Clumio CEO on Why AWS S3 Buckets Pose a Giant Security Risk
Poojan Kumar on Why S3 Bucket Data Is Susceptible to Deletions and Attacks
Michael Novinson • December 2, 2022
The need for AWS security has increased as S3 buckets have evolved from a dumping ground for data to the home for critical cloud-native applications, says Clumio co-founder and CEO Poojan Kumar.
Information in S3 buckets is susceptible to both accidental deletions and cyberattacks given the vast amount of mission-critical data that resides within this public cloud storage resource, Kumar says. In response, he says Clumio earlier this year launched a service to back up data residing in S3 buckets and enhanced it last month with the ability to instantly recover any S3 data backed up using Clumio (see: Report: Unsecured AWS Bucket Leaked Cancer Website User Data).
"Your on-prem environment is a lot more controlled, and you have control over how you recover and the cost structure," Kumar says. "But in the cloud, if you don't do it the right way, these recoveries can be super expensive."
In a video interview with Information Security Media Group, Kumar also discusses:
- Why data protection and recovery are essential for S3 buckets;
- Why AWS customers should get security from Clumio, not AWS;
- What differentiates Clumio's approach to AWS security from rivals.
Kumar has 18 years of experience in cloud computing and storage and is known for seeing an opportunity for change, innovating and capitalizing on it. He founded and built PernixData - which was acquired by Nutanix in 2016 - and then served as Nutanix's vice president of engineering and products. Earlier in his career, Kumar was head of data products at VMware and founder at Oracle Exadata.
Michael Novinson: Hello, this is Michael Novinson with Information Security Media Group. I'm joined today by Poojan Kumar. He is the co-founder and CEO at Clumio. Good afternoon, Poojan. How are you?
Poojan Kumar: Good, Michael. I'm great. How are you doing?
Novinson: I'm doing really well. Thank you so much here for the time. Why don't you start off by talking about an announcement you made in early November of some new data protection and recovery capabilities for S3? A two-part question for you to start with. First off, why did you decide to launch this? And then secondly, what are some of the biggest challenges around securing S3 buckets?
Kumar: Yeah, absolutely. As we all know, a lot of the application development is happening in the public cloud now. You know, there's been a huge transition of applications moving from data centers into the public cloud. And the foundation behind a lot of these applications has been S3, which was basically the first service launched by AWS more than 15 years ago at this point, if my memory serves right. But more and more, it went from being a dumping ground of data to becoming the data store for critical applications built in the public cloud, right? So much so that if you see a lot of the SaaS applications of today, they all, you know, have their data sitting in S3. And so as that has happened, I would say it has become a very important source of, you know, both deletions happening accidentally because of the amount of data sitting there, a place for attacks, because there's so much important data sitting there where bad actors can essentially go after S3 data, and also software bugs that could essentially create, you know, issues around the deletion of S3 data. So protecting and backing up that S3 data has become super important. And so to that effect, we were the first vendor and the pioneers in going and saying, "S3 backup and S3 data protection is needed." And we launched a service, you know, an extension to our existing platform to go and start backing up S3, about close to nine months to a year ago. More recently, we have enhanced that S3 backup and data protection with three big things, right? One is really reducing the frequency in which you can essentially go and back up your data. So essentially, every 15 minutes, you can essentially have a copy of the data so that you can restore to any point within the 15-minute intervals. That's number one. Number two, we have gone and drastically scaled the offering, and basically gone and said that we can do 50 billion objects in a bucket. And even with that kind of scale - which some enterprises do have already, and it's very easy to get to, you know, hundreds of millions and billions of objects in S3 - since the Clumio platform was natively built in the public cloud, for the first time, we can essentially go and protect any of that scale. So that was the second big announcement. And the third big announcement last month, or earlier this month, was really around recovery, because what is a backup without recovery, right? There's no point in backing up if you can't recover, and especially if you can't recover fast. And so as you go into S3 at that kind of scale, it becomes very important to go and recover fast. And sometimes you want to recover because, you know, you need to recover the data. And sometimes you want to recover because you need to test something out, or an application needs access to a part of the bucket and stuff like that. So to that effect, we announced what we call instant recovery, right? And so basically zero recovery time objective and essentially an ability to instantly recover any part of your S3 backup directly from Clumio. And that is huge. And it opens up a lot of new use cases for S3 backup.
Novinson: What are some of the key differences between recovering in a traditional IT on-premises environment versus attempting to recover in AWS and S3?
