Datto CEO Tim Weller: Security Is The Top Priority

‘If [a security issue] means we have to tell customers something’s a month late, if the partners aren’t getting a feature they wanted, then so be it. Security has been number one here for a long, long time,’ says Datto CEO Tim Weller.

Security Top Of Mind At Datto

Security, always a primary topic of discussion for the channel, has taken on new meaning in the last couple years with cybersecurity attacks targeting MSPs and their managed services clients. MSPs have become a target for such attacks given the possibility of an attacker gaining access to the data and systems of not just a single company but of multiple clients served by MSPs. And MSP platform providers have served to open the door to such attacks. Russia-based hacker REvil in 2021 attacked MSPs via Kaseya, while both SolarWinds and ConnectWise, whose products are used by MSPs, were hacked.

The spate of attacks, particularly the SolarWinds attack, has brought concern that laws could change to force companies to report undisclosed security breaches and expose them to increased scrutiny.

Datto, which provides a wide range of platforms for MSPs, is looking to stem the attacks with a security focus in all it does, Tim Weller told CRN. At the company’s October DattoCon conference, the company made security the primary theme because it knows how important it is to prevent cyber attacks via the MSP community, Weller said.

“The direction at Datto is to mimic what the Microsofts and Googles of the world do [for security transparency],” he said. “We look to big hyperscaler kinds of tech companies as being the gold standard. And we’ll start publishing more down that line.”

Weller also reminds MSPs to make sure they focus on security, and get paid for it. “There is no mandate to go provide all of this for free,” he said. “You need to raise your prices as you’re providing more security. And it will be a multi-year journey.”

What was the key message from DattoCon this year?

Our key message was that MSPs are in the security business. That there’s nowhere to run or hide. You are in charge of securing the digital assets of your customers. And we’ve all at various levels probably dabbled in it. Some MSPs probably feel like they’ve been doing it for a decade. Others feel like they’re just getting started. But you can lose the whole client relationship in a weekend. And in fact, some people did lose client relationships over the last year with various security attacks and what have you, and the attacks are growing exponentially. And so, however it feels right now, it’s going to feel a lot worse in a couple of years. So let’s get after it. That is the theme. ...

In the CEO keynote, I said there’s also opportunity. You are in the technology business, you should be charging people full freight for security protection. And I like to think about the popular phrase, ‘doing well by doing good.’ You’re doing a good security practice and feel great about that. And you’re doing well growing your business. There is no mandate to go provide all of this for free. You need to raise your prices as you’re providing more security. And it will be a multi-year journey. So let’s start now.

There have been multiple attacks recently through the MSP channel, including via source code attacks via SolarWinds and Kaseya. What is Datto doing to secure its source code? Are you doing third-party validation?

Our CISO (chief information security officer) Ryan Weeks [announced] that we completed and passed our BSIMM (Building Security In Maturity Model). It’s a security maturity model that Google and Bank of America use. Very enterprise. Very high-end. And our RMM (remote monitoring and management) platform passed.

Ryan’s been here over five years. He’s got, I think, 30 people directly reporting to him. He’s got another 30 within engineering that are dotted-line reports to him. And I think the main thing he was trying to get across is, this is not something you can [start and finish] this weekend. This is not calling in some pen (penetration) testers to do this, that, or the other. We have a large in-house testing team, and we use multiple firms on the outside. This is what I would call a way of life.

For internal controls, the military is actually a good way to think about it. You’re running a battleship, you test, you drill, you train the manuals, and then lather, rinse, and repeat, you do it again. There’s north of a hundred-plus people I’m sure at Datto now that feel like this is their day job. And so at the end of the day, in software, that ends up being how you defend your supply chain. You attack your code, you deploy it, you roll it back. I didn’t mean any hubris or to be bombastic, but I said there’s a lot of rumor out in the world. Just for the factual record, publicly, Datto RMM has never been breached. I’m not pointing any fingers at anybody else. ... The only answer is to invest more, which is a bit of advantage for larger companies. That I will admit. If you’re a small company, it’s somewhat hard to do these sophisticated security maturity models. And that’s going to be something we have to share. Vendors have to get together. MSPs have to get together.

What are some of the third-party companies that Datto works with for validating your code?

They are all names you will have heard of if you cover security a little bit. We’re not really in it for the marketing. ...

Our investment levels will just keep going up, up, and up. And we’re five-plus years into that journey now. So I won’t talk specific vendors, but you should assume all the ones that get written up regularly, we are in touch with. And remember we have four or five products, major lines. So the answer could be different in different lines. But again, Weeks has probably somewhere between five and 10 people full-time internally just attacking. That’s kind of a fun job: attack Datto from the inside. And it’s gloves off. You get your Amazon gift card if you can fool the engineering team and break their security. And then there are outside vendors’ incident response as well. We have that plan sort of all dialed up, knock on wood.

In the wake of the Kaseya breach, the big question became the process around vulnerability disclosures. How many vulnerabilities has Datto disclosed, and what’s the process for reporting them?

There are critical risks. When Apple discloses one of those things, it’s expected to be working on that real time. And Microsoft. And we have that point of view. I can tell you, there’s no tier-one highest-level risk here that engineering teams aren’t actively working on. Everything else stops, features, anything you’re doing for a product stops while we do that. So we have a very high level of transparency internally. I don’t know what we publish to the outside world, but I think we have published some of that. The direction at Datto is to mimic what the Microsofts and Googles of the world do. We look to big hyperscaler kinds of tech companies as being the gold standard. And we’ll start publishing more down that line.

