The recent Capital One data breach, which compromised sensitive information for 106 million people, including 140,000 Social Security numbers and 80,000 bank account numbers, was executed by a single hacker who exploited a well-known vulnerability in cloud-based SaaS applications – misconfigured web application firewalls (WAFs).
According to the FBI criminal complaint, the hacker made a “number of connections or attempted connections to Capital One’s server from TOR exit nodes.” In other words, they started knocking on a bunch of virtual doors until they found one that was unlocked.
Once they were inside the firewall, the entire hack took just three commands. The first obtained security credentials to access Capital One’s folders, the second listed the contents of the folders, the third extracted the data. But the key vulnerability was the initial unlocked door.
Unfortunately, as enterprises shift to cloud and SaaS technologies, misconfigured cloud services and applications are leaving too many unlocked doors. In a recent 16 Minutes podcast, I covered the importance of enterprises shifting from transitive trust to zero trust security. In this post, I want to discuss how security startups can help enterprises securely transition to cloud and SaaS technologies by providing a single control plane to manage cloud configurations.
The New Security Threat: Misconfiguration
With on-premises software, security breaches were typically the result of stolen security credentials or missing software patches. In the 2017 Equifax hack, for instance, hackers accessed the network because a software patch hadn’t been applied. Today, cloud-based software has increasingly automated software patching, making it less of a vulnerability.
The Capital One breach highlights the new security concern for corporations: cloud-based software that is configured with incorrect or too broad permissions. For Capital One, network access combined with an over-privileged system account enabled a Server Side Request Forgery hack that tricked the storage services into giving the hacker all of the contents stored within a bucket – a file folder that is the most basic container for storing objects and their metadata in the cloud.
In the era of cloud and SaaS, enterprise security starts with getting and maintaining the right permissions and settings across a heterogeneous landscape of software. While cloud and SaaS vendors strive to make individual offerings more secure, the modern enterprise is a multi-cloud environment with a growing number of SaaS tools and applications.
Today, enterprises manage cloud configurations one tool or application at a time. For startups, this is an opportunity to provide security services across cloud vendors.
Getting Security Startups out of the Features Desert
Most cloud security startups, especially CASBs (cloud access security brokers), tend to follow a similar pattern. They talk to customers and identify a single security feature or collection of features that a single cloud provider does not yet offer. They go deep on AWS or Azure, adding features, such as specific security controls, and selling those to customers. But if a startup can provide value on feature X for a specific cloud vendor and customers want that feature, sooner or later the cloud vendor will provide it natively.
Cloud vendors are incentivized to add security features and controls to their own proprietary platforms. AWS, for instance, has a feature to tell someone if an S3 bucket is available to the public, but it does not have a console to manage security of Google Cloud or Azure. As a result, enterprises can manage security within each cloud platform, but they do not have a single tool to manage security features across cloud providers to spot configuration issues – and the cloud vendors are not incentivized to provide one.
Thus, instead of going deep on a single cloud vendor, the better insertion point for a security startup is to focus across the landscape and provide enterprises with a single control plane to detect vulnerabilities and consistently manage configurations for all of its cloud infrastructure.
While continuous monitoring and penetration testing are also important for enterprise security, broad configuration analysis is a notable gap in the security market. Identifying where a company needs to adjust security settings in a single console provides one point to tighten security across the entire cloud surface. And once an enterprise has the ability to corral its cloud infrastructure and maintain a consistent level of configuration, it can push up the stack and look at compliance.
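To make the configuration-analysis idea concrete, here is an added example (not code from the original post or from any vendor) of the two checks a single control plane would run against the conditions behind the Capital One breach: a system role granted S3 listing and reading on every resource, and a bucket whose ACL grants access to everyone. The inventory, role names and bucket names are constructed for illustration; the policy and ACL shapes follow AWS IAM and S3 conventions.

```python
# Constructed sample inventory (hypothetical names, not real configuration):
# IAM role policies keyed by role name, and S3 buckets with their ACL grantees.
SAMPLE_INVENTORY = {
    "roles": {
        "waf-instance-role": {
            "Statement": [
                # Over-privileged: list and read any object in any bucket.
                {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetObject"], "Resource": "*"},
                {"Effect": "Allow", "Action": "logs:PutLogEvents", "Resource": "arn:aws:logs:*:*:*"},
            ]
        },
        "app-role": {
            "Statement": [
                # Scoped to one bucket prefix: not flagged.
                {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::app-assets/*"}
            ]
        },
    },
    "buckets": {
        "customer-data": {"acl_grantees": ["arn:aws:iam::111111111111:root"]},
        "public-site": {"acl_grantees": ["http://acs.amazonaws.com/groups/global/AllUsers"]},
    },
}

# Actions that let a principal enumerate and pull bucket contents.
SENSITIVE_ACTIONS = {"s3:listbucket", "s3:getobject", "s3:*", "*"}
# S3 predefined groups that make an ACL grant effectively public.
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def _as_list(value):
    """IAM allows Action/Resource to be a string or a list; normalize to a list."""
    return value if isinstance(value, list) else [value]

def overprivileged_roles(inventory):
    """Return (role, sensitive actions) for Allow statements that grant
    sensitive S3 actions on every resource ("*")."""
    findings = []
    for role, policy in inventory["roles"].items():
        for stmt in policy["Statement"]:
            if stmt.get("Effect") != "Allow":
                continue
            actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
            resources = _as_list(stmt.get("Resource", []))
            hit = actions & SENSITIVE_ACTIONS
            if hit and "*" in resources:
                findings.append((role, sorted(hit)))
    return findings

def public_buckets(inventory):
    """Return bucket names whose ACL grants access to a public group."""
    return sorted(name for name, b in inventory["buckets"].items()
                  if PUBLIC_GRANTEES & set(b["acl_grantees"]))
```

Running both checks over the sample inventory flags only `waf-instance-role` and `public-site`; in a real deployment the inventory would be pulled from each provider's API and the same checks applied across accounts and clouds.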
The Market Opportunity for a Single Control Platform
The burden of configuring cloud-based tools properly falls to the customers, not the vendors – in fact, Gartner goes so far as to predict that 99% of all cloud security failures will be the customer’s fault by 2023. It’s a market problem that is ripe for a solution because:
- The complexity of cloud configuration and the number of settings to be managed is increasing as enterprises are increasingly multi-cloud and investing in more SaaS applications.
- The rise of APIs makes it easier to interface with multiple cloud platforms and applications.
- Bottom-up product adoption has made it easier for a startup to get into the enterprise. By building a product that’s simple enough for any user and offering a hook, such as a single point-in-time scan with a report on configuration suggestions, a security startup can prove its value to leadership.
- The new generation of CSOs coming in to run large enterprises are often tasked with making the company more cloud forward. And they have a budget to purchase security tools. The information security market alone exceeded $114 billion last year. Furthermore, it’s hard for enterprises to put a price on security because the cost of getting it wrong is catastrophic. In 2015, Bank of America’s CEO Brian Moynihan even went so far as to say the bank didn’t have a cap on its budget for security.
- Cloud vendors are adding new security features at ever increasing speeds. As these offerings become more mature, the multi-cloud enterprise will need a platform to manage security features.
Cloud Misconfiguration and the Impact on SaaS
While enterprises want to be cloud forward, breaches like Capital One’s slow the move to the cloud. Cloud is already a variable infrastructure cost; add the risk of security breaches, and we already see signs that cloud adoption is slowing in financial services and critical infrastructure. The Pentagon is revisiting its decision to pursue JEDI, a $10 billion cloud contract with AWS, and the Federal Reserve is reviewing policies for storing financial data in the cloud.
SaaS and cloud mean enterprises can provision infrastructure on the fly and meet the new demands for customer service and digital experiences. But as long as these technologies create security headaches, our ability to adopt this new enterprise paradigm will be limited to our ability to keep it secure. Now taking pitches for cloud configuration done right.
The views expressed here are those of the individual AH Capital Management, L.L.C. (“a16z”) personnel quoted and are not the views of a16z or its affiliates. Certain information contained in here has been obtained from third-party sources, including from portfolio companies of funds managed by a16z. While taken from sources believed to be reliable, a16z has not independently verified such information and makes no representations about the enduring accuracy of the information or its appropriateness for a given situation.
This content is provided for informational purposes only, and should not be relied upon as legal, business, investment, or tax advice. You should consult your own advisers as to those matters. References to any securities or digital assets are for illustrative purposes only, and do not constitute an investment recommendation or offer to provide investment advisory services. Furthermore, this content is not directed at nor intended for use by any investors or prospective investors, and may not under any circumstances be relied upon when making a decision to invest in any fund managed by a16z. (An offering to invest in an a16z fund will be made only by the private placement memorandum, subscription agreement, and other relevant documentation of any such fund and should be read in their entirety.) Any investments or portfolio companies mentioned, referred to, or described are not representative of all investments in vehicles managed by a16z, and there can be no assurance that the investments will be profitable or that other investments made in the future will have similar characteristics or results. A list of investments made by funds managed by Andreessen Horowitz (excluding investments for which the issuer has not provided permission for a16z to disclose publicly as well as unannounced investments in publicly traded digital assets) is available at https://a16z.com/investments/.
Charts and graphs provided within are for informational purposes solely and should not be relied upon when making any investment decision. Past performance is not indicative of future results. The content speaks only as of the date indicated. Any projections, estimates, forecasts, targets, prospects, and/or opinions expressed in these materials are subject to change without notice and may differ or be contrary to opinions expressed by others. Please see https://a16z.com/disclosures for additional important information.