The trends in network security

Unfortunately, hypergrowth tech has been a less than ideal place to invest since Thanksgiving, and now into 2022. Yet the companies of my interest continue to execute incredibly well. I look for hypergrowth to tell me the company can execute, then listen to what the company is telling me, what the financials are telling me, and what the products are telling me about where these platforms are going – all within the industries showing positive trends over the next few years.

For the bigger industry picture, I typically look through the lens of the big industry stewards like Gartner and Forrester – who are not always correct, but generally so, and are heavily utilized as guide rails by enterprise leadership on what technology trends to explore. Beyond those, I also keep an eye on surveys that look at which tools and techniques are being heavily adopted by the C-suite and decision-makers.

Let's look at what the reported trends are in cloud, network, and application security, and what looks likely to drive the next waves of success. For this industry, I trust Gartner heavily, who has been ahead of the curve in its view of perimeterless security. Spoiler: Security remains incredibly important, and Zero Trust and SASE are well-positioned for a lot more success over the coming years. Along the way, I will highlight some specific areas that relate to CrowdStrike, Zscaler, Cloudflare, and Datadog.


The App Economy Keeps Growing

Two slides stood out in Benedict Evans's latest state of technology report from Dec-21, "Three Steps to the Future", showing how the App and API Economies continue to soar.

SaaS usage continues to expand across industries, with the compliance-driven (heavily regulated) industries a bit more reluctant to adopt. There doesn't seem to be much bundling going on – more and more point solutions keep appearing, so the count continues to rise.

I find it interesting that the use of SaaS tooling is expanding most heavily in security and engineering (DevOps) teams. Reading between the lines – with the continued adoption of all these SaaS tools, the network perimeter keeps on expanding, and the need for identity-based security features, such as Zero Trust, continues to grow.

How many SaaS tools are being utilized? Productiv, a SaaS tool management and governance platform, released its latest "The State of SaaS Sprawl" report in Sep-21, based on anonymized data from their platform. They state that organizations are using a huge number of SaaS tools, with each department using 40-60 on average, resulting in an average of 254 across the entire company – or up to 364 SaaS tools used in the largest enterprises. Yow!

The focus of their survey was Shadow IT concerns – where enterprise users are using unsanctioned (shadow) apps that aren't being properly managed by IT. They report on average that 56% of utilized enterprise apps (+4pp YoY) are unmanaged, most heavily in smaller companies. Of the resulting IT-managed apps, 70% are behind an SSO (Single Sign-On), such as Okta, for access.

Controlling access to only sanctioned apps is what CASB (Cloud Access Security Broker, to govern SaaS access) tools are attempting to address. I also expect the continued rise of SaaS tools to see an uptake of SaaS-focused DLP (Data Loss Protection, to govern data access) solutions, to better hone the governance and control over the underlying data being accessed across these tools. Remote Browser Isolation (RBI) is also gaining in importance – especially given the recent performance gains in the latest generation of tools, powered by edge networks – as it provides a sandbox that lessens the threat exposure of using the public Internet.

These are all areas where Secure Web Gateway (SWG) + Zero Trust platforms can provide a huge benefit. SWG + Zero Trust are platforms for securing enterprise users' access to external SaaS tools and internal apps, regardless of where the user or the app lives. These services, such as from Zscaler (ZIA + ZPA) and Cloudflare (Cloudflare for Teams), can help tame this app sprawl, plus can provide these related security needs (CASB, DLP, RBI) over the enterprise's use of SaaS tools. [If you need a primer on SWG + Zero Trust, see "What is Zero Trust?".]

A walk through Gartner's vision

Let's dig into Gartner's vision of what is likely to be big drivers of growth over the near term. [It involves a lot of security acronyms, so I'll try to provide quick explanations inline.]

In their new digital experience trends in Nov-21, Gartner predicts that 85% of orgs will be cloud-first by 2025, and 95% of workloads (vs 30% in 2021). One of the key emerging trends they are focused on for 2022 is SASE Networks. [If you need a primer on SASE Networks, see "What are SASE Networks".]

SASE Networks are a distributed Zero Trust network control plane, to securely interconnect across an enterprise's disparate users, apps, devices, and environments. Gartner believes that 50% of orgs will have a SASE strategy by 2025 (vs 5% in 2020). They had earlier released their 2021 Strategic Roadmap for SASE Convergence in Mar-21, which covered strategies to move into SASE. They predicted that SWG + Zero Trust platforms will be adopted by 30% of orgs in 2024 (vs 5% in 2020) – along with related security capabilities, like CASB, DLP, RBI, and web application firewalls (WAF) to help secure incoming requests. They also predicted that SASE + SD-WAN initiatives will be adopted by 60% of orgs (vs 10% in 2020).

Zero Trust and SASE Networks are just getting started. And they feed off each other, as Gartner stressed that Zero Trust can serve as the starting point towards fuller SASE adoption.

👨‍💻
A new product name has emerged: After that roadmap in Mar-21, in their security-focused Hype Cycle reports in Jul-21, Gartner then split SASE features (centralized control plane) apart from SWG + Zero Trust platforms (securing internal and external app access). They have created a new subset called Security Service Edge (SSE), which now represents the SWG + Zero Trust portion of the mix – such as the platforms from Zscaler (ZIA+ZPA) and Cloudflare (Cloudflare for Teams). SSE can serve as the foundation for other related security capabilities, like CASB, DLP, RBI, and WAF. This leaves the SASE Networks platforms to remain focused on being a centralized secure control plane over Zero Trust. SSE now serves as the entry point towards fuller SASE adoption. (See the "Security Service Edge" section in either security hype cycle below for more details on SSE.) I must admit, Gartner's naming really stinks here, as SSE (Security Service Edge) is sure to be confused with SASE (Secure Access Service Edge). And, weirdly enough, the dropped letter, "A", stands for "access", which is what the SWG + Zero Trust part of the platform is for!