We have an outage status page on Datto. We’re comfortable doing that on the security side, too. The only nuance there is, if you’ve got a vulnerability in the cloud, then you’re not really looking to advertise that to the bad guys. I think that’s one spot where we’ve been, I don’t know if lucky or smart, but we started the company at the right time. It predates me. We started it in the cloud. So one of the things that I really stress is the difference between cloud-native and cloud-hosted. Companies that started 20, 25 years ago had no cloud. They were on-premises-deployed software: RMM, PSA, whatever else. ...

And then we started in the late 2000s as cloud-managed, which I would call cloud-native. Our RMM tool, for example, is built in AWS. We wouldn’t have been able to do that if we started in 2003, like some of our competitors. When they moved to the cloud, it became a lift and shift. You’re taking on-premises software and shifting it over into the cloud and hosting it in the cloud. [That] is very different than natively-built, bottoms-up in the cloud. And it has a lot of security implications that generally aren’t positive. So that’s been an advantage for us, being in the right spot at the right time. I’ll give full credit to the founders who said this is the most secure and scalable way to do it. And that’s benefited us for years.

If Datto sees a critical vulnerability, how quickly are you able to resolve it?

Depends on the vulnerability, of course. But it goes right to the top. The CTO (chief technology officer) will know about it in real time. The CISO will know. Probably the secure InfoSec team are the ones that exposed since we attack ourselves so much. And the relevant engineering teams move on it in real time. And if that means we have to tell customers something’s a month late, if the partners aren’t getting a feature they wanted, then so be it. Security has been number one here for a long, long time. And if you think about our continuity history, if you go back far enough, it was the same. There’s no alarm bells ringing, but if somebody is on the edge of a critical data loss, that becomes the most important thing in Datto’s world, and everything else can wait. ...

Ryan came from financial services world. A lot of that team came from banks and insurance and the sort of companies that really obsess over this. It slows us down sometimes to do proper security. But he’s got carte blanche on what he needs.

Do you ever have to compromise between securing a product and getting it out according to plan or in a manner quick enough to satisfy customers and MSPs?

Not really. I think you might disappoint MSPs, and the feature release might not be quite as rich, if you had to let some features drop and get pushed out three months so you could do some fundamental security. I feel fairly blessed that we started this years ago so we’re enough ahead of it. But I could imagine a scenario where you’ve got a resource conflict and security would win.

I had an internal session with our engineering QA (quality assurance) team a few weeks back, and they asked me the same thing, actually. They said, ‘What’s more important, speed or quality?’ I gave him the ‘Toyota’ answer. I said, ‘The whole point of six-sigma back from the ’70s onward was, if you build the quality in, you actually go faster. Your assembly line speeds up because you’re not doing continuous rework.’ And I think that’s the mental model that we have, which is, let’s put the security and quality on the front end and it speeds us up over time. But security would win any of those tough battles. ... Nobody’s ever going to, with an honest face, hand over heart, tell you they have 100 percent of all their security protections enabled. The world is moving too fast. The attackers are evolving. But I think [Weeks] will tell you he’s very, very happy now with the trajectory. ... This’ll be a six, 12, 18, 24 months kind of a thing. And you won’t be surprised to learn that the in-person DattoCon next year will very much be centered around security. This, as I said, is not going away.

What does Datto do differently from its competitors like Kaseya or ConnectWise or N-able in terms of your security approach? What’s the big difference?

I think I would point to leadership and overall scale of the effort. Ryan talks to all the other CISOs. We hosted a security panel just before the pandemic with multiple CISOs from other companies. And I would point to the fact that he’s been here over five years. I just think we’re further down the line. The investment level has been an order of magnitude higher than the other vendors here. It’s a time and money and expertise thing. And the picture has been like that really from the very beginning, but I hope certainly since I got here. ...

That’s how the founder was before me: serve the partners, take care of employees. And the industry is growing so fast that we’ll take our share. And I think security has to be like that too. We’re a little more low-key. [A few] continuity providers are now saying they have air gapping. You know what? We quietly pioneered that years ago. You won’t find big marketing materials on it, but we have over the years saved over 400 people from what could otherwise only be called a catastrophic data loss. ... That’s not the kind of stuff you see on our website, but the partners that sell our product everyday know that. And they come back for more. And I haven’t had a data loss escalation to my desk in a couple of years.

Outside of security, what are some of the things we can expect from Datto over the next six to 12 months?

That’s a hard question because it all involves security. We’re going to do a lot more through that whole NIST framework. You go from identify to protect to detect to respond to recover. We have builds going on throughout there.

One of our recent headline announcements was Datto Continuity for Microsoft Azure. ... That’ll be a big story as partners think about going to Azure with workloads. They want to have a phenomenal continuity solution before they go there. And we’ve also solved a bit of an economic problem for them. We flat rate price it in the same way we do any of our other solutions in continuity, which means they don’t have the uncertainty of whether their Azure bill is skyrocketing, or their AWS bill or wherever they choose to put their backups. So we’ll watch that. And we’ll have more to say about how early adopter feedback is. ...

We have a pretty robust Datto networking roadmap. There’s security elements in all of that. [And there is] our ransomware detection for RMM, which now has over a million end points. Hasn’t even been out there for a year and it has over a million end points and 136 live attack detections with live hackers roaming around networks found by our RMM, which is a pretty incredible number. Although it’s fun when you’re defending, it’s very scary to see the scope and scale of how many live attackers there are living in people’s networks every day.