Skyhigh Security CEO Gee Rittenhouse. Source: McAfee
When I think about “sensitive data,” my mind immediately goes to social security numbers, bank accounts, phone numbers, addresses, and driver’s license numbers. However, after talking to Skyhigh Security CEO Gee Rittenhouse and Chief Product Officer Anand Ramanathan and digging deeper into what sensitive data means for businesses across a variety of verticals, it turns out “sensitive data” means different things to different companies. For example, it can include electric company account numbers, intellectual property, financial statements, earnings statements and even press releases.
The term varies widely between business verticals so much so that pinning down what sensitive data means to one company versus another and then securing that data has become a challenge in and of itself, according to Rittenhouse and Ramanathan who sat down with me at RSA Conference 2022 in San Francisco for an interview about cybersecurity, cloud, security services edge (SSE), machine learning (ML), and more.
What follows is an abbreviated Q&A of our discussion.
Elizabeth Coyne: Can you tell me about the roots of Skyhigh Security, where the business started, and how you got to where you are today?
Gee Rittenhouse: Skyhigh Security actually came out of McAfee. McAfee, years ago, started to expand from the endpoint in the cloud. And so it acquired Skyhigh Networks, which was a Cloud Access Security Broker [CASB], primarily a CASB portfolio and then, over the years, expanded into the cloud space, so we participate in SSE. That is the primary market for us. So CASBweb gateways, zero trust, access all of all of that. And as McAfee started to look and the investors of McAfee started to look at the market, they saw this kind of more XDR [extended detection and response] endpoint side and the cloud and the cloud edge side. And so, we split the company, or we split the former McAfee company, apart in January… and the endpoint side went to Trellix. … And then the cloud side became Skyhigh Security, which we launched formally in March.
Coyne: What are the key drivers in the cybersecurity market for Skyhigh Security today?
Rittenhouse: So the whole cloud migration story, like we've been on this hype cycle for a while. The whole cloud edge piece has a lot of different components to it — it's the kind of capture this migration of moving the security stack from on prem into the cloud. We recognize that our customers have gone after it and so we positioned ourselves.
But in addition to that, as people are logging in from everywhere, different devices, different applications, the data protection element is as important as the old kind of Enterprise protection that you had on prem. Data protection is it. So regardless of how you access that data, manage devices are unmanaged. And regardless of where that data sits, in Software-as-a-Service [SaaS], in cloud, on-prem., we recognized that focusing on the cloud edge alone was not enough — and the real area of focus is data protection. And the cloud edge is a perfect place to do that. So of course, our portfolio sits there, okay.
But it's comprised of lots of different things — all having a unified view of what's the data, where is it, policies around it and visibility. The technical details of how we do it are somewhat secondary, where in this industry, you'll find that the technical details are primary, and then you try to have the customers have to string all this together. We string it together primarily and then the underlying technologies. We try to simplify that on behalf of the customers.
Coyne: How has that journey followed the journey of your customers?
Anand Ramanathan: Gee talked a lot about our roadmap and that journey, that’s kind of where we are focused on from, you know, roadmap. But being data aware is core to what we do, and to be frank, that's what customers care about.
You know, the data family left the four walls and there's no moat around there. So how do you protect your data right and not come in the way of end users? You go to the cloud, not because you just want to go to the cloud, right? Make your end users productive wherever they are. And the last thing you want to do is have to queue to come in and put more roadblocks.
We have a whole slew of innovation planned around kind of how we think about what the sensitive data means to a customer. You think about the more regulated industries — it's pretty easy: social security number, driver's license number all that easy, right? Then you go into health institutions and they say, well, actually, what matters is my patient account number and that just matters to me. That's a very specific format for them. And then we go into an oil and gas company, and they say, well, I don't have any of those numbers. What matters to me is really intellectual property. So we extended our data-aware capabilities to a number of these very unique things that our customers deeply care about.
Coyne: How can you solve for that kind of complexity?
Ramanathan: Where we are now focused on is how do we kind of leverage ML to try and understand what is sensitive data? That takes you to [situations like press releases] which, on Sunday, that was sensitive data for us, but Monday morning it is no longer sensitive data, because the press release has been issued. So how do you kind of look for that? How do you look for that financial statement again? Pre-release, it was very sensitive, post-release, it is no longer sensitive.
So we try to and what we do uniquely, if we understand all these activities that happen in the cloud — if we know what documents Gee touches, know what documents Tracy touches — we've added a lot of this people context into our ML to try and make sure that we really know what is business-critical data. … We look at a lot of those kind of people context patterns to understand that. … There's a whole slew of innovations that we have around … that we are working on that continue to give our customers increased flexibility. But at the same time, you know, protect what matters most to them, which is the data.
