showing a cloud symbol attached to separate containers.]]></media:description>                                                            <media:text><![CDATA[Cloud computing concept image showing a cloud symbol attached to separate containers.]]></media:text>
                                <media:title type="plain"><![CDATA[Cloud computing concept image showing a cloud symbol attached to separate containers.]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/kkSxF7avnLVjrNeHRABpSa-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>A new directive issued by the US <a href="https://www.itpro.com/security/what-is-cisa">Cybersecurity and Infrastructure Security Agency (CISA)</a> has been met positively by industry experts who say it will bolster <a href="https://www.itpro.com/cloud-security/34458/what-is-cloud-security">cloud security</a>. </p><p>Announced on 17 December, the <a href="https://www.cisa.gov/news-events/alerts/2024/12/17/cisa-issues-bod-25-01-implementing-secure-practices-cloud-services" target="_blank"><u>directive</u></a> will focus on safeguarding federal information and information systems. </p><p>It requires federal civilian agencies to identify specific cloud tenants, implement assessment tools, and ensure that cloud environments are aligned with CISA’s ‘Secure Cloud Business Application (SCuBA)’ baselines. </p><p>CISA will maintain and update a detailed list of in-scope policies and cloud tenants, provide agencies with reporting instructions, and provide agencies with troubleshooting support. </p><p>As of this release, CISA has published the configuration baselines for <a href="https://www.itpro.com/desktop-software/19337/office-365-review">Microsoft 365</a> only, but the future may see CISA release additional baselines for other cloud products and services. </p><p>In recent <a href="https://www.itpro.com/security/28133/what-is-cyber-security">cybersecurity</a> incidents, CISA said the improper configuration of security controls in cloud environments has introduced substantial risk and has resulted in compromises and unauthorized access. </p><p>This directive will push the federal civilian enterprise to a more defensible posture in this regard, by reducing the attack surface of government networks. 
</p><h2 id="cisa-directive-welcomed-by-industry">CISA directive welcomed by industry </h2><p>Tech and security experts see this as a strong move from CISA, one that will reduce agency vulnerability to attack and increase security posture in the government. </p><p>“CISA’s directive highlights known cloud risks. Misconfigured systems expose agencies to threats. Setting baselines and enforcing them reduces the attack surface. This step, though unsurprising, is critical,” Jason Soroko, senior fellow at Sectigo, told <em>ITPro</em>. </p><p>AppOmni CSO Cory Michal echoed this sentiment, calling the directive a “much-needed step” towards improving the organizational security posture of federal agencies leveraging cloud and <a href="https://www.itpro.com/cloud/software-as-a-service-saas/362655/what-is-saas">Software as a Service (SaaS)</a> tools. </p><p>“By mandating the adoption of the SCuBA Secure Configuration Baselines, the directive provides a standardized approach to securing SaaS applications and guides agencies to focus on proactive risk mitigation,” Michal told <em>ITPro</em>. </p><p>While it aligns with broader cybersecurity initiatives such as zero trust architecture, Michal added, the success of the directive will depend on effective implementation and deployment of appropriate security tooling. </p><p>Michal noted the requirements are reasonable and that the directive focuses on measures that are practical and actionable, such as adopting secure baselines.</p><p>“These are foundational steps that align with modern SaaS and cloud security models following the Identify, Protect, Detect and Respond methodology, allowing organizations to embrace and secure this new attack surface,” he said. </p><p>“Deadlines, lack of funding, and lack of adequate skillsets will be the main challenges in meeting these requirements,” he added. </p><h2 id="private-sector-will-take-time-to-catch-up">Private sector will take time to catch up</h2><p>Though CISA’s new directive is a boon for security in the federal or public sector landscape, the average firm will lag behind the guidance, according to Soroko.</p><p>“For a typical mid-sized business, implementing similar controls is costly - tools, consultants, and training strain budgets. They have a hard enough time understanding the merits of MFA,” Soroko said.</p><p>“They typically only have IT generalists who are motivated to keep the lights on rather than go through configurations with a fine toothed comb,” he added. 
</p><p>While government guidance often influences private sectors, he said, adoption lags, as many firms resist due to cost and complexity. </p><p>“Clear government standards can slowly shift industry norms, but it normally only works if it forces vendors who are selling into government contracts,” Soroko said. </p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Machine identity attacks will be top of mind for security leaders in 2025 ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/cloud/cloud-security/machine-identity-attacks-will-be-top-of-mind-for-security-leaders-in-2025</link>
                                                                            <description>
                            <![CDATA[ Security leaders say access tokens and service accounts represent an increasing risk ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">N5dDR5x5S6KXJmMBbGGixM</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/44czLjHXb9wstRuFkRhVxK-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Wed, 18 Dec 2024 09:57:28 +0000</pubDate>                                                                                                                                <updated>Thu, 19 Dec 2024 16:54:37 +0000</updated>
                                                                                                                                            <category><![CDATA[Cloud Security]]></category>
                                                    <category><![CDATA[Cloud]]></category>
                                                                                                                    <dc:creator><![CDATA[ Emma Woollacott ]]></dc:creator>                                                                <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/aWfskavxoVSMDy6cDWtYmJ.jpg ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/44czLjHXb9wstRuFkRhVxK-1280-80.jpg">
                                                            <media:credit><![CDATA[Shutterstock]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[A digital fingerprint with blue data streaming upwards from it]]></media:description>                                                            <media:text><![CDATA[A digital fingerprint with blue data streaming upwards from it]]></media:text>
                                <media:title type="plain"><![CDATA[A digital fingerprint with blue data streaming upwards from it]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/44czLjHXb9wstRuFkRhVxK-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Machine identities such as access tokens and service accounts are being tipped as the next big target for cyber attacks.</p><p>According to Venafi's latest research report, <a href="https://venafi.com/lp/cloud-native-security-report-2024/?utm_medium=prs&utm_source=mda&utm_campaign=24Q4_WW_ONL_WP_CloudNative_Dec10&utm_content=pr"><u><em>The Impact of Machine Identities on the State of Cloud Native Security in 2024</em></u></a>, 86% of organizations have had a security incident related to their cloud native environment within the last year. </p><p>As a result, more than half have had to delay an application launch or slow down production time, while 45% suffered outages or disruption to their application service. Three-in-ten said the incident meant that attackers could gain unauthorized access to data, networks, and systems.</p><p>Similarly, nearly nine-in-ten security leaders said they believe that machine identities – specifically access tokens and their connected service accounts – are the next big target for attackers. </p><p>More than half said they'd experienced a security incident related to machine identities using service accounts in the last year. </p><p>"A massive wave of cyberattacks has now hit cloud native infrastructure, impacting most modern application environments," said Kevin Bocek, chief innovation officer at Venafi.</p><p>"To make matters worse, cybercriminals are deploying AI in various ways to gain unauthorized access and exploiting machine identities using service accounts on a growing scale. 
The volume, variety and velocity of machine identities are becoming an attacker’s dream."</p><p>While access tokens used with service accounts topped the risk list with 56% of respondents, almost as many experienced incidents related to other machine identities, such as certificates.</p><p>Venafi attributed this to the growing complexity of cloud native environments, which makes it harder to manage and secure the machine identities that underpin access and authentication. </p><p>Three-quarters of security leaders agreed that humans are the weakest link in machine identity security, while 83% of teams say that failing to secure machine identities at the workload level renders all other security obsolete.</p><p>Nearly seven-in-ten described delivering secure access between their cloud native and data center environments as a 'nightmare to manage', while 89% said they're experiencing challenges around managing and securing secrets at scale.</p><p>Notably, 83% said having multiple service accounts creates a lot of added complexity. Despite this, nine-in-ten agreed they make it easier to ensure policies are uniformly defined and enforced across <a href="https://www.itpro.com/cloud/cloud-computing/what-is-cloud-native-and-how-can-it-generate-business-value">cloud native</a> environments.</p><p>"Attackers are increasingly zoning in on machine identities in cloud native technologies," said Bocek. "Security teams must prioritize <a href="https://www.itpro.com/cloud/cloud-security/venafis-new-life-under-cyberark-is-all-about-end-to-end-identity-management">machine identity</a> security to the same degree as human identities."</p><h2 id="ai-poisoning-a-key-concern">AI poisoning a key concern</h2><p>Elsewhere in Venafi’s report, more than three-quarters of respondents highlighted AI poisoning as a leading new software supply chain risk. 
</p><p><a href="https://www.itpro.com/security/hackers-are-deliberately-poisoning-ai-systems-to-make-them-malfunction-and-theres-no-way-to-defend-against-it">AI poisoning</a> refers to techniques whereby AI data inputs and outputs are manipulated for malicious purposes. </p><p>"There is huge potential for <a href="https://www.itpro.com/strategy/28181/what-is-ai">AI </a>to transform our world positively, but it needs to be protected," said Bocek.</p><p>"Whether it’s an attacker sneaking in and corrupting or even stealing a model, a cybercriminal impersonating an AI to gain unauthorized access, or some new form of attack we have not even thought of, security teams need to be on the front foot. 
</p><p>"This is why a kill switch for AI – based on the unique identity of individual models being trained, deployed and run – is more critical than ever."</p><p>Three-quarters are also worried about model theft and 73% concerned about the use of AI-led <a href="https://www.itpro.com/security/phishing/why-social-engineering-is-such-a-problem-and-how-your-business-can-protect-itself">social engineering</a>, while 72% are worried about provenance in the AI supply chain.</p><p>Despite this, six-in-ten said senior management has taken its focus off supply chain security in the last year.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ WithSecure Elements Cloud Platform review: A great endpoint security all-rounder ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/cloud/cloud-security/withsecure-elements-cloud-platform-review-a-great-endpoint-security-all-rounder</link>
                                                                            <description>
                            <![CDATA[ Tough endpoint protection and a wealth of cloud security options priced right for mid-sized businesses ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">5hEqPZaxdGn7szBjfPwE5e</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/P2AU42Arw2v3trytr9n3yh-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Wed, 27 Nov 2024 15:00:08 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Cloud Security]]></category>
                                                    <category><![CDATA[Cloud]]></category>
                                                                                                                    <dc:creator><![CDATA[ Dave Mitchell ]]></dc:creator>                                                                <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/5BukGWzBsbwY54VJpZvHoi.jpg ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/P2AU42Arw2v3trytr9n3yh-1280-80.jpg">
                                                            <media:credit><![CDATA[WithSecure]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[The WithSecure logo on the ITPro background]]></media:description>                                                            <media:text><![CDATA[The WithSecure logo on the ITPro background]]></media:text>
                                <media:title type="plain"><![CDATA[The WithSecure logo on the ITPro background]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/P2AU42Arw2v3trytr9n3yh-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Finnish company <a href="https://www.itpro.com/security/withsecure-elements-epp-and-edr-review-endpoint-protection-on-a-plate">WithSecure</a> has traditionally offered an impressive endpoint security portfolio and a key feature is all components can be centrally managed from its Elements Security Center cloud portal. The suite is also completely modular so you can pick and choose which components you require.</p><p>It includes EPP (endpoint protection) and EDR (endpoint detection and response) modules which have now been unified into the Elements Endpoint Security (EPS) solution and offered under the XDR (extended detection and response) category. Elements Collaboration Protection (ECP) enhances security for <a href="https://www.itpro.com/desktop-software/19337/office-365-review">Microsoft 365</a> environments including Exchange, SharePoint, <a href="https://www.itpro.com/cloud/cloud-storage/363918/onedrive-review">OneDrive</a>, and Teams while Elements Exposure Management (EEM) keeps your network borders safe by providing an overview of your attack surface along with threat identification and mitigation.</p><p>There's more as Elements Identity Security protects against compromised Microsoft Entra identities. Overworked security teams may also want to consider the optional co-monitoring service where severe threats are automatically escalated to WithSecure's support teams and you can choose out-of-hours or full 24/7 cover.</p><p>That's a lot to get to grips with but WithSecure's new Luminen feature can help cut through the smokescreen. 
It delivers AI-powered reporting services which generate detailed summaries of security events and provide valuable assistance on remedial actions.</p><h2 id="withsecure-elements-cloud-platform-review-setup">WithSecure Elements Cloud Platform review: Setup</h2><p>Platform support is excellent as WithSecure can protect Windows and macOS workstations, Windows and Linux servers plus Android and iOS mobiles. The base product also includes patch management for Windows OSes.</p><p>Deployment is swift as we could download the relevant agent install file and place it in a central location or email links to our users directly from the portal. After installing the agent on our Windows 10/11 workstations and Windows Server 2022 hosts, it took no more than two minutes to complete the process and connect to our cloud account. </p><figure class="van-image-figure  inline-layout" data-bordeaux-image-check ><div class='image-full-width-wrapper'><div class='image-widthsetter' style="max-width:1693px;"><p class="vanilla-image-block" style="padding-top:56.23%;"><img id="R7yTowrRhxPv3hKUTcLEfa" name="Withsecure_Elements_dashboard" alt="A screenshot of the WithSecure Elements dashboard" src="https://cdn.mos.cms.futurecdn.net/R7yTowrRhxPv3hKUTcLEfa.jpg" mos="" align="middle" fullscreen="" width="1693" height="952" attribution="" endorsement="" class=""></p></div></div><figcaption itemprop="caption description" class=" inline-layout"><span class="credit" itemprop="copyrightHolder">(Image credit: Future)</span></figcaption></figure><p>We also tested ECP and found the MS 365 authentication process straightforward with our Exchange, SharePoint, OneDrive, and <a href="https://www.itpro.com/software/33703/microsoft-teams-review-a-no-brainer-for-microsoft-shops">Teams</a> accounts added in a few minutes. The Elements cloud portal is well-designed with its home page providing a complete overview of your security posture. 
</p><p>Donut charts show all protected computers, servers, and mobile devices with color codes showing their overall status, another keeps you apprised of software updates while the detection and response charts show all open detections and their risk score. We received more charts below showing our MS 365 components, all detections, the top affected mailboxes, and a breakdown of security events. </p><h2 id="withsecure-elements-cloud-platform-review-security-profiles">WithSecure Elements Cloud Platform review: Security profiles</h2><p>Endpoint protection starts immediately as preconfigured security profiles are assigned to devices as soon as their agent has connected to the cloud portal. It's easy to create new ones as we used the Security Configurations page to clone the predefined ones and tweak them to our requirements.</p><p>There's a lot to play with as profiles manage real-time malware scanning, permit users to run manual scans, determine when automatic updates occur, and schedule regular systems scans. <a href="https://www.itpro.com/cloud/cloud-security/what-is-firewall-as-a-service-fwaas">Firewall</a> protection using WithSecure or Windows profiles can be enabled and device controls applied to block access to removable devices such as USB sticks. </p><p>Web protection services include reputation-based web page scanning, safe search enforcement, browser plug-ins, and content controls with a list of 32 URL categories you can block or allow. The Premium service enables application controls and WithSecure's DataGuard which uses behavioral rules to detect potential ransomware activity.</p><p>Businesses worried about the shocking impact of the CrowdStrike fiasco can rest easy as WithSecure has them covered. A feature that's always been available in its security profiles is an option to enable early access to client software updates.</p><p>It's simple to apply as we cloned our workstation and server profiles and enabled early access on them with one click. 
All the systems with these profiles assigned receive client updates and new features at least a week in advance of general release so we could check for stability and provide feedback to WithSecure if necessary.</p><h2 id="withsecure-elements-cloud-platform-review-detection-and-response">WithSecure Elements Cloud Platform review: Detection and response</h2><figure class="van-image-figure  inline-layout" data-bordeaux-image-check ><div class='image-full-width-wrapper'><div class='image-widthsetter' style="max-width:1693px;"><p class="vanilla-image-block" style="padding-top:56.23%;"><img id="c8Ft3ob7zTmcEeQBhnNExf" name="Withsecure_Elements_detections" alt="A screenshot of the WithSecure Elements detection interface" src="https://cdn.mos.cms.futurecdn.net/c8Ft3ob7zTmcEeQBhnNExf.jpg" mos="" align="middle" fullscreen="" width="1693" height="952" attribution="" endorsement="" class=""></p></div></div><figcaption itemprop="caption description" class=" inline-layout"><span class="credit" itemprop="copyrightHolder">(Image credit: Future)</span></figcaption></figure><p>The portal's detection and response page provides a good overview of all security events and you can dive deeper by moving to the security events page which provides a more detailed analysis of each event and the affected systems or services. WithSecure's BCD (broad context detections) page displays a filtered view of detected threats with a full analysis and process tree of suspicious events showing how the potential malware developed and what it interacted with. </p><p>BCD shows affected systems with options to isolate them all with one click, run a device scan, and collect a forensics package. Links are provided for the Mitre ATT&CK website for more information and Luminen comes into play as it analyses events, generates a summary, and provides valuable advice on remedial actions – if more help is required, you can elevate the event to WithSecure's security teams. 
</p><p>Reactions to events are swift as when we ran our test app on selected workstations to generate suspicious activity, the portal logged them in seconds and email alerts were received 2-3 minutes later. To test MS 365 responses, we sent emails from Outlook with dubious attachments and suspect web links and WithSecure blocked them immediately, placed warning emails in our inboxes, and logged all events.</p><p>Rollback is a smart feature as it provides instant ransomware protection for Windows systems and can initially run in safe mode in a policy where it only reports on unauthorized changes. It tracks apps classed as unknown and if they exhibit any dubious behavior, it closes them down and automatically rolls back all the file and registry changes they made. </p><h2 id="withsecure-elements-cloud-platform-review-is-it-worth-it">WithSecure Elements Cloud Platform review: Is it worth it?</h2><p>WithSecure works primarily with partners so doesn't publish pricing on its web site. However, it advised us that the base Elements Endpoint Security costs around £37 per device/year for between 100 and 499 devices which looks good value considering how many security features this includes.</p><p>The Elements Cloud Platform delivers a remarkable range of protection measures and WithSecure has made them all very accessible in its well-designed cloud portal. Deployment is pleasingly simple, Luminen provides valuable remediation assistance and the suite's modular design means you only pay for what you need.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Organizations warned of the dangers of ‘long-lived’ cloud credentials ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/cloud/cloud-security/organizations-warned-of-the-dangers-of-long-lived-cloud-credentials</link>
                                                                            <description>
                            <![CDATA[ With compromised credentials behind the majority of cloud security incidents, companies need to secure identities ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">A2DcX65UMVSzMzRvizoBse</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/pY6qWM5GrgFHhDGkDVyDkm-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Tue, 22 Oct 2024 10:59:25 +0000</pubDate>                                                                                                                                <updated>Tue, 22 Oct 2024 14:47:53 +0000</updated>
                                                                                                                                            <category><![CDATA[Cloud Security]]></category>
                                                    <category><![CDATA[Cloud]]></category>
                                                                                                                    <dc:creator><![CDATA[ Emma Woollacott ]]></dc:creator>                                                                <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/aWfskavxoVSMDy6cDWtYmJ.jpg ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/pY6qWM5GrgFHhDGkDVyDkm-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Cloud security concept image showing a cloud symbol placed on top of a circuit board.]]></media:description>                                                            <media:text><![CDATA[Cloud security concept image showing a cloud symbol placed on top of a circuit board.]]></media:text>
                                <media:title type="plain"><![CDATA[Cloud security concept image showing a cloud symbol placed on top of a circuit board.]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/pY6qWM5GrgFHhDGkDVyDkm-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>‘Long-lived’ cloud credentials are still a major risk for organizations across all cloud providers, according to new research from Datadog, and nearly half of organizations are using them.</p><p>These cloud credentials never expire and are a major security risk, often leaked in source code, container images, build logs and application artifacts - indeed, they're the most common cause of publicly documented cloud security breaches.</p><p>They're widespread across all major clouds, often old and sometimes even unused, with 62% of <a href="https://www.itpro.com/cloud/cloud-computing/google-cloud-platform-review-a-solid-but-expensive-service-for-cloud-infrastructure">Google Cloud</a> service accounts, 60% of AWS IAM users, and 46% of Microsoft Entra ID applications having an access key more than a year old. </p><p>"The findings from the State of Cloud Security 2024 suggest it is unrealistic to expect that long-lived credentials can be securely managed," said Andrew Krug, head of security advocacy at Datadog. </p><p>"In addition to long-lived credentials being a major risk, the report found that most cloud security incidents are caused by compromised credentials." </p><p>The good news is that more organizations are now using cloud guardrails as cloud providers start to enable them by default. 
Nearly eight-in-ten S3 buckets are covered by an account-wide or bucket-specific S3 Public Access Block, up from 73% a year ago.</p><p>However, more than 18% of <a href="https://www.itpro.com/cloud/370070/what-is-aws-ec2">AWS EC2</a> instances and a third of <a href="https://www.itpro.com/cloud/cloud-computing/google-cloud-doubles-down-on-ai-hypercomputer-amid-sweeping-compute-upgrades">Google Cloud VMs</a> have sensitive permissions to a project, putting organizations at risk by allowing any attacker compromising the workload to steal associated credentials and access the cloud environment.</p><p>Similarly, one-in-ten third-party integrations have risky cloud permissions, the study found, allowing the vendor to access all data in the account or to take over the whole AWS account. </p><p>Meanwhile, 2% of third-party integration roles don't enforce the use of External IDs, allowing an attacker to compromise them through a "confused deputy" attack.</p><p>"To protect themselves, companies need to secure identities with modern authentication mechanisms, leverage short-lived credentials and actively monitor changes to <a href="https://www.itpro.com/tag/application-programming-interface">APIs</a> that attackers commonly use," advised Krug.</p><p>In the wake of the study, Datadog said organizations should make use of mechanisms that provide time-bound, temporary credentials. For workloads, this can be managed with IAM roles for EC2 instances or EKS Pod Identity in AWS, Managed Identities in Azure, and service accounts attached to workloads for Google Cloud. 
</p><p>For humans, the most effective solution is to centralize identity management using a solution like AWS IAM Identity Center, Okta, or Microsoft Entra ID, and to avoid the use of individual cloud users for each employee, which can be highly inefficient and risky.</p><h2 id="concerns-over-risky-cloud-credentials-continue">Concerns over risky cloud credentials continue</h2><p><a href="https://www.itpro.com/cloud/cloud-security/the-biggest-cloud-security-risk-in-2024-will-be-stolen-and-exposed-credentials">Stolen and exposed cloud credentials</a> were identified earlier this year as 2024's biggest <a href="https://www.itpro.com/cloud-security/34458/what-is-cloud-security">cloud security</a> risk.</p><p>Managed detection and response company Expel said that identity threats accounted for nearly two-thirds of all incidents investigated by its security operations center, and that <a 
href="https://www.itpro.com/cloud/32378/cloud-infrastructure-spending-exceeds-on-premise-for-the-first-time">cloud infrastructure</a> incidents were up by 72% across the last year. </p><p>Notably, stolen or leaked credentials were responsible for two-in-five incidents, highlighting the scale of the issue.</p><p>More than nine-in-ten of the incidents it detected or responded to occurred in AWS, with just 4% split evenly between GCP and <a href="https://www.itpro.com/microsoft-azure/34048/microsoft-azure-review-competitive-cloud-pricing-takes-a-bite-out-of-aws">Azure</a>. This was despite the fact that around half the company's cloud customers use AWS, around a third use Azure, and roughly 17% use GCP.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ “We're all focused on a common enemy”: AWS CISO Chris Betz wants greater industry collaboration for the multi-cloud era ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/cloud/cloud-security/were-all-focused-on-a-common-enemy-aws-ciso-chris-betz-wants-greater-industry-collaboration-for-the-multi-cloud-era</link>
                                                                            <description>
                            <![CDATA[ Chris Betz spoke to ITPro about the importance of collaboration and the firm’s focus on bringing security data together ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">3QGrt4pTkZPbbkL9QWJMXi</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/Nv62XgztGxWyKxGXeF5saF-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Wed, 16 Oct 2024 11:46:18 +0000</pubDate>                                                                                                                                <updated>Thu, 17 Oct 2024 09:10:12 +0000</updated>
                                                                                                                                            <category><![CDATA[Cloud Security]]></category>
                                                    <category><![CDATA[Cloud]]></category>
                                                                                                <author><![CDATA[ george.fitzmaurice@futurenet.com (George Fitzmaurice) ]]></author>                    <dc:creator><![CDATA[ George Fitzmaurice ]]></dc:creator>                                                                <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/N4xHCjSAXKcijjt3oiQtfc.jpg ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/Nv62XgztGxWyKxGXeF5saF-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                            <media:description><![CDATA[AWS logo pictured at the AWS Summit Seoul 2024 at COEX Convention & Exhibition Center on May 16, 2024, in Seoul, South Korea. ]]></media:description>                                                            <media:text><![CDATA[AWS logo pictured at the AWS Summit Seoul 2024 at COEX Convention & Exhibition Center on May 16, 2024, in Seoul, South Korea. ]]></media:text>
                                <media:title type="plain"><![CDATA[AWS logo pictured at the AWS Summit Seoul 2024 at COEX Convention & Exhibition Center on May 16, 2024, in Seoul, South Korea. ]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/Nv62XgztGxWyKxGXeF5saF-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Collaboration between cloud providers and the unification of cross-environment data will be critical to cybersecurity in the multi-cloud world, according to AWS CISO Chris Betz. </p><p>Responding to a question on how the hyperscaler approaches multi-cloud and hybrid cloud security, Betz told <em>ITPro</em> that he thinks about it in two key ways, the first being collaboration. </p><p>“One of the things that I love about the security community is how small a community it is,” Betz said.</p><p>Among fellow CISOs, there is a clear sense of being on the same side, he added. Security execs from different companies or providers are not adversaries; rather, their adversaries are threat actors. </p><p>“I frequently have conversations with my peers. I pick up the phone and talk to them on a regular basis. We share information about current threats,” Betz said. </p><p>“Because we're all focused on a common enemy, that collaboration is incredibly important,” he added. </p><p>This appears to feed into the firm’s ethos on multi-cloud. Betz noted that “the partnership between the clouds remains incredibly important because we recognize that customers operate in that space - we recognize that adversaries are outside.”</p><p>AWS has invested heavily in multi-cloud security capabilities in recent years. A key factor in this sharpened focus is that many customers are ramping up multi-cloud adoption as part of their cloud modernization strategies. </p><p>AWS offers solutions that automatically go multi-cloud, Betz said, as well as environments that allow customers to bring data together from multiple clouds to bolster visibility and ensure consistent observation of environments. 
