Q&A: OpenDNS Founder On Cloud Security In The Transforming IT Landscape
David Ulevitch is founder and CEO of OpenDNS, a DNS service and security firm based in San Francisco. EveryDNS, Ulevitch's first company, started as a college project and grew to 100,000 users before he sold it in 2010 to Dyn Inc.
This year, Ulevitch was included in Inc. Magazine 's "35 Under 35" list of entrepreneurs.
He recently spoke on Internet security at BoxWorks, the annual Box conference. Ulevitch also spoke on that topic at the World Economic Forum after OpenDNS was selected as a technology pioneer in 2011.
CRN: Internet security is big business, and companies are spending serious money on protecting their networks and data. Yet we keep hearing about major breaches. What gives?
DU: Even though there's a lot of security companies out there, and people are spending a lot of money on security, the bar is not necessarily being raised when it comes to improving your security posture. And why is that? What else is happening that's causing a difficulty for businesses, especially small and medium businesses, and what can they do for security to both educate themselves, and what action can they take to improve their security posture so they don't constantly occupy themselves putting out fires, or, worse, [be] on the other end of an attack for which there may be limited to no recourse?
CRN: Good questions. What's the answer?
DU: First we need to understand the cloud has really changed, not only the problem statement, but also the solution, the approach to solving it. We're seeing a dramatic transformation of the IT landscape.
CRN: What does that transformation look like?
DU: Traditionally, people came into their office, they sat at their desk, using their desktop or their laptop, and they accessed their file server that was on their local network and the applications that were hosted inside the office. They were using files in the office, using computers in the office and the people were in the office. So from an IT landscape perspective, in thinking of security, all you had to do is treat the enterprise like a castle, and the way you protect a castle is you build walls around it. And you can have one entrance and one exit, where you can stick an appliance to look at traffic, and that's what firewalls do. They sit at the edge of the corporate network, at that perimeter. It’s a simplified way of establishing a security posture because you have control over what comes in and out of the office.
CRN: So what's changed?
DU: Well, you have employees using myriad devices -- some of them are owned by the company, some of them are owned by the employees -- and you have mobile devices, you have Android and iOS and you have iPads. We're going from a world where something like 80, 85 percent of all enterprise applications ran Windows. That number is dropping over the next two years to below 35 percent, which is a dramatic shift if you're trying to secure applications. Now they're becoming web-based or moving to the cloud, so your in-house Oracle application is now Salesforce, your Exchange Server is now Google Apps, you're using Box or Dropbox or Office 365 and all these various tools.
With these new devices, you have people using cloud applications that are outside of your corporate perimeter. They work from Starbucks, and they work from home, and they work from the airport, and they work from the road. These fundamental changes really represent a totally transformed IT landscape.
CRN: What are the implications for security in that transformed IT landscape?
DU: From a security perspective, it means, on the negative side, all the traditional approaches to security are no longer appropriate. You can't just stick an appliance on the edge of your network because it will see an increasingly smaller and smaller piece of your overall traffic as more people use cloud services outside the office.
CRN: So if a firewall isn't going to protect the castle, can't we still just protect the device?
Most of the security appliance vendors, the way their security has always worked is by looking at copies of malware, building a pattern to map against it, and pushing out that pattern to all their other customers who have that appliance.
The reason that doesn't work anymore, the reason that places like Home Depot and Target are getting breached, is that malware today has two things going for it that prevents the traditional approach from working.
The first is that malware is polymorphic. Every time it copies itself, it’s a little bit different. By the time you get a copy and build a pattern, that pattern is already useless because you'll never see that same pattern again.
Second reason is that oftentimes victims are being targeted so specifically that that malware, the first time you see it is also the last time you'll see it. It was like a sniper shot, not a shotgun blast.
CRN: Sounds bleak.
DU: On the positive side, it gives us an opportunity to rethink security.
This is why we're seeing the blossoming of a lot of small security startups. One disruption to the IT landscape is enough to create new security, and now we have three: the mobile workforce, multiple devices and cloud applications.
You have people focusing on identity management, trying to reimagine how you do logins to different services, so it's less complicated to provision someone when you hire them. You have companies focusing on encryption of data, the stuff you put inside of Salesforce or Amazon, to armorize the data you put in the cloud.
And you have companies like OpenDNS that, say, rather than sticking a metal box, we think we can deliver the same security or even better, but do it as a service, 24 hours a day, 7 days a week. It's contextual and it's dynamic, so it gives you the right security and the right policy depending on who you are and where you are and what you are accessing.
NEXT: OpenDNS Methodology
CRN: How does OpenDNS actually do that?
DU: Our approach is to say, 'Hey look, we know there's 300 million sites out on the Internet that people could go to,' but for the average 50-person company in North America, there might really only be 3 million websites on the Internet as far as they're concerned, and they don't need to go to the rest of them.
