by Keith McCammon

3 minute read

Having spent a few years using, maintaining, and building security products of every conceivable shape and size, it’s become apparent how uniquely risky it is to invest in building cloud[1] security products.

There are good reasons to build a cloud security product:

  • Every aspect of cloud adoption is growing at a meaningful clip and shows no signs of slowing. “Cloud customers” as an addressable market is huge.
  • Cloud products are numerous, can change at any time, and are thus easy to adopt but hard to master.
  • Cloud security concerns are very real, and cloud customers are willing to spend money on cloud security products to reduce risk.

But there are very real risks from a vendor (particularly startup) standpoint:

  • Because cloud security concerns are very real and cloud customers are having to spend additional money on point cloud security products to reduce risk, they are rightfully pressuring cloud vendors to improve the overall security posture of their products.
  • A cloud security product cannot, in general, take any preventive or corrective action that the cloud product itself does not support.
  • The cloud product vendor can, by definition, see everything that both the end customer and the cloud security product are doing (either directly or via inference).

The net of the above is that, when any cloud security problem becomes enough of a business risk to the cloud product vendor, the cloud product vendor can simply make that problem go away.

The same is true for entire classes of attacks, which a standalone product or team can focus on and solve by playing whack-a-mole, but that the vendor can oftentimes address by making the class of attack go away. Good examples of this include things like secure defaults for cloud-based storage (make the “oops I put it on the Internet” problem go away) and default multi factor authentication (make the “I got phished” problem go away).

Vulnerability half-life and the cloud

The half-life of security vulnerabilities affecting cloud-based products is nowhere near what we’re accustomed to based on decades of complex, multipurpose, customer-managed software. When building for the latter, there will always be enough attack surface and enough configuration and/or version drift to justify relatively expensive security solutions. This means that vendors building security products can expect to be paid back on their investment, and for a meaningful amount of time.

Cloud security problems only live as long as the cloud product vendor wants them to live. And as a result of (healthy) customer expectations—e.g., better security defaults—we can expect both software and configuration vulnerabilities in cloud products to be addressed with increasing efficiency and effectiveness.

Upstreaming of controls

The most effective security controls become features of the platforms they were designed to protect. Years ago, host-based firewall and application control were significant product niches. Over time, they became flagship features of larger third-party security product suites. Today, we can’t imagine an end-user operating system that doesn’t include both of these controls.

Cloud security products are no different. But unlike consumer or end user devices, where solutions may exist but are optional and/or won’t be adopted overnight, solutions to cloud security problems are oftentimes not optional and are literally “adopted” overnight.

The net of this is that many cloud security products run the very real risk of becoming obsolete, sometimes overnight and with little warning. Early entrants into the cloud posture management space felt this, as Amazon and Microsoft moved aggressively into a mix of stronger default posture, log and alert aggregation, and more.

It’s not all doom and gloom

The beauty of cloud products, including cloud security products, is that it’s far easier to build, maintain, and support than on-premise software. So, the cost to prototype, deploy, and support cloud security products may be lower than other types of security products (particularly endpoint- or device-based products, which can be notoriously high friction).

I also said that many cloud security products run the very real risk of becoming obsolete. There are plenty of cloud security needs that are much more durable than wrappers around eventually-native technical controls. In most cases, these will be cloud-optimized products that address evergreen problems, many of them operational. A few examples include:

  • Log aggregation and analytics
  • Threat detection, investigation, and response
  • Incident management

Still, security startups must be thoughtful about the level of investment they’re willing to make and how much of a moat they can establish, understanding that cloud security problems in particular are almost always addressable upstream, and will eventually be addressed upstream.

[1] Cloud is defined for the purpose of this article as the combination of infrastructure- (IaaS), platform- (PaaS), and software-as-a-service (SaaS).

Categories:

Updated:

You May Also Enjoy

Improving CISA KEV data integrity

3 minute read

tl;dr - Sometimes CISA removes Known Exploited Vulnerabilities catalog records. It would be awesome if they marked them as withdrawn and/or superseded instead.