</p><p><a href="https://press.aboutamazon.com/2023/5/aws-announces-general-availability-of-amazon-security-lake"><u>Released in 2023</u></a>, Amazon’s Security Lake centralizes organizational security from across AWS providers, SaaS providers, on-prem systems, and clouds into a data lake. This allows users to act more quickly and simply across hybrid and multi-cloud environments. </p><p>“We continue to build systems that allow for bringing the data together to have a consistent view of what happened,” Betz said. “And I think that's something that we're going to continue to see the industry do at large, and remain important for us and for our customers.”</p><h2 id="the-multi-cloud-era">The multi-cloud era</h2><p>Betz’s comments come just weeks after <a href="https://www.itpro.com/cloud/cloud-computing/many-of-our-long-time-rivals-are-now-our-partners-why-oracle-is-doubling-down-on-multi-cloud"><u>AWS and Oracle announced a partnership</u></a> focused on supporting multi-cloud environments. The offering allows for the use of Oracle database services within AWS. </p><p><a href="https://www.itpro.com/business/business-strategy/oracle-is-entering-the-multi-cloud-era-and-partnership-is-its-rallying-cry"><u>Multi-cloud was the focus point at </u><u><em>Oracle CloudWorld 2024</em></u></a>, the event where this partnership was unveiled, and customers across the board are operating on increasingly large cloud environments that bring together different vendors. </p><p>For example, <a href="https://corporate.ovhcloud.com/en-gb/newsroom/news/ovhcloud-uk-multicloud/"><u>research from OVHcloud</u></a> earlier this year found that 64% of IT decision-makers (ITDMs) in the UK see their use of multi-cloud increasing over the next two years. 
</p><p>But while multi-cloud is growing in appeal for enterprises globally, this approach can have its pitfalls, especially with regard to complexity. <a href="https://www.pwc.com/ca/en/services/consulting/cybersecurity-privacy/digital-trust-insights/secure-cloud-migration.html"><u>Research from PwC</u></a> earlier this year revealed IT leaders have grown concerned with the levels of complexity associated with multi-cloud security, for example. </p><p>“Many leaders of large organizations assume security is taken care of by cloud providers. Even if they recognize that’s not enough, many struggle to pinpoint where to invest resources to strengthen their cloud security. This is often because of the sheer complexity of their multi-cloud hybrid environments,” PwC said. 
</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Are your cloud resources at risk?  ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/cloud/cloud-security/are-your-cloud-resources-at-risk</link>
                                                                            <description>
                            <![CDATA[ Nearly 40% of organizations have high-risk workloads, and Tenable warns that they are prime attack targets for malicious actors ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">5AdheqUVwUFzqmfn54qGB9</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/svqQHJydYCRBsE5mYffKKU-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Fri, 11 Oct 2024 10:03:39 +0000</pubDate>                                                                                                                                <updated>Tue, 15 Oct 2024 14:05:28 +0000</updated>
                                                                                                                                            <category><![CDATA[Cloud Security]]></category>
                                                    <category><![CDATA[Cloud]]></category>
                                                                                                <author><![CDATA[ george.fitzmaurice@futurenet.com (George Fitzmaurice) ]]></author>                    <dc:creator><![CDATA[ George Fitzmaurice ]]></dc:creator>                                                                <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/N4xHCjSAXKcijjt3oiQtfc.jpg ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/svqQHJydYCRBsE5mYffKKU-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[A red digital cloud on a circuitboard ]]></media:description>                                                            <media:text><![CDATA[A red digital cloud on a circuitboard ]]></media:text>
                                <media:title type="plain"><![CDATA[A red digital cloud on a circuitboard ]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/svqQHJydYCRBsE5mYffKKU-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Over a third (38%) of organizations are running at least one cloud workload that is highly at risk for multiple reasons, <a href="https://www.tenable.com/cyber-exposure/tenable-cloud-risk-report-2024"><u>a report from Tenable has found</u></a>. </p><p>A combination of high privileges, <a href="https://www.itpro.com/security/critical-flaws-left-700-000-draytek-routers-exposed-but-dont-worry-theres-a-fix">critical vulnerabilities</a>, and public exposure defines these high-risk workloads, with Tenable stating that they are prime attack targets for malicious actors. </p><p>Tenable created the report by analyzing telemetry data from billions of cloud assets across various clouds, between January and June 2024. </p><p>Breaking these issues down, the report found that over three-quarters (84.2%) of organizations possess unused or longstanding access keys with highly excessive permissions – which could lead to identity-based attacks.</p><p>The report's analysis of <a href="https://www.itpro.com/amazon-web-services">AWS</a>, <a href="https://www.itpro.com/cloud/cloud-computing/google-cloud-platform-review-a-solid-but-expensive-service-for-cloud-infrastructure">Google Cloud</a>, and <a href="https://www.itpro.com/tag/microsoft-azure">Microsoft Azure</a> revealed that 23% of cloud identities, both human and not, have severely excessive permissions. This figure rises to 35% in AWS alone. </p><p>Critical vulnerabilities also persist, the report said, with CVE-2024-21626 having remained unremediated in over 80% of workloads 40 days after it was published. CVE-2024-21338 was also found to be prevalent. </p><p>The report found that 74% of organizations have publicly exposed storage assets within their IT environments, including some storage assets that secure sensitive data. 
This issue is linked to excessive permissions.</p><p><a href="https://www.itpro.com/cloud/cloud-computing/kubernetes-v130-has-launched-heres-everything-you-need-to-know">Kubernetes</a> was identified in the report as a concern for this sort of exposure; 78% of organizations have publicly accessible Kubernetes API servers, around 41% of which allow inbound internet access. What’s more, 58% of organizations also have cluster-admin role bindings, giving some users unrestricted access to entire Kubernetes environments, while 44% run containers in privileged mode. </p><p>The report offers a few suggestions for managing the risk created through these issues. Businesses should closely monitor access to Kubernetes, for example, and ensure containers are only privileged when necessary.</p><p>Organizations should regularly rotate credentials and avoid using access keys that last for long periods. 
They should also prioritize remediating vulnerabilities and minimizing exposure by reviewing public assets. </p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Shared fate vs shared responsibility: What’s the difference and how can your business benefit? ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/cloud/cloud-security/shared-fate-vs-shared-responsibility-whats-the-difference-and-how-can-your-business-benefit</link>
                                                                            <description>
                            <![CDATA[ Knowing where your obligations end and your cloud provider's begin isn't always straightforward in the cloud – but it is essential for proper security and compliance ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">2LD8xsDvq9KazHi3f8N4U9</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/6J7qLSiKJDwawdKHyL5x56-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Thu, 10 Oct 2024 12:05:22 +0000</pubDate>                                                                                                                                <updated>Tue, 15 Oct 2024 11:05:48 +0000</updated>
                                                                                                                                            <category><![CDATA[Cloud Security]]></category>
                                                    <category><![CDATA[Cloud]]></category>
                                                                                                <author><![CDATA[ solomon.klappholz@futurenet.com (Solomon Klappholz) ]]></author>                    <dc:creator><![CDATA[ Solomon Klappholz ]]></dc:creator>                                                                <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/pjZQRW2qWqQNjxubC6SUQ5.jpg ]]></dc:description>
                                                                                                        <dc:contributor><![CDATA[ George Fitzmaurice ]]></dc:contributor>
                                                                                                                                                                                    <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/6J7qLSiKJDwawdKHyL5x56-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Cloud security concept image showing a digitalized cloud symbol with a padlock sitting on a circuit board.]]></media:description>                                                            <media:text><![CDATA[Cloud security concept image showing a digitalized cloud symbol with a padlock sitting on a circuit board.]]></media:text>
                                <media:title type="plain"><![CDATA[Cloud security concept image showing a digitalized cloud symbol with a padlock sitting on a circuit board.]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/6J7qLSiKJDwawdKHyL5x56-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>When a cybersecurity incident implicates both a vendor and a customer, it’s not always clear where responsibility lies. While customers lack oversight on a tool’s underlying security, the provider lacks oversight on how securely the tool is being used. </p><p>Under the ‘shared responsibility model’, the division of roles seems fairly straightforward. <a href="https://www.crowdstrike.com/en-us/cybersecurity-101/cloud-security/shared-responsibility/#:~:text=In%20its%20simplest%20terms%2C%20the,itself%20and%20its%20underlying%20infrastructure." target="_blank">CrowdStrike’s definition</a>, for example, states that the cloud provider is responsible for monitoring threats to the cloud and its infrastructure, while customers are responsible for the protection of data and assets within the cloud environment. </p><p>Speaking to <em>ITPro</em>, Nick Godfrey, director of the office of the CISO at Google Cloud, says the answer is a new approach to responsibility in the public cloud landscape, the shared fate model. </p><p>Godfrey outlines how the shared responsibility model was developed to deal with the new territory cloud represented. </p><p>“As we shifted into the cloud, we needed to be able to draw a line to say, ‘What’s the customer responsible for?’ For example, the cloud provider would, in that model, be responsible for the physical environment, the data centers, and some of the physical networking and computing that underpin the cloud,” he explains.</p><p>“Conversely, the customer would be responsible for the identity and access management of who in their organization has access to their applications on top of the cloud. 
The complexity comes because the point of delineation varies depending on what type of cloud you’re using.”</p><p>The cloud ecosystem comprises a number of different technologies and, depending on what businesses have implemented, the responsibility of the cloud provider could reach deeper into the organization.</p><p>For example, Godfrey notes, <a href="https://www.itpro.com/cloud/software-as-a-service-saas/362655/what-is-saas">software as a service (SaaS)</a> solutions such as an HR portal used by employees are virtually always limited to managing identity and access data within that portal. In contrast, <a href="https://www.itpro.com/cloud/infrastructure-as-a-service-iaas/362605/what-is-iaas">infrastructure as a service (IaaS)</a> tools often burden the customer with far greater responsibility for securing that storage and maintaining the virtual network it runs on.</p><p>Godfrey argues new complications like these have exposed the limitations of the shared responsibility model, and that the framework for assigning responsibility needs to evolve to reflect this growing complexity. Although helpful, the boundaries delineated under the shared responsibility model are too rigid, Godfrey claims, which can lead to security gaps.</p><h2 id="making-the-step-from-shared-responsibility-to-shared-fate">Making the step from shared responsibility to shared fate</h2><p>The distinction between shared fate and shared responsibility models centers around the extent to which the cloud provider works alongside the customer to understand how to configure and design their cloud. 
Godfrey tells <em>ITPro</em> that early definitions of shared responsibility saw documentation given to customers outlining best practices but that they were largely left to defend their cloud alone.</p><p>Shared fate, by contrast, is defined by an increased focus on working with the customer, alongside tailoring one’s cloud products so that they are easier for businesses to use out of the box.</p><p>Godfrey breaks down where he thinks shared fate can really help organizations into three core areas:</p><h3 class="article-body__section" id="section-collaboration-on-the-entire-environment"><span>Collaboration on the entire environment</span></h3><p>The first area in which shared fate goes beyond shared responsibility is in helping businesses hit the ground running with their cloud deployment, as vendors develop partnerships with customers, says Godfrey.</p><p>At Google Cloud, Godfrey says he’s implemented a dedicated team of cloud professionals to work with their customers on the cloud transition. In any set of circumstances, it's vital for service providers to reach out to the cyber leaders within their customer organizations to update legacy attitudes to fit modern cloud security.</p><h3 class="article-body__section" id="section-giving-customers-resources"><span>Giving customers resources</span></h3><p>Another aspect of a shared fate model is providing customers with frameworks, best practices, and resources. </p><p>This includes guidance on how they should think about identity, and how to secure specific types of workload in their cloud environment, Godfrey adds.</p><h3 class="article-body__section" id="section-changing-default-behaviors"><span>Changing default behaviors</span></h3><p>Finally, Godfrey thinks cloud providers need to put in the work behind the scenes and change how they think about the default configurations of their products. 
</p><p>“If the fundamental job of a customer in securing the cloud is figuring out which configurations and architectures they need to have in order to be secure, then we can do a better job as an industry by making the default configurations for the products and services that they instantiate in their environment secure by default,” he says.</p><p>“This means ensuring that if there’s a security-critical feature or function, it should be on by default.”</p><p>Most of this work needs to be done before the customer even receives the product. This is another reason for cloud providers to work actively with each customer, to understand which default settings and configurations would be most useful for them based on their processes and workflows.</p><h2 id="debunking-the-myth-that-ciso-and-cto-are-naturally-opposed">Debunking the myth that CISO and CTO are naturally opposed</h2><p>Godfrey, a former CISO, thinks one aspect of a mature cloud strategy that goes overlooked is its ability to unify the aims of security executives and technology leaders, where there can often be friction. He adds that one of the megatrends Google Cloud has identified driving cloud adoption is its ability to transform security assurance in development pipelines. </p><p>“I think cloud is an interesting opportunity for totally debunking that myth, by having both those parties sit down and agree on a set of shared outcomes they’re looking for, a shared north star,” says Godfrey.</p><p>“Because if you think about it, every CIO would like agility, the ability to provide new technologies that will feed the business needs and so on, and in order to do that, they’re incentivized with cloud to build high-quality CI/CD pipelines, lots of automation, the ability to deploy very quickly, the ability to pull it back if it didn’t work. 
That’s exactly the environment the CTO wants,” Godfrey notes.</p><p>Through the right shared fate model and approach to the cloud, Godfrey adds, leaders can bake security into development pipelines from the outset.</p><p>“So we actually work quite closely with CIOs as well to say that, ‘you know, actually you want the same things’, and so I genuinely think you can massively enable innovation, agility, and improve security at the same time with the same approaches.”</p><h2 id="shared-responsibility-is-creating-confusion-in-cybersecurity">Shared responsibility is creating confusion in cybersecurity</h2><p>The shared responsibility model can be applied broadly across cybersecurity. Difficulties are created, however, when a cybersecurity incident affects both parties. If the use of a product leads to a breach or attack, then the product vendor will likely have to in some way address the issue. </p><p>Speaking at a media briefing for Proofpoint Protect London 2024, Proofpoint’s EVP of cybersecurity strategy Ryan Kalember outlined some of the complexity shared responsibility can create. </p><p>“So when everybody moved to cloud the first time and SaaS services became a thing it was ‘we're responsible for the application layer and kind of the infrastructure underlying that,’... but there are all these things that you, as an end user of that, can configure, and you're responsible for those,” Kalember says.</p><p>Within reason, any security product can be poorly configured, Kalember adds, noting that’s created difficulties for Proofpoint in how it balances security and customer decision making. 
</p><p>“This is a complicated problem for us because, in this shared responsibility model, we're not going to force our customers to change configurations around their trust of Microsoft,” Kalember explains, referring to <a href="https://www.itpro.com/security/a-flaw-in-proofpoints-anti-phishing-platform-allowed-a-hacker-to-send-millions-of-spam-emails"><u>a spam campaign involving Proofpoint and Microsoft in August</u></a>.</p><p>In the spam campaign, a user configuration of Proofpoint’s platform was abused to relay emails via Microsoft 365 tenants. </p><p>“We don't want this to happen, but we also can't totally overhaul our customer's configurations without consulting them and working with them,” Kalember said.  
</p><p>“We have to nudge them progressively more aggressively over time to just say, ‘Hey, we would really love you to not be doing this, because this is being bounced off of you from Microsoft and going to other people,’” he added. </p><p>How responsibility is divided then becomes a tricky problem to solve, as vendors are forced to question what role they play in managing the implementation of their tool, rather than just the security of the tool itself.</p><p>“If you let people set up what is effectively a giant data lake of very sensitive information, in most cases, behind a password and nothing more, what is your responsibility for that?” Kalember asks. </p><p>“That's exactly the sort of question that we're trying to struggle with,” he added. “We can even put it in the contract that ‘We don't want you to do this,’ but we're not going to go to the admin with a cattle prod and say, ‘You can't do this’”</p><p>There are still options. Kalember said Proofpoint was having an internal discussion on how aggressive it should be in telling users they’ve made an unwise decision with their product and has considered making certain configurations “very hard to do”. </p><p>The latter option could come into play for <a href="https://www.itpro.com/cloud/amazon-s3/367664/what-is-amazon-s3">Amazon S3</a> buckets, for example, which <a href="https://www.itpro.com/security/29907/aws-adds-default-encryption-to-leaky-s3-buckets"><u>have been notoriously left open</u></a> to enable cyber attacks. Amazon now makes it very difficult for users to configure buckets in that way. 
</p><p>“We're trying to adopt more of those principles when it comes to ways that our own products can be configured in a risky way,” he adds. </p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Venafi’s new life under CyberArk is all about end-to-end identity management  ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/cloud/cloud-security/venafis-new-life-under-cyberark-is-all-about-end-to-end-identity-management</link>
                                                                            <description>
                            <![CDATA[ The veteran machine identity management provider could be the missing piece of the puzzle for securing growing attack surfaces ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">8KhToVVvaT3pGc6MDdfaXc</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/MAGnLonMp9NxMbwfcJaqNj-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Mon, 07 Oct 2024 12:16:52 +0000</pubDate>                                                                                                                                <updated>Tue, 08 Oct 2024 11:49:00 +0000</updated>
                                                                                                                                            <category><![CDATA[Cloud Security]]></category>
                                                    <category><![CDATA[Cloud]]></category>
                                                                                                <author><![CDATA[ solomon.klappholz@futurenet.com (Solomon Klappholz) ]]></author>                    <dc:creator><![CDATA[ Solomon Klappholz ]]></dc:creator>                                                                <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/pjZQRW2qWqQNjxubC6SUQ5.jpg ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/MAGnLonMp9NxMbwfcJaqNj-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[A CGI render of a glowing cloud symbol on a high-tech display, surrounded by nodes which represent the cloud market. Decorative: The cloud is encompassed by a glowing orange circle, while the nodes are blue. All are against a dark, reflective background.]]></media:description>                                                            <media:text><![CDATA[A CGI render of a glowing cloud symbol on a high-tech display, surrounded by nodes which represent the cloud market. Decorative: The cloud is encompassed by a glowing orange circle, while the nodes are blue. All are against a dark, reflective background.]]></media:text>
                                <media:title type="plain"><![CDATA[A CGI render of a glowing cloud symbol on a high-tech display, surrounded by nodes which represent the cloud market. Decorative: The cloud is encompassed by a glowing orange circle, while the nodes are blue. All are against a dark, reflective background.]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/MAGnLonMp9NxMbwfcJaqNj-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Venafi’s Machine Identity Summit 2024 was both a statement of where the company is headed under its new owner and a reminder of its leadership in the machine identity space.</p><p>Taking place at the same time as <a href="https://www.itpro.com/business/acquisition/cyberark-to-acquire-machine-identity-management-specialist-venafi-for-dollar154-billion"><u>CyberArk’s $1.5 billion acquisition of Venafi</u></a> was finally made official, the event acted as a stage to justify the move and explain how customers could benefit from the combination of both companies’ decades of experience.</p><p>The benefits of the acquisition for CyberArk are clear: while the firm has been doing identity security for the last 25 years, it has <a href="https://www.cyberark.com/press/cyberark-completes-acquisition-of-machine-identity-management-leader-venafi/"><u>stated</u></a> that the addition of Venafi’s portfolio will allow it to deliver “end-to-end machine identity security at enterprise scale”.</p><p>Venafi’s <a href="https://www.itpro.com/security/31775/what-is-public-key-infrastructure-pki"><u>public key infrastructure (PKI)</u></a> and machine identity solutions will complement the wider array of identity security offerings in CyberArk’s portfolio, with the promise of a single dashboard unifying the two proving alluring to customers.</p><p>This appears to meet customer demands, with Ricardo Lafosse, CISO at Kraft Heinz, using his time on stage to repeatedly call for “one dashboard, please!” when asked for his thoughts on the acquisition. Lafosse compared the combination of CyberArk and Venafi to Terminator 2. 
Hyperbole and pop culture aside, what Lafosse likely meant by this was that combined, the two firms can offer a far more comprehensive identity solution.</p><p>He added that customers of the combined firm will now get a far more comprehensive picture of their security, allowing them to make <a href="https://www.itpro.com/business/business-strategy/what-does-data-driven-mean-in-business"><u>data-driven</u></a> decisions on their identity controls.</p><p>This will be the big takeaway for most customers. Gone are the days of compartmentalized identity management and security workflows, if CyberArk’s claims are to be taken at face value.</p><h2 id="hybrid-and-multi-cloud-will-cause-headaches-for-identity-management">Hybrid and multi-cloud will cause headaches for identity management</h2><p>At its event, Venafi unveiled specific updates to its Control Plane for Machine Identities solution aimed at improving the overall experience for customers. This, it says, will be central to any unified solution coming down the line.</p><p>Another major theme of the conference was highlighting how increased adoption of hybrid and multi-cloud environments was fuelling an explosion in the number of machine identities firms need to manage.</p><p>Jeff Hudson, CEO at Venafi and now CEO emeritus under the new CyberArk umbrella, said the combination of <a href="https://www.itpro.com/cloud/cloud-computing/aws-says-enterprises-are-moving-back-on-prem-but-does-cloud-repatriation-really-threaten-hyperscalers"><u>on premise</u></a> and <a href="https://www.itpro.com/cloud/public-cloud/public-cloud-investment-surged-nearly-20-in-2023-and-analysts-predict-global-spending-will-reach-dollar16-trillion-by-2028"><u>public cloud</u></a> distributed across multiple providers has created innumerable new silos. 
Across all of these, he added, firms will need to track machine identities.</p><p>The ongoing embrace of CNCF has also drastically changed the types of identities being generated, as well as their lifecycle, only exacerbating the complexity for security practitioners.</p><p>Venafi wants to capture the corresponding demand from enterprises for visibility across these silos, as well as provide automation to help deal with the sheer volume of assets whose identities need to be monitored, rotated, and secured.</p><p>The announcement at its 2024 Summit of new additions to TLS Cloud Protect, which will now allow security teams to natively integrate it across AWS, Azure, and GCP, should go some way toward doing that.</p><h2 id="actively-securing-identities-is-the-next-challenge-venafi-wants-face">Actively securing identities is the next challenge Venafi wants to face</h2><p>Hudson made some bold remarks on stage in Boston, claiming we are entering a new era of identity and cyber security in which Venafi will focus on securing identities over simply managing those identities moving forward.</p><p>Future-facing aspects of the event included repeated discussion of the post-<a href="https://www.itpro.com/technology/artificial-intelligence/dell-cto-ai-nothing-compared-to-the-oncoming-quantum-storm"><u>quantum threat</u></a>, which Venafi thinks should now be taken seriously by businesses. 
