• News
  • Columns
  • Interviews
  • BW Communities
  • BW TV
  • Subscribe to Print
BW Businessworld

Cloud Security - The Origin Story

There have been multiple winners in many categories in the last 10 years which have approached the security transformation from different angles. It will be useful to summarize the key ones. Here come some acronyms:

Photo Credit :


“If you're not confused, you're not paying attention.” ― Tom Peters, Thriving on Chaos: Handbook for a Management Revolution 

If you are one of those business leaders who have had a hard time keeping up with the acronyms and must-have-now technology categories that Cybersecurity industry analysts come up with regularly, you are almost definitely not alone. It’s also a challenge to keep up with the ever-growing estimates of the amount of data getting generated, the average number of Cloud services an enterprise uses, and, not the least, the billions of dollars getting invested in Cybersecurity startups (almost 21 billion USD in 2021 according to one estimate). In this series of articles, I will try to distill the key current themes, categories, and underlying drivers in the Cloud Security segment. We will then move on to the ongoing consolidation and what to do about it. We will cover adjacent Cybersecurity categories like Identity, Threat Protection, Security Incident and Event Management (SIEM), Email Security, etc., in a separate article and, finally, we will look at the emerging opportunities that will probably translate into the next wave of security unicorns and decacorns. 

Not too long ago, Cybersecurity was relatively simple. All your applications, data, devices, and users were in your office. In this world, as long as the perimeter was secure, i.e., all your traffic from and to your offices was passing through some on-prem appliances with the security logic built-in, everything was secure. The logic itself was relatively straightforward where you could allow or block certain ports, protocols, internet categories, and applications depending on how far back we wanted to go. There was a VPN for corner cases when a user really needed remote access. But then, one fine day, the applications started moving out with the Salesforces of the world and your data started to move out to S3, Box, Dropbox, and many other storage services. The devices and users were moving out for a while and events like COVID accelerated that trend to a point where there was absolutely nothing left within your physical parameter.  

The above evolution, of course, has translated into many extremely valuable opportunities for the Cybersecurity industry and, as with most disruptive technology transformations, the majority of the winners have come from start-ups rather than earlier incumbents. I happened to read a document from 2011 this week that outlined key emerging categories and main players at that time.  While the categories, by and large, are still relevant, almost none of the winners were from the list, and the overall market cap of the new players adds up to 150+ billion USD right now.  

The key high-level themes have also been similar to other industries. There has been a phased but relentless movement for the services to be Cloud-based. The first wave was the replication, by and large, of the same services delivered from the cloud. If there is hardly any data, applications, and users in the office, there is no reason for that appliance with the security logic to be hosted in that office.  Why not host the security logic on the cloud and route the traffic to the nearest point of presence (instead of sending everything back to the appliance sitting in an office) and pay by usage? Faster, cheaper, and makes so much sense! The following wave was for unique use cases which were only possible in the cloud model, for example, try sharing a file for only your company users from a non-cloud storage mechanism. Also, like most industries, the proliferation of APIs has meant opportunities for new players to leverage multiple sets of APIs to cater to emerging use cases either by just aggregating or combining that with proprietary technologies or delivery models. 

There have been multiple winners in many categories in the last 10 years which have approached the security transformation from different angles. It will be useful to summarize the key ones. Here come some acronyms:

  • CASB: The Cloud Access Security Broker category is one of the key categories to emerge with a focus on visibility, monitoring, and control of shadow IT i.e. services being used that are not sanctioned and hence not secured by the company IT department. These consist of the main functionalities below: 

  • Risk Insights: The initial killer use case was analyzing customer logs along with proprietary data about risks associated with individual cloud services to share insights like the total number of cloud services in a customer environment, percentage of services that are high risk, amount of data getting uploaded into high-risk cloud services, etc. This visibility was unprecedented for business decision-makers. The next question, of course, was about controlling the now visible risk. 

  • API: This mode leverages APIs for additional visibility and control. Common use cases, for example, are listing the top users that are downloading the maximum amount of data, revoking access for any external parties for a certain subset of the company data, etc. 

  • Inline: This mode provides the most comprehensive coverage by actually steering the application traffic to CASB cloud and applying granular policies. A common example would be a policy only allowing downloads with no data protection policy violations for cloud applications with medium risk. 

  • Cloud SWG: The cloud-based Secure Web Gateway category started with the entire web traffic and applied policies like blocking key categories. This is a broader set of traffic but with typically less granular visibility and control.  For example, the policy mentioned in the inline CASB section may not be feasible for NG-SWG. 

  • ZTNA: This Zero Trust Network Access category covered the use case of providing access to private applications hosted in the private or public cloud without the use of VPNs (which typically provide access to the entirety of network resources once the connection is established). 

  • Honorable mentions here would be emerging categories like Container Security, IoT Security, API Security, and continuous configuration assessment categories like CSPM (Cloud Security Posture Management) and SSPM (SaaS Security Posture Management). 

Still with me so far? Great! In the next column, let’s talk about how these related technologies and delivery models are consolidating into one and why you should pay attention.

Disclaimer: The views expressed in the article above are those of the authors' and do not necessarily represent or reflect the views of this publishing house. Unless otherwise noted, the author is writing in his/her personal capacity. They are not intended and should not be thought to represent official ideas, attitudes, or policies of any agency or institution.

Amit Kandpal

The author is a Cybersecurity and Customer Success leader with over 20 years of experience in leading and scaling post-sales by enabling consultative customer engagement leading to predictable and measurable outcomes. Amit has been an early member and leader of the Customer Success functions for three category-creating hyper-growth enterprise startups - Medallia which went public in July ‘19 and was acquired by Thoma Bravo for 6.4 billion in Oct ‘21, Skyhigh Networks which was acquired by McAfee for $750 million, and currently, Netskope, a Cybersecurity leader in the SASE space. Amit is a graduate of Indian Institute of Technology, Kharagpur, a PGDBM from MDI Gurgaon, and has a Master's degree in Business Management from Stanford Graduate School of Business.

More From The Author >>