People are no longer in charge of their cybersecurity. Cloud apps are the culprit
By ARNAV SAHU
ith the advent of remote work, companies – including those in legacy industries – have been forced to adopt SaaS (software as a service) and cloud tools to stay competitive and agile. Modern, cloud-based platforms like Zoom, Slack, Salesforce have become critical to enable knowledge workers to collaborate efficiently from their homes. As beneficiaries of this tailwind, public cloud hosting providers like AWS, Microsoft Azure and Google Cloud have seen phenomenal success. According to Gartner, the spend on cloud providers is forecasted to increase to $178 billion in 2022 from $141 billion in 2021.
But while public cloud providers have made it easy to use modern software tools, the shift to the cloud has led to big cybersecurity challenges. Cybersecurity for the cloud-first world is a paradigm shift from traditional, on-premise security. In the previous situation, customers hosted their applications in their own data centres and had full control of their environments and security. Customers operated in a “walled castle” – where the network and applications were secured and controlled by them.
However, when customers adopt public cloud providers, security is a shared responsibility model between them and the cloud providers. For example, if a customer stores data in the AWS data centre, the customer has to configure and manage their own security policies. Despite not having full control of data in the AWS data centre, security breaches are still the customer’s responsibility. In this regard, customers adopting public clouds are no longer in full control of their own security. Security concerns are often one of the top barriers to cloud adoption.
Moreover, cloud environments are more complex to secure. Modern cloud customers often employ an architecture called microservices, in which each component of an application (e.g. search bar, recommendation page, billing page) is built independently of each other. There could be up to 10x more workloads (e.g. virtual machines, servers, containers) and microservices in the cloud than on-premise. This increased fragmentation and complexity leads to access control issues and increases the probability of errors – for example, if a developer leaves a sensitive password in an AWS database that can be exposed to the outside world. Simply put, the attack surface area is larger and more complex in the cloud.
Outside of product complexities, the shift to the cloud has led to an inversion from a top-down to a bottom-up sales pattern, where security buying decisions are made by developers, not CISOs (Chief Information and Security Officers).
Second, the early adopters and power users of cloud are modern start-ups and mid-market customers, where buying decisions are more decentralized. Traditionally, security decisions at large enterprises were made by CISOs. Such sales processes involved lengthy proof of concepts and negotiations, and the CISO made the buying decision for the rest of the organization. Start-ups and mid-market customers, meanwhile, often give their developer teams the autonomy to make security buying decisions directly. For example, in one of the customer councils I attended, a CISO at a fast-growing fintech start-up admitted that his developers had full autonomy to choose which security products to buy.
This new bottoms-up sales model fundamentally disrupts how security software gets built and sold. Selling to developers is a different model than selling to the CISO. Developers prefer self-serve features – they often like to try and experiment with products before buying them. This requires a product-led sales model – building self-serve and freemium capabilities and attracting a large inbound, top-of-funnel of free users. This new sales model is completely different to the how traditional security incumbents operate, which rely on a sales-led model – hiring big sales teams who sell large deals to CISOs in an outbound fashion.
Traditional security incumbents such as Palo Alto Networks, Cisco, Fortinet, Checkpoint were created when on-premise-centric architectures were common. Their products do not scale for the cloud-native architecture, and their sales teams have not adapted to new product-led sales motion. The shift to the cloud has created new opportunities for start-ups to disrupt the security industry entirely. Large security incumbents like Palo Alto, Checkpoint, Fortinet alone have a combined market cap of over $100 billion. Cloud security is going to be a much bigger market. It’s exciting to watch the change of guard.
https://theprint.in/world/people-are-no-longer-in-charge-of-their-cybersecurity-cloud-apps-are-the-culprit/1052848/