Last year, we wrote about the threat landscape we saw on the horizon for 2020 in our SaaS threat landscape post. Focusing on apps like Slack, we homed in on the risks that would matter in 2020. Although our analysis was written well ahead of COVID-19, some of our concerns were exacerbated as a result of the pandemic. With the pandemic continuing into 2021, we wanted to take the time to review the state of cloud adoption in 2020 and update our threat assessment going into the new year.
Soaring new heights for cloud adoption in 2020
Currently, Gartner estimates that the public cloud services market will grow over 50% in the next two years to $364 billion. That’s over $30 billion more than was projected by Gartner in its 2019 industry assessment. The accelerated growth projection no doubt reflects COVID-19’s impacts on the industry. This new projection, however, also reflects the convergence of a number of trends from the previous decade, as cloud adoption was expected to accelerate this year, well before the pandemic happened. In fact, IDG’s Cloud Computing Survey, which was conducted right on the cusp of the COVID outbreak, indicated that nearly 95% of companies were expecting to be partially migrated to the cloud between early 2020 and late 2021.
When it comes to SaaS specifically, adoption has been fairly pronounced. SaaS continues to be the largest public cloud market segment according to Gartner, making up 42% of the industry. The segment is expected to grow 15% in 2021, from $104.6 billion to $120.9 billion. Additionally, over 70% of organizations will be leveraging SaaS solutions by the end of 2021. With SaaS continuing to play such an important role within organizations, especially as an enabler of remote work, here are the risks we expect to see going into 2021.
1. Organizations will need to strategically manage the systems that are part of their attack surface
As we’ve discussed in this post, 2020 has been defined by an unprecedented amount of digital adoption by organizations. But as companies turn to cloud and other technologies to enable remote work, their security posture may suffer, as many organizations are seeing their attack surface increase substantially. Failure to either implement the tools to manage the cloud systems, networks, and devices storing corporate data or reduce the overall number of places data is stored will result in increased breach risks. Doing both will prove essential for organizational security, though the latter might prove to be more difficult without adopting a means to enforce what applications and devices are sanctioned for corporate use.
2. Increased exfiltration risk will threaten data wherever it lives
Data exfiltration, from either external threat actors or insider threats, continues to be a substantial risk as companies migrate to the cloud. This is a fact not helped by the pandemic, which, as stated above, has increased the number of devices and systems containing business-critical data. Just as the pandemic is accelerating the need for cloud within organizations, security teams will likely find that in order to adapt to the post-COVID era they’ll need to embrace a data-centric approach to information security. A data-centric or data-first approach means understanding that data is the new security perimeter. Rather than solely focusing on hardening environments, teams need tools that automate data discovery so that they have eyes on their data regardless of where it is. Data-centric security is also well complemented by controls like data loss prevention and identity and access management, which allow you to enforce your data security, acceptable use, and access management policies even in scenarios where your employees break these policies (unintentionally or otherwise).
3. Employees will need to be continuously educated about security best practices in an increasingly uncertain environment
As COVID persists and more employees work from home, cybercriminals continue to set their sights on targeting employees, who in the absence of oversight might adopt bad security habits. Any security program that doesn’t take into account human behavior is doomed to fail. Successful security programs leverage employees as assets by empowering them to be compliant with policy and aid others in doing the same. This is usually through education as well as providing clear lines of communication between IT, security, and the rest of the organization. Organizations that understand this and truly begin to build a culture of security will likely see it pay dividends given that employees have become increasingly vulnerable to cyberattacks post-COVID.
4. Organizations will need to chart a path across an expanding universe of compliance legislation
The amount of data privacy legislation in the world has exploded over the past decade, and it’s likely to continue growing. In the US this year alone, 30 bills were considered (though few were enacted). Most notably, California began CCPA enforcement in early July and extended its data privacy rules with the passage of Prop 24, which will usher in the California Privacy Rights Act (CPRA or CalPRA). Outside of the US, Brazil’s LGPD (Lei Geral de Proteção de Dados) went into effect, and in India discussions about the country’s Personal Data Protection Bill (PDPB) are ongoing. One of the challenges that companies will face going forward is navigating the unique particularities of these regulatory regimes. While many of these bills are very similar at a high level, companies might encounter difficulties operationalizing all of them simultaneously. For example, early analysis of India’s PDPB suggests that, as it stands, aspects of it might conflict with the GDPR. If such analyses hold true, then companies will face significant costs determining how to navigate the regulatory minefield posed by the limited interoperability of emerging privacy regimes.
5. Last year’s risks remain a persistent part of the threat landscape, too
Although not explicitly mentioned here, everything from last year’s list is fair game. In fact, most of the risks discussed in our analysis last year are exacerbated for organizations that may be struggling with the items on this year’s list. The good news is that the key to mitigating many of these threats revolves around getting a handle on the types of data within your organization’s silos.
Are you interested in better understanding the SaaS threat landscape going into 2021? On Thursday, December 10 at 10 AM PT/1 PM ET we spoke with security industry veteran Ty Sbano of Sisense about securing best of breed SaaS tools in the post-COVID era. Feel free to see the highlights from our discussion or view the discussion in its entirety.