Canonic Security, a cybersecurity startup protecting SaaS business applications, recently emerged from stealth with $6 million in seed funding from leading global investors including First Round Capital, Elron Ventures, SV Angel and Operator Partners. The company also unveiled the Canonic App Governance platform, powered by the industry's first app sandbox. The commercially available platform redefines SaaS application security by allowing enterprises – for the first time ever – to simulate third-party apps and SaaS-native code behavior in its SaaS sandbox environment before granting access to organizations' business applications.
We spoke with Boris Gorin, co-founder and CEO at Canonic Security about the company's mission and where the company sees the market heading.
With over 20 years’ experience in cybersecurity, what security gap did you see in the market that led you to start Canonic Security?
Prior to launching Canonic Security, I led the SaaS security threat team over at Proofpoint, and previously, built a CASB at Firelayers (Acquired by Proofpoint).
As SaaS adoption has grown and platforms have become more and more complex, the security space has become more fragmented. The number of point SaaS security offerings has been growing but overall, as an industry, we’ve not been getting much better at solving the same problems we saw 10 years ago when CASB started.
What’s the biggest challenge when it comes to securing modern SaaS applications and what are some of the common SaaS security misconceptions that you see amongst enterprises?
Traditional security approaches were not designed to address SaaS-native security challenges, and the industry as a whole is still adapting. Traditional stand-alone SaaS security solutions would look at securing SaaS applications’ access, benchmarking configurations and scanning content for policy & compliance violations, and there is still lots of work to be done there. But it turns out SaaS platforms are much like operating systems: only so much you can do without looking at the interaction between processes, platform integrations, API calls and how they all interact with one another to form the system posture.
What advice do you have for organizations that are looking to start enhancing the security posture of their SaaS infrastructure?
Security incidents often happen because the mitigating controls were either not in place or were thought to be in place but weren't effective. Strong authentication is a good example that is all too often taken for granted. Surely most organizations would either say they have MFA or control authentication through some centralized SSO, or both.But invariably, usually up to 30% of the user base doesn't have it enforced in practice -- older devices, legacy protocols, api keys, app specific passwords, conditional access exemptions -- there's never a shortage of excuses. That's fine, as long as that's a managed risk. Often it isn't. So I guess my main advice: try to map your actual attack surface and see if the risk is something you're actually comfortable with.
How do you expect SaaS applications to evolve in the next 5 years?
The number of SaaS apps used by organizations on average will grow dramatically as apps are decomposing and hyper-specialization is growing. API integration sprawl and platform complexity will grow. will grow. We will become increasingly dependent on SaaS apps and a growing number of critical workloads while we shift to business services we subscribe to, rather than things we own, build or run.