CipherCloud – Protecting Your Data on the Way to Cloud Services
My interview with Pravin Kothari, the founder and CEO of CipherCloud, covers a wide range of topics related to security software. Of course, Pravin describes the problem space and benefits of the CipherCloud Information Protection platform – a Cloud Access Security Broker (CASB), which manages and protects the information and access of an organization’s employees to external cloud services such as Dropbox, Google Drive, Office 365, and Salesforce. He also shares the profile of CipherCloud’s current customers, as well as what opportunities CipherCloud plans to address in the future.
Pravin has been in this industry for many years and has founded several successful security software companies. He offers some insights on the future of cloud security, as well as current trends in compliance requirements. Pravin also discusses how launching and growing startups has changed over the years, including how it is both easier and harder for a startup to succeed today.
CipherCloud is not your first startup in the security space. Please tell me a little bit about yourself, your background, and your addiction to security startups.
Yes – I am definitely passionate about solving security problems. I started solving real-world security problems soon after the dot-com bust in 2000. In those days, it was very easy to hack into any system. I co-founded a company called ArcSight – we had an IPO (Initial Public Offering) in 2008 and HP (Hewlett-Packard) later acquired the company.
In 2005, I founded RiskVision, which focuses on compliance and risk management. It is still an active and privately held company.
I founded CipherCloud in 2010 because I realized that the use of cloud services was becoming very widespread. Today, it is very easy for any employee to just purchase a cloud service account and start using it without any involvement from the IT department. The biggest problem with this is that sensitive data is leaving the enterprise without any check for data privacy, security and regulatory compliance. CipherCloud provides an organization with full visibility, control and information protection for the use of these services.
The CipherCloud platform is a Cloud Access Security Broker (CASB). What exactly is a CASB?
In the simplest terms, a CASB is a security service gateway that sits between an organization’s on-site infrastructure and cloud services. Today, the definition and usage of the term CASB is rather broad. I like to use the definition from the Gartner IT Glossary (who originally coined the term):
Cloud access security brokers (CASBs) are on-premises or cloud-based security policy enforcement points, placed between cloud service consumers and cloud service providers to combine and interject enterprise security policies as the cloud-based resources are accessed. CASBs consolidate multiple types of security policy enforcement. Example security policies include authentication, single sign-on, authorization, credential mapping, device profiling, encryption, tokenization, logging, alerting, malware detection/prevention and so on.
Your solutions are application-specific, rather than generic, correct?
Some of our solutions are application specific, while some are more generic. Our technology can work in generic clouds, such as ServiceNow, but we can go much deeper in specific clouds and applications.
The specific applications that we currently support include:
- SAP SuccessFactors
- SAP C4C
- Adobe Analytics Cloud
- Office 365
- Google Drive
Your web site emphasizes compliance protection at least as much as security/malware protection. Why is that?
Compliance, along with insider threats and external threats, is the third type of issue that companies face when trying to protect their sensitive information in the cloud. Compliance means that you are told exactly how you need to protect the data, such as with the European Union’s GDPR (General Data Protection Regulation), healthcare’s HIPAA (Health Insurance Portability and Accountability Act), or the more general SOX (Sarbanes-Oxley Act).
We have found that over 75% of the time, the driver/motivator for companies to invest in any security product or initiative is compliance and regulation.
Do you think that the current trends in compliance requirements are a good thing, or is it getting somewhat extreme and too much of a burden for companies?
In the US, the FCC (Federal Communications Commission) recently relaxed some compliance regulations, which does not make privacy advocates too happy. Outside of the US, however, we are seeing that governments are generally getting stricter – GDPR for example. Many multinationals inside the US and Europe are looking to GDPR as the standard they need to maintain. Also, many countries beyond Europe are looking at GDPR as a baseline standard they would like to enact.
What are the services/benefits that your platform provides?
There are four basic different use cases and technology sets that we deploy:
- Visibility/Discovery (user activity and behavior monitoring)
- Threat protection
- Information protection (encryption and tokenization)
- Compliance (data loss prevention, user activity and behavior monitoring)
How do you define your market? Who is your specific target audience within that market?
Our target market consists of companies that are multinationals or in regulated industries, such as:
- Healthcare & Pharma
- Telcos, Manufacturing, Hi-tech
- Banking, Financial Services, Insurance (BFSI)
- Government and Higher Education
Our customers are typically larger companies who are moving to the cloud at a large scale. They tend to have at least 1,000 users.
In addition to your software platform, you also offer a very wide set of professional services. Are they more for marketing/adoption purposes or are they a significant source of revenue?
Paid services are not a significant component of our business (< 10%), but we do make them available to very large organizations, e.g. Fortune 50 companies. Although our software comes ready to deploy and is very easy to use, some companies still want us to ensure that everything is properly configured and that all of their employees are fully trained.
How many active customers do you have today? Where are they mainly located?
We currently have several hundred paying customers, but that list is growing rapidly. They are typically large organizations. The majority of our customers are located in North America and Europe, but we do already have customers in close to 20 different countries around the world.
Whom do you see as your main competitors? How is your platform different?
Cloud security is an extremely hot market right now and it is the fastest growing segment in the security space. We constantly see companies trying to solve one piece of the problem. There are also many new CASB vendors popping up. However, an application-specific offering like ours is unique.
How do you see cloud computing and cloud security evolving in the coming years?
When I started the company in 2010, there were many security companies getting large amounts of funding. Until now, they mainly focused on discovering which cloud services were being used inside the organization. Today, more and more companies are focusing on specialized solutions for the protection, privacy, and seamless integration of their data.
What are your future plans for CipherCloud?
This market is still in its early stages, which presents us with numerous future opportunities:
- Continuing to evolve the platform.
- Going deeper into the specific cloud applications.
- Expanding the number of cloud applications that we support.
- Increasing our international presence.
How many employees do you have today? Where are they located?
We now have approximately 300 employees, many of whom are located at our San Francisco Bay Area headquarters. We also have subsidiaries in the UK, India, Australia, and Germany.
You have founded several startups in your career. How has the world of startups changed over the years? What do you see changing in the coming years?
Back in the early 2000s, it was difficult to launch a startup. Today, however, the capital needed to start a company is much less, so you can easily start a company without outside funding – or even without an office! This makes it much more efficient and easier for entrepreneurs. They can get to market very quickly after developing their initial idea. Furthermore, there is a large supply of capital available today, so that there is a high number of startups constantly being launched.
Another significant factor is that digital marketing makes it much easier for startups to reach their audiences at lower costs. The challenge then becomes how to differentiate your company and product, since there are so many companies competing out there. While in the past, incremental innovation was good enough to get attention, today you must have breakthrough innovation.
Another major challenge for startups today is finding top talent, because the supply is very limited and the competition for that limited supply is great.
How many hours a day do you normally work?
As the CEO, I must do everything – even the janitor’s job, so I work many hours. I try to achieve some sense of balance, but I still average about 60 hours a week.