Specifically, consideration of the quantum threat at Machine Identity Summit 2024 centered on the considerable threat quantum poses to the underlying <a href="https://www.itpro.com/security/innovation-at-work/24460/what-is-data-encryption"><u>encryption</u></a> techniques underpinning the majority of identity systems in use today.</p><p>Speaking onstage at the Summit, Colin Soutar, MD of risk & financial advisory at Deloitte & Touche LLP, pointed to expert projections that there is a finite probability we see a quantum computer within the next decade.</p><p>Firms should not be burying their heads in the sand on this threat, however nebulous it may appear, and Venafi wants to show it is keenly aware of how identity security is threatened by potential quantum-based attacks.</p><p>Accordingly, Venafi announced new post-quantum cryptography integrations in Control Plane, including support for the new <a 
href="https://www.itpro.com/security/nist-aims-to-quantum-proof-encryption-with-new-algorithms"><u>NIST-approved</u></a> post-quantum <a href="https://www.itpro.com/data-insights/30212/what-is-an-algorithm"><u>algorithms</u></a> in the latest versions of TLS Protect and CodeSign Protect.</p><p>Kevin Bocek, chief innovation officer at Venafi, said that overall, the new strategy outlined by Hudson was very much driven by the threat landscape, in which <a href="https://www.itpro.com/security/cyber-attacks/the-rise-of-identity-based-cyber-attacks-and-how-to-mitigate-them"><u>identity-based attacks</u></a> are core to many hugely disruptive malicious campaigns.</p><p>Leaders must reorient their approach towards identity security, according to Bocek, to ensure they have an active process to manage the security of identities at all times.</p><p>Venafi, in its new role within the CyberArk ecosystem, is in a good place to leverage its new partners’ long history in securing these identities when it comes to fending off the identity-based attacks of the future. </p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Hybrid cloud environments are under serious threat from hackers – here’s what you need to know ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/cloud/cloud-security/hybrid-cloud-environments-are-under-serious-threat-from-hackers-heres-what-you-need-to-know</link>
                                                                            <description>
                            <![CDATA[ Storm-0501 has been carrying out data exfiltration, credential theft, tampering, persistent backdoor access and ransomware deployment ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">f2LVdxt2vczEC69NUN5ckn</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/pY6qWM5GrgFHhDGkDVyDkm-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Mon, 07 Oct 2024 09:17:40 +0000</pubDate>                                                                                                                                <updated>Mon, 07 Oct 2024 09:18:32 +0000</updated>
                                                                                                                                            <category><![CDATA[Cloud Security]]></category>
                                                    <category><![CDATA[Cloud]]></category>
                                                                                                                    <dc:creator><![CDATA[ Emma Woollacott ]]></dc:creator>                                                                <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/aWfskavxoVSMDy6cDWtYmJ.jpg ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/pY6qWM5GrgFHhDGkDVyDkm-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Cloud security concept image showing a cloud symbol placed on top of a circuit board.]]></media:description>                                                            <media:text><![CDATA[Cloud security concept image showing a cloud symbol placed on top of a circuit board.]]></media:text>
                                <media:title type="plain"><![CDATA[Cloud security concept image showing a cloud symbol placed on top of a circuit board.]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/pY6qWM5GrgFHhDGkDVyDkm-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Microsoft says it's identified a financially motivated cyber criminal group that uses open source tools to target hybrid cloud environments.</p><p>Known as 'Storm-0501', the group has been hitting a range of US organizations, including government, <a href="https://www.itpro.com/security/359492/cyber-attacks-on-manufacturing-up-300-in-a-year">manufacturing</a>, transportation, and law enforcement, carrying out data exfiltration, <a href="https://www.itpro.com/security/phishing/360714/credential-theft-most-prevalent-threat-to-corporate-inboxes">credential theft</a>, tampering, persistent backdoor access, and <a href="https://www.itpro.com/security/28084/what-is-ransomware">ransomware</a> attacks.</p><p>First spotted in 2021, the group initially targeted US school districts, but later moved on to more opportunistic attacks as a ransomware-as-a-service (RaaS) affiliate. </p><p>It's been using a number of ransomware payloads developed and maintained by other threat actors over the years, including Hive, <a href="https://www.itpro.com/security/ransomware/everything-we-know-so-far-about-the-rumored-alphv-takedown">BlackCat</a> (ALPHV), Hunters International, <a href="https://www.itpro.com/security/ransomware/lockbit-remains-most-dangerous-ransomware-despite-fall-in-attacks">LockBit</a>, and most recently, Embargo ransomware. It has also recently been targeting hospitals.</p><p>"Storm-0501 is the latest threat actor observed to exploit weak credentials and over-privileged accounts to move from organizations’ <a href="https://www.itpro.com/cloud/cloud-computing/359904/on-premises-vs-cloud-which-is-better-for-your-business">on-premises environments</a> to cloud environments," Microsoft said in an advisory. 
</p><p>"They stole credentials and used them to gain control of the network, eventually creating persistent backdoor access to the cloud environment and deploying ransomware to the on-premises."</p><p>The group's access techniques include the use of stolen credentials and known exploits to find over-privileged accounts - for example through known vulnerabilities in Zoho ManageEngine, Citrix NetScaler and ColdFusion 2016 applications.</p><p>"After gaining initial access and code execution capabilities on the affected device in the network, the threat actor performed extensive discovery to find potential desirable targets such as high-value assets and general domain information like Domain Administrator users and domain forest trust," Microsoft said. </p><p>"Common native <a href="https://www.itpro.com/penetration-testing/30697/kali-linux-comes-to-windows-10-handing-hacking-tools-to-pen-testers">Windows tools</a> and commands, such as systeminfo.exe, net.exe, nltest.exe, tasklist.exe, were leveraged in this phase." </p><p>Stolen credentials have allowed Storm-0501 to move laterally across the network to reach a domain controller, and then deploy ransomware across the devices in said network.</p><p>It's been spotted exfiltrating sensitive data from compromised devices by using the open source tool Rclone and renaming it to known Windows binary names or variations of them, such as svhost.exe or scvhost.exe.</p><p>The renamed Rclone binaries were used to transfer data to the cloud using a dedicated configuration that synchronized files to public cloud storage services such as MegaSync across multiple threads. </p><p>Once the group achieved sufficient control over the network, successfully extracted sensitive files, and managed to move laterally to the cloud environment, it deployed the Embargo ransomware across the organization. </p><p>"Embargo ransomware is a new strain developed in Rust, known to use advanced encryption methods. 
Operating under the <a href="https://www.itpro.com/security/29332/the-rise-of-ransomware-as-a-service">RaaS</a> model, the ransomware group behind Embargo allows affiliates like Storm-0501 to use its platform to launch attacks in exchange for a share of the ransom," Microsoft explained. </p><p>"Embargo affiliates employ double extortion tactics, where they first encrypt a victim’s files and threaten to leak stolen sensitive data unless a ransom is paid."</p><p>Microsoft said it's recently implemented a change in Microsoft Entra ID that restricts permissions on the Directory Synchronization Accounts (DSA) role in Microsoft Entra Connect Sync and Microsoft Entra Cloud Sync. </p><p>This, the tech giant said, helps prevent threat actors from abusing Directory Synchronization Accounts in attacks.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ What is firewall as a service (FWaaS)? ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/cloud/cloud-security/what-is-firewall-as-a-service-fwaas</link>
                                                                            <description>
                            <![CDATA[ Amid the increasing complexity of distributed work and data sprawl, FWaaS can step in as a scalable, cloud-based solution that improves on traditional firewalls ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">S9h9qPRQG2HFLB32B9z7d8</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/TpZfVyvznScP9xuqDKBM2L-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Thu, 05 Sep 2024 12:06:15 +0000</pubDate>                                                                                                                                <updated>Fri, 27 Sep 2024 11:18:36 +0000</updated>
                                                                                                                                            <category><![CDATA[Cloud Security]]></category>
                                                    <category><![CDATA[Cloud]]></category>
                                                                                                                    <dc:creator><![CDATA[ Avya Chaudhary ]]></dc:creator>                                                                <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/9feK3t7cKTsDFyTxTM5kfi.jpg ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/TpZfVyvznScP9xuqDKBM2L-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[A digital render of a hologram of a shield bearing a tick symbol representing firewall as a service (FWaaS). Decorative: the hologram is hovering above a lightly-blurred dark touchscreen bearing glowing red, green, and blue lights.]]></media:description>                                                            <media:text><![CDATA[A digital render of a hologram of a shield bearing a tick symbol representing firewall as a service (FWaaS). Decorative: the hologram is hovering above a lightly-blurred dark touchscreen bearing glowing red, green, and blue lights.]]></media:text>
                                <media:title type="plain"><![CDATA[A digital render of a hologram of a shield bearing a tick symbol representing firewall as a service (FWaaS). Decorative: the hologram is hovering above a lightly-blurred dark touchscreen bearing glowing red, green, and blue lights.]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/TpZfVyvznScP9xuqDKBM2L-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Brazil's Public Defender's Office for Human Rights is one of the many organizations that have jumped on the firewall bandwagon, and it’s easy to see why. Thanks to its hybrid mesh firewall setup, the office faced <a href="https://www.fortinet.com/customers/defensoria-publica-da-uniao"><u>99%</u></a> fewer suspicious emails and practically non-existent security incidents that once climbed to 500+ a year. </p><p>It's not just a one-off success story — firewalls have been our first line of defense against <a href="https://www.itpro.com/security/world-economic-forum-warns-of-growing-cyber-insecurity-amid-heightened-threat-landscape"><u>cyber threats</u></a> since the 1980s and are still going strong, even with a flood of other <a href="https://www.itpro.com/business/business-strategy/why-msps-are-switching-their-focus-to-cybersecurity-solutions"><u>cybersecurity solutions</u></a> on the market. </p><p>But how do firewalls fit into today’s remote-first, distributed, and cloud-driven IT world where networks are constantly shifting, threats are more sophisticated, and <a href="https://www.itpro.com/infrastructure/data-centres/why-frankfurt-is-clamping-down-on-data-center-sprawl"><u>data is sprawling</u></a> across multiple environments? </p><p>The answer is firewall as a service (FWaaS) — a cloud-based solution that centralizes traffic inspection by combining next-generation firewall (NGFW) capabilities with <a href="https://www.itpro.com/security-appliances/26453/choosing-the-right-utm-appliance"><u>unified threat management</u></a> (UTM).</p><p>Traditional firewalls are built to handle traffic within physical office spaces. FWaaS moves your firewall to the cloud where it can scale up or down to fit modern IT needs. 
It also helps take a lot of the heavy lifting off your IT team's shoulders with built-in <a href="https://www.itpro.com/business-intelligence/28220/what-is-data-analytics"><u>advanced analytics</u></a> and real-time, granular visibility across multiple micro-perimeters. </p><p>It’s an approach garnering a lot of enterprise interest right now, with the global FWaaS market valued at $2.53 billion (£1.92 billion) by <a href="https://www.grandviewresearch.com/industry-analysis/firewall-as-a-service-market-report" target="_blank"><u>Grand View Research</u></a> in 2022 and expected to grow to $12.2 billion (£9.27 billion) by 2030.</p><h2 id="how-does-fwaas-work">How does FWaaS work?</h2><p>FWaaS directs all network traffic—whether from in-house systems, remote users, or cloud-based resources—through a cloud-based firewall. </p><p>Brian Soby, a former Salesforce security director and partner at Freefly Security, raves about FWaaS, calling it a "Swiss Army knife" for security. </p><p>“FWaaS integrates intrusion prevention systems (IPS), firewalls, and <a href="https://www.itpro.com/network-internet/virtual-private-network-vpn/367994/vpn-or-virtual-private-networks-what-businesses"><u>virtual private networks (VPNs)</u></a> into one powerful tool for improved threat detection,” he tells <em>ITPro</em>. “This all-in-one approach is a big selling point when you're talking to people about cybersecurity.” </p><p>The integrated firewall <a href="https://www.itpro.com/network-internet/34780/network-monitoring-what-every-admin-should-be-looking-out-for"><u>scrutinizes network traffic</u></a> with deep packet inspection and creates a strong perimeter defense. Later, an IPS detects policy violations and protocol anomalies inside the network that manage to bypass those barriers, while the VPN ensures secure, remote access for employees over the cloud. 
</p><p>Unlike traditional firewalls that require individual configuration, FWaaS provides a unified console where IT teams can control security policies and enforce compliance across the entire network. </p><p>FWaaS also gatekeeps the IT network by employing a software-defined perimeter (SDP) for a dynamic and secure boundary around your internal resources. The idea is built on <a href="https://www.itpro.com/security/what-is-zero-trust-network-access-ztna"><u>zero trust network access (ZTNA)</u></a> where only authenticated and authorized users can access your network. </p><h2 id="the-benefits-of-fwaas">The benefits of FWaaS</h2><p>Even though it's still nascent, <a href="https://www.itpro.com/cloud/cloud-computing/what-is-cloud-native-and-how-can-it-generate-business-value"><u>cloud native</u></a> FWaaS is working its way into organizations' security setups, thanks to ease of management and dynamic threat protection. </p><p>One of the biggest long-term benefits of FWaaS is its ability to create a resilient and cost-effective IT environment. “FWaaS shifts IT from a CapEx to an OpEx model, making it more cost-effective,” explains Lloyd Hopper of AlgoSec.</p><p>This shift means IT admins don’t have to spend on physical appliances or deal with the headaches of repairs and replacements. Oliver Page, CEO at CyberNut, adds to this, noting, "The providers handle security updates and management, which translates to lower maintenance costs for us."</p><p>Here’s a look at some of the other benefits of FWaaS:</p><ul><li><strong>Flexibility: </strong>FWaaS helps by breaking the network into smaller, isolated zones using micro-segmentation, each with its own security rules. This setup makes it harder for threats to move around within the network and handles the complexities of distributed and multi-cloud environments. 
Traditional firewalls, however, are usually built for a single, static perimeter and don’t offer this kind of flexibility.</li><li><strong>Deep integrations: </strong>FWaaS takes a flexible approach to network security by teaming up with cloud-native tools like Terraform. This means teams get <a href="https://www.itpro.com/security/ai-security-tools-promise-to-supercharge-productivity-but-experts-worry-cyber-pros-could-become-too-reliant"><u>automated security</u></a> policy management, <a href="https://www.itpro.com/business/digital-transformation/what-is-infrastructure-as-code-iac-and-what-are-its-benefits"><u>infrastructure as code (IaC)</u></a>, and smooth updates across cloud environments.</li><li><strong>Hardware-free scalability: </strong>FWaaS can autoscale based on traffic load and sudden spikes without needing new hardware. It also handles auto-updates and integrates smoothly with <a href="https://www.itpro.com/cloud/367974/what-is-cloud-orchestration-software"><u>cloud orchestration tools</u></a> so IT teams can tweak security policies and settings in real-time, based on cloud capabilities and incoming traffic.</li><li><a href="https://www.itpro.com/security/network-security/358282/what-is-zero-trust"><strong>Zero trust</strong></a><strong> security: </strong>Unlike traditional firewalls, which rely on a static perimeter approach and assume internal traffic is safe, FWaaS enforces granular, policy-based access controls to continuously validate user identities, device health, and access requests.</li></ul><p>Things can run more smoothly as IT teams harness the power of <a href="https://www.itpro.com/strategy/28181/what-is-ai"><u>AI</u></a>. Page notes that FWaaS, when combined with AI and <a href="https://www.itpro.com/strategy/28071/what-is-machine-learning">machine learning (ML)</a>, can offer better prevention. 
This is because AI can analyze vast amounts of data and use it to detect and block threats, an advantage traditional firewalls cannot offer.</p><h2 id="where-does-fwaas-sit-within-sase">Where does FWaaS sit within SASE?</h2><p>Secure access service edge (SASE) brings together FWaaS, WAN, <a href="https://www.itpro.com/software-defined-wide-area-network-sd-wan/33346/what-is-sd-wan"><u>SD-WAN</u></a>, and security service edge (SSE) to secure distributed teams and remote users with a global firewall policy. IT teams can now break down <a href="https://www.itpro.com/business-strategy/data-insights/370274/taking-back-control-of-the-data-silos-holding-your-business"><u>security siloes</u></a> by enforcing the same set of security rules consistently across all users, no matter where they're located.</p><p>“Both FWaaS and SASE are cloud-based and work well with other cloud services and applications to offer a cohesive, decentralized security solution,” explains Page.  </p><p>FWaaS also offers <a href="https://www.itpro.com/cloud/31389/what-is-edge-computing">edge</a>-based deployment that aligns well with SASE’s principle of providing security closer to the network edge. Placing the firewall closer to users and devices allows it to inspect and regulate traffic at its source to enable secure communications right from the point of entry. </p><p>Alongside other SASE security tools, FWaaS can enable real-time, 360-degree visibility into network traffic and identify patterns, or anomalies that might make IT systems vulnerable. 
</p><p>For example, FWaaS alerts the ZTNA system to temporarily restrict data access if any suspicious activity is detected from an employee's device. Or if it identifies a website that shows signs of a <a href="https://www.itpro.com/technology/artificial-intelligence-ai/370366/social-engineering-attacks-generative-ai-soar-135"><u>social engineering attack</u></a>, the system notifies a secure web gateway to block site access for everyone on the network. </p><p>Another benefit of FWaaS is that it can dynamically learn from threats. By analyzing the data and feedback it collects from SASE-enabled tools, FWaaS can continuously improve its own detection <a href="https://www.itpro.com/data-insights/30212/what-is-an-algorithm"><u>algorithms</u></a> and reduce the risk of false positives.</p><p>“FWaaS-SASE integration is valuable in today’s increasingly distributed and cloud-centric environments, providing effective threat prevention and data protection while supporting the dynamic needs of modern businesses,” says Hopper. 
</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ How is hybrid cloud security evolving? ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/cloud/cloud-security/how-is-hybrid-cloud-security-evolving</link>
                                                                            <description>
                            <![CDATA[ With increasingly complex cloud environments, cyber security tools are constantly changing to meet the needs of growing businesses ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">shmjiMCQEbEgk8HaFpwzfk</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/M5csFvNWDEuWjzvggZ8GVL-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Mon, 02 Sep 2024 16:06:16 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Cloud Security]]></category>
                                                    <category><![CDATA[Cloud]]></category>
                                                                                                <author><![CDATA[ george.fitzmaurice@futurenet.com (George Fitzmaurice) ]]></author>                    <dc:creator><![CDATA[ George Fitzmaurice ]]></dc:creator>                                                                <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/N4xHCjSAXKcijjt3oiQtfc.jpg ]]></dc:description>
                                                                                                                                    <sponsoredContent>true</sponsoredContent>
                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/M5csFvNWDEuWjzvggZ8GVL-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Digital data security padlock on futuristic circuit board]]></media:description>                                                            <media:text><![CDATA[Digital data security padlock on futuristic circuit board]]></media:text>
                                <media:title type="plain"><![CDATA[Digital data security padlock on futuristic circuit board]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/M5csFvNWDEuWjzvggZ8GVL-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>More and more businesses are opting for the hybrid cloud approach, meaning they share the burden of their cloud storage requirements across both cloud - whether public or private - and on-prem.</p><p>This sort of environment works well for several reasons, allowing enterprises to reap the benefits of different systems simultaneously while also minimizing their relevant downsides.</p><p>With firms such as Atlassian <a href="https://www.itpro.com/cloud/cloud-computing/atlassian-wont-push-on-cloud-migrations-in-savvy-move-for-the-enterprise-market"><u>altering their business strategies</u></a> to reflect this surge in hybrid cloud popularity, it’s worth noting exactly why this approach is so popular.</p><p>For example, hybrid cloud users benefit from both the enhanced scalability and flexibility of a public cloud provider while also ensuring their more sensitive data can remain in a centralized on-premise location. </p><p>Splitting workloads between two very different systems has its disadvantages, though. Keeping on top of complexity across different environments can be difficult, especially concerning security. </p><p>Hybrid cloud security can cause a world of problems for the typical IT decision-maker (ITDM), as threat levels grow exponentially the more spread out the ecosystem is and the more application or data sprawl is present.</p><p>Just as the relevant threats are evolving though, so too is hybrid cloud security. Cyber security systems are ever-changing and adapting to meet the needs of enterprise customers operating on a hybrid cloud. </p><h2 id="the-hybrid-cloud-problem-xa0">The hybrid cloud problem </h2><p>Data management is a fundamental concern from a security perspective in a hybrid cloud world. Any enterprise will need to work with a vast array of different data streams, some more sensitive or security-intensive than others. 
</p><p>Where businesses may wish to process some of the more sensitive data in private clouds or on-premises data centers, they will also likely want to process other data through the public cloud in the interest of efficiency. </p><p>Problems occur when navigating between these different environments. Any security decisions made regarding a business&apos;s public cloud must be reflected in some way in the business&apos;s private cloud or on-premises systems. </p><p>This doesn’t mean that security decisions in different environments will be the same, it just means that one will have to take the other into account in order to be at its most effective. </p><p>Hybrid cloud environments are also complex by their very definition, making security and visibility difficult. Experts have <a href="https://www.itpro.com/business-strategy/automation/357533/hybrid-cloud-complexity-fuelling-appetite-for-automation-says"><u>lamented the growing complexity of hybrid cloud environments</u></a> for years now and they’re only getting more difficult to manage as size increases. </p><p>Findings <a href="https://www.itpro.com/hybrid-cloud/29668/what-is-hybrid-cloud"><u>from </u><u><em>451 Research</em></u></a> showed that over half (51.8%) of respondents consider hybrid cloud storage to be less secure, putting poor security at the top of this technique&apos;s disadvantages. </p><p>“Hybrid cloud at its peak has on-premises and public cloud workloads operating as one cohesive identity. 
But achieving this is near impossible, as architectures are vastly different,” according to <a href="https://www.forrester.com/blogs/hybrid-cloud-is-hard-to-manage/"><u><em>Forrester</em></u><u> analyst Tracy Woo</u></a> in a blog post from last year.</p><h2 id="hybrid-cloud-security-evolution-xa0">Hybrid cloud security evolution </h2><p>Luckily, CIOs and CISOs looking to secure their hybrid cloud environments have many, ever-evolving options to choose from when it comes to implementing secure frameworks in their systems.</p><p>Companies are constantly innovating in terms of solution provision for hybrid cloud. Take a recent announcement from <em>Dell</em>, which <a href="https://www.itpro.com/cloud/hybrid-cloud/dell-unveils-new-apex-cloud-platform-for-azure-in-bid-to-simplify-hybrid-cloud-shift"><u>promised to “simplify” hybrid cloud management</u></a> with its Apex Cloud platform. </p><p>Other, more security-focused innovations and developments are also prevalent in the industry, and independent bodies and analysts offer a wealth of advice on how best to achieve a secure hybrid cloud environment. </p><p>The US National Security Agency (NSA), for example, advises <a href="https://www.itpro.com/cloud/cloud-security/10-cloud-security-tips-every-it-leader-should-know"><u>standardizing vendor-agnostic cloud tools</u></a> to help organizations monitor security across different environments. </p><p>This helps mitigate the risk of silos and skill gaps across multiple systems, where discrepancies between configurations and unnecessary data flows can create added security issues. </p><p>Forrester’s Woo advises that businesses go further than simply adopting hybrid cloud strategies. 
Instead, they should set up an internal “cloud center of excellence” that can focus on training users in managing hybrid cloud environments.</p><p>Enterprises should also try to build “reusable assets” that “avoid reinventing the wheel.” This means that assets should be written in low-code formats that can be easily adapted as businesses move forward.  </p><p>There are also various <a href="https://www.itpro.com/cloud/cloud-management/368576/best-cloud-management-software"><u>cloud management solutions to choose from</u></a>, designed to encourage collaboration between a business&apos;s different environments. These can help to control endpoint security more easily, as well as ease the burden of IT management overall. </p><h2 id="ai-and-hybrid-cloud-security-xa0">AI and hybrid cloud security </h2><p>As with every technology in the current landscape, AI promises to breathe new life into the management of hybrid cloud security by offering tools that help to automate complex security processes. </p><p><a href="https://www.itpro.com/security/ai-security-tools-promise-to-supercharge-productivity-but-experts-worry-cyber-pros-could-become-too-reliant"><u>AI already shows great promise in overhauling security as a whole</u></a>, with tools from many of the big names in tech offering solutions to the already overburdened CISO through visibility and workflow optimization.</p><p><a href="https://www.itpro.com/cloud/cloud-security/why-the-wiz-acquisition-makes-perfect-sense-for-google"><u>Google’s intended acquisition of security firm Wiz</u></a> is a clear example of this, despite it being called off by the latter. The move showed a clear desire on behalf of Google to increase its offerings in the cloud security market, suggesting that it’s top of mind for the tech giant.  
</p><p>The industry will no doubt see more tools geared towards hybrid cloud environments specifically, with solutions designed to manage risks across both public and private clouds, as well as within on-premise storage. </p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ How is hybrid cloud security different from multi-cloud or single cloud security? ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/cloud/cloud-security/how-is-hybrid-cloud-security-different-from-multi-cloud-or-single-cloud-security</link>
                                                                            <description>
                            <![CDATA[ Hybrid cloud offers marked benefits for enterprises, but there are key security considerations that separate this approach from its public and multi-cloud counterparts ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">yW6xTnvpUAs8bS7hBRmAob</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/rcggK9pkAbTthEnDrC7pPh-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Mon, 02 Sep 2024 16:04:03 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Cloud Security]]></category>
                                                    <category><![CDATA[Cloud]]></category>
                                                                                                <author><![CDATA[ ross.kelly@futurenet.com (Ross Kelly) ]]></author>                    <dc:creator><![CDATA[ Ross Kelly ]]></dc:creator>                                                                <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/Y5vrV2V98Np6jHAGmAtCd3.jpg ]]></dc:description>
                                                                                                                                    <sponsoredContent>true</sponsoredContent>
                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/rcggK9pkAbTthEnDrC7pPh-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[An image of a blue cloud made up of jigsaw parts to illustrate hybrid cloud]]></media:description>                                                            <media:text><![CDATA[An image of a blue cloud made up of jigsaw parts to illustrate hybrid cloud]]></media:text>
                                <media:title type="plain"><![CDATA[An image of a blue cloud made up of jigsaw parts to illustrate hybrid cloud]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/rcggK9pkAbTthEnDrC7pPh-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Hybrid cloud has surged in popularity in recent years amidst a widespread enterprise shift toward incorporating both public and private storage capabilities. </p><p>During the early days of the global cloud shift, public cloud reigned supreme. But increasingly, hybrid and multi-cloud approaches have gained traction among enterprises globally. </p><p>Multi-cloud, for example, which includes organizations using a combination of two or more cloud service providers, has also been gaining traction. Research from OVHCloud found nearly two-thirds (64%) of enterprises expect their use of this approach to increase in the next two years. </p><p>Meanwhile, <a href="https://www.cisco.com/c/en/us/solutions/hybrid-cloud/2022-trends.html"><u>Cisco’s 2022 </u><u><em>Global Hybrid Cloud Trends</em></u></a> report found that 82% of IT leaders had adopted a hybrid cloud approach. This method has a number of key advantages, not least of all flexibility, enabling organizations to host workloads both in the cloud and on-prem depending on their individual business needs. </p><p>There’s more to hybrid cloud than just flexibility, however. <a href="https://www.oracle.com/a/ocom/docs/cloud/oracle-451-research-advisory-blog-adopting.pdf"><u>Analysis from 451 Research</u></a> notes that enterprises adopting a hybrid approach can also unlock cost benefits and heightened operational resilience. </p><p>“More enterprises are finding that a hybrid environment - one that uses on-premises resources in coordination with public cloud services - offers the best of both worlds,” it said. </p><p>Notably, hybrid cloud can enable organizations to reduce risk by running certain applications on private infrastructure, rather than in the public cloud. In regulated industries, in particular, enterprises may seek to air gap applications or workloads, or to maintain data residency and compliance. 
