Google Cloud partners with startup Veza

Google Cloud is using Veza’s data security services to let customers understand who has access to specific data and what they can do with it.

Security officers can map where people can go in a business’s facilities because the people are identified, the locations of the facility’s rooms are understood and access to the sensitive areas is controlled. But the security folks sometimes have no idea who – people or applications – can access different types of data, especially in a multi-cloud environment.

This represents an attack surface for phishing malware and a disincentive for on-premises-based organisations to move to the public cloud.

Sunil Potti, GM and VP for Cloud Security at Google Cloud, said: “With Veza’s platform now available alongside Google Cloud’s secure and global infrastructure, customers will be able to quickly deploy the solutions they need to better understand, control, and securely take action on their data across their multi-cloud environments.”

Let’s take a closer look at the problem Veza says it solves. Data can be stored in multiple cloud locations (AWS, Azure and GCP, for example) and the services within them, plus databases, data warehouses and lakehouses, such as Snowflake and SQL Server. These can be front-ended by identity management services from Okta, Azure’s Active Directory and others; by the cloud service suppliers’ permission systems, such as AWS IAM, Azure Role-Based Access Control (RBAC) and GCP IAM; and also by system-level permissions from services, apps, and systems like S3, GitHub, and Snowflake.

Permission systems can be complex; the AWS IAM User Guide is 1,091 pages long according to Veza, and definitions of what constitutes a permission and a user are different in S3, Snowflake and SQL Server.

Veza has defined and set up a central permissions metadata store, and pulls metadata about permissions from data sources, identity and permission management systems, such as those above. It has built Core Authorization Platform software that is a distributed-systems engine optimized for extracting authorization metadata, loading it into the Veza authorization metadata store, and supporting real-time querying of this metadata store.

Veza software components.

With this authorization metadata store in place, it can be queried to find out which actors (people, apps) can do what (read, change, encrypt, delete) to which data. The store can also be used to pick out vulnerabilities, such as sensitive data that is too accessible and staff with excessively powerful permission sets. It can detect violations of good practice, alert security staff, and enable them to fix such problems.

Veza violations screenshot.

Authorization charts (graphs) can be generated to show the authorization relationships between all users (people, service accounts, etc.), apps, and data sources. This includes relationships based on authorization entities like users, groups, and roles, in Cloud IAM solutions like AWS IAM, GCP IAM, and Azure RBAC. For example, a business’s security people can see which Okta users have delete permissions on Snowflake tables, which Azure users can create and delete AWS S3 buckets, which users are currently allowed to create and delete code repositories in GitHub, and so on. 

Veza Authorization Graph.
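
To make the idea of an authorization graph concrete, here is an added example that is not Veza's code or API: a small Python model in which identities from several systems reach roles through group and role edges, and queries resolve effective permissions by graph traversal. All identities, roles, resources and the sensitivity tags are constructed sample data.

```python
from collections import defaultdict, deque

# Constructed sample metadata: GRANTS edges link an identity, group or role
# to another group or role in any system; PERMS attaches actions to roles.
GRANTS = [
    ("okta:alice", "okta:group/data-eng"),
    ("okta:bob", "okta:group/analysts"),
    ("okta:group/data-eng", "snowflake:role/ETL_ADMIN"),
    ("okta:group/analysts", "snowflake:role/READER"),
    ("azuread:carol", "aws:role/s3-ops"),
    ("gcp:sa/report-job", "snowflake:role/READER"),
    ("snowflake:role/ETL_ADMIN", "snowflake:role/READER"),  # role inheritance
]
PERMS = [
    ("snowflake:role/ETL_ADMIN", "delete", "snowflake:table/customers"),
    ("snowflake:role/READER", "read", "snowflake:table/customers"),
    ("aws:role/s3-ops", "delete", "aws:s3/payroll-bucket"),
    ("aws:role/s3-ops", "create", "aws:s3/payroll-bucket"),
]
SENSITIVE = {"snowflake:table/customers", "aws:s3/payroll-bucket"}
IDENTITIES = ["okta:alice", "okta:bob", "azuread:carol", "gcp:sa/report-job"]

def build_graph(grants):
    graph = defaultdict(set)
    for src, dst in grants:
        graph[src].add(dst)
    return graph

def effective_permissions(identity, graph, perms):
    """Walk every group/role reachable from identity; collect (action, resource)."""
    seen, queue = {identity}, deque([identity])
    while queue:
        for nxt in graph.get(queue.popleft(), ()):
            if nxt not in seen:  # guards against cyclic group nesting
                seen.add(nxt)
                queue.append(nxt)
    return {(a, r) for role, a, r in perms if role in seen}

def who_can(action, resource, identities, graph, perms):
    return sorted(i for i in identities
                  if (action, resource) in effective_permissions(i, graph, perms))

def destructive_on_sensitive(identities, graph, perms, sensitive):
    """Flag identities that hold delete on any resource tagged sensitive."""
    findings = {}
    for i in identities:
        hits = sorted(r for a, r in effective_permissions(i, graph, perms)
                      if a == "delete" and r in sensitive)
        if hits:
            findings[i] = hits
    return findings

GRAPH = build_graph(GRANTS)
```

Calling `who_can("delete", "snowflake:table/customers", IDENTITIES, GRAPH, PERMS)` answers the "which Okta users have delete permissions on Snowflake tables" style of question from the paragraph above, and `destructive_on_sensitive` is one simple form of the violation check.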

Tarun Thakur, CEO at Veza, said the product integration between Veza and Google Cloud means that “identity-to-data relationship insights from the Veza platform can be pulled directly into the Google Cloud Policy Analyzer, allowing customers to secure both Google Cloud data (Looker, BigQuery, Google Storage Buckets, etc.) to which multi-cloud identities (AD, Azure AD, Okta, etc.) have permissions and multi-cloud data (AWS, Snowflake, etc.) that is being accessed by Google Cloud identities.”   

The Veza software is built to be extensible; it has an API for that purpose, and supports AI/ML-based capabilities, from access recommendations to natural language-based universal search and more.

Brief Veza history

  • 2020 – Founded by Thakur, CTO Maohua Lu and Chief Architect Rob Whitcher
  • 2021 – B-round of funding led by Google Ventures
  • 2022 – Came out of stealth
  • 2022 (April) – $50 million in C-round led by Accel with a c$500 million valuation

Total funding is $110 million.

Veza says it has many enterprise customers already. Going from nowhere to a half billion dollar valuation in two years is some feat and it looks as if Veza is pioneering a whole new data security service sector.

We think it likely that it will soon announce partnerships with AWS and Azure as well, and follow up with relationships with cloud data sources, such as Snowflake, and possibly the main SaaS applications as well, such as Salesforce and ServiceNow.

Read a Thakur blog and a technical white paper to find out more.