Interview: Shlomo Kramer

Feature by Paul Fisher

The serial company founder and SC's CEO of the Year tells Paul Fisher why he knew all along that data-centric security was the future

We are on the top floor of the Mandarin Oriental hotel in Knightsbridge. Shlomo Kramer's imposing frame is supported by a sofa in the middle of the living area of the suite, which seemingly meets his approval. He likes the view. Looking through the windows and out over Hyde Park, Kramer asks if there is much fun to be had there - he is bringing his family over for Passover, he says, and is looking for activities for the kids. I can only think of horse riding and the children's playground, probably not what he had in mind. The suggestion is duly noted - with just an "OK". I feel I should have come up with some better ideas.

You see, Kramer is one of the industry's "faces". In 2006 he was named one of the top 20 people who changed networking by Network World magazine. Together with Gil Shwed and Marius Nacht he created Check Point and, with them, won the Israeli Prime Minister's Award for Computer Software when the company they founded in his grandmother's apartment was only four years old.

Nine years on and Check Point was one of the world's leading security companies, publicly traded and nicely profitable. But building one great business was obviously not enough for Kramer and, in 2002, he left to bring the world his new baby, Imperva. Why not just sit back and watch Check Point grow further?

"I really like building things. I enjoy the process of taking an idea I believe in and turning it into market reality," Kramer says. "The last six years with Imperva have been fantastic. There are a lot of sacrifices involved, especially when your family lives in Israel and you travel all around the world, but it's still worth it. Just the experience of building it and knowing that you are defining the landscape of security."

This is entrepreneurial stuff. While most of us can only dream of the fortune that Kramer has already amassed, like so many other tech creators his focus is on the creation of companies and the development of products he believes in. He has interests in several other Israeli startups. Wealth is, in the end, just a rather pleasant side effect of all this activity.

"Being an entrepreneur is all about, on the one hand, trusting yourself and saying: 'what's out there is wrong and what I'm doing is right', but also not being too full of yourself," explains Kramer. "If you're a young entrepreneur, you don't know everything, and you can't invent everything, you can't re-invent all the wheels - just invent one new wheel and accept the others," he says. "So you still need to be a system person, a bit of a rebel and maintain that balance to create something powerful." Sounds easy.

Imperva is already a global company, he says, with 170 employees in 11 countries. The HQ is, of course, in Israel, with the marketing functions centred on Silicon Valley. Few would bet against Imperva emulating the success of Check Point anyway, but this time Kramer is gambling that the world is moving to Imperva's raison d'être - data-centric security - and he thinks he's got a six-year head start on the competition.

"When we started in 2002, not much of the market understood what we were doing. Data security was seen as far-fetched because everybody was talking about worms and broad attacks," he says. "Today data-centric security is emerging as a recognised category."

Yes, but the information security business is prone to cyclical shifts in thinking, new marketing concepts and trends, old technology in new acronyms. What's really different about the data-centric approach?

Kramer uses PCI to illustrate: "To become PCI-compliant you need to do various things across the entire data centre. You need to have a database activity monitoring solution, you need to have a web application firewall etc. But the bottom line is: 'I've got the credit-card details, what do I have to do in order to protect them?' We need to shift from the infrastructure approach.

"PCI compliance is at the epicentre of what we are doing. It's a total validation of our mission, but PCI is just the tip of the iceberg," he continues. "You have to ask yourself: why just protect credit-card data, what's special about it? There will be other types of security regulation. What you need to do is not unique to credit cards, you can take that and apply it to patient information, or financial information, or just general corporate intellectual property."

In the midst of all this he mentions the firewall, but isn't he now more famous for saying the firewall is dead? "No," he insists, "what I'm saying is that the network firewall is far from being enough. It doesn't address the really new challenges around security, the targeted attacks on your data, on your business processes, the fact that your internal privileged users have a lot of temptation to steal data and sell it on the black market. And the fact that regulation requires you to have visibility in controlling two levels of your business has nothing to do with the network firewall."

He explains that over the past 15 years, security has moved off the network plane and much closer to the business and to the data itself. Many would agree - so how far is the customer base buying into the new approach? Kramer brings out the statistics to make his case.

"We have more than 400 customers worldwide. We grew 100 per cent last year. We are definitely ahead of all the competition. We are the only ones that provide the broader solution," he claims. Then, in a subtle dig at the analyst community, and perhaps some of his rivals, he says he wants the "thought leaders" to catch up with his enlightened customers.

Well what kind of enlightenment is he talking about? "We monitor the access to the database, we monitor the access to the data on the network. And, by monitoring real traffic, we build a model that says you are, for example, the marketing analyst of the organisation. You access the database as a user of these applications at these times of day; you use these areas, these tables in the database, doing these operations. If one day, in the middle of the night, you go with a different application and pull all the credit cards off the database, completely different area of information, then this is a violation of your data scope, so this will be alerted and probably blocked."
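The monitoring Kramer describes is a baseline-and-deviation model: learn, per user, which applications, hours of day, tables and operations are normal, then alert or block when a request falls outside that "data scope". The following is an added illustration of that logic, not Imperva's code. The pipe-delimited log format, the field names, the user and table names, the blocking policy and the 10x bulk-extraction threshold are all assumptions, and every log line is constructed for the example.

```python
"""Data-scope baseline detector (added example; not Imperva's code).

Learns, per user, which applications, hours, tables and operations appear in
a training window of database access records, then classifies new records as
allow / alert / block when they fall outside that learned scope. The log
format, field names and thresholds are assumptions; all lines are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed training log. Format (assumed): timestamp|user|application|table|operation|rows
BASELINE_LOG = """\
2008-03-10T09:12:00|analyst01|crm_dashboard|campaigns|SELECT|120
2008-03-10T10:40:00|analyst01|crm_dashboard|leads|SELECT|430
2008-03-10T14:05:00|analyst01|crm_dashboard|campaigns|SELECT|88
2008-03-11T11:30:00|analyst01|crm_dashboard|leads|SELECT|510
2008-03-11T16:20:00|analyst01|crm_dashboard|campaigns|SELECT|95
2008-03-10T09:00:00|billing_svc|billing_batch|credit_cards|SELECT|20000
2008-03-11T09:00:00|billing_svc|billing_batch|credit_cards|SELECT|21000
"""


@dataclass(frozen=True)
class AccessEvent:
    user: str
    application: str
    hour: int        # hour of day, 0-23, taken from the timestamp
    table: str
    operation: str   # SELECT / INSERT / UPDATE / DELETE
    rows: int        # rows returned or affected


@dataclass
class Profile:
    """What has been observed as normal for one user."""
    applications: set = field(default_factory=set)
    hours: set = field(default_factory=set)
    tables: set = field(default_factory=set)
    operations: set = field(default_factory=set)
    max_rows: int = 0


def parse_line(line):
    ts, user, app, table, op, rows = line.strip().split("|")
    return AccessEvent(user, app, int(ts[11:13]), table, op, int(rows))


def build_profiles(lines):
    """Learn one Profile per user from the training lines."""
    profiles = defaultdict(Profile)
    for line in lines:
        if not line.strip():
            continue
        e = parse_line(line)
        p = profiles[e.user]
        p.applications.add(e.application)
        p.hours.add(e.hour)
        p.tables.add(e.table)
        p.operations.add(e.operation)
        p.max_rows = max(p.max_rows, e.rows)
    return dict(profiles)


def evaluate(event, profiles, bulk_factor=10):
    """Classify one event against its user's learned scope.

    Returns (decision, reasons). Policy (an assumption for this example):
    an unknown user, a table outside the user's scope, or a pull more than
    bulk_factor times the user's historical maximum is blocked; any other
    deviation (new application, unusual hour, new operation) only alerts.
    """
    p = profiles.get(event.user)
    if p is None:
        return "block", ["no baseline for user"]
    reasons, block = [], False
    if event.application not in p.applications:
        reasons.append(f"application {event.application} not in profile")
    if event.hour not in p.hours:
        reasons.append(f"hour {event.hour:02d} outside usual hours")
    if event.operation not in p.operations:
        reasons.append(f"operation {event.operation} not in profile")
    if event.table not in p.tables:
        reasons.append(f"table {event.table} outside data scope")
        block = True
    if event.rows > bulk_factor * p.max_rows:
        reasons.append(f"{event.rows} rows exceeds {bulk_factor}x historical max {p.max_rows}")
        block = True
    if block:
        return "block", reasons
    return ("alert", reasons) if reasons else ("allow", reasons)


def run(baseline_log, new_lines):
    """Train on baseline_log, then return (line, decision, reasons) for each new line."""
    profiles = build_profiles(baseline_log.splitlines())
    return [(line, *evaluate(parse_line(line), profiles)) for line in new_lines]


if __name__ == "__main__":
    # Constructed events: a normal daytime query, and the night-time bulk pull
    # of credit cards through a different tool that the passage describes.
    new_lines = [
        "2008-03-12T10:15:00|analyst01|crm_dashboard|leads|SELECT|200",
        "2008-03-12T02:41:00|analyst01|sqlplus|credit_cards|SELECT|250000",
    ]
    for line, decision, reasons in run(BASELINE_LOG, new_lines):
        print(decision.upper(), line, "; ".join(reasons))
```

The night-time event trips four independent deviations at once (different application, unusual hour, out-of-scope table, volume far above the user's maximum), which is what makes it a confident block rather than a noisy alert; a single mild deviation, such as the same dashboard query at 19:00, only alerts. A real deployment would also need a training window long enough to capture legitimate periodic work (month-end runs, on-call hours) before enforcement is switched on.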

So it's more about control and the flow of data, but what about protecting data from malware and corruption? I suggest that, at the moment, we seem to be almost at the point where security professionals are starting to say, we can't do it; the old approach isn't working anymore. Kramer has a surprising take on this: yes they're right, he thinks, we've failed but so what?

He reveals that he is an investor in a company called Trusteer, which turns accepted anti-malware practice on its head. Instead of trying to clean viruses and malware off your computer, you simply don't bother. "There are simply too many of them, it's unmanageable. You're just piling additional negative logic onto negative logic; it's not going anywhere," he states. "So, there's a new approach that says: 'we'll assume your computer is contaminated, it has bad stuff on it and, even though it does, we will enable you to do secure transactions using that computer.' This then is the positive logic that ensures you work securely."

But isn't that kind of like saying the malware writers can do what they like ... Kramer cuts in: "But this is a secure channel, it's almost like SSL, somebody can try to tap the network and eavesdrop, but I have a secure channel that is encrypted and nobody can penetrate that. So I've got this secure channel between me and my online banking application, so even if there is malware on the computer it can't penetrate that channel," he says.

That, of course, is a solution for a specific application: consumers looking to connect securely with their banks. But how far does this theory extend into other business applications? In an interview with Red Herring, a US tech magazine for the VC community, Kramer said that encryption was only useful at the database layer. What did he mean?

"Encryption is excellent if your laptop is stolen. But to use it to control access to data has, over the years, proved to be an ineffective, complex and very expensive method and, quite simply, we don't see organisations doing that anymore. Encryption is a nice word; it has this 'if it's encrypted it's secure and all my problems are solved' feeling attached to it. But it's not a silver bullet. You really need to understand what it is good for and what it isn't. And it just so happens that it is not good for access control," he explains.

One event that separates the tech men from the boys is a recession; something the sages of Wall Street say is pretty much underway in the US. Is Kramer aware that customers are cutting back on spending as belts are tightened? His answer is not altogether reassuring.

"First of all, there are two things: what people are saying and what they are doing. We are not feeling any slowdown - a quarter of our business is in the financial sector and insurance, and that's going very well," he says.

"Yet, when I talk with IT executives, they all tell me they are going to cut the IT budget by 15 per cent, back to 2005 levels. But in the same sentence they are saying they need to protect the infrastructure. So, I'm not sure how much of it really addresses our category. That said, we are being very careful and continuing to monitor the market situation. But for now, everything is going great," he claims.

Well, he would say that, but Kramer's record proves he is smart enough to know that those who survive a slowdown are those who think ahead. And smart enough to act on that thinking. And so he is already looking beyond the data centre and to what he calls the third element of data protection: outside the organisation and in the cloud.

"I think data lifecycle management (DLM) got a very bad reputation over the years," he says. "It was implemented using heavy enterprise systems, centred within the organisation. But DLM will be the third generation of security now, with actual securities built into the data itself." And Kramer does, of course, have "some companies working on some novel solutions" for the next generation of DLM.

He doesn't envisage an end to innovation or an end to what he calls the arms race with the hackers. Unlike many, he does not see much degree of so-called maturity. Nor do you sense that he would seek such a state of affairs. Instead he relishes the years ahead.

"This is not the car industry, right? This is an industry that's constantly being challenged. It's like the Red Queen's Race, where you have to run as fast as you can, just to stay in the same place," he says, referring to the evolutionary and economic theories that take their name from Lewis Carroll's Alice books.

So it's tough out there and likely to get tougher. But Kramer's no wallflower. His will be a presence to be reckoned with. If that means taking on his former partners at Check Point, then so be it. "I don't know how they feel about it, but I don't think about us as competitors. We've got hundreds of opportunities in the pipeline, and almost all of them have a competitor. Some of them are much bigger companies, F5 or Citrix for example. So, in a very practical way, I can't call Check Point a competitor. But it's very subjective; perhaps they view us as a competitor ... " he muses.
