Editor’s note: The security layer has been a big impediment to enterprises adopting cloud and mobility technologies, especially highly regulated and sensitive enterprises. Startup Ionic Security’s platform touches data at its inception as it’s being created, which gives enterprise business policy owners and security group managers the ability to control that data no matter where it ends up anywhere in the world, in real time, as it’s being accessed. Founder, CTO and chairman Adam Ghetti explains how this cutting-edge security solution works and the path of its development.
SandHill.com: Let’s talk about your product, which you promote as a one-stop solution for cloud and mobility. How can it be a one-stop solution when enterprises are using a provider like AWS, which would control the security?
Adam Ghetti: That’s the model that currently exists, and that’s the model that we absolutely disrupt. Right now as a consumer or an organization consuming a third-party technology, you cede your security mechanisms to that third party. Once the data leaves the devices that are under your control, you give up your security posture to infrastructure and application stacks that you don’t control. You’ve given up your security posture.
At Ionic we touch the data before it leaves the devices that are under your control so that no matter where it ends up, when it does end up there, that data is now in a protected format. Then we take it a few steps further and uniquely protect that data so that every time it is accessed or attempted to be accessed by any user or any device, it has to call back home inside your enterprise infrastructure to get rights in real time.
Yet because we touch the data at its inception as it’s being created, it gives enterprise business policy owners and security group managers the ability to control that data no matter where it ends up anywhere in the world, in real time, as it’s being accessed. So whether it’s cloud or mobile computing is really not of concern to Ionic. We touch the data, so it doesn’t matter where it ends up. We provide this independent security layer at the earliest part of the life cycle of data being created.
All the security posturing of old was about securing the network, device, or app because securing the data was too complex with the old crypto architectures. We’ve inverted the architecture in such a way that it’s now easier to secure the data than it is to secure the app, network or device. And that has been the disruptive, groundbreaking portion of the Ionic platform.
We see every transaction by every user on every device 100 percent of the time. So we can give our customers ground-truth knowledge to define their organization’s business security policy.
SandHill.com: How does it affect the end user experience?
Adam Ghetti: We’ve built it in a way that is 100 percent autonomous. So the end users don’t change their workflow. They use the applications, devices, technologies and Internet connections they were using before. They don’t reroute their workflow; the data doesn’t route through some proxy or firewall or gateway.
SandHill.com: It is on premises, or SaaS or cloud? What is the model and pricing?
Adam Ghetti: We deploy on premises. It’s a client-server architecture. There’s a set of infrastructure that an organization spins up that manages all of the moving components of the Ionic platform, and that’s inside the enterprise. Then we have lightweight thin-client agents that sit on all the major devices (Windows, Mac, iOS, Android), but they run silently in the background and don’t get in the way of users’ workflow. And that’s it.
Our current model is simple. We charge per user per application per month. Depending on the application and the volume of applications, our pricing becomes negotiated at that point.
SandHill.com: What is the time frame for deployment?
Adam Ghetti: I’ll give you an example. We have a large government customer and normally that is one of the most challenging and longer sales cycles for enterprise software; some of those sales cycles can range into years. From introduction of our product to closing and funding of a seven-figure deal with this customer, it took 47 days.
SandHill.com: What was your original vision? Did you start out with the intent to become a one-stop shop for mobile and cloud security?
Adam Ghetti: No. Ionic Security was a personal project of mine back in 2010. It evolved to where it is today. My original intent was to provide content creators with the ability to control the content they create, whether it be information about where you are in the world, information about communications between you and your friends, or content you create such as photos and videos and control it, no matter where it ends up — in the cloud, on a mobile device, or inside your home computer. Our vision early on was just to put content creators back in control of their data in a world where they normally don’t own the infrastructure.
That was consumer oriented. When the project started getting legs, we called it Social Fortress. Aptly named, it was designed to give control of your data you shared with social media outlets.
SandHill.com: When and why did you switch from the consumer focus?
Adam Ghetti: The pivotal moment was when I reached out to several individuals that I had known for some time in my personal and professional life who had deep enterprise information security backgrounds from Lockheed Martin to the founder and CTO of one of the largest information security companies ever built. I reached out to both of them early on to show them our technology just to get feedback on general security.
They very quickly noticed the value it had if applied to large enterprises. So for several months we explored both consumer and enterprise applications. The net result of that was the consumer market, although it would significantly benefit from our solution, was not yet ready in mass to adopt technology to control their data. Significant education still needed to take place to bring the majority of the consumer market up to speed.
But the enterprises had had the problems at a large scale for such a long period of time and were being forced into cloud and mobility due to various factors (cost-cutting measures, partners using different technologies, being competitive, etc.). So their pain point of trying to solve their data security problem was getting bigger every day. That meant their budget for a solution already existed and their education barrier was low.
