Is the Cloud Safe? – The View from Vectra on Reducing Business Risk as Enterprises Aggressively Move to the Public Cloud

Digital transformation is driving enterprises to rapidly enter the next chapter of cloud adoption. Nearly half of current infrastructure-as-a-service Enterprise users are running production applications on public cloud infrastructure. As such, organizations are acutely focused on dynamic scaling, 24×7 availability, streamlined management and development tools to make the migration seamless…yet, security seems to be an afterthought or maybe just assumed to be “locked down” given that the bulk of workloads are at Amazon Web Services, Microsoft Azure or Google Cloud. Given the brands and heft of these mega tech companies, how can these clouds possibly not be secure?

Recent high-profile breaches demonstrate that there are inherent risks in the public cloud. In fact, just moving workloads to these branded cloud providers does NOT make them more secure at all.  It’s clear that enterprises must ensure their security stack is properly architected for the cloud. The recent Capital One breach was a shock to the system.

In the case of Capital One, a combination of a tech savvy team and AWS were breached by vulnerabilities that were known and could have been avoided. Does that mean it’s inherently risky to migrate to the cloud? Probably not, but it is clear we need better tools and processes to make this migration secure, scalable and cost-effective.

In this podcast, TCV’s Tim McAdam and Vectra CEO, Hitesh Sheth, talk about what it takes to reduce business risk in the cloud – and keeping enterprises, consumers and their transactions/interactions secure – while capitalizing on the tremendous opportunities the cloud offers.

For these insights and more, settle back and press play.

***

Tim McAdam: Welcome to Growth Journeys, a podcast series from TCV, focused on lessons from the field from entrepreneurs in the TCV ecosystem. I’m Tim McAdam, General Partner at TCV, and I’m here with Hitesh Sheth, CEO of Vectra, a leader in applying artificial intelligence to detect and respond in real time to cyberattacks in the cloud, data center, and enterprise infrastructures. Hitesh brings a wealth of experience from senior roles at Aruba, Juniper, and Cisco, that affords him important lessons about how enterprises can assess and address security as they migrate workloads to the cloud. These lessons include views on encryption, 5G, and commingled log data, to name a few. We’re covering all these topics today, but first, thanks for joining me, Hitesh, and welcome to Growth Journeys.

Hitesh Sheth: Great to be here, Tim. Thank you for having me.

Tim McAdam: So, let’s start with a relatively simple one, but probably complicated in its scope. What’s the general state of cloud security today?

Hitesh Sheth: Cloud security today is, in my view, where Windows used to be circa 1990s. If you go back in time a couple of decades when Windows started to proliferate, security was really not the first thing that Microsoft thought about. And at that time, it looked like a pretty complex setup with multiple operating system versions, different devices on which Windows was getting deployed, and it felt like it was an endless opportunity for attackers to leverage.

Now, fast forward to today, and if you look at the cloud environment, whether you’re dealing with serverless computing, whether you’re looking at Kubernetes, none of the technologies that are being built for the cloud have had security at the front end, and by comparison we have a thousand-fold more complex scenario than we had when Windows started prevailing from a security point of view.

So, I think the scenario we have right now is that while cloud is taking off exponentially, the security holes that we are facing are indeed very profound.

Tim McAdam: And how do you think enterprises should approach assessing their security vulnerabilities as they migrate these workloads to the cloud?

Hitesh Sheth: One of the most important things that they should think about very carefully is that whatever strategy they had in place in their traditional on-prem networks is not the strategy they should deploy into the cloud. And a good example would be – you think of perimeters when you think of on-prem networks. So traditional firewalls tend to be the way you think about security. That already is disappearing in traditional networks, and that certainly cannot apply when you’re looking at cloud infrastructure.

Now, I think Gartner has come out with a very good synthesis of how to think about building visibility for next-generation SOCs and they’ve got this thing called the Triad, and the Triad has three components to it. There is a SIEM in it. There is NDR, which is network detect and response. And there is endpoint detect and response, EDR. And logically, if you have those three technologies in place, then you have the best shot at delivering comprehensive visibility for the SOC. And the good news there, is that it is independent of whether you’re in the cloud or on on-prem networks as well.

Tim McAdam: Right. And just for the audience, could you define what a SIEM is?

