Investing at the Intersection of Cloud Infrastructure and Cybersecurity

Although many companies continue to execute respectively within cloud infrastructure and security, some have decided to marry the two broader markets.

Kareem Aly

January 22, 2020

6 Min Read
Investing at the Intersection of Cloud Infrastructure and Cybersecurity

Innovation precedes security. We witnessed it with automobiles, which were introduced long before seatbelts. We witnessed it with the Internet, as credit card theft has inexorably run rampant ahead of encryption and 2FA (two-factor authentication) techniques. One Elon Musk might even argue that we will see it unfold yet again with the continued development of AI, or artificial intelligence:

Human tendencies can be hard to change. But we’re seeing some startups make the leap—to innovation with security rather than innovation before security. Some are focusing on issues related to cloud infrastructure, others on cybersecurity, and still others are making a splash intersecting the two.

Cloud infrastructure

The cloud continues to evolve and what an exciting transformation it is. We’re seeing a few trends here—namely:

  • The shift to hybrid cloud and multi-cloud. Organizations continue to make the jump—albeit more slowly than anticipated —to AWS (Amazon Web Services), Azure (Microsoft), and GCP (Google Cloud Platform). Granted, the complexity and difficulty inherent in this shift isn’t for everyone. As a result, many organizations have deployed hybrid cloud approaches, employing a mix of both cloud and legacy on-prem infrastructure. More sophisticated organizations have moved on to step two—a multi- cloud approach, eradicating vendor lock-in and enabling developers to use the most optimal cloud for their specific application. We will continue to see adoption here.

  • Adoption of microservices and service mesh architecture. The savviest of customers have moved beyond thinking about just the cloud and onto Google’s open-source spinout, Kubernetes (also known as k8s). Thanks to lackluster strategy and execution on monetization, folks have said goodbye to Docker and Mesosphere (now called D2iQ), branding k8s as the winner in container orchestration. But deploying k8s is no small feat. You need a provisioning tool (like Hashicorp Terraform). You need a multi- cluster management solution (like Rancher). Just like Databricks and Confluent created large and successful platforms on top of open-source Apache Spark and Apache Kafka, respectively, emerging startups are likewise looking to build simple, easy-to-use solutions on top of k8s

  • Focus on the developer. If you went to KubeCon, you noticed many companies’ offerings are at least partially, if not entirely, open-source and often free. Developers want to move fast, stay nimble, and typically don’t have a ton of money, so the premise makes sense. Get user base and mindshare up first; achieve network effects and pricing power via an ecosystem of happy users second. However, it’s hard to make money when things are free. As a result, umbrella companies continue to form around initially open-source projects. Keep an eye on Grafana Labs (monitoring for open-source tools, such as Prometheus) and Tetrate (container- native service mesh spun out of open-source Google Istio).


We’ll repeat it again—when innovation progresses on the infrastructure side, security follows. An illustrative and recent example is the plethora of container security vendors that emerged once this idea of containerization increased in popularity. Some trends in security we’re focused on:

  • Next-gen firewalls, or east-west security. North-south security has been a thing for as long as we can remember. Set your hard iron and firewall at the edge, procure endpoint security for your devices, and you’re good to go, right? Historically, yes. Today, no. That perimeter no longer exists. Visibility across hybrid and multi- cloud environments, policy automation and orchestration, and microsegmentation to contain attacks are direly needed as attacks inevitably make it through the front door. N/S + E/W will become the new standard.

  • Application security. We are seeing a shift of focus to the developer on the infrastructure side. And security is following as expected. Workloads are being spun up across virtual machines, containers, and clouds, and applications are being developed faster than ever, in line with the industry-wide CI/CD push. Developers want to write code faster, not fix bugs. Security teams want to fix bugs and slow down the process. A natural tension exists therein, and we are fond of the emerging solutions working to ameliorate this.

  • Brand protection. As brick and mortar continues to die out, e- commerce and online buying have proliferated. But it’s not only marketplaces and online retailers reaping the rewards; fraudsters and counterfeiters are taking a larger and larger piece of this growing pie as well. Two out of every five purchases are now counterfeit, as reported by the US Government Accountability Office. This is a growing problem across brands like Nike—which just broke up with Amazon—and Louis Vuitton as well as in industries like pharma. Companies that can automate detection of fake sites and products, block these avenues, and stop account takeovers should prove to be market winners.

The intersection

The last area here is the intersection of the two spaces we’ve covered in security and cloud infrastructure. We’d categorize this combination set into three buckets of companies:

Networking. The incumbents in this space have always made this intersection a notable part of their businesses. Companies like Cisco, Mellanox, Dell EMC, Arista, and Juniper Networks may ring a bell. But the more nascent entrants are following their footsteps —and doing quite well. The commoditization of hardware, abstraction of software from hardware, pooling of resources, and enforcement of app security / policy are draws for many customers, both from a cost savings and capacity gains perspective.

Storage. We’ve all heard of AWS, Azure, and GCP as the big storage vendors. But you can’t win forever, and they’ll all be disrupted sooner or later. Ideas around distributed storage and automatically identifying the best compute resource for any workload at any given time in any location are compelling. Although typically capital intensive, maniacal execution will result in large companies here. We’ve got an eye on this space.

Other. Broadcom first purchasing CA for $19 billion and then buying Symantec’s enterprise security division for $11 billion was a game changer. If you thought combining infra and security was fascinating, coupling semiconductors with security is a whole different ballgame. Cloudflare, which just went public, provides web performance management and ensures application availability, but also stops malicious bot abuse and DDoS attacks. Hashicorp secures and controls access to tokens, passwords, certificates, and encryption keys in addition to provisioning of cloud infrastructure (including k8s). Although these companies are attacking disparate markets, they are similar in their attempt to build security into their offerings from the ground up.


Although many companies continue to execute respectively within cloud infrastructure and security, some have decided to marry the two broader markets. In these cases, companies are introducing security from the get-go rather than as an afterthought. There’s no right or wrong, and it will always depend on the company’s overall strategy, go- to-market motion, and engineering capacity. However, the combination has proven effective in many instances and is interesting to be aware of nonetheless.


Thomvest Image.jpg



About the Author(s)

Kareem Aly

Kareem Aly is a Principal at Thomvest, focusing primarily on investments in cybersecurity and cloud infrastructure. He spends most of his time sourcing new opportunities, conducting due diligence on potential investments, and supporting existing portfolio companies.

Stay informed! Sign up to get expert advice and insight delivered direct to your inbox

You May Also Like

More Insights