Cloud Security Software Still Critical


Cloud Security Software Still Critical

With cloud adoption accelerating and software stocks under recent market pressure, information security stocks represent a compelling opportunity.

Key Takeaways
  • Recent data breaches demonstrate the security benefits of the cloud are not fail-safe and that general fears about threats to third-party information security providers from the cloud are premature.
  • As cloud workloads grow in number, tiers of importance and complexity, the security problem tends to grow beyond what hyperscale cloud providers can currently provide on their own.
  • Against this backdrop of accelerating cloud adoption and recent market weakness in IT and software, information security stocks represent a compelling opportunity and one that could lead to consolidation.
Public Cloud Sees Challenges in Balancing Flexibility with Security

Recent data breaches highlight that the public cloud is not a panacea for security and could serve to slow the pace of enterprise and government willingness to jettison third-party information security solutions. Given relatively constrained valuations and skeptical investor sentiment, we believe this creates an intermediate-term opportunity in information security stocks.

Following a long period where corporations and governments feared (and even shunned) the public cloud due to security concerns, they have since started a full embrace of the cloud, first and foremost for the flexibility and agility it provides, but also on the idea that the public cloud can in fact be the most secure option.

While the processes an enterprise follows to set up a cloud workload tend to be inherently more secure than the mishmash of techniques and mechanisms employed within private data centers, like most things, cloud security is only as good as its weakest link. The “shell” of the public cloud is generally highly secure, but no cloud provider can be responsible for ensuring proper configuration of a plethora of data sets. Not only is this impractical, but it becomes a trade-off between the flexibility that makes public cloud infrastructure and platform services (IaaS and PaaS) so popular, and the enterprise-grade security that most corporations and governments seek for their more important workloads.

The latest breach highlights the potential danger of leaving certain types of data within cloud storage unattended by a third-party security system.
Hilary Frisch

In the case of the Capital One data breach, the credit card issuer’s IT team were considered relatively sophisticated cloud users and forerunners within financial services in moving customer data entirely to the public cloud. Other large banks have chosen a hybrid cloud strategy, with important customer data residing in private cloud servers. These banks use the public cloud for occasional tasks that require a lot of computing power but don’t involve important customer information. As workloads grow in number, tiers of importance and complexity, the public cloud security problem also tends to grow.

The Capital One breach, while perpetrated by a former Amazon Web Services employee, exploited an at least somewhat known vulnerability involving misconfiguration of a simple web application firewall which a number of hackers could have theoretically exploited. And therein lies the hallmark of most major, high profile attacks: it’s not for a lack of alerts (in the case of Target), expertise or knowledge of the potential pitfalls that these continue to occur. Like security breaches from within and outside of an organization’s four walls, the issues come down to the leg work of ensuring that all “i”s are dotted and all “T”s are crossed within increasingly complex and potentially ephemeral systems (in the case of container-based architectures).

Moreover, many organizations use public cloud storage as a place to park legacy data or data of less certain value, even customer data. The latest breach highlights the potential danger of leaving certain types of data within cloud storage unattended by a third-party security system, and often one which is consistent with the on-premise infrastructure they continue to run.

Adding in a layer of third-party security won’t necessarily solve the problem, but it is a mechanism that companies may continue to rely on further out into the future to consolidate the system of notifications and alerts to which they have to respond in the event of a potential security compromise. By doing so, key actors within an organization’s IT team may in fact be less likely to be fired (or under the fire of the Board of Directors or the board of public opinion) if and when a security compromise occurs. And they are theoretically more likely to avert such a compromise with a more consistent approach.

The recent data coming from traditional network security vendors (and the associated channel) has been relatively positive in recent months. Many, including Fortinet and Check Point Software, highlighted cloud security as a place of relative strength. Not all vendors will benefit, but against the growing drumbeat of investor belief that the public cloud will make security software obsolete in the very near future, our view is that this could and should take longer than expected.

The current spate of cyber attacks involve longer and more involved remediation engagements, unlike the preponderance of phishing attacks of the last 18 months, highlighting the ongoing need for third-party information security protection. Management of a leading security vendor serving hybrid cloud customers just this month called the current environment among the more robust they’ve seen for security remediation and security product uptake generally.

Amidst the backdrop of the current market selloff, tariffs and near-term headwinds related to business model transitions by some larger providers, information security companies continue to trade at some of the most attractive valuations relative to their history and other parts of the software space. In addition, we believe consolidation by a handful of major security providers will ensue in the intermediate term as it affords the best hope for control on the part of customers.


Important Information


All investments involve risk, including possible loss of principal.

The value of investments and the income from them can go down as well as up and investors may not get back the amounts originally invested, and can be affected by changes in interest rates, in exchange rates, general market conditions, political, social and economic developments and other variable factors. Investment involves risks including but not limited to, possible delays in payments and loss of income or capital. Neither Legg Mason nor any of its affiliates guarantees any rate of return or the return of capital invested. 

Equity securities are subject to price fluctuation and possible loss of principal. Fixed-income securities involve interest rate, credit, inflation and reinvestment risks; and possible loss of principal. As interest rates rise, the value of fixed income securities falls.

International investments are subject to special risks including currency fluctuations, social, economic and political uncertainties, which could increase volatility. These risks are magnified in emerging markets.

Commodities and currencies contain heightened risk that include market, political, regulatory, and natural conditions and may not be suitable for all investors.

