Rethinking Connectivity in a Cloud
As cloud adoption accelerates and security risks evolve, the need for a modernized connectivity model has become critical. CISOs have since been prompted to rethink how connectivity is granted. Moving away from the traditional hub-and-spoke model, many are adopting a proxy-based architecture that connects users directly to applications rather than devices to a VPN. This approach takes place in a cloud-based, application-first architecture. Organizations take old security controls and unify them in the cloud, connecting everything to this central framework.
Evolution of Cloud Security
The adoption of Cloud Area Networks (CANs) has changed the tenets of cybersecurity in a manner compact with use cases. On the one hand, the new structure allows additional controls to be applied before connections are permitted. On the other hand, Cloud workloads introduce another real-time stream of data for SOC analysts to tackle and new entry vectors for attackers to target. This raises critical procedural questions: Will enterprises use specialized cloud-based security tools? Or will they integrate their cloud telemetry into existing data lakes?
AWS is a $100B business
Growth of Cloud Security Solutions
Organizational cloud adoption is not new; this past decade was an obvious growth period for providers such as AWS, Microsoft Azure and Google Cloud. The global cloud computing market is projected to reach $750B in 2024 and grow at a CAGR of 15-21% through 2030, buoyed by the rise of LLMs and their need for GPUs. Migration to the cloud applies not only to data but also to build, test and implementation environments, which broadens the attack surface. Despite increased exposure, there has been a lag in prioritizing cloud security among CISOs. In that time, a burgeoning market has grown for startups building cloud security solutions.
Cloud Security Posture Management (CSPM)
CSPM is a set of security tools and processes that serves as a springboard for enterprises securing their cloud migration. CSPM strategies work by monitoring cloud infrastructure and activity for potential risks and compliance violations. They identify misconfigurations such as open ports or unencrypted data storage, allowing organizations to respond to suspicious activity or breaches in their cloud environments.
The CSPM category has driven growth among startups, including Wiz, a $355M ARR cloud visibility platform. Like its peers – Orca Security, Snyk, Lacework – Wiz provides a product that is agentless, meaning that it can be deployed in a matter of hours with little to no human intervention. The CSPM tool connects to the cloud over API to perform a scan of the environment 1-2 times a day. The limitation is diminished real-time visibility and a lower overall volume of cloud telemetry that the tool can gather, leaving gaps in the evaluation of a customer’s cloud environment.
Further upstream, startups are innovating to get around this limitation of the model. Upwind and Sweet Security operate “at runtime”, which gives security teams the most accurate, real-time view of what’s happening in their cloud environments, enabling customers to fill gaps between development and production.
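The gap between periodic API scans and runtime evaluation can be shown on a small timeline. This is an added example, not code from the original post or from any vendor named here; the event format, resource names and function names are assumptions made for illustration, and the two rules are the misconfigurations the text mentions (open ports, unencrypted storage).

```python
from datetime import datetime, timedelta

# Constructed change events, in time order: (time, resource, attribute, value).
EVENTS = [
    ("2024-05-01T08:00", "bucket/reports", "encrypted", False),
    ("2024-05-01T13:00", "sg/web", "open_ports", [22]),
    ("2024-05-01T20:00", "sg/web", "open_ports", []),
]

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M")

def violations(state):
    """Posture rules from the text: open ports and unencrypted storage."""
    found = set()
    for resource, attrs in state.items():
        if attrs.get("open_ports"):
            found.add((resource, "open_ports"))
        if attrs.get("encrypted") is False:
            found.add((resource, "unencrypted"))
    return found

def replay(events, until=None):
    """Rebuild resource state from events up to and including `until`."""
    state = {}
    for ts, resource, attr, value in events:
        if until is not None and parse(ts) > until:
            break
        state.setdefault(resource, {})[attr] = value
    return state

def snapshot_findings(events, first_scan, interval_hours, scans):
    """What a periodic scanner sees: state only at each scan time."""
    found = set()
    for i in range(scans):
        at = parse(first_scan) + timedelta(hours=interval_hours * i)
        found |= violations(replay(events, until=at))
    return found

def runtime_findings(events):
    """What a change-driven evaluator sees: state after every event."""
    found = set()
    for i in range(len(events)):
        found |= violations(replay(events[: i + 1]))
    return found

def missed_by_snapshots(events, first_scan, interval_hours, scans):
    return runtime_findings(events) - snapshot_findings(
        events, first_scan, interval_hours, scans)
```

With scans every 12 hours starting at midnight, the unencrypted bucket is reported by both approaches, while the port that was open from 13:00 to 20:00 appears only in the runtime findings.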
Wiz announced its $1B round at a $12B valuation at RSA in San Francisco this month
Gem Security was acquired by Wiz in a $350M transaction in April 2024
Cloud Detection & Response / Cloud Investigation and Response Automation (CDR/CIRA)
Implementing micro-segmentation and a Cloud Security Posture Management (CSPM) strategy are essential for cloud security, but they alone do not guarantee complete safety. Threats extend beyond CSPM’s preventive measures. Attackers can still find their way into a cloud environment by exploiting API vulnerabilities, hijacking Kubernetes clusters or brute-forcing user credentials. Rewards for solving these challenges are massive and have prompted the creation of new categories within Cyber.
CIRA – a practice still in its infancy – allows organizations to detect, investigate and remediate incidents that have already occurred. Where CSPM is preventative, CIRA is its reactive counterpart. CIRA solutions (Cado Security, Gem Security) gather data from within the environment – including infrastructure & application logs, network traffic, API calls, and endpoint data – then employ behavioral analysis, anomaly detection and threat intelligence to detect compromises. SOC analysts can also write custom detections to flag anomalies in a stream of log data. When threats are detected, CIRA systems automatically mitigate the damage caused by a breach by quarantining suspicious files or remediating misconfigured scripts. CIRA providers also offer post-incident review to identify lessons learned and improve future response strategies.
For comprehensive security, CISOs should opt for a stack of CSPM and CIRA. Startups such as Upwind and Sweet Security have coded both into their offerings. Integrating the two solutions offers a layered defense, covering both the preventative and the reactive needs of an organization’s network.
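A custom detection of the kind described above, written against a stream of sign-in log lines, could look like the following. This is an added example, not code from the original post or from any CIRA product; the log format, the threshold and window values, and the function name `detect_bruteforce` are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sign-in log lines: "timestamp user source_ip result".
LOG = """\
2024-05-01T09:00:01 alice 198.51.100.7 FAIL
2024-05-01T09:00:04 alice 198.51.100.7 FAIL
2024-05-01T09:00:09 bob 192.0.2.10 FAIL
2024-05-01T09:00:11 alice 198.51.100.7 FAIL
2024-05-01T09:00:15 alice 198.51.100.7 FAIL
2024-05-01T09:00:19 alice 198.51.100.7 FAIL
2024-05-01T09:00:23 alice 198.51.100.7 OK
2024-05-01T09:05:00 bob 192.0.2.10 OK
2024-05-01T11:30:00 carol 203.0.113.5 FAIL
"""

def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=2)):
    """Alert on a successful sign-in that follows at least `threshold`
    failures for the same user and source within `window`."""
    failures = defaultdict(deque)  # (user, ip) -> recent failure times
    alerts = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than stop the stream
        ts_raw, user, ip, result = parts
        try:
            ts = datetime.fromisoformat(ts_raw)
        except ValueError:
            continue
        recent = failures[(user, ip)]
        while recent and ts - recent[0] > window:
            recent.popleft()  # expire failures that fell out of the window
        if result == "FAIL":
            recent.append(ts)
        elif result == "OK":
            if len(recent) >= threshold:
                alerts.append({"user": user, "source": ip,
                               "failures": len(recent), "time": ts_raw})
            recent.clear()  # a success resets the failure count
    return alerts

ALERTS = detect_bruteforce(LOG.splitlines())
```

Only the success that follows five failures inside the window raises an alert; the single mistyped password followed by a later success does not.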
Where are we heading?
As we saw with CrowdStrike last month, even an ostensibly robust cloud strategy can bring organizations to their knees. CrowdStrike, which specializes in providing cloud-native endpoint protection and threat intelligence, experienced a significant global outage caused by a faulty update to its Falcon sensor software. The update led to widespread system crashes affecting around 8.5 million devices, including critical infrastructure in sectors like healthcare, aviation and government. CrowdStrike’s outage is estimated to have cost Fortune 500 companies $5.4B in losses.
This incident underscores that even dominant players can face significant vulnerabilities, and that there are still opportunities for startups to disrupt incumbents by offering more resilient, innovative, and adaptive solutions in cloud security and AI. The opportunities discussed herein are a product of maturing enterprise cloud programs and the more recent rise of AI in the enterprise sector. For a large corporation, a cloud security program that begins with CSPM could pave the way for adopting more advanced categories in the future.
We at Lotus are incredibly excited by new innovations in Cloud and Cloud Security. If you are an investor, researcher, or founder in the space: reach out at ayla.j@thelotuscapital.com – I would love to chat with you.