While cloud adoption has been picking up steam for years, there is evidence that last year may have been a tipping point for investment, as technology research firm Gartner tracked a 41% increase in cloud security spending by CIOs over the past year, from $595 million in 2020 to a $841 million in planned spending in 2021. Of all the investment categories, cloud security was both the smallest and the fastest growing, indicating there could be plenty of room for further growth in the future.
“We have a few investments in different aspects of cloud security, but I think the combination of modern infrastructure and policy-as-code is a trend that I’m watching very closely,” Chenxi Wang, a general partner at venture capital firm Rain Capital, told SC Media last month when asked where the next cyber investment unicorn may come from. “And looking at how to build [a] security pipeline – not just security products, but a security pipeline from design to remediation and back in a completely automated fashion, I’m looking for companies that will plug into the pipeline stage and really transform the business of security.”
For now, a small cohort of companies are blazing new trails in the cloud adoption space, positioning themselves to reap both the benefits of more mature security operations and the increased IT complexity and security headaches that come with it.
According to new research from ESG that includes a survey of more than 500 IT and security personnel who sit in the SOC chain of command, can be classified as “cloud evangelists.” These are organizations are ahead of their peers when it comes to cloud adoption or moving their security tools to the cloud.
The ESG report highlights broad happiness from the cloud evangelist cohort, who tend to report higher rates of satisfaction with the impact of their cloud investments compared to other groups as well as an increased willingness to adopt other new or emerging technologies.
It also creates a more complex, multi cloud or hybrid environments that come with added security considerations. For example, evangelists were far more likely to report that their cloud adoption strategies have opened their organization up to new and more complex cyber attacks, that it highlighted their organization’s lack of security visibility over cloud assets and exposed limitations in their current security toolset.
Joseph South, senior cloud engineer for industrial supply company Grainger, told SC Media that many organizations find that many of the same security tools and applications they purchased or built in the past don’t really translate to a multi-cloud environment.
“A lot of the security tools that most companies have built their entire security program around aren’t always the best fit for the cloud, because to have a successful application in the cloud you have to have microsegmentation of all the different services and processes so it can rapidly expand in accordance to the demand you’re putting on that application,” said South in an interview. “What we run into a lot is a lot of these applications aren’t able to expand with the cloud, they aren’t able to be as agile as you’d want.”
This can be particularly pronounced in areas like identity and access management. According to research from cloud security vendor Strata set for release later this week, as many as two-thirds of larger enterprises utilize three or more public and private clouds in their operations, often to create redundancy, avoid vendor lock in with a specific cloud provider and take advantage of new capabilities. But along the way it can also render many traditional security tools and processes – like those used for identity and access management – obsolete or ill-suited.
“We know that the use of multi-cloud is not only increasing, but making legacy systems work securely with cloud apps and identities requires rewriting each app — which can take years and cost millions,” the Strata report states, adding later in its conclusion that “There is no way to apply governance across clouds with siloed identities [while still] adhering to the privacy regulations in various countries.”
South estimated that in many cases, an organization will need to ditch or rebuild as much as 85-90% of their original security stack.
“A lot of times what you have to do is reevaluate your security stack and you really have to take a look at them and [ask] can I combine some of these tools with another solution? Can I eliminate two or three solutions by implementing this other cloud based solution that can not only perform my security functions in my on-premise environment but also in whatever cloud environment I go into,” he said.
Often, this need necessitates a change in internal security practices to leads to the purchase of cloud-specific security tools. When respondents in the ESG survey were asked about their highest security priorities moving forward, (26%) reported the need for a dedicated SIEM system focused on the cloud environment, while another 25% want more advanced analytics to enable faster response to cloud threats.