Tel Aviv, Israel-based cloud security firm Polar Security has emerged from stealth with $8.5 million in seed funding, in a round led by Glilot Capital Partners with participation from IBI Tech Fund.
Angel investors, including Jim Reavis (co-founder and CEO of Cloud Security Alliance), Tim Belcher (former RSA CTO), Ann Johnson (former President of Qualys), Tom Noonan (VP & GM of IBM Security), and others also participated.
Polar Security was founded in 2021 by Dov Yoran (chairman), Guy Shanny (CEO), and Roey Yaacovi (CTO). Its purpose is to provide visibility into companies’ cloud data storage to allow security teams to secure the data and avoid compliance problems.
In the past, data storage has been centralized on-prem and in a few known cloud storage centers. In recent years, cloud migration and the explosive growth of company data have changed this. Companies no longer necessarily know where their data resides – and you cannot secure what you cannot see.
The basic problem is that data stores are created by developers. The security team responsible for security and compliance assurance rarely knows where the data – and especially sensitive data – is located. This is exacerbated by the ‘shadow data’ that doesn’t officially exist. A developer might spin up a new S3 bucket containing sensitive data for a specific test, and not inform the security team this has happened.
Polar Security’s cloud platform is designed to throw light on the location and content of known and unknown stored company data. It has three primary layers: data discovery, data classification, and data flow mapping.
Discovery involves scanning the company’s entire cloud infrastructure, including S3 buckets, log files and shadow data, to find where data is located. Classification is the determination of sensitive data within those locations, based on data protection definitions – such as PII as defined by GDPR, and financial data as defined by PCI.
Without Polar, this is currently a manual process; and as with all manual processes, it is time-consuming and subject to human error. “We provide an automated data inventory,” Polar told SecurityWeek. “In the next few months,” it added, “we will give customers the ability to define their own types of sensitive information. This will be via a dashboard where the customer can define what sensitive data looks like, such as illegal (sexual, racial, hate) speech.”
The third layer of the process is to map both existing and potential data flows. “Polar first discovers where the data lives, and then locates potential data flows,” said the firm. “Then we map out the actual flows; so, we can see that this employee has accessed this datastore (which we may not even know about) and has downloaded sensitive data from it. We provide visibility into who and what services can access sensitive data and who is accessing it, to allow security teams to provide data security and compliance controls.”
In short, the Polar platform can detect potential and actual data vulnerabilities and compliance violations. As an example, if a developer spins up a cloud server because there’s a feature he wants to check, he could end up with a U.S. server accessing data in the EU. The security team may be unaware, but Polar will find the data is in the EU, and its flow detections will see it is accessed from the U.S. If the data is personal data, there is an immediate compliance violation because it involves sensitive data movement from the EU to the U.S.
The company may not be aware that the developer has introduced a compliance violation. It may think it is operating under the protection of the EU/U.S. Privacy Shield and/or may be using standard contractual clauses – but since the Schrems II EU ruling of 2020, both have been effectively invalidated. The company is in de facto violation of GDPR and may not even know it.
“To solve data security in the cloud, you must focus on the crown jewels – the data stores holding sensitive data – as fast as developers create new data,” comments Shanny. “We built Polar to help companies automate their data security across known and unknown data stores, to continuously prevent cloud data vulnerabilities and compliance violations at any scale.”