The Future of Security in the Cloud Era
High quality cloud security talent is scarce, and the public cloud is highly susceptible to sophisticated data exfiltration attacks. Here are three key opportunities for next-gen security startups to explore.
By Harshjit Sethi, Sidhant Goyal and Mayank Porwal
Published September 19, 2022
The security market has undergone a transformational change as companies move software from on-premise servers to the cloud, creating new opportunities and new winners as the nature of the problem evolves.
Not so long ago, in the on-prem era, security was a relatively well-defined problem statement. Large warehouses owned by a company were transformed into climate-controlled physical data centres that housed servers, which hosted software used by their customers and employees. These servers were interconnected to build a network, and traffic entered and exited from a few countable gates. The most important element of security was the watchman at the gate, known as the network firewall, that inspected the nature of the traffic – every request and data packet – and blocked anything that appeared anomalous or malicious. Additionally, employee devices such as laptops (aka endpoints) were secured as well, since they interacted with the public internet, stored sensitive data and hosted their own applications. Agents, or software processes running on individual endpoints, monitored user activity and restricted high-risk user actions, while antivirus software constantly scanned software downloaded at endpoints for any untoward activity. IT teams responsible for enterprise security used specialized software to detect, triage and respond to security threats and vulnerabilities in real-time. Across all these layers, the on-prem era created many legendary companies like Splunk, McAfee, Fortinet, and Crowdstrike, to name a few.
Fast forward to today’s cloud environments, where compute and storage are now rented by the hour from the likes of AWS, Azure, GCP and other hyperscalers. These servers are no longer static machines you see, know and trust; they are external resources maintained and operated by a third party. Software deployed on these rented servers is now containerized (code neatly packaged into Docker images deployed in an isolated environment with shared compute), and the lifecycle of these containers is orchestrated by independent software such as Kubernetes, which constantly spins containers up and down. Computing in the cloud is ephemeral: code that is executed on one server at one moment may move to another server in the next. Unlike the on-prem world, there is no defined perimeter to protect. It changes constantly. What’s more, sensitive data is stored on third-party SaaS applications and managed databases in the public cloud. Employees access this data from a multitude of devices, including personal mobiles, and identity is far harder to establish.
Code has migrated from monolith to microservices, and references hundreds of third-party codebases, SDKs, libraries and open-source projects, each of which has its own set of vulnerabilities.
The shift to the cloud has created new technological challenges and pain points:
- The cloud perimeter is entirely diffuse, massively expanding the attack surface.
- Code now has multiple external dependencies. A security breach is a severe business loss.
- There are several new avenues for human error.
Key Opportunities for Next-Gen Security Startups
Net net, the public cloud is highly susceptible to sophisticated data exfiltration attacks that can cause irreparable harm to a company’s reputation. What’s more, high quality security talent is scarce, and cloud security talent even more so. We believe these pain points represent three key opportunities for next-gen security startups.
1. Securing cloud infrastructure: The first key problem faced by cloud-native Chief Information Security Officers (CISOs) was the lack of visibility. “Where am I exposed and what are my risks?” was the question at the top of their minds. Misconfiguration of cloud resources in particular (e.g. publicly exposed S3 buckets, unrestricted outbound ports) was the attack vector they worried most about. Gartner recently estimated this would be the cause of more than 99% of cloud breaches by 2025. Existing security vendors were quick to react to the new customer need. Palo Alto Networks introduced Prisma Cloud, Checkpoint acquired Dome9, while Zscaler, Crowdstrike, Tenable and many others introduced their own cloud-native security suites, leveraging existing distribution to scale. Palo Alto’s Prisma Cloud rapidly emerged as a market leader: we estimate that in less than five years of launch, the product is in the vicinity of $500 million standalone ARR!
While the first wave of solutions solved for visibility, they had two shortcomings. First, most of the products worked via agents deployed in the cloud, and as a result they required heavy customer-side onboarding, long implementation cycles and a slow time-to-value. Second, many of these first-gen solutions generated a laundry list of threats and vulnerabilities, without effective prioritization or context. Cloud security teams do not have the bandwidth to solve for every vulnerability that exists, or to figure out whether something being flagged is a false positive. This opened the door for the emergence of a second wave of cloud security vendors, like Wiz, Orca and Lacework.
These companies drove innovation by building agentless solutions: they read hyperscaler APIs at regular intervals to create a snapshot of a customer’s production environment and deeply analyzed the model for flaws and vulnerabilities. Simply put, previous generation products were akin to a CCTV system, where camera direction and tuning was set manually and checked periodically, while the new approach is like taking a series of photographs of the cloud from APIs to create a parallel model of the system, which can be tested continuously for weaknesses. In the new approach, turning on read-only access to hyperscaler APIs brings time to value down to a few hours, instead of weeks or months.
The new era products also do a great job on prioritization by creating a framework around what is an outage, how frequently it happens (normal vs anomaly) and its business impact. The ability of these vendors to produce an intelligent and informed rank ordering of pressing security issues that must be attended to, as well as rich context on each issue to facilitate remediation, sets them apart. Propelled by Covid tailwinds, this wave of cloud security vendors is seeing incredible pull from the enterprise market. Wiz, for one, has witnessed one of the steepest revenue ramps in the history of enterprise software.
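The agentless approach described above, condensed into code as an added example (not any vendor's product): a constructed API snapshot of buckets and security groups is checked offline for the misconfigurations named earlier (public buckets, internet-exposed ports, unrestricted egress), and the findings are ranked by exposure and by what they reach. Resource names and fields are assumptions shaped loosely like cloud API output.

```python
"""Agentless posture check over a constructed cloud API snapshot (added example)."""
from dataclasses import dataclass

# Constructed snapshot: what read-only API calls might return; names are made up.
SNAPSHOT = {
    "buckets": [
        {"name": "corp-public-assets", "public_read": True, "contains_pii": False},
        {"name": "customer-exports", "public_read": True, "contains_pii": True},
        {"name": "build-cache", "public_read": False, "contains_pii": False},
    ],
    "security_groups": [
        {"id": "sg-web", "sensitive_workload": False,
         "rules": [{"dir": "ingress", "cidr": "0.0.0.0/0", "port": 443},
                   {"dir": "egress", "cidr": "0.0.0.0/0", "port": "all"}]},
        {"id": "sg-db", "sensitive_workload": True,
         "rules": [{"dir": "ingress", "cidr": "0.0.0.0/0", "port": 5432}]},
    ],
}

@dataclass(frozen=True)
class Finding:
    resource: str
    issue: str
    score: int   # higher means attend to it first

def check_buckets(buckets):
    out = []
    for b in buckets:
        if b["public_read"]:
            # Public bucket holding sensitive data is the exfiltration case.
            out.append(Finding(b["name"], "bucket readable by anyone",
                               90 if b["contains_pii"] else 40))
    return out

def check_security_groups(groups):
    out = []
    for g in groups:
        for r in g["rules"]:
            if r["cidr"] != "0.0.0.0/0":
                continue               # not internet-facing, nothing to flag here
            if r["dir"] == "ingress" and r["port"] not in (80, 443):
                out.append(Finding(g["id"], f"port {r['port']} open to the internet",
                                   85 if g["sensitive_workload"] else 50))
            elif r["dir"] == "egress" and r["port"] == "all":
                # Unrestricted outbound traffic is what data exfiltration rides on.
                out.append(Finding(g["id"], "unrestricted outbound traffic", 60))
    return out

def prioritized_findings(snapshot):
    """Rank-ordered list of issues, the way the article says second-wave tools present them."""
    findings = check_buckets(snapshot["buckets"]) + check_security_groups(snapshot["security_groups"])
    return sorted(findings, key=lambda f: f.score, reverse=True)
```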
We think that in the next decade, intelligence in security software will become the norm. The most successful cloud security platforms will be able to detect, prioritize and remediate critical security issues with little human interaction (except perhaps approving suggested remediations).
2. Securing the code: In December 2021, a zero-day vulnerability was identified in a popular open-source logging framework called Log4j used by developers building on Java. The vulnerability enabled attackers to use Log4j to remotely inject and execute malicious code from a public URL, and eventually take control of any internet-connected service using this framework. At the point of discovery, it was estimated to affect nine out of 10 enterprise cloud environments. All you had to do to fix this was upgrade to the latest, patched version of Log4j, but in the time it took for word to spread a massive amount of damage was done. The attack highlighted how dependence on an open-source library with an inherent vulnerability had the potential to handicap some of the world’s largest enterprises, from AWS to Apple to Twitter to Cloudflare. The message was powerful: writing secure code is mission-critical to security.
This incident is a small part of a broader movement towards ‘shift-left’ security. The key insight is that the detection and remediation of vulnerabilities, before they enter the production environment and become threats, is highly valuable, and choices made by individual developers today have a meaningful impact on an enterprise’s security posture tomorrow. Snyk, a 7-year-old startup that started as an open source project to help developers scan their source code to detect vulnerabilities in connected open source projects, is a great example of a company that’s emerged in this space. Today Snyk is a full-fledged tool with features such as ‘fix pull requests’ designed to eliminate vulnerabilities in a few clicks and insert security test suites into the CI/CD pipeline, as well as next-gen SAST (static application security testing). Many successful companies like Veracode, Checkmarx and SonarQube already offered code testing – but Snyk emerged as the leader on the back of superior dev experience and bottom-up GTM, boasting an impressive 2.5 million dev base today.
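A minimal shift-left dependency gate, as an added example (not Snyk's or any vendor's code): a pinned dependency manifest is checked against an advisory list before the build proceeds, and each hit carries the upgrade a ‘fix pull request’ would propose. The manifest, the package pins and the affected version ranges are constructed for the example and are not the real Log4Shell ranges.

```python
"""Shift-left dependency gate for a CI step (added example; constructed data)."""
import re

MANIFEST = """\
# constructed build manifest
log4j-core==2.14.1
internal-utils==1.0.0
commons-text==1.9
"""
# Constructed advisories: ranges are half-open [low, high) and are NOT real CVE data.
ADVISORIES = [
    {"pkg": "log4j-core", "affected": ((2, 0, 0), (2, 17, 1)), "fixed": "2.17.1",
     "severity": "critical"},
    {"pkg": "commons-text", "affected": ((1, 5, 0), (1, 10, 0)), "fixed": "1.10.0",
     "severity": "high"},
]

def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.14' is padded to (2, 14, 0) so comparisons work."""
    parts = [int(p) for p in re.findall(r"\d+", text)]
    return tuple(parts + [0] * (3 - len(parts)))[:3]

def parse_manifest(text):
    """Map package name -> pinned version, ignoring comments and blank lines."""
    deps = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, version = line.partition("==")
        deps[name.strip()] = version.strip()
    return deps

def in_range(version, affected):
    low, high = affected
    return low <= version < high

def gate(manifest_text, advisories=ADVISORIES):
    """Return findings the CI gate fails on; an empty list means the build may proceed."""
    deps = parse_manifest(manifest_text)
    findings = []
    for adv in advisories:
        pinned = deps.get(adv["pkg"])
        if pinned and in_range(parse_version(pinned), adv["affected"]):
            findings.append({"pkg": adv["pkg"], "pinned": pinned,
                             "severity": adv["severity"],
                             "fix": f"{adv['pkg']}=={adv['fixed']}"})   # what a fix PR would pin
    return findings
```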
We are very intrigued by the tailwinds in this segment. Making systems secure by design at the time of writing code or configuring resources, rather than only increasing budgets to monitor production environments, is the way to scale security in the cloud. Tools that auto-suggest the most secure version of a selected codebase directly in the IDE, and can predict vulnerabilities in the source code that are most likely to be exploited in production, will be very valuable.
3. Preventing human error: Most of us have either experienced an email phishing attack or know someone who has. Companies like Proofpoint, Mimecast, Barracuda, Fortinet and Symantec have built large businesses to help eliminate business email compromise. While there is merit in using email gateways to analyze emails, this approach ignores the source of the issue itself: human behavior. A recent FireEye incident report indicates that more than 90% of sophisticated cyberattacks are targeted at humans, with the bulk of them performed over email. It is after all a human being who clicks the link in a phishing email, who responds to a socially-engineered message with sensitive data, or who mistakenly sends a sensitive email to an unintended set of recipients.
With the shift to the cloud and the emergence of mobile phones as the dominant platform for communication, a set of companies like Tessian and Abnormal Security started to solve for human layer security in email. The core insight was to baseline ‘normal’ email behavior for every employee across multiple dimensions – typical login times, devices and geographies, tone of communication, frequency of communication with each recipient – to identify errant or anomalous behavior with a degree of confidence. For instance, a login to an email account from a mobile device in Asia at 7pm for a US-based employee is likely anomalous, but if there has been another ‘normal’ login from a laptop in the US just prior, it is indicative of account takeover. Market demand for human layer security has been robust: it is one of few examples where end-users actually grow to love a security tool and are thankful to IT and security teams for helping them avoid career-limiting mistakes.
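The baselining idea above in code, as an added example (not Tessian's or Abnormal Security's logic): a per-employee baseline of usual hours, devices and countries is built from constructed login history; a new login is scored on how many dimensions it departs from that baseline, and a login from a new country shortly after a ‘normal’ login elsewhere is escalated to a possible account takeover, the 7pm-from-Asia case described above. The two-hour travel window is an assumption.

```python
"""Human-layer login baseline and account-takeover check (added example; constructed data)."""
from collections import Counter
from datetime import datetime, timedelta

# Constructed history: a US-based employee logging in from a laptop at 8am, 1pm and 5pm
# on ten weekdays (timestamps in the employee's local time).
HISTORY = [
    {"ts": datetime(2022, 9, d, h), "device": "laptop", "country": "US"}
    for d in range(1, 11) for h in (8, 13, 17)
]
# Assumption: two logins from different countries this close together cannot both be the user.
TRAVEL_WINDOW = timedelta(hours=2)

def build_baseline(history):
    return {
        "countries": {e["country"] for e in history},
        "devices": {e["device"] for e in history},
        "hours": Counter(e["ts"].hour for e in history),
    }

def score_login(event, baseline):
    """List the dimensions on which this login departs from the employee's baseline."""
    reasons = []
    if event["country"] not in baseline["countries"]:
        reasons.append("new country")
    if event["device"] not in baseline["devices"]:
        reasons.append("new device")
    if baseline["hours"][event["ts"].hour] == 0:
        reasons.append("unusual hour")
    return reasons

def assess(event, baseline, recent):
    """Classify a login as normal, anomalous, or a possible account takeover."""
    reasons = score_login(event, baseline)
    if not reasons:
        return "normal", reasons
    # A baseline-conforming login from another country just before this one means
    # two parties are using the account at once: escalate rather than just flag.
    for prior in recent:
        gap = event["ts"] - prior["ts"]
        if (timedelta(0) <= gap <= TRAVEL_WINDOW
                and prior["country"] != event["country"]
                and not score_login(prior, baseline)):
            return "possible account takeover", reasons + ["impossible travel"]
    return "anomalous", reasons
```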
Just like email security, we think a new crop of security companies focusing on eliminating human errors across a wider set of applications will emerge. Infrastructure security might be one such vertical: human error is often to blame for cloud misconfigurations. A tool that knows sane defaults and proactively warns DevOps/SREs of vulnerabilities introduced by configuration changes might create value. Employee interactions with SaaS applications may be another vertical: just like email, these apps contain sensitive data of great interest to bad actors. In the future, we imagine that human layer security will monitor the full breadth of activity in enterprise software tools, to detect and prevent high-risk human error in real-time.
These are just some of the opportunities emerging in cloud security. While the sector may appear crowded with many large, high-performing companies, we believe many of the challenges of cloud security are yet to be comprehensively solved. If you’re building in this space, reach out to us.