</p><p>The 2024 ISG <em>Provider Lens Private/Hybrid Cloud – Data Center Services</em> report, for example, found that hybrid cloud adoption is being <a href="https://www.itpro.com/cloud/hybrid-cloud/security-and-compliance-concerns-are-driving-the-shift-to-hybrid-cloud"><u>driven by heightened security and compliance risk concerns</u></a> among enterprises. </p><p>Cisco’s <em>Global Hybrid Cloud Trends</em> report also specifically highlighted these considerations as key contributory factors to the appeal of hybrid cloud. </p><p>“One factor in the maturing of cloud operations is managing risk by being selective about where workloads and data are placed,” the report states. </p><p>“Hybrid environments can give security teams options that allow them to balance placement, putting some workloads in public clouds while keeping others on-prem, or using different regions for data residency requirements.”</p><p>Air-gapping, in particular, has come to the fore since the emergence of generative AI in late 2022. Employing a hybrid cloud approach has become a <a href="https://www.itpro.com/cloud/cloud-computing/netapp-ceo-hybrid-cloud-will-be-the-only-way-to-capitalize-on-generative-ai"><u>key tactic for organizations adopting the technology</u></a>, allowing them to experiment and tinker with applications in public cloud environments, and thereafter bringing them on-prem to bolster security and safety. </p><p>But while hybrid cloud does offer marked benefits, it does pose unique cybersecurity challenges for enterprise IT leaders. </p><h2 id="increased-complexity">Increased complexity</h2><p>Cloud security in a broader sense has become a major focus for enterprises globally in recent years, with research showing a significant rise in the volume of attacks targeting cloud environments. 
</p><p>Thales’ 2024 <em>Cloud Security</em> report found nearly half (44%) of organizations have experienced a cloud data breach, and 14% reported a breach in the year between June 2023 and June 2024 alone.</p><p>Practitioner sentiment on cloud-related security threats is also growing, according to the ISC2 2024 <a href="https://www.isc2.org/-/media/5C011B9E35624F309CB4D00EA1A22FED.ashx"><u><em>Cloud Security Report</em></u></a>. </p><p>The majority (96%) of respondents expressed “significant concerns” over security within the public cloud specifically, marking an increase from 95% in the year prior. </p><p>With the public cloud, security teams typically contend with a single, uniform environment. Multi-cloud and hybrid cloud approaches, however, which include environments spanning multiple cloud providers - or a combination of on-prem and off-prem workloads and applications - add a degree of complexity that many enterprises aren’t prepared for.</p><p>Managing security across disparate or siloed environments poses serious challenges about data governance, compliance, and identity management in particular.</p><p><a href="https://cloudsecurityalliance.org/blog/2020/07/14/understanding-common-risks-in-hybrid-clouds"><u>Research from the Cloud Security Alliance (CSA),</u></a> for example, specifically highlighted identity and credential management as a key risk for hybrid cloud operators. </p><p>“The lack of a decentralized and unified identity management solution may cause account information inconsistency between clouds, resulting in discontinuous log audits and failures to trace resource misuse.”</p><p>Similar <a href="https://www.itpro.com/cloud/cloud-security/the-biggest-cloud-security-risk-in-2024-will-be-stolen-and-exposed-credentials"><u>research from Expel in January 2024</u></a> found two-in-five cloud infrastructure incidents were directly attributed to compromised credentials. 
</p><p>With this in mind, the <a href="https://cloudsecurityalliance.org/blog/2023/08/21/five-core-principles-for-hybrid-cloud-security-how-to-build-an-effective-scalable-and-affordable-strategy"><u>CSA recommends</u></a> organizations adopt a “unified identity strategy” to ensure that cloud identities do not exist in disparate directories or systems. </p><p>This should be underpinned by robust multi-factor authentication (MFA) practices for privileged accounts, the CSA noted, while automated monitoring tools for cloud accounts. </p><p><a href="https://www.itpro.com/cloud/361113/the-rise-of-cloud-misconfiguration-threats-and-how-to-avoid-them"><u>Misconfiguration is also a leading concern for security teams</u></a> operating in a hybrid cloud environment, research shows. Managing multiple environments can increase the likelihood of errors, thereby creating the potential for additional vulnerabilities. Analysis from Thales, for example, highlighted cloud misconfigurations as the <a href="https://www.itpro.com/cloud/cloud-security/enterprises-need-to-get-a-firm-grasp-on-attack-surfaces-as-cloud-breaches-surge"><u>leading cause of breaches for organizations</u></a> last year.</p><p>The complexity of hybrid cloud environments is further exacerbated by a distinct lack of visibility for security teams, with one-quarter of organizations unable to identify the root cause or source of a breach, according to <a href="https://www.gigamon.com/campaigns/hybrid-cloud-security-survey.html"><u>research from Gigamon</u></a>. </p><p>Again, this combination of on-prem and off-prem environments can create a clouded picture for security teams responding to threats. Gigamon’s research noted that one-third of respondents cited blind spots as one of their top concerns. </p><p>Organizations pursuing a hybrid cloud approach are increasingly turning to zero trust practices to bolster security capabilities and improve visibility within cloud and on-prem environments, research shows. 
</p><h2 id="skills-deficits-are-hampering-hybrid-cloud-security-capabilities">Skills deficits are hampering hybrid cloud security capabilities</h2><p>The global cybersecurity skills shortage has become ubiquitous across the global technology landscape. ISC2’s 2023 <a href="https://www.isc2.org/-/media/Project/ISC2/Main/Media/documents/research/ISC2_Cybersecurity_Workforce_Study_2023.pdf"><u><em>Global Workforce Study</em></u></a> found the workforce gap has reached a record high, with four million security professionals needed to fill this gap. </p><p>When it comes to cloud security skills, the situation is equally dire, according to ISC2. Around 93% of respondents to ISC2’s 2023 Cloud Security Report said they were “moderately to extremely concerned” about a growing cloud-related skills deficit. </p><p>This issue isn’t limited to hybrid cloud, however, with organizations operating in a public and multi-cloud approach also contending with skills shortages. </p><p>What separates hybrid cloud, though, again lies in the inherent complexity of this approach. Managing security across multiple environments requires a wide range of skills, and a lack of expertise in one - or more - of these domains could potentially increase exposure. </p><p>“Embracing a hybrid or multi-cloud strategy requires a robust framework for managing complexity, ensuring data protection across environments, and a broader skill within security teams,” the report notes. </p><p>“The security skills shortage not only impacts the ability to defend against cyber threats effectively but also constrains organizations’ capacity to innovate and leverage cloud technologies fully.”</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ How to identify and mitigate cloud-based cyber attacks ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/cloud/cloud-security/how-to-identify-and-mitigate-cloud-based-cyber-attacks</link>
                                                                            <description>
                            <![CDATA[ Sprawling IT estates with a vast network of endpoints need a strong security strategy, advanced threat detection, and, ultimately, a human touch ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">GDpPZj867kGcsTeZenbr8f</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/M7naUc3oqHsL76vq9v5o6H-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Mon, 02 Sep 2024 15:55:22 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Cloud Security]]></category>
                                                    <category><![CDATA[Cloud]]></category>
                                                                                                <author><![CDATA[ itpro@futurenet.com (Bobby Hellard) ]]></author>                    <dc:creator><![CDATA[ Bobby Hellard ]]></dc:creator>                                                                <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/bsR2tHSyVKUoyXZF5pNsDA.jpg ]]></dc:description>
                                                                                                                                    <sponsoredContent>true</sponsoredContent>
                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/M7naUc3oqHsL76vq9v5o6H-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[cloud security]]></media:description>                                                            <media:text><![CDATA[cloud security]]></media:text>
                                <media:title type="plain"><![CDATA[cloud security]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/M7naUc3oqHsL76vq9v5o6H-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Cyber attacks may be an inevitable part of modern life but that doesn’t mean that businesses simply have to put up with them. Indeed, it is possible to have both a proactive and reactive stance when it comes to securing your organization. The reality is that this does take hard work and constant evolution of strategy to move from theory to reality and remain safe from harm. </p><p>Take this year’s hack on <a href="https://www.itpro.com/security/new-york-times-confirms-source-code-leak"><u>The </u><u><em>New York Times</em></u></a>, for instance. It was a GitHub repository that was breached at the start of the year after a 4Chan user claimed to have stolen “basically all source code belonging to The New York Times Company”. That cache was estimated to be around 273GB of data including IT documentation, infrastructure tools, email marketing campaigns, ad reports, and source code for other NYT-owned platforms like Wordle. </p><p>This example highlights that there are many ways to get inside a modern company, and knowing how to identify the risks and mitigate cloud-based cyber threats is the best way to keep your organization and its data safe.</p><h2 id="cloud-based-security-xa0">Cloud-based security </h2><p>When people talk about cloud security, they are generally referring to securing cloud-based computing systems such as online storage platforms and SaaS applications – essentially anything that uses, stores, or transfers data. Making sure these systems are safe requires a host of different elements, some strong government-level regulation, and every person in the company adhering to best practices at all times.</p><p>Cloud providers that host services on their servers via ‘always-on’ internet connections will have a responsibility to maintain a high level of security – particularly as this builds trust among their customers. 
However, cloud security is also the responsibility of the client and an understanding of both is key to a healthy cloud security setup.  </p><p>At a very basic level, this will include data security and data retention, identity and access management, IT governance, and legal compliance. It will cover backend systems like servers and also include all endpoints used within an organization, such as laptops and desktops. With large enterprises, this is often an ever-growing map of possible entrances for unauthorized parties to test. </p><h2 id="expect-the-worst">Expect the worst</h2><p>Historic and emerging/evolving threats were a key focus for the <a href="https://cloudsecurityalliance.org/press-releases/2024/08/06/cloud-security-alliance-releases-top-threats-to-cloud-computing-2024-report"><u>Cloud Security Alliance’s (CSA) recently published top threats for 2024 report</u></a>.</p><p>“It’s tempting to think that the reason the same issues have remained in the top spots since the report was last issued stems from a lack of progress in securing these features. The larger picture, however, speaks to the importance placed on these vulnerabilities by organizations and the degrees to which they are working to build ever more secure and resilient cloud environments,” said Michael Roza, co-chair, <a href="https://cloudsecurityalliance.org/group/top-threats/">Top Threats Working Group</a>, and one of the paper’s lead authors.</p><p>The top threats in listed order were:</p><p>“Given the ever-evolving cybersecurity landscape, it’s difficult for companies to stay ahead of the curve and mitigate their financial and reputational risks. By bringing attention to those threats, vulnerabilities, and risks that are top-of-mind across the industry, organizations can better focus their resources,” said Sean Heide, the CSA’s technical research director. 
</p><p>As negative as it may sound, planning for the worst possible scenario is arguably the best advice when it comes to cybersecurity. If you have a plan in place you will give yourself every chance of fighting off whatever comes your way – and trust us, something will come up eventually. Having a strategy in place for the worst-case scenario(s) will help to fortify defense systems and protocols, and also enable a robust response should a threat surface.</p><p>But where should you start? Detection systems that monitor network traffic or system activities, particularly those of a malicious nature, are a great first item to have on the list. These will generate alerts and can even trigger automated responses, taking the burden away from thinly stretched IT teams.</p><p>Endpoint detection and response services are also key. These are designed to protect individual endpoints such as the computers, laptops, and mobile devices your staff uses, as well as the myriad IoT devices in your network. However, when we talk about endpoints, we also mean the communication apps that you access through them. Here, users are in the firing line for phishing attacks via email or WhatsApp, but a good threat detection program can monitor those activities. The end user will have a report button, but a detection system can spot the patterns and see whether there is a significant volume for a targeted attack, and stop it as early as possible. </p><h2 id="managed-detection-and-response-xa0">Managed detection and response </h2><p>A managed detection and response (MDR) service offers a more holistic approach to endpoint security. An MDR is an outsourced service that identifies and responds to threats as soon as they’re discovered – here it can address the significant problems that cause today’s businesses the most headaches. 
</p><p>It also helps with skill shortages and tight budgets; while larger organizations may be able to properly train or hire security professionals, smaller and medium-sized businesses may lack the skills to directly deal with complex threats. Enterprise companies may also face challenges when deploying complex endpoint detection systems, particularly if they’re short on time and expertise. A good MDR suite, however, will integrate EDR tools into its security implementation and make them an integral part of the detection, analysis, and response protocol. </p><p>Even enterprises that have the necessary budget to hire professionals to tackle cyber threats still struggle to recruit enough people. An overlooked issue in cybersecurity is the sheer volume of alerts that IT teams receive daily, making it nearly impossible to spot all the malicious ones. Forget trying to correlate those threats and see the wider patterns, as they’ll be unable to keep up. Smaller teams will be completely overrun.  </p><p>An MDR, however, is designed to mitigate gaps in cybersecurity skills by taking the weight off in-house teams. That’s not to say that you won’t need any trained professionals, however. An MDR service will provide recommendations for changes based on its interpretation of security incidents. A skilled professional will be needed to contextualize the threat and dig deeper into the hows and whys of the event – a human touch is still an important part of the security strategy. </p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ How hackers target the cloud ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/cloud/cloud-security/how-hackers-target-the-cloud</link>
                                                                            <description>
                            <![CDATA[ With more business assets in the cloud than ever, understanding the risk of cloud misconfiguration, malware, and credential theft to your business is critical ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">gbex9EjwkurS57xqbN7EVV</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/ccsAVwFQbSaYr4mLvqAxBX-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Mon, 02 Sep 2024 15:54:40 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Cloud Security]]></category>
                                                    <category><![CDATA[Cloud]]></category>
                                                                                                <author><![CDATA[ rory.bathgate@futurenet.com (Rory Bathgate) ]]></author>                    <dc:creator><![CDATA[ Rory Bathgate ]]></dc:creator>                                                                <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/LFPWMoCGDVHowHbMpHJZkU.jpg ]]></dc:description>
                                                                                                                                    <sponsoredContent>true</sponsoredContent>
                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/ccsAVwFQbSaYr4mLvqAxBX-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Cloud hack]]></media:description>                                                            <media:text><![CDATA[Cloud hack]]></media:text>
                                <media:title type="plain"><![CDATA[Cloud hack]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/ccsAVwFQbSaYr4mLvqAxBX-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>There’s never been a more important time to understand how hackers target the cloud. While the cost and scalability benefits of the cloud are undeniable, it’s also a vast attack surface that opens any firm - regardless of size, industry, or even geographical location - up to the interest of hacking groups. </p><p>Almost every business now has a cloud environment to worry about, with PwC’s 2023 <a href="https://www.pwc.com/us/en/tech-effect/cloud/cloud-business-survey.html"><u><em>Cloud Business Survey</em></u></a> finding that 78% of business executives had extended cloud across the majority or the entirety of their business. With this in mind, leaders must know the main avenues of attack for the cloud and the myriad strategies threat actors may explore to breach, infect, or destroy their valuable cloud assets.</p><p>A chain is only as strong as its weakest link and when it comes to valuable cloud assets it really is imperative that leaders know where and how their attack surface can come under strain.</p><h2 id="vulnerabilities-leave-the-door-unlocked">Vulnerabilities leave the door unlocked</h2><p>Extending the metaphor of that weak link, existing vulnerabilities within a business’ cloud environment are the first port of call for any hacker.</p><p>Cloud misconfiguration is of particular concern, as it could allow sensitive data to be leaked onto the public internet, or allow hackers to enter systems outright without the need for authorized access.</p><p>In Splunk’s <a href="https://www.splunk.com/en_us/form/state-of-security/thanks.html"><u><em>State of Security 2024</em></u></a> report, misconfigured systems were identified as the most frequent threat vector with 38% of attacks arising from these mistakes. 
These user errors can be simple to overlook but enable serious attacks on the cloud.</p><p>For example, <a href="https://www.itpro.com/security/misconfigured-saas-applications-led-to-the-home-depot-data-breach-and-experts-say-its-no-surprise"><u>Home Depot recently suffered a data breach</u></a> that arose from a misconfigured <a href="https://www.itpro.com/cloud/software-as-a-service-saas/362655/what-is-saas"><u>software as a service (SaaS)</u></a> application, and researchers have discovered misconfigured access controls <a href="https://www.itpro.com/security/netsuite-vulnerability-could-leave-thousands-of-websites-exposed"><u>within NetSuite’s SuiteCommerce</u></a> which could allow hackers to steal customer data. </p><p>Misconfigurations are the path of least resistance for hackers – once identified, threat actors can launch successful attacks in <a href="https://www.itpro.com/cloud/cloud-security/cyber-attacks-in-the-cloud-take-less-than-ten-minutes-to-launch"><u>less than ten minutes</u></a>. </p><p>To stay ahead of the threat, it’s important that IT teams keep a close eye on cloud configurations, using third-party tools if necessary to help them monitor potential weak points and close gaps in their defensive wall before hackers take notice.</p><h2 id="attacks-driven-by-subterfuge">Attacks driven by subterfuge</h2><p>An effective attack vector for targeting the cloud is <a href="https://www.itpro.com/cloud/cloud-security/cloud-security-breaches-surge-on-a-wave-of-stolen-credentials"><u>credential theft</u></a>. 
Login details for company accounts can be obtained directly through data breaches, <a href="https://www.itpro.com/security/data-breaches/a-treasure-trove-for-adversaries-10-billion-stolen-passwords-have-been-shared-online-in-the-biggest-data-leak-of-all-time"><u>found on hacking forums</u></a> in the wake of a breach, or stolen through targeted <a href="https://www.itpro.com/security/phishing/why-social-engineering-is-such-a-problem-and-how-your-business-can-protect-itself"><u>social engineering</u></a> and <a href="https://www.itpro.com/security/29093/what-is-phishing"><u>phishing</u></a> attacks on employees.</p><p>Credential theft can be especially difficult to detect because attackers will appear to be legitimate users. Identifying which accounts have been subject to credential theft can range from simply checking whether users have been implicated in recent data breaches to the trickier task of identifying which user accounts are exhibiting anomalous behavior.</p><p>One of the main ways in which businesses can combat this threat is via identity management protocols as well as through investing in <a href="https://www.itpro.com/security/how-to-implement-identity-and-access-management-iam-effectively-in-your-business"><u>identity and access management (IAM)</u></a> solutions. These can automatically identify anomalous behavior and be used by security teams to strip users of certain privileges from a central console.</p><p>Just because your organization hasn’t been noticeably breached doesn’t mean that it’s safe. Some threat groups choose to quietly breach firms and then <a href="https://www.itpro.com/security/data-breaches/breached-for-years-how-long-term-cyber-attacks-are-allowed-to-linger"><u>skulk in their IT estates for years</u></a>. 
</p><p>During this time, hackers gather data on users to identify who has privileged access, what behaviors will and will not fly under the radar, and the times of day that their victim will be most vulnerable to attack.</p><p>Attackers can benefit from entering systems as quietly as possible to do more damage down the line, using the interim to collect more information or identify potential vulnerabilities that they can exploit to steal valuable information or disrupt cloud services.</p><p>Once attackers have breached an enterprise cloud environment, they are often able to move laterally throughout systems to wherever their attacks will do the most damage. </p><p>It&apos;s in situations like these that businesses can benefit from <a href="https://www.itpro.com/security/what-is-zero-trust-network-access-ztna"><u>zero trust network access (ZTNA)</u></a>, in which no one user profile is treated as automatically safe as a matter of policy. </p><h2 id="malware-and-other-forceful-attacks">Malware and other forceful attacks</h2><p>Once inside a network, attackers will often seek to spread <a href="https://www.itpro.com/malware/28076/what-is-malware"><u>malware</u></a> such as <a href="https://www.itpro.com/cloud/367210/what-is-cloud-ransomware"><u>cloud ransomware</u></a>, which is a top threat to businesses. </p><p>One of the main reasons hackers will target the cloud with ransomware is because it makes for excellent leverage with which to pry a payment from their victims. Not all businesses may choose to pay the ransom demanded by their attackers – but threat actors know that few businesses can stand cloud downtime for too long without reputational damage and severe loss of profits.</p><p>A growing concern of the past few years has been the lowering barrier to entry for would-be ransomware groups, as <a href="https://www.itpro.com/security/29241/what-are-the-different-types-of-ransomware"><u>ransomware as a service (RaaS)</u></a> becomes more entrenched. 
This allows any hacker to purchase effective strains of ransomware via the <a href="https://www.itpro.com/security/32117/what-is-the-dark-web"><u>dark web</u></a> and then use them against victims’ infrastructure and cloud. </p><p>Hackers can also use dark web services such as <a href="https://www.itpro.com/security/hacking/368756/what-is-dark-utilities-c2-as-a-service-c2aas"><u>Dark Utilities C2</u></a> to launch other campaigns such as <a href="https://www.itpro.com/security/28026/what-is-a-ddos-attack"><u>distributed denial of service (DDoS)</u></a> attacks.</p><p>Undoubtedly the bluntest method hackers opt for when targeting the cloud is a DDoS attack. This approach sees threat actors overwhelm a website or cloud instance with a massive number of access requests to knock it offline. Like cloud ransomware, this attack methodology is all about maximum damage, and bouncing back will hinge on whether a business has a concrete backup strategy. </p><p>But even cloud ransomware comes with the promise – however untrustworthy – of data decryption if the price is paid. DDoS attacks tend to be far more two-dimensional, the downtime being the entire point rather than the means to a profitable end for the perpetrators.</p><p>Often, attackers will leverage the combined output of a <a href="https://www.itpro.com/botnets/1644/what-is-a-botnet"><u>botnet</u></a>, a horde of infected devices they control around the world. 
Using these zombie IoT networks, they wield DDoS capabilities measured in the millions of requests per second (rps) – Google Cloud <a href="https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps"><u>measured a 398 million rps</u></a> attack in 2023.</p><p>Some firms offer mitigation against DDoS attacks, but they remain an effective avenue of attack for threat actors and <a href="https://www.itpro.com/security/ddos-attacks-are-still-growing-and-there-are-new-threats-on-the-horizon"><u>are on the rise</u></a>.</p><p><a href="https://www.itpro.com/security/cyber-attacks/how-to-recover-from-a-ddos-attack-and-what-they-can-teach-businesses"><u>Recovering from a DDoS attack</u></a> can be a complex process. On the one hand, leaders will be keen for their systems to be brought back online as quickly as possible to stem reputational damage and loss of revenue – a particular concern if the attack successfully knocked out front-end systems like the homepage of your company’s website. </p><p>Leaders must also ensure their cloud environment is restored intact and give security teams the time to have complete confidence that everything is configured correctly when it’s stood back up.</p><p>This cuts to the heart of the problem for businesses looking to thrive in the cloud. Operating in this modern environment is a constant balancing act of making the most of the expansion and tools at your disposal and keeping one eye on how each cloud instance could be compromised.</p><p>Knowing what’s out there is essential, but this process never ends. Leaders must constantly refresh their understanding of threats and bad actors and keep their employees trained to deal with the latest cloud threats.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ What are the benefits of unified cloud security? ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/business/what-are-the-benefits-of-unified-cloud-security</link>
                                                                            <description>
                            <![CDATA[ As cloud adoption accelerates, the complexity of managing multi-cloud environments presents significant security challenges. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">ffCLj4uVJhTzoh3pHr8zAT</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/6zvLhxX6fpdjzFD8FCfGAN-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Mon, 02 Sep 2024 15:47:27 +0000</pubDate>                                                                                                                                <updated>Mon, 02 Sep 2024 15:50:39 +0000</updated>
                                                                                                                                            <category><![CDATA[Cloud Security]]></category>
                                                    <category><![CDATA[Cloud]]></category>
                                                                                                <author><![CDATA[ itpro@futurenet.com (Rene Millman) ]]></author>                    <dc:creator><![CDATA[ Rene Millman ]]></dc:creator>                                                                <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/vwWuTPNRCuw9vEaWzuXYnR.png ]]></dc:description>
                                                                                                                                    <sponsoredContent>true</sponsoredContent>
                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/6zvLhxX6fpdjzFD8FCfGAN-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Multi-cloud concept art showing digital cloud symbol surrounded by several other cloud symbols.]]></media:description>                                                            <media:text><![CDATA[Multi-cloud concept art showing digital cloud symbol surrounded by several other cloud symbols.]]></media:text>
                                <media:title type="plain"><![CDATA[Multi-cloud concept art showing digital cloud symbol surrounded by several other cloud symbols.]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/6zvLhxX6fpdjzFD8FCfGAN-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>As cloud computing continues to reshape the landscape of modern business, the surge in cloud adoption is accompanied by growing concerns about security. A recent survey by the <a href="https://cloudsecurityalliance.org/artifacts/the-state-of-security-remediation-survey-report"><u>Cloud Security Alliance (CSA) in February 2024</u></a> found that more than 77% of organizations feel unprepared to handle the security threats that cloud environments present. This sentiment is compounded by the fact that many organizations struggle to achieve full visibility in their cloud environments, with only 23% reporting optimal transparency.</p><p>“As cybersecurity threats evolve, organizations must adapt by seeking better visibility into their code-to-cloud environment, identifying ways to accelerate remediation, strengthening organizational collaboration, and streamlining processes to counter risks effectively,” says Hillary Baron, senior technical director for research at the CSA. </p><p>As cloud infrastructures become the backbone of modern enterprises, safeguarding these environments is crucial. This is where unified cloud security comes into play—a holistic approach designed to provide comprehensive protection across complex, multi-layered cloud environments.</p><p>This strategy promises to streamline operations, enhance threat detection, and simplify compliance across multi-cloud landscapes. With the complexity of managing different cloud services and providers, the unified approach is no longer a luxury but a necessity. 
