Earlier this year we penned our thesis on the cloud-native security stack. Core to our outlook is the idea that security is undergoing a massive transition in which security software is evolving from individual, point products into full-fledged security platforms that map to the broader software-development process. Fundamentally, software development consists of infrastructure, applications, people and data. We believe security software will ultimately be governed by these same four mega categories: infrastructure, identity, applications and data.
The shift to the cloud is upending the compute model from one that is resource/application-centric to one that is data-centric. Cloud platforms like AWS, Azure and Google have abstracted away the need to manage databases, compute resources and networks for where applications run. Similarly, managed datastores like Snowflake, Databricks* and MongoDB have unleashed the ability for enterprises to operationalize data in applications or for internal use cases. The adoption of public cloud services has surged over the past few years, with spending on public cloud infrastructure at $143 billion growing 41% Y/Y, according to Gartner. As such, the need to secure data across heterogeneous environments is becoming a critical pillar of security programs as data becomes the core differentiating resource among enterprises.
This increase in adoption of cloud infrastructure has led to a drastic increase in data-asset volumes and a loss in visibility and control into where data is stored in the cloud. Developers, business users and DevOps professionals can self-provision cloud services and easily spin up new datastores, or copy existing databases, and utilize them for a wide array of business use cases in test and production environments. But this leaves security and data teams without an ability to keep an updated inventory list of an organization’s data assets and can lead to failure to enforce adequate security policies and controls.
While an explosion of data volume and variety has resulted in organizations becoming more data driven, a growing number of high-profile data breaches and the emergence of complex government regulations, such as GDPR and CCPA, have made data security a top priority for organizations that operate in multi-cloud environments. A recent survey from IDC found that 98% of organizations they queried reported at least one cloud data breach in the past 18 months.
Deleting personal or sensitive data and enforcing data-loss prevention (DLP) policies simply does not cut it anymore. Enterprises need a holistic view of their data assets across cloud resources (where data resides); users/identities (what data people are accessing); and apps (where data is running). From here, they need the flexibility to take action on these findings given the context of data usage.
Founded in December 2020 by Ravi Ithal, co-founder and chief architect at Netskope, and Amer Deeba, a long-time executive at Qualys and Moogsoft with deep roots in scaling high-velocity, go-to-market teams, Normalyze is an agentless cloud data-security platform. The product gives users a full picture of their data stores, applications, identities, infrastructure, and how they are all connected. Core to the platform are its discovery and classification, detection, and remediation capabilities, which give DevOps and security engineers visibility into their data sprawl, the relationships between their infrastructure, applications, and users, and the automation capability to detect and remediate issues in real-time. By tying together these assets in a graph-powered platform, Normalyze is able to uniquely categorize risk based on relationships and allow DevSecOps teams to traverse attack paths to sensitive information.
Since its inception the company has assembled a team of 20+ engineers across the U.S. and India, and its product is already being deeply used by customers in production. Normalyze’s time-to-value is an important driver of its rapid adoption over the past several months, and we believe the team has built the only data-security platform that has been architected to meet the needs of individual practitioners and teams alike.
At Battery, we get excited when founders and entrepreneurs approach complex problems with first-principles thinking, simplicity and clarity. Amer, Ravi and the rest of the Normalyze team bring a wealth of knowledge from their time spent at Netskope and Qualys and understand how to bring clarity to security’s most complex problem—data.
We have been fortunate to partner with category-defining data platforms like Databricks*, Matillion*, Streamsets*, InfluxData* and Collibra*, as well as security companies like Splunk*, Akamai*, Sumo Logic*, Bionic*, Contrast Security*, Styra* and Bridgecrew*–and now we’re excited to be a part of the journey for Normalyze to redefine data security for the cloud era.
Battery Ventures provides investment advisory services solely to privately offered funds. Battery Ventures neither solicits nor makes its services available to the public or other advisory clients. For more information about Battery Ventures’ potential financing capabilities for prospective portfolio companies, please refer to our website.
*Denotes a past or present Battery portfolio company. For a full list of all Battery investments, please click here. No assumptions should be made that any investments identified above were or will be profitable. It should not be assumed that recommendations in the future will be profitable or equal the performance of the companies identified above.
Content obtained from third-party sources, although believed to be reliable, has not been independently verified as to its accuracy or completeness and cannot be guaranteed. Battery Ventures has no obligation to update, modify or amend the content of this post nor notify its readers in the event that any information, opinion, projection, forecast or estimate included, changes or subsequently becomes inaccurate.