The Evolving Threat Landscape: What’s Next for Security?

In light of the evolving threat of credential abuse, a radical shift in how we view identity is a good step toward stopping attackers and solving cybersecurity challenges.

Lori MacVittie

October 23, 2023


It’s been about 15 years since public cloud stormed onto the scene and established itself as a core component of any enterprise’s digital transformation strategy. Over that time, the threat landscape has changed radically. As such, enterprises need to take that point into account when planning for what's next in security. Here is why:

First and foremost, it’s important to note that while public clouds are a core component, they’re not the only component. To be honest, they never were, but it’s taken nearly a dozen years for the market to realize that the future is, most undeniably, hybrid. Our research has been showing that for nearly as long.

Second, it’s important to understand how public cloud fits in the context of the evolving threat landscape because the fears and security concerns we had when cloud emerged are not the ones we have today.

Back then, most folks were primarily worried about the security of the cloud itself: its underlying infrastructure and systems. Folks eyed “shared compute” as a serious risk and grappled with the shared responsibility model established by AWS and subsequent providers.

The threat landscape changes over time

Through more than a decade of use, there have been many high-profile, public-cloud-related breaches. But digging into the details of those breaches, we find a common theme, and it is not public cloud infrastructure or shared compute. The point of entry for attackers has almost always been a misconfiguration that opened a security hole attackers could drive a truck through. Misconfigured S3 buckets, open administrative access to Kubernetes consoles, and standard API/app vulnerabilities that could have been blocked with a traditional web application firewall.

These are basic security errors that transcend technology.

And though these remain, the risk posed by identity-related threats is far greater today.

Indeed, one could posit that a decade of misconfigurations and failure to block vulnerability exploits have given rise to today’s identity threats. Every breach leaked more credentials, and every credential deposited on the dark web drives a vast network of attackers whose goal is to take over accounts to get access to data and financial resources. Credit cards. Bank accounts. Payment processors. Corporate assets that can be encrypted and held for ransom.

To say that identity is the biggest threat today is not hyperbole.

  • A combined 47% of cyber-attacks were focused on password credential vulnerability, using password spraying, credential stuffing, and brute force attacks. (Enzoic)

  • Stolen credentials are the primary method threat actors use to access a business. (Verizon)

  • In the first half of 2023, Americans have already reported nearly 560,000 cases of identity theft nationwide, according to the Federal Trade Commission (FTC). That puts 2023 on track to exceed 1 million identity theft complaints — far higher than any pre-pandemic year on record, dating back to 2001.

Protecting identity matters, and given the apparent ease with which attackers can steal it, the job is made far more difficult by hybrid IT and the inclusion of multiple public clouds in the enterprise architecture.

A Strata survey this year found that “managing fragmented applications and user identities across multiple cloud platforms” was the top concern cited by 67% of CISOs, with only 41% reporting they can enforce consistent access policies. That was a 25% year-on-year decline, which bodes well for attackers looking to compromise credentials to get their foot in the corporate door.

Hybrid and multi-cloud compound security problems

This challenge is giving rise to a significant shift we’re seeing around identity. Many organizations and providers are now looking beyond credentials to emerging technologies like passwordless to help rein in credential chaos. In the latter half of 2023, passwordless support and implementations have skyrocketed. And not just from consumer-facing companies either. It's coming to the corporate world, too, and faster than you might think, especially from companies delivering multi-cloud (hybrid) solutions – from networking to identity management to DevOps.

The threat of credential abuse has reached a critical stage. Attackers have pilfered so many credentials that I, and probably most of you, could use the dark web as a password manager. With the emergence of generative AI, attackers can abuse those credentials faster than we can develop the solutions to stop them. A radical shift in how we view identity is a good step toward stopping attackers and solving cybersecurity challenges associated with identity management across cloud, core, and edge.

About the Author(s)

Lori MacVittie

Principal Technical Evangelist, Office of the CTO at F5 Networks

Lori MacVittie is the principal technical evangelist for cloud computing, cloud and application security, and application delivery and is responsible for education and evangelism across F5's entire product suite. MacVittie has extensive development and technical architecture experience in both high-tech and enterprise organizations. Prior to joining F5, MacVittie was an award-winning Senior Technology Editor at Network Computing Magazine, where she authored articles on a variety of topics aimed at IT professionals. She holds a B.S. in Information and Computing Science from the University of Wisconsin at Green Bay, and an M.S. in Computer Science from Nova Southeastern University. She also serves on the Board of Regents for the DevOps Institute and CloudNOW, and has been named one of the top influential women in DevOps.