As cyber threats grow in sophistication, organizations must rethink their security strategies, ensuring they are equipped to handle emerging risks.</p><h2 id="understanding-unified-cloud-security">Understanding unified cloud security</h2><p>Unified cloud security refers to an integrated approach that consolidates security measures across various cloud environments, including Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS). This model centralizes security management, enabling organizations to monitor and control their cloud resources from a single platform. Unlike traditional security models, which often operate in silos, unified cloud security offers a comprehensive view, breaking down barriers between different cloud services, according to the <a href="https://cdn-dynmedia-1.microsoft.com/is/content/microsoftcorp/microsoft/final/en-us/microsoft-product-and-services/security/pdf/2024-State-of-Multicloud-Security-Risk-Report.pdf"><u>2024 State of Multicloud Security Report by Microsoft</u></a>. </p><p>"Ultimately, multi-cloud security has multiple considerations that security teams must account for. It is not a check-the-box endeavor," says Andrew Conway, vice president, Security Marketing at Microsoft.</p><p>"Rather, security teams must continuously enforce best practices from the earliest stages of development to runtime, identity and access management, and data security. Not only must these best practices be enforced throughout the full cloud lifecycle, but they must also be standardized across all cloud platforms."</p><p>Key components include centralized management, integrated threat intelligence, and automated compliance checks. The goal is to provide seamless protection across multiple cloud providers and environments, ensuring that security policies are consistently applied. 
As organizations increasingly adopt multi-cloud strategies, the complexity of managing disparate security solutions has become apparent. A unified approach simplifies security operations and enhances the ability to detect and respond to threats in real time, making it an essential strategy for modern enterprises.</p><h2 id="the-growing-need-for-unified-cloud-security">The growing need for unified cloud security</h2><p>With the rapid adoption of cloud technologies, businesses face new security challenges. A recent study by Microsoft revealed that the average multi-cloud environment has 351 exploitable attack paths, highlighting the complexity of managing security across diverse platforms. Multi-cloud strategies offer flexibility and resilience, but they also introduce fragmented security practices, increasing the risk of breaches. </p><p>The <a href="https://cpl.thalesgroup.com/cloud-security-research"><u>Thales Cloud Security Study</u></a> (published March 2024) reports that 44% of organizations experienced a cloud data breach in the past year, underscoring the urgency of a unified security approach. As organizations deploy more SaaS applications, with over 60% using more than 25 apps, managing security becomes even more complex. </p><p>"Compliance is key. In fact, companies that had a good hold over their compliance processes and passed all their audits were also less likely to suffer a breach,” says Sebastien Cano, senior vice president at Thales Cloud Protection and Licensing. </p><p>“We’ll start to see more compliance and security functions coming together. This would be a huge positive step to strengthen cyber defenses and build trust with customers." </p><p>Unified cloud security addresses these challenges by offering a centralized management system that provides visibility and control across all cloud environments. 
By integrating security tools and processes, businesses can reduce vulnerabilities and improve their overall security posture, ensuring they are better prepared to tackle the evolving threat landscape.</p><h2 id="key-benefits-of-unified-cloud-security">Key benefits of unified cloud security</h2><p>Unified cloud security offers several critical advantages that address the challenges posed by modern cloud environments. Firstly, it provides centralized management, allowing security teams to monitor and control cloud assets from a single dashboard, reducing complexity and enhancing efficiency. This centralization simplifies the management of security policies and ensures consistent application across all cloud platforms. </p><p>Secondly, integrated threat intelligence enhances threat detection and response capabilities. By consolidating data from multiple sources, organizations can quickly identify and respond to potential threats. Thirdly, automated compliance checks streamline regulatory compliance, reducing the burden on IT teams and minimizing the risk of human error. As regulatory requirements become more stringent, automated tools ensure organizations remain compliant without manual intervention. </p><p>Finally, unified cloud security solutions are designed to be scalable and flexible, adapting to the changing needs of businesses. This scalability is essential for organizations looking to grow their cloud environments while maintaining robust security measures.</p><h2 id="challenges-considerations-and-best-practice">Challenges, considerations, and best practice</h2><p>Implementing unified cloud security has its challenges. Misconfigurations are a leading issue, accounting for <a href="https://go.crowdstrike.com/global-threat-report-2024.html"><u>36% of cloud breaches</u></a> due to human error and inadequate change control mechanisms. Effective management tools are essential to prevent unauthorized access and data exposure. 
Another critical challenge is identity, credentials, access, and key management. With 80% of breaches involving compromised credentials, weak password policies and a lack of multi-factor authentication remain vulnerabilities that need addressing.</p><p>What’s more, the dynamic nature of cloud environments introduces complexities as new assets and services are continuously added, necessitating continuous monitoring and adaptation to emerging threats. The widespread adoption of cloud services often outpaces the development of comprehensive security architectures. This gap is exacerbated by a shortage of skilled professionals in cloud security, increasing the risk of misconfigurations and ineffective security measures. Organizations must prioritize training and strategic alignment to overcome these hurdles effectively.</p><p>To strengthen cloud environments, unified cloud security demands an integrated approach, blending various defensive strategies. Centralized security management is crucial, enabling enhanced visibility and control across disparate cloud resources from a single platform. This central oversight is complemented by robust identity and access management policies that ensure only authorized personnel can access critical systems and data, often fortified by multi-factor authentication and stringent access controls. </p><p>Additionally, encrypting data both at rest and in transit forms a fundamental barrier against unauthorized access. Regular security assessments, including audits and vulnerability scans, are essential to identify and address potential risks promptly. Moreover, maintaining compliance with evolving regulatory standards helps organizations navigate the legal complexities of digital data management, ensuring they meet industry standards and avoid penalties. 
These practices, when consistently applied, significantly strengthen the security posture of cloud-based infrastructures.</p><h2 id="embracing-a-unified-future">Embracing a unified future</h2><p>Unified cloud security is essential in the face of increasing cloud adoption and sophisticated cyber threats. By providing centralized management and integrating advanced threat detection capabilities, unified security solutions enhance an organization&apos;s ability to protect its digital assets. However, challenges such as misconfiguration, identity management, and expertise gaps must be addressed to fully realize the benefits.</p><p>Real-world examples from the finance and healthcare sectors illustrate the tangible advantages of adopting a unified approach, showcasing improvements in efficiency, compliance, and resilience against threats. As businesses continue to expand their cloud environments, prioritizing unified security solutions is crucial to safeguarding their operations and maintaining customer trust. Moving forward, organizations must invest in training and strategic alignment to stay ahead in the ever-evolving cloud security landscape.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Enterprises beware, your LLM servers could be exposing sensitive data ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/cloud/cloud-security/enterprises-beware-your-llm-servers-could-be-unintentionally-exposing-sensitive-data</link>
                                                                            <description>
                            <![CDATA[ New research lays bare the lack of robust security protections on the servers hosting many businesses’ AI services ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">w65WPcGppdeVfBRuVoyR3G</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/jtFdkp7DfZ2KyuCDJChFiL-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Mon, 02 Sep 2024 11:03:34 +0000</pubDate>                                                                                                                                <updated>Mon, 02 Sep 2024 16:32:28 +0000</updated>
                                                                                                                                            <category><![CDATA[Cloud Security]]></category>
                                                    <category><![CDATA[Cloud]]></category>
                                                                                                <author><![CDATA[ solomon.klappholz@futurenet.com (Solomon Klappholz) ]]></author>                    <dc:creator><![CDATA[ Solomon Klappholz ]]></dc:creator>                                                                <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/pjZQRW2qWqQNjxubC6SUQ5.jpg ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/jtFdkp7DfZ2KyuCDJChFiL-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Abstract technology image of running program code on digital data wave.]]></media:description>                                                            <media:text><![CDATA[Abstract technology image of running program code on digital data wave.]]></media:text>
                                <media:title type="plain"><![CDATA[Abstract technology image of running program code on digital data wave.]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/jtFdkp7DfZ2KyuCDJChFiL-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Publicly accessible <a href="https://www.itpro.com/technology/artificial-intelligence/the-costs-of-building-generative-ai-platforms-are-racking-up">AI platforms</a> may be exposing your corporate data on the internet, new research warns.</p><p>Legit Security recently published an <a href="https://www.legitsecurity.com/blog/the-risks-lurking-in-publicly-exposed-genai-development-services#conclusion" target="_blank"><u>investigation</u></a> into security issues affecting the infrastructure underpinning many businesses’ <a href="https://www.itpro.com/business/acquisition/datastax-wants-to-create-a-one-stop-generative-ai-application-stack-with-langflow-acquisition">AI applications</a>, suggesting these systems could also be susceptible to data leakage and data poisoning.</p><p>The research highlighted risks associated with two popular types of publicly accessible AI services: vector databases and <a href="https://www.itpro.com/technology/artificial-intelligence/google-shows-off-new-smaller-generative-ai-tools-and-an-ai-agent-on-your-phone">LLM tools</a>. </p><p>Vector databases are used to store unstructured data for <a href="https://www.itpro.com/strategy/28181/what-is-ai">AI</a> applications, allowing the systems to search the database according to similarity instead of exact matches.</p><p>Researchers found these databases often lack basic <a href="https://www.itpro.com/security/jailbreaking-chatgpt-researchers-swerved-gpt-4s-safety-guardrails-and-made-the-chatbot-detail-how-to-make-explosives-in-scots-gaelic">security guardrails</a>, highlighting a number of cases where they found publicly accessible instances allowing anonymous access with no permission enforcement. 
</p><p>This meant that anyone with network access to the server would be able to read sensitive data inside, including metadata, as well as the embeddings – the numerical representations of words, images, or videos used by <a href="https://www.itpro.com/technology/artificial-intelligence/generative-ai-vs-large-language-models#:~:text=What%20are%20large%20language%20models,produce%20contextually%20relevant%20text%20outputs.">LLMs</a>.</p><p>These embeddings could be used by attackers to reverse engineer the transformer used by the model to recover input data, according to <a href="https://arxiv.org/pdf/2305.03010" target="_blank"><u>research</u></a> from the Hong Kong University of Science and Technology.</p><p>These systems are also vulnerable to data poisoning attacks, the report noted, whereby attackers alter <a href="https://www.itpro.com/tag/databases">databases</a> in order to change the behavior of the AI applications built on that dataset.</p><p>Legit Security offered a number of examples of how this attack could unfold. 
For example, hackers could modify a vector database and make a client-facing chatbot instruct customers to download and install <a href="https://www.itpro.com/malware/28076/what-is-malware">malware</a> on their devices.</p><p>Another example suggested <a href="https://www.itpro.com/technology/artificial-intelligence-ai/369979/chatgpt-vs-chatbots-whats-the-differencehttps://www.itpro.com/networking/27171/what-is-a-chatbot">chatbots</a> used for <a href="https://www.itpro.com/technology/artificial-intelligence-ai/354520/how-ai-can-improve-medical-diagnosis">medical consultations</a> with access to historical patient data could be manipulated into providing false or dangerous advice.</p><p>In addition, researchers warned the software installed on servers hosting these vector databases contains vulnerabilities that attackers could potentially exploit to exfiltrate or <a href="https://www.itpro.com/security/hackers-are-deliberately-poisoning-ai-systems-to-make-them-malfunction-and-theres-no-way-to-defend-against-it">poison the data</a> they contain.</p><h2 id="almost-half-of-scanned-flowise-servers-vulnerable-to-x201c-simple-authentication-bypass-vulnerability-x201d-xa0">Almost half of scanned Flowise servers vulnerable to “simple authentication bypass vulnerability” </h2><p>Legit Security’s investigation used scanning tools to identify a number of publicly accessible <a href="https://www.itpro.com/big-data-analytics/34532/structured-vs-unstructured-data-management">vector database </a>instances, checking for required authentication and whether it was possible to extract data from the system.</p><p>The researchers found around 30 servers with evidence of corporate or private data, such as <a href="https://www.itpro.com/network-internet/email-providers/358887/the-most-secure-email-services">private company emails</a>, customer PII, <a href="https://www.itpro.com/business/business-strategy/369616/msg-giant-ajinomoto-chipmaking-foray-financial-records">financial 
records</a>, and prospect resumes and contact information. </p><p>It found some of these servers were susceptible to data poisoning, including one storing patient information for a medical chatbot, company Q&A data, and a real estate agency’s property data.</p><p>In each of these cases, the attackers would not have needed to <a href="https://www.itpro.com/security/exploits/360411/top-30-most-exploited-vulnerabilities">exploit a vulnerability</a> or use specific tools to read the data, and would have been able to use the REST API or Web UI to modify or delete data.</p><p>In addition to vector databases, the report found publicly exposed LLM tools suffered from a similar lack of security layers, highlighting one particular tool – Flowise – a <a href="https://www.itpro.com/software/development/369154/why-low-code-and-no-code-can-be-a-route-through-recession">low-code</a> LLM automation service.</p><p>Tools like Flowise have access to a wide range of sensitive data including private company 
information, <a href="https://www.itpro.com/security/data-breaches/359637/misconfigured-cloud-services-exposed-100-million-android-users-data">application configurations</a>, and prompts. </p><p>Many businesses integrate these tools with external services like the <a href="https://www.itpro.com/business/business-strategy/370170/openai-launches-chatgpt-api-for-businesses-at-competitive-price">OpenAI API</a>, <a href="https://www.itpro.com/technology/artificial-intelligence/aws-invests-dollar4-billion-in-anthropic-to-improve-bedrock-experience">AWS Bedrock</a>, Confluence, or <a href="https://www.itpro.com/software/development/everything-you-need-to-know-about-github-models-the-new-ai-testing-playground-for-developers">GitHub</a>, the report noted, meaning any credential leakage related to the integrations could lead to an even wider breach upstream.</p><p>Researchers scanned for public instances of Flowise servers and found the majority were password-protected, but warned they found a number of “simple vulnerabilities” in early versions of the platform. </p><p>For example, 45% of the 959 servers assessed by the researchers were found to be vulnerable to an <a href="https://www.itpro.com/security/seven-asus-routers-impacted-by-critical-authentication-bypass-flaw">authentication bypass vulnerability</a> (CVE-2024-31621).</p><p>Moreover, scanning the data in the servers, the researchers found a “couple dozen secrets”, including <a href="https://www.itpro.com/technology/artificial-intelligence/openais-regulatory-probes-explained">OpenAI</a> API keys, GitHub access tokens, URLs with database passwords, as well as API keys for Pinecone vector databases. </p><p>Businesses should reevaluate what platforms their developers are using, Legit Security advised, and should immediately implement a strict permissions system to prevent anonymous access. 
</p><p>“If possible, do not publicly expose these services, and manage access through <a href="https://www.itpro.com/network-internet/virtual-private-network-vpn/367994/vpn-or-virtual-private-networks-what-businesses">private networks</a>,” the report added.</p><p>Another precaution the report suggested is to ensure that any client PII and other sensitive information are removed from the data used by their AI services, to avoid potentially costly data leakage.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Why the Wiz acquisition makes perfect sense for Google ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/cloud/cloud-security/why-the-wiz-acquisition-makes-perfect-sense-for-google</link>
                                                                            <description>
                            <![CDATA[ Bringing Wiz under the Google umbrella would markedly improve the tech giant’s cybersecurity capabilities ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">DWrS5x8mfER59HHRSykCr5</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/wTLVoqdkRzNqygsM3KpFBJ-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Wed, 17 Jul 2024 09:04:05 +0000</pubDate>                                                                                                                                <updated>Wed, 17 Jul 2024 11:16:37 +0000</updated>
                                                                                                                                            <category><![CDATA[Cloud Security]]></category>
                                                    <category><![CDATA[Cloud]]></category>
                                                                                                <author><![CDATA[ ross.kelly@futurenet.com (Ross Kelly) ]]></author>                    <dc:creator><![CDATA[ Ross Kelly ]]></dc:creator>                                                                <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/Y5vrV2V98Np6jHAGmAtCd3.jpg ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/wTLVoqdkRzNqygsM3KpFBJ-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Wiz logo pictured on a laptop screen.]]></media:description>                                                            <media:text><![CDATA[Wiz logo pictured on a laptop screen.]]></media:text>
                                <media:title type="plain"><![CDATA[Wiz logo pictured on a laptop screen.]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/wTLVoqdkRzNqygsM3KpFBJ-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Google’s rumored acquisition of cyber security startup Wiz makes sense for the tech giant and would represent a bold effort to bolster its cloud security capabilities, analysts have told <em>ITPro</em>. </p><p>Speculation over a potential move began circulating over the weekend, with initial reports from the <a href="https://www.wsj.com/business/deals/google-near-23-billion-deal-for-cybersecurity-startup-wiz-622edf1a" target="_blank"><em>Wall Street Journal</em></a> suggesting the deal could be worth $23 billion, making it Google’s most expensive acquisition ever.</p><p>This alone speaks volumes, according to Charlie Winckless, VP analyst for cloud security at Gartner. He told <em>ITPro</em> that an acquisition of this size represents a major signal of intent for Google.</p><p>“It’s an <em>extremely</em> large acquisition,” he said. “And it’s very much tied into Google’s cloud approach. It’s [Wiz] a very strong brand with strong capabilities in the cloud native application protection platform (CNAPP) space.”</p><p>Notably, Winckless said the valuation touted for this deal is larger than the estimated market capitalization of the CNAPP market.</p><p>Specializing in <a href="https://www.itpro.com/cloud-security/34458/what-is-cloud-security">cloud security</a>, Wiz is a relatively young company, having been founded in 2020. The company’s flagship tools provide users with a cloud native security platform that offers threat prevention and rapid incident response capabilities.</p><p>With organizations shifting en masse to the cloud during the onset of the Coronavirus pandemic, a sharp demand for cloud security services saw the company expand rapidly. 
In the space of four years, the New York-headquartered firm’s headcount has grown to around 900, and earlier this year it was valued at $12 billion.</p><p>It boasts around 40% of Fortune 100 companies as its clients and works with a number of leading brands including Salesforce, BMW, as well as AWS and Microsoft – Google’s leading competitors in the cloud space.</p><p>This rapid growth underlines the insatiable appetite for cloud security tools in the enterprise, Winckless noted.</p><p>“They are a necessity, whether provided by the cloud provider themselves – and each of the cloud providers provides these capabilities within their cloud – or for the many organizations that are intentionally or accidentally in a multi-cloud strategy,” he said.</p><p>“These tools provide consistent visibility across major hyperscaler environments. bring together many of the components of cloud risk.”</p><p>Google Cloud CEO Thomas Kurian is believed to be the key proponent of a move to acquire the startup, according to the <a href="https://www.nytimes.com/2024/07/14/technology/google-wiz-deal.html"><em>New York Times</em></a>, which again highlights where the company’s intentions lie.</p><p>Any potential acquisition would markedly improve the tech giant’s capabilities amidst what is an increasingly perilous time for organizations operating in the cloud.</p><p><a href="https://www.itpro.com/cloud/cloud-security/cloud-security-breaches-surge-on-a-wave-of-stolen-credentials">Cloud security threats</a> have increased rapidly in recent years. 
With enterprises now hosting much of their critical data in the cloud, these environments are viewed by threat actors as a highly lucrative target - especially sophisticated, state-backed <a href="https://www.itpro.com/security/28084/what-is-ransomware">ransomware</a> groups.</p><p>Research from CrowdStrike earlier this year, for example, noted that rapid growth in this domain means the cloud is <a href="https://www.itpro.com/cloud/cloud-security/cloud-security-breaches-surge-on-a-wave-of-stolen-credentials">becoming a “major battleground for cyber attacks”.</a></p><p>With this in mind, it makes sense that Google would want to further add to its portfolio and provide cloud customers with a wider array of tools to contend with rising threats.</p><p>“I think cloud is the major battleground for cyber attacks largely because the cloud is part of everybody’s IT infrastructure at this point,” Winckless said. “The cloud is an increasingly critical, if not already critical part of at least 80% of organizations.</p><p>“It’s newer and requires the same security outcomes but must be delivered with different tools and different approaches. That means there’s an exposure there for organizations.”</p><h2 id="wiz-acquisition-will-x201c-jump-start-x201d-google-x2019-s-cloud-security-goals">Wiz acquisition will “jump-start” Google’s cloud security goals</h2><p>Notably, Winckless said this acquisition will “jump-start Google’s presence” in the cloud security market. 
The company already boasts an impressive roster with regard to cybersecurity, having <a href="https://www.itpro.com/security/367021/google-buys-cyber-security-firm-mandiant-for-54-billion">acquired Mandiant in 2022 as part of a $5.4 billion deal</a>.</p><p>That same year saw Google acquire Israeli startup Siemplify in a $500 million deal to further bolster its ‘Chronicle’ cloud security initiative.</p><p>What this acquisition also signals heavily, however, is the company’s continued efforts to improve <a href="https://www.itpro.com/hybrid-cloud/34384/multi-cloud-vs-hybrid-cloud-whats-the-difference">multi-cloud</a> security capabilities. While public cloud still dominates the industry, enterprises are increasingly moving toward a <a href="https://www.itpro.com/cloud/34476/what-is-multi-cloud">multi-cloud</a> approach, whereby they use two or more major cloud providers.</p><p>Earlier this year, the firm expanded its Security Command Center Enterprise to provide users with extended security capabilities across multi-cloud environments, such as AWS. 
With this acquisition, Google will essentially be hedging its bets by expanding security tools to work across a wider range of providers.</p><p>“Wiz has better coverage and moves into Azure,” Winckless said. “So it really moves them very far forward in this and associates them with a strong brand in the security space. Mandiant was, and is, a very strong brand.”</p><p>Google’s counterparts in the <a href="https://www.itpro.com/627952/what-is-cloud-computing">cloud computing</a> space have been expanding their multi-cloud security capabilities, Winckless noted, which may be a key motivating factor in this deal.</p><p>“We have seen efforts from the other cloud providers, Microsoft in particular, to expand their coverage of other clouds with Microsoft Defender CSPM. 
And this really puts Google head to head with that offering in that space.”</p><p>Dr Marc Manzano, general manager for <a href="https://www.itpro.com/security/28133/what-is-cyber-security">cybersecurity</a> at SandboxAQ, echoes Winckless’ thoughts in this regard, adding that Google has traditionally lagged behind AWS and <a href="https://www.itpro.com/microsoft-azure/34048/microsoft-azure-review-competitive-cloud-pricing-takes-a-bite-out-of-aws">Azure</a> on this front.</p><p>“Following its acquisitions of Mandiant and Siemplify, the potential acquisition of Wiz highlights Google&apos;s ambition to dominate the cloud security space,” he said.</p><p>“Wiz&apos;s technology can be utilized to protect infrastructure across AWS, Azure, and other cloud platforms, so this move would enable Google to build connections to other cloud providers.”</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Critical OpenSSH vulnerability leaves over 14 million servers potentially at risk ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/cloud/cloud-security/first-openssh-vulnerability-in-nearly-two-decades-leaves-over-14-million-servers-potentially-at-risk</link>
                                                                            <description>
                            <![CDATA[ Researchers have uncovered the first security flaw affecting OpenSSH in almost two decades, and it's a big one – here’s what you need to know ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">Ggzx8Y8cUGweavQ9qEETyg</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/RQtnodCCRZfLsvPx4M93P-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Mon, 01 Jul 2024 15:39:52 +0000</pubDate>                                                                                                                                <updated>Tue, 02 Jul 2024 10:01:23 +0000</updated>
                                                                                                                                            <category><![CDATA[Cloud Security]]></category>
                                                    <category><![CDATA[Cloud]]></category>
                                                                                                <author><![CDATA[ solomon.klappholz@futurenet.com (Solomon Klappholz) ]]></author>                    <dc:creator><![CDATA[ Solomon Klappholz ]]></dc:creator>                                                                <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/pjZQRW2qWqQNjxubC6SUQ5.jpg ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/RQtnodCCRZfLsvPx4M93P-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[cybersecurity concept image showing digitized padlock resting on top of circuit boards.]]></media:description>                                                            <media:text><![CDATA[cybersecurity concept image showing digitized padlock resting on top of circuit boards.]]></media:text>
                                <media:title type="plain"><![CDATA[cybersecurity concept image showing digitized padlock resting on top of circuit boards.]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/RQtnodCCRZfLsvPx4M93P-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Researchers at cybersecurity platform Qualys have <a href="https://blog.qualys.com/vulnerabilities-threat-research/2024/07/01/regresshion-remote-unauthenticated-code-execution-vulnerability-in-openssh-server" target="_blank"><u>uncovered</u></a> a critical security flaw in OpenSSH’s server (sshd) in glibc-based <a href="https://www.itpro.com/software/linux">Linux</a> systems, which could potentially impact over 14 million <a href="https://www.itpro.com/server-storage/network-attached-storage-nas/361938/qnap-warns-ransomware-targeting-nas-devices">internet-facing servers</a>.</p><p>CVE-2024-6387 is an unauthenticated <a href="https://www.itpro.com/security/32215/remote-code-execution-flaw-found-in-cisco-webex">remote code execution</a> (RCE) vulnerability that could grant threat actors full <a href="https://www.itpro.com/android/28295/how-to-unroot-androidhttps://www.itpro.com/software/linux/362069/pwnkit-12-year-old-linux-root-privilege-flaw-hiding-plain-sight">root access</a> if exploited successfully.</p><p>The <a href="https://www.qualys.com/regresshion-cve-2024-6387/" target="_blank"><u>blog</u></a> noted this flaw marks the first security vulnerability affecting <a href="https://www.itpro.com/security/cyber-attacks/openssh-vulnerability-uncovered-by-researchers-rce-exploit-developedhttps://www.itpro.com/security/cyber-security/359457/what-are-ssh-keys">OpenSSH</a> in nearly two decades, and is especially dangerous by virtue of the number of enterprises that rely on the tool for remote <a href="https://www.itpro.com/business-strategy/automation/370029/automation-the-key-to-optimised-server-management">server management</a>.</p><p>Qualys’ Threat Research Unit (TRU) labeled the flaw the ‘regreSSHion bug’ due to the fact it is a regression of a <a href="https://www.itpro.com/security/cyber-attacks/novel-china-linked-linux-backdoor-exploits-organizations-that-fail-to-patch-old-vulnerabilities">previously patched vulnerability</a> 
CVE-2006-5051, initially reported in 2006. </p><p>Regression here refers to the mechanism by which a security vulnerability, once fixed, is reintroduced into an environment through a subsequent <a href="https://www.itpro.com/marketing-comms/e-commerce/361661/smbs-urged-to-update-software-ahead-of-black-friday">software update</a>.</p><p>This regression bug was reintroduced in October 2020 in OpenSSH 8.5p1, according to Qualys, and highlights the importance of rigorous <a href="https://www.itpro.com/desktop-software/28859/what-is-regression-testing">regression testing</a> to prevent the resurrection of <a href="https://www.itpro.com/security/patch-management-why-firms-ignore-vulnerabilities-at-their-own-risk">known vulnerabilities</a>.</p><p>CVE-2024-6387 affects the default configuration of OpenSSH and does not require any user interaction, therefore posing a significant risk of exploitation.</p><p>Using services like <a href="https://www.itpro.com/security/cisco-zero-day-vulnerability-hits-40000-devices-in-a-matter-of-days">Censys</a> and <a href="https://www.itpro.com/cloud-storage/32484/unsecured-server-leaks-details-of-32-million-sky-brazil-subscribers">Shodan</a>, Qualys identified over 14 million potentially vulnerable OpenSSH server instances exposed to the internet. </p><p>Furthermore, anonymized data from Qualys’ attack surface management cloud service CSAM 3.0 revealed approximately 700,000 external internet-facing instances are vulnerable. 
