Trend Micro is to acquire cloud security posture management (CSPM) specialist Cloud Conformity to improve its expertise around the frequently occurring problem of cloud infrastructure misconfiguration, which is behind a growing number of information security leaks and breaches.
Founded three years ago in Sydney, Australia, but now based out of the US, Cloud Conformity claims to offer best-in-class infrastructure security, compliance and optimisation for public cloud installations, specifically Amazon Web Services (AWS), for which it is an advanced technology partner with competencies in security and cloud management.
“We have been laser focused on building integrated security for the cloud since its birth over a decade ago, unlike other vendors who are now attempting to stitch together disparate cloud technologies,” said Eva Chen, chief executive officer for Trend Micro.
“As more enterprises move to the cloud, our customers feel they are operating amid a Wild West approach to cloud implementations that leaves them with unmanaged risk. As an AWS technology partner of the year for 2019, Cloud Conformity understands these implementations and the risks. Its offering perfectly complements our own portfolio and provides immediate value to customers.”
Cloud Conformity CEO Michael Watts said: “We think customers will love this simplified approach to security and compliance across their entire cloud environment, including AWS, [Microsoft] Azure and Google Cloud – providing security guardrails to let them go faster and do more.”
Fernando Montenegro, principal analyst at 451 Research, added: “Our research is clear that organisations of all sizes are adopting cloud-based delivery and, in doing so, are often using not only compute services, but also storage, messaging, and many other services.
“With this acquisition, Trend Micro is able to extend its security offerings to organisations looking for assistance with cloud security beyond securing compute workloads.”
Trend Micro cited recent Gartner statistics that suggest the customer or end-user is at fault in 99% of cloud security failures, a situation that does not look set to change for at least four years. The analyst house also said that the implementation of a CSPM offering could reduce cloud security incidents related to misconfiguration by as much as 80% over about the same period.
Last month, a report produced by McAfee revealed that 99% of cloud misconfiguration errors were not picked up, exposing enterprises to an increased risk of data leaks and breaches, and penalties under law.
The McAfee study also found that enterprises were under-reporting cloud configuration errors in their infrastructure-as-a-service (IaaS) environments. It polled 1,000 businesses, which claimed that they averaged 37 IaaS misconfiguration incidents a month, but when they looked more closely, the true figure was closer to 3,500.
As a demonstration of how costly cloud configuration errors can be, the data breach of a South American marketing services company in September 2019, which was caused by a server vulnerability in a misconfigured AWS S3 bucket, exposed the personal details of millions of Ecuadorian citizens, including Wikileaks whistleblower Julian Assange.
Chris Morales, head of security analytics at Vectra, a supplier of AI-based threat detection solutions, said: “We know that poorly configured servers in AWS are something many administrators struggle with understanding, including how to properly limit access to the data they store there. This is not even about company size or maturity.
“Elasticsearch databases in AWS are known to be publicly accessible, and as this is a common setup, it is important that organisations work with their partners to ensure their data is secure.”