Frankly Speaking 3/16/21 - Why cloud security is hard

A biweekly(-ish) newsletter on random thoughts in tech and research. I am an investor at Dell Technologies Capital and a recovering academic. I am interested in security, AI/ML, and cloud.

Lots of VC activity recently. I’ve been hearing that many funds are using metrics like “capital deployed per week” or “deals done per week.” The stock market is crazy, and I have legitimately lost track of all the SPACs. Will someone make a SPAC ETF? Probably a bad idea…

Anyway, hope everyone enjoyed the Grammys. Honestly, in some way, I am enjoying these “remote” shows, and hope they will keep some part of the format.

Finally, one quick advertisement on behalf of my portfolio company, Soluble. They wrote a blog post comparing all the open-source security assessment tools for infrastructure as code, such as Terraform, etc. Please go check it out!

LET’S BE FRANK

In my last newsletter, I wrote about how we should stop forcing security and engineering to collaborate. I got a slew of comments on my LinkedIn post. What’s truly amazing is that it’s obvious who read the whole post and who didn’t. Some people commented after just reading the title and didn’t really get any of the nuances and qualifications that I made in the newsletter itself. I know this is obvious, but it’s REALLY hard to convey all the nuances in the title of my newsletter. But, hey! I appreciate the engagement.

In case it’s not clear, I do want things to get better between security and engineering. My newsletters are meant as guidance to help companies think more deeply about their products and go-to-market by presenting my interpretation of market dynamics, which I don’t always like but have to accept.

Anyway, this brings us to this week’s newsletter. I discuss cloud security so frequently because I think it’s going to be the biggest problem in cybersecurity in the next decade. In previous posts, I’ve talked about how I think about cloud security from first principles and why the public cloud is changing IT and security.

Recently, we’ve seen a slew of cloud security companies have great acquisitions, such as Bridgecrew by Palo Alto Networks, Auth0 by Okta, RedLock by Palo Alto Networks, Twistlock by Palo Alto Networks, StackRox by Red Hat, etc.

Without a doubt, cloud security has generated a ton of value. But why is it so valuable? It’s a hard problem, and it’s hard for legacy datacenter security players to enter the market. These companies have found simple solutions to this increasingly complex problem.

But why exactly is cloud security a hard problem?

First, there is the organizational issue. I’m not going to elaborate more because I wrote about it in detail in my last post. The summary is that security is used to working with IT but now has to work with DevOps, which has different incentives. Therefore, products have to adapt to this organizational change.

Second, the public cloud is very different from the datacenter. An organization does not have complete control over the network and access. The list goes on, but at the core, they lack the visibility that they previously had. It’s not clear to me whether they have more, less, or the same visibility, but they definitely don’t have the tools and processes to give them the appropriate visibility.

Third, the public cloud introduces different threats, which require new solutions. For example, open S3 buckets were never an issue in the datacenter world. It’s not clear how lessons and solutions translate over to solve this problem. Before, in the datacenter, there was full network visibility. Now, these types of data leakages are harder to detect.

Finally, it’s very common for cloud security startups to disrupt other startups. There is already a next generation of CSPM with Wiz and Orca trying to disrupt startup incumbents Aqua, Lacework, etc. One major reason is that the deployment velocity created by agile and cloud-native allows for more experimentation that leads to quicker maturation. Also, most security products are SaaS, so the product’s infrastructure is a key part of the product (in addition to the software itself). It’s easy for startups to have their backends and architectures be outdated. It’s even more difficult for legacy companies to keep up. For example, recently, we’ve seen a few security companies acquire log management companies to update their backend infrastructure. I’m referring specifically to CrowdStrike’s acquisition of Humio and SentinelOne’s acquisition of Scalyr.

There’s still a bunch of problems to solve in cloud security — some we haven’t even discovered yet! I believe this is just the beginning.

TWEET OF THE WEEK

I love Costco! I can see why it’s hard for Amazon to get into their business. I’m a proud shareholder.