673 CheckRed: Revolutionizing Cloud Security for MSPs

[Uncle Marv]
Hello friends, Uncle Marv here with another episode of the IT Business Podcast presented by NetAlly. We are here with another vendor profile for the IT Nation Pitch It program.

Today we will be chatting with CheckRed Security and joining me is CEO Patrick Clausen and CheckRed is a comprehensive cloud security SaaS solution. But it sounds like it would be simple but it's a lot, lot more. So Patrick, welcome to the show.

[Patrick Clawson]
Thank you. Thank you for having me.

[Uncle Marv]
All right. So when we talk about security SaaS solutions, people real quick have a really small thought in their head that oh, they're going to help me with cybersecurity. But it's a little more than that, isn't it?

[Patrick Clawson]
Yeah, it truly is. The concepts of SaaS security or cloud security and posture management in general marries both the cyber side of it but as well as the compliance side. So a lot of what drives the policy checks against SaaS apps would be the major frameworks in the world, whether it's a PCI or Sarbanes-Oxley, as well as the security policy checks.

[Uncle Marv]
Now the one thing I noticed and, you know, we chatted about this right before we got started and I saw it in my research, you guys not only do SaaS but you do IaaS or infrastructure as a server and platform as a service all together.

[Patrick Clawson]
We do. So we set out to build a platform that we thought for service providers in general dealt with a broad cloud security problem. And in our view that included IaaS, SaaS and SaaS in the same single multi-tenant platform.

[Uncle Marv]
All right. Now from the security standpoint with all three of those, are you just simply monitoring and assessing risk or are you going a little bit further than that?

[Patrick Clawson]
Yeah, we go a little bit further. So we've, as a group of people, been building cyber companies for the last 25 years. We fully embrace the concept of not just telling you have a problem but showing you how to fix it or helping you fix it.

We do not deploy agents. We believe that when we alert we can pass those alerts off to existing cyber platforms you've already invested in, whether they're a SOAR platform, an XDR platform, a SEM platform. So a lot of our alerts are automatically using our collaboration apps going to what you've already invested in as a customer.

But we also have very detailed analysis for analysts and we break down every alert. If you have analysts that are triaging and remediating, we give them step-by-step guided remediation instructions including CLIs and Terraforms, you know, where appropriate. So very, very detailed if you have people manually handling things and then very automated when you have the technology that can accept it.

[Uncle Marv]
All right. So no agent, which means that there's got to be some sort of cloud check-in through these other tools. So are you actually integrated into the tools?

Is there API that's involved? How are you actually doing that?

[Patrick Clawson]
API and read-only. We're 100% API based platform.

[Uncle Marv]
Okay. So now from that standpoint, as an MSP, I'm thinking, okay, I go into the cloud, I look at everything. Is it something that is truly multi-tenant where I can see kind of like a security score for all my clients at one time?

[Patrick Clawson]
Yeah, absolutely. It is completely multi-tenant and we're not confined by numbers of organizations you set up or business units underneath those organizations. And because it is truly multi-tenant, you know, you have your overall view.

And when you look at that overall risk score, you're looking at a NIST ERM score, not one of our, you know, mythical, magical, proprietary algorithms. It is the true NIST ERM score that we're relaying back to you for your customer base that's under monitoring.

[Uncle Marv]
Okay. So getting, I guess, a little bit more granular. So you said NIST there.

What exactly are you monitoring in terms of all of these security things?

[Patrick Clawson]
So, good question. So when we're looking at either cloud environments, you know, AWS, GCP, Azure, or we're looking at the major SAS apps in the world, whether that's 365, Google Workplace, Monday, Workday, you name it, SharePoint, whatever that might be. We're enforcing and looking for; we've got rules that we look for within each one of those.

And those rules come to us from two basic locations. One, the actual software manufacturer themselves is a good source and a good guide. But we also use the regulatory framework.

So we standardize on CISV8. So you'll see us using those controls that the regulations are requiring you to be compliant with as well. So those combinations come together that allow us to scan.

