Box acquires e-signature startup SignRequest for new content workflows

Box announced this morning that it has agreed to acquire e-signature startup SignRequest for $55 million. The acquisition gives the company a native signature component it has been lacking and opens up new workflows for the company.

Box CEO Aaron Levie says the company has seen increased demand from customers to digitize more of their workflows, and this acquisition is about giving them a signature component right inside Box that will be known as Box Sign moving forward. “With Box Sign, customers can have a seamless e-signature experience right where their content already lives,” Levie told me.

While Box has partnerships with other e-signature vendors, this gives it one to call its own, one that will be built into Box starting this summer. As we have learned during this pandemic, the more work we can do remotely, the safer it is. Even after the pandemic ends and we get back to more face-to-face interactions, being able to do things fully in the cloud and removing paper from the workflow will speed up everything.

“The massive push to remote work effectively instantly highlighted for every enterprise where their digital workflows were breaking down. And e-signature was a major part of that — too many industries still rely on paper-based processes,” he said.

Levie says that the signature component has been a key missing piece from the platform. “As for our platform, when you look at Snowflake, they’re the data cloud. Salesforce is the sales cloud. Adobe is the marketing cloud. We want to build the content cloud. Imagine one platform that can power the entire lifecycle of content. E-signature has been a major missing link for critical workflows,” he said.

He believes this will open up the platform for a number of scenarios that, while possible before, could not flow as easily between Box components. “Having SignRequest gets us more natively into mission-critical workflows like customer contracts, vendor onboarding, healthcare onboarding and supply chain collaboration,” Levie explained.

It’s worth noting that Dropbox acquired HelloSign for $230 million two years ago to provide it with a similar kind of functionality and workflow capability, but analyst Alan Pelz-Sharpe from Deep Analysis, a firm that follows the content management market, says this wasn’t really in reaction to that.

“I think what is interesting here is that Box is going to integrate SignRequest and bundle it as part of the standard service. That’s what really caught my eye as the challenge with e-sig is that it’s typically a separate product and so gets limited use. They bought it partly in response to Dropbox, but it was a hole that needed fixing regardless so would have done so anyway,” Pelz-Sharpe explained.

As for SignRequest, the company was founded in the Netherlands in 2014. Neither PitchBook nor Crunchbase has a record of it raising funds. The plan is for the company’s employees to join Box and help build the signature component that will become Box Sign. According to a message to customers on the company website, existing customers will have the opportunity over the next year to move to Box Sign, and get all of the other components of the Box platform.

Levie says the basic Box Sign function will be built into the platform at no additional charge, but there will be more advanced features coming that they could charge for. The deal is expected to close soon with the SignRequest team remaining in The Netherlands.

Granulate nabs $30M for software to optimize workloads and latency

Services like video streaming, gaming, media-intensive advertising and marketing technology are putting more strain on bandwidth and backend latency than ever before due to the surge of online traffic in the last year. But for most organizations in today’s usage-based cloud world, that can represent a huge cost in compute power — or a major investment in a company’s own latency technology — to try to address that.

This has created an opportunity for startups building optimization tools. Today, one called Granulate — which has built software for organizations to handle those loads more intelligently and cost-effectively — is announcing a round of funding after seeing a huge boost in business in the last 10 months, with customer growth up 360% and revenues growing 570%.

The Tel Aviv startup has picked up $30 million, a Series B, led by Red Dot Capital Partners, with previous backers Insight Partners, TLV Partners and Hetz Ventures, and new backer Dawn Capital, also participating.

The timing of this Series B speaks to the demand in the market right now: It comes on the back of Granulate closing a $12 million Series A only in April last year. Investors say that its business growth is what prompted them to re-up so soon.

“Granulate’s unique technology and impressive growth since their last funding round reflects a rising market demand for their game-changing optimization solution,” said Yaniv Stern, managing partner at Red Dot Capital Partners, in a statement. “For companies facing rising infrastructure costs or focusing on operating cost reduction, Granulate offers a solution that can drive additional improvement regardless of any other solutions already deployed by their clients.”

Granulate is not disclosing its valuation with this latest round, which brings the total raised by the startup to $45 million. 

The opportunity in the market that Granulate is targeting is the fact that media-heavy content, and services like e-commerce that rely on efficient responsiveness on sites and apps to keep people from abandoning their shopping carts, are all on the rise.

But as companies look to keep customers happy with better-quality services, they are also trying to keep an eye on margins and therefore want to keep infrastructure and computing costs low.

