Presentation from fwd:CloudSec on expanding cloud security quadrants
In a closed-door session at fwd:CloudSec in Boston in July 2022, Jeremy Snyder presented a cloud security framework on expanding cloud security quadrants. This is a public version of that content.
I've worked in and around cloud security for a long time. Some of the experiences have included:
Building a secure cloud environment for multiple companies that I cofounded, like The Sharing Engine or FlockData
Helping customers design and execute secure cloud migrations at REAN Cloud
Working with some of the largest cloud footprints in the world while leading sales, business development and solution architecture teams at DivvyCloud
Working on corporate development at Rapid7
So one of the questions I get asked most frequently is this:
What is the future of cloud security?
I decided that the audience at fwd:CloudSec was the right one to test some of my hypotheses, based on my observations. It was also the perfect opportunity, because the session operated under the Chatham House Rule, so what was discussed in Boston stays in Boston. However, after the event, a number of people asked me what I had shared. So here's a very abbreviated
I have a four-quadrant model of cloud security, as follows, where each quadrant has its own security challenges / use cases, and implementors:
Top left quadrant: pre-production operating system and application layer. Development teams and application owners work on removing vulnerabilities from applications, containers and third-party dependencies, as well as doing code analysis.
Bottom left quadrant: pre-production infrastructure layer. DevOps teams define infrastructure-as-code templates that can be analyzed for the potential introduction of vulnerabilities or data exposures.
Top right quadrant: production run-time, operating system and application layer. Information security and application teams monitor and respond to problems in these environments.
Bottom right quadrant: production infrastructure layer. Cloud teams, cloud security teams and some infosec teams deal with misconfigurations that leave components exposed.
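As an added illustration of the two infrastructure-layer quadrants (this is example code written for this page, not part of the presentation or of any vendor's product), the script below runs one small set of exposure rules in both stages: against an infrastructure-as-code template before deployment (bottom left) and against an inventory of deployed resources (bottom right). It assumes the template is in CloudFormation's JSON shape and that the production inventory has been normalized to the same `Type`/`Properties` resource shape; the template, the inventory and the three rules are all constructed for the example.

```python
"""
Added example: the same exposure rules applied pre-production (IaC template)
and in production (normalized inventory). All data below is constructed.
"""
from __future__ import annotations
from dataclasses import dataclass

MGMT_PORTS = {22, 3389}            # SSH and RDP
ANY_CIDR = {"0.0.0.0/0", "::/0"}   # "from anywhere"
PAB_KEYS = ("BlockPublicAcls", "BlockPublicPolicy",
            "IgnorePublicAcls", "RestrictPublicBuckets")


@dataclass(frozen=True)
class Finding:
    stage: str      # "pre-production" or "production"
    resource: str   # logical id (template) or resource id (inventory)
    rule: str
    detail: str


def rule_public_bucket(props: dict) -> str | None:
    """Flag buckets with a public canned ACL or an incomplete public access block."""
    if props.get("AccessControl") in ("PublicRead", "PublicReadWrite"):
        return f"AccessControl={props['AccessControl']}"
    pab = props.get("PublicAccessBlockConfiguration", {})
    if not all(pab.get(k) is True for k in PAB_KEYS):
        return "PublicAccessBlockConfiguration not fully enabled"
    return None


def rule_open_mgmt_port(props: dict) -> str | None:
    """Flag ingress rules that expose SSH/RDP (or all traffic) to the internet."""
    for rule in props.get("SecurityGroupIngress", []):
        cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
        if cidr not in ANY_CIDR:
            continue
        if str(rule.get("IpProtocol", "")) == "-1":   # "-1" means all protocols/ports
            return f"all traffic allowed from {cidr}"
        lo = int(rule.get("FromPort", 0))
        hi = int(rule.get("ToPort", 65535))
        hit = sorted(p for p in MGMT_PORTS if lo <= p <= hi)
        if hit:
            return f"port(s) {hit} open from {cidr}"
    return None


def rule_public_db(props: dict) -> str | None:
    """Flag database instances that are reachable from outside the VPC."""
    return "PubliclyAccessible=true" if props.get("PubliclyAccessible") is True else None


# Resource type -> (rule id, rule function). Constructed for this example.
RULES = {
    "AWS::S3::Bucket": ("public-s3-bucket", rule_public_bucket),
    "AWS::EC2::SecurityGroup": ("mgmt-port-open-to-internet", rule_open_mgmt_port),
    "AWS::RDS::DBInstance": ("public-db-instance", rule_public_db),
}


def check_resources(resources: dict, stage: str) -> list[Finding]:
    """Run every applicable rule over a {name: {Type, Properties}} mapping."""
    findings = []
    for name, res in resources.items():
        entry = RULES.get(res.get("Type"))
        if entry is None:
            continue
        rule_id, fn = entry
        detail = fn(res.get("Properties", {}))
        if detail:
            findings.append(Finding(stage, name, rule_id, detail))
    return findings


def check_template(template: dict) -> list[Finding]:
    """Bottom-left quadrant: the template as it would be parsed from JSON."""
    return check_resources(template.get("Resources", {}), "pre-production")


def check_inventory(inventory: dict) -> list[Finding]:
    """Bottom-right quadrant: deployed resources, normalized to the same shape."""
    return check_resources(inventory, "production")


# Constructed CloudFormation-style template with two exposures and one safe bucket.
TEMPLATE = {"Resources": {
    "LogsBucket": {"Type": "AWS::S3::Bucket", "Properties": {"AccessControl": "PublicRead"}},
    "DataBucket": {"Type": "AWS::S3::Bucket", "Properties": {
        "PublicAccessBlockConfiguration": {k: True for k in PAB_KEYS}}},
    "AdminSG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {"SecurityGroupIngress": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"}]}},
    "AppSG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {"SecurityGroupIngress": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"}]}},
    "Db": {"Type": "AWS::RDS::DBInstance", "Properties": {"PubliclyAccessible": True}},
}}

# Constructed production inventory (ids are placeholders, not real resources).
INVENTORY = {
    "sg-0123456789abcdef0": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "SecurityGroupIngress": [{"IpProtocol": "-1", "CidrIp": "0.0.0.0/0"}]}},
    "arn:aws:s3:::example-prod-reports": {"Type": "AWS::S3::Bucket", "Properties": {
        "PublicAccessBlockConfiguration": {k: True for k in PAB_KEYS}}},
}

if __name__ == "__main__":
    for f in check_template(TEMPLATE) + check_inventory(INVENTORY):
        print(f"[{f.stage}] {f.resource}: {f.rule} ({f.detail})")
```

The point of keeping one rule set for both stages is the one the quadrant model makes: the same misconfiguration class can be caught by a DevOps team in the template (left) or by a cloud security team in inventory (right), and the finding schema stays identical so results can be correlated across the two.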
So what has happened so far, and what's happening next with the cloud security space?
The cloud security space has arguably been the hottest space in cybersecurity over the last 3+ years, with a wave of new entrants, acquisitions and newly uncovered attack surfaces, plus a wave of breaches and cyber incidents. What did we discuss?
Can big cyber companies buy their way into this market? Yes, definitely. It's been proven.
If they do that, what's the first product that they buy, and why? Normally, CSPM. It's happened at least 5 times as the first purchase. CSPM's core value as an initial category entry is two-fold: 1) it addresses the most common breach vectors, so it covers a huge percentage of the real-world use cases; and 2) CSPM has inventory, and inventory is almost always the foundation that other solutions are built on top of.
But CSPM is not enough any more. Attacks have gotten more complex and multi-vector, traversing layers up and down the stack.
CSPM is also reaching a data tipping point: there is so much data that solutions need to be built on top of CSPM to help correlate and prioritize information.
That, coupled with an overall frustration of owning too many security products, has led to product expansion, in the shift from CSPM to CNAPP.
CNAPP has definitely expanded beyond the original bottom-right quadrant. The real questions are how high up the stack, and how far to the left can CNAPP go with any efficacy? And with that expansion, are we still talking to the same people, teams or budgets?
If you're interested in the full presentation, please contact us and we will share a post-event recording of the content with you privately.