6 tips founders need to know about securing their startup

If you’ve read anything of mine in the past year, you know just how complicated security can be.

Every day it seems there’s a new security lapse, a breach, a hack, or an inadvertent exposure, such as leaving a cloud storage server unprotected without a password. These things happen, but they don’t have to; security isn’t as difficult as it sounds, but there’s no one-size-fits-all solution.

We sat down with three experts on the Extra Crunch stage at TechCrunch’s Disrupt SF earlier this month to help startups and founders understand what they need to do, when, and why.

We asked Google’s Heather Adkins, Duo’s Dug Song, and IOActive’s Jennifer Sunshine Steffens for their best advice. Here’s what they had to say.

Quotes have been edited and condensed for clarity.

1. Don’t put off the security conversation

The one resounding message from the panel: don’t put security off.

“There are basically three areas that folks should start considering how to bucket those risks,” said Duo’s Song. “The first is corporate risk in defending your users and applications they access. The second is application security and product risk. A third area is around production security and making sure that the operation of your security program is something that keeps up with that risk. And then a fourth — a new and emerging space — is trust, and not just privacy, but also safety.”

It’s better to be proactive about security than to be reactive to a data breach; not only will it help your company bolster its security posture, but it also serves as an important factor in future fundraising negotiations.

Song said founders have a “very direct obligation” to think about security as soon as they take someone else’s money, but especially when a company starts gathering user or customer data. “You have to put yourself in the shoes of those folks whose data you have to protect,” he said. “It’s not just your existential threats to your business, but you do have a responsibility, right, to figure out how to do this well.”

IOActive’s Steffens said startups are already a target — simply because it’s assumed many won’t have thought much about security.

“A lot of attackers will go after startups who have high value data, because they know security is not a priority and it’s going to be a lot easier to get ahold of,” she said. “Data these days is extraordinarily valuable.”

2. Start with the security basics

Google’s Adkins, who runs the search giant’s internal information security team, joined the company almost two decades ago when it was just the size of a large startup. Her job is to keep the company’s network, assets, and employees safe.

“When I got there, they were so fanatical about security already, that half of the job was already done,” she said. “From the moment [Google] took its first search query, it was thinking about where those logs are stored, who has access to them, and what is its responsibility to its users,” she said.

“Startups who are successful with security are those where the chief executive and the founders are fanatical from day one and understand what threats exist to the business and what they need to do to protect it,” she said.

Song said many popular products and technologies these days come with strong security by default, such as iPhones, Chromebooks, security keys and Windows 10.

“You’re better off than the 90% of large companies out there,” he said. “That’s one of those few strategic advantages you have as a smaller, nimbler organization that doesn’t have a lot of legacy,” he added. “You can do things better from the start.”

“A lot of the basics are still key,” said Steffens. “Even as we come out with the new shiny technology, having things like firewalls and antivirus, and multi-factor authentication.”

“Security doesn’t always have to be a money thing,” she said. “There’s a lot of open source technology that’s really great.”

3. Start looking at security as an investment

“The sooner you start thinking about security, the less expensive it is in the end,” said Steffens.

That’s because, the experts said, proactive security gives companies an edge over competitors who tack on security solutions after a breach. It’s easier and more cost-effective to get it right the first time without having to fill in gaps years later.

It might be a hard sell to funnel money into something where you won’t actively see financial returns, which is why founders should think of security as investments for the future. The idea is that if you spend a little money at the start, it can save you down the line from the inevitable — a security incident that will cost you in bad headlines, lost customer trust, and potentially fines or other sanctions.

EU contracts with Microsoft raising “serious” data concerns, says watchdog

Europe’s chief data protection watchdog has raised concerns over contractual arrangements between Microsoft and the European Union institutions which are making use of its software products and services.

The European Data Protection Supervisor (EDPS) opened an enquiry into the contractual arrangements between EU institutions and the tech giant this April, following changes to rules governing EU outsourcing.

Today it writes [with emphasis]: “Though the investigation is still ongoing, preliminary results reveal serious concerns over the compliance of the relevant contractual terms with data protection rules and the role of Microsoft as a processor for EU institutions using its products and services.”

We’ve reached out to Microsoft for comment.

A spokesperson for the company told Reuters: “We are committed to helping our customers comply with GDPR [General Data Protection Regulation], Regulation 2018/1725 and other applicable laws. We are in discussions with our customers in the EU institutions and will soon announce contractual changes that will address concerns such as those raised by the EDPS.”

The preliminary finding follows risk assessments carried out by the Dutch Ministry of Justice and Security, published this summer, which also found similar issues, per the EDPS.

At issue is whether contractual terms are compatible with EU data protection laws intended to protect individual rights across the region.

“Amended contractual terms, technical safeguards and settings agreed between the Dutch Ministry of Justice and Security and Microsoft to better protect the rights of individuals shows that there is significant scope for improvement in the development of contracts between public administration and the most powerful software developers and online service outsourcers,” the watchdog writes today.

“The EDPS is of the opinion that such solutions should be extended not only to all public and private bodies in the EU, which is our short-term expectation, but also to individuals.”

A conference, jointly organized by the EDPS and the Dutch Ministry, which was held in August, brought together EU customers of cloud giants to work on a joint response to tackle regulatory risks related to cloud software provision. The event agenda included a debate on what was billed as “Strategic Vendor Management with respect to hyperscalers such as Microsoft, Amazon Web Services and Google”.

The EDPS says the idea for The Hague Forum — as it’s been named — is to develop a common strategy to “take back control” over IT services and products sold to the public sector by cloud giants.

Such as by creating standard contracts with fair terms for public administration, instead of the EU’s various public bodies feeling forced into accepting T&Cs as written by the same few powerful providers.

Commenting in a statement today, assistant EDPS, Wojciech Wiewiórowski, said: “We expect that the creation of The Hague Forum and the results of our investigation will help improve the data protection compliance of all EU institutions, but we are also committed to driving positive change outside the EU institutions, in order to ensure maximum benefit for as many people as possible. The agreement reached between the Dutch Ministry of Justice and Security and Microsoft on appropriate contractual and technical safeguards and measures to mitigate risks to individuals is a positive step forward. Through The Hague Forum and by reinforcing regulatory cooperation, we aim to ensure that these safeguards and measures apply to all consumers and public authorities living and operating in the EEA.”

EU data protection law means data controllers who make use of third parties to process personal data on their behalf remain accountable for what’s done with the data — meaning EU public institutions have a responsibility to assess risks around cloud provision, and have appropriate contractual and technical safeguards in place to mitigate risks. So there’s a legal imperative to dial up scrutiny of cloud contracts.

In parallel, the EDPS has been pushing for greater transparency in consumer agreements too.

On the latter front Microsoft’s arrangements with consumers using its desktop OS remain under scrutiny in the EU. Earlier this year the Dutch data protection agency referred privacy concerns about how Windows 10 gathers user data to the company’s lead regulator in Europe.

While this summer the company made changes to its privacy policy for its VoIP product Skype and AI assistant Cortana after media reports revealed it employed contractors who could listen in to audio snippets to improve automated translation and inferences.

The French government, meanwhile, has been loudly pursuing a strategy of digital sovereignty to reduce the state’s reliance on foreign tech providers. Though kicking the cloud giant habit may prove harder than ditching Google search.

Edge computing startup Pensando comes out of stealth mode with a total of $278 million in funding

Pensando, an edge computing startup founded by former Cisco engineers, came out of stealth mode today with an announcement that it has raised a $145 million Series C. The company’s software and hardware technology, created to give data centers more of the flexibility of cloud computing servers, is being positioned as a competitor to Amazon Web Services Nitro.

The round was led by Hewlett Packard Enterprise and Lightspeed Venture Partners and brings Pensando’s total raised so far to $278 million. HPE chief technology officer Mark Potter and Lightspeed Venture partner Barry Eggers will join Pensando’s board of directors. The company’s chairman is former Cisco CEO John Chambers, who is also one of Pensando’s investors through JC2 Ventures.

Pensando was founded in 2017 by Mario Mazzola, Prem Jain, Luca Cafiero and Soni Jiandani, a team of engineers who spearheaded the development of several of Cisco’s key technologies, and founded four startups that were acquired by Cisco, including Insieme Networks. (In an interview with Reuters, Pensando chief financial officer Randy Pond, a former Cisco executive vice president, said it isn’t clear if Cisco is interested in acquiring the startup, adding “our aspirations at this point would be to IPO. But, you know, there’s always other possibilities for monetization events.”)

The startup claims its edge computing platform performs five to nine times better than AWS Nitro, in terms of productivity and scale. Pensando prepares data center infrastructure for edge computing, better equipping them to handle data from 5G, artificial intelligence and Internet of Things applications. While in stealth mode, Pensando acquired customers including HPE, Goldman Sachs, NetApp and Equinix.

In a press statement, Potter said “Today’s rapidly transforming, hyper-connected world requires enterprises to operate with even greater flexibility and choices than ever before. HPE’s expanding relationship with Pensando Systems stems from our shared understanding of enterprises and the cloud. We are proud to announce our investment and solution partnership with Pensando and will continue to drive solutions that anticipate our customers’ needs together.”

Suse’s OpenStack Cloud dissipates

Suse, the newly independent open-source company behind the eponymous Linux distribution and an increasingly large set of managed enterprise services, today announced a bit of a new strategy as it looks to stay on top of the changing trends in the enterprise developer space. Over the course of the last few years, Suse put a strong emphasis on the OpenStack platform, an open-source project that essentially allows big enterprises to build something in their own data centers akin to the core services of a public cloud like AWS or Azure. With this new strategy, Suse is transitioning away from OpenStack. It’s ceasing both production of new versions of its OpenStack Cloud and sales of its existing OpenStack product.

“As Suse embarks on the next stage of our growth and evolution as the world’s largest independent open source company, we will grow the business by aligning our strategy to meet the current and future needs of our enterprise customers as they move to increasingly dynamic hybrid and multi-cloud application landscapes and DevOps processes,” the company said in a statement. “We are ideally positioned to execute on this strategy and help our customers embrace the full spectrum of computing environments, from edge to core to cloud.”

What Suse will focus on going forward are its Cloud Application Platform (which is based on the open-source Cloud Foundry platform) and Kubernetes-based container platform.

Chances are, Suse wouldn’t shut down its OpenStack services if it saw growing sales in this segment. But while the hype around OpenStack died down in recent years, it’s still among the world’s most active open-source projects and runs the production environments of some of the world’s largest companies, including some very large telcos. It took a while for the project to position itself in a space where all of the mindshare went to containers — and especially Kubernetes — for the last few years. At the same time, though, containers are also opening up new opportunities for OpenStack, as you still need some way to manage those containers and the rest of your infrastructure.

The OpenStack Foundation, the umbrella organization that helps guide the project, remains upbeat.

“The market for OpenStack distributions is settling on a core group of highly supported, well-adopted players, just as has happened with Linux and other large-scale, open-source projects,” said OpenStack Foundation COO Mark Collier in a statement. “All companies adjust strategic priorities from time to time, and for those distro providers that continue to focus on providing open-source infrastructure products for containers, VMs and bare metal in private cloud, OpenStack is the market’s leading choice.”

He also notes that analyst firm 451 Research believes there is a combined Kubernetes and OpenStack market of about $11 billion, with $7.7 billion of that focused on OpenStack. “As the overall open-source cloud market continues its march toward eight figures in revenue and beyond — most of it concentrated in OpenStack products and services — it’s clear that the natural consolidation of distros is having no impact on adoption,” Collier argues.

For Suse, though, this marks the end of its OpenStack products. As of now, though, the company remains a top-level Platinum sponsor of the OpenStack Foundation and Suse’s Alan Clark remains on the Foundation’s board. Suse is involved in some of the other projects under the OpenStack brand, so the company will likely remain a sponsor, but it’s probably a fair guess that it won’t continue to do so at the highest level.

Google will soon open a cloud region in Poland

Google today announced its plans to open a new cloud region in Warsaw, Poland to better serve its customers in Central and Eastern Europe.

This move is part of Google’s overall investment in expanding the physical footprint of its data centers. Only a few days ago, after all, the company announced that, in the next two years, it would spend $3.3 billion on its data center presence in Europe alone.

Google Cloud currently operates 20 different regions with 61 availability zones. Warsaw, like most of Google’s regions, will feature three availability zones and launch with all the standard core Google Cloud services, including Compute Engine, App Engine, Google Kubernetes Engine, Cloud Bigtable, Cloud Spanner, and BigQuery.

To launch the new region in Poland, Google is partnering with Domestic Cloud Provider (a.k.a. Chmury Krajowej, which itself is a joint venture of the Polish Development Fund and PKO Bank Polski). Domestic Cloud Provider (DCP) will become a Google Cloud reseller in the country and build managed services on top of Google’s infrastructure.

“Poland is in a period of rapid growth, is accelerating its digital transformation, and has become an international software engineering hub,” writes Google Cloud CEO Thomas Kurian. “The strategic partnership with DCP and the new Google Cloud region in Warsaw align with our commitment to boost Poland’s digital economy and will make it easier for Polish companies to build highly available, meaningful applications for their customers.”

IBM brings Cloud Foundry and Red Hat OpenShift together

At the Cloud Foundry Summit in The Hague, IBM today showcased its Cloud Foundry Enterprise Environment on Red Hat’s OpenShift container platform.

For the longest time, the open-source Cloud Foundry Platform-as-a-Service ecosystem and Red Hat’s Kubernetes-centric OpenShift were mostly seen as competitors, with both tools vying for enterprise customers who want to modernize their application development and delivery platforms. But a lot of things have changed in recent times. On the technical side, Cloud Foundry started adopting Kubernetes as an option for application deployments and as a way of containerizing and running Cloud Foundry itself.

On the business side, IBM’s acquisition of Red Hat has brought along some change, too. IBM long backed Cloud Foundry as a top-level foundation member, while Red Hat bet on its own platform instead. Now that the acquisition has closed, it’s maybe no surprise that IBM is working on bringing Cloud Foundry to Red Hat’s platform.

For now, this work is still officially a technology experiment, but our understanding is that IBM plans to turn this into a fully supported project that will give Cloud Foundry users the option to deploy their applications right to OpenShift, while OpenShift customers will be able to offer their developers the Cloud Foundry experience.

“It’s another proof point that these things really work well together,” Cloud Foundry Foundation CTO Chip Childers told me ahead of today’s announcement. “That’s the developer experience that the CF community brings and in the case of IBM, that’s a great commercialization story for them.”

While Cloud Foundry isn’t seeing the same hype as in some of its earlier years, it remains one of the most widely used development platforms in large enterprises. According to the Cloud Foundry Foundation’s latest user survey, the companies that are already using it continue to move more of their development work onto the platform and, according to code analysis from source{d}, the project continues to see over 50,000 commits per month.

“As businesses navigate digital transformation and developers drive innovation across cloud native environments, one thing is very clear: they are turning to Cloud Foundry as a proven, agile, and flexible platform — not to mention fast — for building into the future,” said Abby Kearns, executive director at the Cloud Foundry Foundation. “The survey also underscores the anchor Cloud Foundry provides across the enterprise, enabling developers to build, support, and maximize emerging technologies.”

Also at this week’s Summit, Pivotal (which is in the process of being acquired by VMware) is launching the alpha version of the Pivotal Application Service (PAS) on Kubernetes, while Swisscom, an early Cloud Foundry backer, is launching a major update to its Cloud Foundry-based Application Cloud.

With its Kubernetes bet paying off, Cloud Foundry doubles down on developer experience

More than fifty percent of the Fortune 500 companies are now using the open-source Cloud Foundry Platform-as-a-Service project — either directly or through vendors like Pivotal — to build, test and deploy their applications. Like so many other projects, including the likes of OpenStack, Cloud Foundry went through a bit of a transition in recent years as more and more developers started looking to containers — and especially the Kubernetes project — as a platform to develop on. Now, however, the project is ready to focus on what always differentiated it from its closed- and open-source competitors: the developer experience.

Long before Docker popularized containers for application deployment, Cloud Foundry had already bet on containers and, for example, written its own orchestration service. With all of the momentum behind Kubernetes, though, it’s no surprise that many in the Cloud Foundry community started to look at this new project to replace the existing container technology.

Axonius, a cybersecurity asset management startup, raises $20M in Series B

Cybersecurity asset management startup Axonius has raised $20 million in its second round of funding this year.

Venture capital firm OpenView led the Series B, joining existing investors in bringing $37 million to date following the startup’s $13 million Series A in February.

The security startup, founded in 2017, helps companies keep track of their enterprise assets, such as how many clouds, computers and devices are on their network. The logic goes that if you know what you have — including devices plugged into your network by employees or guests — you can keep track and discover holes in your enterprise security. That insight allows enterprises to enforce security policies to keep the rest of the network safe — like installing endpoint security software, or blocking devices from connecting to the network altogether.

Axonius’ co-founder and chief executive Dean Sysman said the company takes a different approach to asset management.

“You can’t secure what you don’t know about,” he told TechCrunch. “Almost everything you’re doing in security relies on a foundation of knowing your assets and how they stack up against your security policies. Once you get that foundation taken care of, everything else you do will benefit,” he said.

To build that foundation, Axonius integrates with over a hundred existing security and management solutions to build up a detailed picture of an entire organization.
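The logic the article describes (know what you have, then find what falls outside policy) boils down to joining several independent inventories and reporting the disagreements between them. The following is an added illustration written for this page, not Axonius code: it takes three constructed exports (a cloud provider instance list, an EDR agent console, and DHCP leases), joins them on a normalised hostname, and reports hosts with no EDR agent, agents that have gone quiet, and devices that appear only on the network. The data, field names and 30-day staleness threshold are assumptions chosen for the example.

```python
"""Asset reconciliation across independent inventories (illustrative example).

Joins three constructed inventories on a normalised hostname and reports the
coverage gaps between them. Not Axonius code; all data below is made up.
"""
from dataclasses import dataclass, field

# Constructed sample exports, standing in for what real tools would return.
CLOUD_INSTANCES = [  # e.g. a cloud provider's instance listing
    {"hostname": "web-01.corp.example", "ip": "10.0.1.10", "tags": {"owner": "web"}},
    {"hostname": "db-01.corp.example", "ip": "10.0.1.20", "tags": {"owner": "data"}},
    {"hostname": "batch-03.corp.example", "ip": "10.0.2.5", "tags": {}},
]
EDR_AGENTS = [  # e.g. an endpoint agent console; note inconsistent naming
    {"host": "WEB-01", "last_seen_days": 0},
    {"host": "db-01.corp.example", "last_seen_days": 1},
    {"host": "laptop-jdoe", "last_seen_days": 45},
]
DHCP_LEASES = [  # e.g. DHCP server leases; one device reports no name at all
    {"mac": "aa:bb:cc:00:00:01", "ip": "10.0.1.10", "name": "web-01"},
    {"mac": "aa:bb:cc:00:00:09", "ip": "10.0.3.77", "name": "raspberrypi"},
    {"mac": "aa:bb:cc:00:00:10", "ip": "10.0.3.78", "name": ""},
]


def normalize(name):
    """Reduce 'WEB-01.corp.example' and 'web-01' to the same join key."""
    key = name.split(".")[0].strip().lower()
    return key or None


@dataclass
class Asset:
    key: str
    sources: set = field(default_factory=set)   # which inventories saw it
    ips: set = field(default_factory=set)
    edr_stale: bool = False                      # agent present but silent


def build_inventory(cloud, edr, leases, stale_after_days=30):
    """Merge the three exports into one dict keyed by normalised hostname."""
    assets = {}

    def get(key):
        return assets.setdefault(key, Asset(key=key))

    for inst in cloud:
        a = get(normalize(inst["hostname"]))
        a.sources.add("cloud")
        a.ips.add(inst["ip"])
    for agent in edr:
        a = get(normalize(agent["host"]))
        a.sources.add("edr")
        a.edr_stale = agent["last_seen_days"] > stale_after_days
    for lease in leases:
        # A nameless lease is still an asset; fall back to the MAC as its key.
        key = normalize(lease["name"]) or f"mac:{lease['mac']}"
        a = get(key)
        a.sources.add("dhcp")
        a.ips.add(lease["ip"])
    return assets


def find_gaps(assets):
    """Policy checks: every asset needs a live EDR agent, and anything seen
    only on the network is unknown to both cloud and endpoint tooling."""
    return {
        "no_edr": sorted(k for k, a in assets.items() if "edr" not in a.sources),
        "stale_edr": sorted(k for k, a in assets.items() if a.edr_stale),
        "unknown_on_network": sorted(
            k for k, a in assets.items() if a.sources == {"dhcp"}
        ),
    }


if __name__ == "__main__":
    inventory = build_inventory(CLOUD_INSTANCES, EDR_AGENTS, DHCP_LEASES)
    for check, hosts in find_gaps(inventory).items():
        print(f"{check}: {hosts}")
```

Joining on hostname alone is the weak point of this toy: names collide, change, and are absent for unmanaged devices, which is why real asset tooling correlates on several identifiers at once (MAC, serial number, cloud instance ID, agent ID) and why the example falls back to the MAC when the lease carries no name.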

Clearly it’s a strategy that’s paying off.

The company already has big-name clients like The New York Times and Schneider Electric, as well as a handful of customers in the Fortune 500.

Sysman said the bulk of the funding will go towards the expansion of its sales and marketing teams but also the continued improvement and development of its product. “We’re hitting the gas and continuing to bring our solution to as many organizations in the market as we can,” he said.

Axonius said OpenView partner Mackey Craven, who focuses on cloud computing and enterprise infrastructure companies, will join the board of directors following the fundraise.

How Pivotal got bailed out by fellow Dell family member, VMware

When Dell acquired EMC in 2016 for $67 billion, it created a complicated consortium of interconnected organizations. Some, like VMware and Pivotal, operate as completely separate companies. They have their own boards of directors, can acquire companies and are publicly traded on the stock market. Yet they work closely within Dell, partnering where it makes sense. When Pivotal’s stock price plunged recently, VMware saved the day when it bought the faltering company for $2.7 billion yesterday.

Pivotal went public last year, and sometimes struggled, but in June the wheels started to come off after a poor quarterly earnings report. The company had what MarketWatch aptly called “a train wreck of a quarter.”

How bad was it? So bad that its stock price was down 42% the day after it reported its earnings. While the quarter itself wasn’t so bad, with revenue up year over year, the guidance was another story. The company cut its 2020 revenue guidance by $40-$50 million and the guidance it gave for the upcoming 2Q 19 was also considerably lower than consensus Wall Street estimates.

The stock price plunged from a high of $21.44 on May 30th to a low of $8.30 on August 14th. The company’s market cap plunged in that same time period falling from $5.828 billion on May 30th to $2.257 billion on August 14th. That’s when VMware admitted it was thinking about buying the struggling company.