So we can spend a lot of time making sure, apply all kinds of things around reputation, behavior, and a whole bunch of other sciences on the data we have to classify and add context on everything they do. If no other company of your size is visiting that IP address that’s located in Eastern Europe, we don't want you to be the guinea pig, so we're going to put a roadblock there and we're going to analyze it further. We can let you pass if you feel really confident about it though.
We have a whole bunch of technology that allows us to get way ahead of threats, long before some appliance will identify it as a threat on your computer. We don't want you to download it in the first place.
CRN: How do you know where the threats are? Where are you getting your data?
DU: We have 50 million people every day running through our network, and yesterday we did 60 billion DNS requests, and we log, store and analyze that. That's about half the data we analyze. The other half comes from other sources like domain registrations, BGP routing information on the Internet, what websites are hosting other websites. We add all that context together. Our research team has built a whole lot of classification engines and algorithms that mine that data looking for patterns, and whenever things deviate from that pattern or get flagged by one of the classifiers, we either do an algorithmic block or issue a red flag.
CRN: How is that service brought to market?
DU: The product we sell is called Umbrella. We decided a long time ago to take the device-agnostic approach. We don't care if you're using laptops or tablets. We don't charge per device, just per user.
Our partners include 2,000 active MSPs that have resold our service. Because they are virtual CIOs, they actually sell, provision and price that service for their customers. Most of our MSP partners just bake it into their customers' monthly costs, and we charge them per-user per-year, because they know that by using our service, the customer is going to have less infections from malware, less likely to be phished, less likely to have other security compromised and, therefore, it improves their margins. Sometimes they pass it on to the customer. We don't actually care how they do it.
CRN: What kind of relationship do you have with those MSPs?
DU: MSPs are almost a third of our business. They're phenomenal about getting us customer feedback and product feedback. And we spend a tremendous amount of engineering effort to make sure we are the premier security solution for them.
One of the things we learned from the MSP community is they are an extremely collaborative and communicative group of sort-of IT executives. And so our growth in the MSP world has been very strong. It's one of the fastest-growing segments of our business because it's all word-of-mouth, and reputation and recommendation. So we have an entire engineering and product team focused on the MSP community. We integrate with Kaseya and Autotask, and other tools they use to auto-provision their customers. They can use those tools to directly provision OpenDNS.
NEXT: MSP Cloud Business
CRN: How do you see all these changes transforming the MSP business?
DU: MSPs are transforming the model in a way that’s drastically better for them and for their customers. As they become the virtual CIO, they become enablers of technology.
They used to be focused on doing the truck-roll to small businesses, to companies they were supporting. They would come on-site and disinfect laptops; they would set up new laptops or provision new equipment; they would manage and maintain the Windows Exchange Server or the Microsoft small business server; and they basically would get paid by the hour, and now much of that software's been end-of-lifed.
What that means is that instead of getting paid by the company to come over and do all the IT work, it costs the customer, let's say, 100 bucks per employee per month, and for that they're going to do everything -- set up all your email, all your backups, all your security -- and it incentivizes the MSP to be really proactive. The less infections the customers have, the better the backups are, the more reliable their systems are, the less truck rolls they have, and that's all the better. They don't get paid for every hour they spend on-site. Now they get more money by never coming on-site.
CRN: So is that good for them financially?
DU: It’s a much more leverageable business model. You can support way more clients with way less MSP employees. Spending three hours on site, rather than 30 on site, every week is 10 times more efficiency. That's better margins, better recurring revenue, and also more predictable fees for customers on their spend.
It's truly a win-win. Since a lot of it is done virtually, rarely on site, businesses have more choice because they don't necessarily have to pick an MSP within a 5-mile radius. It allows small-business owners to get access to big tools and big services that they might not ordinarily be able to afford.
CRN: Let's circle back to OpenDNS. Do I need to be a customer of your DNS service to use Umbrella, the security platform?
DU: Yes, we offer a recursive DNS service, which is how a browser finds websites. It's necessary to use that service to access the security service.
Our customers aren't necessarily buying us for DNS service, they're buying us for security. But one side of that is we run their DNS for them, and that solves multiple issues for them.
CRN: Any last thoughts about cloud-delivered security compared to the traditional approach, and how OpenDNS is making advances in that field?
DU: It's not just because workers are outside the office, and it's not just because it's easier for these virtual CIOs to deploy it, but cloud security, our approach to security, is fundamentally much more appealing even if you don't have everyone leaving the office, because we're able to detect threats in realtime across the globe and use that intelligence to protect individual customers. Think of this as the collective wisdom of 50 million people who run through our network every single day.
And we're looking at all the traffic patterns of infected users, the traffic patterns of not-infected users, and we're able to do this really quickly. We have a research team that analyzes and adds a whole bunch of context to that data so we can figure out what different parts of the Internet are good and bad, oftentimes before you ever download malware or get infected in the first place.
And we now have a growing track record and reputation of identifying security threats before they even activate. And we often publish this data publicly, at least semi-publicly, for the security research community.
PUBLISHED OCT. 6, 2014