Granulate’s solution is software that sits at the server layer — either in the cloud or on-premises, as a customer prefers — that uses AI to detect workloads that a customer tags as important and prioritize them so that they work more efficiently. Granulate said that its software can improve response times by up to 40%, and throughput up to five times, while reducing costs by up to 60%. The company today has partnerships with AWS and Microsoft’s Azure and is in the “early stages” of talks with Google Cloud Platform.

Bigger tech companies like Netflix, Google and Amazon typically invest huge sums to build their own optimization technology, but it’s an area that smaller organizations (and you can still be huge while still being smaller than companies like Google) will not have the bandwidth — pun intended — to address in the same way.

“We are aware of similar things going on inside of Netflix as what we have built,” Asaf Ezra, co-founder and CEO of Granulate, said in an interview. “But to us, it’s a testament of how large you need to be to address this issue and the talent you need to hire to address the lowest-level issues.”

The company’s customers include at least one major retailer (which it can’t name), AppsFlyer, Period and PicsArt.

What will be interesting to watch is how the growth of 5G will affect the bigger problem: As Ezra notes, it will undoubtedly improve front-end latency.

“5G will not cannibalize Granulate,” he said. “In fact, when it becomes standard, the round trip time will be reduced for data, but the front end will be less of the ratio of the time, while the back-end latency will become more of the problem. 5G would solve only the access to your server, but not latency at the server itself.”

Longer term, it’s likely that Granulate will add more optimization and management solutions around those it already offers for latency, Ezra said, while also looking for ways to stand out apart from others in the same space. Competitors are in the process of some consolidation — witness Spot acquired by NetApp last June — so features based around a wider platform will likely be a key way to keep customers interested.

Polytomic announces $2.4M seed to move business data where it’s needed

There is so much data sitting inside companies these days, but getting data to the people who need it most remains a daunting challenge. Polytomic, a graduate of the Y Combinator Winter 2020 cohort, set out to solve that problem, and today the startup announced a $2.4 million seed.

Caffeinated Capital led the round with help from Bow Capital and a number of individual investors, including PlanGrid founders Tracy Young and Ralph Gootee. PlanGrid is the company where Polytomic founders CEO Ghalib Suleiman and CTO Nathan Yergler both previously worked.

“We synch internal data to business systems. You can imagine your sales team living in Salesforce and would like to see who’s using your product from your customer data that lives in other internal databases. We have a no-code web app that moves internal data to the business systems of the office,” Suleiman told me.

Data lives in silos across every company, and Polytomic lets you build the connectors by dragging and dropping components in the Polytomic interface. This new data then shows up as additional fields in the target application. So you might have a usage percentage field added to Salesforce automatically if you were connecting to customer usage data.

The company actually sells the product to business operations teams, who would be charged with setting up a catalogue or menu of data sources that live in Polytomic. This is usually handled by someone like a business analyst who can configure the different sources. Once that’s done, anyone can build connectors to these data sources by selecting them from the menu and then choosing where to deliver the data.

The founders came up with the idea for the company because when they were at PlanGrid, they faced a problem getting data to the people who needed it in the company. The problem became more pronounced as the company grew and they had ever more data and more employees who needed access to it.

They left PlanGrid in 2018 and launched Polytomic a year later to begin attacking the problem. The two founders joined YC as a way to learn to refine the product, and were still working on it on Demo Day, delivering their presentation off the record because they weren’t quite done with it yet.

They released the first iteration of the product last September and report some progress getting customers and gaining revenue. Early customers include Brex, ShipBob, Sourcegraph and Vanta.

The company has no additional employees beyond the two founders as of yet, but with the seed funding in the bank, they plan to begin hiring a few people this year.

Rocket.Chat raises $19M for its open-source approach to integrated enterprise messaging

Chat platforms like Slack have been game-changers when it comes to what business users want and expect out of their work communications. Today, a company that’s aiming to move the goalpost again with an integrated, open-source alternative is announcing some funding to fuel its growth.

Rocket.Chat, a startup and open-source-based platform of the same name used by banks, the U.S. Navy, NGOs and other organizations big and small to set up and run any variety of secure virtual communications services from one place — they can include not just team chat, but also customer service, collaboration platforms covering your staff and outside partners, school classrooms, conferences and more — has raised $19 million.

The company plans to use the funding both to continue adding customers and to expand the platform’s functionality, including more security features, a way to use the service over a federated blockchain architecture, apps for marketplaces, options for bots, more social media and omnichannel customer service integrations, and potentially facilities for virtual events.

As more business interactions have gone virtual, it has essentially opened the door for companies like Rocket.Chat that build virtual communications platforms to add an increasing number of features to what they do.

