- Cloud security is among the hottest areas of cybersecurity and has huge TAM potential.
- It's a great growth driver for PANW, which is why we've conducted extensive research into the market.
- This is a report to round up the research thus far into the cloud security market. For convenience, PANW and other individual cloud security reports are listed in the Intro section.
- In this round-up report, we recap the broad trends, both historical and those we anticipate in the future.
- We also revisit the strengths and potential weaknesses of each vendor covered thus far.
Note for subscribers: In the coming months we intend to replicate what we've published on PANW and its surrounding startup cloud security competition, with S & CRWD and their surrounding startup endpoint competition, and then FTNT and its surrounding startup OT security competition. The general public investment community does not incorporate the private/startup competitive dynamics. Diving into this cloud security series of research has substantially increased our understanding of PANW, and we hope the same will occur when we apply the same approach to S and FTNT.
As a subscriber you will be aware that, since September 2022, we have published a number of reports focusing on individual cloud security leaders. We published Orca in September, Lacework in October, PANW’s Prisma Cloud in November, Wiz in December, and Aqua in January. We have since retitled these reports to make it clearer that they are each part of a series on cloud security.
The reason for delving into these startup names was to develop a deeper understanding of PANW’s competition, as well as to better evaluate the potential of S, CRWD, ZS, and NET, as these names have previously been hyped in connection with "cloud security".
Cloud security is the fastest growing major subsector of cybersecurity and PANW’s Prisma Cloud is one of the market leaders. Hence, we believe that cloud security offers PANW a huge TAM and durable growth, and therefore we wanted to dig deeper into understanding the surrounding competition.
CNAPP (Cloud-Native Application Protection Platform), a platform description coined by Gartner in 2021, is what the major market leaders are making a beeline toward. The holy grail in cloud security is the broadest of integrated platforms, one that eliminates blind spots, reduces context switching, and improves overall security efficacy within the cloud.
Many rivals have different background experiences and have hence approached cloud security from different angles. There are many components to consider in their quest to become the truest CNAPP. They need to incorporate the table stakes type of stuff such as CSPM for compliance use cases, but they also need to expand to shift-left and shift-right security. They also need to consider whether or not to incorporate real-time protection – decisions made today that will be pivotal for the future.
All of this is very much encompassed by the trilemma we’ve presented a number of times during the research series. In an ideal cloud security world, enterprises want comprehensiveness, ease of deployment, and timeliness. At present it is almost impossible for a single vendor to score high in all three. However, it may be doable in the future, and those vendors that can strike the best tradeoff will most likely prevail as the major winners in the race toward CNAPP.
For convenience, here is a list of the reports published thus far in the Convequity Cloud Security Series, retitled for clarity and in chronological order.
Broad Cloud Security Trends: Past & Future
We think it’s important to understand the historical trends, in order to anticipate the future trends of cloud security. As depicted in Phase 1 of the following chart, during the early-to-mid 2010s, the major focus was on configuring things properly in the public clouds. The CSPM term emerged to describe software that can help orgs check for misconfigurations among their cloud assets and to offer guidance on best standards of practice.
During this period, real-time protection was also a major focus. In the preceding castle-and-moat architecture, enterprises were enjoying the benefits of real-time protection with firewalls and endpoint AV agents. As they migrated, or expanded, to the cloud, many enterprises attempted to apply the same real-time tools to secure their clouds. Likewise, network-rooted cybersecurity vendors attempted to sell these tools under the pretense they were capable of securing cloud environments. In the early days of the cloud, it's possible such traditional tools were in fact adequate as the volume of workloads was not huge.
However, as cloud usage grew throughout the 2010s, it gradually became common knowledge that it is futile to attempt to secure entire cloud environments with endpoint agents and other traditional tools. Cloud computing is far too ephemeral, with compute instances constantly being fired up and terminated, for deployment of cloud-wide endpoint agents to be manageable. Most orgs settled for leveraging a good CSPM vendor (possibly one that had a solid innovation roadmap), having agents deployed on only the core and/or more permanent instances, and using IR (Incident Response) units for when breaches did inevitably occur.
