Tel Aviv-based Aqua Security was arguably the first true pure-play cloud native security company to emerge as cloud adoption surged over the past decade. Now five years old, and with customers including JPMorgan Chase, as well as 100 of the Fortune 500, it just secured unicorn status with a $135 million Series E funding round, led by ION Crossover Partner. Not bad for a company with just 400 customers – some serious whales among them.
Like many right-thinking security companies, Aqua has also been engaging extensively with the community via its creation and support of open source tools, including kube-bench, which checks whether Kubernetes is deployed according to security best practices as defined in the CIS Kubernetes Benchmark, as well as Trivy, a free vulnerability scanner for container images, Git repositories and filesystems that's attracted over 6,000 stars.
The Stack sat down to speak with CEO Dror Davidoff about the cloud security business.
Dror, why raise more capital just now, and what makes your investors value you at unicorn status?
When we started Aqua Security, five years ago, the cloud-native security category didn't really exist. What's clear now is there is a category, and it's going to be a very significant, multi-billion dollar one.
We’ve proved that we have the best product in the market; we’ve already proved that we can solve a big problem; and we’ve proved to our investors that there is a significant addressable market. Now we’re after the big prize of being the leader of a significant emerging category. That requires additional fuel in our engine.
There’s a lot of vendors out there saying they’re the best thing since sliced bread. What makes your value proposition unique?
When people started to move to the cloud in a big way eight or so years ago, it was largely lift-and-shift. Since then, there’s been a set of technologies that really leverage the fact that you're in the cloud.
Now, applications are broken into microservices; and then packaging cloud workloads; everything is very dynamic, and very portable; everything is sitting on a CI/CD pipeline. The way applications are developed, pushed to the market and then run has changed dramatically, in short, and become genuinely cloud-native.
As a result, all of the supporting cast for this performance has had to change as well: from monitoring, to infrastructure; network elements: everything has had to adapt, including security.
We embarked on our first step [to securing this environment] five years ago by securing Docker containers. Since then cloud-native has evolved dramatically. There’s Docker, there’s multiple types of virtual containers; there’s serverless; managed services; lightweight VMs that are more like cloud VMs – all running on an orchestrator, the middleware (which has also changed; it started with Docker Swarm and Mesosphere, now it’s all Kubernetes).
Five years on, we believe we have the most complete platform to [secure] the full lifecycle of this type of cloud-native application that is broken into microservices; packaging workloads; pushed at high velocity to the cloud runtime environment, and with everything managed on an orchestration tool. Because when we look at this complete lifecycle, we think about hundreds of security control points along the way that need addressing.
And while enterprises might buy piecemeal products, more and more the trend is to consolidate with Aqua because everything was developed natively on one platform, with a lot of value-added between control points.
We want to help CISOs who have to run applications in the cloud with a completely new set of threats. And what we see now is that companies who were dipping their toes into the cloud are now scaling up. And it’s one thing to secure 10 workloads in the cloud, it’s a very different thing to secure 100,000 workloads.
We've seen the cloud hyperscalers come for the open source database world with a bit of a bite. Are you concerned that native cloud security tools from the big providers are going to render vendors like Aqua redundant?
It's a worry, but not a very big one. What we've learned over the past few years is that hybrid is not a transition phase, it's a strategy.
When I say hybrid, I mean private cloud with public cloud; I mean multicloud, no one is running everything they have in the world in one public cloud. They will be looking to spread [workloads] across on top of that. When you think hybrid, you have to think multiple technology stacks: because what we've learned is that containers are great, but for certain use cases, serverless is better; for other use cases, VMs will be better; and for other use cases, maybe a managed container service by Amazon will be better.
So companies will be using a broad range of technologies in the cloud, they will be running a hybrid model of on-prem and multicloud. Anyone that falls into this category -- and this is the vast majority of companies -- it [cloud provider security tools] will not be enough for them, but buying multiple security tools in each one of those environments? It makes much more sense having Aqua doing that [hybrid security for cloud-native] consistently, and consistency is huge when it comes to security.
The engineering challenge of ensuring robust and up-to-date security for such a sprawling environment or set of environments at every touch point sounds like quite a challenge...
It is! But that's our secret sauce. That's why we're so unique. We have a very, very talented team; engineering centres in Israel, in India and there is always a lot to do. But we work closely with our customers to be ahead of the curve. The thing about this environment is it creates barriers to entry; anyone who wants to compete needs to have a deep understanding of multiple clouds, multiple stacks and keep up to date. We're working with big customers and they expect us to have the next big thing supported by Aqua support. That's great: our big customers are lighthouse accounts leading the way for the market -- six months later when the rest of the market says "oh we want to run here" we can say, "we already did that". And that's a nice position to be in.