Coyne: How are things changing for your customers because of increase global conflicts and international hacking rings?
Rittenhouse: So there's, there's kind of two pieces to your question. The one piece is the threats and the vulnerability to those threats, and we don't participate in that kind of market that is Trellix. But then there is the general [vulnerability] because of these threats. Is your data protected? Are you using zero-trust principles? Are you doing these having the right kind of policies around your data? And that we very much do and whether this is always kind of top-of-mind as people are moving to the cloud and whatnot. I think it's just kind of a continuing trend, more than anything specific.
Ramanathan: Just to add to your point, you're absolutely right. We aren’t an endpoint company, but what we do care about is a user being compromised. What does that mean from their access to certain critical elements of data? So we do things like we can see if two people logging in from multiple places, you know, where they can't really physically be there. We do look for things where if a user had had some level of infection on the machine, what kind of access should be granted particular user in terms of, you know, which aspects of the cloud can they really access? Or should it just be read-only can they not download certain critical data onto the machine? So we do participate from that perspective and understanding kind of the risk posture of that user or the device? And how do we kind of automatically kind of provide access control instead of somebody having to do these manual tasks.
Coyne: And you would do that through ML?
Ramanathan: We will get a lot of telemetry, right. We do, you know, gather telemetry from our satellites, endpoints, if you will, where we can see if a particular user had some challenges. So the posture can come from multiple data points that we gathered from the user or the telemetry or the data or the device.
Rittenhouse: Because we have a broad portfolio, we could do it both seamlessly from a user perspective, as well as whether the user is on managed or unmanaged devices because we can just move them into our remote browser isolation. And because we have all these little enforcement nodes that are at the data layer, we can just kind of move them across and it's seamless because the policy is held at a different at a different level.
Coyne: What are the number one challenges that your customers are talking about? Is it that policy enforcement?
Ramanathan: What we are seeing is first and foremost, is the sort of convergence of multiple solutions, right? There was a time even a couple years ago where people said, okay, for the remote users, I'm going to have a remote access solution for the user who is at work. I'm going to have this particular solution for a cloud app….
There's a plethora of solutions that customers invested in over the last several years that can help. They grew up in the cloud transformation. I think a lot of what I'm seeing now is practically a step back and think that was all fine from a point solution standpoint, but I have nothing about architecture … so the convergence across all these solutions are bringing to light a number of things for the customer [such as], do I have the common policy? How do I define sensitive data one and apply it across all these vectors that I'm concerned about as opposed to trying to build it out again and again? That's the first thing that we are starting to see.
As people are working remotely, this notion of unmanaged devices has become a real problem for many of our customers. I thought that you were at work, but guess what, you were pretty much on your corporate device. Now you're working from home, I've got my iPad, or iPhone, you've got your daughter's laptop depending upon what you want to use. Right? So this notion of, how do I allow you access on an unmanaged device? Because that's kind of how work gets done. Having the appropriate controls has become very critical point for us.
The third thing that's become critical as part of this notion of remote users is just not about remote working from home. I mean, I can tell you about in our own Bangalore office, that we have people … not even in Bangalore anymore. So how do you provide sort of access wherever people are in the world because you want proximity to the user to get the right level of performance and latency expectations? Yeah, we all have very different expectations today, I mean, should be when you're trying to access something in OneDrive needs to be instantaneous. There's no latency that we should have. And so how do we provide the kind of security controls that our customers are looking for.
Rittenhouse: One additional thing that we've seen is a change in the ecosystem. So previously, as a security vendor, we would partner and integrate with a particular community. As you move, and as our customers move into the cloud, that community is shifting, and so being able to integrate into collaboration tools, being able to partner with others [is key]. We integrate into 1,000s of SaaS applications out there and so our customers are asking us, “Who is in your ecosystem? We're using X for this, Y for that, where do you fit in and how do you interact with these new participants?” There's a lot of the cloud transformation that is a comprehensive transformation — not taking your old environment and moving into the cloud. And that just represents a fundamental shift in their partners in their processes in their ecosystems.
Coyne: Is that partner integration using APIs? Do you have to worry about Application Programming Interface security as well?
Rittenhouse: Well, there's kind of two pieces to that question. One is managing the APIs and using the APIs to broker the interactions, and that's one of our core strengths as a cloud access service broker. But then there's protecting the APIs as like an API gateway.
Ramanathan: I think the API gateway is a critical nascent market. You know, we're starting to see some interest from our customers. We don't play necessarily in that market specifically, but it's an adjacent market to what we do today and we are continuing to watch it.