</p><p>This would make up 31% of all internet-facing instances of OpenSSH in Qualys’ global customer base.</p><h2 id="x201c-about-as-bad-as-they-come-x201d-cve-2024-6387-is-triply-dangerous">“About as bad as they come” - CVE-2024-6387 is triply dangerous</h2><p>Ray Kelly, fellow at the Synopsys Software Integrity Group, said the combination of RCE, root access, and broad distribution makes this vulnerability particularly worrying, and patching all vulnerable instances is not going to be a simple task.</p><p>“This vulnerability is about as bad as they come. A trifecta of Remote code execution, root access, and a widespread distribution across Linux servers makes this a <a href="https://www.itpro.com/security/cyber-attacks/email-still-the-top-vector-for-attackers">hot target for threat actors</a>,” he explained.</p><p>“Although an OpenSSH patch is available, deploying it across all affected systems—potentially impacting 14 million OpenSSH instances—poses a significant challenge.  This vulnerability could persist for a long time, reminiscent of the <a href="https://www.itpro.com/security/369419/second-ever-openssl-critical-vulnerability-teased-10-years-after-heartbleed">Heartbleed vulnerability</a> in OpenSSL from 2014."</p><p>Synopsys’ principal consultant, Thomas Richards, added he predicts there will be a spike in exploitations of IoT systems as a result, as systems are increasingly treated like one-time-use devices and are not updated frequently.</p><p>"I suspect we’ll see a rise in compromises of embedded and IoT systems, as many consumer models are meant to be disposable and rarely get updates. A vulnerability like this could be used by attackers over a long period of time, as older systems do not get updates or as organizations are slow to patch."</p><p>Qualys recommends enterprises immediately apply patches for OpenSSH, limiting SSH access through network-based controls to reduce the risk of attack, as well as implementing robust network segmentation to minimize the disruption a successful intruder could cause.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Enterprises need to get a 'firm grasp' on attack surfaces as cloud breaches surge ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/cloud/cloud-security/enterprises-need-to-get-a-firm-grasp-on-attack-surfaces-as-cloud-breaches-surge</link>
                                                                            <description>
                            <![CDATA[ A surge in cloud breaches means organizations need to get a tighter grip on attack surfaces, researchers have warned ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">nKokMbzEz4Hfvc8Uc3EDaf</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/bVfwdN9N9AcRT3fun4mohN-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Tue, 25 Jun 2024 10:31:12 +0000</pubDate>                                                                                                                                <updated>Tue, 25 Jun 2024 13:50:45 +0000</updated>
                                                                                                                                            <category><![CDATA[Cloud Security]]></category>
                                                    <category><![CDATA[Cloud]]></category>
                                                                                                                    <dc:creator><![CDATA[ Emma Woollacott ]]></dc:creator>                                                                <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/aWfskavxoVSMDy6cDWtYmJ.jpg ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/bVfwdN9N9AcRT3fun4mohN-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Public Cloud concept image showing digitized cloud image looming over map of Europe with multiple separate cloud images surrounding it.]]></media:description>                                                            <media:text><![CDATA[Public Cloud concept image showing digitized cloud image looming over map of Europe with multiple separate cloud images surrounding it.]]></media:text>
                                <media:title type="plain"><![CDATA[Public Cloud concept image showing digitized cloud image looming over map of Europe with multiple separate cloud images surrounding it.]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/bVfwdN9N9AcRT3fun4mohN-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Cloud breaches have been rising steadily in recent years, according to a new report from Thales, with nearly half of firms having recorded a serious incident. </p><p>Analysis by Thales shows that 14% of firms experienced a cloud breach in the last year, and the most common <a href="https://www.itpro.com/cloud/361113/the-rise-of-cloud-misconfiguration-threats-and-how-to-avoid-them">cause was human error and misconfiguration</a>.</p><p>The firm warned that threat actors are also ramping up exploitation of known vulnerabilities, with 28% of all recorded breaches due to this. Similarly, a failure to use <a href="https://www.itpro.com/security/cyber-security/369745/what-is-mfa-fatigue">multi-factor authentication (MFA)</a> was behind around 17% of all breaches.</p><p>The main targets were <a href="https://www.itpro.com/cloud/software-as-a-service-saas/362655/what-is-saas">SaaS</a> applications, cited by 31%, followed by <a href="https://www.itpro.com/cloud-storage/29761/our-5-minute-guide-to-hybrid-cloud-storage">cloud storage</a> at 30%, and cloud infrastructure at 26%.</p><p>These <a href="https://www.itpro.com/security/cyber-security/369983/what-is-attack-surface-management">attack surfaces</a> are increasing, warned Thales, whose report involved a survey of nearly 3,000 organizations with revenues of between $100 million and $250 million.</p><p>Two-thirds of organizations are now using more than 25 SaaS applications, and nearly half of corporate data is rated as being sensitive. 
Despite this, however, data encryption rates remain low, with fewer than 10% of enterprises encrypting 80% or more of their sensitive cloud data.</p><p>"The scalability and flexibility that the cloud offers is highly compelling for organizations, so it’s no surprise it is central to their <a href="https://www.itpro.com/enterprise-security/34017/who-should-take-ownership-of-your-cyber-security-strategy">security strategies</a>," said Sebastien Cano, senior vice president for cloud protection and licensing activities at Thales.</p><p>"However, as the cloud attack surface expands, organizations must get a firm grasp on the data they have stored in the cloud, the keys they’re using to encrypt it, and the ability to have complete visibility into who is accessing the data and how it is being used."</p><h2 id="data-sovereignty-considerations-boom-amid-rise-in-cloud-breaches">Data sovereignty considerations boom amid rise in cloud breaches</h2><p>Cano added that new considerations such as <a href="https://www.itpro.com/cloud/367052/data-sovereignty-a-boon-for-msps">data sovereignty</a> and growing scrutiny of privacy practices mean it’s vital that organizations bolster cloud security capabilities moving forward.</p><p>Nearly half of organizations said it&apos;s more difficult to manage compliance and privacy in the cloud, compared with on-premises.</p><p>Companies are modernizing and increasing their investments to meet these new security challenges, however. 
For those that prioritize digital sovereignty as an emerging security concern, most chose to refactor applications to logically separate, secure, store, and process cloud data ahead of other measures such as repatriating workloads back to on-prem.</p><p>Future-proofing cloud environments was the leading driver behind digital sovereignty initiatives, cited by more than three-in-ten organizations, while adhering to regulations came in at a distant second at 22%.</p><p>The rise in cloud attacks comes amid a renewed focus on cloud migration among enterprises globally. In a recent study by Gartner, the consultancy predicted that by 2027 more than 70% of enterprises will use industry cloud platforms.</p><p>This marks a sharp increase compared to the 15% recorded in 2023, Gartner noted.</p><p>As a result of this, the consultancy said it expects <a href="https://www.itpro.com/cloud-security/34458/what-is-cloud-security">cloud security</a> investment to grow by 24% in 2024.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ How the UK’s Ministry of Defence is overhauling its internal cloud with a secure by design approach ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/cloud/cloud-security/how-the-uks-ministry-of-defence-is-overhauling-its-internal-cloud-with-a-secure-by-design-approach</link>
                                                                            <description>
                            <![CDATA[ With the goal of consolidating its internal network, the MoD has turned to automated threat detection and is questioning the effectiveness of practices such as air gapping ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">PaUhz5GHzGF8TMRLEGxtJE</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/bzzyFXtajtFRL2hJnDABTQ-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Thu, 20 Jun 2024 12:43:17 +0000</pubDate>                                                                                                                                <updated>Thu, 20 Jun 2024 14:54:25 +0000</updated>
                                                                                                                                            <category><![CDATA[Cloud Security]]></category>
                                                    <category><![CDATA[Cloud]]></category>
                                                                                                                    <dc:creator><![CDATA[ Peter Ray Allison ]]></dc:creator>                                                                                                                                                                                                                                                                    <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/bzzyFXtajtFRL2hJnDABTQ-1280-80.jpg">
                                                            <media:credit><![CDATA[Peter Ray Allison]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Harry Gazzard, a solutions architect working for the MoD on its digital transformation project, speaking at a panel at Infosecurity Europe 2024.]]></media:description>                                                            <media:text><![CDATA[Harry Gazzard, a solutions architect working for the MoD on its digital transformation project, speaking at a panel at Infosecurity Europe 2024.]]></media:text>
                                <media:title type="plain"><![CDATA[Harry Gazzard, a solutions architect working for the MoD on its digital transformation project, speaking at a panel at Infosecurity Europe 2024.]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/bzzyFXtajtFRL2hJnDABTQ-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>The UK’s Ministry of Defence (MoD) is developing a strategic cloud project, with the aim of consolidating its existing network architecture and preparing for full-scale cloud adoption in the future.</p><p>Harry Gazzard, a solutions architect contractor working for the MoD, presented its approach to developing this cloud network at InfoSecurity Europe 2024.</p><p>There are a multitude of threat actors, from <a href="https://www.itpro.com/security/after-a-string-of-high-profile-cyber-gang-takedowns-is-the-cyber-crime-industry-about-to-get-a-lot-more-fragmented"><u>organized crime groups</u></a> to <a href="https://www.itpro.com/security/cyber-attacks/state-sponsored-cyber-attacks-the-new-frontier"><u>state-sponsored cyber attackers</u></a>, who would seek to breach the MoD’s cloud network. Therefore, security is naturally a key focus for the project’s development.</p><p>The MoD is following the <a href="https://www.itpro.com/security/367722/mod-pledges-resilience-to-all-known-vulnerabilities-by-2030"><u>&apos;secure by design&apos;</u></a> approach, a UK government framework produced in collaboration with the <a href="https://www.itpro.com/security/what-is-the-national-cyber-security-centre-ncsc-and-what-does-it-do"><u>National Cyber Security Centre (NCSC)</u></a>. 
It seeks to ensure projects take cyber security into account from the design phase onward and that those responsible for projects are accountable for secure upkeep and the elimination of outdated practices.</p><p>Instead of relying on established techniques or making assumptions, the team behind the MoD’s cloud transformation has gone back to basics by asking themselves ‘What does secure by design actually mean?’ </p><p>Although the sensitive nature of the MoD&apos;s work prevents the team from being entirely transparent about development throughout the process, Gazzard stresses the MoD&apos;s <a href="https://www.itpro.com/security/encouraging-a-security-first-mindset"><u>security-first</u></a> design strategy will ensure a secure platform is built. Some form of independent oversight can still be implemented under this system, with the appropriate non-disclosure agreements in place. </p><h2 id="a-root-and-branch-approach-to-attack-vectors">A root and branch approach to attack vectors</h2><p>One of the key risks facing the cloud platform is <a href="https://www.itpro.com/malware/28076/what-is-malware"><u>malware</u></a>. In 2020, Anne Neuberger, who was then the director of the cyber security directorate for the US <a href="https://www.itpro.com/tag/nsa"><u>National Security Agency (NSA)</u></a>, identified that 92% of all malware was delivered through the <a href="https://www.itpro.com/domain-name-system-dns/30228/what-is-dns"><u>domain name system (DNS)</u></a>. Malware has become an ever-evolving threat vector, with older malware being re-weaponised. 
Code from older malware can be shared – or stolen – and used in the creation of new malware attacks.</p><p>Rather than focusing on attacking the malware directly, the cloud architects are targeting the traffic distribution systems in order to block the malware before it can be deployed within the network.</p><p>The DNS is a naming database in which domain names are located and translated into <a href="https://www.itpro.com/infrastructure/network-internet/358606/static-ip-vs-dynamic-ip-whats-the-difference">IP addresses</a>. Most activities over the internet rely on the DNS to connect users to remote hosts. The mapping of DNS is distributed across the internet, with governments and other organizations typically having their own assigned ranges of IP addresses and domain names. As such, the DNS became a key focus for deploying cyber security: without a secure DNS platform, the integrity of any cloud architecture could be undermined.</p><p>As the MoD <a href="https://www.itpro.com/security/what-is-an-air-gap-and-why-do-security-teams-use-them"><u>air-gaps</u></a> its critical systems from the wider infrastructure to ensure they remain secure, it is less concerned about direct attacks. But with its secure by design approach at heart, it recognizes there is always value in adding additional protection.</p><p>Though its systems are air-gapped, this does not mean they do not talk to other systems at all. For example, <a href="https://www.itpro.com/security/patch-management-why-firms-ignore-vulnerabilities-at-their-own-risk">critical patches</a> and updates still need to be deployed. Although updates may be uploaded through optical disks or <a href="https://www.itpro.com/server-storage/flash-storage/360883/the-benefits-and-drawbacks-of-flash-storage-today">flash drives</a>, the air-gapped systems are still effectively connecting to the outside world, albeit in a controlled manner. 
There is also the risk of a compromised device being brought into the premises and connecting to the network.</p><p>The potential threats facing <a href="https://www.itpro.com/cloud/367935/best-cloud-computing-services-in-2022"><u>cloud platforms</u></a> also include indirect attacks, such as <a href="https://www.itpro.com/security/28026/what-is-a-ddos-attack"><u>distributed denial of service (DDoS)</u></a> attacks and DNS poisoning (otherwise known as DNS spoofing and DNS cache poisoning). DNS poisoning is a cyber attack in which attackers insert false information into the DNS to redirect users to a malicious website.</p><p>In regard to control channels for screening data packets, one particular challenge is that DNS can be effectively rendered blind if the packets are no longer transparent. This is especially the case with <a href="https://www.itpro.com/network-internet/30416/http-vs-https-what-difference-does-it-make-to-security"><u>HTTPS</u></a>. It is designed to protect users by <a href="https://www.itpro.com/security/innovation-at-work/24460/what-is-data-encryption"><u>encrypting</u></a> DNS data, but this also prevents oversight.</p><h2 id="greater-automation-for-threat-monitoring">Greater automation for threat monitoring</h2><p>The MoD is taking a proactive approach to security, focusing on detection and prevention by automating processes for advanced DNS protection, to enable a swifter response to <a href="https://www.itpro.com/technology/artificial-intelligence/ai-threats-the-importance-of-a-concrete-strategy-in-fighting-novel-attacks"><u>emerging threats</u></a>. 
There is continual monitoring, as the <a href="https://www.itpro.com/security/world-economic-forum-warns-of-growing-cyber-insecurity-amid-heightened-threat-landscape"><u>threat landscape is constantly changing</u></a>.</p><p>Gazzard highlights the challenges the project faces, most notably the struggle of creating a platform that is secure whilst simultaneously meeting the needs of multiple departments. With this in mind, the MoD is expanding its <a href="https://www.itpro.com/cloud/private-cloud/363378/ministry-of-defence-turns-to-private-cloud-for-secure-internal-apps">internal cloud</a>, with multi-tenant architecture that has the ability to scale, whilst remaining compartmentalized to prevent information leakage.</p><p>Many of its existing networks are shifting from being on-premises platforms to ones that use shared cloud architecture. The MoD is enabling the different groups within them to build their own platform within the cloud.</p><p>Part of its threat monitoring will be reviewing remote system logs that can report emerging threats. 
This allows cyber security analysts to identify <a href="https://www.itpro.com/security/ransomware/life-after-lockbit-a-fragmented-landscape-and-wayward-affiliates-will-still-cause-chaos-for-enterprises">emerging trends within the threat landscape</a> and to adapt their security posture accordingly.</p><p>In recent years, hacking has become industrialized, with DNS being used by malicious actors as a tool to profile users. Awareness of these multifarious threats has meant the UK’s MoD can develop a global cloud platform with a robust end-point security protocol that can protect the organization from attacks.</p><p>Updating systems presents several challenges for developing the cloud architecture, as there are stringent policies in regard to importing and exporting data. 
There are also devices with <a href="https://www.itpro.com/business/digital-transformation/legacy-it-infrastructure-accounts-for-more-than-a-third-of-enterprise-power-consumption-and-its-creating-a-sustainability-nightmare-for-it-leaders"><u>legacy hardware</u></a> requirements that will need software updates or to be replaced with a newer version.</p><p>Rather than relying on an annual security review, it is shifting to ongoing security assessments, whereby systems are continually assessed to ensure they are adequately protected. Any systems that are identified as being outdated will require investment to become compliant with the new systems, whilst retaining functionality.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ AWS users are getting a big security boost with passkey support ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/cloud/cloud-security/aws-users-are-getting-a-big-security-boost-with-passkey-support</link>
                                                                            <description>
                            <![CDATA[ AWS is adding passkey support in a bid to tighten up security controls for cloud users ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">JMiZ78FRsWdX74L5N5bK7Q</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/HLWwp3S6DByc3JXnJ3PHUc-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Thu, 13 Jun 2024 15:15:57 +0000</pubDate>                                                                                                                                <updated>Fri, 14 Jun 2024 11:27:07 +0000</updated>
                                                                                                                                            <category><![CDATA[Cloud Security]]></category>
                                                    <category><![CDATA[Cloud]]></category>
                                                                                                                    <dc:creator><![CDATA[ Steve Ranger ]]></dc:creator>                                                                <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/gFeXmAxutpTpGN7c98ZAwJ.jpg ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/HLWwp3S6DByc3JXnJ3PHUc-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[AWS logo pictured during the Viva Technology show at Parc des Expositions Porte de Versailles on May 22, 2024 in Paris, France.]]></media:description>                                                            <media:text><![CDATA[AWS logo pictured during the Viva Technology show at Parc des Expositions Porte de Versailles on May 22, 2024 in Paris, France.]]></media:text>
                                <media:title type="plain"><![CDATA[AWS logo pictured during the Viva Technology show at Parc des Expositions Porte de Versailles on May 22, 2024 in Paris, France.]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/HLWwp3S6DByc3JXnJ3PHUc-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p><a href="https://www.itpro.com/amazon-web-services">Amazon Web Services (AWS)</a> is adding support for FIDO2 passkeys as a multi-factor authentication (MFA) option, as the cloud giant prepares to boost the security requirements around more user accounts.</p><p>Back in October last year, AWS said it would begin to require <a href="https://www.itpro.com/security/cyber-security/369745/what-is-mfa-fatigue">MFA</a> for the most privileged users on an AWS account, starting with AWS Organizations management account root users.</p><p>Starting next month, root users of standalone accounts (by which AWS means those that aren’t managed with AWS Organizations) will be required to use MFA when signing in to the AWS Management Console.</p><p>This policy change will start with a small number of customers and increase over a period of months. Customers will have a grace period to allow them to upgrade to MFA, and they will be reminded about it at sign-in.</p><p>AWS said this change does not apply to the root users of member accounts in AWS Organizations. It said there will be more information about the MFA requirements for remaining root user use cases, such as member accounts, later in the year.</p><p>MFA can come in many forms but generally means going beyond the classic user-name-and-password combination which, it has turned out, is a pretty flimsy way of securing accounts online. That’s because passwords are too easy to crack or re-use across different services.</p><p>They’re easily shared, lost or stolen, all of which is why many data leaks and hacks often start with attackers being able to access systems with some form of legitimate but compromised credentials. 
Stolen or leaked credentials have been seen as one of the biggest risks to cloud infrastructure.</p><p>As <a href="https://www.itpro.com/cloud-security/34458/what-is-cloud-security">cloud security</a> improves, attackers are finding that obtaining valid credentials is an easier route. According to research by IBM earlier this year, cloud account credentials make up 90% of the for-sale cloud assets on the dark web.</p><p>As AWS extends the need for customers to use MFA, it is also giving them another option to choose from in the form of FIDO2 passkeys.</p><p>“When used as MFA, passkeys provide enhanced security for human authentication in a user-friendly manner. You can register and use passkeys today to enhance the security of your AWS console access,” said Arynn Crow, senior manager of user authentication products for AWS Identity.</p><p>“This will help you to adhere to AWS default MFA security requirements as those roll out to a larger group of customers starting in July.</p><p>“We strongly encourage you adopt some form of MFA anywhere you’re signing in today, and especially phishing-resistant MFA, which we’re excited to enhance with FIDO2 passkeys.”</p><p>Passkeys are already used widely to improve account security (you can already use them to secure your Amazon shopping account for example). 
Passkeys are FIDO2 credentials, which use public key cryptography to provide strong, <a href="https://www.itpro.com/security/29093/what-is-phishing">phishing</a>-resistant authentication, but can be backed up and synced across devices and operating systems rather than being stored on physical devices like a USB-based key.</p><p>Whether you want to use passkeys or something else, AWS said that any type of MFA is better than no MFA at all.</p><p>“MFA is one of the simplest but most effective security controls you can apply to your account, and everyone should be using some form of MFA,” the firm said.</p><p>AWS points out that phishing and <a href="https://www.itpro.com/security/social-engineering/361911/month-in-the-life-of-social-engineer-week-one">social engineering</a> attacks that target users who use one-time codes for MFA, like the ones sent to your phone, have increased.</p><p>Because using this option means you need to 
read the number or code from the device and enter it manually, attackers can also try to get users to read the code out to them instead, thereby bypassing the value of MFA. Passkeys aren’t vulnerable to this.</p><p>AWS said that if your organization is already using another form of MFA like a non-syncable FIDO2 <a href="https://www.itpro.com/hardware">hardware</a> security key or authenticator app, the question of whether or not you should migrate to syncable passkeys is dependent on your or your organization’s uses and requirements.</p><p>“Because their credentials are bound only to the device that created them, FIDO2 security keys provide the highest level of security assurance for customers whose regulatory or security requirements demand the strongest forms of authentication, such as FIPS-certified devices,” the cloud giant said.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Cisco unveils first product integrations since Splunk acquisition ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/cloud/cloud-security/cisco-unveils-first-product-integrations-since-splunk-acquisition</link>
                                                                            <description>
                            <![CDATA[ Cisco said the combination of observability technologies will enable customers to spot infrastructure problems faster ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">qPFvFPn6ARTomrWca6Gtm4</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/obsBzbFgxMoQGzTF8RzBQ5-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Thu, 06 Jun 2024 07:30:08 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Cloud Security]]></category>
                                                    <category><![CDATA[Cloud]]></category>
                                                                                                                    <dc:creator><![CDATA[ Steve Ranger ]]></dc:creator>                                                                <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/gFeXmAxutpTpGN7c98ZAwJ.jpg ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/obsBzbFgxMoQGzTF8RzBQ5-1280-80.jpg">
                                                            <media:credit><![CDATA[Cisco]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Cisco Live 2024 keynote theatre banner with Cisco logo and branding. ]]></media:description>                                                            <media:text><![CDATA[Cisco Live 2024 keynote theatre banner with Cisco logo and branding. ]]></media:text>
                                <media:title type="plain"><![CDATA[Cisco Live 2024 keynote theatre banner with Cisco logo and branding. ]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/obsBzbFgxMoQGzTF8RzBQ5-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p><a href="https://www.itpro.com/infrastructure/networking/everything-you-need-to-know-about-cisco">Cisco</a> has unveiled the first fruits of its <a href="https://www.itpro.com/business/acquisition/cisco-set-to-acquire-splunk-in-dollar28-billion-deal">$28 billion acquisition of Splunk</a>, with a series of integrations combining the duo’s observability technologies.</p><p>Cisco completed its acquisition of Splunk – its biggest ever – earlier this year. Splunk’s products provide security information and event management across a customer’s enterprise technology infrastructure to spot any sort of anomalous behavior.</p><p>Now, Cisco has started some integrations between its monitoring tools and those from Splunk. Observability tools collect and analyze data from infrastructure and networks to spot – and hopefully resolve – issues before they impact the business.</p><p>In the keynote on the second day of Cisco Live, Tom Gillis, general manager for security products at Cisco, said the combination of Cisco and Splunk will unlock data that’s invisible to security teams right now.</p><p>Network security used to consist of services that came in a box, but that is now being broken up into smaller pieces nearer to the user – secure access service edge (SASE). But the next step for security is even more fine-grained security controls aimed at unlocking more internal data with technologies like Cisco’s recently announced Hypershield product, he told the audience in Las Vegas.</p><p>Diving deeper into data and applications will also create three orders of magnitude more data than security teams are looking at today, Gillis said. 