Hitesh Sheth: Absolutely. SIEM is security information and event management systems. A vendor example here would be Splunk. When you’re looking at EDR, a vendor example would be CrowdStrike. And then certainly when it comes to NDR, Vectra would be the example in mind.

Tim McAdam: Perfect. So, talk about encryption for a second and what role encryption will play in securing workloads. And I think there are probably some schools of thought that say, “Why do you need any of this stuff if our data’s encrypted?”

Hitesh Sheth: Correct. So, I think there’s good news and bad news in encryption. Let me start with the good news. The good news is that you can indeed encrypt the traffic from say, the endpoint to the edge of the infrastructure, or to the SaaS application. And so, in theory, you are reducing the opportunities for a hacker to break into that workload or into the payload and initiate a cyberattack. So that’s the good news.

However, the reality is that whether you’re dealing with data centers or you’re dealing with cloud infrastructure, the number of times where the traffic’s going to get encrypted post the edge of the cloud or the data center tends to be very, very limited. And therefore, you have the need to still continuously monitor the inside of the data center or the inside of the cloud for tracking advance attacks. That’s number one.

But number two what is also probably not fully appreciated is that encryption is actually a friend for attackers. So, if your device is compromised, Tim, and then your traffic is encrypted from your device to the SaaS application, then if I’m the hacker, the chances that somebody’s going to pick me up really get diminished. Therefore, you know, logically the only way you can really find those attacks is by looking at the behavior of your device and how you’re interacting with the application. Therefore, behavioral approaches become really essential in this scenario.

Tim McAdam: Right. And that begs the question – that might be a device-specific viewpoint. But how about the data itself? Obviously, multi-tenant cloud applications have effectively commingled log data or log data from multiple customers. Is that a limitation or security risk as enterprises move their workloads to the cloud, and how do enterprises gain comfort that the integrity of their data will remain intact as they move workloads to the cloud?

Hitesh Sheth: The reason logs get commingled in the cloud environment – I’ll come back to the point I made earlier. Security is an afterthought in the scenario. The primary objective of doing that is to add efficiency to IT ops. That is the reason why they do that. For a customer, who is adopting cloud services, you have to reconsider the Triad that I described earlier. You have to have a SIEM. You can take this commingled log data and you can have this centralized in one place for analysis purposes.

But, what is really crucial is that you don’t rely on that by itself. You have to use network detect and response. You have to use endpoint detect and response. And so, the whole point of that Triad is to give you coverage in scenarios like the one you just described.

Tim McAdam: Got it. That makes sense. How about trends around next-gen communications like 5G, for example, and then this whole mindset of zero trust? How do you see these newer trends enhancing, or frankly, causing security issues?

Hitesh Sheth: The benefit of 5G is that we, as users, can bypass traditional networks, and with our devices – whether it’s a phone or a tablet – you can go straight to the cloud and order the SaaS application. You don’t have to worry about your traditional network and the security therein. Which is great.

Now, the challenge with that is that you have just now opened up a direct path into the data without any intermediary layers. So, this is where zero trust is supposed to come in.

Zero trust is supposed to introduce the notion that unless every device is authenticated, it should not be trusted. But frankly, it’s a very simplistic view of security because it essentially says, if Tim on Tim’s phone is authenticated, then Tim and Tim’s device are now automatically safe. But what if somebody stole your credentials? And that happens on a daily basis, as we know. And, therefore, it is not enough to rely on something like zero trust.

You have got to have the right monitoring principles in place in the cloud itself to ensure that if your credentials are stolen on one end, you’ve got the right mechanisms to watch for the behavior of the privileged user in the cloud.

Tim McAdam: Got it. So, let’s talk about responsibility for a second. I recently read a Gartner report that was talking about degrees of hand-off points from infrastructure as a service providers, to platform as a service providers, to SaaS providers. How do you think about this shared responsibility continuum, and do you see this security responsibility changing over time?

Hitesh Sheth: First of all, I think a lot of companies make the mistake of thinking that the security responsibility is solely the cloud provider’s responsibility. And I think that mistake originates from consumers of SaaS applications.

If you are consuming Salesforce, as an example, I think it’s very reasonable to expect that Salesforce has taken care of your security requirements. In theory, that’s generally true. However, if you are the entity that is actually deploying your applications into the cloud environment, having that expectation that AWS, Microsoft, Google, have done the same thing is fundamentally not true.

