How the Google-Wiz acquisition redefines cloud security

How the Google-Wiz acquisition redefines cloud security CNAPP is Dead! Long Live CNAPP! What does the future hold for our customers? Google’s acquisition of Wiz, announced last week, is a pivotal moment as it marks a strategic shift in how cyber security will evolve over the next few years. It instantly turns Google into a major player in security, adding Wiz to other building blocks Google has racked up in the past couple of years, most notably Mandiant and Google Chronicle. Google will be a new gorilla in the security market, just as Microsoft created a thriving, multi-billion dollar business out of the Defender product line. But while Microsoft has a long history of “owning” operating systems, servers, and Office applications, and is leveraging that to expand its footprint, Google is new to the enterprise security business. In the first phase of public cloud adoption, the “lift and shift” phase, CSPM (cloud security posture management) emerged to ensure proper configuration of cloud services, and CWPP (cloud workload protection platforms) to monitor and protect workloads running in the cloud. The second phase of cloud adoption, the cloud native phase, driven by technologies such as containers, serverless functions, CI/CD, and orchestration (Kubernetes), imparted an even more dramatic change in security – the integration of multiple silos of application related security information. It introduced integrated shift left capabilities , providing a broader risk-based approach to vulnerability management, hardening, and incident management. Thus CNAPP (cloud native application protection platforms) was born. In the early days of cloud services, the cloud providers adopted the shared responsibility model in which some responsibilities were borne by them (such as infrastructure and physical security), others were clearly on the shoulders of customers (configuring of services, their data, their users, their applications), and there’s been a non-negligible area of “shared responsibility” where the answer is often “it depends”. I believe that with this move, Google is shifting the borders within this model and will be offering more of the posture management and visibility to customers as part of its infrastructure. After all this is what Wiz has become famous for – agentless scanning of the cloud estate, providing broad visibility and risk assessment. And this is something a cloud provider can easily integrate into cloud operations.