Recently, we interviewed Haseeb Budhani, Co-founder of Soha Systems, and discussed their state of the union. Soha Systems is a B2B cloud security start-up introducing a new business model to our Ecosystem. IDC refers to them as a “Cloud DMZ”. In our world, they have some commonality with Aryaka Networks in that they focus on the B2B application environment, but have a strong focus on cloud security. Soha is the first line of defense for companies that have a remote workforce accessing backend applications, such as Oracle eBusiness, SAP, Intranets, SharePoint, and so on. They are the first company in the Ecosystem to focus on this specific area, and have a dozen-plus customers to show for it. We would like to give the Soha execs a big thanks for the interview.
How did you come up with the idea for Soha Systems?
Two critical things had to fall in place for Soha Systems to come together. First the idea: Both Hemanth (my co-founder and the company’s VP of Engineering) and I had independently been thinking about a seamless way to deliver application security to enterprises, particularly when apps are deployed in public cloud environments such as AWS and Azure. Hemanth and I hypothesized that in this age of agile application deployment in a mix of environments (public and private), the following must be true:
- Product must be so easy to evaluate that prospective users can experience its value within minutes.
- An evaluation exercise in a customer’s environment should require ZERO changes to a) the application, b) the end user’s device, and c) the network.
- One must provide a solution as a service and not as an appliance. Customers would much rather leverage a service instead of building out complex perimeters in each application environment.
We then spent a fair bit of time studying how application teams deploy their code onto public and private cloud platforms and how they enable access to employees, partners and customers. In the process, we identified a unique approach to building application specific perimeters that meets our initial set of requirements and delivers considerable value to enterprises of all sizes.
Then the team: We were lucky enough to convince a number of extremely competent engineers who agreed with our vision and wanted to build a scalable, reliable service that would deliver security to users who have typically shied away from delving into complex security feature sets. The fact that in less than 2 years, we have a) already carried out 10+ dot releases after our GA, and b) have built such a comprehensive feature set (with lots more to come) is a testament to the strength of this extremely impressive team.
What kind of security model and features do you provide?
IDC refers to our service as a Cloud DMZ. At its core, our service keeps the bad guys out of, and lets the good guys into, applications deployed in both private and public clouds.
In addition to acting as an always-on perimeter for applications, we have developed a number of features that enable our customers to leverage our service instead of VPN gateways, Application Delivery Controllers (ADCs), AAA gateways, WAN Optimization Controllers (WOCs) and more, depending on their application set.
Let’s take the example of a customer with a critical ERP application that is being used by thousands of sales and operations professionals across the US. This customer can leverage the Soha Cloud to achieve the following:
- Enable customers to completely lock down their network from all external attacks – no more inbound firewall rules needed
- Ensure that engineers working for partner companies have no access to the network but only receive access to Jenkins
- Deliver this trusted path to partner engineers without making any changes to the network (no public IPs, no inbound firewall rules, no network segmentation, etc.) or to the end users’ devices.
- Partner engineers can be authenticated by Soha Cloud (against SAML IDPs, AD, OAuth, etc.) before a single request from the end user’s device is allowed to hit Jenkins
- An optional Multi-Factor Authentication (MFA) feature is available to further validate the identity of the user
- The customer can also choose to use the Server Load Balancing (SLB) feature built into the Soha Cloud to distribute user traffic across multiple application frontends
- Monitor all user activity in a single location without worrying about adding network taps in a variety of locations in their network
There are a number of other services built into the system, such as WAN optimization and granular access control, which our customers can leverage to build out a secure application delivery infrastructure. Because our service is super easy to use and can be deployed to protect enterprise applications in minutes, customers can now leverage Soha Cloud instead of building out complex DMZs in multiple locations. This is a net-new paradigm and will, over time, enable enterprises to leverage a variety of services, such as Content Delivery Networks (CDNs), without making massive changes to their networks or their apps.