At the end of the day, the company that’s utilizing cloud resources is responsible for the security of the network layer, the data on top of that, the applications, and how people are interacting with those applications. That responsibility solely resides with the entity that is using those services. And I think even as cloud providers evolve their security offerings, it would be a mistake for consumers of those offerings to relinquish their responsibility back to the cloud provider.

Tim McAdam: So, Hitesh, you can’t pick up the paper today without reading headlines about the shortage of qualified cybersecurity talent relative to the size of the problem. This is a massive issue. Why haven’t more cybersecurity companies adopted an AI/ML framework like Vectra’s given the obvious dearth of humans in the sector?

Hitesh Sheth: I actually think, Tim, that a lot of security vendors are talking about AI today. It’s become one of the pain points for customers, where AI has evolved into a buzzword from vendors, and they talk about it all the time.

The issue fundamentally is that the vendors are approaching this completely wrong, in my view. Even for investors, as they think about investing in companies that are touting AI, the principle of generalized AI simply does not work. Generalized AI equals a human being. And AI is not advanced enough, from a software point of view, to repeat what a human being would do in technology. So, the notion of applied AI is really key here. Applied AI does work as evidenced from the work that we do at Vectra.

And I think the key there is you cannot just take AI by itself. If it’s application-specific, then domain becomes very critical. And one of the early epiphanies that we had in our journey here is that as we experimented with generalized AI, and frankly we made mistakes with that. And what struck us very quickly was that, “Hey, you need security domain, you’ve got to have security domain paired up with AI for this to work.” If I’m a customer, I would be testing for that every single day before accepting a vendor’s word that their tech is actually going to work in my environment. Otherwise, it’s the person behind the curtain actually doing the work, not the software.

Tim McAdam: Right. Well, thank you for making all those generalized AI mistakes before we invested, Hitesh.

Hitesh Sheth: And, yes, we did that in the first few years, Tim, as you know well, but if you don’t make mistakes, you don’t learn. And we are much better off as a result.

Tim McAdam: So lastly, at a recent offsite, one of my partners floated the concept of via negativa, or addition by subtraction, as it related to our business model as investors. That is to say, focus on fewer, more high-impact investment themes or investment types by not focusing on others. Hitesh, should via negativa apply to streamlining the security posture of enterprises as they think about moving to the cloud?

Hitesh Sheth: I think it’s an absolutely fantastic principle for how you think about where you invest in infrastructure broadly and certainly in security, because as we all know, security is rife with a plethora of technologies and vendors pitching the next-greatest tool to customers every single day. Yet, paradigms have evolved very, very rapidly.

So for example, if I am building something from ground up, a customer should ask themselves, why do they really need a firewall? For what purpose? If I have EDR on my endpoint, if I have the right setup for monitoring my workloads in the cloud, what role does a firewall really play? What role does a perimeter play? If you want to save your dollars, OpEx or CapEx, I’ll put something bold out there and say, eliminate the firewall. I would challenge somebody to do that. And then provided they are actually following the SOC Triad – be religious about implementing the SOC Triad.

Do that first and then question the need for spend on anything else next. That’s the approach – that’s how via negativa can apply to security spend.

Tim McAdam: That is bold. I like it. Hitesh, thanks for joining us today.

Hitesh Sheth: Thanks very much, Tim, really appreciate it.

***

The views and opinions expressed are those of the speakers and do not necessarily reflect those of TCMI, Inc. or its affiliates (“TCV”). TCV has not verified the accuracy of any statements by the speakers and disclaims any responsibility therefor. This blog post is not an offer to sell or the solicitation of an offer to purchase an interest in any private fund managed or sponsored by TCV or any of the securities of any company discussed. The TCV portfolio companies identified above, if any, are not necessarily representative of all TCV investments, and no assumption should be made that the investments identified were or will be profitable. For a complete list of TCV investments, please visit www.tcv.com/all-companies/. For additional important disclaimers regarding this document, please see “Informational Purposes Only” in the Terms of Use for TCV’s website, available at http://www.tcv.com/terms-of-use/.


