Anneka Gupta, chief product officer at Rubrik, says there are three pillars of data protection - data resilience, data observability and data recovery - and all three must be built on the zero trust principle of "trust no one."
"Part of zero trust principles is making sure that you’re giving the least privileged access. The more people that have access to your data, the more vulnerabilities you're potentially introducing into your system," she says.
To fight ransomware, Gupta says, "We're putting in controls like immutability. Once data is written, you can't change it. That means if an attacker comes in and gets access to your backup data, they're not going to be able to change anything and mess around with anything."
In this episode of "Cybersecurity Unplugged," Gupta also discusses:
- The "two-person rule" for identity proofing;
- Her career journey;
- Rubrik's Security Cloud product.
Prior to her role at Rubrik, Gupta built LiveRamp - a subscription business with $450 billion in revenue and 1,400 global employees - from scratch before exiting the company in July 2021. She is a math and computational sciences lecturer at the Stanford Graduate School of Business.
This episode has been automatically transcribed by AI; please excuse any typos or grammatical errors.
Steve King 00:13
Good day everyone. I’m Steve King, the director of cybersecurity advisory services here at CyberTheory. Today’s episode will explore the relationship between securing data and securing the enterprise. With me to explore this topic is a woman who knows this space cold and is the chief product officer for Rubrik, a market leader in its category. I say that because obviously Rubrik is so much more than a legacy backup company; it is on its way to being a zero trust transformation company, and Anneka will help us understand where they are on that journey. She’s a well-known senior executive leader with a proven track record of scaling highly successful B2B enterprise Software-as-a-Service businesses, developing customer-centric product strategy and execution, and consistently hitting revenue growth and margin objectives. She’s got a treasure chest of awards and recognitions, and I’m not going to recite them all; we’d be here all day. But among them are San Francisco Business Times Most Influential Women in Business for 2021, 40 Under 40 leader for 2021, the Rising Stars Leadership Award for under 40, and top 10 Digital Marketing Innovator from Ad Age, of all people. But more importantly, Anneka built LiveRamp from scratch, a subscription business with 450 million in revenue and 1,400 global employees, before exiting in July 2021. Attention young techies: if you’re looking for a young, smart, hardworking role model, you need look no further than Anneka, a fellow math junkie who earned her undergrad from Stanford in math and computational sciences and teaches in the Stanford Graduate School of Business. So, Anneka, welcome to the show. And thanks for joining me today.

Anneka Gupta
Thanks so much for having me. It’s great to be here.

Steve King
Great. So let’s dive in. Your outbound marketing messaging suggests that you have embedded the five principles of zero trust security into your approach. Can you describe for me and our audience how you go about securing the SaaS elements, in particular applications and data?

Anneka Gupta
Yeah, absolutely. So, you know, one of the things that we’ve seen here at Rubrik with our customers is that the world’s largest enterprises are seeing a remarkable shift in how they think about security, and how they think about security at the point of data. So historically, the world of the CIO and the world of the security professionals and CISOs, you know, they collaborated, but they didn’t have as many interaction points. And what we’ve seen in the past couple of years, especially with the rise of ransomware attacks, is that the security teams and the CISOs are now coming to the IT teams and saying, hey, how do we make sure that our data is protected in the enterprise? How do we make sure that in the case of a ransomware attack, we can actually recover and get our business up and running? And this has become an even more critical issue in this day and age, because as we all know, data has become the lifeblood of the enterprise. And so here at Rubrik, what we’ve been focused on is figuring out how do we secure the data? How do we approach this data security landscape, recognizing that this is where zero trust comes in, where we know that attackers are going to get into the system? If someone wants to get into your system, you can put up a lot of barriers, but people will find a way, and once they find a way in, how do we make sure that the data is always protected? And for us that comes down to focusing on three different pillars. First is data resilience: how do we make sure that data is always available, and you’re always going to have a copy of your data that you can recover to? And how do we embed zero trust principles into that piece around data resilience? The second piece we have is data observability.
How do you make sure you can monitor the risks on your data and remediate those risks even before you have an attack happen? And then after an attack happened, how do you make sure that you can do all the forensics and understanding that you need in order to truly make sure that your data is protected for the future? And then the third is data recovery. So how do we make sure that you are able to recover your data very quickly in the case of an attack?

