Mini Security Series: Cloud Security Part 1
Summary
Cloud computing is a breeding ground for security innovation.
However, entry barriers are low, which has resulted in numerous startups.
We’ll name some likely category winners.
We’ll also discuss the industry’s ripeness for M&A and consolidation, especially after we make it through this horrible market downturn.
Part 2 will cover entry barriers across different areas of the security industry, and in Part 3 we’ll discuss why NGFWs are still pivotal for effective security postures.
Convequity’s View on the Cloud Security Market
Cloud security is a huge space for innovation because of the rapid evolution of cloud computing. At the birth of cloud computing, orgs first began utilizing IaaS; then startups innovated on IaaS to deliver SaaS; then PaaS emerged, and then containers >>> Kubernetes >>> serverless >>> microservices >>> API gateways >>> IaC, and whatever else. Once upon a time, one application would be hosted on one dedicated server, but now in the cloud era an application is broken up into various components, each hosted in different clusters/servers/VMs/containers and each connecting to a multitude of microservices.
Figure 1 - Rising Complexity
Source: Datadog
Not only are the vastness, fragmentation/decentralization, and complexity of such environments incredibly arduous to secure, but cloud instances (those that host part of an application or workload, for example) are rapidly scaled up and down in elastic fashion in accordance with fluctuating demand, making it nigh on impossible to inventory them and do forensics. Furthermore, cloud computing enables such speedy innovation and GTM that a significant portion of cloud instances are ephemeral, meaning cloud environments are always in flux. Then, to add even more complexity, orgs have adopted multi and/or hybrid cloud IT operations.
All of this has greatly expanded orgs’ attack surfaces and caused an explosion of data – all of which needs to be secured. And security has always been playing catch up – CSPM for misconfigurations within IaaS, CASB for protecting data within SaaS apps, CWPP for detecting and remediating threats on VMs and containers, microsegmentation and CIEM for enforcing which things are allowed to connect to other things within the cloud and microservices architecture, and shift-left security for building in secure practices as developers write code and use IaC templates. Shift-left is probably the hottest security philosophy right now - there are security startups going the farthest left possible by giving devs the tools to build in security as they write the code for their applications. Though, no doubt there will appear more security gaps when we experience the next wave of computing innovation, be it in the cloud, or the edge, or anywhere else.
So, to summarize, there will continue to be rapid computing innovation as orgs push themselves to digitalize faster, and bring more value to their customers, than that of the competition >>> this will continue to expand the attack surfaces >>> bad actors will continue to look for new ways to exploit and extort >>> and security providers will continue to help orgs prevent and detect these bad actors and remediate their threats.
HOWEVER! There are some considerations for keen investors. Yes, cloud security will grow into a huge market, but the entry barriers are low – meaning that the space is already highly fragmented and will become more so in due course. The entry barriers are low because, at the end of the day, if a new startup wanted to imitate what another cloud security startup was doing, all it requires is some clever code to be deployed in an agent or agentless manner. These cloud security startups have not innovated deep into the tech stack because they don’t need to, as they’re leveraging hyperscalers’ IaaS. This is why we’ve seen a proliferation of cloud security vendors and innumerable other SaaS firms. However, it’s a double-edged sword, because if it’s easy for an entrepreneurial developer to set up a cloud security company then it is easy for them to be copied also. The fact that entrepreneurial developers need to first focus on a niche is another reason why they can be imitated relatively easily.
In recent years many innovative startups have emerged – in recent times PANW has acquired several and ZS has also acquired to a lesser extent, but other hot ones that may be approaching an IPO in the not-so-distant future are Netskope, Snyk, Lacework, and Orca Security. Then, there are young public cloud-native security firms like GitLab (GTLB) and HashiCorp (HCP). And then, there are legacy firms like CHKP and CSCO making acquisitions, and XDR vendors like S and CRWD increasingly making inroads into more cloud security. Overall, the industry is extremely competitive, so in our opinion, as an investor it’s useful to have an edge of technological information in order to improve the chances of picking long-term winners.
Francis Odum, of Investi Analyst on Twitter, Substack, and Seeking Alpha, mentioned to us that there is probably only enough space for one winner per category. We agree, and if those winners are the startups, then the second order unfolding of events is more acquisitions once the macro situation improves, thus leading to market consolidation. And if there becomes a fierce battle for category-winner BoB startups among the larger security players, due to PANW’s cloud security M&A success thus far, startups are likely to choose PANW ahead of other legacy or even XDR names. Furthermore, if it came down to a bidding war, PANW’s high cash flow generation and shareholder support would also give them advantages versus other names, in our opinion.
Bear in mind that PANW and other large players won’t be able to scoop up all the BoB startups, however. So, the ones that make it to IPO – like Snyk is provisionally scheduled to do later this year – have a very bright future. And we can’t stress that enough because reaching IPO is not easy. The average Series A startup failure rate is 80% (zero cash returned to investors), and Series B is also 80%, meaning that to survive and thrive toward an IPO, a startup needs a rare type of founder/s who have the grit and courage to traverse through tumultuous times.
In the following sections, we’ll cover the various areas of cloud security and mention some names that should perform well in the future.
CSPM
Cloud Security Posture Management, or CSPM, came onto the cloud scene to help ITOps configure IaaS properly and to follow best security practices and benchmarks for hosting stuff in the cloud – it has since expanded to include SaaS and PaaS. CSPM software will alert IT/SecOps, for example, if data storage is exposed directly to the internet, or alert that there isn’t any encryption on a database, or alert that there is no login requirement to a certain host – all vulnerabilities bad actors look to exploit.
Typically, CSPMs are agentless, which means no agent is required to be installed on the hosts. Instead, CSPM uses the cloud provider’s APIs to fetch data about the hosts and monitor things.
CSPMs are a must-have for all cloud-using orgs, but they cannot secure cloud environments on their own. Because they are agentless, they can’t stop and remediate threats – in essence, they can only guide on the correct configurations and alert when they detect misconfigurations and anomalous behaviour.
Here are some of the top CSPM providers:
PANW’s old firewall rival, Check Point Software Technologies: In 2018, CHKP acquired BoB CSPM specialist Dome9 to bolster their IaaS and SaaS security efforts. It is a solid product but CHKP’s execution has been poor – we speculate that CHKP is generating less than $100m of revenue from cloud solutions, which is < 5% of total revenue.
Orca Security has a next-gen expanded version of CSPM that can detect malware, unauthorized lateral movements, data at risk, and IAM risk – which kind of merges CSPM with EPP, CASB, CIEM, and vulnerability management. A key USP of their offerings is that everything they do is agentless – quick deployment and zero resource drain on hosts. Orca also has tight back-end integrations with their own SIEM and SOAR, which makes us think they are a Compounded Startup (a reference to the short piece we wrote on 9th May 2022). Thus far, Orca has secured a total of $632m in funding (currently at the Series C stage) with a valuation of $1.8bn (that is pre-market meltdown, however) on $85m in annual revenue. It’s possible Orca could IPO within the next couple of years.
Lacework is another next-gen cloud security startup with an innovative CSPM that aims to add relative value versus rivals via better risk prioritization, more context enrichment, and making compliance easier. Like Orca, Lacework has a broad platform that extends beyond CSPM, delivering solutions in agentless and agent-based forms. Thus far the company is at Series D of the funding stages, has a valuation of $1.9bn (again, pre-market meltdown), and is generating revenue of c. $280m per year with triple-digit growth. It’s very possible that Lacework will do an IPO not long after the macro picture gets better.
PANW acquired agentless multi-cloud CSPM provider RedLock in 2018, and the founders have been a bedrock for PANW building out the Prisma Cloud platform. Given the success of Prisma Cloud, we infer that RedLock’s revenue will have increased multifold – benefitting from being a leading CSPM solution and from cross sales within the vast PANW portfolio.
CRWD built their CSPM in-house and released it to the market in late 2020; it forms part of a broader cloud security platform.
ZS acquired CSPM startup Cloudneeti in 2020 and has since added more solutions to create a fairly comprehensive platform.
A major shortcoming in CSPMs has emerged due to the rise of Infrastructure-as-Code [IaC] templates. Devs have been using IaC to make the provisioning of IaaS repeatable and automated. Consequently, devs have been rapidly scaling out infrastructure across cloud environments with little consideration for the security aspects. As one would expect, this results in CSPMs firing off innumerable threat alerts which ITOps and SecOps must trudge through and remediate. Clearly, this is offsetting the majority of the ROI of setting up in the cloud in the first place.
Shift Left: IaC & Code Security
IaC
CSPMs are detective in nature whilst shift-left security is preventative in nature. To avoid firing umpteen alerts per every IaaS provisioning, why not build in security as the IaaS is being provisioned? This is the essence of IaC shift-left security – it is about enabling devs to use IaC templates to configure IaaS securely and to use automation to provision IaaS efficiently.
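To make the detective-versus-preventative distinction concrete, here is an added example (not code from the page or from any vendor named on it) of one small rule set applied two ways: once over a snapshot of already-provisioned resources of the kind an agentless CSPM builds from the cloud provider’s APIs, and once over a CloudFormation-style template before anything is provisioned, where any finding fails the pipeline. The template, the inventory and the three rules are constructed for illustration; a real CSPM ships hundreds of rules mapped to benchmarks.

```python
import json
from typing import Callable, Optional

# A rule inspects one normalized resource {"id", "type", "props"} and
# returns a finding string, or None when the resource passes.
Rule = Callable[[dict], Optional[str]]

def public_bucket(res: dict) -> Optional[str]:
    if res["type"] != "AWS::S3::Bucket":
        return None
    pab = res["props"].get("PublicAccessBlockConfiguration", {})
    if not pab.get("BlockPublicAcls") or not pab.get("RestrictPublicBuckets"):
        return "storage bucket can be exposed directly to the internet"
    return None

def unencrypted_db(res: dict) -> Optional[str]:
    if res["type"] != "AWS::RDS::DBInstance":
        return None
    return None if res["props"].get("StorageEncrypted") else "database has no encryption at rest"

def ssh_open_to_world(res: dict) -> Optional[str]:
    if res["type"] != "AWS::EC2::SecurityGroup":
        return None
    for rule in res["props"].get("SecurityGroupIngress", []):
        if rule.get("CidrIp") == "0.0.0.0/0" and rule.get("FromPort", 0) <= 22 <= rule.get("ToPort", 0):
            return "host admin port 22 reachable from any address"
    return None

RULES: list[Rule] = [public_bucket, unencrypted_db, ssh_open_to_world]

def scan(resources: list[dict]) -> list[tuple[str, str]]:
    """Run every rule over every resource; returns (resource id, finding) pairs."""
    return [(r["id"], f) for r in resources for rule in RULES if (f := rule(r))]

def from_cloudformation(template: str) -> list[dict]:
    """Normalize a CloudFormation JSON template into the shape the rules expect."""
    body = json.loads(template)
    return [{"id": name, "type": spec["Type"], "props": spec.get("Properties", {})}
            for name, spec in body["Resources"].items()]

def ci_gate(template: str) -> bool:
    """Shift-left: a template with any finding fails the pipeline before provisioning."""
    return not scan(from_cloudformation(template))

# Constructed template: two of the three resources are misconfigured.
TEMPLATE = json.dumps({"Resources": {
    "LogsBucket": {"Type": "AWS::S3::Bucket", "Properties": {
        "PublicAccessBlockConfiguration": {"BlockPublicAcls": True, "RestrictPublicBuckets": False}}},
    "AppDb": {"Type": "AWS::RDS::DBInstance", "Properties": {"StorageEncrypted": True}},
    "BastionSG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {"SecurityGroupIngress": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"}]}},
}})

# Constructed inventory, already normalized, as a CSPM would assemble it from API calls.
LIVE_INVENTORY = [
    {"id": "prod-db-1", "type": "AWS::RDS::DBInstance", "props": {"StorageEncrypted": False}},
    {"id": "sg-0abc", "type": "AWS::EC2::SecurityGroup", "props": {"SecurityGroupIngress": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"}]}},
]

if __name__ == "__main__":
    for res_id, finding in scan(LIVE_INVENTORY):
        print(f"[CSPM alert] {res_id}: {finding}")  # detective: resource is already live
    print("IaC gate passed" if ci_gate(TEMPLATE) else "IaC gate FAILED: fix template before deploy")
```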
Following its Feb-21 acquisition of Bridgecrew, PANW has a next-gen IaC shift-left security solution. Throughout 2020, Bridgecrew had over 1 million downloads and since then PANW has quintupled that download rate, so it has already become a highly popular tool for devs. We would say the somewhat legacy players in this space include Ansible by Red Hat and CloudFormation by AWS, and the next-gen rivals for PANW/Bridgecrew include Terraform by HashiCorp, GitLab, and Snyk (IPO provisionally scheduled for later this year).
GitLab and Snyk have an advantage over PANW in regards to shift-left at present because they also do the code security – which is the other component of shift-left that we’ll discuss next. At the moment PANW doesn’t have a robust code security solution so investors will need to wait and see if/when PANW makes an acquisition or builds something in-house. Though, in regards to IaC security in its own right, given Bridgecrew’s momentum - indicating its BoB status - along with PANW’s breadth of adjacent security solutions, we think PANW will do very well in this space. And the success of Bridgecrew post acquisition is quite amazing when bottom-up SMB adoption isn’t part of PANW’s genetics – so it really highlights how good PANW are at integrating startups and generating synergy.
The following chart shows the monthly downloads of Android apps to give you a rough insight into the potential size of the IaC security market. If most of these apps are having their IaaS provisioned via IaC templates (which we presume is the case), then this is a huge TAM – and bear in mind that the chart doesn’t include iOS and internal applications, which probably doubles the TAM.
Figure 2 - Number of New Android App Releases via Google Play per month
Source: Statista
Code Security
As well as a shift-left movement to bake security into IaaS/IaC provisioning right from the beginning, there is a shift-left movement to bake security into the code that the dev is writing as she/he creates the application. This is done via Static Application Security Testing, or SAST, whereby the dev will scan their code for vulnerabilities every so often as they code up their application. Historically, SAST has resulted in lengthy scan times and excessive numbers of false positives, so they have not earned the respect of the dev community at large.
Snyk has a next-gen SAST solution that conducts security testing in real-time without impinging dev productivity and provides thorough context-aware explanations about vulnerabilities discovered. GTLB is another next-gen player in this space but with a more holistic strategy for supporting DevOps.
Snyk has raised $1.4bn in funding, is at Series F, has a valuation of $8.5bn (pre-market meltdown), and is generating annual revenue of c. $125m – an extremely rich valuation of 68x sales. GTLB had its IPO in Oct-21, and currently has TTM revenue of $190m, growing at c. 70%, and has a P/S of 22x, which looks way more attractive - and GTLB has an 88% gross margin which is impressive.
Both of these vendors are next-gen leaders in shift-left security because of 1) the quality of their software, 2) their breadth across the shift-left space, and 3) super organic adoption across the dev community. As already touched on, we’re eager to see how PANW plans to compete against Snyk and GTLB in the near future.
Shift-Left Diagram
It might help to visualize the concept of shift-left security on a diagram. The following diagrams apply for both IaC and code security. The first diagram below illustrates the typical developer workflows (not DevOps, just kind of non-best practice workflows in the cloud or on-prem). The second diagram shows that when applying shift-left, security is built in right when devs are writing code or using IaC to provision infrastructure, and the shift-left software speeds up workflows with heavy use of automation. Additionally, there is also a much tighter feedback loop with quality assurance and compliance checks, and all this is encompassed by a robust CI/CD framework.
Figure 3 - Typical Dev Workflows
Source: Convequity
Figure 4 - Dev Workflows Following Best Practice DevSecOps & Shift-Left
Source: Convequity
We infer the shift-left ROI for orgs should be extremely high. Not only will it vastly improve security and hence reduce security incident-related costs, it also rapidly speeds up the time to market. We should see great future demand for the aforementioned vendors.
CWPP
Cloud Workload Protection Platforms, or CWPPs, primarily protect server workloads at runtime. This entails having an agent installed on the hosts that can detect and remediate threats (malware, suspicious lateral movement, fileless attacks, etc.) and also communicate in a bidirectional manner with a central control plane. In essence, CWPPs detect and respond to anomalous behaviour and identify vulnerabilities across containers, VMs, and microservices. Additionally, with the control plane being fed the telemetry from the agents, CWPPs have good network visibility across the cloud in order to understand the bigger picture.
The agent component makes CWPP similar to endpoint security which is why the likes of CRWD and S have ventured into this space. Some of the other main players are:
PANW - their CWPP is included in Prisma Cloud and they have agent and agentless options.
Orca Security - an agentless CWPP that heavily leverages the cloud provider’s APIs.
Lacework – their broad cloud security platform has its roots in CWPP. They have agent-based and agentless options.
Wiz is another next-gen CWPP with integrated CSPM. Before the market collapse it had a valuation of $6bn on only $25m of revenue.
As a sidenote, ZS doesn’t offer CWPP but the literature on their website spins it to make it sound like CWPP when in fact it is their workload microsegmentation solution. This type of bending the truth is partly why we don’t like ZS. We’ll park that there for now but if you want a report on why we don’t think ZS is a true BoB leader, then let us know in the comments section.
CIEM & Microsegmentation
Cloud Infrastructure Entitlement Management, or CIEM, is essentially the IAM (Identity & Access Management – something like OKTA) for the cloud. Basically, CIEM gives IT/SecOps complete visibility about which users and machines/functions/services have access to other machines/functions/services, and allows teams to swiftly set least privilege access policies.
It is very valuable software because setting permissions for the fragmented scores of infrastructure components is very time-consuming, and hence admins oftentimes tend to assign excessive permissions, thus creating what is referred to as the ‘permissions gap’.
Figure 5 - Cloud Permissions Gap
Source: UpGuard
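The permissions gap is measurable: an added example (not the page’s or any vendor’s code) that expands wildcard grants against a catalogue of actions, subtracts what an activity log shows was actually exercised, prioritizes the unused destructive actions, and emits the tightened least-privilege policy. The principals, grants, action catalogue and activity log are all constructed; a real CIEM pulls the first three from the provider’s IAM and audit-log APIs.

```python
from fnmatch import fnmatchcase

# Constructed action catalogue; a real CIEM carries the provider's full list.
ACTION_CATALOGUE = [
    "s3:GetObject", "s3:PutObject", "s3:ListBucket", "s3:DeleteBucket",
    "ec2:DescribeInstances", "ec2:TerminateInstances",
    "dynamodb:GetItem", "dynamodb:Query", "dynamodb:DeleteTable",
]
DESTRUCTIVE_VERBS = ("Delete", "Terminate")

# Constructed grants as an admin typically writes them: wildcards for convenience.
GRANTS = {
    "role/ci-deployer": ["s3:*", "ec2:DescribeInstances"],
    "role/report-lambda": ["dynamodb:*"],
}

# Constructed 90-day activity log: (principal, action) pairs that were actually used.
ACTIVITY = [
    ("role/ci-deployer", "s3:PutObject"), ("role/ci-deployer", "s3:ListBucket"),
    ("role/ci-deployer", "ec2:DescribeInstances"), ("role/report-lambda", "dynamodb:Query"),
]

def effective_actions(patterns: list[str]) -> set[str]:
    """Expand wildcard grants into the concrete actions they permit."""
    return {a for a in ACTION_CATALOGUE if any(fnmatchcase(a, p) for p in patterns)}

def used_actions(activity: list[tuple[str, str]]) -> dict[str, set[str]]:
    """Group the activity log by principal."""
    used: dict[str, set[str]] = {}
    for principal, action in activity:
        used.setdefault(principal, set()).add(action)
    return used

def permissions_gap(grants: dict, activity: list) -> dict[str, list[str]]:
    """Per principal: actions that are granted but were never exercised."""
    used = used_actions(activity)
    return {p: sorted(effective_actions(g) - used.get(p, set())) for p, g in grants.items()}

def least_privilege_policy(grants: dict, activity: list) -> dict[str, list[str]]:
    """The tightened policy: only the granted actions the activity log shows in use."""
    used = used_actions(activity)
    return {p: sorted(effective_actions(g) & used.get(p, set())) for p, g in grants.items()}

def destructive_unused(gap: dict[str, list[str]]) -> list[tuple[str, str]]:
    """Unused actions whose verb can destroy data or compute: remove these first."""
    return [(p, a) for p, actions in gap.items() for a in actions
            if a.split(":", 1)[1].startswith(DESTRUCTIVE_VERBS)]

if __name__ == "__main__":
    gap = permissions_gap(GRANTS, ACTIVITY)
    for principal, actions in gap.items():
        print(f"{principal}: {len(actions)} unused action(s) -> {actions}")
    print("fix first:", destructive_unused(gap))
    print("tightened policy:", least_privilege_policy(GRANTS, ACTIVITY))
```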
There are numerous next-gen startups in this field and also some more well-known names like ZS and players with identity roots such as SailPoint and CyberArk (though not likely next-gen products). PANW and FTNT also have very solid CIEM solutions that have emanated from their lengthy experience in delivering application-aware and identity-aware solutions within their NGFWs. Additionally, in 2020, PANW acquired a next-gen microsegmentation startup called Aporeto, which facilitated the management of machine/workload identities; they have since appeared to improve it and it is now part of Prisma Cloud.
Microsegmentation is very closely associated with CIEM, and kind of works together with it. It is a solution that gives IT/SecOps the big picture view of their infrastructure, all the connections, and highlights vulnerable and/or unnecessary connections. From there, policy can be swiftly enforced to prevent, for example, web servers in Cluster A from connecting to Machine XYZ hosting a database – if such a connection is unnecessary, of course. And many microsegmentation solutions incorporate CIEM. For a full lowdown on microsegmentation check out our Oct-21 Illumio report and/or our Jan-22 “Technical Overview of Segmentation – The Panacea to Stopping Ransomware” report.
CASB
Cloud Access Security Broker, or CASB, is a solution that monitors the usage of data inside SaaS apps and offers complete visibility of an org’s SaaS app (sanctioned and shadow IT) usage. There is a distinction between in-line and out-of-band CASB, however. In-line CASBs are usually bundled with other inline inspection technologies like firewalls, intrusion detection/prevention systems, and SWGs, and hence are architecturally positioned somewhere between the client/user and the SaaS app hosted in the cloud. Out-of-band CASBs are not positioned inline and hence do not inspect connections flowing into SaaS apps – instead, they use the SaaS apps’ APIs to monitor activity and data-at-rest inside the SaaS apps.
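The out-of-band path described above can be shown in code: here is an added example (not the page’s or any vendor’s code) of a CASB-style data-at-rest pass over file records of the kind a SaaS app’s API returns, which rates each file’s sharing exposure, detects sensitive content by label and by a Luhn-validated payment card pattern, and names the remediation the broker would apply back through the same API. The file records, sharing modes and the test card number are constructed; the API schema is hypothetical.

```python
import re

# Constructed records shaped like a SaaS file-sharing API listing (hypothetical schema).
SAAS_FILES = [
    {"name": "Q3-board-deck.pptx", "owner": "cfo@example.com", "sharing": "anyone_with_link",
     "label": "confidential", "snippet": "FY guidance: revenue +40%"},
    {"name": "customers.csv", "owner": "sales@example.com", "sharing": "domain",
     "label": None, "snippet": "card 4111 1111 1111 1111 exp 12/27"},
    {"name": "lunch-menu.pdf", "owner": "office@example.com", "sharing": "anyone_with_link",
     "label": None, "snippet": "Monday: soup"},
    {"name": "salary-bands.xlsx", "owner": "hr@example.com", "sharing": "private",
     "label": "confidential", "snippet": "band 3: ..."},
]

# Higher number = wider exposure. An unknown sharing mode is treated as the widest.
EXPOSURE = {"private": 0, "domain": 1, "external_users": 2, "anyone_with_link": 3}
PAN_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")  # 13-16 digits, optional space/hyphen groups

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out most random digit runs that merely look like a card."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def sensitive(file: dict) -> list[str]:
    """Reasons a file counts as sensitive: classification label or a valid card number."""
    reasons = []
    if file.get("label") == "confidential":
        reasons.append("labelled confidential")
    for m in PAN_RE.finditer(file.get("snippet", "")):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            reasons.append("payment card number (Luhn-valid)")
            break
    return reasons

def scan_saas(files: list[dict]) -> list[dict]:
    """Out-of-band pass: no traffic is inspected, only what the SaaS API reports at rest."""
    findings = []
    for f in files:
        reasons = sensitive(f)
        if not reasons:
            continue  # widely shared but harmless content is not a finding here
        exposure = EXPOSURE.get(f["sharing"], max(EXPOSURE.values()))
        severity = "high" if exposure >= 2 else "medium" if exposure == 1 else "low"
        action = "revoke_external_sharing" if exposure >= 2 else "notify_owner"
        findings.append({"file": f["name"], "owner": f["owner"], "severity": severity,
                         "reasons": reasons, "action": action})
    return findings

if __name__ == "__main__":
    for finding in scan_saas(SAAS_FILES):
        print(f"{finding['severity']:6} {finding['file']:20} {finding['action']:24} {finding['reasons']}")
```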
It appears that Gartner values out-of-band CASB somewhat more than in-line CASB because they have recently rejigged the concept of SASE and trimmed it down to SSE – which includes Zero Trust, SWG, and out-of-band CASB. At the time of Gartner’s SSE Magic Quadrant report, Cloudflare didn’t have a commercially available out-of-band CASB – they do now that they’ve acquired Vectrix though – and so they didn’t even feature in the report. And we agree with Gartner in that out-of-band CASB is the more valuable because it does deliver better protection and detection.
Anyway, I digress! There are again numerous players in the CASB space. Not surprisingly, Orca Security, with its skill in API leveraging (which enables them to do a lot of cloud security without an agent) offers CASB as part of its platform. For us, Netskope (IPO probably at some point within next 12 months) is the out-of-band CASB leader, with only PANW capable of competing with them. FTNT and ZS are also major players, however. CASB was the first cloud security area to receive a lot of hype (around 2013-2015), and subsequently the market has consolidated (CSCO acquired CloudLock and McAfee acquired Skyfence), lost its hype, and now it remains as a must-have but just a small part of the bigger picture.
CNAPP
Cloud Native Application Protection Platform, or CNAPP, is the latest emerging concept within cloud security. It brings together all that we have mentioned in this report into one cohesive platform. There isn’t one vendor that yet offers the full CNAPP – that is, CSPM, Shift-Left, CWPP, CIEM, and CASB – though PANW is the closest to getting there first.
The following diagram attempts to summarize the race toward CNAPP. Please note that the loose timeline only corresponds to roughly when the solution first came to market, it doesn’t correspond to when each vendor brought their version of the solution to market.
Figure 6 - The Race for CNAPP
Source: Convequity
There are tons of innovative startups in this area of CNAPP, each claiming they do something unique. In reality, most startups are going to have their unique edge within a niche problem space imitated by another startup or a larger security player. This is why the long-term winners are most likely to be the ones that deliver BoB next-gen solutions in one singular harmonious platform. Going forward it looks like the value is going to come from a blend of BoB and breadth, so investors should consider the companies with the best all-round platform and the ability to make smart acquisitions to fill in gaps quickly, if it can’t be done in-house.
We don’t want to sound like a broken record (although I’m sure we do), though PANW is really the best positioned to prosper the most within the cloud security industry. We expect them to become a cloud security giant in a few years. At the core of cloud security are the containers, and PANW has hands-down the best technology and talent in regards to this thanks to their roots back to GOOGL (Nikesh Arora is a former GOOGL business executive who has leveraged his connections to bring in a lot of talent), a company that probably has the best sources of container management talent pools and technology.
This container expertise is well demonstrated by PANW releasing the industry’s first containerized NGFW in 2020 – something that hasn’t been emulated by rivals 2 years later and counting. So, we believe PANW’s deep first principles understanding of security coupled with the container knowhow is a great competitive advantage for them to become the number one winner in cloud security.