The Series A round of funding has four lead investors — Valor Capital Group, Greycroft, Monashees and NEA — with e.ventures, Graphene Ventures, ONEVC and DGF also participating. The Porto Alegre, Brazil-based startup (which is incorporated in Delaware) has now raised $27 million to date.

Rocket.Chat is not disclosing its valuation with this round, but it comes on the back of some significant growth in the last year. The startup now has 16 million registered users across 150 countries, with eight million of them monthly active users. Of that 16 million, 11.3 million users registered for the service in the past six months. It’s currently installed on some 845,000 servers, the company said, and has over 1,500 developers building on its platform.

Rocket.Chat’s funding and expanding business comes as part of a bigger focus overall for open-source platforms.

The promise of open source in the world of enterprise IT has been that it provides a platform to customise a service to fit with how the organization in question wants to use it, while at the same time providing tools to make sure it is robust enough in terms of security, extensibility and more for use in a business environment.

Over the years, it has become a big business opportunity, in line with organizations getting more sophisticated in terms of what they expect and need out of their IT services, where off-the-shelf apps may not always fit the bill.

Rocket.Chat positions itself as something of an all-in-one superstore for any and all communications needs, with organizations putting their own services together in whatever way works for their purposes.

It can either be hosted and managed by customers themselves, or used as a cloud-based SaaS, with its pricing ranging between free (for minimal, self-hosted services) to $4 per user per month, or higher, depending on which services customers want to have, whether it’s hosted and how much the platform is being used each month.

Image Credits: Rocket.Chat

As you can see in the mock-up here, its basic platform looks a little like Slack. But if you are using it for omnichannel communications for customer service, for example, you can build a platform within Rocket.Chat where you incorporate communications from any other platforms that might be used to communicate with customers.

Its work collaboration platform starts with Rocket.Chat’s basic chat interface, but also allows you to integrate alerts and links to other apps that you regularly use, as well as video calls and more. These and other functions built on Rocket.Chat can then be made to interact with each other — for example handing tickets off in customer service to internal tech support teams — or separately.

The idea is that by providing a version that can be hosted and managed by organizations themselves, it gives them more privacy and control over their electronic messaging.

Its thousands of customers reflect an interesting mix of the kinds of organizations that are looking for solutions that do just that.

Gabriel Engel, the CEO and founder, tells me the list includes several military and public sector organizations including the U.S. Navy, financial services companies like Credit Suisse and Citibank, as well as the likes of Cornell, Arizona State, UC Irvine, Bielefeld University and other educational institutions, and a number of other private companies. 

That flexibility does not always play to Rocket.Chat’s advantage, however. Controversially, it seems that the list also includes the other end of the spectrum of organizations that want to keep their messages limited to a very specific audience: Islamic State it turns out also hosts and runs a Rocket.Chat to disseminate messages.

Engel says that while this is not something that the company supports, and that it works with authorities to shut down users like these as much as it can, it’s a consequence of how the service was built:

“We are not able to track usage if they are running Rocket.Chat servers of their own,” he said. “There’s a reason why the U.S. Navy uses Rocket.Chat. And that’s because we cannot track and know what they’re doing. It’s isolated from any external influence, for better or worse.” He added that the company has policies so that if an illicit organization is using its SaaS version, these get taken down in cooperation with authorities. “But just as with Linux, if you download and run Rocket.Chat on your own computer, then obviously it’s out of our reach.”

Hearing about how a platform built with privacy by design can be abused, with seemingly little to be done about it, does seem to offset some of the benefits. The ethics of that predicament, and whether technology can ever solve it, or whether it will be up to government authorities to address, will continue to be a question not just for Rocket.Chat but for all of us.

In the meantime, investors are interested because of the alternative it provides to those groups that need it.

“In today’s environment, organizations must have a secure communication platform to engage teams internally, communicate with customers and partners externally, and connect with safe interest-based communities,” said Dylan Pearce, partner at Greycroft, in a statement. “Rocket.Chat’s world-class management team and open-source community lead the industry in innovation and provide a communications platform capable of serving every person on the planet.” 

Oyster snaps up $20M for its HR platform aimed at distributed workforces

The growth of remote working and managing workforces that are distributed well beyond the confines of a centralized physical office — or even a single country — has put a spotlight on the human resources technology that organizations use to help manage those people. Today, one of the HR startups that’s been seeing a surge of growth is announcing a round of funding to double down on its business.

Oyster, a startup and platform that helps companies through the process of hiring, onboarding and then providing contractors and full-time employees in the area of “knowledge work” with HR services like payroll, benefits and salary management, has closed a Series A round of $20 million.

