Investing in Modern Cybersecurity: Cloud Security

In this five-part series, we set out to explore the world of cybersecurity and its investment opportunities. In the previous issue, we explored the blood vessels of the digital world: networks. Here, we move down the chain and up in the clouds looking for sky-high opportunities.

Bottom line

In the fourth part of the series, we focus on the next frontier - the cloud, and how it is secured. Cloud security relies on securing three pillars: content, access, and processes.

The ongoing cloudification drives the sector as numerous organizations and users transition to cloud-based content and applications. Multi-cloud environments are even harder to secure, since every cloud in them must be correctly configured. In such an environment, cloud security has mission-critical status. Our analysis shows that the booming $52bn (2026e) cloud security market is set to show a 17% 5Y CAGR for revenues and a solid 40% 3Y CAGR for EPS.

Executive Summary

Content: securing the exponentially growing cloud-stored data

  • The cloud is a data center with servers and storage, which used to be secured as endpoints. Servers differ from endpoints in their tasks, configurations, and potential threat entry points, thus requiring specific cybersecurity solutions.

  • Content in the cloud is usually scattered across geographically distributed servers. Grouping them as parts of content delivery networks (CDN) helps improve and secure data access by caching content and absorbing harmful traffic.

  • CDNs usually come packaged with additional distributed denial-of-service (DDoS) protection against attack traffic. With their solid CDN and DDoS offering, Cloudflare and Fastly are well-positioned to benefit from the unfolding cybersecurity supercycle.

Access: safely connecting networks to the cloud

  • Companies continue moving to the cloud and want to connect their local networks to cloud applications, which raises the authorization problem.

  • The solution to ensure secure access is two-fold: use CDNs with secure "bridges" on one side and cloud access security brokers (CASB) on the other. CASB acts as a security checkpoint between users and cloud applications.

  • CASB is part of the Secure Access Service Edge (SASE) architecture, so it naturally comes prepackaged within SASE solutions (covered in the previous issue), offered by Zscaler, Palo Alto Networks, Fortinet, Check Point, Cloudflare, and Cisco.

Workload: making sure the cloud keeps good posture

  • A cloud workload is a specific process, application, service, or task that runs on cloud resources, e.g., databases, virtual machines, containers, and applications. Successful attacks on workloads result primarily from cloud misconfiguration, but attacks may also come through traffic or be aimed directly at workloads.

  • Three solutions ensure cloud workload security: Web Application Firewalls (WAF) focus on traffic, Cloud Workload Protection Platforms (CWPP) on workloads, and Cloud Security Posture Management (CSPM) on configurations.

  • Palo Alto Networks and Crowdstrike, thanks to their know-how and technological lead in tools and platforms securing workloads and cloud configurations, benefit from a leading market positioning and strong ~20-30% YoY revenue growth.

Content: securing the exponentially growing cloud-stored data

When a user accesses content or does something in the cloud, e.g., application development, high-performance computing, or remotely modifying a picture, they first access the cloud, then access the content, and finally execute a specific process directly in the cloud. It is, therefore, easy to picture the cloud security ecosystem. It focuses on three main areas: securing content and traffic, providing secure access to the workloads (anything that runs on cloud resources), and finally, securing these workloads.

The chart below helps visualize the cloud journey (you may also get acquainted with the cloud universe with the help of an interactive tool we created):

A server or an endpoint: a critical difference

The cloud is essentially a data center with servers and storage. Conventionally, these have been secured as endpoints with endpoint security. However, servers and endpoints differ in their tasks, configurations, and potential threat entry points. For example, endpoints access websites and applications or receive emails and are controlled by the end users. Servers used for cloud services instead store the applications, website data, or emails and usually follow a set of automated processes.

Content security is becoming critical as the appetite for safe data exchange grows

People and businesses are delivering and receiving more and more content via the cloud: today, it is estimated that 252 Exabytes of data (which, for ease of understanding, equates to ~150tn photos) are transferred via CDNs daily. Content in the cloud is usually geographically distributed via a network of servers to improve and secure data access by caching content. When a user accesses a website or application, the data cached in the nearest geographical data center is served to the user, improving speed and overall user experience. Such a caching and data availability network is known as a Content Delivery Network (CDN).

A CDN is a service that handles legitimate traffic and maintains stable data transmission. CDNs, by construction, help against Distributed Denial-of-Service (DDoS) attacks, which involve oversaturating servers with requests on multiple levels. For example, target servers may be overloaded with traffic they cannot process, or hackers may send data packets but ignore the server response so that the server runs out of resources. Even the applications run in the cloud may be directly overrun by requests and collapse.