Anneka Gupta 05:00
So all three of these pillars, data resilience, data observability and data recovery, are built on that zero trust principle of, say, trust no one, trust no device, trust no user. How do you give people as minimal access as possible? And then how do you make sure that your data can work for you to protect you and your enterprise against cyber threats?

Steve King
And can you drill down into any one of those three areas and tell us exactly, sort of, how you go about doing it?

Anneka Gupta
Yeah, sure. So in the data resilience pillar, for instance, which is really the place where Rubrik has spent many years developing technology, we focus on a couple of different things. One is thinking about user access, right. So part of zero trust principles is making sure that you’re giving the least privileged access. So you know that the more people that have access to your data, the more vulnerabilities you’re potentially introducing into your system. And at every user access point that we provide into your copies of the data, your backup copies, so that you can actually make sure you have a copy to recover to, we’re requiring mandatory multi-factor authentication. We’re advising our customers on least privilege access, really limiting the number of admins you have available to access that data. And then we’re putting in controls like immutability: once data is written, you can’t change it. That means if an attacker even comes in and gets access to your backup data, they’re not going to be able to come in and change anything and mess around with anything; once it’s written, you can’t change it. We’re doing things like retention locks, so that when you set a policy for how long your data is going to stay in the archives, or in your backup copies, you can’t go back and change that policy and say, hey, my policy used to be three months, and now I’m going to make it one day. We put controls in around that. We’re doing things around enabling you to make sure that there’s a logical air gap.
So there’s a very clear partition between your backup data and your primary data sets. So again, you always have a copy of your data to recover to. And then we’re experimenting with other more intelligent capabilities, where we’re saying, hey, can we offer a recycle bin where, even if you say, hey, I want to delete some data, we’re keeping a copy of that data so that you can go back and rewind the clock. So all of these capabilities we’re putting together make sure, like, hey, you always, always, always will have a copy of your data to recover to. And we’ve seen this work in practice. Every week, we’re getting customers that get hit with ransomware attacks, and we’ve been able to help them recover every single time.

Steve King
Yeah, because what you described initially seems pretty restrictive to me. If I changed the retention period for my backup data to 30 days, or 90 days, or what have you, and I can’t change it again, what if I got it wrong the first time and I go back and I want to correct that? There must be a path for doing that. Is that not the case?

Anneka Gupta
There is a path for doing it. But we put in place a lot of controls, and we’ll work with organizations to set up their policies. But if you do something like, hey, I have 30 days, and I want to go change it to one day, we’ll actually, you know, force you to talk to the customer support team to make sure that that’s actually what you want to do. We don’t do that in all cases. But certainly when there’s something egregious, we’re like, well, this looks like a red flag. Maybe you didn’t mean to do this, maybe it was accidental, or maybe you have malicious activity happening. We’ll put in place those checks and balances.

Steve King
Okay, so you don’t insert some AI level of technology there. You branch immediately to the human factor and get actual people involved in screening me when I, you know, request a change at that level?

Anneka Gupta
Exactly. The intelligence, some of the intelligence comes in around, like, when do you call that screen up? But yeah, over time, I think we’ll put in place even more machine learning and algorithms around that. But today, we want to put into place some simple protections to make sure that people aren’t doing anything that they don’t mean to be doing in their system with their data. And certainly we’re protecting against any malicious use cases.

Steve King
Yeah, sure. Well, identity is like a big deal, right? I mean, identity proofing. We’re pretty good at authentication. We’re just not very good at proofing, still, these days.

Anneka Gupta
So yeah, a lot of our customers are taking advantage of a capability that we’ve put in. We call it the two-person rule. So you need two people to actually sign off within your organization before certain kinds of changes, destructive activities, can happen. So that’s another control that we have in place that our customers are using to help with that authentication and make sure that the right people are doing the right things in our system with their data.

Steve King
How do you know that it’s actually me, or the other cohort?