The company is already working in 100 countries, and CEO Tony Jamous (who co-founded the company with Jack Mardack) said in an interview that the plan is to expand that list of markets, and also bring in new services, particularly to address the opportunity in emerging markets to hire more people.

Currently, Oyster does not cover candidate sourcing or any of the interviewing and evaluation process: those could be areas where it might build its own tech or partner to provide them as part of its one-stop shop. It has dabbled in virtual job fairs, as a pointer to one potential product that it might explore.

“There are 1.5 billion knowledge workers coming into the workforce in the next 10 years, mostly from emerging economies, while in developed economies there are some 90 million jobs unfilled,” Jamous said. “There are super powers you can gain from being globally distributed, but it poses a major challenge around HR and payroll.”

Emergence Capital, the B2B VC that has backed the likes of Zoom, Salesforce, Bill.com and our former sister site Crunchbase, is leading the funding. The Slack Fund (Slack’s strategic investment vehicle) and London firm Connect Ventures (which has previously backed the company at seed stage) are also participating. The investment will accelerate Oyster’s rapid growth, and support its mission of enabling people to work from anywhere.

Oyster’s valuation is not being disclosed. The startup has raised about $24 million to date.

One of the great ironies of the global health pandemic is that while our worlds have become much smaller — travel and even local activities have been drastically curtailed, and many of us spend day in, day out at home — the employment opportunity and scope of how organizations are expected to operate has become significantly bigger.

Public health-enforced remote working has led to companies de-coupling workers from offices, and that has opened the door to seeking out and working with the best talent, regardless of location.

This predicament may have become more acute in the last year, but it’s been one that has been gradually coming into focus for years, helped by trends in cloud computing and globalization. Jamous said that the idea for Oyster was something he had been thinking about for years, but it became more apparent when he was still at his previous startup, Nexmo — the cloud communications provider that was acquired by Vonage for $230 million in 2016.

“At Nexmo we wanted to be a great local employer. We were headquartered in two countries but wanted to have people everywhere,” he said. “We spent millions building employment infrastructure to do that, becoming knowledgeable about local laws in France, Korea and more countries.” He realized quickly that this was a highly inefficient way to work. “We weren’t ready for the complexity and diversity of issues that would come up.”

After he moved on from Nexmo and did some angel investing (he backs other distributed work juggernauts like Hopin, among others), he decided that he would try to tackle the workforce challenge as the focus of his next venture.

That was in mid-2019, pre-pandemic. It turned out that the timing was spot on, with every organization looking in the next year at ways to address their own distributed workforce challenges.

The emerging market focus, meanwhile, also has a direct link to Jamous himself: He left his home country of Lebanon to study in France when he was 17, and has essentially lived abroad since then. But as with many people who move from developed into emerging markets, he knew that the base of technical talent in his home country was something that was worth tapping and nurturing to help residents and the countries themselves improve their lots in life; and he thought he could use tech to help there, too.

Related to that wider social mission, Oyster has a pending application to become a B-Corporation.

Jamous is not the only one that has founded an HR company based on his personal experience: Turing’s founders have cited their own backgrounds growing up in India and working with people remotely from there as part of their own impetus for building Turing; and Remote’s founder hails from Europe but built GitLab (where he had been head of product) based on a similar premise of tapping into the talent he knew existed all around the world.

And indeed, Oyster is not alone in tackling this opportunity. The list of HR startups looking to be the ADPs of the world of distributed work include Deel, Remote, Hibob, Papaya Global, Personio, Factorial, Lattice, Turing and Rippling. And these are just some of the HR startups that have raised money in the last year; there are many, many more.

The attraction of Oyster seems to come in the simplicity of how the services are provided — you have options for contractors and full-timers, and full, larger staff deployments in other countries. You have options to add benefits for employees if you choose. And you have some tools to work out how hires fit into your bigger budgets, and also to guide you on remuneration in each local market. Pricing ranges from $29 per person, per month for contractors, to $399 for working with full employees, to other packages for larger deployments.

Oyster works with local partners to provide some aspects of these services, but it has built the technology to make the process seamless for the customer. As with other services, it essentially handles the employment and payroll as a local provider on behalf of its customers, but can do so under contract terms that reconcile both a company’s own policies and those of the local jurisdictions (which can differ widely between each other in areas like vacation time, redundancy terms, maternity leave and more).

“It has a few well-funded competitors, but that’s usually a good signal,” said Jason Green, the Emergence partner who led its investment. “But you want to bet on the horse that will lead the race, and that comes down to execution. Here, we are betting on a team that’s done it before, an entrepreneur experienced in building a company and selling it. Tony’s made money and knows how to build a business. But more than that, he’s mission driven and that will matter in the space, and to employees.”

