Cloud Security from First Principles

A guest post about cloud security from Frank Wang, an ex-VC turned cybersecurity engineering leader with a Ph.D. from MIT and author of Frankly Speaking.

This is a guest/cross-post written by Frank Wang, an ex-VC turned cybersecurity engineering leader with a Ph.D. from MIT. Frank writes the blog, Frankly Speaking, and he has some really interesting perspectives on building security at startups and the broader cybersecurity industry.

This is not a sponsored post; Frank is a friend, and I really like this writing, so I wanted to spotlight his work.


As many of you know, I’ve been thinking a lot about cloud security, and what it really means. Recently, I’ve been trying to think about it from first principles because managing security in a public or multi-cloud world requires a fundamental paradigm shift. I’ve talked about how the public cloud is changing IT and security, specifically, how the public cloud is more session-based and has elasticity and better IT management.

What I learned from my Ph.D. is that confusing problems should start from first principles. Forget about Kubernetes, IT teams, etc. What is a system? I think of a system as having two fundamental things: endpoints and networks. In a traditional IT system, endpoints are servers and laptops. Networks are the wide-area network (WAN), the corporate network, and the devices managing this.

In a public cloud setting, this is more nebulous. There isn’t a corporate network you can trust (however, SaaS applications already started to break that down), and you have little to no control over that network. The notion of a “server” has been abstracted away as cloud providers give you access to an instance based on an ID without telling you server specifics. As you see, in some ways, this is nice. SLAs and sharing infrastructure give you great elasticity, and you don’t have to manage the details of the servers and network. However, you can’t easily customize the servers and network.

From a network standpoint, you have limited traffic visibility of traffic — only what the cloud providers give you. At this point, it’s just easiest to assume that all traffic is malicious (“zero-trust”). This is nice because you don’t have to worry about insider threats separately from external ones. Also, there can be a reduced focus on network security. However, this paradigm places more burden on the endpoints.

Endpoints can no longer rely on having a private network with trusted traffic. There is no such thing as an endpoint that doesn’t interact with the external world. Consequently, endpoints need to be “hardened” in some way. They have to have strong identities and authorization policies. Also, the network cannot enforce data policies, so endpoints have to track and enforce data policies. It’s no surprise that cloud-native companies have focused so much on identity and data governance.

Up to this point, I haven’t even mentioned the use of Kubernetes, which takes advantage of the elasticity of the cloud. Istio and Envoy aim to solve some of the problems above for Kubernetes traffic, but what about non-Kubernetes traffic?

Here are some other questions on my mind:

  • How does privileged access management change?

  • Asset management is going to be a bigger issue because the cloud makes creating assets like data and endpoints easier. How should we do asset management in the public cloud world? What should we classify as assets, and what should we track?

  • Identities are becoming more important, but how does the notion of identity change, and how do they work in a hybrid and multi-cloud world?

  • How do these changes affect the structure of security programs? How does incident response work? The concept of EDR rose out of a need for incident response due to endpoints leaving the corporate network and being infected. With a great focus on endpoints, what other endpoint management tools will be necessary?

This is only the beginning of the paradigm switch. We are already seeing fundamental changes in the way we think about security. As cloud usage evolves, there will inevitably be more changes.


Yeah… mine are definitely meant to provoke other VCs.

Thanks to Frank Wang for letting me cross-post his work!

Join the conversation

or to participate.