Is there still room in the cloud-security market?

While the initial shock of the COVID-19 pandemic has subsided for businesses, one of its main legacies is how it ushered in a tidal wave of accelerated digital transformation.

A recent Twilio survey revealed that 97% of global enterprise decision-makers believe the pandemic sped up their company’s digital transformation, and on top of that, 79% of the respondents said that COVID-19 increased the budget for digital transformation.

As technology becomes the driving force of competitive differentiation, cloud plays a key role in making this a reality and impacts everything from data and analytics to the modern workplace. Cloud-based infrastructure promises more flexibility, scale and cost-effectiveness, and enables enterprises to develop applications with more agility and keep up with service demand.

Even with all of the hype and excitement around cloud’s potential, it is still early days. In his recent keynote at AWS re:Invent, the AWS CEO Andy Jassy mentioned that spending on cloud computing is still only 4% of the overall IT market. And a Barclays CIO survey found that enterprises have 30% of their workloads running in the public cloud, with the expectation to increase to 39% in 2021.

It’s become clear that the movement to cloud has its barriers and that large enterprises are often skittish to make the jump. Flexera’s State of the Cloud 2020 report outlined some of these top cloud challenges, citing security as #1. This has been widely apparent in conversations that I’ve had with Fortune 500 CISOs and security teams, who are wary of the shift from their current state of security operations. Some of the major concerns brought up include:

  • No longer your own master. When working with the public cloud providers, companies must relinquish control over some aspects of back-end management. This is tough for large enterprises that have a history of customizing products, because they can’t completely tailor the environment to their liking and are limited to what’s on the cloud service provider’s platform.
  • Lack of standardization. Each cloud provider has its own solutions and its own intricacies. Add to that other pitfalls, like an unknown cadence of updates, and interoperability becomes opaque and policies can’t be uniformly applied across environments.
  • Requires a new skill set. Lack of resources/expertise ranks among the top challenges for enterprises. A recent report on challenges in cloud transformation found that 86% of IT decision-makers believe shortage of talent will slow down 2020 cloud projects.
  • On-prem just works. Cloud is in vogue, but large enterprises have been running their applications on-prem for years and have them suited to their environment. The shift to the cloud is not only a technological endeavor, but a political and philosophical battle that people have built their career on.
  • Cloud-native is unrealistic. It would be great if every company built and ran their own infrastructure like Netflix or Uber, but there are nuances to legacy environments, such as applications built in outdated languages and scale of complexity from decades of operation, and there isn’t always a cloud analog for security tools.

What’s clear is that despite shortfalls in security, innovation in cloud and infrastructure will charge ahead. At the same time, the security industry isn’t without its fair share of tools. There are a number of eye-numbing market maps out there that seem to suggest that the security market is highly saturated. But when it comes to cloud security, is there room for more?

When cloud first started to disrupt the workplace, it was through the use of SaaS services that were adopted to bypass organizational security controls that were hindrances to productivity. It was evident at this point that the consumerization of IT was a real phenomenon and that back-office applications were becoming increasingly delivered as SaaS. Security in response started to deploy visibility and access control solutions to mitigate the problem of shadow IT and sensitive data access.

This first wave created the cloud access security broker (CASB) category that includes companies like Netskope, SkyHigh Networks, Elastica and Cloudlock, among others, of which Netskope is the last remaining independent company.

Infrastructure soon followed the SaaS movement, and IaaS adoption started to expose the cracks in the ability to see and restrict traffic inside the data center, whether that was in the cloud, on premise or a mix in between. Breaches from Target to Anthem showed the need for better segmentation between internal systems, and zero trust became a prevailing strategy. Companies like vArmour, Illumio, CloudPassage and Dome9 help organizations set stricter policies on which machines can talk to which.

But attacks don’t need to be complicated to be successful. According to Verizon’s 2020 Data Breach Investigation report, misconfiguration errors, like unsecured S3 buckets, are increasing and are more common than malware and equal in occurrence to social breaches. One of the biggest threats to security is not doing the basics. In response to these recurring errors, cloud security posture management (CSPM) tools from companies like Fugue, Datadog and Palo Alto Networks emerged to help teams implement and continuously monitor for proper configurations in IaaS and PaaS.

Despite investing in these controls to monitor and set policies for access, limit user and network traffic, and harden resources, security folks believe that these solutions are useful in prevention, but detection and response is a whole new animal. Owing to the lack of resources, the skills gap and the compounding complexity of a continuously evolving cloud ecosystem, identification of potential threat vectors, like account compromises and privilege escalation, has become a lot more hazy.

This is a growing domain with new players focused on bringing detection and response capabilities to SaaS (Obsidian, Altitude Networks, AppOmni, SightD) and IaaS (Capsule8, Wiz, Bridgecrew, Orca Security, Permiso). It could be argued that this is just a feature and can be added into existing security technologies from incumbents or added onto infrastructure and application-monitoring platforms.

Nevertheless, cloud usage is only growing, which means its security ecosystem will require the ability to not just see what’s happening, but also recognize what to look for and what it means.