Aqua Security has acquired CloudSploit, a provider of tools for monitoring configurations of cloud services, as part of an effort to extend its cybersecurity portfolio.
Rani Osnat, vice president of strategy for Aqua Security, said the acquisition further extends the reach of Aqua Security’s portfolio beyond containers, virtual machines and serverless computing frameworks to include service posture management.
Misconfiguration of cloud services occurs because most developers are not experts when it comes to provisioning IT resources. Many of them assume that the cloud service provider is proactively managing security, only to find out later that the cloud service provider secured only the infrastructure on which the application is deployed. Cloud service providers expect IT organizations to secure the application and make sure that both the application and the infrastructure on which it runs are configured properly.
The acquisition of CloudSploit marks the second acquisition Aqua Security has made this year, at a time when many of the pioneers of cloud-native security platforms are being acquired. In August, the company acquired Trivy, a provider of an open source tool for scanning open source code.
Aqua Security is committed to shifting as much responsibility for application security as far left as possible onto the shoulders of developers, said Osnat. By making those tools available to developers, security then becomes an integrated element within DevSecOps best practices. Cybersecurity teams, however, are still typically responsible for monitoring security once an application is deployed in a production environment. The challenge now is defining the new segmentation of duties and then finding a platform around which developers and cybersecurity professionals can more easily collaborate, said Osnat.
Obviously, cybersecurity professionals have a vested interest in getting developers to assume more responsibility for cybersecurity. The challenge is that many cybersecurity professionals don’t always trust developers to do the right thing for cybersecurity when they are either under deadline or simply prefer to focus more of their time on application code. The truth is, many developers still view cybersecurity as a function to be avoided because cybersecurity teams prevent them from delivering more code faster. There are not enough cybersecurity professionals to participate in every application development process, so they will need to find a way to trust, yet verify, that developers are putting the right controls in place.
Longer-term, Aqua Security is positioning itself to be able to collect massive amounts of data via SaaS applications that should enable it to apply predictive analytics and machine learning algorithms to cybersecurity. Cybersecurity companies will need to be careful about using the phrase “artificial intelligence,” noted Osnat.
“AI is a highly abused term,” he said.
In the meantime, it’s clear cybersecurity workflows will become more automated. It’s just not likely to happen unless cybersecurity and developer teams come together to define those processes.