Orca Security Raises $20M to Secure Cloud Platforms

Orca Security has raised an additional $20 million in funding to drive adoption of an approach to discovering cloud security issues without having to deploy agents.

Company CEO Avi Shua said the Orca Security platform looks for issues including vulnerabilities, malware, misconfigurations, leaked and weak passwords, lateral movement risk and high-risk data in the cloud. It makes use of “side-scanning” technology that examines block storage out of band via a software-as-a-service (SaaS) platform, which it then cross-references with the application programming interfaces (APIs) exposed by the cloud service providers to surface the most pressing cloud security issues.

Shua said one of the primary reasons cloud security remains such an issue is that it’s simply too complex to achieve. Cybersecurity teams are expected to deploy and manage a fleet of remote agent software, and each installation becomes its own mini DevOps project.

All those projects also conspire to increase the total cost of achieving cloud security, he noted. As a result, cybersecurity teams often tend to dissuade developers from deploying applications in the cloud whenever possible because the local on-premises IT environment has already been secured.

The Orca Security platform reduces total cost by focusing on the block storage that is accessed by all the cloud applications that make up the environment, Shua said. That approach makes it possible for IT organizations to take advantage of the inherent agility enabled by cloud computing platforms without having to sacrifice security.

There’s no doubt tensions over cloud security are running high. DevOps teams have increased substantially the rate at which applications are being deployed on public clouds. In the wake of the COVID-19 pandemic, more applications than ever are likely to be deployed in the cloud. The issue is that many DevOps teams are employing IT automation tools to configure cloud applications, which frequently results in misconfigurations. It’s then up to the cybersecurity team to discover the issues, such as what ports may have been inadvertently left open, and remediate them before anything catastrophic occurs.

In theory, of course, the adoption of best DevSecOps practices should lead to a reduction in misconfigurations. However, as long as humans are writing code, mistakes will be made. Cybersecurity teams may have to trust developers more in terms of implementing the cybersecurity controls they define, but there always will be a need to verify those controls are actually in place. The challenge cybersecurity teams face is finding a way to achieve that goal without slowing down the pace of application development and deployment.

It may take a while for DevOps teams and cybersecurity professionals to establish a better working relationship. Historically, cybersecurity professionals view developers as being more a part of the problem than the solution. Given the chronic shortage of cybersecurity professionals at a time when more applications are being built than ever, it’s apparent to everyone involved the current status quo will not hold.

Featured eBook
The State of Cloud Native Security 2020

The State of Cloud Native Security 2020

The first annual State of Cloud Native Security report examines the practices, tools and technologies innovative companies are using to manage cloud environments and drive cloud native development. Based on a survey of 3,000 cloud architecture, InfoSec and DevOps professionals across five countries, the report surfaces insights from a proprietary set of well-analyzed data. Sponsorships ... Read More
Palo Alto Networks
Avatar photo

Michael Vizard

Mike Vizard is a seasoned IT journalist with over 25 years of experience. He also contributed to IT Business Edge, Channel Insider, Baseline and a variety of other IT titles. Previously, Vizard was the editorial director for Ziff-Davis Enterprise as well as Editor-in-Chief for CRN and InfoWorld.

mike-vizard has 491 posts and counting.See all posts by mike-vizard