There are our own scanners. That SAS app, for example, with the 365 will do 132 policy checks in looking for misconfigurations, vulnerabilities, all the above.

[Uncle Marv]
All right. You said something that caught my attention, Monday.com. I actually have a customer that has Monday.com, but I never thought of monitoring that as part of my service. So how many other platforms, you know, like Monday do you guys work with that MSPs wouldn't even think about?

[Patrick Clawson]
Yeah, man, there's a ton. We've got about 60 of the major apps in the world that we cover. Our goal is the top 95%.

We're not, and when we do one, we do it really deeply. But we've also embedded an SDK into the platform. So our service provider partners will have customers that will have lesser-known apps that they can onboard and manage at a local level because it'll never go into the bigger global bucket, if that makes any sense.

[Uncle Marv]
Okay. All right. And all of these other platforms, they can still be modeled against their frameworks?

[Patrick Clawson]
Every one of them. We literally crosswalk every app through every single framework on the platform on a control-by-control-by- control basis. So if you think about anybody who's lived in the GRC world for many years, while we are not a broad GRC platform, we do handle a part of that problem.

GRC traditionally is very manual, but we take that cloud environment and the SaaS environments, and we digitally gather on a control-by-control basis your position against every one of those.

[Uncle Marv]
All right. So one of my normal questions is to try to explain, you know, how different you are from other, you know, similar products in the channel. You've already mentioned the fact that you do all of those other apps.

What else makes CheckRed different from a traditional MSP product?

[Patrick Clawson]
Yeah, I don't think vendors in this broader cloud space, whether it's the CNAP, CSPM side of it, or on the pure SaaS side, I don't think there's nobody else really doing IaaS, PaaS, and SaaS all in one place. So on a single platform, I'm doing Kubernetes posture management. I'm doing infrastructure entitlement management.

I'm doing workload protection. I'm doing posture management for cloud, for SaaS. I'm doing full CNAP.

I actually have an Active Directory posture management component. So no one else has really brought all of that together in a single platform, which is one. Number two, no one else is multi-tenant.

We bring those cloud and those SaaS capabilities to service providers in a true multi-tenant platform that hasn't been available to them before. So the concepts of doing these types of things for the customer would have been very manual, costly, and probably not done. So it's a brand new look at a completely multi-tenant platform that does it all from a single location.

[Uncle Marv]
Alright, now I'm going to ask a question that you probably aren't going to be ready for. This sounds like something that wasn't necessarily for MSPs. This sounds super enterprising to a degree.

So was this born out of enterprise and, you know, made to work for us as MSPs? Or is this built, you know, for MSPs?

[Patrick Clawson]
It gets built from the ground up. And when you look at the UI, you'll see where we have MSPs built into the UI. We used some of our CISO friends from around the world to guide us along the way.

We definitely support, you know, multiple business units, but our pathway has always been through service providers to the larger accounts. So that's our number one vector.

[Uncle Marv]
Okay, so let me ask another question. What made you see that gap that you wanted to fill?

[Patrick Clawson]
It wasn't obvious in the beginning. You know, we went to address the broader cloud platform problem. We thought they were competitors that were either IaaS and PaaS or SaaS only.

They weren't multi-tenant. We thought they were incredibly expensive and enterprise only. But as we did the analysis, we found one of the one things that they didn't do, none of those providers did, was build a multi-tenant platform from the ground up that would handle or address the service provider.

So we felt we had a real opportunity to go solve a problem for a very big market that wasn't being addressed by the more standalone technology platforms, and we could do it more cost-effectively.

[Uncle Marv]
All right. Now, some of this sounds a little overwhelming to just a typical MSP. Was there a learning curve or a challenge in talking to MSPs about this?

[Patrick Clawson]
Definitely a learning curve, right? I think it would be disrespectful to the service providers to say, oh, like everybody gets it. They don't, and I think we're still learning.

We're trying to position ourselves for service providers to be about as friendly as humanly possible. Little things like, we don't charge service providers a penny to sign up for our platform. We only charge you when you sign a customer, and we do that monthly in arrears because that's how they get to bill, right?

