State of Cloud Security — Q&A with Tim Prendergast and Noah Carr

Laura Spaventa Lewis, Unusual Ventures
Sep 23, 2020
Image credit: “Circuit — Computer Chip — Cloud Security” by perspec_photo88 is licensed under CC BY-SA 2.0

Editor’s note: This post originally appeared on the Unusual blog.

Since its inception, cloud computing has polarized IT experts, with many early adopters extolling its value and traditionalists sounding the alarm on security concerns. However, embracing cloud solutions has become increasingly important for the enterprise as we’ve witnessed a massive evolution in how we build, deploy, and run applications, including the rise of containers, serverless, and the move to microservices. In addition to technology shifts, COVID-19 has forced enterprise companies to quickly rethink and adapt how they do business — from the way they manage their now fully remote workforces to how they sell their products. Cloud platforms and cloud security are no longer nice-to-haves in the COVID era, and companies are left scrambling to figure out which services and operations they need to shift to the cloud and how they can protect their data across a distributed workforce.

Tim Prendergast, founder of Evident.io, is a long-time supporter of the cloud and has helped guide the cloud strategies of iconic companies such as Adobe and Palo Alto Networks. We recently sat down with Tim and Noah Carr, Unusual Partner with a focus on enterprise infrastructure and security, to discuss how the cloud ecosystem has changed over the past decade, how the pandemic has impacted cloud adoption, the biggest opportunities for startups entering the cloud security space, how startups should think about their GTM approach, and more.

Can you give us a little background on yourselves?

Tim: I’m a career technologist who has spent a lot of time in the technology operations and cybersecurity space. For the past 10 years, I’ve been playing a lot with cloud infrastructure — since the technology’s inception — originally as an end-customer at Adobe, where we built one of the most recognizable cloud transformations. Based on that experience, I co-founded Evident.io, and built out a category in the cloud security space that led to a great exit to Palo Alto Networks. I was Palo Alto Networks’ first Chief Cloud Officer and helped them transition focus to the cloud with a series of acquisitions and moves that have set them up to be one of the largest cloud security providers out there.

Noah: I joined Unusual Ventures earlier this year with a focus on enterprise — more specifically, I spend most of my time in enterprise infrastructure and security. Prior to Unusual, I co-founded a fund at Point72 focused on early stage enterprise infrastructure and security. Before Point72, I spent 5+ years at Bain Capital Ventures, where I similarly worked closely with the enterprise infrastructure and security entrepreneurs that we invested in and supported, including Tim.

How has the cloud ecosystem changed in the last 10 years?

Tim: Honestly, it’s been amazing to watch this industry evolve over the past decade. In 2010, we were just toying with AMIs on early AWS EC2 services. Now, 10 short years later, we have fully encapsulated, distributed, fault-tolerant containerized services available and no-code application building technology. I think we’ve really seen enrichment come in three ways: Native learnings from cloud providers that feed their innovation, customer-side responsibilities being innovated and delivered by third party companies, and finally, the open source community improving and expanding the suite of tools and services that can be run on cloud by customers. There’s a more robust, richer set of tools and solutions that are purpose-built for cloud environments available, which is helping drive adoption and innovation inside companies.

Noah: The biggest change over the last decade is adoption — competitive enterprises need to move to the cloud and it’s evened the playing field with smaller companies, allowing them to ramp up quicker and have similar resources on hand to compete (when you consider the trends around AI/ML, remote collaboration, and SaaS). On top of that, we’ve seen a massive shift from a development standpoint given the rise of containers, the move to microservices, the importance of being cloud native, and the amount of open source code used to build applications today. With all of these shifts in cloud infrastructure, we’ve had to rethink managing, monitoring, and security. From a business standpoint, the way we sell software has also changed. If you go back 10 years, most software was sold as a perpetual license. Today, subscription models are the norm. Additionally, a large amount of technology built today is delivered as a hosted solution versus on-prem.

Do you believe the global pandemic and with it, the accelerated shift to remote work has impacted the rate of cloud adoption?

Tim: I don’t think we’ll know for sure until numbers come out about a year from now. I’d look at the incremental peak of, “Oh my God, we have to do something in the cloud,” as temporary, while the long-term transition will depend on how companies and organizations evaluate their performance and long-term view of the ecosystem. I have no doubt the pandemic will change the way we perceive the value and viability of a distributed workforce. I don’t know that it will be enough to push companies to give up their sunk costs in physical infrastructure, but early indicators may tilt my views. A good example is Pinterest. They just said, “Forget it. We’re going to pay $90 million and bail out of our 49,000-square-foot SF office we built out, rather than move into it and have everyone come into the office.” They realized they could make their business work as is. I think we will see an uptick in the usage of SaaS services and the cloud-delivered solutions that Noah mentioned earlier, as well as remote security improvements — people will be dusting off their ancient VPNs and putting modern zero trust distributed access technologies in place to support their remote staff. Companies will adapt and find ways to support their staff in this new model that we’re all operating under. And a lot of that’s going to be either delivered from the cloud or natively run on the cloud by those organizations in the future. We just won’t know how big of a shift that is until next year when earnings for Amazon, Google, and Microsoft come out to truly understand how much money really poured into that investment that was otherwise going into buildings, tangible infrastructure, etc.

Noah: I think accelerating is probably the right word here. As we discussed, adoption was already happening, but now that adoption has picked up. To Tim’s point, we won’t know for another year or so whether this shift will be systemic. My guess is yes. Initially when the pandemic started, expectations were we’d be remote for only a few months — “We’ll just put a Band-Aid on it and figure it out later.” Now that the pandemic has persisted to the extent it has and we understand it will continue for the foreseeable future, I believe a systemic change is happening more broadly. This changes how we live, how we buy goods and services, doctors’ visits, exercise, etc. The number of things that are now going digital and need to be supported digitally end up pushing towards more cloud adoption. The way we work has obviously also changed — more collaboration, how we share information, and how we interact with customers, etc. And so, more of that development that may have initially been on-prem is going to have to be pushed to the cloud and all the laggards who were investing in more of that physical infrastructure will now be forced into a cloud world. Based on the conversations I’ve had with leaders — CIOs, CTOs, etc. — living in this COVID world, cloud budgets are expanding. Now that there is this forcing function and people can see that workforces are capable of effective remote work, we’ve started to see large organizations change — even to the extent of people expanding HR practices and thinking about hiring the right talent, expanding the scope of locations they’ll hire talent to get people with cloud experience. And, of course, this all has security repercussions.

Beyond cloud adoption, what are the largest technology market trends that you believe directly impact cloud security today?

Tim: I think the heavy leftward shift of security is a big one — it really does mean predictive security and engineer-driven security practices are becoming more normal and no longer fall into the “that’s not my job” bucket. I also think no-code application development and hosting part of cloud environments is going to be fascinating for security. Can the providers do it all as part of the service and totally abstract security from the customer? Can the third-party security companies get enough access to actually protect those abstracted workloads? We’ll see.

Noah: I completely agree with Tim. Most broader tech trends in some way impact the security market and we are seeing numerous shifts within technology. Look at AI and machine learning adoption and the work companies need to do with sensitive data and workloads in the cloud — it’s just how you stay competitive at this point. Combine that with automation, infrastructure as code, a general shift to abstracting away infrastructure, and it means security teams have far less control. You lose control of your infrastructure and of what you traditionally think of as your resources. This equates to impacts on security — you don’t have the same visibility you did before and it’s significantly more difficult to manually go in and remediate issues. We are also leveraging a lot more open source technology today, which opens enterprises up to more vulnerabilities and again creates gaps in visibility. This is a huge shift in the market, in how we think about security, in the code that we’re using — especially if it’s not directly ours — and in how we make sure that people don’t find vulnerabilities in what we’re trying to build today. The last piece is this massive trend around remote work and distributed teams. Those trends directly impact a lot of the things that Tim mentioned, like how you think about your enterprise perimeter and what you need to do to protect your company as people work remotely.

Given this accelerated adoption and need for improved cloud security, do you believe the market is better served today by a new entrant standalone startup or is it more effective to have a larger platform provide a solution?

Tim: This is a really interesting dichotomy — the emerging startups are really pushing the envelope and trying to make something exponentially better than what exists in the larger platforms. At the same time, they are limited in scope and can’t satisfy all of a customer’s needs. The large platforms do a lot of things well, but often favor stability over innovation and serve the lowest common denominator customers instead of the real innovators. This drives the acquisition cycle we see so frequently — big tech company buys sexy startup to add their super cool capabilities to the larger platform. I personally like the startups because they are eager to listen and deliver solutions to customer pains. Each customer matters more to the startup. It really depends on the maturity of the customer — if they are a bleeding-edge innovator, startups will give them the best return on investment. If they are a technology follower or later adopter, they will do well to use their existing big platform relationships to just add the features they need to their existing commitments.

Noah: This has always been a challenge across our industry, platform versus stand-alone. To Tim’s point, there’s value to both. I’ve always believed where specialization is paramount and organizations have high priorities, it’s harder to trust the large platforms. It’s harder for them to effectively solve these more detailed and complicated problems because it’s not as core to what they do. And to Tim’s point, some of it depends on the organization. If they need to be on the bleeding edge and a startup has built a solution for them, it’s more difficult for them to go with a platform vendor. However, there will always be this “good enough” paradigm that exists within the market. When Tim and team started Evident, there were Inspector and Config Rules from AWS. But again, for the people who prioritized security — where the specialization mattered — they wanted to buy it from a company like Evident that had the expertise, knew how to build a tool that could be easily operationalized, and that came from founders who directly experienced this pain. Even after the first wave of cloud security companies, we still haven’t seen the cloud platforms put forth a competitive enough solution to fully satisfy enterprise needs. The place I see an opportunity is for HashiCorp. Given their position with Terraform and Vault they could potentially release an automated tool that is well integrated, provides effective visibility and could do some level of remediation.

Where do you draw the line between approaching the problem as a security challenge versus a broad engineering or QA challenge?

Tim: Personally, I believe that security has always been a broader engineering/QA challenge and that those departments just refused to acknowledge how much of their job it actually entails. My views don’t jibe with big enterprise-land, though, and silos are a real issue. I’ve long advocated the DevSecOps approach where security is embedded in engineering. The ability to osmotically influence each other on a daily basis is a huge win for the organization and product, and ultimately, the end user of the product. If you want to have all domains represented in the quality of the final product, you’d better include them in the planning, preparation, and execution phases. Standalone solutions and the “toss it over the wall” methodology of security issues and remediations don’t work in these integrated process teams. The days of a job where you sit in front of a keyboard and monitor and “operate” these standalone solutions are long gone. Now teams need to — and in some cases do — use more heavily automated solutions and technologies to orchestrate, validate, and even remediate technology functions and issue management.

Noah: I absolutely agree. There’s so much you can do in terms of integrating into these broader engineering solutions, and leveraging APIs, existing tools, etc. It goes back to that initial “triple sale” challenge with selling application security. You’d sell security to the security organizations, but security would have to sell it internally to the developers and the operations teams. Now we’re seeing a lot of these lines blur with the rise of DevOps and DevSecOps — there is this broader convergence happening. And so — Tim mentioned it before — security is shifting left where it needs to, which means a lot more of this work can already be done or should be done and embedded into existing software development and CI/CD processes. Then, we can proactively fix a lot of these issues before they are ever pushed into production. It’s an alignment for those teams internally, especially now that the world is more application-centric, and developers are far more involved with this process. I think we continue to push down that road and it’s the right way to solve the issue going forward.

What are the security implications as a result of the rise of infrastructure as code?

Tim: I think there are two sides of this coin — the positives and the negatives. The positive aspects are all pretty amazing. You get item import infrastructure, the ability to regenerate new complete infrastructures every time you deploy with no real penalty, and a truly identical dev, test, and production environment that your QA team can actually get a good read off of. Plus, like Noah said previously, you get what I call a pre-flight auditing of your infrastructure and the ability to verify everything is going to come out the way you expect it, so you know that you’re already in compliance and you’re already going to meet your security policy before you even push the button for deployment. Imagine getting the compliance done on an infrastructure template because they’re so accurate in how they portray your environment — it would be so painless compared to where we live today. On the flipside of the coin, if you can spin up 10,000 servers at the push of a button, you can make 10,000 mistakes with the push of a button with infrastructure as code. So, one wrong machine image attached to a template — say something that’s vulnerable to a known exploit — and you could deploy it to a massive infrastructure. It’s really difficult for humans to detect those errors because there are just too many parameters and components in the infrastructure out there to manually examine. An attacker could potentially find and exploit a mistake at scale before the operational staff and their systems detected it in this type of edge case situation. Similarly, exfiltrating data and data loss can happen on a monumental scale — it’s really easy to kick off a recursive copier back off a large data store and improperly secure and store the results. We saw this with the big S3 exposures in Amazon years ago where someone would mark a tick box in the UI and expose 100 million people’s motor information, for example. It touched all of us, whether we know it or not in this country, and it touched a lot of people around the world in the same way and can have powerful repercussions. I think the power of declarative infrastructure templates and the pre-flight auditing to secure environments far outweighs the risks, as long as we live in a world where the carbon-based life forms can keep their dirty appendages off the keyboard long enough to let the system do its job, because most of those issues are totally human-inspired and human-led.

Noah: Yes, there’s absolutely a challenge. The existing ways that we try to solve these problems are still manual, and there are people with hands on keyboards trying to fix things. Infrastructure automation is a wonderful thing, but to Tim’s point, you can make massive mistakes, it can explode out of control very quickly and you have far less visibility into all of your infrastructure resources. However, there are now easier ways to solve these problems leveraging automation. With infrastructure as code you’ve been able to simplify environments and make them far more efficient. Automation comes with a lot of responsibility and that means that people need to adapt to it and leverage solutions that integrate closely with those new solutions to make sure that it remains secure.
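The “pre-flight auditing” of a template that both answers above describe can be made concrete as a policy check that runs in CI before a deploy. The example below is added here and is not code from Evident.io, Palo Alto Networks, or anyone interviewed; it assumes a CloudFormation-style JSON template, an approved machine-image allow-list maintained by the security team, and uses constructed placeholder image IDs and resource names. It flags the two failure modes Tim names: a template that would fan out an unapproved image to every instance, and an S3 bucket that ends up publicly readable.

```python
"""Pre-flight policy check for an infrastructure-as-code template (added example).

Assumptions: CloudFormation-style JSON under a top-level "Resources" key, and an
allow-list of approved image IDs. All IDs and names below are constructed
placeholders, not real AWS identifiers.
"""
import json
from dataclasses import dataclass

APPROVED_IMAGES = {"ami-approved-001", "ami-approved-002"}  # constructed placeholders
PUBLIC_ACLS = {"PublicRead", "PublicReadWrite", "AuthenticatedRead"}
PAB_KEYS = ("BlockPublicAcls", "BlockPublicPolicy",
            "IgnorePublicAcls", "RestrictPublicBuckets")


@dataclass(frozen=True)
class Finding:
    resource: str   # logical resource name in the template
    rule: str       # stable rule id for dashboards / CI annotations
    message: str


def _image_ids(rtype, props):
    """Yield machine image IDs referenced by instance or launch-template resources."""
    if rtype == "AWS::EC2::Instance" and "ImageId" in props:
        yield props["ImageId"]
    if rtype == "AWS::EC2::LaunchTemplate":
        data = props.get("LaunchTemplateData", {})
        if "ImageId" in data:
            yield data["ImageId"]


def check_images(name, rtype, props):
    """One wrong image in a template is deployed to every instance it creates."""
    for image in _image_ids(rtype, props):
        if image not in APPROVED_IMAGES:
            yield Finding(name, "IMAGE_NOT_APPROVED",
                          f"{image} is not on the approved image list")


def check_buckets(name, rtype, props):
    """Catch the 'tick box in the UI' exposure before it reaches production."""
    if rtype != "AWS::S3::Bucket":
        return
    if props.get("AccessControl") in PUBLIC_ACLS:
        yield Finding(name, "BUCKET_PUBLIC_ACL",
                      f"AccessControl={props['AccessControl']} grants public reads")
    pab = props.get("PublicAccessBlockConfiguration", {})
    if not all(pab.get(k) is True for k in PAB_KEYS):
        yield Finding(name, "BUCKET_PUBLIC_ACCESS_NOT_BLOCKED",
                      "PublicAccessBlockConfiguration must set all four flags to true")


def preflight(template):
    """Return every policy finding; an empty list means the template may deploy."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        rtype, props = res.get("Type", ""), res.get("Properties", {})
        findings.extend(check_images(name, rtype, props))
        findings.extend(check_buckets(name, rtype, props))
    return findings


def deploy_allowed(template):
    return not preflight(template)


# Constructed sample template: one unapproved image, one publicly readable bucket,
# one bucket and one launch template that pass.
SAMPLE_TEMPLATE = json.loads("""
{"Resources": {
  "WebFleet":     {"Type": "AWS::EC2::Instance",
                   "Properties": {"ImageId": "ami-unapproved-999"}},
  "BatchLT":      {"Type": "AWS::EC2::LaunchTemplate",
                   "Properties": {"LaunchTemplateData": {"ImageId": "ami-approved-001"}}},
  "ExportBucket": {"Type": "AWS::S3::Bucket",
                   "Properties": {"AccessControl": "PublicRead"}},
  "LogsBucket":   {"Type": "AWS::S3::Bucket",
                   "Properties": {"AccessControl": "Private",
                                  "PublicAccessBlockConfiguration": {
                                    "BlockPublicAcls": true, "BlockPublicPolicy": true,
                                    "IgnorePublicAcls": true, "RestrictPublicBuckets": true}}}
}}""")

if __name__ == "__main__":
    for f in preflight(SAMPLE_TEMPLATE):
        print(f"{f.resource}: [{f.rule}] {f.message}")
    print("deploy allowed:", deploy_allowed(SAMPLE_TEMPLATE))
```

Wiring `preflight` into the pipeline step that precedes `deploy` turns the “already in compliance before you push the button” idea into a gate rather than an after-the-fact scan.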

As the market becomes more application-centric does cloud security need to shift left and be more embedded in CI/CD? Developer-centric?

Tim: Yes. Yes. There’s no more to be said other than: YES — IT’S ABOUT TIME PEOPLE.

Noah: Yes. At this point, security teams are setting the guard rails. And then the onus is on the development team or DevSecOps professionals. Historically, devs cared primarily about deploying code, not making sure it was secure. Now we have that convergence and we need to continue to push in that direction, especially as we abstract away infrastructure and backend work. Developers can continue to focus on building applications. We just need to embed security in that development process, so security doesn’t become a blocker.

How does this market shift change how startups in this market should think about their GTM approach?

Tim: I don’t think they should change their go-to-market approach a lot, but I think they should reevaluate a bit. Startups in this market should be heavily selling to the pain-bearers — those who are suffering most and stand to reap maximum benefit from your solution. Just because somebody could buy your product doesn’t mean that they understand the intrinsic value of what it will mean in their day-to-day if they were to have the product. Selling the true value of what you have as a product to the right people is key; specifically, showing how you can tie it in and amplify the value of what they already have, and how you can free up human brains/hands to do more important work, goes a long way to getting in the door with organizations. Everyone is competing for the same human resources, the same budget. You really have to differentiate in what makes you the best partner for the organization or customer and how you’re going to make their lives better in very short order. The days of year-long proof of concept evaluations and things like that are long gone. You’ve got days or weeks to prove that you have the best technology to solve their particular issue. And if you can’t do that, they’re not going to talk to you again for two or three years until the life cycle passes by. You have a very short window in which to very quickly demonstrate value, find the champion inside an organization, and then get them to become a customer. And now, you have to do all of this remotely in the COVID-19 era. So, it’s really an approach that no longer depends on taking people to lunch and having these long in-person meetings, but is more focused on: can your company and its products stand on their merits and actually do really well inside these organizations?

Noah: Even before we hit the global pandemic, companies were selling less and less top down. The world is becoming more developer-centric — developers have far more power within an organization to make the decisions around buying different technologies like security, especially as we see the convergence around DevSecOps. Now, it’s more about getting broader adoption and, to Tim’s point, getting people excited about what you’re building. My suggestion would be to think about what you can open source. How can you leverage that open source to drive adoption and iterate on a solution that solves an acute pain? For example, can you show some level of cloud resource visibility early on? By finding that beachhead use case and wedge that you can give away for free, you’ll be able to drive adoption and build a strong community of developers and security professionals who love you. That community can guide your product direction for years to come by telling you where the pain is most acute and which features really matter to build next.

What do you think the biggest opportunity is for startups entering the space?

Tim: I think it’s the same as it has always been — the biggest opportunity is to innovate on the groundwork laid by your predecessors. There’s unrivaled computing power, data storage capacity, and network capacity at your fingertips. How do you reframe the problem statement and use infinite infrastructure capacity to unwind the legacy mess that has been left at most organizations? How do you get butts out of those legacy seats and put them in the driver’s seat of innovation? Don’t think about how you do X better than the incumbent — think about how your ability to do that is unlocking new opportunities for the people who embrace your product. I think that’s really the mindshift difference that will make a big change in cybersecurity. We see a lot of startups in cybersecurity that are basically feature companies — the idea that’s a one-trick pony. And they raise money and then they never go anywhere specific as a scaled company because they run into walls where they’re not contemplating all the problems a customer has and they’re not a platform. I think that’s a dead end approach from the beginning. In order to build companies that truly scale and solve mass customer issues, we need much more thought going into what problems we’re solving, rethinking the questions we’re asking about security, and truly innovating with this new power at our fingertips that we didn’t have before.

Noah: Tim is exactly right. So many people — especially in security — build these features for a singular problem that they see, but don’t take the next step of asking, “What does that grow into? How do I leverage that into a broader platform?” I see the opportunities to build better visibility in and control of your cloud resources. Additionally, I think there needs to be a next generation of IAM that really understands who is accessing what, who is allowed to access what, and when they can access. Most existing solutions today I’ve seen don’t even come close to the granularity needed to effectively solve the current IAM problem. Largely, technology that is application-centric, plays into this DevSecOps convergence, and continues to shift security left, I believe will have a leg up going forward. It’s all about adoption. As Tim mentioned, a lot of these feature-based companies fall down because they’re just never operationalized internally. Sometimes they’re able to sell and get that early traction around the space, but what builds a longstanding company is the ability to understand who is using your technology and make them successful. So much of it is having the right UI/UX today. So, how do you make sure that it’s operationalized internally? Continue to be dynamic and iterate on customer feedback, figure out what’s need-to-have vs. nice-to-have, what is the next piece that fits into this platform puzzle, and adapting your longer-term product vision as you go along.