While Content Delivery Networks partially absorb attack traffic, they can sustain DDoS traffic only up to a given capacity. Therefore, CDN providers focus on 1) improving CDNs and their throughput to handle more significant amounts of traffic and 2) employing comprehensive DDoS protection in addition to a CDN solution.

Many players, but only one can be the winner

Among the players, we particularly like Cloudflare, already used in 175 countries by >110K clients. Cloudflare already blocks 124bn threats per day. The company is best positioned to benefit from the unfolding cybersecurity supercycle. The company is projected to grow its sales organically at 30–40% YoY, faster than its addressable market. Data shows quarterly DDoS attacks and annual traffic to CDNs worldwide are increasing by ~40%.

Cloudflare remains one of the most innovative players in the market, with significant R&D investments (20% of sales) to ensure a high degree of innovation, and is set to become net profitable this year, all with a solid ~80% gross margin. Competitors in the content security segment include the expensive, cloud-incapable on-premise Mandiant (acquired by Google), Cisco, Broadcom, the narrowly focused Menlo, Fastly, and the disunited AWS by Amazon.

Cloudflare deserves to be called the "best-in-breed" solution for cloud-content cybersecurity as it has considerable expertise. At the same time, it is fenced in by high barriers to entry, ensuring more stable and predictable growth and margin expansion with a more diverse customer base than its closest competitors, e.g., Fastly.

Access: safely connecting networks to the cloud

The two-part solution

The previous section was dedicated to securing the content and the cloud servers focused on delivering it, i.e., content delivery networks. We learned that CDN platforms help absorb malicious traffic but require additional support from a dedicated DDoS solution to secure content. However, the question of obtaining access to the cloud, the content, and CDNs remains open.

To understand the solutions, we must realize that today, there is an ongoing convergence between the network and the cloud. Many companies continue moving to the cloud and want to connect their local networks to cloud applications. The ensuing problem is securing the link between the two and - more importantly - ensuring that cloud applications will interact only with authorized users.

The first part of the solution relies on the SASE architecture explained in the previous issue and CDNs. The former establishes a bridge between local networks and the cloud, while CDNs ensure anti-DDoS capability. The second part of the solution is Cloud Access Security Broker (CASB).

CASB or not to be?

CASB is an on-premise or cloud-based access broker, or in other terms, a "cloud security checkpoint." Its central role is to function as a security layer between users and cloud applications, acting as an intermediary to 1) enable access control and 2) enforce compliance with predefined policies. Additionally, CASBs give visibility into cloud applications. This alleviates the shadow IT problem (using IT, devices, software, apps, etc. without explicit IT department approval) and serves as a tool to conduct an extensive risk assessment.

Access brokers encompass numerous technological blocks. These blocks include but are not limited to authentication, single sign-on, authorization, credential mapping, device profiling, encryption, tokenization, logging, alerting, and malware detection/prevention. Moreover, CASBs may proactively integrate behavioral analytics to detect compromised users and apps.

While cloud access brokers are the true interfaces between the cloud and the network from an administration standpoint, they do not replace other security features, especially those that focus on the workloads, multi-cloud configurations, and cloud application security, which we take a look at in the next section.

Buying SASE? CASB comes for "free"!

As we have previously learned, Cloud Access Security Brokers (CASB) are part of the Secure Access Service Edge (SASE) architecture that also includes Firewall-as-a-Service, Secure Web Gateways, and Zero Trust, all extensively covered in the previous article. Therefore, CASB offerings usually come prepackaged with SSE/SASE solutions. Zscaler, Palo Alto Networks, Fortinet, Check Point, and Cisco are prominent players in the SASE and, by extension, CASB segment. Cloudflare is also extending its content and DDoS offering to provide such services.

Workload: making sure the cloud keeps good posture

Making the cloud work

Any process done in the cloud, e.g., accessing a database or application, is considered a workload. These workloads are protected at two stages: at the connection level and then at the actual runtime stage.

The connection level is secured by Web Application Firewalls (WAF). WAFs are firewalls dedicated to web applications. These barriers usually work alongside Content Delivery Networks to help guide or restrict the traffic to and from cloud applications, letting legitimate website traffic through and raising security red flags when needed.

WAFs help support "service as usual" during DDoS attacks and ensure websites' availability, speed, and stability. The WAF market is currently set to grow from $5.5bn this year to $25.6bn by 2030, a CAGR of >16%, which is not surprising given that many businesses use WAFs with CDNs to increase website security. 

In addition to WAFs working at the connection level, there are currently two prominent cybersecurity solutions at the workload runtime level: Cloud Workload Protection Platforms (CWPP) and Cloud Security Posture Management (CSPM).