Atlassian stops selling on-prem server licenses, adds new enterprise pricing tier

Atlassian has made it clear for some time that it’s all in on the cloud, but now it’s official. The company stopped selling new on-prem server licenses as of yesterday. Perhaps to take away the sting of that move for large organizations, today it announced a new all-inclusive enterprise pricing tier.

Atlassian chief revenue officer Cameron Deatsch says that previously the company had offered a free tier and then standard and premium-level paid tiers. “And now this cloud Enterprise Edition will be our highest tier, and what this will allow is for the most complex deployments, the largest customers who need unlimited scale, the customers that have all the security and regulatory requirements, data residency, you name it, — that is what we’re launching starting [today],” Deatsch told me.

What the enterprise tier delivers is unlimited instances across the Atlassian product line for each enterprise customer. That means a big company with multiple divisions could, for instance, have 20 instances of Jira and Confluence deployed with one for each division and a central management console.

While the company is supporting existing on-prem server customers until 2024, the idea is to now move them to the cloud and this offering should help. One thing we have clearly seen is that the pandemic has accelerated the move to the cloud by companies of every size, and this should encourage the company’s largest customers to make the move.

“The reality is, the demand was there, which was great to see, but we actually had this huge pipeline of our largest customers, basically trying to build their plan over the next couple of years to get to our cloud. The general availability of our Enterprise Edition is going to accelerate that even more,” he said.

It’s a move the company has been working toward for some time, but it really began to take shape when they shifted their operations to AWS and rebuilt the entire stack as a set of microservices beginning in 2016. This was the first step toward being able to handle the increased kinds of workloads an enterprise tier would require.

The company reported earnings at the end of last month with revenue of $501.4 million up 23% YoY with over 11,000 net new subscribers, a record for the company. The new enterprise tier won’t help with new customer volume, but it should help with overall revenue as more customers look for cloud solutions and pricing that meets their needs.

Adobe expands Acrobat Web, adds PDF text and image editing

For the longest time, Acrobat was Adobe’s flagship desktop app for working with — and especially editing — PDFs. In recent years, the company launched Acrobat on the web, but it was never quite as fully featured as the desktop version, and one capability a lot of users were looking for, editing text and images in PDFs, remained a desktop-only feature. That’s changing. With its latest update to Acrobat on the web, Adobe is bringing exactly this ability to its online service.

“[Acrobat Web] is strategically important to us because we have more and more people working in the browser,” Todd Gerber, Adobe’s VP for Document Cloud, told me. “Their day begins by logging into whether it’s G Suite or Microsoft Office 365. And so we want to be in all the surfaces where people are doing their work.” The team first launched the ability to create and convert PDFs, but as Gerber noted, it took a while to get to the point where being able to edit PDFs in a performant and real-time way was possible. “We could have done it earlier, but it wouldn’t have been up to the standards of being fast, nimble and quality.” He specifically noted that working with fonts was one of the more difficult problems the team faced in bringing this capability online.

He also noted that even though we tend to think of PDF as an Adobe format, it is an open standard and lots of third-party tools can create PDFs. That large ecosystem, with the potential for variations between implementations, also makes it more difficult to offer editing capabilities for Adobe.

With today’s launch, Adobe is also introducing a couple of additional browser-based features: protecting PDFs, splitting them into two and merging multiple PDFs. In addition, after working with Google last year to offer a handful of Acrobat shortcuts using the .new domain, Adobe is now launching a set of new shortcuts like EditPDF.new. The company plans to roll out more of these over the course of the next year.

In total, Adobe says, the company saw about 10 million clicks on its existing shortcuts, which just goes to show how many people try to convert or sign PDFs every day.

As Gerber noted, a lot of potential users don’t necessarily think of Acrobat first. Instead, what they want to do is compress a PDF or convert it. Acrobat Web and the .new domains help the company bring a new audience to the platform, he believes. “It’s unlocking a new audience for us that didn’t initially think of Adobe. They think about PDFs, they think about what they need to do with them,” he said. “So it’s allowing us to expand our customer base by being relevant in the way that they’re looking to discover and ultimately transact. Our journey with Acrobat web actually started with that notion: let’s go after the non-branded searches.”

Adobe, of course, funnels to the Acrobat desktop app all branded searches where users are explicitly looking for Acrobat, but for the more casual user, it brings them to Acrobat Web where they can easily perform whatever action they came for without even signing up for the service.