Phase 2, compliance, really started to get going in 2020, amid the onset of the pandemic and its ramifications. Indeed, compliance assistance software was needed during the 2010s, and was packaged into the CSPM vendor offerings. But the sudden rush to the cloud in 2020 was a major turning point for compliance requirements. Beforehand, many orgs were dipping their toe and testing the water, and then they were suddenly compelled to shift more ops to the cloud and hence the primary focuses were compliance, compliance, and compliance. At scale, enterprises then needed to quickly get a handle on how compliance within the NIST, ISO, and SOC 2 standards worked in the cloud, as well as understanding cloud-specific standards pertaining to the likes of DMTF and Cloud Working Group. Then, of course, there were (and still are) the data privacy laws, such as GDPR, CCPA, HIPAA, and PCI DSS, that became more difficult to adhere to when orders of magnitude more data started flowing in and out of the cloud.
Hence, as enterprises increased their cloud operations, a primary requirement was to seek a vendor that had really broad compliance capabilities and was super quick to deploy. The timing of Wiz’s PMF + GTM strategy was both fortuitous and brilliant, and capitalised on this need immaculately, leading to them becoming the fastest software company in history to reach $100m in ARR. Other purely agentless vendors, like Orca, also experienced great demand as enterprises needed a broad platform that was easy to deploy. During the same period, real-time protection took the backseat as enterprises viewed noncompliance as a greater business risk than failing to stop threats in real time.
Phase 3 depicts the growing attention toward shift-left and shift-right security during the present time, or the 2022-24 period. As it became clearer that the opening door for most breaches can be traced back to something not done right during the application development stage, the philosophy of shift-left has garnered much attention. Checking for vulnerabilities, misconfigurations, and threats earlier in the development of an application and further down the software supply chain builds in best practice security as early as possible, thus leading to tighter defenses and huge cost savings (related to breach responses, remediation, possible ransom payments, brand damage, needing to recode the application at fault, etc.).
Then, we’ve seen an increased focus on shift-right ops within the cloud. Cloud-native security vendors have designed their platforms to be very interoperable with SIEMs and data lakes. This is so they can easily feed their customers’ data into the data layer for MSSPs, IRs, or in-house SOC teams to leverage as they hunt and respond to threats. Actually, it has been interesting to observe that because the SIEM industry has become a legacy data backend, and until recently not many innovative alternatives have come forth, the likes of Wiz and Orca have developed somewhat of a SOAR that sits atop the SIEM and abstracts away many of the challenges of operating a SIEM.
As a result, as enterprises have deployed both shift-left and shift-right into their cloud operations, real-time protection has experienced a further decline in interest.
If an org has strong prevention (shift-left) capabilities and strong detection and response (shift-right) capabilities, and also has a solid CSPM solution that can detect misconfigurations/vulnerabilities in production environments, then why take on the hassle of deploying and maintaining agents for real-time protection?
On many occasions, if a threat is present in an enterprise’s environment, then it is better to not eliminate that threat in real-time, and instead monitor the actions of the perpetrator for a while before ousting them. This helps the shift-right ops, or SecOps teams, see the bigger picture and identify the attack pathways being exploited, thus leading to more effective remediation and an ensuing stronger defense frontier.
To summarise, CSPM/compliance + shift-left/shift-right forms the majority of the cloud security focus right now, but eventually we do believe that real-time protection will experience a surge in new interest. Naturally, as compliance-focused software, shift-left, and shift-right mature, innovation and attention will turn to something else. And, as is happening already, agents are being packed into smaller and smaller form factors, meaning in the not-too-distant future it’s possible that the attention will revert to agent-centric real-time protection. Smaller and more efficient form factors will mean the deployment and usage of agents will take on a more ephemeral and scalable nature to match that of cloud-native workloads.
For this evolution in cloud security to occur, vendors need to work on making agent deployments more scalable, automated, and able to match the ephemeral nature of cloud workloads. Not only that, agent vendors need to become cost-effective enough to undercut some expensive agentless solutions that rely on computationally intensive SideScanning (Orca's patent-pending technology) and snapshotting (the more generic term for taking a snapshot of disk storage).
But it does look as though this is the roadmap for many leading vendors. Since we first shared the above maturity curve chart, we’ve heard rumours that Wiz is developing agent software to add to its platform. To us this is a huge indicator that agent-based security for the cloud isn’t dead, and very much reinforces our belief, depicted in the above chart, that there will be renewed demand for real-time protection in the near future.
In the following subsections, we’ll briefly discuss which leading cloud security vendors are the strongest in the key areas outlined above.