Kumar: Yeah, it's night and day, right? Because I think the big difference is, in the cloud, the scale at which you're dealing with things is very different. So that's number one, right? The level at which you're going and scaling and recovering is very different. Number two is really around the architecture. Because your on-premises environment is a lot more controlled. And, you know, you have control over how you recover and the cost structure and so on and so forth, right? In the cloud, if you don't do it the right way, sometimes these recoveries can be super expensive, which is where our ability to really target comes in - if I only want to recover a certain bucket, or within a bucket a certain prefix, because everything else sitting in the bucket could be logged data, whereas my application data was prefixed by a certain prefix, and only being able to go and recover that particular prefix and all the objects corresponding to that prefix, and figuring out which location I want to recover into, all of these things become much more important, because we did not have an S3-like thing that people would build applications on in the on-prem world.
Novinson: Interesting. And why don't you share a sense, in terms of the broader context, of where data protection and recovery fit into the overall S3 security posture? How significant are these pieces to the overall mission?
Kumar: Yeah, so I think this is where, if you think about it, as more and more data is landing on S3, what has happened is some of these things have become top of mind. Now, there are a lot of overall things that you have to think about in the S3 context. Obviously, we are an important piece of the puzzle in terms of going and recovering your data, because the cloud vendor tells you that the infrastructure resiliency and the security of the cloud is their responsibility, but the security of your data, and being able to back up and protect your data, is your responsibility. And so to that effect, what people have to think about, in the context of S3 specifically, is visibility into the data: really coming to know what data is leaving their environment, what data is staying, what data is getting deleted, is the right data getting deleted, or is there some rogue script or runaway script that's going and deleting the wrong set of data, and so on and so forth. So there are a lot of things to take into account, both in terms of data leaving the environment, like exfiltration-type solutions, and deletions, whether manually or by a script. All of these things are a holistic thing that people have to think about when they think about S3 backup and data protection.
Novinson: In terms of the public cloud providers, in recent years, we've seen them increasingly taking steps to offer their own security tools and products, particularly Microsoft, but some of the others as well. From the standpoint of a customer, why is it beneficial to engage with a third party like Clumio for security, rather than just purchasing some of these add-on security offerings that an AWS might offer?
Kumar: Yeah, there are multiple reasons. So, think about the Clumio offering. A lot of times, you know, customers actually want the data and the security to be outside of the security domain. So when somebody backs up with Clumio, they know for a fact that the data is leaving their environment and going into the Clumio service, which is a very good thing because now it's basically leaving their security domain into the Clumio security domain, so to speak. And there is no way for anybody - there's no delete button in our UI - so that you can go and essentially delete the backup, assuming you were to be hacked and stuff like that. If you built it yourself, at the end of the day, it's in your security domain. And if your primary gets compromised, the chances are very high that, you know, you could get compromised on your backup too, and that could be true for your own software having a bug and deletions happening. So it becomes extremely important to use a third-party service like ours to really have that benefit. That's number one. Number two is the focus, meaning while, you know, the cloud vendors and folks do build solutions, they are going extremely wide; they have to go and build everything from an AI/ML service to a security service to a backup service to a database service. And you name it, right? So it's extremely broad, this thing. So this is where you will see more and more, you know, ISPs - we're already seeing a lot of ISPs around; look at what Datadog does and what Snowflake does, what Confluent does and now what Clumio does. More and more ISPs are going and building a true enterprise-grade solution on the public cloud for that specific use case and delivering it in a multicloud offering over time. And so that is something that you'll continue to see. While there'll be solutions from the cloud vendors themselves, the best of breed, like it always happened on the on-prem side, is always going to come from an ISP vendor outside.
Novinson: So let's talk a little bit about that market landscape, the ISP landscape, so particularly when you're talking about AWS security or S3 security, if you're in a competitive bid scenario, who are you going up against the most frequently and what do you feel sets Clumio apart from some of your most frequent rivals?