Do you work more with Intranet environments?
Intranet applications are certainly where we initially saw a fair bit of customer interest. In addition, we have been pulled into a number of other employee and partner use cases that cover a wide variety of the application spectrum. Interestingly, we have a mix of mid-to-large enterprises and startups that are leveraging Soha Cloud for better application security and access. A sub-set of our happy customers are listed on our website.
Do you have PoPs across a range of geographies?
Till very recently, we were US focused and only maintained PoPs in the continental US. More recently, we are getting some interest in locations such as China and are working towards rolling out new locations in the near term.
Is Soha Networks similar to B2B Player Aryaka?
Although Aryaka is focused on the enterprise application delivery problem, they are focused on the CDN angle with respect to ensuring a superior user experience for enterprise users worldwide. In effect, Aryaka’s solution (and others like it) focuses on being as close to the user as possible so that user traffic can be delivered over an optimized network to wherever the applications happen to be.
We happen to provide an entirely complementary offering. We are helping customers build out a unified and turnkey security perimeter (a DMZ) for their application infrastructure in both private and public clouds. Even when leveraging a CDN, customers still have to build security around their applications so that only good guys are getting into critical applications and applications are highly available. The biggest attraction for our customers is that not only does our service provide them with a highly secure and trusted path between known users on the Internet and their applications, they can also rely on our service to authenticate and authorize users before they are allowed to interact with their application.
Do you also provide enterprise access to a Salesforce?
We are not focused on securing access to SaaS applications by enterprise users. However, a number of SaaS companies rely on our service to protect their applications from bad guys on the Internet. Soha Cloud can help companies securely deliver applications to a wide variety of constituents without being bogged down by complex, old-school tools that do a poor job of improving security postures while costing significant time and money.
Do you do authentication and identity access management?
One of the integral features we offer to our customers today is authentication integrations and simplified authorization policy provisioning. By virtue of the fact that our service behaves as the application’s perimeter, we are able to first identify the user attempting to access a given application and then continue to ensure that all access activity meets configured policies. Our early customers recognized the value of our core architecture and agreed that our path to delivering not only a secure path, but also critical features such as authentication proxying, policy enforcement, etc., would make our service more valuable to them.
To be clear, we add a number of other features and view authentication and authorization as critical features that are needed to secure application access. We also provide TCP optimization and compression services because we believe that end user experience is a critical metric for solution adoption. We also provide SLB services so that customers can scale their internal applications easily, or remove points of failure at the server infrastructure level.
Do you provide application delivery functionality?
Absolutely. Our core premise is that traditional application models are broken and our unique architecture not only makes application environments more secure, it also enables a significantly simpler model for application delivery.
This is another hybrid model, similar to CDNs, for instance Aryaka but with a different twist. Do you see yourself evolving as you talk to more customers?
We exist to simplify the application perimeter. Our goal is to continue to add features that make it easier for our customers to secure user interactions with applications in public and private clouds. Our product roadmap incorporates a number of security features that our customers expect to have available in their DMZs. The best part about having a number of happy customers is that it becomes quite easy to figure out what features to build next.
Given our focus, our solution is quite complementary to CDNs. In some respects, CDNs are focused on getting as close to the user as possible and delivering a secure and fast access experience. We, on the other hand, are focused on helping our customers deploy trusted paths to applications deployed in public or private clouds, while ensuring complete user access control, server load balancing and monitoring.
How do you price your product? Is it by platform price, bandwidth or by user?
We presently price out our solution along three vectors:
- We charge by the number of distinct networks where applications are deployed (e.g. a data center or a virtual private cloud)
- We charge by blocks of authorized users on a monthly or annual basis
- We charge by feature buckets. The per-user recurring price changes based on whether the customer prefers features available in our Standard, Premium or Enterprise offerings.
There is also a freemium model in place that allows customers to get some airtime with Soha Cloud on their own schedule. The freemium service supports one application and up to five authorized users.