The increase in cloud adoption driven by COVID-19 has introduced new opportunities and vulnerabilities that will persist even after the pandemic ends, said Druva CEO Jaspreet Singh.
As businesses adjust to a reopening world, they are leaning on SaaS providers and managed service providers (MSPs) more and relying less on their own data centers, he said. Meanwhile, a more distributed workforce has created a larger attack surface, making cybersecurity a top concern.
Druva closed a $147 million funding round in April that brought the cloud-based data protection startup's valuation to more than $2 billion. Since then, the company has invested in developing products and features along the post-pandemic trends Singh outlined.
Druva was named a Visionary in Gartner's Magic Quadrant for Enterprise Backup and Recovery Software Solutions in July, putting it in the same category as established vendors such as Commvault and Veritas. However, Druva was one of the earliest data protection vendors to build its platform entirely on the cloud and deliver all its offerings as a service, so it is, therefore, more directly comparable to Clumio and Commvault's Metallic division.
In this interview, Singh discussed how he envisions the post-pandemic world will unfold, the importance of SaaS and MSPs in that world, and what lessons can be learned from the ransomware attacks against SolarWinds and Kaseya.
What trends and customer challenges are you noticing as we transition to a post-pandemic world?
Jaspreet Singh: Cloud transformation and workspace transformation are definitely more mainstream and more important. When the pandemic hit, a lot of boards [of directors] were asking why they were paying so much for services they don't even use anymore. This included office space, IT systems, data centers and other services made completely unusable given the pandemic.
Workspace modernization and recovery for the workspace is also becoming mainstream. Scenarios like: What if my sign-in doesn't work? What if I can't reach my office? What if I can't reach my VPN? Disaster recovery for a distributed workforce environment is becoming the mainstream reality, and the work of building the entire workforce into a DR scenario is becoming important. And with everything distributed, security also becomes far more complex and important as we go into this transition.
In cloud and cloud transformation, people are building a multi-cloud strategy, but not for portability reasons. I don't think customers are saying, 'Let me run the same app in any cloud just to save costs.' That was a pre-pandemic thing, and I think, post-pandemic, there will be a realization that that's just a myth.
Instead, it's about interoperability. How do I operate across multiple clouds in a meaningful way so I can get the best of all clouds and not be locked into one vendor? How do I standardize so operating across multiple clouds becomes easier and foolproof? I think some of those things will start to be considered.
Whether people eventually show up to the office three days a week, two days or not at all, a lot still has to be seen. I feel, right now, a lot of people are just making public statements for the sake of public statements without truly understanding this is a black swan event.
Jaspreet SinghCEO, Druva
What has Druva been doing in response?
Singh: We are investing heavily into product and engineering. We are extending data protection into new apps, new value-add services, and just investing into growth overall. The market has been great, and we're just responding to the new cyber resiliency threats.
We acquired sfApex last year, which is a Salesforce.com backup solution. The integration of Salesforce backup into our platform was very well received. SaaS [backup] is a critical need in the market and growing rapidly. …
On the innovation side, we have a pretty healthy, robust pipeline. We launched Kubernetes as a core focus for backup. It's in early access now and will launch first on [Amazon Elastic Kubernetes Services]. We'll have a bigger announcement on that in the next couple of months. We also launched new capabilities for cyber resiliency and ransomware remediation, and we have some more updates to come in the next three to four months.
Also, as a result of COVID, SaaS became dominantly mainstream, so we have a lot of innovation on user experience, like how the customers can manage data and get a holistic view of their entire infrastructure at scale, with all the bells and whistles of security.
Druva launched a new MSP platform recently. Why target the MSP market?
Singh: There's a wide spectrum of customers. There are companies who love their backup architecture -- they want to deploy infrastructure [and] build, manage and own everything. That's, sort of, not the market for us.
And there's a middle tier of customers who like the as-a-service model, of letting somebody else take care of security and management of data protection, and they get all the benefits of it. And that segment's starting to do very, very well.
But then there's another growing set of customers who don't even have an IT team, who typically go to MSP providers, and the MSP provider gives them a full data protection offering, including onboarding, management -- everything. Now, this particular market of MSPs, their business is basically leasing infrastructure. They buy in bulk, and then send hardware to customers to enable services for them, and then amortize the hardware cost over time.
It's getting harder and harder for this particular MSP segment because they're now competing against the technology companies or cloud providers themselves. It's becoming harder for them to do their hardware-leasing model perpetually. And with security threats and ransomware, they're taking on a lot of risk, as well.
With our model, they can pretty much operate in an already purpose-built architecture to really address this customer need rapidly without any burden of hardware or software, or any burden of buying upfront and managing infrastructure without having customer commitments.
Did the ransomware attack Kaseya suffered recently raise any concerns for Druva security?
Singh: These events are very interesting learning opportunities for any company to understand what you could do better in your operations. I think we've learned attackers don't typically go after your crown jewels and, instead, go for the lowest common denominator. They hack into active directories, email systems, dev environments or engineering learning systems.
I think with, specifically, how backup software is traditionally delivered, it's no match for ransomware. Very few backup software in the market has simple things like two-factor authentication. Air gapping of data and immutability of data will do nothing if the application itself is compromised.
We were doing a lot of security updates to our platform consistently even before the Kaseya or SolarWinds incidents, which are needed for this new world. We secure our dominant cloud; we also have fairly robust policies and procedures [and] intrusion detection and vulnerability management around our DevSec environment, as well.
We have security baked into our entire stack. We have authentication systems managed through a third party, we have our own [multi-factor authentication] and the majority of our applications are two-factor.
Editor's note: This interview has been edited for clarity and length.