Industry Roundup: Addressing The Hybrid Cloud Security Readiness Gap



Doug Cahill
04/11/2018

Over the last few months, some established cyber security brands have made strategic moves while emerging market leaders have announced compelling capabilities and initiatives.

This notable level of industry activity is indicative of an acceleration of market maturity driven by a cloud security readiness gap. That is, most IT and cyber security teams are catching up to secure the cloud services, applications and infrastructure their organization is already using, and to do so, they are retooling their processes, policies, skills and technologies.

But first, let’s set some context. We are way past security concerns gating cloud adoption. Those who cite concerns about the security of public cloud services as the reason for not using them are either required to operate in an air-gapped environment, or, quite frankly, are oblivious to the fact that their business units have done an end-run around them to the cloud. What is news, however, is that hybrid clouds are becoming more complicated by virtue of being multidimensional. What are those dimensions?

  • Application containers are contributing to a heterogeneous mix of server workload types. According to research conducted by Enterprise Strategy Group, 56% of organizations now have at least some application containers running in production with another 24% of companies planning to move containers from the lab into production over the next 12 months. Containers will coexist with their virtual machine and bare metal server brethren, representing a heterogeneous mix of server types. And even with such brisk adoption of containers, ESG research reveals that—on average—26% of production workloads will still be run on bare metal servers in 24 months.
  • Organizations are adopting a multi-cloud strategy. In addition to this heterogeneous mix of server workload types, many organizations are employing a multi-cloud strategy. In fact, 81% of participants in ESG’s annual IT spending intentions research study who indicated they are using infrastructure-as-a-service (IaaS) are consuming those services from more than one cloud service provider.
  • There are now multiple types of perimeters to secure. The shift of workloads to public cloud infrastructure, the broad use of SaaS applications, and employee mobility has expanded the definition of the perimeter. These meta-trends create a need to secure data and identity perimeters along with the physical DMZ demarcation perimeter.
  • User-led IT initiatives are creating new seats at the table. As lines of business undertake their own application development in the cloud, they are now participating in defining cloud security policies. ESG research highlights this dynamic with DevOps, compliance, AppDev, legal, security, networking, and operations teams as well as lines of business being directly involved in creating hybrid cloud security policies.

Cloud Security Roundup Doug Cahill

This state of the data center has led to a flurry of industry activities punctuated by a series of acquisitions and notable announcements. Vendors are making moves to broaden their portfolio of cloud security offerings and making announcements to position themselves front and center in this dynamic cyber security market segment.

  • Controlling their own destiny: Palo Alto Networks. Palo Alto Networks has embraced this shift to public clouds that would otherwise threaten its core firewall business with a one-two punch—a high-profile Epic Cloud Security Event and its stated intention to acquire Evident.io. The former conveyed how the company’s set of products secure hybrid and multi-cloud environments, with the tech from the Traps endpoint security product being applied to prevent exploits targeting cloud-resident workloads, Aperture’s data security controls being extended to support AWS S3 storage buckets, the WildFire service providing threat intelligence, and Panorama tying it all together with centralized cloud-delivered management. The Evident.io product closes the configuration management and compliance gap in the product portfolio and provides an offering for DevOps pros looking to integrate security into their continuous integration and continuous delivery (CI/CD) processes.
  • To the left and up the stack: Trend Micro acquires Immunio. At the end of last year, Trend acquired Immunio to complement its Deep Security server workload offering with an innovative approach to runtime application self-protection (RASP) to block exploits targeting application vulnerabilities. As is the case with static and dynamic application security testing, RASP should be built into the CI/CD pipeline as an immutable security control for immutable infrastructure. To make this a reality, Dev and security teams need to close their own gap—the security perception that DevOps moves too fast and the DevOps perception that security will slow them down.
  • CASB + CWPP: McAfee acquires Skyhigh Networks, and Symantec announces CWP for Storage. Because of the massive migration of data assets to cloud stores, securing cloud apps is nothing short of a strategic imperative, making cloud access security brokers (CASBs) a critical security control, or more accurately, set of controls. McAfee’s purchase of Skyhigh Networks not only expands its product portfolio, it complements the company’s cloud workload protection platform (CWPP) for breadth and depth of coverage across all things cloud. Meanwhile, Symantec extended its CWPP product with a new edition, Symantec CWP for Storage, that focuses on securing AWS S3 storage buckets. CWP for Storage prevents data loss by discovering misconfigured S3 buckets and scanning their objects for malware, leveraging the multiple detection technologies from Symantec’s endpoint security product. With both CASBs and CWPPs bringing data loss prevention (DLP), threat protection, and more to cloud stores, vendors such as McAfee and Symantec will need to rationalize these feature sets via use-case-based product packaging. That process starts with integrating disparate technologies into a unified cloud security architecture.
  • Threat-Hunting-as-a-Service (THaaS): AWS acquires Sqrrl. Ugh, THaaS sounds ridiculous and takes “aaS” a bit too far, but that’s the idea behind Amazon Web Services acquiring Sqrrl, which is a good thing. Sqrrl deserves a lot of credit for championing threat hunting as a proactive approach to incident response. But threat hunting requires some heavy lifting in the form of resources and skills. The “service-izing” of the robust Sqrrl NoSQL, cell-based database and analytics platform should make threat hunting accessible to more customers. With AWS already having gone below the workload water line of the shared responsibility security model with a set of customer-facing security services such as Amazon Macie, Amazon Inspector, and Amazon GuardDuty, the Sqrrl buy may be indicative of a strategy to go off platform and all in on hybrid cloud security.
  • Connecting the dots: Oracle is acquiring Zenedge. While this acquisition hasn’t officially closed and Oracle is not yet discussing integration plans, it’s clear the Dyn DNS dots connect with Zenedge’s web app firewall and DDoS mitigation capabilities to protect application tiers deployed across the dimensions of a hybrid cloud. With Zenedge offered as a managed service, Oracle is getting a contemporary cloud security technology by virtue of its API security capabilities, a central cloud security capability for the API-driven, microservices-based architecture of modern applications. Zenedge is also complementary to Oracle’s Palerra CASB offering, which has always been differentiated by its support for IaaS environments.
  • Configuration management meets security, continuously: VMware acquires CloudCoreo. Cloud-native companies such as CloudCoreo embody how immutable infrastructure should be secured: by vetting configurations via integration with the continuous integration and continuous delivery processes to identify and remediate misconfigured services and workloads before they are deployed to immutable production environments. CloudCoreo allows VMware to tout this DevOps-oriented approach for securing hybrid cloud environments, a natural play for VMware Cloud on AWS.
  • Encryption optionality: CyberArk acquires Vaultive. The need to secure cloud-resident sensitive data has led to customer demand for more control over how those data assets are encrypted. In addition to services such as bring-your-own-key (BYOK) and single-tenant, cloud-resident HSMs that give customers more control in the form of custodianship, the Vaultive tech acquired by CyberArk offers the ability to apply field-level encryption along with access auditing across cloud apps, a complementary fit with the company’s Conjur (also acquired) technology for secrets and privileged account management.
  • Securing the exposure layer: Netskope extends its CASB platform. Netskope landed its own one-two punch series of announcements over the last few weeks by announcing support for IaaS platforms and Netskope for Web. Thematically, by extending the purview of the company’s DLP and threat protection capabilities from cloud apps to IaaS services such as S3 storage buckets and web properties, Netskope is offering an integrated platform that secures the external entities to which end-users are exposed. Part of Netskope’s secret sauce is its threat research team, which is at the forefront of investigating and reporting on cloud-specific threats, offering reports and blogs on how cloud apps are employed as a vector by adversaries to introduce a range of threats.
  • Breadth and depth: Google’s 20 New Security Controls. I attended an impressive event Google held in NYC in March at which the company’s cloud business unit announced 20 new security controls across Chrome Enterprise, Cloud Identity, GCP, and G Suite. It’s a long list of security announcements that serve to help close the readiness gap, with too much ground to cover in this real estate, but, thematically, Google’s announcements focus on securing the perimeter dimensions cited above: identity and data. Speaking of data security, enterprises should first understand that the data privacy concern with Gmail was for consumers only and is now a thing of the past—the company’s business offerings treat customer data as private. With that issue off the table, customers should evaluate the native set of security controls for Google’s browser, laptop, productivity suites and IaaS platform on their functional merits. Google also announced a series of partnerships for the implementation of a hybrid cloud security strategy. Of note from the event is the point that uniformity provides the basis for a strong security posture. I agree—snap the baseline and look for anomalies in the context of hardened configs and what is known to be normal behavior. Containers are foundational to this approach and are an area in which Google is clearly indexed.
  • ‘But how?’ Threat Stack announces a Cloud SecOps Program. More cloud-aware security tech is all good, but what’s the plan? According to ESG’s research, nearly a third of respondents reported that building a cloud security strategy spanning heterogeneous public and private cloud environments is among their organization’s top three priorities. With this in mind, organizations need to start by assessing their current state with a benchmark against a plan. It is in this context that Threat Stack announced a Cloud SecOps program that offers a prescriptive series of steps, by stage, to improve an organization’s cloud security posture. Recognizing that some businesses will need more than technology to do so, Threat Stack also now offers a co-managed service.
  • Container security: a wave of activity. The same ESG research on container adoption reveals concerns around securing containers that hearken back to the issue of VM sprawl. There has been an appreciable amount of innovation and activity from the vendor community to help customers address container sprawl and the container dimension of the hybrid cloud security gap. Pure-play container security companies Twistlock, Aqua Security, and new entrant Layered Insight have been educating the market on the need to secure the container continuum from build through ship to run, starting with scanning registry-resident images to assure that only vetted and trusted images are deployed to production. Cloud security player CloudPassage extended its platform last summer with a rich set of container security capabilities that includes the ability to visualize inter-container relationships. Capsule8 offers runtime security with a prevention approach that aims to disrupt attacks targeting Linux server workloads of all types. CWPP vendors are also offering or readying container security capabilities, creating a feature-versus-product debate. Another container security debate is related to the pros and cons of competing implementation options (host-level versus privileged containers versus on-board binary sensors), a topic that warrants its own blog.
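Several of the items above (Aperture and CWP for Storage on S3 buckets, CloudCoreo vetting configurations in the CI/CD pipeline) come down to the same control: catch an exposed storage configuration before it reaches production. The following is an added illustration of that pre-deploy gate, not code from any of the vendors named; the bucket definitions are constructed, and the two rules (public ACL grantee, unconditional policy grant to any principal) are a minimal stand-in for a real rule set.

```python
"""Pre-deploy vetting of S3 bucket configurations as a CI/CD gate.
Constructed example: bucket definitions below are invented sample input."""
import json

# Canned ACL grantee URIs that mean "everyone" or "any AWS account holder"
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def _principal_is_public(principal):
    """A bucket-policy Principal of "*" or {"AWS": "*"} applies to anyone."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False

def vet_bucket(bucket):
    """Return a list of findings for one bucket; an empty list means it passes."""
    name, findings = bucket["name"], []
    for grant in bucket.get("acl_grants", []):
        if grant.get("grantee_uri") in PUBLIC_GRANTEES:
            group = grant["grantee_uri"].rsplit("/", 1)[-1]
            findings.append(f"{name}: ACL grants {grant['permission']} to {group}")
    for stmt in json.loads(bucket["policy"] or "{}").get("Statement", []):
        # An Allow to any principal is only acceptable when a Condition narrows it
        if (stmt.get("Effect") == "Allow" and _principal_is_public(stmt.get("Principal"))
                and not stmt.get("Condition")):
            findings.append(f"{name}: policy allows {stmt.get('Action')} to any principal")
    return findings

def gate(buckets):
    """CI gate: (passed, per-bucket report); passed is True only if no findings."""
    report = {b["name"]: vet_bucket(b) for b in buckets}
    return all(not f for f in report.values()), report

# Constructed sample input: one public ACL, one public policy, one private bucket
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
SAMPLE_BUCKETS = [
    {"name": "billing-exports", "policy": None,
     "acl_grants": [{"grantee_uri": ALL_USERS, "permission": "READ"}]},
    {"name": "static-site", "acl_grants": [], "policy": json.dumps({"Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::static-site/*"}]})},
    {"name": "app-backups", "acl_grants": [], "policy": json.dumps({"Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111111111111:role/backup"},
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::app-backups/*"}]})},
]

if __name__ == "__main__":
    passed, report = gate(SAMPLE_BUCKETS)
    print("PASS" if passed else "FAIL", json.dumps(report, indent=2))
```

In a pipeline the same check would run against the bucket definitions pulled from the deployment templates or from the live account, with the gate's boolean deciding whether the stage proceeds.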


On the buy side of the equation, organizations are increasing their spending on cloud security. ESG’s research highlights this trend with 43% of organizations indicating they intend to significantly increase their spending on cloud application and/or cloud infrastructure security.

Such roundups are like thanking important people in an acceptance speech—they’re prone to unintended exclusion. Apologies for that. I will be sharing additional findings and analysis of ESG’s hybrid cloud security research, including a closer look at container security and automating security via integration with the CI/CD toolchain, at next week’s RSA Conference. I hope to see you there.

For more on ESG’s cyber security research and analysis, click here.