Why an emerging cloud security trend offers ‘good news’ to businesses

While the cloud security market has developed rapidly in recent years, there’s now a wide array of tools to juggle for securing cloud infrastructure and applications.

There are “too many tools,” in fact, said Neil MacDonald, a vice president and analyst at Gartner, speaking at the research firm’s Security & Risk Management Summit — Americas virtual conference last week. Now, however, there’s major consolidation underway in the cloud security tools market, a trend that is “good news” for enterprises, MacDonald said.

In response to cloud security challenges and the growing popularity of the cloud — Gartner estimates 70% of workloads will be running in public cloud within three years, up from 40% today — the demand for cloud security has surged. Research firm MarketsandMarkets forecasts that cloud security spending will reach $68.5 billion by 2025, up from $34.5 billion last year.

But the cloud security tools, and acronyms, are numerous. There’s CSPM (cloud security posture management) for spotting misconfigurations in cloud infrastructure. There’s CIEM (cloud infrastructure entitlements management) for managing cloud identities and permissions. There’s CWPP (cloud workload protection platforms) for securing virtual machines, containers, and serverless functions. And there are additional tools to proactively identify vulnerabilities during app development, such as tools for scanning containers and Infrastructure as Code (IaC).

But now, instead of needing to acquire these different tools and find a way to use them all together, the idea is to have one platform to rule them all: CNAPP.

That stands for cloud-native application protection platform, and it’s an offering that includes all of the tools mentioned above. Or at least, that’s starting to be the case — with many vendors in the process of assembling the different pieces into a CNAPP whole (more on that below). Vendors in the emerging CNAPP space include some of the best-funded startups in cybersecurity along with some of the most well-established companies in the security industry.

Gartner coined the term CNAPP earlier this year — partly in recognition of what was already happening in the market, and partly to encourage further consolidation of cloud security tools under the CNAPP umbrella.

“These walls are coming down,” MacDonald said. “We need to think of cloud-native application protection as a lifecycle problem from development into operations. And there are vendors now that can do most of everything [that’s part of CNAPP].”

Cloud security challenges

While enterprises have accelerated their shift to the cloud during the pandemic, cloud security remains a foremost challenge. A recent survey of cloud engineering professionals found that 36% of organizations suffered a serious cloud security data leak or a breach in the past 12 months. Likewise, a recent Gartner survey found that more than a third of companies see lack of security readiness as an obstacle to public cloud migration — ranking as the most common challenge to cloud cited in the survey.

Thus, for customers, the cloud security trend of unifying disparate tools so there are fewer to deal with is worth considering, MacDonald said.

“I think you should have fewer vendors, not more security vendors — do not mistake more security vendors for ‘defense in depth,’” he said, referring to the cybersecurity strategy of deploying multiple layers of defense. “But it also means you should be open to switching vendors, consolidating vendors, switching to one that understands your needs.”

Many cyber vendors have already embraced the CNAPP concept, saying that ultimately, the customers win with a unified offering in the cloud security realm. Some — such as Palo Alto Networks, Aqua Security, and Orca Security — were already offering the key components of CNAPP prior to Gartner coining the term.

For instance, Aqua Security describes its offering, the Aqua Platform, as a “complete” cloud-native application protection platform. And the vendor has seen “high double-digit” revenue and customer growth for its CNAPP so far this year, said Rani Osnat, senior vice president of strategy at the 450-person company.

“Customers are looking for a broader platform,” Osnat said. “Even customers that are relatively in the beginning of their journey understand that from a vision standpoint, they don’t want to slice this up into too many little pieces.”

Simplifying cloud security

Freelance services marketplace Fiverr adopted Orca Security’s platform in part to help simplify the process of ensuring cloud security, said Shahar Maor, chief information security officer at Fiverr, in a statement to VentureBeat.

“There are a lot of complexities in securing public cloud environments,” Maor said. “The value of a CNAPP like Orca Security is that I’ve got a single, comprehensive solution to identify risk, as well as provide actionable insights and value across IT, DevOps, and engineering.”

Along with Orca Security, Palo Alto Networks, and Aqua Security, other vendors offering the capabilities that fall under CNAPP include Lacework, McAfee Enterprise, Qualys, Sonrai Security, and Wiz.

Aqua Security

Aqua Security has offered capabilities for scanning applications during development, including IaC security scanning, since the launch of the company in 2015. In terms of workload protection, Aqua focused on containers at the beginning and added serverless and VMs in 2017 to give it full CWPP capabilities. The company added CSPM through the acquisition of CloudSploit in 2019. Recent enhancements to Aqua’s CNAPP offering have included cloud-native detection and response, which provides monitoring and detection to identify zero-day attacks in cloud-native environments.

“One of the things that make CNAPP such a ‘gospel’ in this market is that unlike traditional security solutions in the past, it covers a very broad set of personas,” Osnat said. “It spans developers and DevOps to cloud admins and security personnel. And that is quite unique in the market. So while nobody expects developers to become security experts, by helping developers embed security into their CI/CD processes, you help solve the problem.”

In March, Aqua Security raised $135 million in series E funding at a $1 billion valuation.

Lacework

Lacework, which was founded in 2014, started out in CWPP and later added CSPM.

“We began by addressing CWPP use cases with automation, without requiring the use of any rules/policies,” said Adam Leftik, vice president of product at Lacework, in an email to VentureBeat. “We later added in CSPM and vulnerability management capabilities with all of the insights necessary to efficiently handle compliance, audit, and risk management needs.”

