The VC View: Cloud Security and Compliance

I’m glad this column is coming out now instead of earlier this year. Cloud security is more topical than ever when considering all the fun things that have happened in 2021 with security startups!

Before talking about innovation and startups though, let’s talk about a brief history of cloud security… especially public cloud. Securing the public cloud is still one of the biggest unanswered questions that folks are working to figure out. Leveraging the public cloud just makes sense: few companies are in the business of running their own data centers; they’re in the business of creating value and solving customer problems. While the case for using (multiple, diverse) public clouds is clear, securing them is another question entirely.

Now, if you take out the datacenter/virtualization-centric vendors calling themselves public cloud solutions, this category was really created a couple of years ago. I give a lot of credit to Palo Alto Networks for calling the space early and showing their interest by acquiring both Redlock & Evident.io in the CSPM space. Then they followed those acquisitions with PureSec, Twistlock, Aporeto and most recently Bridgecrew. A lot of activity since 2018! 

Back in 2018, a lot of folks were (and still are) figuring out how to properly configure their public cloud usage. Since public cloud is “public”, configuration matters because everything is inherently internet-facing. The layers of controls built in the datacenter world don’t exist in the public cloud, so misconfigurations (e.g. open S3 buckets) are immediate issues.

At the same time, practitioners were hesitant to move high-risk workloads to public cloud; they had no attestation data from the public cloud vendors. When customers managed their own infrastructure, they could easily grab the context they needed from the servers. In the public cloud world, getting that data for compliance is an unscalable task when servers are shared among multiple customers.

We’re now in 2021, just three years later, and in that time we’ve seen the amount of public cloud compute spend grow from ~$250 billion in 2018 to ~$400 billion this year, with growth continuing linearly to ~$650 billion in 2024, per Gartner.

When we start talking about spending hundreds of billions and at that growth rate, it’s natural to say there is going to be opportunity to help make sure that spend is secure. Hence this category and this column.

In many ways, public cloud problems look similar to legacy data center problems. The biggest causes of security incidents are still the same: misconfiguration, vulnerabilities/missing patches, bad passwords, phishing and insecure code. The biggest difference today is the increased exposure from public cloud and the speed at which organizations seek to move their infrastructure and business software there.

And because of those similarities, I envision most practitioners who do take on a cloud security project in 2021 will focus on visibility and compliance first. 

Attestation/visibility was always one of the first issues that held folks back from the public cloud. Every company is held accountable by their customers, auditors and their regulators to certain standards. Without data from the cloud providers, leveraging the public cloud was an unsolvable problem for regulated workloads. And while this problem hasn’t been fully solved, with the help of new tooling and integrations, running sensitive workloads in the public cloud is now possible! The difference, however, is a new set of policies before we move onto a new set of compensating controls.

And the reality is that everyone agrees that they have compliance obligations. Enterprises today still have to prove that they are: 1) collecting the evidence to generate asset and user inventories; 2) actively looking for potential risks, issues & vulnerabilities; and 3) matching their work to industry standards.

Cloud security is really that undefined right now… and that scares a lot of people. It’s difficult to invest resources to build and implement compensating controls nowadays because the consensus technology/solution could turn out to be something else entirely. So my recommendation for folks working on public cloud this year… instead of fighting compliance, join them. Just like practitioners, some consultants are way ahead of the pack and have a great sense of the future because they’re solving the same problem for multiple customers. Go find those leading-edge advisors and work with them.

At the same time, double down on visibility. Look at scaling up your efforts to ingest cloud-related data from multiple sources and controls. Like the SIEM collecting data in the network world, we’re going to also see a platform collecting a variety of cloud-related data in this new world. All with the purpose of making sense of the multitude of activities happening across an organization on the public cloud; just like the SIEM helped to make sense of the activities on a growing network.

And just as we went deeper into the network by deploying EDR agents on our endpoints, cloud visibility is going deeper into the steps that lead up to the software being deployed in the cloud. In essence, the combination of “shifting left” and “cloud security” is going to happen and be called “shifting everywhere.” A logical outcome considering we’ve broken apart the responsibilities of the network administrators of yore and given many of those admin rights to our developers to enable agile development in the modern multi-cloud world.

Written By

Will is a Managing Director and a founding team member at ForgePoint Capital. He has been an avid technology enthusiast for decades: building his first computer in elementary school and starting online businesses while completing his bachelor’s degree from the University of California, Berkeley. Focusing on security startups for a decade, he has worked with more than 20 cybersecurity companies to date. In his spare time he’s a foodie with friends, enabling serendipity and building communities.