Anneka Gupta
That’s where, so one is, we have to work with our customers to set up who those actual users are, to make sure that we’re talking through the different things to consider when choosing who’s going to be part of your two-person rule. And then the second piece is multi-factor authentication, making sure that we’re not just using an easy access ID, but you’re using, like, one-time passwords and multi-factor authentication to get into the system. And multi-factor authentication isn’t foolproof, but it certainly creates a big barrier to entry. And there’s a ton of innovation happening in that area, you know, adding biometrics and other things.
So as our customers are implementing those kinds of systems, we’re integrating with that and offering our own capabilities to make sure that every single authentication into Rubrik is multi-factor authentication.

Steve King
Okay, fair enough. Let me give you a little whiplash here. I want to ask you about LiveRamp. You spent several years essentially building a business from scratch as part of that team, and then ultimately ended up running much of the company. And it got to that 450 million revenue, which is a big deal. And you were very young at the time. Can you sort of give our audience a glimpse into how that happened, and what your various roles were, starting with your initial assignment there?

Anneka Gupta
Yeah, sure. I mean, I feel really lucky about and grateful for the experience that I had at LiveRamp and the way that it really launched my career, from right after college all the way up till today. So when I joined LiveRamp, it was a 20-person startup. We were experimenting with many products at the intersection of data, technology and marketing. And I started as a software engineer on the team. And basically, as we found product-market fit, and this is where the luck came in, the company ended up being a rocket ship. And really, my career took off because of that. I was able to grow within a growing company; I was able to take on more responsibilities. And I had to put in a lot of effort day in and day out to continue to reinvent myself in order to take on those responsibilities. So I was a software engineer, I became our first product manager, I led marketing and recruiting during our early growth days, and then I led product for the majority of the time that I was there. And over time I took on more; by the time I left, I was president, overseeing all product, engineering, customer support and our security teams as well, which is what got me excited about data security and Rubrik when I decided to leave. But it was an incredible journey. I never would have thought when I joined the company 12 years ago that I would have stayed there for 11 years. But I kept getting offered these new opportunities to help grow the company, help take it in new directions, and really ended up in a place where I was able to drive the strategy, drive the operations, and really successfully take a company from zero to one, building our first initial product that got really strong product-market fit, and then being able to scale from a one-product company to a multi-product portfolio where we were providing marketing technology to the world’s largest enterprises globally.

Steve King
Yeah, you named some very popular business books written by VCs as part of this conversation. It’s interesting. What was that magic PMF that you found early on? What was the product that really rang the market bell?

Anneka Gupta
Yeah, so what we discovered early on is that data was really important for marketing organizations in order to understand who their customers were, and how to best interact with and personalize experiences for customers. And when LiveRamp started, it was in the very early days of digital marketing. So there were a lot of very sophisticated tools, technology and data that were being used to, for instance, determine what kinds of coupons or magazines to send you in the mail, or what kind of emails to send you that are going to be relevant based on your previous purchase behavior, or things like that. And that rich set of data assets was not yet being used in the digital marketing ecosystem, because it was still really early days.
So LiveRamp’s initial product was about how do you take these rich assets that have been used in traditional marketing channels, and help bridge that into the digital marketing world. And we started building products there, and this was really during the time when digital marketing and the advertising ecosystem online started to really take off. And there was such a hunger for data that we ended up really having a product that was in the right place at the right time to help organizations that were making this transition, that were going through their own digital marketing transformation, leverage all of their data assets online and be able to personalize experiences on their website, and within the advertising ecosystem.

Steve King
Yeah, it’s a great story. And I know that a lot of our audience are young folks, and you know, we have an education initiative here at ISMG as well, called CyberEd.io, that we’re launching. And we’ve got a lot of folks that are trying to figure out how to launch their careers in cybersecurity. So it’s always fascinating to talk to someone like yourself, who managed to latch on to a wave like this one, and hit one out so early. So appreciate that.

Anneka Gupta
Thanks.

Steve King
Jumping back to today’s world, you know, data storage is an industry all by itself. Yet any industry whose leaders push the responsibility for security back on its customers, in my mind, is immature. And public cloud providers claim responsibility for the protection and availability of the cloud, yet it’s still a customer’s responsibility to protect the resources in the cloud. It’s further complicated by the fact that the solution tools that public providers offer are also very different from each other. And that creates what I think is an enormous complexity on top of an already enormous complexity. How does Rubrik handle the management of all that interaction? That would be my number one, if I were a buyer of yours; I’d want to know how you’re going to help me do that, because that’s a very difficult situation.

