The Future of Cybersecurity has Arrived
Cybersecurity is shifting to the cloud and, with it, adopting a Zero Trust Architecture, representing a $68B TAM growing at a ~10% CAGR.
Welcome to issue #1 of Indiscrete Musings
I write about the world of Cloud Computing and Venture Capital and will most likely fall off the path from time-to-time. You can expect a bi-weekly to monthly update on specific sectors with Cloud Computing or uncuffed thoughts on the somewhat opaque world that is Venture Capital. I’ll be mostly wrong and sometimes right.
Please feel free to subscribe, forward, and share. For more random musings, follow @MrRazzi17
Cybersecurity of Yesterday
Cybersecurity appears to be on the cusp of yet another significant generational change, largely due to the proliferation of the cloud and SaaS-based applications: more and more compute workloads are being moved to the cloud, away from “on-premises” infrastructure, and this shift is creating the impetus for a Zero Trust model. The easiest way to define Zero Trust is to define what it is not. Let’s begin.
Historically, companies and enterprises hid their data, assets, and employees behind a corporate network (e.g., Local Area Network). Ben Thompson highlights this point succinctly in “Zero Trust Information”:
Networks came first commercially as well. In the 1980s Novell created a “network operating system” that consisted of local servers, ethernet cards, and PC software, to enable local area networks that ran inside of large corporations, enabling the ability to share files, printers, other resources.
The idea of a local area network (LAN) propelled Novell and others for most of the ’80s and ’90s, and then, well, the Internet happened. The Internet described here is the Internet that actually served a utility for most consumers and businesses alike. This was in large part due to the efforts of Sir Tim Berners-Lee in creating the first web browser, called WorldWideWeb. Soon after, several web browsers were developed, such as Mosaic (later Netscape) by Marc Andreessen, and, as they say, the rest was history.
In this new model, connecting one or many computers to a LAN meant connecting all of the servers and computers on the LAN to the Internet. This shift gave way to the notion of deploying perimeter-based firewalls: put simply, the “Castle and Moat” architecture. Employees, data, and other assets were considered protected because they were “inside” the firewall (the castle), and as such insiders (employees) were granted access to key applications and data while outsiders had no way of getting past the moat (the firewalls).
Inherently, this presented three problems:
If an outsider were to breach any part of the network, there would be no way to isolate individual applications or employees, so the entire network would be compromised
If employees weren’t physically at work, they were blocked from the network and were required to use a VPN
Yet these problems persisted and gave way to the growth of large point-to-point solutions and vendors in the space, but in time, with the exponential rise of cloud computing, this model for security is quickly becoming antiquated.
Cybersecurity of Tomorrow: A Shift to a Zero Trust Network Architecture (ZTNA)
Cloud computing has revolutionized how companies and enterprises across the globe develop applications and collaborate. The cloud offers significantly lower upfront costs (capex/opex) and superior flexibility and scalability compared to traditional on-premises environments, from both a performance and a security standpoint.
As more applications are developed and deployed as cloud/SaaS apps, the primary node of security (e.g., the firewall) is becoming obsolete. Instead of focusing on securing the perimeter, the premise of a Zero Trust model is based on the user who is accessing the network, and the idea is that all users, whether external or internal, should be treated as a potential threat. Insiders (employees and contractors), machines, and people should be treated as outsiders at all times. This focus on identity and access IS the new perimeter.
Core tenets of a Zero Trust Architecture include:
Microsegmentation: Microsegmentation is essentially the premise of dividing security perimeters into smaller zones so that access is controlled separately for each part of a given network.
Least-Privilege Access: Limiting users (humans/machines) to only as much access as they need (e.g., to specific cloud instances and SaaS apps).
Multi-Factor Authentication (MFA): Requires users to prove with more than one piece of evidence that they are who they say they are.
Increased Device Access and Posture: Zero Trust systems need granular visibility into their network to ensure that devices, and not only users, are authorized to access the network.
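To make the contrast between the castle-and-moat model and these four tenets concrete, here is an added illustration that is not part of the original post: a constructed access-policy evaluator in Python. The subnet, users, resources and policy entries are all hypothetical.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed example: the corporate LAN that a perimeter firewall trusts.
CORP_LAN = ip_network("10.0.0.0/8")

@dataclass
class Request:
    user: str
    src_ip: str
    resource: str
    authenticated: bool = False   # identity verified by the IdP
    mfa_passed: bool = False      # second factor presented
    device_managed: bool = False  # device posture: enrolled and compliant

def castle_and_moat(req: Request) -> bool:
    """Perimeter model: trust is a function of network location only."""
    return ip_address(req.src_ip) in CORP_LAN

# Zero Trust: constructed least-privilege policy, one entry per microsegment.
# Each resource lists the users entitled to it; nobody else is, CEO included.
POLICY = {
    "payroll-db": {"users": {"alice"}, "require_managed_device": True},
    "wiki": {"users": {"alice", "bob"}, "require_managed_device": False},
}

def zero_trust(req: Request, policy=POLICY) -> tuple:
    """Evaluate the four tenets in turn; source IP is deliberately never consulted."""
    segment = policy.get(req.resource)
    if segment is None:                      # microsegmentation: default deny
        return False, "unknown resource: default deny"
    if not req.authenticated:                # identity is the new perimeter
        return False, "identity not verified"
    if not req.mfa_passed:                   # MFA
        return False, "MFA required"
    if segment["require_managed_device"] and not req.device_managed:
        return False, "device posture check failed"
    if req.user not in segment["users"]:     # least privilege
        return False, "not entitled (least privilege)"
    return True, "allow"

if __name__ == "__main__":
    # Constructed sample: an unauthenticated session on the LAN, and a remote employee.
    intruder = Request("unknown", "10.1.2.3", "payroll-db")
    remote_alice = Request("alice", "203.0.113.7", "payroll-db", True, True, True)
    for r in (intruder, remote_alice):
        print(r.user, "moat:", castle_and_moat(r), "zero trust:", zero_trust(r))
```

The intruder already inside the LAN is admitted by the perimeter check but denied by every Zero Trust tenet, while the remote employee is rejected by the moat yet allowed once identity, MFA, device posture and entitlement all hold.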
Who’s responsible?
Today, most major cloud providers (e.g., AWS, Azure, GCP) run what is called a shared responsibility model, where security and compliance are shared between the customer and the cloud provider. Most cloud providers, as depicted above, are typically responsible for securing the cloud infrastructure (Layers 3-4 of the OSI Model [1]), while customers are responsible for traffic going to the cloud, data stored in the cloud (or on-prem), and workloads deployed in the cloud. As such, it’s imperative that any tool or product in a Zero Trust Architecture can scale across all layers of the stack. As cloud and multi-cloud architectures grow, it will become increasingly harder to manage all identities, permissions, and data, and the onus will fall on the customer, providing more rationale to add products that help build a robust Zero Trust model.
What’s needed in a Zero Trust world and who wins?
Full-bodied Zero Trust models must have their employees prove their identity before accessing trusted and critical data (even the CEO). In addition to access, it’s crucial that employees’ roles are limited when accessing data. Each employee should be given enough access to do their job, but no more. Identity authentication is a key tenet of a successful Zero Trust model and is driving demand for companies such as IdP providers (e.g., Okta, Ping Identity, and Auth0) and Data Loss Prevention (DLP) providers (e.g., Varonis, Code42, and upstarts like Nightfall). Cloud-based network security providers serve as another core tenet of a Zero Trust model by enforcing security on user traffic destined for the cloud or the public internet. In this space, Cloudflare and Zscaler are beneficiaries of the security spend that is now shifting away from the old hub-and-spoke model of perimeter firewalls (e.g., CHKP, PANW) to cloud-delivered network security.
The shift to cloud-delivered network security also improves the efficiency of cloud-based applications by removing the need to backhaul traffic to HQ so that security controls can be applied there. The concept of a globally distributed workforce has been around for some time, but COVID-19 and the underlying cloud-based infrastructure have further accelerated the global acceptance of working from home and working from anywhere, increasing the importance of enforcing a Zero Trust security model.
In J.P. Morgan's 2020 CIO Survey, CISOs/CIOs pointed to Identity Access Management (IAM) as the top cloud security priority, the same ranking as in 2019. Identity became a critical pillar for enterprises during COVID-19 as employees adopted a distributed remote model and as more applications moved to the cloud, away from the corporate network. In the same survey, Endpoint Security rose from the #4 concern to #2 in 2020, largely due to the increased laptop and device deployments as employees adopted the new reality of work-from-home, as well as the acceleration of cloud workload migrations. COVID-19 has also accelerated the use of collaboration tools like MSFT Teams, Slack (now Salesforce), and Zoom, to name a few, and of cloud-based repositories (e.g., Google Drive, OneDrive), which creates inherent risk around internal/external users having permission to access data that they should not be able to access. Cloud-native security providers building products in the Identity, Privileged Access Management, Data Loss Protection (DLP), Secure Web Gateway (SWG), Cloud Access Security Broker, and Endpoint Protection sectors, which are bucketed under the larger umbrella of a Zero Trust model, will have plenty of evergreen opportunities ahead of them given the macro-trends of cloud-based security.
$68B Cloud Security Market Growing ~10% CAGR
Cloud security spend is estimated to reach $68B by 2024 [2] and is expected to grow at a 9.7% CAGR through 2024. It’s anticipated that the majority of spend will be within the Application Security, Cloud Security, Data Security, and Identity Access Management sectors, representing a total addressable market of ~$15B with a 13% CAGR.
Incumbents are losing their foothold
As the cybersecurity landscape continues to evolve to support a Zero Trust Architecture, the evolution is coming at the expense of legacy incumbents who were once seen as leaders in their sector. Traditional firewall vendors like PANW, FTNT, and CHKP are starting to lose their foothold to younger upstarts. This is a canonical example of how industry upstarts can disrupt incumbents. Ultimately the winners are going to be the younger providers in the space that deliver a superior product and experience and ease the digital transformations taking place worldwide, thanks in large part to the tailwinds of COVID-19.
…Leading to mass consolidations
As entrants gain a stronger foothold in the cloud security market, incumbents are looking to consolidate across the industry, as best represented by the large M&A sprees of late. Most notably: Symantec’s acquisition of Luminate, CrowdStrike’s acquisition of Preempt Security, Okta’s acquisition of ScaleFT, and Akamai’s acquisition of Inverse. What these large incumbents have that most entrants don’t is entrenched networks of customers and partners, making it easier to cater to the high end of the market (usually defined as >$1mm ACV). In theory this should make it easier to sell more differentiated products to their existing install base and to break into adjacent markets, but as the saying in start-up land goes, “the battle between every startup and incumbent comes down to whether the entrant gets distribution before the incumbent gets innovation.” Early data suggests that entrants may be poised to win, propelled by the tailwinds of the cloud and outdated hardware-based security models, but it’s too early to say.
Conclusion: The Acceleration of Zero Trust
There are several trends that COVID-19 further propelled; one indisputable trend is the rise of digital transformation.
“We’ve seen two years’ worth of digital transformation in two months.” Satya Nadella, CEO of Microsoft
The majority of users are now working remotely across the globe, and organizations are forced to consider alternative ways of achieving robust security controls. There is anecdotal evidence that cybersecurity budgets are increasingly shifting to accelerate spending on cloud security at the expense of legacy on-premises providers. With it, the growing adoption of cloud-based security solutions supports a Zero Trust Network Architecture (ZTNA) and a Secure Access Service Edge (SASE) architecture, which is comprised of Identity, Endpoint, Data Loss Prevention (DLP), Cloud Access Security Broker (CASB), Secure Web Gateway (SWG), and Privileged Access Control providers.
COVID-19, globalization, cloud computing (incl. multi-cloud deployments), and the rise of smartphones and devices have given way to a new way of working and with it have created the next generation of security. Zero Trust security is here to stay, with one remaining question: will the entrants win, assuming they can find distribution, or will the incumbents win, assuming they can find innovation?
Big thanks to @SpencerWCalvart, @jaminball, and Simon Steiner for feedback/edits.
[1] https://en.wikipedia.org/wiki/OSI_model
[2] https://www.marketsandmarkets.com/Market-Reports/cloud-security-market-100018098.html