Past performance is no guarantee of future results.  Please note that an investor cannot invest directly in an index. Unmanaged index returns do not reflect any fees, expenses or sales charges.

The opinions and views expressed herein are not intended to be relied upon as a prediction or forecast of actual future events or performance, guarantee of future results, recommendations or advice.  Statements made in this material are not intended as buy or sell recommendations of any securities. Forward-looking statements are subject to uncertainties that could cause actual developments and results to differ materially from the expectations expressed. This information has been prepared from sources believed reliable but the accuracy and completeness of the information cannot be guaranteed. Information and opinions expressed by either Legg Mason or its affiliates are current as at the date indicated, are subject to change without notice, and do not take into account the particular investment objectives, financial situation or needs of individual investors.

The information in this material is confidential and proprietary and may not be used other than by the intended user. Neither Legg Mason or its affiliates or any of their officer or employee of Legg Mason accepts any liability whatsoever for any loss arising from any use of this material or its contents. This material may not be reproduced, distributed or published without prior written permission from Legg Mason. Distribution of this material may be restricted in certain jurisdictions. Any persons coming into possession of this material should seek advice for details of, and observe such restrictions (if any).

This material may have been prepared by an advisor or entity affiliated with an entity mentioned below through common control and ownership by Legg Mason, Inc.  Unless otherwise noted the “$” (dollar sign) represents U.S. Dollars.

This material is approved for distribution in those countries and to those recipients listed below. Note: this material may not be available in all regions listed.

All investors and eligible counterparties in Europe, the UK, Switzerland:

In Europe (excluding UK and Switzerland), this financial promotion is issued by Legg Mason Investments (Ireland) Limited, registered office 6th Floor, Building Three, Number One Ballsbridge, 126 Pembroke Road, Ballsbridge, Dublin 4, D04 EP27. Registered in Ireland, Company No. 271887. Authorised and regulated by the Central Bank of Ireland.

All Qualified Investors in Switzerland:
In Switzerland, this financial promotion is issued by Legg Mason Investments (Switzerland) GmbH, authorised by the Swiss Financial Market Supervisory Authority FINMA.  Investors in Switzerland: The representative in Switzerland is FIRST INDEPENDENT FUND SERVICES LTD., Klausstrasse 33, 8008 Zurich, Switzerland and the paying agent in Switzerland is NPB Neue Privat Bank AG, Limmatquai 1, 8024 Zurich, Switzerland. Copies of the Articles of Association, the Prospectus, the Key Investor Information documents and the annual and semi-annual reports of the Company may be obtained free of charge from the representative in Switzerland.

All investors in the UK:
In the UK this financial promotion is issued by Legg Mason Investments (Europe) Limited, registered office 201 Bishopsgate, London EC2M 3AB. Registered in England and Wales, Company No. 1732037. Authorized and regulated by the Financial Conduct Authority. Client Services +44 (0)207 070 7444

All Investors in Hong Kong and Singapore:

This material is provided by Legg Mason Asset Management Hong Kong Limited in Hong Kong and Legg Mason Asset Management Singapore Pte. Limited (Registration Number (UEN): 200007942R) in Singapore.

This material has not been reviewed by any regulatory authority in Hong Kong or Singapore.

All Investors in the People's Republic of China ("PRC"):

This material is provided by Legg Mason Asset Management Hong Kong Limited to intended recipients in the PRC.  The content of this document is only for Press or the PRC investors investing in the QDII Product offered by PRC's commercial bank in accordance with the regulation of China Banking Regulatory Commission.  Investors should read the offering document prior to any subscription.  Please seek advice from PRC's commercial banks and/or other professional advisors, if necessary. Please note that Legg Mason and its affiliates are the Managers of the offshore funds invested by QDII Products only.  Legg Mason and its affiliates are not authorized by any regulatory authority to conduct business or investment activities in China.

This material has not been reviewed by any regulatory authority in the PRC.

Distributors and existing investors in Korea and Distributors in Taiwan:

This material is provided by Legg Mason Asset Management Hong Kong Limited to eligible recipients in Korea and by Legg Mason Investments (Taiwan) Limited (Registration Number: (98) Jin Guan Tou Gu Xin Zi Di 001; Address: Suite E, 55F, Taipei 101 Tower, 7, Xin Yi Road, Section 5, Taipei 110, Taiwan, R.O.C.; Tel: (886) 2-8722 1666) in Taiwan. Legg Mason Investments (Taiwan) Limited operates and manages its business independently.

This material has not been reviewed by any regulatory authority in Korea or Taiwan.

All Investors in the Americas:

This material is provided by Legg Mason Investor Services LLC, a U.S. registered Broker-Dealer, which includes Legg Mason Americas International. Legg Mason Investor Services, LLC, Member FINRA/SIPC, and all entities mentioned are subsidiaries of Legg Mason, Inc.

All Investors in Australia and New Zealand:

This document is issued by Legg Mason Asset Management Australia Limited (ABN 76 004 835 839, AFSL 204827).  The information in this document is of a general nature only and is not intended to be, and is not, a complete or definitive statement of matters described in it. It has not been prepared to take into account the investment objectives, financial objectives or particular needs of any particular person.

Forecasts are inherently limited and should not be relied upon as indicators of actual or future performance.

Discussions of individual securities are not intended and should not be relied upon as the basis to buy, sell or hold any security. Investors seeking financial advice regarding the appropriateness of investing in any securities or investment strategies should consult their financial professional.