So we started meeting with Fortune 500 C-level executives in 2011, showing them our consumer-focused technology. We went in with a consumer pitch and asked what was missing to be useful to their enterprise. We took those core directional ideas and asked, “Here’s where we are and here’s where we think we can go with this; what are your thoughts?” Then we took their feedback based on their unique ecosystems and their next two- or three-year plan. That is what we used to help shape our product to where it is today.
And 100 percent of the meetings ended up with: “We want to try it out now.” That spoke volumes to us about the opportunity to help larger organizations sooner than we thought we could. And that gave us at the startup phase, when it was just two of us, the pivotal proverbial fork in the road: do we focus on consumers or do we focus on enterprises?
We decided to build a platform stack capable of solving enterprises’ massive problems in an efficient way. We knew that once that platform was in place, we could use it as a foundation and then go back out and have a stronger position to help onboard the consumer market.
SandHill.com: Have you used social media yet for marketing?
Adam Ghetti: The information security space and cybersecurity for highly regulated enterprises is the least apt to use social media. So we have not used social media to attempt to reach out to customers.
But we have engaged on social media for thought leadership. There are two key architectures that people are trying to push to solve the enterprise cloud and mobility security solutions. One is an architecture that says let’s take all the traffic coming from all the devices, route them through some sort of fancy firewall and choke it all down to a small enough point that we can look at it and then interrogate it and do security at the edge. But that has limitations:
- It impedes the mobility of and value of the cloud and mobile computing because now all the data is coming back to the enterprise in both directions 100 percent of the time.
- You’re only able to interrogate the information that is coming through that gateway, which means you have to continuously redefine what the perimeter is and continuously redefine how you get traffic to go from a device to that particular choke point.
- Most importantly in our opinion, once you’ve done that, once the data has passed through that particular choke point and left, you have no more visibility and control over it.
The most sophisticated enterprises and government organizations have all agreed with us on our architecture, which is that you can’t try to control the flow of the data anymore. The perimeter is no longer definable. It’s constantly changing shape, constantly changing size and constantly changing posture. So stop trying to circle it up with some fancy wall and trying to interrogate what’s going in and out of the boundary. It’s a losing battle.
In contrast, our architecture gets into the data-creation flow at its earliest stage so that no matter where the data ends up and no matter how it gets there, the only way it gets back into a format that is useful to somebody is that it talks back home to get rights in real time and has situational awareness associated with that.
We’ve used social media outlets to bring light to the issues that the architectures are running into and how we’re able to differentiate ourselves.
SandHill.com: Where do you think your company will be relative to progress in two years from now?
Adam Ghetti: Two years from now, Ionic will be a fundamental security layer for infrastructure. You won’t think of our company as providing a piece of software; you’ll think of our company as one that is fundamentally part of the core operating stack of any application that requires data security.
That means you’ll see us integrated into large applications, and we’ll have a vibrant developer ecosystem around our core architecture.
SandHill.com: Is there something that you personally would change about the software industry if you could?
Adam Ghetti: I think that the industry as a whole doesn’t do a good enough job of showing how important is to have knowledge of computer science. I think that is a problem at the university level and at the K-12 level.
Kids are going to go into university and into some program that may not have anything to do with computer science and will have then spent 18-22 years of their life and have no knowledge of how computer systems work; but computers will be the most critical part of their job on a day-to-day basis and they are absolutely going to become the most dependent generation ever. I find that to be somewhat troubling. I think our industry needs to do a better job of fixing that problem and stop just hoping the educational system will make some changes.
SandHill.com: Do you have advice for enterprise buyers or for software entrepreneurs?
Adam Ghetti: I would challenge anybody not to take “innovation” from a vendor (Ionic included) at face value. If somebody shows you something and says it’s state of the art, take the time to actually look at what that really means for the problem you’re trying to solve.
A lot of people get caught up in vendor hype and lose sight of the real problem they are trying to solve; so they end up making tactical decisions that impact long-term strategic flexibility.
We see startup entrepreneurs do that all the time with the way they choose to build their technologies in the stacks they choose to implement them on, and we see it in the way senior executives at large organizations procure technology.
Until you cycle out an entire generation of individuals within a particular role, you don’t get to re-evaluate the strategic decisions for what you’re doing and you end up making a lot of tactical decisions that, together, are a bad strategy. I challenge everybody to truly evaluate the next decision they are going to make, to make sure they think about it both tactically and strategically.
Adam Ghetti is founder, CTO and chairman of Ionic Security. He founded Ionic Security (previously Social Fortress) to address cloud data control and protection. Building technology-centric companies since age 12, Adam is one of Atlanta’s youngest and most promising tech entrepreneurs. An expert in complex systems and complex tasks automation, Adam has a deep, applied knowledge of application, network and data security and has spent the last 14 years building large-scale systems in Internet-related verticals.
Kathleen Goolsby is managing editor of SandHill.com.