Other additions have included IaC remediation capabilities through the acquisition of Soluble earlier this month, along with other features including an inline vulnerability scanner to help developers find and fix vulnerabilities in their CI/CD pipelines.

“CNAPP represents a mindset shift toward a security approach that includes everyone involved in the business,” Leftik said. “Enterprises have an opportunity to completely rethink their security approach as one overarching continuum throughout development and operations rather than one-off problems that have to be fixed with manual, rules-based processes. As more customers embrace cloud and build in containers, there will be more demand for platforms that can protect cloud-native applications across development and production.”

Lacework raised $1.3 billion in funding earlier this month — one of the largest venture rounds in the U.S. this year — at an $8.3 billion post-money valuation. That followed the company’s $525 million fundraise in January.

McAfee Enterprise

McAfee Enterprise began offering CWPP in early 2017 and added CSPM functionality to the offering in early 2019. The McAfee Enterprise MVision CNAPP also includes container security capabilities via the acquisition of NanoSec in 2019, and data loss prevention capabilities via the acquisition of Skyhigh Networks in 2018. In March, MVision CNAPP added in-tenant DLP scanning facilitating for increased data security, privacy, and cost optimization.

“As organizations continue to benefit from moving more workloads to the cloud, cloud threats are also on the rise,” said Dan Frey, product marketing engineer at McAfee Enterprise and FireEye, in an email to VentureBeat. “McAfee Enterprise expects adoption of MVision CNAPP to continue in step with customer requirements and cloud adoption rates.”

In October, McAfee Enterprise was combined with cybersecurity firm FireEye in a deal orchestrated by their owner, private equity firm Symphony Technology Group. Symphony had acquired McAfee’s enterprise security business in March for $4 billion.

Orca Security

Orca Security has had CSPM, CWPP, and CIEM since its founding in 2019. “We were a CNAPP before the term existed, and we are excited to see the official emergence and recognition for the category,” said Avi Shua, cofounder and CEO of Orca Security, in an email to VentureBeat.

The company recently enhanced its identity and access management risk detection capabilities to cover misconfigurations, events and anomalies, and access traversal. Additionally, a new CI/CD offering includes detection of security issues in the developer pipeline and during deployment before reaching production.

“Security teams are overwhelmed with thousands of meaningless, disconnected alerts,” Shua said. “With a CNAPP, customers can focus on the alerts that matter, get more functionality with fewer cloud security tools — and can finally address the cost and complexity of managing disparate tools.”

In October, Orca Security extended its series C round to $550 million at a $1.8 billion post-money valuation.

Palo Alto Networks

Palo Alto Networks introduced its Cloud Native Security Platform, Prisma Cloud, in November 2019, combining CSPM capabilities from its RedLock and Evident.io acquisitions with CWPP capabilities from its Twistlock and PureSec acquisitions. The company added capabilities including CIEM with Prisma 2.0 in 2020.

Then last week, Palo Alto Networks debuted Prisma Cloud 3.0 — which it described as a CNAPP — with enhancements including the integration of CIEM for Azure and IaC security.

“Customers today have been using a large number of point solutions to address cloud security requirements ad hoc,” said Ankur Shah, senior vice president and general manager of Prisma Cloud at Palo Alto Networks, in a statement to VentureBeat. “As customers build their overall strategy, they want to use a CNAPP that provides comprehensive security across multi-cloud and hybrid-cloud environments.”

The publicly traded company currently has a market capitalization of $51.98 billion.

Qualys

Qualys has been offering CWPP for virtual machines running in the public cloud for the past five years. The company extended the solution to support container workloads and introduced CSPM in 2018. Recent additions to the Qualys CNAPP offering have included detecting misconfigurations in IaC, compliance for containers, and risk-based venerability management.

“With an increasing number of organizations charting the course for their cloud journeys — and no sign of stopping or slowing — securing this journey has become one of the top concerns of customers. With this new focus, there is an increasing opportunity for vendors to address this concern with solutions such as CNAPP,” said Parag Bajaria, vice president of cloud and container security at Qualys, in an email. “Cloud security is fragmented into multiple categories and various point products that address those categories. Due to this complexity, there is often a large amount customer confusion. As a result of this confusion, Qualys is increasingly seeing customers ask for a single consolidated solution.”

The publicly traded company currently has a market capitalization of $5.34 billion.

Sonrai Security

Sonrai Security, which was founded in 2018, started out in CIEM and later added CSPM. The Sonrai Dig offering also includes data security, and the startup “will soon announce new capabilities to our CIEM, CSPM, and data security platform,” said Brendan Hannigan, CEO and cofounder of Sonrai Security, in an email to VentureBeat.

“Cloud security offerings like Sonrai Dig hold the entire future for cloud security specifically and security in general,” Hannigan said. “Old-world data center solutions increasingly will become irrelevant as digital disruption expands the cloud while data centers and enterprise networks decline.”

Sonrai Security announced a $50 million series C funding round in October.

Wiz

Wiz has provided CSPM and CWPP functionality since its founding in 2020. The startup has mainly focused on expanding its CWPP capabilities, recently introducing the ability to scan workloads for malware without needing to install any agents.

“CNAPP will become the de facto cloud security product,” said Yinon Costica, cofounder and vice president of product at Wiz, in an email to VentureBeat. “It will extend all the way from cloud environments to the code developers are writing. The big opportunity here is to drastically simplify cloud security in a way that lets business move faster than ever before — but securely this time. The fragmented approach we had before could never do that.”

In October, Wiz raised a $250 million series C funding round at a post-money valuation of $6 billion. That followed the company’s $130 million series B round in March.