The Cloud Migration Is Mostly Done — What Now?
The major cloud providers — AWS, Microsoft Azure, Google Cloud — have collectively onboarded most of the world's enterprise application workloads over the past decade. The economic arguments for cloud infrastructure — pay-as-you-go pricing, elasticity, managed services, reduced operational overhead — have proven compelling enough to drive even the most conservative enterprises to make significant commitments to public cloud.
But as enterprises complete their initial migrations, a new set of challenges has emerged. Cloud bills are growing dramatically and are often poorly understood. Cloud environments are sprawling and complex, making it difficult to maintain visibility and control. Misconfigured cloud services are a major source of data breaches. And the operational model for running production workloads in the cloud — observability, reliability engineering, cost management — requires a different set of tools and expertise than anything the previous generation of infrastructure vendors provided.
These challenges represent the next frontier of the cloud infrastructure market, and they are generating an extraordinary amount of startup activity. We believe the companies addressing post-migration cloud operations challenges will be among the most important infrastructure companies of the next decade.
Cloud Cost Management: The $100B Problem
Enterprise cloud spending reached over $150 billion in 2020 and is growing at 25-30% annually. Gartner estimates that organizations waste an average of 30% of their cloud spending — money spent on unused resources, oversized instances, inefficient architectural choices, and shadow IT. At the current scale of enterprise cloud spending, that represents tens of billions of dollars in annual waste.
The cloud cost management market has emerged as a response to this problem. Tools that provide visibility into cloud spending, identify waste and inefficiency, and recommend cost optimization strategies are increasingly standard components of the enterprise infrastructure stack. But we believe this market is still in its early stages, and the most interesting opportunities lie in connecting cost visibility to engineering workflows — making cost optimization a developer-time activity rather than a finance post-mortem exercise.
The companies that will win in cloud cost management are those that can integrate cost data into the CI/CD pipeline, surface cost implications to developers in real time, and automate the remediation of common cost inefficiencies. This requires a deep understanding of both cloud economics and software engineering workflows — a combination that is harder to build than it sounds.
Cloud Security Posture: The Misconfiguration Epidemic
The most common cause of cloud data breaches is not sophisticated hacking — it is misconfiguration. S3 buckets left publicly accessible. Overly permissive IAM roles. Unencrypted databases exposed to the internet. These are not exotic attack techniques; they are mundane operational mistakes that have exposed billions of records and cost enterprises billions of dollars.
Cloud Security Posture Management (CSPM) is the category of tools designed to address this problem. CSPM tools continuously scan cloud environments for misconfigurations, compare them against security best practices and compliance frameworks, and alert security teams to issues that need remediation. The market has grown rapidly, driven by high-profile cloud breaches and increasing regulatory pressure around cloud security.
We are enthusiastic about the next generation of CSPM tools that go beyond detection to automated remediation. The volume of cloud resources in a typical enterprise environment — hundreds of accounts, thousands of services, millions of configuration settings — makes manual remediation of every identified issue impractical. Companies that can automate safe remediation of common misconfigurations, with appropriate guardrails and approval workflows, will provide dramatically more security value than tools that simply generate compliance reports.
Kubernetes and Container Security
Kubernetes has become the de facto standard for container orchestration in enterprise environments. The rapid adoption of Kubernetes has been accompanied by a rapid expansion of the Kubernetes security market, as enterprises recognize that traditional security tools are not well-suited to securing containerized, dynamically scheduled workloads.
Kubernetes security spans multiple layers: image scanning (ensuring container images do not contain known vulnerabilities), runtime security (detecting anomalous behavior at the container and pod level), network policy (controlling communication between workloads), and secrets management (ensuring that sensitive configuration data is not exposed in Kubernetes configuration files). Each of these layers has seen significant startup activity, and we believe the market is still early.
The most interesting companies we see in this space are those building unified Kubernetes security platforms that address multiple layers of the stack rather than point solutions. Platform security teams are overwhelmed with security tools; consolidation is a major theme in the enterprise security market, and Kubernetes security is no exception.
Infrastructure as Code Security
Infrastructure as Code (IaC) has become the standard way that modern cloud infrastructure is defined and deployed. Tools like Terraform, CloudFormation, Pulumi, and Ansible allow infrastructure to be expressed as code, version-controlled, and deployed through automated pipelines. This shift has dramatically improved the consistency and reproducibility of cloud infrastructure deployments.
It has also created a new attack surface. IaC templates frequently contain misconfigurations — often the same misconfigurations that CSPM tools detect in deployed environments — and the shift to IaC-based deployments means that these misconfigurations can propagate rapidly across multiple environments. IaC security tools scan infrastructure templates before deployment, identifying security issues before they reach production.
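As an added illustration of the pre-deployment scan described above (example code, not from the post or any product it discusses), the checker below applies rules for the three misconfiguration classes named earlier, public buckets, wildcard IAM grants and exposed or unencrypted databases, to a constructed CloudFormation-style template; the rule names and the template are assumptions.

```python
"""Toy pre-deployment IaC check for the three misconfiguration classes the post
names: public S3 buckets, wildcard IAM grants, exposed/unencrypted databases."""
import json

# Constructed CloudFormation-style template; "Logs", "Admin" and "Db" each
# carry one class of defect, "Data" is the compliant control case.
TEMPLATE = json.loads("""{"Resources": {
  "Logs": {"Type": "AWS::S3::Bucket",
           "Properties": {"AccessControl": "PublicRead"}},
  "Data": {"Type": "AWS::S3::Bucket", "Properties": {
           "PublicAccessBlockConfiguration": {"BlockPublicAcls": true,
           "BlockPublicPolicy": true, "IgnorePublicAcls": true,
           "RestrictPublicBuckets": true}}},
  "Admin": {"Type": "AWS::IAM::Role", "Properties": {"Policies": [{
            "PolicyName": "all", "PolicyDocument": {"Statement": [
            {"Effect": "Allow", "Action": "*", "Resource": "*"}]}}]}},
  "Db": {"Type": "AWS::RDS::DBInstance", "Properties": {
         "PubliclyAccessible": true, "StorageEncrypted": false}}}}""")

PAB_KEYS = ("BlockPublicAcls", "BlockPublicPolicy",
            "IgnorePublicAcls", "RestrictPublicBuckets")

def _as_list(v):
    """IAM statements allow scalar-or-list for Action/Resource."""
    return v if isinstance(v, list) else [v]

def scan_template(template):
    """Return (logical_id, rule) findings; an empty list means the gate passes."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        rtype, props = res.get("Type"), res.get("Properties", {})
        if rtype == "AWS::S3::Bucket":
            if props.get("AccessControl") in ("PublicRead", "PublicReadWrite"):
                findings.append((name, "S3_PUBLIC_ACL"))
            pab = props.get("PublicAccessBlockConfiguration", {})
            if not all(pab.get(k) is True for k in PAB_KEYS):
                findings.append((name, "S3_NO_PUBLIC_ACCESS_BLOCK"))
        elif rtype in ("AWS::IAM::Role", "AWS::IAM::Policy"):
            docs = [p["PolicyDocument"] for p in props.get("Policies", [])]
            docs += [props["PolicyDocument"]] if "PolicyDocument" in props else []
            for st in (s for d in docs for s in _as_list(d.get("Statement", []))):
                if (st.get("Effect") == "Allow" and "*" in _as_list(st.get("Action"))
                        and "*" in _as_list(st.get("Resource"))):
                    findings.append((name, "IAM_WILDCARD_ADMIN"))
        elif rtype == "AWS::RDS::DBInstance":
            if props.get("PubliclyAccessible") is True:
                findings.append((name, "RDS_PUBLIC"))
            if props.get("StorageEncrypted") is not True:
                findings.append((name, "RDS_UNENCRYPTED"))
    return findings
```

Run in a pipeline step, a non-empty result is what would fail the build before the template reaches production; the same rules are what a CSPM tool would later evaluate against the deployed resources.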
The IaC security market is closely related to the developer security (DevSecOps) movement — the integration of security testing into the software development lifecycle. We believe the companies that will win in this space are those that can become part of the developer workflow rather than a separate security gate. Security tools that slow down development will be worked around; security tools that help developers write better, more secure infrastructure code will be embraced.
The Platform Engineering Layer
One of the most important emerging trends in cloud infrastructure is the rise of platform engineering teams — internal teams that build and maintain the developer tooling and infrastructure abstractions that application developers use to build and deploy their products. Platform engineering is the enterprise answer to the proliferating complexity of modern cloud infrastructure: rather than expecting every developer to understand Kubernetes, Terraform, cloud networking, and security best practices, centralize these concerns in a dedicated team and expose them through well-designed abstractions.
The platform engineering trend is creating demand for a new category of internal developer platforms (IDPs) — tools that give platform engineers the ability to define infrastructure templates, deployment workflows, and security guardrails that application developers can use without needing to understand the underlying complexity. Companies in this space are building what amounts to a new operating system for enterprise software delivery.
Key Takeaways
- The initial cloud migration is winding down; the next wave is about operating cloud environments securely and efficiently at scale.
- Cloud cost management, cloud security posture, Kubernetes security, and IaC security are high-growth markets with significant startup activity.
- The companies that win will integrate with developer workflows rather than operating as separate security or operations gates.
- Platform engineering is an emerging force that creates demand for a new generation of internal developer platforms.
- Key AI Ventures is actively investing in companies addressing post-migration cloud operations challenges.
Conclusion
The first era of cloud computing was about access — getting enterprises to the cloud at all. The second era, which we are now entering, is about mastery — operating in the cloud with the security, efficiency, and operational sophistication that enterprise requirements demand. This transition is creating an enormous opportunity for companies that understand both the technical complexity of cloud infrastructure and the operational realities of enterprise IT organizations.
At Key AI Ventures, cloud infrastructure is one of our two core investment themes, alongside enterprise security. We are actively looking for founders building the next generation of cloud operations tools. Learn more about our investment approach on our About page or reach out directly.