Anneka Gupta
Yeah, you bring up such a great point. One of the biggest reasons that our customers come to Rubrik today is the sheer amount of complexity that they’re having to manage. Because most of our customers have data that’s sitting within one or more data centers, data that’s sitting in one or more public clouds, data that’s sitting in one or more SaaS applications. And they’re looking at the surface area, this increasingly expansive surface area of data, and saying, how am I possibly going to secure this data across all of these different surface areas, with all of the different configurations and technologies that I’m using? What is that really going to look like? And that’s really where Rubrik shines. We’ve built a product, a single product, we call it Rubrik Security Cloud, that is one interface for being able to touch and manage all of that data. Now, on the back end, we have to manage a lot of the complexity of hooking into all of these different data assets, understanding the underlying data, understanding the interaction and interface between the applications that companies are building and their data. But then our goal is to provide as simple an interface as possible for our customers to come in and truly be able to build data resilience and execute on that within their system, be able to understand the risk to their data through our data observability capabilities, and then be able to recover in the case of any kind of operational or cyber downtime when they need to, and doing that across their full surface area of data. So that’s something that when I first saw the Rubrik product, a little over a year ago, I was really impressed with: the simplicity that we were able to bring to customers even then.
And over the past year, we’ve done even more to unify our products and unify the experience, such that truly any enterprise can come in and have a one-stop shop for being able to manage all of that data.

Steve King
Is it fair to say, then, that you have sort of a private cloud front end that manages all of that downstream complexity of private, public, hybrid and edge computing on the back end?

Anneka Gupta
So the way that we do it is that we have a single control plane that manages that. That’s how our customers access and manage the data. And then that control plane is hooked into all of the different data sources that our customers have within their enterprise. So that could be within their data centers. That could be their multiple different types of cloud environments. That could be their SaaS tools. And so we’re hooked in to all of those different data sources, and then we’re surfacing the actual management of that data in one customer experience, in one control plane.

Steve King 20:00
Okay, fair enough. Yeah. A lot of your messaging is kind of focused around innovation and, you know, obviously ransomware and threat intelligence, etc. Although when folks look at Rubrik, they might say you’re simply a data backup company trying to look like something else. What is it about your product specifically that sets you apart from other legacy data backup and recovery companies, like the Veeams and Cohesitys and Acronises?

Anneka Gupta
Yeah, so I mean, one of the things that really set up Rubrik from day one is that Rubrik was only started about eight years ago. And so, from day one, we architected security directly into the way we created our data resilience capabilities. And what that meant is that we took a software-first approach; we built native immutability directly into the software that we’re creating. And our entire architecture is built on that foundation. And so when you look at Rubrik compared to other data protection companies, or legacy backup and recovery companies, we are architected in a completely different way that provides a ton of value when we think about zero trust, data security, and what it really takes to provide cyber resilience and data resilience to enterprises. And then on top of that, in the past four or five years, as ransomware has become a much bigger challenge for organizations, we not only have that secure architecture, which is our foundation, we’ve built a variety of different applications on top of that to help our customers answer critical questions like: if you got hit by a ransomware attack, what was the blast radius of the attack? What data actually got compromised in that attack? In that data, was there any sensitive data that potentially could have been exfiltrated as well? How do you come up with a clean copy of the data to recover to? And then how do you actually execute those recovery operations as quickly as possible, so that you can get your business up and running in hours and days instead of weeks and months, which is what organizations are often led to?
So the combination of our core architecture being software-driven and security-focused, and all of these capabilities that we’ve built on top, have truly, not just from a marketing perspective but from a product perspective, launched Rubrik into the data security sphere. And what we’re seeing now is that when we’re going out and selling to our customers, the security teams are part of the conversation. And so it’s become very real, because security is very interested in what we’re doing. And in the future, we have a lot of ideas about ways we’re going to continue to expand and solve even greater security challenges around the data for the world’s largest enterprises.

Steve King
So your ideal customer profile is the CISO, in addition to the CIO, or a combination, or influencers in both organizations? What does that look like?

