UPDATED 10:00 EDT / DECEMBER 27 2013

HyTrust’s Eric Chiu predicts security will dominate 2014 cloud discussions

In 2014, in the wake of the revelations of the comprehensive domestic and foreign spying efforts of the U.S. National Security Agency (NSA), organizations of all kinds will be bringing their own security to their public cloud installations, predicts Eric Chiu, president and cofounder of cloud infrastructure control and security company HyTrust. That security will mainly take the form of high-end encryption, with individual client companies, rather than the cloud service providers, controlling the encryption keys.

Until recently, companies for the most part avoided data encryption because of the large extra compute load it created and the complexity of key management. However, the Snowden revelations have changed that.

“You should encrypt your Amazon instances so even if they take that data it is useless,” he said. “If you hold the keys, then you have control. Even if the NSA subpoenas the data from the cloud provider, it doesn’t have the keys, so it cannot decrypt your data.”

Encryption is also becoming increasingly popular with companies for protecting their internal sensitive data against breaches, such as those that happened to Vodafone, Target, and Adobe in 2013, involving customer personal identification.

Cloud security automation will increase

“Just as companies are focusing on an overall orchestration of their architecture with software-defined infrastructure (SDI), so they will drive for more automation of management and security in the cloud,” Chiu said. “That’s important for us because we are all about automating security.”

Policy will become a major focus

“In cloud environments where workloads are dynamic and mobile, you need to make sure that security as well as other capabilities are embedded in the workload and move with the workload as policy,” Chiu says. “This embedded security is important not just inside the customer zone data center, where workloads can move from cluster to cluster or from development to test to production, but also when workloads move between private and public clouds.” With the popularity of hybrid cloud, this is becoming increasingly important.

The choice will no longer be private versus public cloud

Companies increasingly will implement a combined private/public/hybrid cloud strategy to provide business units with freedom of choice and to solve for agility. However, he said, data security and governance will remain a critical need. “That will drive customers to develop a security strategy that spans both public and private policy so that data remains encrypted and can only be accessed by the right person in the right environment. So it isn’t public or private, it’s both.”

Supply chain consolidation will continue

Organizations will continue to seek to consolidate their supply chains and will want those systems to be more integrated and automated to support the accelerating move to public and private cloud environments that we will see over the next year. That includes security products as well as hardware. Security vendors, Chiu says, need to move their technologies forward into the cloud environment or be left behind. And companies in the market for security products should seek vendors that can bring them a full, integrated security management package that covers private and public cloud environments as well as traditional “bare iron”.

Private cloud will develop into two camps

Chiu says the private cloud market is already bifurcated. “Out-of-the-box” customers want pre-built and integrated systems on converged infrastructure from vendors like VCE and HP. The other group wants to create its own systems, often on open source technologies. VMware on a converged infrastructure box is the most popular solution for the first group. The custom builders are increasingly moving to OpenStack and KVM. They often need to bring in an OpenStack systems consultant because of the amount of complex knowledge required to work with what is still an immature environment. “We’re seeing traction for OpenStack developing particularly in the large government and big financial organizations,” Chiu says. “So it isn’t for the general Fortune 1,000 yet, it is really for organizations with large compute needs.”

Companies will look to automate governance in the cloud

Internal corporate governance processes are typically antiquated and cumbersome, Chiu says. It can take weeks for all the separate groups involved to sign off on a project. That becomes a huge issue as companies respond to the increased pace of development in the cloud, where to keep up companies have to spin up new environments in minutes or hours and produce new versions of apps in days. “Companies will need to automate those processes so that approval is a one-to-two day process, rather than taking weeks,” Chiu says.

Insider threats will continue to be the leading cause of security breaches

Cyber-attackers, says Chiu, “are after the crown jewels. The easiest way to gain access is from the inside of the network.” Too many companies today rely on a “hardened perimeter” defense, with multiple firewalls on the border of the company network but little defense in depth to protect resources once an attacker gets past that perimeter. To defeat that strategy, the bad guys have long since developed several sophisticated strategies to enlist the help of insiders — employees with legitimate access to the network. These include the direct — gaining the cooperation of an employee — and indirect — tricking an employee into revealing his password and other credentials, or into carrying malware into the organization where it can create a tunnel through the perimeter, for instance. Employees too often use the same passwords for their business access as for their personal e-mail and social media accounts, making those passwords more vulnerable.

Accidental deletion of large numbers of VMs by a legitimate employee doing his normal work is another increasing danger. Today an IT tech can accidentally delete dozens of VMs with a slip of a finger on a keyboard.

To protect against these dangers, companies need to institute more internal security measures, including access controls to prevent employees from accessing data and systems they should not, and role-based security that specifies what employees can access by their role rather than creating individual custom access for individuals. Companies also need to immediately revoke the credentials of employees who leave the company. Finally, companies should consider instituting “two-person policies” that require that an individual get supervisor sign-off before instituting major actions such as the deletion of multiple production VMs.

Data center consolidation will drive greater efficiencies

Next-generation data center architectures will consolidate all operations in a single environment and use logical boundaries rather than physical air gaps to separate multiple private clouds. This multi-tenant approach will facilitate the creation of a private cloud environment that serves the entire organization while maximizing automation and simplifying management.

Software-defined networking (SDN) will be the next step in virtualization

Finally, Chiu predicts that next year large numbers of companies will start SDN pilots, and early adopters will start moving SDN into production environments by year’s end. Software-defined storage will become the final component of the virtual architecture starting in two or three years.

