Founders: Shai Morag, Arick Goomanovsky, Sivan Krigsman and Michael Dolinsky
Investors: Glilot Capital Partners, Accel, Qumra Capital, and Target Global
Year founded: 2019
Employees: 170
Capital raised: $97 million
When start-up Ermetic launched in 2019, it initially focused on the relatively virgin territory of managing access in the cloud. It has since expanded, however, and begun offering a comprehensive product to secure enterprise activity in the cloud, placing it in competition with Israeli unicorns like Wiz and Orca Security. Shai Morag and Arick Goomanovsky have known each other for years, both having served in the elite IDF Talpiot training program and in signals intelligence unit 8200. In 2018, Morag sold his cyber startup, Secdo, for approximately $100 million. At the same time, Singapore-based Temasek Holdings purchased cyber consulting company Sygnia Consulting, which Goomanovsky co-founded, for $450 million. The two decided to cooperate in a new joint venture, but were looking for one more partner to complement their skills. "Both Arick and I come from the technology side, but in recent years we’ve moved into business management," says Morag. " So, we were looking for a third partner to fill the VP technology position."
The triangle they sought became a square instead. Through a connection made by Ofer Schreiber , a partner in cybersecurity investment fund YL Ventures, Morag and Goomanovsky met Sivan Krigsman and Michael Dolinsky, both formerly of Microsoft, who were also looking for a third partner to manage the business side of a startup they wanted to found. Thus started Ermetic, where the four partners still work. "The ideal number of partners to establish a start-up is probably two or three," admits Morag, who serves as Ermetic's CEO, "and we didn't think we would end up with four partners. Obviously, the more partners there are, the more complex the decision-making, but for us, the advantages still outweigh the disadvantages."
"A $30 billion sector"
Together, the four decided to focus on the fastest growing area in cyber today - securing enterprise activity in the public cloud. "The main advantage of the cloud over having standalone servers is not necessarily the cost, but the fact that the cloud service providers like Microsoft, Google and Amazon have built infrastructures that makes it possible to receive a great many ready-made things, so that developing an application in the cloud will take six to nine months instead of three years," explains Morag. " That's why 95% of applications are built in the cloud today, and anyone who doesn’t migrate to the cloud is left behind. Cloud infrastructure will be a half-trillion-dollar market by the end of the decade, and experience shows that 6% of that amount will go towards security, so this sector has a $30 billion potential."
Despite its advantages, the cloud can also be a large breeding ground for cyberattacks. "Because the cloud was built for application developers, it is very flexible and allows you to play with the infrastructure’s configurations," says Morag. "But developers want to work fast and release new versions fast, so mistakes are made due to carelessness, inattentiveness, and misunderstandings, all which make an organization vulnerable to attack. Unlike having your own servers, where it was easy to install threat monitoring software (agents), in the cloud you’re not managing the infrastructure, which limits your defensive capability."
After mapping the existing cloud security solutions on the market, Ermetic’s founders discovered one area that had remained almost untouched: managing access permissions in the cloud. One recent cyberattack in the US made the importance of this area very clear. In March 2019, a hacker named Paige Thompson, a former Amazon Web Services (AWS) employee, stole the personal information of about 100 million customers from banking company Capital One. Following the hack, which was discovered a few months later, Capital One was obligated to pay a $80 million fine to the authorities, and another $190 million in compensation to customers.
Post-event analysis revealed that Thompson was able to exploit a misconfiguration to penetrate the cloud-based servers leased by Capital One. Once logged into the system, Thompson obtained permissions that gave her access to a long list of the bank's databases. Morag says that this broad authorization should never have existed; it gave a single individual access to a large amount of information. Without it, Thompson would have been prevented from causing so much damage.
"A multi-billion dollar opportunity"
One thing Ermetic’s software does is perform enterprise-wide scans of all cloud access permissions granted to employees and computers. "We check what users can access in the cloud and what they actually access. If the user can access 1,000 databases, and in practice they only accesses one, why do they need the other 999? Then we can, if the customer approves, automatically curtail these permissions to the required minimum," Morag explains.
Time-limited authorization is another feature offered by Ermetic’s software. "Sometimes, a developer needs to get into the code to fix bugs, but you don't want them to have permanent access, because if this permission falls into the hands of a hacker, they can destroy the entire code. That's why it's better to use a mechanism that provides the developer access for a limited time, and is then closed".
From Ermetic’s point of view, permissions management was, from the outset, just a gateway to the broader field of cloud security. Today, Ermetic offers a broader platform with capabilities that include, in addition to managing permissions, handling misconfigurations in the cloud, finding vulnerabilities in servers, errors in code, identifying weak user passwords, missed software updates, and more.
In the area of cloud permissions management, which is still in its infancy, Ermetic competes with Microsoft, which last year acquired startup CloudKnox Permissions Management (now Entra Permissions Management). Another competitor is Irish-American company Sonrai Security, which has raised $88 million to date. But the fact that Ermetic already offers a broader solution in cloud protection, beyond authorization management, puts it in competition with all the other major cloud players in the world, such as the US-based Palo Alto Networks and Lacework, and Israeli unicorns Wiz, Orca Security, and Aqua Security.
"The combination of permissions management and other cloud security capabilities gives us an advantage over our competitors," says Morag. "If you discover a breach in the cloud, it’s still important to identify how critical it is. To know this, you need to understand what permission from which hacked computer is involved, and whether it can, for example, delete data. Other products don’t integrate this information."
Morag declines to disclose Ermetic’s revenue, but according to him, the company already has hundreds of customers and its revenue has grown by 300% annually over the past two years, with expectations for 200% growth this year. Ermetic currently employs 170 people.
Morag also notes that three of the company's four founders are entrepreneurs who have already sold companies: "We’ve received many offers, but we’re not looking to be acquired. We see an opportunity to build both a strong cloud security platform, and a company that will be worth tens of billions."
The Most Promising Startups rankings are part of the annual Enterprise Technology Summit held by "Globes" and JP Morgan.
Published by Globes, Israel business news - en.globes.co.il - on December 14, 2022.
© Copyright of Globes Publisher Itonut (1983) Ltd., 2022.