SALT LAKE CITY – November 29, 2023 – Venafi, the inventor of machine identity management, today released its predictions for the cybersecurity and cloud native landscape in 2024. AI is introducing new threats and amplifying existing risks, machine identity lifespans are shrinking, and the provenance of code is under increased scrutiny. As a result, next year promises to be a challenging one for the security industry.
“Throughout 2023, companies have ridden a wave of AI innovation, but as they’ve started to experiment with new use cases, risks have been amplified and new threats emerged,” says Kevin Bocek, VP of ecosystem and community at Venafi. “New threats – such as AI poisoning and model escape – have started to emerge while massive waves of generative AI code are being used by developers and novices in ways still to be understood. And on top of this, AI and machine learning run on cloud native infrastructure, making the use of technologies like Kubernetes an even bigger target for attackers. These issues will have a major impact on security in 2024 and beyond if they aren’t addressed.”
Venafi’s top five predictions for 2024 include:
1. In 2024, the “1000x developer” combined with the “1000x hacker” will create the perfect storm for breaches.
“The gathering momentum behind the ‘1000x developer’ movement – whereby developers will become a thousand times more productive with the power of AI – will magnify security challenges in the year ahead. The speed and complexity of securing modern environments is pretty mind-boggling. And businesses are already struggling – 75% of IT and security leaders believe speed and complexity of Kubernetes and containers creates new security blind spots, while 59% of respondents admit to already having experienced security-related issues within Kubernetes or container environments, according to Venafi research.
Complicating matters is the ascent of the ‘1000x hacker’ – AI-enabled attackers who are equally productive and powerful. Organizations can't feasibly hire 1000 cyber pros to compete with these threats. The solution lies in embracing the power of automation operating at machine speed. The only way to keep up is with the power of automation operating at machine speed. If developers are using AI to be 1000x more productive, we need the ‘1000x CISO’ and ‘1000x security architect.’” – Kevin Bocek, VP of Ecosystem and Community, Venafi
2. 2024 will be the year of the AI poisoning attack, as elections are targeted.
“In 2024, AI poisoning attacks will become the new software supply chain attacks. Such attacks will be characterized by threat actors targeting the ingress and egress data pipelines to manipulate data as well as poison AI models and the outputs they produce. With AI being used across a wide variety of business-critical workloads – potentially with very little oversight – maintaining the integrity of such systems needs to be of paramount concern. Small tweaks to AI inputs can change outputs dramatically – either immediately or slowly over a long period. So, any data being fed to AI must be secured. This means establishing the provenance of data and using technologies like code signing to secure it.
At the same time, with major elections taking place globally coinciding with the mass adoption of Generative AI, we are likely to see AI supercharging election interference in 2024. From the creation of convincing deepfakes to an increase of targeted misinformation, the concept of trust, identity and democracy itself will be under the microscope. This will put even greater onus on individuals to scrutinize and make informed decisions as well as on media platforms to root out false content.” – Shivajee Samdarshi, Chief Product Officer, Venafi
3. Next year, regulations will encroach even further into the development space, with changes to data breach liability potentially chilling innovation.
“Next year, the EU will be forced to amend the Cyber Resilience Act, as it’s unworkable in its current form. The Act’s wording around liability for data breaches and open source is worrying. In theory, if a 16-year-old developer writing open source code merely accepts a coffee as a reward for their contribution, they could be held to account if a large organization using their code is breached. So, there must be more clarity in the Act’s language around liability, or people writing open source code in the EU could stop contributing.
And as we move into 2024, we will see an increased focus on ‘Know Your Code’ – underpinned by regulations such as the Executive Order on SBOMs – meaning organizations will need to establish and verify the provenance of the code they are using. Now that AI is being used to generate code, establishing where that code has come from is harder than ever before. Those who fail to do so will soon find themselves at risk, not only from attacks but also regulatory fines.” – Matt Barker, Global Head of Cloud Native Services, Venafi
4. As organizations grapple with scaling security and governance across trust boundaries, machine identity and access management will shift to the workload level in 2024.
“Venafi research shows 76% of IT leaders believe we are heading towards a cloud reckoning in terms of costs and security. Many organizations started their journey with a single cloud provider, requiring them to manage identity and access only within that single environment. However, 69% acknowledge that when moving to the cloud, they dragged a lot of old security problems with them. As maturity has increased, organizations have begun using the cloud in a more distributed way across multiple trust boundaries, all containing identities that need to be managed.
The challenge in 2024 will be ensuring security controls work across environments and can be governed in a consistent way. This necessitates a strategic shift to a more agnostic, distributed way of managing machine identities and controlling access achievable only through authenticating identity and access at a workload level. As a result, the adoption of federated identities, such as SPIFFE machine identities, will rise. This will enable organizations to utilize existing Public Key Infrastructure for strong encryption across workloads, irrespective of where they run.” – Sitaram Iyer, Senior Director of Cloud Native Solutions, Venafi
5. Outages will double in 2024 as machine identity lifespans shrink.
“Shorter machine identity lifespans will create chaos, as outages double or even triple. Google has already announced intentions to reduce public trusted TLS certificate lifespans to 90 days – a crucial step to hampering cybercriminals looking to misuse identities. However, most organizations aren't prepared for this. We’ve seen the impact of certificate-related outages recently, with entire payment systems going down, leaving people unable to refuel their car, or buy groceries. As certificate identity lifespans decrease, this will become much more common, unless organizations automate machine identity management.” – Kevin Bocek, VP of Ecosystem and Community, Venafi
For additional 2024 predictions, please visit https://venafi.com/blog/venafi-cybersecurity-and-cloud-native-technology-predictions-for-2024/.
Venafi is the cybersecurity market leader in machine identity management. From the ground to the cloud, Venafi solutions manage and protect identities for all types of machines—from physical and IoT devices to software applications, APIs and containers. Venafi provides global visibility, lifecycle automation and actionable intelligence for all machine identity types and the security and reliability risks associated with them.
With more than 30 patents, Venafi delivers innovative machine identity management solutions for the world's most demanding, security-conscious organizations and government agencies, including the top five U.S. health insurers, top five U.S. airlines, top four payment card issuers and top four U.S. banks. As a leading provider of open source machine identity management solutions, Venafi is the creator of the open source cert-manager project, which is downloaded more than 1.5 million times a day. For more information, visit https://venafi.com/.