Venafi Secures $100M Financing Round Led by TCV

Salt Lake City–November 29, 2018–Venafi®, the leading provider of machine identity protection, today announced the closing of a $100 million round of financing, led by TCV with additional participation from existing investors, QuestMark Partners and NextEquity Partners. TCV is one of the largest and most respected providers of capital to growth-stage private and public companies in the technology industry and has backed industry-leading companies, including Airbnb, Alarm.com, Cradlepoint, Genesys, Netflix, Rapid7, Silver Peak, Splunk, Spotify and Zillow. As part of the transaction, TCV general partner, Jake Reynolds, joins Venafi’s board of directors.

The funding will be used to accelerate Venafi’s growth and to cement the firm’s growing market leadership. In addition to fueling growth, $12.5 million of the investment will be made available to third-party developers in the first tranche of the new Machine Identity Protection Development Fund. Venafi created the fund to accelerate the integration of machine identity intelligence into a wide range of machines in the enterprise and further enhance and expand the machine identity ecosystem. The fund will allow developers, including consultancies, systems integrators, fast-moving startups, open source developers and cybersecurity vendors to apply for sponsorship. This sponsorship will allow recipients to build integrations that deliver greater visibility, intelligence and automation for Venafi customers across any technology that creates or consumes machine identities.

“Identity is the foundation of security,” said Jeff Hudson, CEO of Venafi. “The cyber world is made up of machines, and all machines require identities for the cyber world to be secure. As a society, we understand the risks associated with human identity theft very well, and we spend over $8 billion per year protecting human identities. However, most organizations don’t yet understand the risks associated with machine identities and, as a result, spend almost nothing to protect them. This leaves our global digital economy at risk. TCV has a long history of partnering with the world’s leading technology firms, so we’re very excited about the opportunity to work with them. Their investment and expertise will help us ensure that the world’s machines, including hardware and software from smart machines, virtual servers, applications, containers, and more, are connected, safe and secure.”

Just as usernames and passwords are used to identify and authenticate humans, machine identities enable the trusted relationships between machines that control the flow of sensitive data. Because machine identities are poorly understood and often unprotected, they are subject to being exploited by cybercriminals. The Venafi platform protects the machine identities whose underlying technology is cryptographic keys and digital certificates by providing unparalleled visibility, intelligence and automation.

“The team at TCV is excited about our partnership with Venafi,” said Jake Reynolds, general partner at TCV. “DevOps and IoT are driving growth in the number of machines thanks to cloud computing, virtualization, and the proliferation of connected devices. Venafi is well-positioned to provide the machine identity protection for enterprise machines, and we look forward to supporting the Venafi team as they continue to scale in this rapidly expanding market.”

With over 30 patents, Venafi delivers innovative machine identity protection solutions for the world’s most demanding, security-conscious Global 5000 organizations, including the top five U.S. health insurers; the top five U.S. airlines; four of the top five U.S. retailers; and four of the top five banks in each of the following countries: U.S., U.K., Australia and South Africa.

For more information about the fund please visit: https://www.venafi.com/machine-identity-protection-fund

About Venafi

Venafi is the inventor and cybersecurity market leader in machine identity protection, securing connections and communications between machines. Venafi protects machine identity types by orchestrating cryptographic keys and digital certificates for SSL/TLS, IoT, mobile and SSH. Venafi provides global visibility of machine identities and the risks associated with them for the extended enterprise—on premises, mobile, virtual, cloud and IoT—at machine speed and scale. Venafi puts this intelligence into action with automated remediation that reduces the security and availability risks connected with weak or compromised machine identities while safeguarding the flow of information to trusted machines and preventing communication with untrusted machines.

For more information, visit: www.venafi.com.

About TCV

Founded in 1995, TCV provides capital to growth-stage private and public companies in the technology industry. Since inception, TCV has invested over $10 billion in leading technology companies and has helped guide CEOs through more than 115 IPOs and strategic acquisitions. TCV’s investments include Airbnb, Altiris, AxiomSL, Dollar Shave Club, EmbanetCompass, EtQ, ExactTarget, Expedia, Facebook, Fandango, GoDaddy, HomeAway, LinkedIn, Netflix, OSIsoft, Rent the Runway, Sitecore, Splunk, Spotify, Varsity Tutors, and Zillow. TCV is headquartered in Menlo Park, California, with offices in New York and London. For more information about TCV, including a complete list of TCV investments, visit https://www.tcv.com/.

Contacts

Venafi
Shelley Boose
shelley.boose@venafi.com
408.398.6987

TCV
Katja Gagen
kgagen@tcv.com
415.690.6689