What Andy Jassy’s promotion to Amazon CEO could mean for AWS

Blockbuster news struck late this afternoon when Amazon announced that Jeff Bezos would be stepping back as CEO of Amazon, the company he built from a business in his garage to worldwide behemoth. As he takes on the role of executive chairman, his replacement will be none other than AWS CEO Andy Jassy.

With Jassy moving into his new role at the company, the immediate question is who replaces him to run AWS. Let the games begin. Among the names being tossed about in the rumor mill are Peter DeSantis, vice president of global infrastructure at AWS and Matt Garman, who is vice president of sales and marketing. Both are members of Bezos’ elite executive team known as the S-team and either would make sense as Jassy’s successor. Nobody knows for sure though, and it could be any number of people inside the organization, or even someone from outside. Amazon was not ready to comment on a successor yet with the hand-off still months away.

Holger Mueller, a senior analyst at Constellation Research, says that Jassy is being rewarded for doing a stellar job raising AWS from a tiny side business to one on a $50 billion run rate. “On the finance side it makes sense to appoint an executive who intimately knows Amazon’s most profitable business, that operates in more competitive markets. [Appointing Jassy] ensures that the new Amazon CEO does not break the ‘golden goose’,” Mueller told me.

Alex Smith, VP of channels, who covers the cloud infrastructure market at analyst firm Canalys, says the writing has been on the wall that a transition was in the works. “This move has been coming for some time. Jassy is the second most public-facing figure at Amazon and has led one of its most successful business units. Bezos can go out on a high and focus on his many other ventures,” Smith said.

Smith adds that this move should enhance AWS’s place in the organization. “I think this is more of an AWS gain, in terms of its increasing strategic importance to Amazon going forward, rather than loss in terms of losing Andy as direct lead. I expect he’ll remain close to that organization.”

Ed Anderson, a Gartner analyst, also sees Jassy as the obvious choice to take over for Bezos. “Amazon is a company driven by technology innovation, something Andy has been doing at AWS for many years now. Also, it’s worth noting that Andy Jassy has an impressive track record of building and running a very large business. Under Andy’s leadership, AWS has grown to be one of the biggest technology companies in the world and one of the most impactful in defining what the future of computing will be,” Anderson said.

In the company earnings report released today, AWS came in at $12.74 billion for the quarter, up 28% YoY from $9.6 billion a year ago. That puts the company on an elite $50 billion run rate. No other cloud infrastructure vendor, even the mighty Microsoft, is even close in this category. Microsoft stands at around 20% market share compared to AWS’s approximately 33% market share.

It’s unclear what impact the executive shuffle will have on the company at large or AWS in particular. In some ways it feels like when Larry Ellison stepped down as CEO of Oracle in 2014 to take on the exact same executive chairman role. While Safra Catz and Mark Hurd took over as co-CEOs in that situation, Ellison has remained intimately involved with the company he helped found. It’s reasonable to assume that Bezos will do the same.

With Jassy, the company is getting a man who has risen through the ranks since joining the company in 1997 after getting an undergraduate degree and an MBA from Harvard. In 2002 he became VP/technical assistant, working directly under Bezos. It was in this role that he began to see the need for a set of common web services for Amazon developers to use. This idea grew into AWS, and Jassy became a VP at the fledgling division, working his way up until he was appointed CEO in 2016.

‘ValidCC,’ a Major Payment Card Bazaar and Looter of E-Commerce Sites, Shuttered

ValidCC, a dark web bazaar run by a cybercrime group that for more than six years hacked online merchants and sold stolen payment card data, abruptly closed up shop last week. The proprietors of the popular store said their servers were seized as part of a coordinated law enforcement operation designed to disconnect and confiscate its infrastructure.

[Image: ValidCC, circa 2017.]

There are dozens of online shops that sell so-called “card not present” (CNP) payment card data stolen from e-commerce stores, but most source the data from other criminals. In contrast, researchers say ValidCC was actively involved in hacking and pillaging hundreds of online merchants — seeding the sites with hidden card-skimming code that siphoned personal and financial information as customers went through the checkout process.

Russian cybersecurity firm Group-IB published a report last year detailing the activities of ValidCC, noting the gang behind the crime shop was responsible for plundering nearly 700 e-commerce sites. Group-IB dubbed the gang “UltraRank,” which it said had additionally compromised at least 13 third-party suppliers whose software components are used by countless online stores across Europe, Asia, North and Latin America.

Group-IB believes UltraRank is responsible for a slew of hacks that other security firms previously attributed to at least three distinct cybercrime groups.

