Decibel is announcing our investment in Cmd, a Vancouver-based cybersecurity company that provides modern access control and dynamic policy enforcement for fast moving software teams embracing the cloud. Their product deploys transparently and provides real-time control over who accesses critical workloads and which actions they are allowed to perform in production. Used by some of the largest companies with complex environments, Cmd makes it possible for developers to continue to execute with speed and agility. At the same time, Cmd gives executives the peace of mind that their production systems, both on-premise and in the cloud, are being proactively monitored for unusual or risky behavior.
Jon Oberheide, the co-founder and chief technology officer of Duo Security and advisor to Cmd, recently shared his thoughts on the company in this Q&A:
“Software is eating the world,” and companies of all shapes and sizes need to embrace technology to remain competitive in their industries. In the modern day, having an effective and efficient software delivery can be a competitive differentiator and determine whether you win or lose a market. The technological trends of cloud infrastructure and DevOps delivery have made it possible for software developers and organizations to move REALLY FAST, which can be great for the business and innovation. However, along with this speed needs to come security, safety, and the appropriate amount of risk mitigation.
Unfortunately, most historical security products are designed to slow down delivery and innovation and are not built for modern DevOps teams. Security teams need to deploy more advanced capabilities that can identify/mitigate risk but are also aligned with their new high-velocity delivery models and infrastructure. In today’s cloud environments, particularly on Linux systems which represent 97% of the market, organizations are still struggling to achieve basic security capabilities like knowing who has accessed which systems and what they did when they were logged in. This is a foundational area of security called privileged access management.
Duo made security transparent and easy and Cmd is taking a very similar approach. Duo provided the visibility and access control that security teams lost when their users went mobile and their apps went to the cloud. IT security teams didn’t want to slow down end users, but they did want to enforce a security policy when appropriate. Cmd has a similar market opportunity for software development teams–developers are moving with agility and speed in the cloud and IT security teams don’t want to slow them down. But they need to provide visibility and control for their infrastructure to mitigate risk and Cmd makes this possible by deploying easily and without changing developer behavior. Once in place, the system automatically highlights and identifies potentially malicious behavior–developers can drive as fast as they want, but have some guard rails in place so people don’t go off-roading! Sometimes even the simplest of controls can prevent even the most significant outages or breaches.
The first thing that stood out about Jake and Milun, the founders of Cmd, is that they had both worked in very large software development teams and faced the challenge of managing users and enforcing smart security policy across a distributed team. Jake was in charge of developer security at Hootsuite and Milun ran a very large team at CBS Interactive. They saw firsthand the problems of enforcing security in Linux cloud systems–developers rejected clunky, old products, leaving practitioners with a real lack of visibility and control. The solutions out there hadn't evolved with the times! This reminded me of the early days of Duo. Personally, I’ve wanted to mentor founders who have a deeply rooted passion for the problem they are trying to solve and these founders are unique in that they had seen all of the pain and are committed to building a simple solution.
Zero Trust shifts the idea of having “insiders and outsiders” to a model where you assume that any user or system could be compromised at any time. This has been one of the major security initiatives for Cisco and it is rapidly becoming the mainstream for organizations that want to have a more modern approach to cyber security. Authentication and access control are central pillars for how you establish trust in a Zero Trust world, but in cloud engineering there are additional challenges. Traditional access control is not quite enough as you need a system that moves as fast as development teams do, and is able to adapt without human intervention. This approach is more powerful than the alternative legacy model, which is to either highly restrict access based on old rules or enable unfettered access without any proactive controls.
I have been an early advisor to Decibel because of its unique focus on “founders helping founders” and the opportunity to get to work with companies like Cmd. I want to help other founders create the next generation of great companies to better serve and secure their customers. Cmd and Duo share a passion for making security easy and effective for our customers and end users. We learned a lot over the years building and scaling Duo, and can share those learnings with others who are paving new paths in the industry. Cmd is also a partner of Duo/Cisco, so we’ve already started helping secure customers together!