
Introducing Security Platform as a Service

Oliver Friedrichs

It’s another important milestone in Pangea’s history. Earlier this month we announced our Series B led by GV (Google Ventures), with participation from Decibel and Okta Ventures. We didn’t expect to raise a Series B this soon, but it became clear to us that the sheer size of the problem that Pangea is solving requires us to scale far beyond a typical enterprise company, and our investors have recognized the massive opportunity that this presents.

The reason is SPaaS. But what is THAT?

SPaaS is Security Platform as a Service. It’s a framework of API-first cybersecurity services that developers can embed directly into their applications to deliver security functions to their customers.

To really appreciate what this means, we need to first look at some existing examples.

It all started with PaaS or Platform as a Service when AWS first pioneered (followed by GCP and Azure) the concept of taking the aging data center and the software stack on top of it, and flipping both the architecture and business model on their heads by:

  1. Creating a collection of easily consumed API-first microservices to provide compute, storage, database, analytics, and dozens of other capabilities for application builders to deliver their product on (like EC2 and S3), and then a framework of services to embed directly into their apps (database, message buses, caches, etc). Today these platforms deliver over 200 individual services that empower developers to ship cloud apps orders of magnitude faster.

  2. An orthogonal pricing model whereby you only pay for what you use - in very small micro-payments - making it dead simple and cost-effective to get started. This dramatically lowered the bar to deliver a cloud application - you no longer needed a datacenter! This model has led to an astounding flood of over 50,000 new companies starting on AWS annually. I was an early AWS customer at Immunet in 2008, and we would never have been able to deliver what we did on a modest budget if we had to build out a physical presence. But this is all old news and well-recognized now.

The second example is CPaaS or Communications Platform as a Service pioneered by Twilio, whereby an application builder could embed communications functions directly into their app. Twilio’s API-first services enable developers to forgo the need to work with the telecom industry in order to communicate with customers over SMS and email. Another great example of how just a few lines of code can provide a highly advanced set of functions to your app.

Enter SPaaS or Security Platform as a Service - It’s 2022 and an exciting time to be a developer. The numbers reflect this - Forrester estimates that we may see up to 1 million software companies by 2027. With this massive influx of software developers, those that can build security functions remain few and far between - and yet security isn’t just a nice to have.

We’ve seen the API-first economy explode, but cybersecurity, as usual, has been far behind, and there’s no single place for an app builder to find the broad set of services they need to get their app to market quickly.

Developers need to source these functions from an ambiguous and fragmented set of open source and scattered commercial offerings. At the same time - even though they’re table stakes - having rich security features isn’t going to make a user fall in love with your product. But while most developers don’t dedicate their energy to delivering security, you can’t sell a product to the enterprise without it.

SPaaS is the first-ever effort to shift security “left of left” by providing a set of security building blocks for developers that “just work” out-of-the-box. SPaaS delivers a broad set of API-driven security services that embed into an application’s runtime code. SPaaS includes functions like:

  • Authentication (AuthN)

  • Authorization (AuthZ)

  • Secrets management

  • Secure audit logging

  • Entitlement and license management

These are core security functions that every cloud app needs, but most developers would rather not take the time to build. These aren’t exactly new, but until now, they haven’t been available in a single place. SPaaS provides a single place to pull these functions from a trustworthy source. Besides the above, there are dozens more SPaaS services that cater to specific use cases, verticals, and compliance needs:

  • Secure object storage - to store and share file objects securely

  • File reputation lookup - a lookup to determine if a file is known to be malicious

  • File scan - a deeper scan for malicious content in unknown file objects

  • Redact - to remove personally identifiable information (PII), financial data, protected health information (PHI), and other sensitive information from data

  • Embargo - to block export-controlled countries from accessing your app

  • and many more.

Why hasn’t this been done before? First of all, it’s not as easy as it sounds. Building SPaaS is an order of magnitude harder than building point security products - either on-premise or SaaS - as we need to build dozens of scalable cloud-delivered services, each of which is a distinct product on its own. Not a small undertaking! Imagine building AWS from scratch… Fortunately, we don’t have to deal with hardware and regional coverage as we can rely on the existing PaaS providers for that!

We expect this to be a long and meaningful journey as we build out a broad set of services first, and then add depth to each of those services over time. While the journey has only just begun, we’re elated to welcome Google Ventures, Decibel and Okta Ventures to be a part of it!

Oliver