Gartner now has a new Magic Quadrant for SSE (SWG + Zero Trust), which was just released in Feb-22. This appears to be Gartner merging their earlier Magic Quadrants for SWG (protecting web traffic) and CASB (governing web traffic). Zscaler was alone in the leader quadrant for SWG before this, but has now been joined by companies that were stronger in CASB. Private companies Netskope and McAfee Enterprise were a Visionary and a Challenger in the previous Magic Quadrant for SWG. Zscaler's CEO commented on this intermingling by Gartner during their latest earnings call, as he felt Gartner was overemphasizing CASB (out-of-band) features over SWG (inline). As a sign of this, Cloudflare was not included, as it did not have CASB features at the time of evaluation (but has since acquired Vectrix). [For an explanation of out-of-band vs inline protection, see the Zscaler platform dive. Basically, out-of-band is a scanner via API, and inline is a real-time proxy over traffic.]

The latest Magic Quadrant for SSE, Feb-22.

Their Hype Cycle for Cloud Security from Jul-21 predicts that 70% of enterprise workloads will be in the cloud by 2023 – which is a massive uptick from the ~30% in 2021. Cloud security is of the utmost importance, and they rate SASE Networks as the most transformative change to make over the next few years, along with having a high priority for adopting SSE (SWG + Zero Trust) and CSPM (container security posture scanners). Mature security features like Cloud Workload Protection (CWP) (runtime protection of VMs and containers) and CASB (governing SaaS access) are already being heavily adopted. More nascent are CIEM (governing cloud infra services) and SaaS Security Posture Management (SSPM, a version of CSPM that scans the security posture of SaaS platforms instead of containers). All of these cloud security needs continue to bode well for Zero Trust platforms like Zscaler (SASE, SSE, CASB, DLP, RBI, CSPM, CIEM) and Cloudflare (SASE, SSE, RBI, WAF), as well as adjacent cloud-native security providers such as CrowdStrike (CSPM, CWP), SentinelOne (CWP), and Datadog (CSPM, CWP).

I expect more bundling here over all these security services. In their look at security & risk trends in Nov-21, Gartner mentioned that 80% of CISOs are attempting to consolidate vendors.

👨‍💻
A new product name has emerged: In a follow-up report in Aug-21, Gartner envisions a new bundled platform over all these security features, which it calls Cloud-Native App Protection Platforms (CNAPP). They now envision all-encompassing platforms emerging that do all the DevOps and real-time security features together in one. This would span both the pre-release and post-release sections of security that I just covered in the modern DevOps workflow. Pre-release security features would include code scanners (SAST), secrets scanners, container image scanners, dependency scanners (SCA), and IaC scanners. Post-release security features would include DAST and IAST testing tools, CSPM (container posture scanners), CWP (container runtime protection), CIEM (govern cloud access), and WAAP (next-gen app firewall). Quite the bundle. I'm not aware of any company that does all the above, as it is rare for security companies to get into DevOps code-level security (and vice versa). Gartner stressed that none of the providers in their list of examples cover all their desired features. Cloud security-focused platforms provide portions of the runtime aspects (like CSPM, CWP, CIEM, WAAP), as does Datadog (CWP, CSPM) – but it is hard to envision them wanting to get into code-level security concerns like code, dependency, container image, and IaC scanning. DevOps-focused companies like GitLab, JFrog, and Snyk already do those things extremely well. So I'm not sure about this newly proposed bundle between the two opposite sides of app security, as these are really different focuses. I think it is better if both those sides integrate well – such as in Datadog's partnership with Snyk. CNAPP just doesn't snap for me. (At least the name isn't confusing, like with SSE.)

Their Hype Cycle for Network Security from Jul-21 gives a broader view into network security, with significant overlap with cloud security features above. They again rate SASE as the most transformative wave coming over the next 2-5yrs, but also place a high emphasis on Cloud WAAP (Web App & API protection), which is the next evolution of web app firewalls (WAF), as well as SSE (SWG + Zero Trust), Remote Browser Isolation (RBI), and SD-WAN. [See my prior discussion on the relationship between SD-WAN and SASE Networks.]

The Hype Cycle for App Security from Jul-21 covers a lot of the same features as network security (SSE, Cloud WAAP), but through the lens of the DevOps need to secure the applications being deployed. It has a high priority on adopting dependency scanning (SCA), IAST (interactive app testing), Service Mesh, and DevSecOps (shifting security left). [These are areas GitLab and HashiCorp are heavily involved in. More on these features in a coming post on DevOps trends.] Interestingly, Gartner removed RASP (embedded runtime app protection, which Datadog and Fastly/Signal Sciences both provide) from this year's Hype Cycle, and no explanation was given. (Perhaps they expect it to fold into the new CNAPP bundled platform they are proposing? Speaking of which, I am surprised CNAPP isn't included on this Hype Cycle – it has "App Protection" right in the name.)

All in all, the immediate future seems bright for Zero Trust and SASE Networks, which are both expected to see significant uptake over the next few years. Given the trend of bundling going on (across the entirety of cloud, network, and app security needs), SASE Networks, in particular, remain an architecture with a lot of optionality across all these security needs.

Add'l Reading

The SaaS graphics and stats above were from:

Here are all the Gartner resources that were used:

This post was originally written in January 2022, plus I added a bit of commentary on the recent Gartner MQ for SSE.

- muji