Frankly Speaking 8/18/20 - Cloud providers don't care about security
A biweekly(-ish) newsletter on random thoughts in tech and research. I am an investor at Dell Technologies Capital and a recovering academic. I am interested in security, AI/ML, and cloud.
If you were forwarded this newsletter, you can subscribe here. For more regular updates,
Hope everyone stayed cool this weekend in CA and the Northwest! I don’t think I’ve seen summer thunderstorms and rain in SF, and I’ve lived here 20+ years. When I moved to Boston for my PhD, the summer thunderstorms shocked me. However, those made sense because of the humidity, but dry thunderstorms are something else.
Anyway, enough about the weather…
LET’S BE FRANK
I started this newsletter to do “real talk” about security, cloud, and tech in general — to be “frank” about topics instead of giving some marketing spiel that’s politically correct. According to some newsletter readers, although my topics are informative and provide good points of view, they aren’t controversial enough. This leads to this week’s newsletter topic — cloud providers and security.
tl;dr: Cloud providers are paid based on usage. Security tends to restrict cloud usage. Thus, cloud providers aren’t incentivized to prioritize security.
Many of my VC friends believe that independent cloud security companies won’t deliver value because cloud providers will provide security tools, and the cloud security companies will just be a platform to manage those tools. No surprise! I strongly disagree, and honestly, data shows otherwise. Look at Zscaler, Netskope, Twistlock, Redlock, etc. (all Dell Tech Capital investments). Also, I back up my belief. Just look at the number of newsletters/blog posts I've written around various topics in cloud security. Finally, almost every CISO I talk with doesn’t believe that the cloud providers will provide sufficient security tools.
The question is why? It seems obvious at first that cloud providers are in the best position to provide security. I agree with that, but that doesn’t mean the incentives align. Let’s start by thinking about the consumer, the seller, and their motivations.
The seller is obvious — the cloud providers. The consumer is usually an organization, but who in the organization consumes the cloud? I argue that it’s typically software developers and DevOps. As I’ve mentioned before, the benefit of the cloud is the ability to quickly deploy infrastructure and run applications, so this makes the most sense. Many cloud-native companies have cloud architects, but the point is that the primary users are not security.
You can probably see where I’m going with this. Cloud providers make money based on usage, and the end user doesn’t care about security. The end user is more concerned about delivering products and features on time. Security is not their concern. That’s the misalignment! The people who care most about security aren’t the primary users. It doesn’t help that security is, by its nature, restrictive and can slow down development if not properly managed.
It’s no surprise that cloud providers don’t prioritize security. There have been misconfigured S3 buckets, WAF misconfigurations (at the heart of the Capital One hack), and much more. Why does this happen? Cloud providers make it hard to have security by default because they are focused on usability. Usability results in revenue, and security restricts that. Here’s a concrete example: it’s much easier for a developer to open up S3 buckets to the world than to spend time configuring the ideal security policy, which can be tedious. This problem is further exacerbated by the lack of visibility for security. It wasn’t until recently that AWS added default privacy settings to S3, so it’s easier for developers to have basic security. But it’s still hard to do! Just ask your DevOps engineers.
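As an added illustration (not from the newsletter) of the "open to the world" shortcut next to a properly scoped policy, here is a small Python check over two constructed bucket policies. It assumes the "default privacy settings" mentioned above are S3 Block Public Access, and it simplifies AWS's public-policy evaluation to "an Allow statement whose Principal is everyone".

```python
import json

# Constructed sample policies (not taken from the newsletter or any real account).
# The first is the shortcut the post describes: anyone on the internet can read objects.
OPEN_TO_WORLD = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-bucket/*"}]})

# The second grants the same read access only to one IAM role (placeholder account id).
SCOPED_TO_ROLE = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AppRead", "Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::111122223333:role/app-reader"},
                   "Action": ["s3:GetObject"],
                   "Resource": "arn:aws:s3:::example-bucket/*"}]})


def _is_everyone(principal):
    """True for the two spellings of 'anyone': "*" and {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def public_statements(policy_json):
    """Return the Sid (or index) of every Allow statement granted to everyone.
    Simplification (assumption): a Condition block is treated as narrowing the
    grant, so conditioned statements are not reported; real AWS evaluation is
    more nuanced about which conditions still count as public."""
    findings = []
    for i, st in enumerate(json.loads(policy_json).get("Statement", [])):
        if st.get("Effect") != "Allow" or "Condition" in st:
            continue
        if _is_everyone(st.get("Principal")):
            findings.append(st.get("Sid", f"Statement[{i}]"))
    return findings


def bucket_is_public(policy_json, block_public_access):
    """Combine the policy with Block Public Access settings. With
    RestrictPublicBuckets enabled, S3 ignores a public bucket policy, which is
    the secure default the developer otherwise has to configure by hand."""
    if block_public_access.get("RestrictPublicBuckets", False):
        return False
    return bool(public_statements(policy_json))
```

Running the checks shows why the guardrail matters: the same open policy is reported as public with Block Public Access off and as not public once RestrictPublicBuckets is on.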
Not all is doomed, and it’s not just cloud security companies that will save us. However, I do think there’s a lot of value for cloud security companies right now and for the next few years. At a high level, there needs to be an easier way to do security as part of the cloud workflow and have consistent basic security guardrails across cloud providers.
AWS is starting to do this with GuardDuty and Security Hub, but I believe those offerings are basic and lack the sophistication needed for larger enterprises with mature security programs. It’s a start, but other cloud providers have to catch up. The lack of consistency is opening up value for independent cloud security companies.
Honestly, it’s not the cloud providers’ fault, and they are doing the best they can. It’s misaligned incentives, which allow for value creation and capture by cloud security companies.
This brings us to the open questions:
Will cloud providers ever prioritize security? If yes, what will drive it? Regulation? Competition? Or should they just give up on security and partner?
What cloud security problems will generate the most valuable companies in the next 3-5 years?
What basic security guardrails should exist in the cloud? How do you establish these standards and integrate them? This has been done to some degree of success for the web and for operating systems.
What security features can be easily integrated into DevOps?
Does SecOps need more DevOps training, or do DevOps need more SecOps training? Talent and resource limitations are big problems right now.
Shameless plug: my portfolio company Soluble is thinking about this in the context of Kubernetes security, and the CEO is Rich Seiersen, former big-time CISO who has written a book on cybersecurity risk. Check out his article on security ROI using analytics, which focuses on cloud security.
As usual, I would love to chat more about this topic. I’ve been spending a lot of time understanding this space and believe it will yield the next 10B+ security company.
TWEET OF THE WEEK
I think people get it now… Stop making us feel bad…