Modeled After Google’s, ScaleFT Security Tech Entices Rackspace, VCs

Austin and San Antonio—Technology, of course, gives us all greater access to information than ever before. In the context of security, however, that’s often a big problem.

Companies have historically set up boundaries around the information they’re trying to protect—firewalls and virtual private networks that either aim to keep unwanted people out or allow restricted access to those they want in. A contingent of businesses, including Google, have been investing in a cybersecurity methodology in recent years called “zero trust,” which more severely limits access to things such as a company’s applications or servers.

ScaleFT, a cybersecurity startup led by former Rackspace employees and located in Austin and San Francisco, raised a $2 million seed round of funding last week to help sell its zero trust service. The new funding is the company’s second infusion of money since its founding in 2015; it previously received about $825,000 in angel funding. The $2 million came from Bay Area investment firms Fathom Capital, Spectrum 28, and Fuel Capital, as well as Graham Weston, a co-founder and former CEO of Rackspace.

The zero trust model assumes anyone trying to access a network is a potential threat, an untrusted source that shouldn’t be allowed in, according to Cambridge, MA-based market research company Forrester Research (NASDAQ: FORR), which says it coined the phrase in 2013. It’s easy to see the term’s connection to the more traditional method of security, loosely thought of as a “trust but verify” method, which Forrester says is no longer effective.

Those competing in the zero trust sector have started to gain momentum, particularly since Google provided some validation when it published internal research on the subject, says Ben Sabrin, ScaleFT’s chief operating officer. ScaleFT is pitching its zero trust security technology as safer and more reliable than a virtual private network (VPN), which is typically used to give employees secure access to a company’s network, especially if they work remotely.

Sabrin contends that VPNs can be slow if the employees are far away from the data center the VPN is using, and that usernames and passwords for logins can easily be hacked. ScaleFT’s design, which is modeled after the methodology Google developed, resolves that issue by letting people log in to a network without using a VPN, Sabrin says.

ScaleFT does so by identifying the person who is trying to access its client’s network via login information, such as credentials for Google Apps or Microsoft 365, he says. ScaleFT’s software then identifies the device an employee is using by its IP address (to verify the device is one the company issued or knows its employee uses), and then it analyzes what information the person is trying to access, Sabrin says.

The ScaleFT technology follows this procedure for each layer of information a person tries to access, such as a specific Web application. It will repeat it if the user then tries to access another layer of data, like a server. The tech can also apply additional rules, such as only giving a person access to a server if they have a firewall turned on or are using a specific type of encryption, Sabrin says.

“What we’re doing is running things behind-the-scenes for the user making these decisions,” he says. “We’re going to grant them access to something specific and then reevaluate any time they want to access anything else, to make sure nothing has changed based on what we know about the user, the device, and what they’re trying to do right now.”

The methodology isn’t unique to ScaleFT. Sabrin says the company’s network architecture is modeled after Google’s BeyondCorp, which the search giant uses internally and sells as Identity-Aware Proxy for people who use Google Apps. With such a dominant competitor, it would seem a wonder that ScaleFT could build a business.

But ScaleFT serves more than just Google Apps, Sabrin says, and he believes Google’s focus will remain on drawing more people to its product rather than offering its security technology to users of competitors’ applications and servers. ScaleFT’s system is focused on the entire market, he says, from apps for developers to server operators such as Amazon Web Services. Other competitors, such as Washington, DC-based Virtru, well-established firms like Palo Alto Networks, and recently formed startups like Burlington, MA-based Edgewise Networks, offer their own versions of zero trust authentication, Sabrin says.

ScaleFT partly differentiates itself by its focus on security for Web applications and servers. The company is increasingly aiming its services at developer Web applications, such as GitHub or CircleCI, though server access has historically been its focus. Sabrin notes that other companies have similar technology that can use certificates to identify and give access to users. He says he believes ScaleFT’s infrastructure that communicates between a client’s application or server and an employee’s computer is what helps the company differentiate itself from its competitors.

So far, ScaleFT has gained some traction. It has about 15 customers, including San Antonio companies Filestack, Jungle Disk, and Rackspace. Helping those customers securely access servers is ScaleFT’s biggest business, mostly because Rackspace uses the company’s technology to access AWS managed servers and Microsoft Azure managed servers (for all its clients who use those services). Managing cloud servers has become a core business for Rackspace, and that means ScaleFT counts about 700 companies that use Rackspace for cloud server access as indirect clients, Sabrin says.

ScaleFT has 12 employees, mostly in Austin and San Francisco, and none remain in San Antonio, despite the company’s having been founded by four former Rackspace employees, Sabrin says.

Author: David Holley

David is the national correspondent at Xconomy. He has spent most of his career covering business of every kind, from breweries in Oregon to investment banks in New York. A native of the Pacific Northwest, David started his career reporting at weekly and daily newspapers, covering murder trials, city council meetings, the expanding startup tech industry in the region, and everything between. He left the West Coast to pursue business journalism in New York, first writing about biotech and then private equity at The Deal. After a stint at Bloomberg News writing about high-yield bonds and leveraged loans, David relocated from New York to Austin, TX. He graduated from Portland State University.