Aqua Security buys CloudSploit, expands into cloud security

Aqua Security broadened its reach beyond containers this week with the acquisition of CloudSploit and new VM support as enterprises navigate a plethora of choices for cloud security tools.

CloudSploit, founded in 2015, is part of an emerging field Gartner calls cloud security posture management, which tracks and enforces best practices on the security of user and service accounts on public cloud platforms such as GitHub, AWS and Microsoft Azure. Terms of the acquisition, which was closed over a month ago, were not disclosed. The Silver Spring, Md.-based company's employees will join Aqua Security, and the company's product has been renamed CloudSploit by Aqua. The tool will be integrated into Aqua's other products in the first half of 2020, and a standalone version will also likely remain available indefinitely, according to Aqua executives.

The deal comes amid broad upheavals in the market for cloud and container security tools marketed to enterprises. Traditional IT vendors such as Palo Alto Networks, VMware and Qualys have begun to buy up newer players such as Twistlock, Carbon Black and Layered Insight, respectively, as users struggle to streamline the number of tools they must manage to cover both legacy and cloud-native apps.

While analysts have predicted many traditional enterprises would look to trusted vendors to integrate newcomers' IP into familiar tools, Aqua Security's expansion reflects a parallel trend, where container security specialists also expand to cover traditional infrastructure.

Fernando Montenegro

"Securing cloud-native applications is about more than just containers and serverless," said Fernando Montenegro, an analyst at 451 Research.

This is the second acquisition in the last month focused on cloud security posture management. Trend Micro bought a tool similar to CloudSploit's with its $70 million acquisition of Cloud Conformity on Oct 21.

Securing cloud-native applications is about more than just containers and serverless.

"These deals highlight that people are looking for assistance figuring out what their cloud presence is," in addition to securing new kinds of cloud-based workloads, Montenegro said.

Aqua Security also rolled out new support in its Cloud Native Security Platform (CSP) for VMs other than container hosts, officially expanding its product beyond a container security focus. Previously, CSP 4.0, released in March, added support for VMs that ran containers, but this week's update adds file integrity monitoring, machine image assurance, network discovery and microsegmentation capabilities for VMs where no containers are present.

Cloud security tools still a tangled web

Many traditional enterprises do want to wait for container and cloud security tools from traditional vendors. But some early adopters of container security tools from Aqua Security and competitors such as Twistlock have said they'd prefer to see cloud-native specialists expand to cover VMs rather than look to VM-based security tools to catch up with new architectures, since they expect cloud-native apps to become their primary focus as DevOps matures. Aqua Security executives said that's been the stance among such blue-chip customers as JP Morgan Chase, Lockheed Martin and Starbucks, as well.

Still, while there's nothing to preclude Aqua Security from expanding into bare-metal servers on-premises, the company intends to remain focused on cloud security, so enterprises with bare-metal hosts on premises will need separate security tools for those. There also remains a glut of separate tools for various layers of cloud infrastructure, such as Kubernetes and service mesh. Among the chief complaints of early microservices security practitioners is that there are too many tools to manage.

"We're a SaaS-based company and we never met a SaaS product we didn't like," said William Dougherty, vice president of IT and security at Omada Health, a San Francisco-based digital healthcare provider. Omada Health is evaluating container support in tools from Trend Micro, which it already uses for other domains of cloud security, but hasn't settled on a container security strategy yet. "I wish I had fewer vendors."

 It's a situation that doesn't look likely to be resolved soon, analysts said.

"Work efforts are becoming more and more distributed under DevOps, and the struggle comes from the fact that security remains a very centralized function," Montenegro said. "We're awash in tools, panels and dashboards, in part because security is trying to maintain its visibility over all these different work streams."

Instead of tools and workstreams converging, Montenegro predicted that enterprise IT security will itself become a more distributed discipline. Under such a structure, security professionals will give DevOps teams a means to secure their own workloads but maintain centralized incident response capabilities if something bad happens.

"We're not there yet," he said. "It's an area where people are struggling with complexity, and where the consequences of misconfigurations can be severe."