Oak9, a developer-first infrastructure-as-code (IaC) security provider, says that enterprises have begun to adopt the concept of treating applications as code. For instance, policy-as-code tools like HashiCorp Sentinel are designed to define governance or policy principles. Oak9’s platform is powered by its proprietary Security as Code (SaC), which is designed to assess changes to cloud-native infrastructure — applying the right security against SaC blueprints to risk-appropriately secure a cloud application’s architecture.
The company said organizations today are leveraging multiple tools, technologies and so on. This is why multicloud/multi-IaC language environments are becoming popular. Oak9’s technology-agnostic approach eliminates the need to manage security across multiple tools at once.
The company claims to work with integrated development environments (IDEs), code repositories, continuous integration and continuous deployment (CI/CD) pipelines and chat ops tools, so developers can use their choice of IaC languages, clouds, multi-clouds, workflows, and so on.
According to Alex Brown of the venture capital firm HPA — which led a recent funding round for Oak9 — the market’s IaC adoption has accelerated, making security of cloud apps a vital need which Oak9 can address.
Oak9 claims that its platform accelerates the delivery of cloud-native applications while offering security to identify and address any vulnerabilities. The platform is designed to tell users where security vulnerabilities live in an organization’s cloud, how critical they are, why they exist and how to remediate them. With the tool, organizations have the capability to apply the security fix across their cloud infrastructure.
Talent, budgets and bandwidth challenges in cybersecurity
As a result of the pandemic, new cybersecurity threats and challenges are continually developing. According to Gartner, the COVID-19 pandemic transformed the way attackers gain access to systems, giving rise to a new, varied range of cyberattacks that will continue to develop over the next five years. A report from Tripwire said that organizations lack the knowledge required to turn things around in this predicament. Tripwire also found that some businesses have no dedicated security personnel, while others have a small, overburdened department. The talent scarcity is a problem that organizations must then solve if they want to remain secure.
In fact, IT leaders polled by Gartner reported that a lack of talent posed the biggest challenge.
According to Gartner research vice president Yinuo Geng, the increasing push for remote work and the accelerated recruiting plans for 2021 have made it more difficult to find IT talent, particularly for capabilities that enable cloud and edge, automation and continuous deployment. According to the poll, only 20% of newly adopted technologies in the IT automation sector moved forward in the adoption cycle. Finding talent was the main challenge for organizations and the reason 64% of newly emerging technologies weren’t developing as anticipated.
Ultimately, cloud-native applications are exploding and developers are writing and building IaC. According to IDC statistics, the proportion of cloud-native applications will reach 80% in 2023. This necessitates the practice of securing cloud-based platforms, infrastructure and applications.
However, according to Om Vyas, cofounder and chief product officer at Oak9, security engineers aren’t IaC experts and developers aren’t security experts. So how does an organization ensure its cloud-native application is secure?
IaC in the enterprise
The implementation and management of IaC within enterprises demand highly qualified engineers, and there is a shortage of software infrastructure engineers with IaC expertise.
Raj Datta, cofounder and CEO of Oak9, said that the IaC security industry is at a crucial period because it’s clear that organizations cannot hire enough security professionals to assure adequate security in their IaC and cloud settings. The industry is seeing budget cuts, he said, and many organizations are struggling to find qualified personnel at a time when the sector actually needs more talent than ever.
Apart from talent, Vyas said budgets and bandwidth are also huge challenges in the IaC and cloud-native security market right now. He claimed that Oak9 users have saved up to 70% in security review time and more than 100 hours on devops work a month. He said Oak9 offers a free community edition, integrates with popular devops tools and takes less than five minutes from onboarding to security fixes.
Monitoring gaps in security policy enforcement
Janey Hoe, vice president of Cisco Investments — an investor in Oak9 — said the developer-friendly security controls and compliance checks made possible by Oak9 are energizing the business. Alice Vilma, managing director and co-portfolio manager at Morgan Stanley’s Next Level Fund, which also invested in Oak9, said the company is a disruptive organization that is assisting in driving the development of the IaC security sector.
In this sector, Vyas claims Oak9’s competitors are other IaC security products and cloud security posture management (CSPM) technologies. However, he said Oak9 is distinct as it focuses on securing the architecture of the entire cloud workload or application, rather than static misconfiguration.
Recently, Oak9 announced $8 million in an additional round of financing to intensify security in the IaC and cloud environments. Oak9, which recently released an IaC remediation capability, said it will use the funds, in part, to expand its free community edition and launch a next-generation Security as Code offering.
Oak9 has now raised $14 million in the past 15 months. The latest round also includes previous backers Menlo Ventures, which took the lead, and HPA, which increased its investment in Oak9.