Kumar: Yeah, our big advantage is we were natively built from day one, which basically, you know, gives us the ability to do these things, all the innovations we have come up with. Like, we were the first ones to do S3, we were the first ones to even come close to doing an instant recovery at the billions-of-objects scale, all of these things like the continuous backups that we just talked about. Everything that you see, we are the first. And the reason we are the first again and again is because architecture matters. And so, while there are a bunch of companies in the space, they were really, you know, born and built - and they're phenomenal companies - but they're all really born and built in the on-premises world. And so for them to go pivot to the cloud, the scale doesn't work, the cost structure doesn't work, the architecture, you know, is not optimized to work at the cloud scale and deliver a solution at the right cost. So there are so many limitations, right, for any other solution. Typically, the only competition that we face, generally, when we talk to a customer in the public cloud is the customer trying to basically, you know, do it themselves, because AWS is like a bunch of Lego blocks that I need to go and use to build my Lego. Whereas when Clumio comes in, we are essentially delivering the Lego to the customer. And, you know, delivering it obviously in an architecture that scales at the right price point. And obviously a solution that is naturally air-gapped, and so on and so forth. So do-it-yourself is typically the big competition. And that's not, you know, that's not unexpected, because before we existed, people were looking to solve this problem, and they were forced to kind of do it themselves.
Novinson: Interesting. I know we've talked quite a bit about data protection and recovery, the new capability you have. I wanted to talk about, kind of overall across the Clumio product portfolio, to get a better sense of what's been the fastest growing area of Clumio's business in 2022, and why?
Kumar: Yeah, for us, it has been around, you know - we obviously have a comprehensive service that, if you think about it, goes in and protects pretty much all services that matter on the AWS side: your EC2, EBS, RDS, Dynamo, you know, S3 and so on and so forth. So we basically cover your bases in the entire application. We have Microsoft 365 that we also protect, we also support VMware running on AWS, so it's a pretty broad offering, but our fastest growing is S3. Because, again, I think there was a lot of pent-up demand on the S3 side, and more and more, we're getting asked for a lot of newer things on the S3 side, because again, every cloud-native application has some element of S3 around it, if not all of it.
Novinson: Why don't you talk a little bit about the macroeconomic environment. In recent months, there have been increasing discussions about a slowdown due to rising interest rates, due to supply chain issues, due to inflation. And I was wondering how you are seeing that manifested at Clumio, either in terms of customer buying behavior, or in terms of actions you've taken at the company to adjust to this new reality?
Kumar: Yeah, I mean, I think there are definitely a bunch of uncertainties around this thing. Now, I think the good news, at least for a company like ours, is that at the end of the day, there is still a lot of movement to the public cloud. But now I think more and more, there is going to be a lot of optimization that needs to happen in the cloud, because people are looking at what the budget looks like for the next year, and they're looking at the costs and looking at the revenue. And so obviously, there's a lot of belt tightening that is happening. So for us, at least from a customer-facing perspective, it's been great, because one of the things we also do is we give the right visibility to the customer, and we help them in terms of the costs, the AWS costs, specifically on the protection side, which again, ultimately, helps in their overall costs and visibility. So that part of the message for us actually has been very synergistic in terms of what the next 12 months look like. Having said that, obviously, I think it really matters in terms of the initiative the customer has at the end of the day. And more and more, at least we see that even though there is a lot of tightening happening, the right areas do get the investments. So for us, it's really about going and attaching ourselves to the digitization initiatives, which ultimately, you know, move the customers forward. So we're seeing more and more of that, and it's not really impacting us from that perspective. But having said that, we're also very cautious as we get into 2023.
Novinson: Let me ask you here, finally: I'll ask you to gaze into your crystal ball and take a look ahead to 2023. What are your customers or prospects watching for at Clumio? What are the biggest things you're hoping to invest in or work on in the year ahead?
Kumar: Yeah, I mean, for us, we're just getting started with this whole thing. If you think about it, it's all about the data, right? Everybody knows that. And we are in the business today of going and backing up and protecting the data of the customer across all of their services. There's still a lot more to go in terms of where the data resides for the customer. So Clumio's innovation and roadmap is really aligned to, I would say, three fundamental pillars. Number one is going and expanding, right, in terms of all of the avenues that the customer data is in. Number two is going and building deeper innovation, like we talked about with the instant recovery piece, which really enables a bunch of other use cases. So going deep on the innovation side in the data. And number three is essentially going and deriving more value from the data of the customer. So there are a lot of vectors in which you can expect a ton of innovation to come out from Clumio.
Novinson: So it will definitely be interesting to watch. Poojan, thank you so much here for the time.
Kumar: Thank you, Michael. Really appreciate the time. You're very welcome.
Novinson: We've been speaking with Poojan Kumar. He is the co-founder and CEO of Clumio. For Information Security Media Group, this is Michael Novinson. Have a nice day.