Anneka Gupta
Yeah, I think today we primarily sell into the CIO, with the CISO being a heavy influencer, and oftentimes actually accelerating our deal cycles, because they’re really interested in the ransomware recovery piece of what we’re able to offer. And then over time, and we’re already starting to see it with some of the new capabilities that we’ve built, we anticipate that we’re gonna make a bigger shift into CISOs being primary buyers of our product.
Steve King 23:24
And from a financial infrastructure point of view, can you kind of give us some specifics about funding, and where you stand relative to your investment cycle and so forth?

Anneka Gupta
Sure. We’re a late-stage private company. And so, you know, our goal as a company is, we want to build for the long term. We want to be a public company, but we’re not, you know, we’re not rushing into that. We’ve had amazing funding to date from some top VCs like Lightspeed and Bain and Greylock, who’ve been wonderful partners to us over the years. Our last round was back in 2019. But we’ve been accelerating our growth and building, and we’re continuing to execute on that. And I think we’re really excited about the future. I think we have a great company that’s built sustainably, so that we can continue to grow without having to put in lots and lots of new dollars in order to continue to scale our revenue and scale the business.

Steve King
Yeah. And since you’ve been there, have you raised a round?

Anneka Gupta
No.

Steve King 24:31
Okay. So these aren’t investors that, for example, you worked with at LiveRamp? Greylock and Bain and Lightspeed, they’re not, they were not investors?
Anneka Gupta 24:44
Because LiveRamp was a public company for the last three and a half years that I was with the company, you know, at that point most of our investors were the big kind of investors.

Steve King 24:54
Yeah, sure. Sure. Public company investors. Sure. So I’m looking at the clock here, and I’m conscious of the fact that we’re nearing the end of our 30-minute window. But final question then. If we switch to our marketing audience here, from a marketing point of view, what specific campaigns do you have planned over the next 12 months that will lead you to a category-dominant position in the space? I assume that’s what you want to be.
Anneka Gupta 25:26
Absolutely. We’re very focused on, this week we have our annual customer event, which for the first time in two years we’re doing in person. And we’re doing a really big launch around Rubrik Security Cloud, which is our new packaging, the umbrella packaging for our data security platform that’s helping organizations solve for data resiliency, data observability and data recovery. So we’re making a lot of noise around that. We’ve done a lot in the last year. We announced a really big partnership with Microsoft; we’ve been doing a ton of work with Microsoft. We have a lot more exciting announcements that are going to be coming later this year on how we’re building zero trust data security hand in hand with Microsoft. And we have more to come in terms of how we’re bringing new security applications on top of the data to help customers understand the risk to their organizations, and really be able to help recover data very quickly and remediate their systems to reduce their overall data risk. And so we’re creating some really cool new products around that, that we’re going to be running campaigns around over the next six months, for the rest of the year.
Steve King 26:42
Yeah, that sounds exciting. Just curious, are you planning on being at the RSA Conference this year?
Anneka Gupta 26:49
We’re gonna have a presence there. I personally won’t be able to go to that, because I’m actually having my first baby in a couple of weeks. So yeah, but Rubrik certainly will have a presence there.
Steve King 27:03
Well, congratulations on that as well. So, managing to do not just multitasking at work, but multitasking in your life as well. So good job, Anneka.

Anneka Gupta
Thank you.

Steve King
Hey, look, I appreciate you taking the time today. I think this was valuable, at least from my point of view, and hopefully you got some opportunity to talk, certainly, about the company and your success there. And I know that our listening audience were able to grab value out of this as well. So I really appreciate you taking the time. And what I’d like to do is revisit this in another six to nine months, just to kind of see where you guys are at and what’s happened in the space, because it, as you pointed out earlier, is an evolving space within cybersecurity, for sure.
Anneka Gupta 27:55
I would love that. Thank you so much for having me.
Steve King 27:58
Great. I appreciate that. And best of luck with your new baby here.

Anneka Gupta
Thank you.

Steve King
So thank you to our audience as well for spending another 30 minutes with us here, and hopefully you guys all found this entertaining and valuable. And until next time, I’m your host, Steve King, signing off.