This, he noted, is where Splunk comes in.</p><p>Cisco said that, as a result of integrating these tools, organizations would have improved visibility across their environments including on-premises, hybrid, and <a href="https://www.itpro.com/cloud/34476/what-is-multi-cloud">multi-cloud</a>, while using real-time analytics for faster, more accurate detection, investigation, and response.</p><p>“By bringing together Splunk and Cisco observability solutions, customers now have unified visibility across their entire digital footprint so they can detect, investigate and resolve problems faster to create a reliable, resilient experience for their users,” said Tom Casey, SVP and GM for products and technology at Splunk.</p><p>“Having full control over their data helps them make more targeted, effective and smarter investments in their digital systems and services, allowing them to better leverage their entire digital footprint to attract more business and grow the company.”</p><p>Cisco said new unified experiences across Cisco and Splunk observability products enable better efficiency and accuracy in troubleshooting hybrid environments.</p><p>For example, a new <a href="https://www.itpro.com/security/single-sign-on-sso/361728/what-is-single-sign-on-sso">single sign-on (SSO)</a> feature will help simplify and streamline shared workflows between Cisco AppDynamics and Splunk products.</p><p>Meanwhile, the introduction of context-aware deep linking will enable Cisco AppDynamics customers to switch straight to logs in the Splunk Platform as part of their troubleshooting workflow, which should result in faster mean time to resolution.</p><p>Single Sign-on and Log Observer Connect for Cisco AppDynamics, part of the preview of the Unified Observability Experience, will be generally available in the third quarter of 2024.</p><p>Cisco also showcased a raft of other integrations during the day-two keynote. 
This included the launch of Splunk Log Observer Connect for Cisco AppDynamics. Available in July, this combines the Splunk Platform with Cisco AppDynamics APM to drive faster, in-context troubleshooting across on-premises and hybrid environments.</p><p>Cisco said this integration allows SaaS and on-premises customers to analyze logs when troubleshooting application performance issues.</p><p>Similarly, the <a href="https://www.itpro.com/strategy/27968/cisco-snatches-up-37bn-appdynamics-in-cloud-push">Cisco AppDynamics</a> integration with Splunk Enterprise/Splunk Cloud and Splunk ITSI will allow users to correlate application metrics and events from AppDynamics with other data about systems and services in Splunk Enterprise and Splunk Cloud.</p><p>Cisco AppDynamics will also be available on <a href="https://www.itpro.com/microsoft-azure/34048/microsoft-azure-review-competitive-cloud-pricing-takes-a-bite-out-of-aws">Microsoft Azure</a>, the company told attendees. This expansion of cloud-hosted observability brings Cisco AppDynamics APM service.</p><h2 id="cisco-ai-integration-with-splunk-gathers-pace">Cisco AI integration with Splunk gathers pace</h2><p><a href="https://www.itpro.com/strategy/28181/what-is-ai">AI</a> has been a key topic so far at <a href="https://www.itpro.com/news/live/cisco-live-2024-all-the-announcements-from-the-opening-keynote">Cisco Live</a> 2024, so it was inevitable that there were going to be some Splunk integrations in this domain.</p><p>At the day-two keynote, the firm unveiled the launch of Cisco AI Assistant for Cisco AppDynamics. Integrated into the AppDynamics Help Center, the new AI Assistant uses <a href="https://www.itpro.com/technology/artificial-intelligence-ai/369959/what-is-generative-ai">generative AI</a> technology to help identify and support the workflows used by security teams.</p><p>Advanced AI in Splunk IT Service Intelligence (ITSI) was also revealed by the networking giant. 
This uses AI and <a href="https://www.itpro.com/strategy/28071/what-is-machine-learning">machine learning</a> capabilities to help teams quickly and easily configure and implement dynamic, adaptive thresholds, and manage and optimize configurations.</p><p>This means, for example, users will be able to fine-tune alerts with machine learning and look at slowly changing dimensions in KPIs that humans might not spot. The updated Splunk TA for AppDynamics and Splunk ITSI App for Content Packs will be generally available in June.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ WithSecure takes a fluff-free approach with its 'co-security' vision and AI limitations ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/cloud/cloud-security/withsecure-takes-a-fluff-free-approach-with-its-co-security-vision-and-ai-limitations</link>
                                                                            <description>
                            <![CDATA[ With a clarity of purpose not seen since its F-Secure demerger, WithSecure has worked to demonstrate its value in the enterprise security space with a particular focus on the mid-market ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">MK8BJSQUXsHzUBgy9s2pj8</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/TKJZ9oZ5iWo2oyZtAZRg4V-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Thu, 30 May 2024 13:04:15 +0000</pubDate>                                                                                                                                <updated>Thu, 30 May 2024 15:54:41 +0000</updated>
                                                                                                                                            <category><![CDATA[Cloud Security]]></category>
                                                    <category><![CDATA[Cloud]]></category>
                                                                                                <author><![CDATA[ solomon.klappholz@futurenet.com (Solomon Klappholz) ]]></author>                    <dc:creator><![CDATA[ Solomon Klappholz ]]></dc:creator>                                                                <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/pjZQRW2qWqQNjxubC6SUQ5.jpg ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/TKJZ9oZ5iWo2oyZtAZRg4V-1280-80.jpg">
                                                            <media:credit><![CDATA[Future]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Interim CEO Antti Koskela on stage at SPHERE24]]></media:description>                                                            <media:text><![CDATA[Interim CEO Antti Koskela on stage at SPHERE24]]></media:text>
                                <media:title type="plain"><![CDATA[Interim CEO Antti Koskela on stage at SPHERE24]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/TKJZ9oZ5iWo2oyZtAZRg4V-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Throughout its Sphere 2024 event in Helsinki, WithSecure has worked to paint a clearer picture of its path in the enterprise security space, with a focus on restoring confidence in the mid-market through a modular package of cloud security solutions and services.</p><p>Beginning his opening keynote, Antti Koskela, interim CEO at WithSecure, says he wanted to do something different with the company’s events, epitomized by its ‘co-security unconference’ tagline.</p><p>Elaborating on this in conversation with <em>ITPro</em>, he explains he wanted WithSecure’s event to stand out from the crowd with a more pronounced focus on the cyber security big picture. This was evident from the beginning of Sphere 2024, with the keynote lineup dominated by thought leaders from outside the organization.</p><p>The term ‘co-security’ has received some scrutiny in the past for lacking a clear definition. But at <a href="https://www.itpro.com/news/live/withsecure-sphere-2024-live-all-the-news-and-updates-as-they-happen">Sphere 2024</a>, the company leaned into this as emblematic of its collaborative approach with its partners and customers. Through its announcements at the event, WithSecure has laid out its strategy and emphasized the opportunities it can leverage along the way – a far cry from the company&apos;s <a href="https://www.itpro.com/security/enterprise-security/367815/withsecure-major-rethink-to-survive-in-enterprise-security">lack of direction just two years ago</a>.</p><h2 id="co-security-as-a-unique-selling-point">Co-security as a unique selling point</h2><p>The major product launches at the event added context to the term, all of which fall under the company’s flagship, <a href="https://www.itpro.com/cloud/cloud-computing/what-is-cloud-native-and-how-can-it-generate-business-value"><u>cloud-native</u></a> Elements Cloud platform. 
Each was framed in terms of how they fit into this vision of collaboration between WithSecure, its partners, and the end user.</p><p>Koskela outlines how the Elements Cloud embodies their co-secure objectives through a collaborative, modular security platform targeting mid-sized organizations. He believes this approach differentiates WithSecure’s offerings from some of its larger competitors.</p><p>“Often in security, in the large company playbook, you buy tools and you hire teams who work 24/7 and then you have a massive security operations center. So the minimum is usually seven people and the cost for that would be anywhere between $700,000 to $1,000,000 just for the people cost, and these mid-sized companies don&apos;t have that kind of money.”</p><p>In contrast, Koskela explains, WithSecure is targeting a model where these medium-sized organizations have access to their co-security services as modular capabilities as part of Elements Cloud, while still being able to offer the software as a standalone solution for those who don’t need the extra support.</p><p>“The key word is modularity, so we adjust our model to the way our partner wants to work,” he tells <em>ITPro</em>. 
“Some of our partners are pure <a href="https://www.itpro.com/business-operations/31711/what-is-a-managed-it-service"><u>[managed service providers] (MSPs)</u></a>, they are security providers and they don’t need anything from us, they just take the software – and that’s perfectly fine.”</p><p>Koskela contrasts this approach with that of WithSecure’s larger competitors, which he says lock customers into paying for a complex web of products they lack the personnel to properly leverage.</p><p>“[Organizations] in the mid-market usually have maybe one IT person that looks after them,” he notes, adding “When you buy large bundled licenses … you are alone and end up buying a lot more for the services.</p><p>“Because once the licensing guy has sold it, you never see them again, and then you need to contact the service partner to actually run a [security operations center] (SOC) for you, and that’s going to cost you”.</p><p>Moving forward, Koskela says, WithSecure will work to position itself as the more flexible enterprise security option for medium-sized companies. Its modular approach and ongoing support will be available either in-house or through partners.</p><p>In this sense, WithSecure’s efforts to clarify where it sees the future of the business have been largely successful. 
The strategy itself looks to put the company in a good position within the security market, considering the ongoing issues smaller businesses are experiencing with managing a <a href="https://www.itpro.com/security/ruthlessly-prioritize-whats-critical-check-point-expert-on-cisos-and-the-evolving-attack-surface"><u>complex attack surface</u></a> in an increasingly hostile <a href="https://www.itpro.com/security/world-economic-forum-warns-of-growing-cyber-insecurity-amid-heightened-threat-landscape"><u>threat landscape</u></a>.</p><p>The company’s other verticals – WithSecure Consulting and Cloud Protection for Salesforce, left over from the split with F-Secure in 2022 – are separate from their Elements strategy. Koskela adds that WithSecure will continue to look for strategic options in this area and doesn’t rule out the potential for divestment in the future.</p><h2 id="a-limited-by-design-approach-to-generative-ai">A limited by design approach to generative AI</h2><p>The biggest announcement of Sphere 2024 was the official launch of <a href="https://www.itpro.com/security/generative-ai-security-tools-are-a-risky-enterprise-investment-withsecure-wants-to-change-that"><u>WithSecure’s generative AI platform Luminen</u></a>, which Koskela says will be a core part of the company&apos;s mid-market appeal.</p><p>Luminen will be natively embedded into Elements Cloud and promises to bring an intuitive human user experience to security dashboards, to boost situational awareness through natural language explanations of security events.</p><p>This sounds much like many of the other <a href="https://www.itpro.com/technology/artificial-intelligence-ai/369959/what-is-generative-ai">generative AI</a> plays we have seen in the security industry over the past few years, such as <a href="https://www.itpro.com/security/microsoft-says-its-copilot-for-security-tool-is-a-powerful-weapon-in-the-fight-against-hackers-heres-why"><u>Copilot for Security</u></a> or <a 
href="https://www.itpro.com/news/live/google-cloud-next-2024-all-the-news-and-announcements-live"><u>Gemini in Security Command Center</u></a>. But WithSecure’s approach aims to largely sidestep the AI hype and direct comparisons with hyperscaler AI tools, with a focus on cost-effective value.</p><p>Luminen is carefully dubbed a generative AI ‘experience’, and Koskela explains that WithSecure doesn’t want to be seen as adding to the <a href="https://www.itpro.com/technology/artificial-intelligence/youre-going-to-have-an-ai-copilot-for-everything-you-do-and-youll-probably-hate-it"><u>pile of security AI copilots</u></a> in what is already a crowded market. Luminen is intended to bring a more integrated experience without the security risks associated with chatbots.</p><p>To achieve this, WithSecure says it will ‘take ownership of the prompt’, with Luminen disallowing users from entering custom prompts to lessen the risk of <a 
href="https://www.itpro.com/security/hackers-are-taking-advantage-of-ai-hallucinations-to-sneak-malicious-software-packages-onto-enterprise-repositories">hallucinations</a>. Instead, customers choose internally generated prompts rooted in their enterprise data.</p><p>Not only does this remove the chance for malicious actors to jailbreak the system using <a href="https://www.itpro.com/technology/artificial-intelligence/this-engineering-discipline-was-hailed-as-the-next-big-thing-but-ai-has-killed-it-before-it-even-started">prompt engineering</a> techniques, it also ensures Luminen’s capabilities are only being pushed when really needed.</p><p>The rush to get in on the generative AI boom has led to a number of products hitting the market without a clear business use case, and Koskela said he didn’t want Luminen to fall into the same trap, noting the <a href="https://www.itpro.com/business/business-strategy/building-a-sustainable-business-model-in-tech">sustainability</a> concerns associated with generative AI and its <a href="https://www.itpro.com/infrastructure/data-centres/us-data-center-power-consumption-is-set-to-double-by-2030-amid-soaring-ai-demands">intense data demands</a>.</p><p>It’s a refreshing approach in an incredibly saturated space, reflecting a wary attitude around new technologies lacking precise value propositions. It’s clear that WithSecure is looking to meet the worries of its customers when it comes to the security or energy impact of generative AI, having made a point of limiting Luminen to vital and valuable tasks.</p><p>This has been echoed throughout Sphere 2024, as WithSecure executives worked to avoid vague promises of what could be possible in the future.</p><p>WithSecure’s considered approach to entering the generative AI market reflects a newfound clarity around its co-security strategy. 
With its Elements Cloud targeting mid-sized enterprises through a flexible cloud security software and services ecosystem and its straightforward generative AI platform aiming to simplify security management, WithSecure has made significant progress in demonstrating a viable strategy to compete in the enterprise security space.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ WithSecure’s generative AI focus could be the key to cracking its mid-market push  ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/cloud/cloud-security/withsecures-generative-ai-focus-could-be-the-key-to-cracking-its-mid-market-push</link>
                                                                            <description>
                            <![CDATA[ After a turbulent period trying to fight for a seat at the enterprise security table, WithSecure looks to cement its niche in the cloud security middle-market and drive AI adoption ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">N5oLVDVaePRMqGjJBTSAYj</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/EGj8kGUdF8yvbwDJhP4sdU-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Fri, 24 May 2024 15:32:18 +0000</pubDate>                                                                                                                                <updated>Wed, 29 May 2024 20:19:41 +0000</updated>
                                                                                                                                            <category><![CDATA[Cloud Security]]></category>
                                                    <category><![CDATA[Cloud]]></category>
                                                                                                <author><![CDATA[ solomon.klappholz@futurenet.com (Solomon Klappholz) ]]></author>                    <dc:creator><![CDATA[ Solomon Klappholz ]]></dc:creator>                                                                <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/pjZQRW2qWqQNjxubC6SUQ5.jpg ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/EGj8kGUdF8yvbwDJhP4sdU-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Digital cloud with sitting on abstract representation of data fabric]]></media:description>                                                            <media:text><![CDATA[Digital cloud with sitting on abstract representation of data fabric]]></media:text>
                                <media:title type="plain"><![CDATA[Digital cloud with sitting on abstract representation of data fabric]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/EGj8kGUdF8yvbwDJhP4sdU-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Since <a href="https://www.itpro.com/security/enterprise-security/367151/f-secure-launches-withsecure-spinning-off-entire-enterprise"><u>spinning out</u></a> from its consumer-focused parent company F-Secure in 2022, <a href="https://www.itpro.com/security/enterprise-security/367815/withsecure-major-rethink-to-survive-in-enterprise-security">WithSecure</a> has struggled to carve out a distinct lane in the <a href="https://www.itpro.com/tag/enterprise-security">enterprise security</a> space.</p><p>Facing an uphill battle against well-established competition, WithSecure has repeatedly fallen short of profitability and missed this goal at the end of its FY 23.</p><p>Despite this, the firm has a potential path to profitability by expanding its cloud security platform as organizations look to consolidate their security portfolios, which have become <a href="https://www.itpro.com/security/enterprises-are-bogged-down-with-disparate-cyber-tools-heres-why-a-platform-security-approach-could-tackle-growing-complexity">increasingly complex</a> as a result of the <a href="https://www.itpro.com/technology/artificial-intelligence/tangible-business-value-from-cloud-transformation-remains-elusive">cloud transformation</a>.</p><p>WithSecure’s <a href="https://www.itpro.com/security/endpoint-security/369700/withsecure-elements-endpoint-protection-review-holistic">Elements</a> cloud security products have given the firm something of a foundation on which to build since being launched in 2021, but its beleaguered <a href="https://www.itpro.com/cloud/cloud-computing/on-premises-in-cloud-or-hybrid-the-risk-of-status-quo">on-premises</a> segment and consultancy services have continued to decline.</p><p>But with the advent of generative AI in late 2022, WithSecure could finally be on the road to finding its niche. 
The demand for <a href="https://www.itpro.com/strategy/28181/what-is-ai">AI</a>-powered security tools has accelerated rapidly over the last year, and with use-cases on the potential of <a href="https://www.itpro.com/technology/artificial-intelligence/amazing-ai-tools-to-try-today">AI tools</a> in security showing promising signs, this represents an opportune moment for the firm to capitalize.</p><p>The firm predicts the majority of cyber risks associated with the adoption of <a href="https://www.itpro.com/technology/artificial-intelligence-ai/369959/what-is-generative-ai">generative AI</a> tools come from how these models are integrated into systems and workflows, rather than the models themselves. </p><p>Accordingly, WithSecure could find a happy hunting ground in helping organizations integrate <a href="https://www.itpro.com/security/cyber-crime/what-is-hackbot-as-a-service-and-are-malicious-llms-a-risk">LLMs</a> into their IT systems securely, providing services around <a href="https://www.itpro.com/technology/artificial-intelligence/ai-governance-for-responsible-transparent-and-explainable-ai-workflows">AI governance</a>, AI risk modeling, and penetration testing for LLM applications and infrastructure underpinning the models.</p><p>As businesses, especially those without the resources of large enterprises, contend with ongoing <a href="https://www.itpro.com/cloud/cloud-computing/cloud-skills-shortages-are-pushing-developer-teams-to-breaking-point">skills shortages</a> stifling their access to the technical expertise needed to implement <a href="https://www.itpro.com/technology/artificial-intelligence/dell-unveils-generative-ai-solutions-and-services-in-collaboration-with-nvidia">generative AI solutions</a>, this could leave an opening for WithSecure to firmly establish itself in the enterprise cloud-consulting space.</p><p>WithSecure showed its bullishness on generative AI with two recent announcements, the first offering partners early access to its new 
exposure management technology that uses LLMs to prioritize and recommend steps customers can take to <a href="https://www.itpro.com/security/patch-management-why-firms-ignore-vulnerabilities-at-their-own-risk">remediate vulnerabilities</a> and reduce their threat exposure. </p><p>The second is the launch of Luminen, WithSecure’s new generative AI ‘experience’ that will be available through the Elements Cloud. Much like analogous security copilots on offer from some of its larger competitors, Luminen will offer a variety of <a href="https://www.itpro.com/tag/automation">automation</a> and optimization capabilities to streamline security workflows. </p><p>At SPHERE24, WithSecure will need to demonstrate where the unique value of its solution lies, and why Luminen is more than just an effort to catch up with similar solutions from <a href="https://www.itpro.com/news/live/cisco-live-2024-all-the-announcements-from-the-opening-keynotehttps://www.itpro.com/tag/cisco">Cisco</a>, <a href="https://www.itpro.com/security/fortinet-will-want-to-forget-last-week-after-botched-vulnerability-disclosures-and-a-war-of-words-over-an-electric-toothbrush-caused-chaos">Fortinet</a>, and <a href="https://www.itpro.com/security/security-has-to-work-together-cyber-collaboration-as-a-mission-at-check-point-experience-2024">Check Point</a>. 
</p><h2 id="withsecure-needs-to-clear-up-its-messaging">WithSecure needs to clear up its messaging</h2><p>WithSecure still suffers from a lack of clarity around its vision for co-security, a <a href="https://www.itpro.com/security/cyber-security/368087/cyber-security-companies-must-remember-who-the-enemies-are">buzzword</a> it has bandied around for the last few years as a differentiator for the business in the crowded enterprise security ecosystem.</p><p>Co-security was the talk of the town at <a href="https://www.itpro.com/security/ransomware/367932/industry-needs-to-target-ransomware-supply-chain-withsecure">SPHERE22</a>, <a href="https://www.itpro.com/security/cyber-security/368087/cyber-security-companies-must-remember-who-the-enemies-are"><u>without necessarily a clear vision of what it actually meant</u></a> apart from a vague sense that the security community needs to embrace collaboration. This, WithSecure proposes, is necessary to manage interwoven IT estates and contend with an increasingly hostile threat landscape. </p><p>Over the course of 2023, WithSecure introduced a series of products to expand upon its co-security vision, one of these being a co-monitoring service launched in March 2023, which promises to alleviate some of the burden of staying on top of network alerts by using WithSecure’s in-house team to deliver 24-hour monitoring. </p><p>Yet without more substance behind the concept, the firm could struggle to get buy-in from customers. 
Generative AI, however, gives WithSecure the chance to flesh out the concept moving forward.</p><p>It’s clear WithSecure has not given up on its cyber consultancy services, despite stiff competition from rivals like <a href="https://www.itpro.com/security/357669/mcafee-75-million-attacks-on-cloud-accounts-recorded-in-q2">McAfee</a> or <a href="https://www.itpro.com/tag/trend-micro">Trend Micro</a>, and the AI explosion could present a lifeline it desperately needs, but if it is to keep its head above water, its cloud portfolio will need to continue to prop up its revenue generation.</p><h2 id="cloud-will-remain-withsecure-x2019-s-cash-cow-as-it-looks-to-expand-its-exposure-management-capabilities">Cloud will remain WithSecure’s cash cow as it looks to expand its exposure management capabilities</h2><p>Since the demerger, WithSecure’s route to stability was seen to be <a href="https://www.itpro.com/security/enterprise-security/367815/withsecure-major-rethink-to-survive-in-enterprise-security"><u>targeting mid-sized companies with its cloud security platform</u></a>. This is a path to capturing the growing industry demand for cloud infrastructure solutions, which has only increased since generative AI became widespread.</p><p>WithSecure updated its strategy in October 2023 to formalize its effort to push its Elements Cloud portfolio to mid-market customers through its <a href="https://www.itpro.com/business-operations/human-resources-hr-software/369469/ukg-unveils-new-invite-only-partner-network">partner network</a>. 
It stated it was exploring strategic options that included a full or partial divestment from its underperforming cyber consulting and Cloud Protection for <a href="https://www.itpro.com/tag/salesforce">Salesforce</a> segments.</p><p>At SPHERE23, WithSecure built out its Elements platform, unveiling a new Cloud Security Posture Management (CSPM) product, a tool that will give enterprises automated identification and remediation capabilities for risks associated with their <a href="https://www.itpro.com/cloud/cloud-storage/369493/cloud-infrastructure-and-management">cloud infrastructure</a>.</p><p>Identifying the established trend of companies moving towards <a href="https://www.itpro.com/hybrid-cloud/29668/what-is-hybrid-cloud">hybrid</a>, <a href="https://www.itpro.com/business/business-strategy/362840/multi-cloud-looking-after-more-than-one-cloud">multi-cloud</a> infrastructure, and anticipating the rush to adopt generative AI technologies, WithSecure’s CSPM solution aims to help customers eliminate breaches caused by misconfiguration of cloud assets.</p>
<p><a href="https://www.itpro.com/business-operations/30577/gartner-25-of-customer-service-operations-will-use-chatbots-by-2020">Gartner</a> predicted that through 2025, 90% of organizations that fail to control how they use the public cloud will “inappropriately share sensitive data”. On top of this, the well-established digital skills gap will mean many firms lack the in-house expertise to ensure their systems are configured properly.</p><p>Continuing to expand its security solutions for cloud infrastructure and meeting the demand for these tools at <a href="https://www.itpro.com/business/careers-and-training/majority-of-mid-market-firms-struggle-to-retain-it-talent-for-more-than-two-years-research-shows">mid-sized organizations</a> will be integral to WithSecure’s continued success.</p><p>Whether or not this will happen remains to be seen, and the company’s reliance on its cloud security arm suggests that if WithSecure is not able to capture the new demand from medium-sized enterprises, its path to recovery could be rocky.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ VMware discloses flaws in Workstation and Fusion Pro products after making them free for personal use ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/cloud/cloud-security/vmware-discloses-flaws-in-workstation-and-fusion-pro-products-after-making-them-free-for-personal-use</link>
                                                                            <description>
                            <![CDATA[ VMware has warned customers of a series of high severity flaws affecting the Workstation Pro and Fusion Pro hypervisor products ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">7hxQJBCsmpsnA784prvUVJ</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/4VeRaTDnXkmkUK9NbMZFiL-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Mon, 20 May 2024 13:03:22 +0000</pubDate>                                                                                                                                <updated>Tue, 21 May 2024 11:25:32 +0000</updated>
                                                                                                                                            <category><![CDATA[Cloud Security]]></category>
                                                    <category><![CDATA[Cloud]]></category>
                                                                                                <author><![CDATA[ solomon.klappholz@futurenet.com (Solomon Klappholz) ]]></author>                    <dc:creator><![CDATA[ Solomon Klappholz ]]></dc:creator>                                                                <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/pjZQRW2qWqQNjxubC6SUQ5.jpg ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/4VeRaTDnXkmkUK9NbMZFiL-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[VMware logo on a phone sitting on a laptop keyboard]]></media:description>                                                            <media:text><![CDATA[VMware logo on a phone sitting on a laptop keyboard]]></media:text>
                                <media:title type="plain"><![CDATA[VMware logo on a phone sitting on a laptop keyboard]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/4VeRaTDnXkmkUK9NbMZFiL-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p><a href="https://www.itpro.com/virtualisation/29279/everything-you-need-to-know-about-vmware">VMware</a> has issued a security advisory detailing critical flaws in its Workstation and Fusion hypervisor products after making them available to individuals for free.</p><p>On 14 May, VMware <a href="https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24280" target="_blank">disclosed</a> a series of <a href="https://www.itpro.com/security/cyber-attacks/top-12-most-exploited-security-vulnerabilities-revealed-by-national-cyber-security-agencies">security vulnerabilities</a> in the two <a href="https://www.itpro.com/604830/vmware-sets-its-hypervisor-free">hypervisor</a> solutions, providing workarounds and warning customers to patch their systems as soon as possible.</p><p>The first and most serious of these was CVE-2024-22267, a critical use-after-free vulnerability in the products’ vbluetooth device. The flaw has a <a href="https://www.itpro.com/security/vulnerability/356281/hackers-primed-to-exploit-cvss-10-rated-flaw-in-palo-altos-pan-os">CVSS</a> rating of 9.3, the company revealed.</p><p><a href="https://www.itpro.com/tag/vmware">VMware</a> warned that a hacker with local administrative privileges on a virtual machine could exploit the flaw to execute code as the <a href="https://www.itpro.com/cloud/virtual-machines/355269/getting-started-with-virtual-machines">virtual machine’s</a> VMX process running on the host.</p><p>The second security issue, CVE-2024-22268, is a heap <a href="https://www.itpro.com/security/26060/linux-vulnerability-leaves-thousands-open-to-dns-attack">buffer-overflow vulnerability</a> affecting the Shader functionality in Workstation and Fusion, rated 7.1 on the CVSS. 
