November 25, 2020
The cloud can be a dark and stormy place. Let’s take a look at the vendor landscape surrounding the exceptionally hot area of identifying and mitigating cloud security risks.
Terms You Might Hear
- Cloud Data Protection
- Cloud Guardrails
- Cloud Infrastructure Security Posture Assessment (CISPA)
- Cloud Posture Management (CPM)
- Cloud Access Security Broker (CASB)
- Cloud Workload Protection Platform (CWPP)
- Cloud services can be incredible for your business agility, yet extremely complex and challenging to manage securely.
- Cloud services are continually evolving. Regulation and cybersecurity best practices for the cloud are continually evolving. It’s hard to keep up with the pace of change and get secure, let alone stay secure.
- Nearly all successful attacks on cloud services are the result of customer misconfiguration, mismanagement, and mistakes.
- Per Gartner, “at least 99% of cloud security failures will be the customer’s fault.”
- The models of securing and tracking compliance of server resources that work in the data center do not extend well to the Infrastructure-as-a-Service (IaaS) cloud. You can’t effectively use what you may already have.
- Governing the use of the cloud at a company by committee is not preventative. As such, Shadow IT is born and just about anyone with a credit card can deploy services in the cloud without proper security controls in place.
Enter the Cloud Security Posture Management (CSPM) product market space.
- New technical and architectural models of operating require evolved techniques and models to become secure and compliant. CSPM products provide continuous cybersecurity monitoring and compliance to detect, prevent, and fix cloud misconfigurations. This could be a cloud virtual machine, a service, an application environment, or a whole cloud tenant.
- CSPM products allow for cloud guardrails. Companies can programmatically specify what kind of resources will be allowed vs. not allowed in the cloud to limit your attack surface and ensure regulatory compliance.
- CSPM products can ensure consistent application of security policies across the cloud footprint. They can make changes in the cloud if services are abused or deployed without meeting standards.
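A minimal sketch of the guardrail idea above, as an added example (not from the original newsletter or any vendor's product): rules are declared as data, then evaluated over a normalized multi-cloud inventory to detect, fix, and prevent violations. The rule IDs, field names, region allowlist, and inventory records are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass(frozen=True)
class Guardrail:
    rule_id: str                      # hypothetical identifier
    applies_to: str                   # normalized resource kind, "*" = any
    description: str
    compliant: Callable[[dict], bool]
    fix: Optional[dict] = None        # settings to enforce if auto-fix is safe

GUARDRAILS = [
    Guardrail("GR-001", "object_store", "no public object storage",
              lambda r: not r.get("public", False), fix={"public": False}),
    Guardrail("GR-002", "object_store", "encryption at rest required",
              lambda r: r.get("encrypted") is True, fix={"encrypted": True}),
    Guardrail("GR-003", "vm", "admin ports closed to the Internet",
              lambda r: not ({22, 3389} & set(r.get("open_to_internet", [])))),
    Guardrail("GR-004", "*", "approved regions only",
              lambda r: r.get("region") in {"us-east-1", "westeurope"}),
    Guardrail("GR-005", "*", "owner tag present (surfaces shadow IT)",
              lambda r: bool(r.get("tags", {}).get("owner"))),
]

# Constructed inventory, already normalized across two providers.
INVENTORY = [
    {"id": "aws:bucket/logs", "kind": "object_store", "region": "us-east-1",
     "public": True, "encrypted": True, "tags": {"owner": "secops"}},
    {"id": "azure:blob/exports", "kind": "object_store", "region": "westeurope",
     "public": False, "encrypted": False, "tags": {"owner": "data"}},
    {"id": "aws:vm/build-7", "kind": "vm", "region": "ap-south-1",
     "open_to_internet": [22, 443], "tags": {}},
    {"id": "azure:vm/web-1", "kind": "vm", "region": "westeurope",
     "open_to_internet": [443], "tags": {"owner": "web"}},
]

def evaluate(inventory, guardrails=GUARDRAILS):
    """Detect: return sorted (resource_id, rule_id) findings."""
    return sorted((res["id"], g.rule_id) for res in inventory for g in guardrails
                  if g.applies_to in ("*", res["kind"]) and not g.compliant(res))

def remediation_plan(inventory, guardrails=GUARDRAILS):
    """Fix: map resource id -> settings to change, only for auto-fixable rules."""
    by_id = {g.rule_id: g for g in guardrails}
    plan = {}
    for res_id, rule_id in evaluate(inventory, guardrails):
        if by_id[rule_id].fix:
            plan.setdefault(res_id, {}).update(by_id[rule_id].fix)
    return plan

def admit(resource, guardrails=GUARDRAILS):
    """Prevent: reject a proposed resource before it is deployed."""
    return not evaluate([resource], guardrails)
```

Findings without a `fix` (exposed admin ports, unapproved region, missing owner) are left for a human decision, since changing them automatically could break a workload.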
Players in the Space
- AppOmni (Series A funding in 2020)
- Check Point / Dome9
- Cloud Conformity
- CloudCheckr (Series B funding in 2019)
- CrowdStrike / Falcon Discover
- FireEye / Cloudvisory (Acquired by FireEye in 2020)
- JupiterOne (Series A funding in 2020)
- Orca Security (Series A funding in 2020)
- Palo Alto / Evident.io
- Rapid7 / DivvyCloud (Acquired by Rapid7 in 2020)
- Tugboat Logic (Series A funding in 2020)
- Zscaler / Cloudneeti
Product Space Predictions
- CSPM products will become a universal need for companies of all sizes that have any cloud footprint and workloads. Regulators and auditors have had a consistent focus on cloud security, and that focus drives widespread adoption. This is no longer a nice-to-have.
- CSPM products drive the conversion of security into operations and operations into security. This change makes certifications, audits, and compliance that much easier.
- A convergence of cybersecurity written policies and real-time cloud controls will drive the adoption of Policy as Code (PaC). PaC is like pushing security and compliance into Infrastructure as Code (IaC) to make security a standard part of cloud operations. JupiterOne is already doing this.
- The need for adoption of CSPM products will increase with an organization’s speed of adoption of serverless functions like AWS Lambda. How will this evolve as companies push to low-code and no-code and XaaS services? Only time will tell.
- Cloud Service Providers (CSPs) like Amazon and Microsoft will continue to deploy these types of CSPM features into their existing cloud services. This will further increase CSP lock-in, but who better to secure the cloud than the CSPs themselves? Then again, one CSP won’t help you with a multi-cloud strategy and independent vendors could pick up the slack and better support your company.
- CSPM products will become the multi-cloud glue. They will help customers see how to make security and compliance consistent across Cloud Service Providers (CSPs).
Product Space Opportunities
- Show me the zero trust - or lack thereof. CSPM products could show the relationships of accounts, services, and servers to a given cloud entity, helping customers understand if they are actually achieving that zero trust state they all want. This would be a great first step to getting your zero trust approach in order.
- Visualize the blast radius. Combine the view of user and service permissions, accessibility to and from the Internet, and vulnerability/patching data to see what the real vs. perceived impact is if something gets compromised in the cloud. RedSeal has been doing this for years at the data center level.
- Loop CSPM products into DevOps from a Change Management standpoint. Keying off the auditability theme, connect into code repositories and CI/CD pipeline workflows to see what code was pushed and who pushed it. This can help with post-deployment oversight and reinforce best practices.
- CSPM products simplify operational management and overhead for IT operations and developers alike. The less time you have to think about your overhead, the more time you can spend delivering value.
- CSPM products can let you visualize your biggest risks. Use this information to guide prioritization efforts to close your most significant gaps.
- CSPM products provide a connection between monitoring for security and compliance and automation. This has been an evolution in the CSPM space, and one that entrants into the product space can no longer afford to skip. It’s not enough to just see issues; you also have to fix and prevent them.
- This type of product has only become available because of the cloud. The services you can deploy in cloud environments are standardized, and the underlying technology is the same. Traditional data center deployments will have dozens, if not hundreds, of bespoke architectures and deployments that require many different teams with fractured ownership. This creates a nightmare for consistent compliance.
- CSPM products alone cannot eliminate all security risks in the cloud; there need to be cultural and procedural changes at the business level to really mitigate risks.
- Cloud Security Posture Management Deals - significant recent acquisitions in the CSPM space.
- Cybersecurity Startup Lands $20.5M Series A Funding - the story behind Orca Security from March 2020.
- The Capital One Breach - a breakdown by Krebs on Security.
- Why You Need a CSPM Now - view from the Cloud Security Alliance (CSA), the de facto source of cloud security truth in the industry.
- Investing in the CSPM Space - Gartner’s take on the market space.