
Clumio eyes security, BaaS expansion with VC funding

Clumio CTO Chadd Kinney and CSO Glenn Mulvaney discuss their company's roadmap and how Clumio addresses ransomware threats in a way that's different from other backup providers.

Merging storage and security together effectively has been an elusive goal for many technology vendors over the years, but Clumio believes it has a winning formula -- and one that can effectively mitigate ransomware threats.

Clumio, a backup-as-a-service provider based in Santa Clara, Calif., recently celebrated $135 million in Series C funding. The startup was founded in 2017 with the goal of leveraging cloud-native services to build a scalable and agile BaaS offering that could also meet enterprises' needs for data protection and analytics.

In this Q&A, Clumio CTO Chadd Kinney and CSO Glenn Mulvaney discuss the origin story of the company, how they plan to utilize their recent funding round, and how Clumio addresses ransomware threats.

Editor's note: This interview has been edited for length and clarity.

Tell me how the company was founded.

Chadd Kinney: The company was founded about two years ago. And the core concept behind it was to fundamentally remove the complexity of traditional data protection to start with, and do so by delivering a service offering that was delivered via the public cloud.

A few things we realized early on were, as customers were journeying to the public cloud, SaaS-based offerings, and path-based offerings, they needed a way to be able to protect their data set along the way. And we realized that people were running into roadblocks and moving data to the public cloud because data protection was not able to deliver the same type of functions and features that they delivered on premises, and there was a big barrier there that we were breaking through to help customers be able to journey along the public cloud.

The second part was, as we got to the public cloud, security became a big key focus. Our ability to be able to secure this information through both encryption and encryption-in-flight as well as various other ones Glenn will go through on the core platform itself was something that customers were very much hyper-focused on as they moved data more and more into the public cloud.

So far we've raised about $186 million in a series of A, B and C. Most recently we just closed a Series C of $135 million.

How do you plan to use that $135 million to grow the company?

Kinney: A lot of the key focus right now is expediting the introduction of new data sources for the platform itself. Today we back up VMware on premises, VMware running in AWS, as well as elastic block storage for AWS. And so, continuing to expand the data sources is a key thing we're moving forward with as part of this investment -- to get customers access to new data sources faster.

Give me a rundown of what the platform is all about.

Kinney: Fundamentally, we've built this platform for the public cloud, on top of AWS. We've built in a bunch of great efficiencies in the way the data is ingested. With anything that runs on the public cloud, if you compare that with something that runs on premises, typically you do duplication and security is retrofitted to the data center itself. And the world has shifted dramatically where people are looking to utilize the public cloud heavily and remove the things completely out of the data center. We were able to provide what we call a cloud connector that gets deployed in a customer's environment -- it's a virtual appliance so there's no hardware or anything like that. We do duplication and compression and encryption before the data is sent over the wire. We leverage the capabilities of S3 within Amazon, and we use their scale as data gets ingested over the platform itself. Then we use various stateless functions within the platform to churn through the data, as well as DynamoDB for a lot of the metadata functions and various other structures in AWS, and the agility and scale of that core platform to allow us to still be able to ingest data incredibly quickly and be able to provide services on top of that platform.

Glenn Mulvaney: From the security side, leveraging a lot of those public cloud controls we have in Amazon, we've implemented a model where data encryption is always on in the platform. It's not an option to turn it off and data is always encrypted and compressed. And the way it starts, which I think is a critical feature of the platform, is that the data is encrypted before it leaves the customer environment; it's encrypted in the customer environment, it's transmitted over a secure channel and then it's stored securely in S3. And there's different encryption keys used in each of those steps.

In terms of security in a more general fashion, we think of it in a couple of different ways. Fundamentally, we think of it as technology, people and processes, so we've talked about the technology a little bit in terms of how we handle encryption, but for the people and the processes, what we have implemented is the ISO 27001 framework, and we just completed our stage 2 audit last week. The ISO 27001 framework gives us a solid foundation for principles and controls for internal processes, and it also guided how we trained our employees about security awareness. We really used that as a guideline to integrate a lot of security into our software development lifecycle and into our QA lifecycle and broadly across all of the employees at the company, including sales and marketing and customer success.

Do you see yourself as more of a security vendor or a backup vendor or both?

Kinney: I'd say a little bit of both. I'd say we're a security-first company where we really spent a lot of time thinking about what we're doing as a core platform setting ourselves up for success. If you had to put a name on it, I'd say we're more of a data platform company than anything.

What effects have ransomware attacks had on the backup and data protection market in general?

Mulvaney: I think with the prevalence of ransomware attacks happening at all levels of organizations of all sizes, people are thinking a lot more seriously about their data protection and about their ability to recover from some sort of ransomware attack. I think there's certainly a lot of opportunity for Clumio to help a lot of organizations like that and to be able to give them a truly secure ability to recover from something like a ransomware attack. Certainly the prevalence of these [attacks] is increasing at a rate we hadn't anticipated, and I think that's helping in the market for data protection to actually drive people to think much more seriously about what their backup compliance policies look like.

How does Clumio address ransomware threats in a way that's different from other backup providers?

Kinney: Let me give you the most recent example, which is an interesting one. We recently announced the capability to be able to back up elastic block storage from AWS and when you look at the solutions that are out there today, most people protect data with snapshots and the snapshots live in the same account as the production data. Most people rely on these snapshots for quick recovery but they're also relying on them for the backup. And when malware hits or a bad actor hits on that particular account, they functionally get access to both the production data as well as the backup of that data in the same account and so it's opened up possibilities for people to run into data loss issues.

With our solution what we're fundamentally doing is we're copying the data and creating an air gap solution between the customer's environment and Clumio, which enables people to protect their data outside of their account and protect them from malware and ransomware attacks. We store all data in S3, which is unbeatable so no data, once backed up, can even change itself in any factor, so it gives customers the ability with our recovery mechanism to restore data into another AWS account, alleviating any sort of malware issues that may occur within one of their other AWS accounts.  

What do the next 12 months look like for the company?

Kinney: The motivation for us is to continue to expand more and more into the public cloud. Today we solve the key focus around private cloud, which is VMware. As people are moving to the public cloud, some are choosing to use VMware running in AWS, which is using a button to quickly move assets into the public cloud. They're also going and re-architecting applications into the public cloud, like using elastic block storage and other platform and service-based offerings. We are going to continue to expand in both SaaS-based offerings -- the usual suspects in that -- as well as more and more cloud-native capabilities so we can follow customers along that journey.

Beyond the additional data sources, we're adding additional functions on top of those datasets; we're investing in things like anomaly detection and reporting over the next 12 months and we are slowly bringing those into the platform as they come to bear.

Mulvaney: From the compliance side in 2020, obviously we're thinking about looking closely at CCPA [California Consumer Privacy Act], and I think with that going into effect on January 1 we're going to see that there's probably going to be more emerging new standards for certifications for protections and personal information handling. Already the ISO 27001 was revised in 2019 and previously was only revised in 2014, so I think protection of personal data is going to be a paramount part of our roadmap, and in 2020 we're looking very closely at doing HITRUST certification and beginning implementation for FedRAMP.
