Google has its own two-factor authentication (2FA), so why is its venture arm investing in a company that sells 2FA services?
Because, it turns out, enterprise security is a really big deal, according to Google Ventures partner Karim Faris. Faris has been hammering this enterprise security theme for several years now, leading Google to invest in ThreatStream, Ionic Security, Shape Security, and Duo Security, a 2FA company that now has over 5,000 customers, including Box, Facebook, NASA, Toyota, and Twitter.
This focus on security—particularly things like 2FA that make it somewhat simple for end-users—is critical. (2FA typically requires a user to log in with both a password and a secondary authorization code, often delivered via text message or a small electronic gadget.) Studies, like this one from Aruba Networks, keep showing that enterprise users mostly don’t care about securing enterprise data.
Just a few short years ago, Google Inc. had zero interest in the enterprise, but it now factors heavily in enterprise discussions around cloud, apps, storage, and more. So on the eve of Duo Security’s $30 million Series C raise, led by Redpoint Ventures and joined by Google Ventures, I talked with Faris about Google’s interest in enterprise security.
More Cybercrime, More Cybersecurity
ReadWrite: Google Ventures’ interest in enterprise security startups seems to have grown. What is changing in the market to make info security more attractive to you now?
Faris: We look to invest in companies that are working on innovative ways to tackle security challenges, while optimizing usability. In addition to Duo, we’ve invested in companies like ThreatStream, Ionic Security, Shape Security, and Synack.
Security has always been an important topic and has garnered increasing attention as more vectors of attack materialize that cybercriminals can exploit. We used to be able to protect companies by having a hard perimeter around physical networks that was protected by traditional defenses like firewalls. But you can no longer solely rely on that with the rise of cloud and mobility services, as well as people bringing in their own devices.
That additional exposure makes enterprises more vulnerable and is fueling the need for new security innovation, which creates investment opportunity.
RW: What did you like about Duo Security?
KF: We liked a lot of things: the strength of the team, the passion of their rapidly growing user base, and the depth of the technology. Two-factor authentication gets you a lot of bang for the security buck and is something everyone should consider. If you have a fortress to keep safe, the first thing you do is protect the gates. Duo makes it incredibly easy to deploy and use. They started by guarding the gates, and now they are building a moat.
RW: You mentioned that in your original due diligence process you discovered many companies were adopting Duo and, by extension, 2FA. Why is 2FA so important to enforcing enterprise security?
KF: Enterprises historically have always had to find the right balance between adequate protection and usability. If the CISO wanted to enforce security policies, that often came at the expense of a poor user experience and meaningful workflow disruption, which directly impacted productivity.
In the case of two-factor authentication, hard or soft token implementations have not attracted many fans, whether it’s the idea of carrying another piece of plastic on your keychain or entering a one-time password every time you log in. Duo figured out how to make that process seamless and more secure at the same time, while reducing the operational load on the enterprise. That led to impressive user adoption.
RW: You said Duo started by protecting the gate of the fortress. How is this best done?
KF: To be effective, you need to let IT teams easily define rules on who can access what applications and automate the enforcement of these rules. Doing so enables real-time detection and prevention of potentially malicious attempts to access applications from anywhere, whether they are on premise or in the cloud.
One reason I like Duo is that it analyzes the context of a user’s behavior, location, security health of the device and the reputation of the IP address in real time to enforce these rules. This allows more effective security without inconveniencing users.
This is critical. CISOs get insight into the security health of endpoints like Macs, Windows PCs, iOS and Android devices, without installing agents. They can identify users with devices that are out of compliance with policy and enforce restrictions on how these devices are used at work, keeping an enterprise current and safe.