Cloud security is one of the big drivers among enterprises making IT investments this year, according to a recent report from Gartner, which estimated that some $4.4 trillion in IT spend overall in 2022. Today, a startup called DoControl, which is building what it describes “no code” solutions for one part of that security stack — securing log-ins across cloud apps — is announcing $30 million in funding to expand.
The funding is coming in the form of a Series B round of funding led by Insight Partners, with other unnamed previous backers also participating. New York-headquartered with R&D operations also in Israel, DoControl came out of stealth last year and its list of investors also includes RTP Global, StageOne Ventures, Cardumen Capital and security firm CrowdStrike, which is both a financial and strategic backer, working with DoControl within its own company and incorporating it also into its platform.
The issue that DoControl is tackling is one that has grown with the way that enterprises work today. As more companies shift more of their IT activities into cloud environments, collaboration doesn’t just happen between people in the same organization; increasingly people share documents and data across different companies, too.
That’s great, but problems arise when people change roles, or leave organizations, or projects move around and those who attached to documents fail to update sharing accessibility to the data within those shared apps and documents. It’s not a matter of it not being possible for an organization to revoke access, but across many applications sharing is enabled on a per-user basis, and so it means it needs to be disabled on a per-user basis, too, but because we’re busy and distracted, it often isn’t.
“So even if you delete a user from the wider system, that information might still be shared,” said Adam Gavish, the CEO of DoControl. “If I start a doc on, say, Google and then share it with a vendor, from what we see no one ever goes back to the doc and removes the sharing privilege. You don’t remember what you shared, you don’t have the context and it’s done and buried across multiple ecosystems. ”
Gavish saw this problem first-hand: he worked on privacy and security at Google Cloud prior to founding DoControl. It was there that he first started identifying the problem, but struggled to get people to want to build something to address it. “They had other priorities,” he said.
Things are rapidly changing, however, with security breaches such as the one at Okta putting a focus on how even zero-trust network and app authentication may not always be enough to protect data.
DoControl’s solution is built on the idea of attaching a zero-trust security principle to data access, similar to the zero-trust approach that many vendors have built around network or app access, where users are required to log in to use apps.
“We are not reinventing the wheel,” Gavish jokes. But they are, maybe more accurately, building a wheel that is more fit for purpose, to work with the specific vehicle people are driving today. Users are authenticated, but equally when they leave an organization, or change roles, and then try to use the same documents, it can be seen, flagged, and if needed stopped. The system is also set up to monitor and stop when users — current and past, with access yet to be revoked — are also moving data in and out of apps, which is particularly important in cases where personal information is involved.
DoControl today provides integrations into what Gavish described as “the top 15” cloud app platforms, which include Google and Microsoft apps (including GitHub), Jira, and Salesforce (including Slack).
Although there is an API available now for integrating DoControl into wider security authentication framework, some of the funding will be used to build a more powerful API aimed at security developers who can then build integrations with whatever other apps an organization is using that DoControl may not already support by default. Currently, when those use cases arise, end users have to ask DoControl to build those integrations itself.
“Every modern company has to deal with the risk of unmanageable SaaS data access, where sensitive company, employee, and customer data are stored within popular enterprise applications. DoControl offers a rare combination of asset management, security automation, and remediation actions that eliminate the risk of exposure created by a lack of SaaS data protection capabilities,” said Stephen Ward, MD at Insight Partners, in a statement. “In my time as a CISO, I saw the importance of technology that quickly and effectively addresses these issues, and it’s why we’re proud to partner with DoControl as they continue to grow.”
Gavish, who co-founded DoControl with Omri Weinberg (CRO) and Liel Ran (CTO), described CrowdStrike as not just an investor but a “paying customer.”
“When [CrowdStrike] detects malware on the end point we can find and remove the log-in,” he said, adding that CrowdStrike turning to a third party like DoControl for this work is a “testament to how hard all this is.” Netskope and BetterCloud are among competitors also building tools to address the same problem DoControl is, which is another reason for investing in more tools to integrate DoControl into more environments. A further partnership with Datadog, to open up incident reports directly after detecting the user log-in, is also in the works.