Analysis: Google-Wiz deal sparks questions about cloud security strategy at AWS and Microsoft

Editor’s note: This analysis is written by Christopher Budd, a tech industry veteran who previously worked at the Microsoft Security Response Center.

Earlier this month, Google announced plans to acquire Israel-based Wiz for the nearly jaw-dropping price of $32 billion (yes, with a “b”). Not only is this the biggest cybersecurity deal (yet) in terms of money — it’s also another instance of Google swooping in with a very big, open checkbook to snap up a cybersecurity industry leader to fold into the Google Cloud Platform (GCP). 

This makes it clearer that Google sees security as a competitive differentiator in the cloud and is another step toward Microsoft’s model of integrating cloud and security in-house — and away from Amazon Web Services’ more hands-off strategy of relying primarily on a security partner ecosystem. 

Google’s move on Wiz is very similar to its acquisition of Mandiant in 2022 when it paid $5.4 billion for arguably the single best known incident response (IR) company in the world. Since then we’ve seen that Google bought Mandiant not because Google wanted to become a player in the IR space but because Google wanted to have some of the best IR capabilities in the world protecting GCP and its customers. 

Wiz is a leading company in the Cloud Native Application Protection Platform (CNAPP) space. CNAPPs provide a critical security layer to today’s cloud computing. If we look at the Mandiant acquisition as a blueprint, we can surmise that Google plans to take another industry-leading company and focus it on securing GCP.

Meanwhile in Redmond, IR and CNAPP are capabilities that Microsoft’s cloud offering has had for years through internal development. I can attest that Microsoft’s cloud IR process evolved out of the work of the Microsoft Security Response Center (MSRC) that I was a part of from 2001-2010. This is the kind of capability that Google bought with Mandiant. And Microsoft has had Defender for Cloud since 2021, a product which is a direct competitor for Wiz. 

In both cases, Microsoft evolved a cloud security capability in-house and then Google saw a competitive gap and went out and paid (a lot) for an industry leader to catch up or leapfrog having these capabilities be available in-house.

If Microsoft builds cloud security capability in-house over time and Google is going out and buying it to close the gap with Microsoft, what about AWS? Where is Amazon in this all? 

Throughout its history, AWS has taken a more hands-off approach, looking to partners to provide capabilities rather than building in-house or buying to bring in-house. It’s more of a utility model ensuring there’s a “dial tone” (services when you need it) but not much else. For anything beyond that you need to work with AWS partners. Having worked for companies that have cloud security offerings, I can attest that overall AWS has had a much more robust partner engagement and ecosystem than Microsoft or Google. A prime example is that AWS re:Invent is cloud computing’s biggest annual event, even though it’s a single vendor’s event.

While AWS has in-house IR capabilities, it’s more akin to what you see with other internet infrastructure companies: an in-house IR team that keeps the properties (and customers on those properties) safe, not one that is ready to assist customers directly like you see with both Google and Microsoft. It’s also not an IR group that is engaged actively in the security research community through bug bounties and original research in the same focused way that Microsoft and Google are. 

AWS has been busy over the past year rolling out various security-related services. In December it launched a new AWS Security Incident Response service and announced new AI and machine learning threat detection capabilities within Amazon GuardDuty, its security product for AWS accounts and workloads.

But when it comes to CNAPP, AWS hasn’t built its own “Defender for AWS.” And as Averlon CEO Sunil Gottumukkala noted recently in GeekWire, Wiz and AWS have had a very close partnership. By acquiring Wiz, Google is not only adding Wiz’s capabilities to GCP, but they’re also effectively taking Wiz off the table for AWS, putting even more distance between AWS on one side and Microsoft and Google on the other in the CNAPP space. AWS has plenty of other CNAPP partners like Orca, Trend Micro, and Palo Alto among others. But the fact remains that Wiz, a major AWS partner is now effectively in enemy hands.

Ian Fleming famously noted in Goldfinger that “Once is happenstance. Twice is coincidence. Three times is enemy action.” This is now the second instance where Google has gone out and paid top dollar for a cloud security capability that Microsoft developed in-house and both Google and AWS were lacking.

A third major cloud security acquisition by Google would clearly show that Google sees security as a critical competitive arena for cloud. The fact that both these major acquisitions have been in areas where Microsoft already had a presence serves as validation of Microsoft’s long-term cloud security strategy to date. But it’s no guarantee that the next big cloud security acquisition by Google will be playing catch up to Microsoft: Google could outflank Microsoft next time.

Meanwhile, the cloud security gap with AWS is looking bigger and a third acquisition could make that gap even bigger yet.

For every action there is a reaction: it’s possible that AWS and/or Microsoft won’t take the Wiz acquisition lying down but will themselves move to “leapfrog by checkbook” around cloud security. Or in the case of AWS, take a different approach and capitalize in some way on its existing partnership model and find ways to make it even more robust and its partners resistant to take over by Google and/or Microsoft.