Cloud Security: factors that make it a unique market
In this article, I am looking at several factors that enabled cloud security to evolve differently from other types of categories
Welcome to Venture in Security!
Introduction
Anyone with experience working in cybersecurity knows that the cloud security category is somewhat unique. Unlike other areas of security, it is much less divided into small use cases built by different companies: when customers buy a cloud security product, they expect it to address several areas, including vulnerability management, detection and response, compliance and reporting, as well as cloud security posture and data security posture. This doesn’t happen with other market segments such as endpoint security, where these areas are seen as separate markets. Cloud seems to have formed a more tight-knit domain (cloud security) rather than giving birth to segments with the word “cloud” added up front (cloud data loss prevention, cloud intrusion detection system, cloud security information and event management, cloud vulnerability assessment, etc.).
In this article, I am looking at factors that enabled cloud security to evolve differently from other types of categories.
A big thanks to Prahathess Rengasamy for his feedback, perspectives, and comments.
Factors that accelerated the emergence of the cloud security market
The desire of customers to do everything in one place
If there was no demand for a holistic cloud security solution, maybe the cybersecurity industry would not have developed the way it did. Fortunately for us and for players such as Wiz and Orca Security, customers are tired of having to negotiate tens of contracts and deploy teams to stitch together dozens of distinct tools that were never designed to work with one another. Enterprises are often looking for an “all-in-one”, the so-called platform solution that can address multiple use cases across the same attack vector. Note that the desire is sometimes there on-premises as well, but it seems a lot harder to satisfy compared to the cloud.
Customer demand is a powerful motivator that most definitely played a role in pushing security entrepreneurs on the path of developing a cloud security market category.
Ambitions of founders and the room for IPO
Most people in the industry are familiar with the fact that platforms (collections of tools built together to solve a multitude of problems) are much more valuable than the so-called point solutions (products designed to solve one specific problem). That is not surprising: the more use cases a company can address, the more the customer spend it can capture, and the bigger it can grow.
We have seen that for a cybersecurity company to go public or exit at a unicorn valuation, it needs to build a platform. CrowdStrike, Palo Alto, SentinelOne, and many others illustrate this point quite well. Cloud security, with all its complexity and the ever-growing demand for cloud computing, presents a great opportunity for platform creation that, it seems, is still up for grabs.
Factors that made cloud security different
Although the presence of customer demand, the ambitions of founders to build a security platform, and the potential for lucrative exits are most definitely powerful motivators, the fact that someone would like to build an all-in-one platform does not make it feasible. Endpoint security is a good example: while many entrepreneurs would have liked to build platforms, that doesn’t change the fact that endpoint security is a collection of tens of separate products, and only a few - such as the above-mentioned Palo Alto, CrowdStrike, and SentinelOne - were able to build holistic solutions.
There are two factors distinctly unique to cloud security that made this market category possible.
The powerful APIs of cloud providers
When we look at most areas of security, it becomes clear that building a product that offers holistic coverage of an asset type is hard. Different companies run different endpoint platforms, and building an agent for Windows is very different from building an agent for Linux (each can take a year or two to complete). Asset discovery, asset management, vulnerability management, detection and response, and other critical components of security work differently for different platforms. To top that off, different companies use different solutions for log management, automation, and adjacent use cases, so a vendor entering the space needs to find a way to support the legacy tooling deeply embedded in the organization’s infrastructure. All these reasons make it clear why no single startup could quickly build a product that covers all possible use cases for all types of endpoint platforms in one place. A similar problem applies to other areas, such as application security, where some organizations use GitHub, others rely on GitLab, and a dozen other tools secure the code and other core components of software applications at different stages of the software development lifecycle.
Cloud is a different beast. Since the cloud was designed to be infinitely scalable and API-first, cloud providers have built powerful APIs. This made it possible for one company to implement most of the logic and build most of the components needed to secure the cloud. Each of the cloud providers - AWS, Azure, GCP, DigitalOcean, and others - exposes APIs to extract data, so cloud security vendors just need a way to normalize it into a common format and map similar concepts across different platforms.
This API-first nature of the cloud is the primary reason why cloud security vendors were able to move fast and build security platforms for the cloud from the ground up - something that wasn’t possible for other asset classes before. Today, we see other asset classes starting to move to this model too, for instance, API-driven EDR.
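To make the "normalize it into a common format and map similar concepts" step concrete, here is an added example (not from the article or any vendor) that maps the storage "public access" setting of three providers onto one provider-neutral record and runs a single posture check over it. The payloads are constructed samples shaped like simplified API responses (S3 GetPublicAccessBlock, an Azure storage account resource, a GCS bucket resource); the field names are the real ones, but the values and resource names are made up.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class StorageAsset:
    """Provider-neutral record: the one concept every provider is mapped onto."""
    provider: str
    name: str
    public_access_prevented: bool

def from_aws(bucket: str, pab: dict) -> StorageAsset:
    # S3 only counts as "prevented" when all four PublicAccessBlock flags are on.
    cfg = pab.get("PublicAccessBlockConfiguration", {})
    flags = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")
    return StorageAsset("aws", bucket, all(cfg.get(f) is True for f in flags))

def from_azure(account: dict) -> StorageAsset:
    # Azure expresses the same idea as one boolean; a missing value is treated
    # as not prevented so the assessment fails closed.
    props = account.get("properties", {})
    return StorageAsset("azure", account["name"],
                        props.get("allowBlobPublicAccess") is False)

def from_gcp(bucket: dict) -> StorageAsset:
    # GCS uses a string: "enforced" prevents, "inherited" defers to the org policy.
    iam = bucket.get("iamConfiguration", {})
    return StorageAsset("gcp", bucket["name"],
                        iam.get("publicAccessPrevention") == "enforced")

def find_exposed(assets: list[StorageAsset]) -> list[str]:
    """One check, written once, run over every provider's normalized records."""
    return [f"{a.provider}:{a.name}" for a in assets if not a.public_access_prevented]

# Constructed sample payloads (hand-written, shaped like the real responses).
AWS_LOCKED = {"PublicAccessBlockConfiguration": {
    "BlockPublicAcls": True, "IgnorePublicAcls": True,
    "BlockPublicPolicy": True, "RestrictPublicBuckets": True}}
AWS_PARTIAL = {"PublicAccessBlockConfiguration": {
    "BlockPublicAcls": True, "IgnorePublicAcls": True,
    "BlockPublicPolicy": False, "RestrictPublicBuckets": False}}
AZURE_ACCT = {"name": "stdataexample01", "properties": {}}  # flag never set
GCP_BUCKET = {"name": "example-assets",
              "iamConfiguration": {"publicAccessPrevention": "enforced"}}

def inventory() -> list[StorageAsset]:
    return [from_aws("example-logs", AWS_LOCKED), from_aws("example-site", AWS_PARTIAL),
            from_azure(AZURE_ACCT), from_gcp(GCP_BUCKET)]

if __name__ == "__main__":
    print(find_exposed(inventory()))  # ['aws:example-site', 'azure:stdataexample01']
```

The per-provider adapters are the only provider-specific code; every check downstream works on the common record, which is what lets a single vendor cover several clouds quickly.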
The ability to leverage existing concepts
Cybersecurity as we know it is a result of an evolution that unfolded over the past several decades. When we look at some of the oldest areas in the field, namely network and endpoint security, it becomes evident that all the concepts we have today are a result of years of research, knowledge sharing, reactively responding to new threats, and iterating on different products.
The process by which new concepts were introduced to the industry is easy to understand. We’ve got workstations, so we needed to secure those. When we realized that it’s quite hard to keep track of all the endpoints in our environment, we built asset discovery. When we started seeing computer viruses, we built antivirus solutions to detect and remove them from the system. When we realized that not all bad actors can be identified by checking signatures, we introduced behavioral detections. When it became clear that every asset has many vulnerabilities but not all of them are being exploited, and we cannot fix everything, we introduced the concept of vulnerability management. When we became concerned with handling everything at scale, infrastructure-as-code, policies-as-code, and detections-as-code were conceived.
The cybersecurity vendor market as we know it is, at the fundamental level, a series of attempts by different entrepreneurs to implement concepts that we as an industry have discovered and identified as needed.
By the time cloud security became a need, most concepts - from asset management to vulnerability management, detection & response, everything-as-code, etc. - were already well understood. This means that the founders of cloud security companies were able to move fast and implement what had already been built for other asset classes.
Limitations of the cloud platforms
One of the areas that remains to be solved for the cloud is incident response, although we see that a) cloud APIs also enable automated incident response (think of Torq, Tines, and the like), and b) companies such as Gem Security focus on incident response in the cloud. Since the cloud was built for scale, something changes every millisecond, and every change is recorded. Most incident response relies on audit and access logs. Unfortunately, not only is it hard to make sense of this machine-scale volume of data, but storing it is prohibitively expensive. Cloud security platforms today have very transient access to this data, so customers have no choice but to rely on other tools for long-term storage.
Part of the challenge is that many companies want all of their data in one place. To solve this dilemma, cloud security providers would need to become data platforms - data lakes or security information and event management (SIEM) providers purpose-built for storing and querying massive amounts of telemetry. Until all of security becomes cloud security, which in itself is very unlikely for decades to come, the cloud security market category isn’t going to consume all other security solutions.
Closing thoughts: starting from a clean slate
Cloud security has seen a lot of tailwinds. First, the continuous increase in the number of companies that leverage cloud capabilities makes this a fast-growing market. Second, since there are only three big public cloud providers that matter - AWS, Azure, and GCP - companies building cloud security solutions have the ability to focus. Third, cloud security players got the ability to start from a clean slate: build a new type of product while using the existing knowledge base from other areas of security, and leverage the advantage of powerful APIs to make it happen quickly.
All this, combined with the lucrative valuations and exit scenarios via IPOs available to security platforms that execute well, made founders of cloud security providers laser-focused on owning cloud security as a whole. I have high confidence that in the years to come, the cloud security space will see several impressive exits.
Despite all the positive developments, some challenges remain. From data storage to keeping up with the ever-increasing complexity of the cloud, many hard problems are waiting for solutions. Importantly, not every problem should be solved by buying a tool. For those interested in a practitioner’s take on cloud security and building vs buying security solutions for cloud-native organizations, I highly recommend Rami McCarthy’s talk at fwd:cloudsec - Beyond the AWS Security Maturity Roadmap.