Australian startup cloud security firm Kivera has raised $3.5 million seed funding from General Advance, Round 13 Capital and angel investors including Srinath Kuruvadi (MD and head of cloud security at JPMorgan Chase), Ely Kahn (VP product management for cloud security at SentinelOne), and others.
The primary purpose of the funding is to expand technical staff recruitment following the headquarters relocation from Sydney, Australia to New York. The firm has already emerged from stealth, but is maintaining a relatively low profile while it continues to build out its product and work with early customers (primarily in the financial sector).
The Kivera Cloud Security Protection Platform (CSPP) aims to prevent cloud breaches by eliminating their primary cause: misconfiguration in the public cloud. As long ago as 2019, Gartner reported, “Nearly all successful attacks on cloud services are the result of customer misconfiguration, mismanagement and mistakes.” Little has changed since then.
Gartner went on to add, “Security and risk management leaders should invest in cloud security posture management (CSPM) processes and tools to proactively and reactively identify and remediate these risks.” Kivera’s premise is that identifying misconfigurations that already exist is often too late. Most CSPMs identify misconfigurations tens of minutes to hours later — and organized crime with automated internet searching tools can find and exploit the errors as quickly as CSPMs can recognize them. It is better, claims Kivera, to prevent misconfigurations than to find them: prevention is better than cure.
The primary cause of misconfigurations is that they are possible. Developers are under constant pressure to produce at speed, cloud service providers (CSPs) need to make their services easy to use or lose customers to competitors, they continually introduce new features and services, and security teams are often unaware of the detail of interaction between the company and the CSP.
“We offer something that is prevention first and detection second,” said Neil Brown, co-founder and VP of operations at Kivera. “We catch the risk before it is created rather than find it later.” The result is a set of configuration policies that can be enforced during development. “It means the developers can push forward at speed because any configuration policies will be caught by the guardrails established by company policies enforced by Kivera.”
He added, “Cloud security teams are swamped in a backlog of alerts, and they deserve to get out of triage mode and take control of their cloud security by preventing risk up front. When dealing with sensitive workloads, the consequences of a single mistake, such as accidentally exposing a resource to the internet, can be considerable.”
He provides encryption as an example. “Let’s say I want to build a virtual machine, but haven’t included encryption. Kivera will capture this and say, ‘hey, this machine is exposed to the internet and our company policy says it must be encrypted.’ So, Kivera will recognize the error and enforce preventive controls at build time — we’ll stop risks before they get into the cloud environment. We block the process and send a message to the engineer so that the configuration error can be fixed.” The problem never reaches AWS or Google Cloud or Azure.
While each customer can develop its own policies, Kivera “has thousands of ‘out-of-the-box’ policies already embedded in pre-made policy packs,” he added. “They’re aligned with common frameworks such as NIST 853 or the CSA Cloud Controls Matrix and other compliance standards.”
Accidental – or not so accidental – attempts to bypass the Kivera controls through remote working are enforced at the CSP end. All CSPs have a native identity and access management authorization solution. Kivera uses this – if the attempted engineer access does not come through Kivera, it is simply blocked.
Kivera was originally founded in Sydney, Australia by Neil Brown (VP of operations), and Vernon Jefferson (CTO) in 2019. Joe Lea, board member at Viakoo and strategic advisor to AI EdgeLabs and SecureX.AI, joined as CEO in June 2023. The firm has relocated its headquarters to New York to better serve the North American market.
Related: These Are the Top Five Cloud Security Risks, Qualys Says
Related: Most Weaponized Vulnerabilities of 2022 and 5 Key Risks: Report
Related: Companies Still Exposing Sensitive Data via Known Salesforce Misconfiguration
Related: Survey Shows Reasons for Cloud Misconfigurations are Many and Complex