In 2019 I embarked on a project to categorize 2,337 vendors of security products. I had to open 2,000 web pages and wade through mountains of marketing jargon. My favorite vendors are the ones that say what they do on their splash page. “We sell network firewall appliances” would be a great example. What I usually find is something like: “We use state of the art AI and ML to protect our clients’ key digital assets.”
I started the project with what seemed an obvious assumption—that cloud security was a distinct category. I put cloud security at the same level as my other major categories:
- Identity and Access Management
- Governance, Risk and Compliance
There are a few categories that deserve to be broken out separately because they are relatively new, they are of elevated importance, or they cross boundaries:
So during the first pass of categorization I used cloud security as a separate category. Most “cloud security” vendors have pictures of cumulonimbus clouds on their websites, making it easy to identify them. It was during the final pass before going to press for the Directory that I realized there are actually two very separate categories of ‘cloud security’ vendors.
1. Vendors that have security solutions for cloud deployments. These could be cloud network monitoring, alerting, logging, analysis, and blocking. Or they could be solutions for monitoring configurations and activity on VMs and containers.
2. Vendors that deliver their solutions from the cloud. These vendors have broken away from on-prem enterprise software and hardware models. They have dashboards delivered as web apps and at most deploy sensors or control points within the enterprise.
But the products in that first category, those that protect cloud deployments, invariably include data center deployments too. What data center these days is not virtualized, meaning standard configurations of commodity servers running a hypervisor to control VMs? (Well, a mainframe- or PDP-11-populated data center, of course, but those are dying off.) In other words, a ‘cloud security’ vendor is really a general purpose security provider for modern computing infrastructures.
They may enforce policies across micro-segments (network security), harden the VMs or containers against attack (endpoint security), or encrypt data in motion or at rest (data security). They may enforce access to cloud applications based on identity (IAM). In other words, all of the cloud security providers can be put into the network, endpoint, data, or IAM categories.
The second category of ‘cloud security vendors’ is just a way to consume security products as a service. The Gartner concept of Secure Access Service Edge (SASE, pronounced “sassy”) is merely a way to provide Unified Threat Management (UTM) in a distributed set of data centers. Hosting logs in the cloud, as most modern Security Information and Event Management (SIEM) products do, is not cloud security; it is just the logical way to do it.
Thus, I do not track ‘cloud security’ as a separate sector of the IT security industry. That is not to say that cloud security is not a separate discipline. Practitioners must understand cloud architectures and how to defend them. The Cloud Security Alliance, formed to promote best practices in cloud deployments, is still highly relevant. Its sub-chapters around the world are valuable forums for security practitioners to meet and learn about these best practices. Cloud Security Architect is a perfectly legitimate job title.
The next time you are pitched by a cloud security product vendor, ask yourself what they really do. Are they a network security solution deployed from the cloud? Are they an endpoint solution for protecting containers from exploits? Are they a directory service hosted in the cloud? This perspective will help you, as it does me, to understand the components of the IT security industry.