“Over five years… UltraRank changed its infrastructure and malicious code on numerous occasions, as a result of which cybersecurity experts would wrongly attribute its attacks to other threat actors,” Group-IB wrote. “UltraRank combined attacks on single targets with supply chain attacks.”

ValidCC’s front man on multiple forums — a cybercriminal who uses the hacker handle “SPR” — told customers on Jan. 28 that the shop would close for good following what appeared to be a law enforcement takedown of its operations. SPR claims his site lost access to a significant inventory — more than 600,000 unsold stolen payment card accounts.

“As a result, we lost the proxy and destination backup servers,” SPR explained. “Besides, now it’s impossible to open and decrypt the backend. The database is in the hands of the police, but it’s encrypted.”

ValidCC had thousands of users, some of whom held significant balances of bitcoin stored in the shop when it ceased operations. SPR claims the site took in approximately $100,000 worth of virtual currency deposits each day from customers.

Many of those customers took to the various crime forums where the shop has a presence to voice suspicions that the proprietors had simply decided to walk away with their money at a time when Bitcoin was near record-high price levels.

SPR countered that ValidCC couldn’t return balances because it no longer had access to its own ledgers.

“We don’t know anything!” SPR pleaded. “We don’t know users’ balances, or your account logins or passwords, or the [credit cards] you purchased, or anything else! You are free to think what you want, but our team has never conned or let anyone down since the beginning of our operations! Nobody would abandon a dairy cow and let it die in the field! We did not take this decision lightly!”

Group-IB said ValidCC was one of many cybercrime shops that stored some or all of its operational components at Media Land LLC, a major “bulletproof hosting” provider that supports a vast array of phishing sites, cybercrime forums and malware download servers.

Assuming SPR’s claims are truthful, it could be that law enforcement agencies targeted portions of Media Land’s digital infrastructure in some sort of coordinated action. However, so far there are no signs of any major uproar in the cybercrime underground directed at Yalishanda, the nickname used by the longtime proprietor of Media Land.

ValidCC’s demise comes close on the heels of the shuttering of Joker’s Stash, by some accounts the largest underground shop for selling stolen credit card and identity data. On Dec. 16, 2020, several of Joker’s long-held domains began displaying notices that the sites had been seized by the U.S. Department of Justice and Interpol. Less than a month later, Joker announced he was closing the shop permanently.

And last week, authorities across Europe seized control over dozens of servers used to operate Emotet, a prolific malware strain and cybercrime-as-a-service operation. While there are no indications that the action targeted any criminal groups apart from the Emotet gang, it is often the case that multiple cybercrime groups will share the same dodgy digital infrastructure providers, knowingly or unwittingly.

Gemini Advisory, a New York-based firm that closely monitors cybercriminal stores, said ValidCC’s administrators recently began recruiting stolen card data resellers who previously had sold their wares to Joker’s Stash.

Stas Alforov, Gemini’s director of research and development, said other card shops will quickly move in to capture the customers and suppliers who frequented ValidCC.

“There are still a bunch of other shops out there,” Alforov said. “There’s enough tier one shops out there that sell card-not-present data that haven’t dropped a beat and have even picked up volumes.”

Taking a Realistic View of Cyber Security Requirements for Digital Providers

A guest post by MrR3b00t, aka pwndefend’s Daniel Card

In today’s rapidly evolving cybersecurity landscape, it seems that barely a day goes by without news of a new breach notification, from minor to major incidents, affecting organizations of all shapes and sizes. In the not-too-distant past (think early 2000s), most organizations stood up a perimeter firewall, deployed some antivirus and thought that rotating passwords every 30 days was enough to protect them. Since then, technology has been deployed at an ever-increasing pace, threat actors have become more sophisticated, and regulations and compliance have become increasingly mandatory.

On top of that, due to the dominance of internet connectivity in modern-day commerce and the provision of online services, many businesses have become digital providers, and that adds a whole extra dimension to their cybersecurity management and practices. Such businesses are not only primary targets for all kinds of data theft threats, including ransomware, but are also subject to increasing scrutiny by both customers and regulators.

It’s no surprise, then, that even well-resourced organizations find it difficult to keep up with security management and compliance requirements for modern service providers. And if you’re just starting out, trying to evaluate where you are and what you need to do to get up to speed, before either the bad guys (threat actors) or the good guys (regulators, assurance tests) catch up with you, can be a daunting task.

In this post, we look at what an organization that hasn’t really considered security until now (for whatever reason) can do to help itself not only increase its security posture but also prepare for a customer conducting some level of cyber assurance review on the organization. If you have yet to invest time or resources, do not have processes and procedures in place, and/or have a massive gap in your documentation, you will likely get a very hard time during and following an audit. It’s time to put this right!

