In Cloud We Trust
The adoption and utilization of cloud technology is rapidly changing the IT landscape. We think this technology provides the democratization of immense computing power to everybody because it gives every user the same access to powerful computing without having to set up costly data centers.
The trend in cloud computing has allowed start-ups and new companies to grow at explosive rates. As a result, a digital transformation within companies will be necessary to keep up in the environment of disruption and rapid change. And as companies engage in digital transformation, they will become increasingly more dependent on the cloud infrastructure. But in a world where security breaches dominate the headlines, the ambiguity that surrounds cloud computing can make securing the corporate network seem daunting. These concerns have led some Chief Information Officers (CIOs) to inhibit their organizational use of public cloud services.
The cloud services companies of all sizes…The cloud is for everyone. The cloud is a democracy.
Marc Benioff, Founder & CEO of Salesforce
The data explosion is the rapid increase in the amount of published information or data and the effects of this abundance. As the amount of available data grows, the problem of managing the information becomes more difficult, which can lead to information overload. Some interesting statistical facts are described as below1,2:
- Between 1990 and 2005 the capacity of hard disks increased a thousand fold, and it continues to increase today.
- We produce the same amount of content as stored in the Library of Congress, the largest library in the world, more than 8’500 times per day.
- Today, the US National Security Agency (NSA) collects as much information as held in the entire Library of Congress every six hours.
- 2.5 quintillion bytes (2’500’000’000’000’000’000 bytes) of data are created every day.
- 40 zettabytes (1 zettabyte = 1’000’000’000’000 Gigabytes) of data will be created by 2020.
- Most companies in the US have at least 100 Terabytes (= 100’000 Gigabytes) of stored data.
These high volumes of data present a challenge. How can we manage and secure the essence of this data rather than just stacking it?
Prior to the cloud technology, software was traditionally sold as a perpetual and on-premise solution where the customer buys from the software vendor. Under this model a customer buys an upfront perpetual license and pays an annual maintenance and service fee for support. This on-premise software model began to break down around a decade ago as the first cloud computing model was introduced. This new approach allows customers to subscribe to a service in a vendor-based model, which is accessible over the internet. With the advent of the cloud the investment in on-premise software, along with maintenance and support costs, were removed at a stroke. A cloud services platform offers customers rapid access to flexible and low-cost IT resources and they only have to pay for what they use.
According to Market Research Future this transition from on-premise solution to the cloud is happening quickly, driving the global cloud computing market an impressive compounded annual growth rate (CAGR) of 15%.
As mentioned in the beginning, one of the key drivers of cloud computing is the data explosion, in this context especially the growth of unstructured data3. Enterprises are digitizing an increasing number of business activities, leading to significant growth in unstructured data. According to Oracle and IDC, a provider of market intelligence and advisory services, unstructured data accounts for almost 80% of total enterprise data and is growing 42% p.a. versus just 22% growth in structured data as shown in Fig. 2 below.
Unstructured data is typically stored outside of the corporate network in a cloud storage environment, usually in form of applications in digital archives. On the other hand structured data is stored on-premise in a database as a backup (usually the data is stored at the same place where the company is located, e.g. in a local server down in the cellar). With more data is expected to reside outside of the corporate network (and very often even in another country with a different legal system), we believe enterprises will have to increase spending on IT security in order to provide secure data access.
Privacy and identity in the cloud
Cloud computing poses privacy concerns because the service provider can access the data that is in the cloud at any time. It could accidentally or deliberately alter or delete information. Many cloud providers can share information with third parties if necessary for purposes of law and order without a warrant. According to the Cloud Security Alliance, the top threats in the cloud are insecure interfaces and API's (application programming interface), data loss and leakages as well as hardware failure4.
Going forward we believe organizations will have to evaluate alternative emerging tools in the field of cloud security. For the most part traditional vendors have taken care of securing the IT infrastructure, including network perimeter, hypervisors and host access control. However, when it comes to protecting the data traffic between different interfaces and applications outside of the corporate network combined with implementing anti-malware solutions and ensuring compliance with current policy requirements, the complexity will dramatically increase. Very often the responsibility of the protection shifts from the cloud providers to the customers.
In the world of cloud computing the traditional “castle and moats” approach to network security has limitations in terms of scale, latency and costs. Organizations are starting to evaluate IT security applications that inspect the data traffic to protect against potential threats. We therefore think companies whose products and tools are located in the cloud between the users and cloud applications itself and are able to deliver cloud firewalls, intrusion prevention systems (IPS), sandboxing and data loss prevention systems are in an interesting competitive position. Many new use cases evolve around installations of internet connections for mobile and remote branch office employees to cloud and data center applications. We think traditional legacy network and endpoint security vendors have to reposition itself for this opportunity or they are at risk of getting disrupted by cloud security pure players.
Another challenge in securing the cloud is identity and access management. When sensitive data are stored outside of a corporate network, it is crucial to identify who has access to it, how they are using it and with which tools.
Before the rise of cloud computing most organizations exclusively used Microsoft’s Active Directory to manage identity profiles. However, this on-premise approach was challenged when authenticating users for cloud applications. Active Directory was designed to authenticate application access within the firewall, while cloud applications sit outside the firewall. Therefore the need for a cloud-based directory has quickly materialized in the identity market. In general, given the large number of enterprise workload that are expected to shift to the cloud, we believe that cloud security services will become significantly relevant over time than traditional on-premise security controls.
An additional driver for identity and access management is the General Data Protection Regulation (GDPR). This regulation is designed to standardize data privacy laws in Europe and went into effect on May 25th 2018. Failure to comply with this regulation can result in fines of EUR 20 million or 4% of total revenues, whichever is greater. In our opinion this regulation has created a “culture of compliance” in Europe, which we believe will drive spending on identity and access management tools that can help corporations to remain compliant with this regulation. Going forward we wouldn’t be surprised that this data privacy framework (or a similar version) will be implemented in other countries.
As traditional network barriers break down with the proliferation of the cloud, we think new companies with cutting edge technologies are well positioned to capture market share from the established incumbents. We would therefore expect that these trends highlight the need for a best of breed approach. Very often the providers of such products and tools are young and innovative companies in the small and mid cap world.
We think the theme of security & safety is becoming increasingly omnipresent in our daily lives and the implications for the automation of data management as well as data infrastructure (such as data centers) are also becoming more critical. As a result the relationship between security and automation (robotics) is symbiotic, with more regulation requiring more security and controls to be put in place, and in turn more automated systems are needed to manage and maintain these checks and controls efficiently.
As long-term oriented investors we think IT security and more broadly speaking security and safety in general are compelling long term secular growth themes for patient investors. Based on these convictions we are shareholders of a number of innovative and young companies which provide solutions for data loss prevention, email and data archiving as well as identity and access management.
Credit Suisse Asset Management has designed strategies to provide clients with “pure-play” exposure to these compelling and complementary long term secular growth themes: Robotics & Automation, Security & Safety, Digital Health, and Infrastructure. For further information please click here.