We simplify the charge methodology. It's not based on nine different variables like assets and workloads and sessions and users. We just do employee count.

That's it, and we keep it super simple. So we also give our service provider partners free one-time assessments, which they can use to create opportunities for themselves, which is good for us. So we continue to learn.

We've tried to build our go-to-market model, our revenue models around what's good for them, and you know, again, I think it'd be disrespectful to tell anybody we get it all figured out. We're still learning too.

[Uncle Marv]
Okay, so now the question becomes, you have this tool available. You can start to look at stuff. Do you guys have maybe some recommendations or best practices that you can help MSPs learn how to, you know, improve the cloud security posture?

[Patrick Clawson]
Yeah, so a couple of things we run into, and I don't think anybody listening would be terribly surprised. There's a grouping of service providers across the world, and certainly a large number here in the U.S. They get to a size, and they'd like to grow their revenue, but doing so requires manual effort. So you got to invest and hire the people to go do the cloud posture analysis, which is a very time-consuming manual effort, or to help them understand the risk that their SaaS apps and the third-party apps hanging off their approved SaaS apps are imposing upon that business.

So traditionally, it's been a manual exercise, which has kept a lot of the service providers from actually executing against it. It's too hard. It's expensive.

It takes a long time. So part of the learning curve for most of them is, hey, I have the ability to do an analysis for one of my customers against their full cloud environment, their full SaaS environment, and correlate that to any major framework. And I'm doing that in minutes, auto-generating the reports, so I can sit down in front of my customers and create new revenue-generating opportunities.

And that's kind of a light bulb that's taken a while. For so long, it's been so manual that to realize they have a tool that they can use to actually simply create new revenue has been interesting.

[Uncle Marv]
Has there been any studies to get statistics as to, one, how much time has been saved for MSPs to do this, and two, the percentage of increase in revenue they've been able to generate from it?

[Patrick Clawson]
I think we're still early stage on the last question. As we sign larger partners around the world, when that happens, it happens in big chunks. And they come, you get 10,000 user customers.

It's big and fast. The time saving is immediate. And I don't know how you measure it.

It's literally, if I have 1,000 user environment and I'm scanning their Azure environment and their MS365, I'm doing that in 10 minutes with all of the intense rules that we're analyzing. We're populating all of the alerts with guided remediation workflows and building the full reports in 10 minutes. So it's not like we get it done in a day.

We get it done in minutes. Something that would take a month to do.

[Uncle Marv]
I was going to say, that sounds super-fast.

[Patrick Clawson]
Very fast. We'll do a 70,000 user environment for all the Microsoft stuff, and that's Intune, Defender, SharePoint, 365. We'll do that in about an hour and 15 minutes.

[Uncle Marv]
All right. So let me ask before we close up here, your experience so far in PitchIT. How's it been?

Everything you expected?

[Patrick Clawson]
You know, yeah. It's been fun, to be honest. It's a good time, right?

It's a new market. They're a new group of people. We're trying to let our voice be heard, and we're excited to see how it goes.

[Uncle Marv]
All right. And you guys are a few weeks in now. It's early in the summer.

I know you've got to finish the 16-week boot camp that they give you, and then do some more pitching. And looking forward to seeing you guys in Orlando, November, at IT Nation Connect, to see if you're one of the final three in the presentation.

[Patrick Clawson]
Looking forward to it.

[Uncle Marv]
All right, Patrick. It was good to chat with you. I'll have to head over to your website some more.

So, well, let's see. Checkred.com. We'll have the link in the show notes, folks.

And give them a chat and use CheckRed to stay ahead of your evolving cyber threats out there. So, Patrick, thanks a lot.

[Patrick Clawson]
Thank you. Appreciate the time.

[Uncle Marv]
All right. That's going to do it, folks. We'll be back with more vendor profiles throughout the summer.

Of course, you can always check out the IT Business Podcast at the website, ITBusinessPodcast.com. Subscribe in your favorite pod catcher, and we'll see you guys out there. Talk to you later.

Holla!