What is the Nature of Your Business?

If you are a shoe repair business that has a mainly non-digital service, your requirements will likely be low. The same can be said for a range of other organization types. However, let’s look at the type of organizations that are likely or certainly going to have compliance and audit requirements:

  • Independent Software Vendors
  • Cloud Services Providers (IaaS/PaaS)
  • Software as a Service Providers (SaaS)
  • Hosting Companies
  • Managed Services Providers (MSP)
  • Services forming part of the supply chain to government digital services
  • Services forming part of the supply chain to healthcare services
  • Services forming part of the supply chain to CNI
  • Businesses where sensitive data are being controlled or processed at volume
  • Financial Related Services
  • Payment Services Provider
  • E-Commerce Trader
  • Pension Services
  • Any regulated industry

The key differentiator here is whether you are providing and operating a service for your customers. If you are providing an advisory service, or your digital footprint and data processing levels are low, you will likely be able to manage by achieving something like the UK’s Cyber Essentials or equivalent.

If you write software or host services (e.g. SaaS), then you need to have security management in your business plans. That’s not me saying it, that’s markets demanding it. The old days of HR buying a service because they “like the look of it” still exist, but they are on their way out. Organizations are waking up to their digital security obligations (there are legal requirements – this isn’t a matter of choice) as well as the shifting marketplace forces which are now insisting providers operate services securely and with privacy at the forefront.

Four Simple Questions for Rapid Assessment

  • Would You or Could You Pass Cyber Essentials/Cyber Essentials Plus?
    If the answer is “no” then you need to pull your socks up (there’s a security pun in here somewhere). No, seriously. This is where you start as a bare minimum.
  • Do You Meet the Standards Required for PCI DSS?
    This is obviously quite complex as there are different levels and standards, but the acid test here is would you meet the lower bar for PCI compliance e.g., SAQ A?
  • Would You Pass ISO/IEC 27001:2013?
    Remember that for ISO/IEC 27001:2013, you will need to show ~ 3 months’ worth of evidence that you practise what your documents say. Whilst you could likely game this part (a bit like using a non-ACAS approved accreditation body), never forget this is your business and your customers that you are short changing in the long run.
  • Would You Pass a SOC2 Audit?
    Not for the faint hearted, these audits require substantial investments. This means they should form part of your business plan and not just be tacked on.

So What Does a Security Audit Look Like?

The first thing with any scenario is taking stock. If you have managed to conduct business so far without the beady eye of third party audits and security assurance activities, then your margins were probably healthy. At some point, a customer is going to ask for assurance and due diligence information. For many organizations, this is a prerequisite to their doing business with you at all.

This will generally flow like this:

  • open source intelligence gathering by the customer
  • a request for a Self-Assessment Review / Due Diligence Form
  • more detailed evidence requests
  • third-party audit
  • customer audit

Now depending upon the nature of the business, there may be a range of different activities. I can speak from my experience with supply management that this is how I operate:

  • I assess the services and the risk level for the business
  • I determine a likely assurance level
  • I conduct due diligence exercises
  • If red flags are raised, I generally move further down the assurance level route

As someone who has conducted, and still conducts, assurance activities for customers looking to review their supply chain risk, I can only talk based on my experience; however, I can say this:

  • If I can’t find details about your security management capabilities and certifications on your website, I dig further.
  • If you evade or refuse to share documents such as change management policies/processes etc, I dig further.
  • If you try to hide behind “we can’t share policies or processes due to security”, I raise another red flag.
  • If you don’t have documentation or can’t reasonably rapidly provide evidence, then I consider, as a rule, that you don’t manage risk and security to a reasonable level.

I must also add that willingness goes a long way. If you don’t have the relevant certifications, standards, and capabilities today, that’s not to say you can’t achieve them. Honesty and integrity go a long way in my book.

That’s a view of how it works from a practitioner’s perspective. You must remember, though, that it all depends on the nature, sensitivity and risk level of the services being provided or sought. Assurance efforts should be scaled appropriately to the level of risk the contract or service carries.

Conclusion

When assessing cyber security management and compliance requirements, you need to look not only at your business risk and model but also at your customers and make informed decisions about how you can provide assurance, not only to your board but also to your customers.

Managing cyber security for non-micro businesses that control and/or process customer data, or provide managed or hosted services, means you will almost certainly need more than a note saying you think your services are secure if you want to do business with larger organizations.

Hopefully, this post helps people understand a bit more about the assurance space. Cyber security management is a business challenge and capability; it’s not just a technical thing!
