As cyberthreats continue to multiply, startups with tools to protect data are in high demand. But companies are now facing the growing complexity of managing security across their various data sources.
San Diego-based Ubiq Security believes APIs could play a key role in simplifying this task. The company hopes to encourage more developers and enterprises to build security directly into applications rather than looking for other services to plug the holes.
“How do you take the messy and complicated world of encryption and distill it down to a consumable, bite-sized chunk?” asked Ubiq CEO Wias Issa. “We built an entirely API-based platform that enables any developer of any skill set to be able to integrate encryption directly into an application without having any prior cryptography experience.”
Issa, a security veteran, said companies have generally focused on security for their data storage systems. When they start layering applications on top, many developers find they haven’t built security into those products. In addition, the underlying storage is becoming a thicket of legacy and cloud-based solutions.
“You could have an Oracle database, an SQL Server, AWS storage, and then a Snowflake data warehouse,” Issa said. “You’ve got to go buy five or six different tools to do encryption on each one of those because they’re all structured differently.”
Even when encryption is included in the application, it can be poorly designed. Issa said cryptographic errors have typically been among the top three vulnerabilities in software applications over the past decade.
“When you’re a developer in 2020, you’re expected to know multiple languages, do front end, back end, full-stack development,” Issa said. “And on top of that, someone comes along and says, ‘Hey, can you do cryptography?’ And so the developer thinks, ‘How do I just get past this so I can go back to building a fantastic product and focusing on my day job?’ So key management is an area where developers either don’t understand it or don’t want to deal with it because it’s so complicated and so burdensome and, frankly, it’s very expensive to do.”
To cut through those challenges, Ubiq’s API-based developer platform lets developers simply include three lines of code that make two API calls. By handling encryption at the application layer with an API, the security works across all underlying storage systems as well.
“The application will handle all the encryption and decryption and simply hand the data in an encrypted state to the storage layer,” Issa said. “That allows them to not only have a better security posture but improve their threat model and reduce the overall time it takes to roll out an encryption plan.”
Customers can then use a dashboard to monitor their encryption and adjust policies without having to update code or even to know the developer jargon. This in turn simplifies the management of encryption keys.
Lessons from the government
Among its more notable customers, Ubiq announced this year that it had signed deals with the United States Army and the U.S. Department of Homeland Security. While government buyers have their particular issues, in this case, the military and civilian systems faced many of the same obstacles one might find in large enterprises.
“The government is struggling with digital transformation,” Issa said. “They’re stuck on all these legacy systems, and they’re not able to innovate as fast as the adversaries. So you’re seeing the likes of Iran and Syria and China and Russia and other Eastern Bloc countries start to build these offensive cyber capabilities. All you need is an internet connection, a bunch of skilled, dedicated resources, and now an entire country’s military cyber capability can rapidly grow. We don’t want that to outpace the United States.”
Part of the obstacle here is that these systems run across tangled legacy and cloud infrastructure, mixing structured and unstructured data with a wide range of coding languages. While there have been big gains in terms of protecting the underlying storage, Issa said attackers have increasingly focused on vulnerabilities in the applications.
“Encryption is something that everybody knows they need to do, but applying it without tripping over yourself is hard to do,” Issa said. “They turned to us because they’ve got all these disparate data types and they have all these unique types of storage. The problem is how to apply a uniform encryption strategy across all those diverse datasets.”
Issa said the emergence of the API economy has made such solutions far more accepted among big enterprises. They see APIs in general as a faster, more efficient way to build in functionality. Issa said applying that philosophy to security seemed like a natural evolution that not only eases the task but improves overall security.
“One of the other traditional challenges with encryption is when you deploy it somewhere and it breaks something,” he said. “And then you can’t deploy it in some sectors because the system is old. So you just apply it in two areas and then realize you’ve only applied encryption to 30% of your infrastructure. We enable a much more uniform approach.”
Ubiq got a boost earlier this month with a $6.4 million seed round. Okapi Venture Capital led the round, which included investment from TenOneTen Ventures, Cove Fund, DLA Piper Venture, Volta Global, and Alexandria Venture Investments. The company plans to use the money for product development, building relationships with developers, and marketing.
“Our core focus is going to be on growing the platform, getting customer input, and making sure that we’re making the changes that our customers are asking so we can run a very resilient, useful platform,” he said.