Securing those workloads

Cloud Workload Protection Platforms (CWPP) are similar to endpoint security solutions. However, they extend to include cloud-specific elements such as virtual machines and containers. Also, as most applications are developed and run in containers and virtual machines, such tools secure cloud applications and processes during their entire development cycle. As more businesses switch from on-site to cloud application development and container-based applications, demand for Cloud Workload Protection Platforms may only grow.

Gartner estimates that 95% of cloud security issues result from misconfiguration. As we have previously explained, the responsibility for cloud security is split between the provider and the customer depending on the solutions, i.e., Infrastructure-, Software-, or Platform-as-a-Service. Cloud security means securing the physical side "of" it and the applications "in" it. Such complexity means that cloud configurations must be continuously monitored, issues quickly identified, and security gaps closed, e.g., by enforcing policies, applying best practices, and verifying configurations for known risks. Cloud Security Posture Management (CSPM) platforms are made precisely for this. CSPM tools detect and auto-rectify misconfigurations, update the list of best practices, and may even contextualize alerts and initiate a response by assigning them to the right security team.

CWPP and CSPM are also integral to the broader shift to Cloud-Native Application Protection Platforms (CNAPP). Cloud applications have unique characteristics (e.g., containers and fragmented software components), making them expensive to secure and configure. CNAPP, just like application security tools, offers security from application development to deployment. However, it additionally combines application development tools such as Dynamic/Static Application Security Testing with CWPP and CSPM. This allows developers to have a continuous turnkey application security framework.

The dynamic workload security market is shifting again

The market of cloud security vendors is vast. The WAF market is well represented by traditional firewall players (Cisco, Check Point, Palo Alto Networks, Fortinet), CDN providers (Akamai, Fastly, Cloudflare), and cloud providers (Amazon, Microsoft). The two workload solutions above are standalone tools. However, with the ongoing cloudification, especially boosted by COVID-19, there is ongoing consolidation in the market. For example, CWPP-only vendors Aqua Security, Palo Alto Networks, and Crowdstrike now offer CSPM solutions. Aqua Security and Palo Alto Networks obtained these capabilities through the acquisition of CloudSploit and RedLock, respectively, while Crowdstrike developed its Horizon offering in-house.

Crowdstrike noticed that customers were using its Endpoint Detection & Response solutions (endpoint solution), which we covered in the previous issue, to secure cloud servers. To improve its offering, the company developed CWPP and CSPM modules and Falcon Horizon, which not only secure clients' cloud servers but also look for misconfigurations in the public cloud (when a client is also using Dropbox, Google Drive, etc.), containers, and even serverless environments. Crowdstrike remains our top pick in the cybersecurity universe: it is best positioned to capture growth with its innovative thinking, timely market offerings, and excellent financial health to sustain growth.

Finally, the shift to CNAPP has only started, and CNAPP is a nascent platform. Actors that offer CWPP and CSPM are naturally best positioned to offer CNAPP, e.g., Palo Alto Networks, Microsoft, Check Point.


  • Cloud tipping-point. Although many companies use cloud applications, core processes generally remain on-premise. With the cloud gaining momentum, there will be a tipping point with applications massively being switched to the cloud. 

  • Convenience and ease of use. Regulation will force administrations and corporations to upgrade their systems. From a security perspective, using the cloud is way less painful and much more efficient than upgrading on-premise systems.

  • The exponential amount of data. The volume of generated data keeps increasing, making on-premise data storage more and more difficult. In the meantime, shifting to the cloud requires securing its access.


  • Disruption of communications. Uninterrupted communications with cloud networks remain one of the weakest links in case of cyber warfare or massive cyber attacks, which are expected to increase in frequency. 

  • Loss of control. Switching to the cloud means some loss of control for users. This may spook some, especially if the almighty cloud providers abuse their position.

  • Unsecured interfaces. The cloud is only secured if the APIs and interfaces used to communicate with it are secure. Compromised interfaces would lead to data breaches, loss, and potentially complete account hijacking, slowing the global cloudification process. 

Companies mentioned in this article

Fortinet (FTNT); Crowdstrike (CRWD); Zscaler (ZS); Akamai (AKAM); Amazon (AMZN); Aqua Security (Not listed); Broadcom (AVGO); Check Point (CHKP); Cisco (CSCO); CloudSploit (Not listed); Cloudflare (NET); Fastly (FSLY); Mandiant (MNDT); Menlo (Not listed); Microsoft (MSFT); Palo Alto Networks (PANW); RedLock (Not listed)



This report has been produced by the organizational unit responsible for investment research (Research unit) of atonra Partners and sent to you by the company sales representatives.