</p><p>If exploited correctly, the flaw could give an unauthorized actor with access to a <a href="https://www.itpro.com/cloud-security/24606/vm-user-watch-out-for-venom">VM</a> with <a href="https://www.itpro.com/610606/google-brings-3d-to-web-browsers">3D graphics</a> enabled the ability to force the target system into a <a href="https://www.itpro.com/613672/need-to-know-denial-of-service">denial of service</a> (DoS) condition.</p><p>Also rated 7.1 on the CVSS, VMware disclosed another <a href="https://www.itpro.com/security/369739/high-severity-vulnerabilities-uncovered-in-three-quarters-of-operational-technology">high-severity vulnerability</a> – CVE-2024-22269 – which is an information disclosure flaw in the Bluetooth device that could allow an attacker with admin privileges on a VM to read <a href="https://www.itpro.com/data-breaches/33307/disaster-victims-sensitive-information-exposed-through-fema-data-breach">sensitive information</a> contained in the hypervisor memory.</p><p>Finally, CVE-2024-22270 is another <a href="https://www.itpro.com/vulnerability/31797/flaw-in-fiserv-banking-platform-exposed-personal-data">information disclosure vulnerability</a> with a 7.1 CVSS rating that could give attackers access to information in the hypervisor memory, this time in Workstation and Fusion’s host guest file sharing (HGFS) functionality. 
</p><h2 id="not-the-best-timing-for-vmware">Not the best timing for VMware</h2><p>The day before it warned customers of the <a href="https://www.itpro.com/security/why-software-security-debt-is-becoming-a-serious-problem-for-developers">security problems</a> affecting the two hypervisor products, VMware also <a href="https://blogs.vmware.com/workstation/2024/05/vmware-workstation-pro-now-available-free-for-personal-use.html" target="_blank">announced</a> it would be making Workstation Pro and Fusion Pro free for personal use.</p><p>Workstation Pro is VMware’s hypervisor solution for <a href="https://www.itpro.com/software/microsoft/windows">Windows</a> and <a href="https://www.itpro.com/software/linux">Linux</a> devices, whereas Fusion covers customers using <a href="https://www.itpro.com/software/apple">Mac</a> systems.</p><p>They allow users to build ‘local virtual’ environments to install a variety of <a href="https://www.itpro.com/tag/operating-systems">operating systems</a> (OS) to <a href="https://www.itpro.com/business-strategy/automation/358766/automate-your-software-builds-with-jenkins">build and test software</a>.</p><p>The move has been touted as a gesture of goodwill by Broadcom amidst continued <a href="https://www.itpro.com/cloud/cloud-computing/broadcoms-attempts-to-quell-vmware-unrest-arent-cutting-it-as-the-war-of-words-escalates"><u>controversy over changes made since its acquisition of the firm last year</u></a>. 
</p><p>The acquisition has received <a href="https://www.itpro.com/cloud/virtualisation/broadcom-slammed-by-cloud-trade-group-amid-claims-its-holding-the-sector-to-ransom-with-vmware-license-changes"><u>stern criticism</u></a> from various stakeholders due to Broadcom’s decision to <a href="https://www.itpro.com/cloud/cloud-computing/broadcom-ceo-hock-tan-knows-vmware-customers-are-concerned-but-insists-the-first-100-days-have-been-a-strong-start">overhaul the licensing structure</a> for many of VMware’s most popular products.</p><p>Shortly after the acquisition in November 2023, Broadcom wasted no time announcing it would be <a href="https://www.itpro.com/cloud/cloud-computing/vmware-axes-another-saas-product-as-broadcom-ramps-up-its-relentless-subscription-model-push"><u>axing over 50 standalone cloud services</u></a> from VMware, including its popular Aria SaaS 
offering.</p><p>With its Workstation Pro and Fusion Pro announcement, VMware said the motivation behind the move was to “simplify how we bring VMware Desktop Hypervisor apps to market”, while ensuring both free and paid users received regular support and maintenance.</p><p>Enterprise users will find VMware has reduced its product group offerings down to a single stock keeping unit (SKU) for users who need licensing for commercial use. This simplification will eliminate over 40 other SKUs which VMware hopes will make quoting and purchasing their desktop hypervisor apps easier than ever.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Why the channel needs to take a lead on zero trust ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/cloud/cloud-security/why-the-channel-needs-to-take-a-lead-on-zero-trust</link>
                                                                            <description>
                            <![CDATA[ Channel partners need to bridge the gap between concept and implementation on zero trust, as escalating attack sophistication demands a more robust security framework ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">WuSf3vyXj9TfXyXQ3o8xaP</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/TopTU2fuLE2dniuiCDadQ5-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Wed, 15 May 2024 12:12:17 +0000</pubDate>                                                                                                                                <updated>Thu, 24 Apr 2025 19:25:30 +0000</updated>
                                                                                                                                            <category><![CDATA[Cloud Security]]></category>
                                                    <category><![CDATA[Cloud]]></category>
                                                                                                                    <dc:creator><![CDATA[ Jon Kane ]]></dc:creator>                                                                <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/xAhd4gLzyM9Fu8Nnxu2CaN.jpg ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/TopTU2fuLE2dniuiCDadQ5-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Pixelated cloud symbol on hexagonal shapes]]></media:description>                                                            <media:text><![CDATA[Pixelated cloud symbol on hexagonal shapes]]></media:text>
                                <media:title type="plain"><![CDATA[Pixelated cloud symbol on hexagonal shapes]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/TopTU2fuLE2dniuiCDadQ5-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Each day, <a href="https://www.itpro.com/security/cyber-security/370114/nearly-half-cyber-leaders-leave-roles-mounting-stress">security leaders</a> read about how cybercriminals’ tactics are becoming ever more sophisticated. <a href="https://www.itpro.com/security/369243/real-time-deepfakes-are-becoming-a-serious-threat">Deepfakes</a> and AI-powered <a href="https://www.itpro.com/security/29093/what-is-phishing">phishing scams</a> deliver <a href="https://www.itpro.com/security/phishing/why-social-engineering-is-such-a-problem-and-how-your-business-can-protect-itself">social engineering</a> campaigns that are more convincing than ever. Bad actors conceal their malware with encryption, hiding their movements with the same tools used by organizations to preserve data security. In this landscape, the case for <a href="https://www.itpro.com/security/network-security/358282/what-is-zero-trust">zero trust</a> has never been stronger.</p><p>In a recent survey of UK security leaders, almost half (47%) cited attaining zero trust as critical to <a href="https://www.itpro.com/business/public-sector/misguided-public-sector-security-confidence-placing-organizations-at-risk">security confidence</a>, and more than 8 in 10 (85%) report having open conversations around zero trust at the <a href="https://www.itpro.com/security/cyber-security/369454/getting-board-level-buy-in-for-security-strategy">board level</a>. And yet, skepticism remains around how this can be achieved, with one third of respondents describing zero trust as ‘unattainable’.</p><p>The result is a tableau of <a href="https://www.itpro.com/business-operations/marketing-comms/365279/comptia-it-channel-companies-cautiously-optimistic">cautious optimism</a>. Although the majority of security professionals are embracing the tenets of zero trust, many remain aware of the complex journey that lies ahead of them. 
<a href="https://www.itpro.com/security/how-channel-partners-support-customers-in-a-challenging-security-landscape">Channel partners</a> have a critical opportunity to demonstrate their expertise and finally fulfill their customers’ security goals.</p><h2 id="understanding-the-necessity-for-zero-trust">Understanding the necessity for zero trust</h2><p>Since its inception in 2010, the <a href="https://www.itpro.com/security/361919/how-to-build-a-zero-trust-model">zero trust model</a> of ‘never trust, always verify’ has split opinion. After its initial reception as a revolutionary best practice, the complexity of implementing zero trust, combined with macroeconomic pressures, led many to see the model as an unattainable ‘buzzword’.</p><p>With zero trust being written into <a href="https://www.itpro.com/security/security-compliance-obligations-are-exhausting-uk-organizations">compliance</a> policies, organizations are increasingly aware of the need 
to implement and demonstrate their <a href="https://www.itpro.com/security/zero-trust-more-than-security-foundation-for-digital-transformation">zero trust infrastructure</a> to stakeholders, investors, and partners. The question now is, how?</p><p>It’s a scenario akin to the cloud revolution that played out over the last two decades. </p><p>Organizations understood that the <a href="https://www.itpro.com/cloud">cloud</a> presented <a href="https://www.itpro.com/cloud/31922/four-ways-to-keep-cloud-costs-under-control">cost savings</a>, <a href="https://www.itpro.com/infrastructure/backup/how-leo-a-daly-embraced-cloud-backups-for-scalability-and-security">scalability</a>, and efficiency, but laying out a strategy for cloud adoption and hybrid cloud security was far more than a tick-box exercise. It required a mammoth <a href="https://www.itpro.com/strategy/29899/three-reasons-why-digital-transformation-is-essential-for-business-growth">digital transformation</a> effort – one that many businesses are still adapting and enacting today.</p><p>Zero trust presents a similar journey, and there has always been a knowledge gap for end users around what zero trust truly is and how to achieve it. Except, unlike cloud, zero trust is not a market category, nor a segmentation. Instead, it is a way of thinking and structuring networks and protocols that can center around a number of authentication methodologies, from <a href="https://www.itpro.com/security/why-mfa-why-now">MFA</a> and <a href="https://www.itpro.com/security/29705/what-are-biometrics">biometrics</a> to device certification. </p><p>A <a href="https://www.itpro.com/security/what-is-zero-trust-network-access-ztna">zero trust network architecture</a> means zero trust principles are built into the very network of an organization in order to be foolproof. 
This stack of complementary monitoring and security solutions, built to satisfy each organization’s specific risk register and appetite for friction, comes together to make zero trust a reality.</p><p>Just as the channel supported organizations with the cloud, partners are now essential to the success of zero trust as a mindset, guiding these strategies from start to finish.</p><h2 id="lighting-the-path">Lighting the path</h2><p>So how can <a href="https://www.itpro.com/cloud/cloud-computing/how-the-channel-can-harness-cloud-opportunities-through-adaptation">channel vendors</a> and partners alike support their end-users in achieving this vital and elusive framework?</p><p>True zero trust networks need to focus on three core pillars: deep <a href="https://www.itpro.com/cloud/369995/solarwinds-hybrid-cloud-observability-review-the-big-network-picturehttps://www.itpro.com/cloud/cloud-management/gaining-observability-in-cloud-native-applications">observability</a>, <a href="https://www.itpro.com/security/29982/what-is-two-factor-authentication">authentication</a>, and segmentation. The first pillar is especially crucial for this exercise. No zero trust strategy can operate effectively so long as there are security blind spots for bad actors to exploit. 
</p><p>Many organizations overestimate the level of visibility that they have within their organization: 39% of UK organizations report having the visibility to support zero trust, and yet just 29% can decrypt and inspect encrypted traffic – a common vehicle for malware. True zero trust rests on a foundation of real-time, network-level <a href="https://www.itpro.com/endpoint-security/30038/three-key-pillars-of-threat-visibility">visibility</a>, and this includes monitoring east-west traffic for behavioral anomalies between sub-perimeters and insights into <a href="https://www.itpro.com/security/innovation-at-work/24460/what-is-data-encryption">encrypted data</a> in transit.</p><p>The recent push towards <a href="https://www.itpro.com/channel/364228/the-importance-of-partner-specialisation">vendor specialization</a> will be an asset for partners in this climate. 
With expert, in-depth knowledge, partners can map out stacks of effective and complementary products that can build out a zero trust architecture without requiring a massive <a href="https://www.itpro.com/technology/artificial-intelligence/currys-eyes-cloud-overhaul-in-a-bid-for-generative-ai-adoption">technological overhaul</a>.</p><p>If they aren’t already, channel partners need to start asking their vendors about their zero trust capabilities and compatibilities to ensure that they are meeting their customers’ true goals and displaying their expertise to inspire confidence. 
For vendors, embracing ‘coopetition’ could facilitate a smoother zero trust journey, in which customers are offered best-of-breed capabilities without being limited by incompatible solutions.</p><h2 id="restoring-faith-in-zero-trust">Restoring faith in zero trust</h2><p>For the partners equipped to support their end users’ zero trust journeys, customers’ ambitions spell an opportunity to grow revenue whilst nurturing end users and vendors alike. With consolidation at the forefront of all levels of the channel, successfully tailoring IT advisories and implementations to customers’ needs can not only reduce risk but also security spend. At a time when skepticism is high and budgets are tentative, this is an invaluable way to build trust with customers.</p><p>Zero trust is an area of ambition at best and a topic of deep uncertainty at worst, but the delay between zero trust becoming mainstream as a concept and its widespread, real-world adoption is an 
indicator that businesses need support and guidance. As IT infrastructure experts, channel partners who home in on bridging this gap will be able to foster even greater trust, demonstrate their understanding of complex implementations, and ensure a baseline of security confidence for their customers.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Microsoft Defender for Business review: Feature-filled enterprise security for small businesses ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/cloud/cloud-security/microsoft-defender-for-business-review-feature-filled-enterprise-security-for-small-businesses</link>
                                                                            <description>
                            <![CDATA[ A comprehensive endpoint security management solution for smaller organizations with a painful setup process ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">tgpVaUNK5bGZDVbcFFMxah</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/iBRLUZjpKdYga6LWPiYeDX-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Thu, 09 May 2024 09:00:00 +0000</pubDate>                                                                                                                                <updated>Sat, 11 May 2024 16:00:49 +0000</updated>
                                                                                                                                            <category><![CDATA[Cloud Security]]></category>
                                                    <category><![CDATA[Cloud]]></category>
                                                                                                                    <dc:creator><![CDATA[ Danny Bradbury ]]></dc:creator>                                                                <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/HdKafzrfv3Z6M5axRN8fhh.jpeg ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/iBRLUZjpKdYga6LWPiYeDX-1280-80.jpg">
                                                            <media:credit><![CDATA[Microsoft Press Kit]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[The Microsoft Defender for Business icon on the ITPro background]]></media:description>                                                            <media:text><![CDATA[The Microsoft Defender for Business icon on the ITPro background]]></media:text>
                                <media:title type="plain"><![CDATA[The Microsoft Defender for Business icon on the ITPro background]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/iBRLUZjpKdYga6LWPiYeDX-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Microsoft&apos;s Defender for Business (MDB) is its Defender for Endpoint system, rebranded for businesses with fewer users. How does it stack up?</p><p>Microsoft has been selling variations of its Defender product for almost 20 years, but it has evolved considerably since its first release. The product began in 2005 as Microsoft AntiSpyware, a rebranded version of GIANT Company Software, which Microsoft had acquired the previous year.</p><p>Microsoft made its relabelled version freely available for Windows XP and up and quickly relabelled it as <a href="https://www.itpro.com/desktop-software/26635/how-to-turn-on-windows-defender">Windows Defender</a>, which was released for general availability in 2006 with a rewritten core engine. It eventually became a full antivirus product, rather than just an anti-spyware offering, and took over from Microsoft Security Essentials.</p><p>As Microsoft is wont to do, it continued rebranding over the years. In 2017, it renamed the product to Windows Defender Antivirus, and then ditched the Windows Defender brand altogether a year later, replacing it with Microsoft Defender to reflect its new-found support for other systems.</p><p>Now there are different versions of <a href="https://www.itpro.com/software/microsoft-defender-antivirus-review-defender-does-the-job-as-well-as-anything-else">Microsoft Defender</a> targeting different needs. Microsoft Defender for Endpoint targets businesses with Microsoft 365 E3 and E5 licenses, restricting it to customers with over 300 seats. 
There is also a version for customers with under 300 users, bundled into a Microsoft 365 Business Premium license.</p><p>Individual users also have choices; if the free Microsoft Defender Antivirus product included in Microsoft&apos;s operating system is not enough, they can buy Microsoft Defender for Individuals as a consumer product, bundled with <a href="https://www.itpro.com/business-operations/productivity/355642/microsoft-365-is-more-than-a-name-change">Microsoft 365</a> Personal or Family licenses.</p><p>This left a key group out in the cold: smaller organizations with multiple endpoints to administer which were unwilling to pony up for a premium productivity software license. These companies might have a single admin responsible for everything, from provisioning machines to securing them, so any product that they use had better be simple enough to suit people limited on time. In 2022, Microsoft expanded support for that group by launching a version of Microsoft Defender as a standalone product for businesses with multiple users. Microsoft Defender for Business (MDB) was born.</p><h2 id="microsoft-defender-for-business-setup">Microsoft Defender for Business: Setup</h2><p>MDB is simply Microsoft Defender for Endpoint (MDE) with a new label, as is evident from the MDE branding still in the documentation. There was an MDE lab to help admins evaluate the product, but Microsoft shuttered it in January 2024. Instead, you&apos;ll have to jump straight into MDB with a free trial. After signing up, you can deploy according to which architecture model you have, ranging from cloud-native through to on-premises deployment or even evaluation without management tools in a small demilitarised zone (DMZ). You can deploy the Defender agents to several client types: Windows servers; <a href="https://www.itpro.com/software/364316/windows-vs-linux-vs-mac-the-channel-comparison">Windows, MacOS, or Linux</a> clients; or iOS/iPad OS and Android mobile devices. 
This extension of support for different platforms has been a big move for Microsoft, which wants to provide security information about your devices no matter whose software they&apos;re running.</p><p>Depending on your client, you can choose deployment via group policy or simply by running a local script, among others. You can also onboard devices already enrolled with Microsoft&apos;s Intune mobile endpoint manager, which was our chosen route.</p><p>Enrolling devices in Intune works seamlessly by running Microsoft&apos;s Company Portal app on the client, but our experience subsequently enrolling devices with Defender was patchy. While Intune supported our Windows Home installation, MDB did not (it will support Pro and Enterprise versions, though). 
That could be limiting for small businesses that might want to allow staff to access business resources from their home devices.</p><p>We were also able to register an iPhone and control it via Intune, but after setting up connectors between Intune and MDB we couldn&apos;t make the iPhone appear as a managed device in Defender. Doubtless, the fault was on our side, but we noticed similar complaints on Reddit, with one person noting that the success of iOS enrolment in MDB was "a coin flip". After diligently following the documentation and spending hours troubleshooting, we couldn&apos;t help but wonder how a harried admin wearing multiple hats in a small business IT department might fare.</p><p>We were eventually able to register a Mac with both Intune and MDB, although we were forced to download not just one installer file for the Mac but several policy files from Intune to get it MDB-ready.</p><h2 id="microsoft-defender-for-business-features">Microsoft Defender for Business: Features</h2><p>Assuming you can get past the setup niggles, there&apos;s a wealth of information available via the MDB interface, which features a dashboard-style setup displaying top-level information at a glance.</p><figure class="van-image-figure  inline-layout" data-bordeaux-image-check ><div class='image-full-width-wrapper'><div class='image-widthsetter' style="max-width:2355px;"><p class="vanilla-image-block" style="padding-top:56.09%;"><img id="cHhDzC9AgPTbf6idfYpswR" name="defender-welcome.png" alt="A screen shot of the welcome page on Microsoft Defender for Business" src="https://cdn.mos.cms.futurecdn.net/cHhDzC9AgPTbf6idfYpswR.png" mos="" align="middle" fullscreen="" width="2355" height="1321" attribution="" endorsement="" class=""></p></div></div><figcaption itemprop="caption description" class=" inline-layout"><span class="credit" itemprop="copyrightHolder">(Image credit: Future)</span></figcaption></figure><p>You can move these cards around and add others, configuring an admin 
dashboard that makes sense for you. If you want to drill down, you can access the sidebar to see detailed information on various aspects of your security environment. Incidents and alerts flag up worrisome occurrences on your fleet of devices that might need further investigation. Another, Exposure management, offers a top-down view of your fleet&apos;s weakest points, with the ability to explore your attack surface visually, and summarise your overall performance in areas ranging from ransomware protection best practices to the number of vulnerable endpoints that have been involved in incidents.</p><p>This section also lets you further investigate your security score, which is an overall metric that Microsoft gives you based on a range of factors. As you can see, our fake company has a long way to go, although we did get more points after updating the security profiles on our Mac.</p><figure class="van-image-figure  inline-layout" data-bordeaux-image-check ><div class='image-full-width-wrapper'><div class='image-widthsetter' style="max-width:2399px;"><p class="vanilla-image-block" style="padding-top:56.90%;"><img id="UBsrfE2K5jgcN22aFuVnYV" name="defender-score.png" alt="A screen shot of the monitoring page on Microsoft Defender for Business" src="https://cdn.mos.cms.futurecdn.net/UBsrfE2K5jgcN22aFuVnYV.png" mos="" align="middle" fullscreen="" width="2399" height="1365" attribution="" endorsement="" class=""></p></div></div><figcaption itemprop="caption description" class=" inline-layout"><span class="credit" itemprop="copyrightHolder">(Image credit: Future)</span></figcaption></figure><p>You can also drill down into specific devices, getting recommendations for actions to better secure them. 
If that version of Mozilla running on your PC is looking a little long in the tooth, MDB will let you know about it:</p><figure class="van-image-figure  inline-layout" data-bordeaux-image-check ><div class='image-full-width-wrapper'><div class='image-widthsetter' style="max-width:2399px;"><p class="vanilla-image-block" style="padding-top:56.90%;"><img id="mn5G49a7BWaqRqmpWUe9kZ" name="defender-bad-mac.png" alt="A screen shot of the notification page on Microsoft Defender for Business" src="https://cdn.mos.cms.futurecdn.net/mn5G49a7BWaqRqmpWUe9kZ.png" mos="" align="middle" fullscreen="" width="2399" height="1365" attribution="" endorsement="" class=""></p></div></div><figcaption itemprop="caption description" class=" inline-layout"><span class="credit" itemprop="copyrightHolder">(Image credit: Future)</span></figcaption></figure><p>Another section, Actions and submissions, lets you review suspicious emails, files, and URLs submitted by users. Having these in one place gives admins a useful foundation for investigating what could be an attack campaign targeting their organization.</p><p>MDB also has a threat intelligence feed that gives you insights into ongoing threats out in the wild, along with a learning hub that offers training in various administrative tasks.</p><h2 id="microsoft-defender-for-business-is-it-worth-it-xa0">Microsoft Defender for Business: Is it worth it? </h2><p>There is lots to use here, if you have better luck onboarding your devices than we did. It&apos;s also worth noting that although MDB does a lot more than simply detect viruses, Microsoft&apos;s core client antivirus engine has also earned respect in the market. 
The <a href="https://www.itpro.com/software/microsoft-defender-antivirus-review-defender-does-the-job-as-well-as-anything-else">Defender Antivirus</a> client that communicates with MDB garnered a Best Advanced Protection accolade from the AV Test Institute in 2022, notably for its excellence in warding off more sophisticated ransomware attacks. However, it lost its crown in the 2023 awards.</p><p>MDB is a feature-filled tool for security admins and provides a single view of your organization&apos;s endpoint security across the board, but we found setup a little more painful than many other Microsoft enterprise tools that we&apos;ve tried. You might find yourself working a little harder to deploy it across some non-Windows platforms, but if you&apos;re mostly a Microsoft shop, it might be for you. Its availability as a component in a <a href="https://www.itpro.com/desktop-software/19337/office-365-review">Microsoft 365</a> Business Premium license is a good way to build more security visibility across a user base that will already be using Microsoft products and services extensively across their systems.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
            </channel>
</rss>