As an investor and a technology enthusiast, I get excited when I encounter a novel viewpoint, a new way of solving a problem, or simply a new treatment to a challenge. But I have to say that it is a rare occurrence when someone solves a compelling problem, but at the same time brings fundamental innovation via its underlying technology.
JupiterOne is one such case.
I got to know Erkang Zheng, the founder of JupiterOne quite some time ago, when both of us were working in a completely different capacity.
Erkang was the CISO of LifeOmic, a data service cloud that provides many categories of health data that is central to patient care. Naturally, with these kinds of services, security, privacy, and compliance are of utmost importance.
Under Erkang’s leadership, LifeOmic attained HIPAA compliance for its cloud environment within a month, from start to finish, which is almost unheard of, especially for such a data-heavy operation.
I was curious. How did they pull it off?
So I had a conversation with Erkang, and it was one of the most productive and illuminating hours that I spent in a very long time.
“To perform a security task”, Erkang said, “you have to be able to ask questions and get accurate information in order to make decisions and execute.”
This is true with security investigations, incident response, vulnerability management, compliance, and also for many other tasks beyond security.
But the ability to get accurate information, such as what type of assets that I have, what status they are in, have they been configured correctly, etc., is easier said than done. This is because:
- Organizations often have incomplete or even incorrect information upon which to make security policy or operational decisions.
- Even if you have a complete set of information, the ability to retrieve the right set of information for the operations at hand remains a difficult challenge.
JupiterOne solves both of these problems.
At its core, JupiterOne discovers and documents your assets (and associated information) in a graph data model. More importantly, JupiterOne also documents the relationships between assets and maintains that relationship map throughout changes.
This is an extremely important point, as many asset management products do not have visibility to the relationships between assets. Without knowing how an asset impacts others, asset information becomes out of date quickly, especially in a cloud environment when workloads are ephemeral.
On top of the graph database, JupiterOne provides a powerful query engine that allows you to compose arbitrarily sophisticated queries to retrieve the desired information and insight.
JupiterOne’s innovation lies in its robust data model and the powerful query engine.
It dawned on me that this is exactly what Google did for Internet information: You collect information (Google crawling), organize it (Page ranking and other algorithms), provide a search capability (Google search), and just like that, you have the Internet at your fingertips.
Until recently, this type of approach did not exist for security information, not even for the scale of a single enterprise.
JupiterOne is building exactly that — Google for Security.
Indeed, this is how some of their customers are using JupiterOne. Databricks, for instance, built its entire security operations with JupiterOne as its foundational layer. Databricks’ VP of Security, Caleb Sima, said: “JupiterOne is the source of truth for us. If we want to know anything about our assets and relationships, we ask JupiterOne. The continuous monitoring aspect of JupiterOne enabled us to build automation that normally would require multiple vendors and a lot of manual work. JupiterOne is becoming the foundation to everything we do in security.”
Some of the example use cases that I’ve seen from JupiterOne’s customers:
- Your finance department wants to conduct a cloud spend projection by departments and needs to know which cloud asset belongs to which department? No problem, just ask JupiterOne.
- You want to do analytics across your cloud accounts and map activities to access tokens/keys? Maybe you want to know where all the secrets are for a particular type of account? Ask JupiterOne.
- You want policy-as-code? No problem. JupiterOne comes with a set of out-of-box queries that you can use as policies to check cloud security postures or compliance status. You can do custom queries, save them as policies. Better yet, share them with others. Policy-as-code, in this context, is simply policy-as-queries.
Today organizations are relying on the inventory capabilities of cloud providers to manage their cloud workloads, codes, and secrets. But unless you have done a great job of tagging your assets (including data) from get-go, you can’t manage them well. What’s more, you also need to know what IAM rules and dependencies exist within your cloud infrastructure so you can retrieve the correct information when you need it. It is an extremely complicated process. JupiterOne takes away that complexity and makes all of it dead simple.
Oh, did I mention that they do this across clouds, not just in AWS?
Multi-cloud asset identification is inherently a complex proposition. I have seen IT leaderships of companies become giddy after viewing a JupiterOne demo because the product solved a long-standing pain — cross-cloud asset identification and correlation.
Now, I am a geek. You can talk to me about graph models, query languages until the cows come home, but at the end of the day, you have to be solving a real problem. What JupiterOne built is not just a fancy graph data model and a powerful query engine, it is a novel approach to solving a multitude of cloud security challenges, including detection, security assessment, compliance monitoring, vulnerability, and configuration management.
As another one of JupiterOne’s customers said (this customer runs large online communities): “We don’t want to repeat the approach of accumulating technical debt in the cloud. With JupiterOne, we are able to do compliance, monitoring, and incident response all from JupiterOne’s living security data store, which we can query, monitor, and manage.”
Google for security, powerful, simple, and extensible. That’s what JupiterOne is.
I have been working with Erkang and JupiterOne for over a year now. It is extremely gratifying to see JupiterOne launched this week with a substantial $19M Series A funding round, with Rain Capital as one of the investors.
Backing good entrepreneurs and exceptional technologies are every investor’s goal. At Rain Capital, we are proud to find such a partner in JupiterOne and in Erkang.
Originally published at https://www.raincapital.vc on September 18, 2020.