The Great Cloud Security Debate: CSP vs. Third-Party Security Tools

Anton Chuvakin
Anton on Security
Aug 21, 2024

Do I go to my Cloud Service Provider (CSP) for cloud security tooling or to a third party vendor?

Who will secure my cloud use, a CSP or a focused specialty vendor?

Who is my primary cloud security tools provider?

This question, asked in many ways, has haunted me since my analyst days, and I’ve been itching for a good, fiery debate on this. So, we did this on our Cloud Security Podcast by Google, where the co-hosts divided the positions, researched the arguments in advance of the debate and then just … WENT AT EACH OTHER :-)

The results were so fun and interesting that this blog was born!

The Case for Third-Party Vendor Tooling

These arguments hinge on three primary concerns: trust, consistency, and innovation.

Some observers also highlight the theoretical conflict of interest when a CSP is responsible for both building and securing the cloud (no idea why people say this, as IMHO there is no conflict here). This side also stresses the importance of consistency across multi-cloud environments and argues that dedicated security vendors are more likely to innovate rapidly. They may also address client needs faster, especially narrow vertical needs.

  • You just can’t trust the cloud builder to secure their own stuff (or “letting the cat guard the cream” as somebody weirdly opined on social media). Third-party vendors promise unbiased security analysis and can uncover security issues that CSPs might deprioritize, benefiting the broader public and individual users. This separation of duties suggests a more objective evaluation of cloud security.
  • Consistency is super critical for multicloud. Third-party tools provide a consistent security framework across multiple cloud platforms. This simplifies management and reduces the need for specialized knowledge in each CSP’s unique security offerings.
  • Startups just build better tools; this is their focus and sole mission; CSPs suffer from “security from a big company” syndrome, being slow and political. Third-party vendors, whose core business is security, are more likely to develop innovative and effective security solutions compared to CSPs, who may view security as a secondary concern.
  • Auxiliary argument: Would you ever trust the CSP to secure the network/environment that belongs to their competitor?

The Case for CSP-Native

These arguments hinge on three primary concerns: deep platform knowledge, built-in security, and a seamless stack.

Deep platform knowledge that CSPs possess suggests both robust and “automatic”, default security. The seamlessness of CSP-native tools and the vast (we mean it, BTW!) resources that CSPs dedicate to security also play a key role. CSPs are very well positioned to keep pace with the rapid evolution of cloud services, and secure them as they are built.

  • The CSP knows the platform, and the cloud in general, best, and can use unlisted or poorly documented capabilities to secure it. Security deeply integrated into the platform is “more secure”, and also better linked with asset tracking and other IT ops / DevOps capabilities. This deep knowledge translates into superior security capabilities, both practical and conceptual.
  • Built-in beats bolt-on, with fewer seams to break and break through. CSP-native tools offer seamless integration with other services, streamlining workflows, and reducing the risk of security gaps that can arise from stitching together disparate tools. This results in a simpler and more manageable security stack. Recent breaches highlight the risks associated with these integration points, underscoring the advantage of built-in security.
  • Using native tools reduces the number of third-party vendors and solutions you need to manage, leading to a simpler security stack and less administrative overhead. When cloud platforms and security tools share the same foundation, operational teams benefit from streamlined access and workflows.
  • Auxiliary argument: CSP keeps pace with securing new services as they are being launched. And there are a lot of cloud services being launched.

The Verdict

  • “It depends” wins! It really does. No, we are not hedging or fudging. Are you disappointed?
  • To make it practical, we need to answer “depends on what?” Organizational realities: how you use cloud, what cloud, how many clouds, what is your threat model, etc.
  • None of the arguments from either side include a “killer” or a clincher argument that stops the debate and hands the victory to one side.
  • Often, starting with CSP-native tools and then supplementing with third-party solutions to address any gaps (if any) is the way to go (this was also Gartner advice in my days, BTW).

Listen to the audio version (better jokes!). And, yes, do read “Snow Crash” if you somehow failed to before.
