Endpoint Security , Governance & Risk Management , Zero Trust
Tailscale Raises $100M to Give Devices Zero Trust ProtectionCompany Will Create Variable Access Policies Based on a Device's Security Posture
Tailscale has closed a $100 million funding round to enhance its zero trust VPN offering by factoring in the security posture of a particular device.
See Also: Live Webinar | Breaking Down Security Challenges so Your Day Doesn’t Start at 3pm
The Toronto-based startup plans to use its Series B proceeds to create access policies that are variable based on the security posture of a device itself, CEO Avery Pennarun tells Information Security Media Group. This would allow Tailscale to restrict access for users on less secure devices to just their email while allowing users on locked-down devices to deploy information in the cloud, Pennarun says.
"Tailscale is now entering a different phase of its evolution. We found product-market fit. We have a bunch of people who really love the product. It's now time to scale up going to market and getting the product into everybody's hands," he says.
Tailscale was founded in 2019, employs 35 people and has raised $115 million in three rounds of outside funding, according to Crunchbase. Pennarun expects to triple Tailscale's headcount in the next year and to focus on greatly expanding the company's go-to-market engine beyond the two salespeople and several marketing personnel the company employs today.
The $100 million funding round was led by CRV and Insight Partners. Pennarun praised Insight for its expertise in helping growth-stage companies get their sales and marketing organizations off the ground and scaled up quickly and lauded CRV's experience in consumer technology and bottom-up growth, in which individual developers are the first adopters of a product rather than the CISO or IT department (see: IAM: App Security at the Pace of Your Development Teams).
"They definitely have a lot of confidence in Tailscale's business model and product," Pennarun says.
Fusing Policies and Permissions
Allowing customers to adjust their access control policies based on a device's security should help Tailscale evolve from a VPN replacement to a true zero trust platform, Pennarun says. This will require Tailscale to both detect the actual security posture of a device in real time and enact different policies based on that posture, which he says the company should be able to do by the end of this year.
The biggest challenge here is that the security posture of a device is constantly changing, meaning that a device can be scanned for viruses and fully patched one week but not the next, Pennarun says. For most vendors, this means that they would either need to issue very short-lived certificates or have a way to revoke the certificate if the security posture of a device changes, according to Pennarun.
But at Tailscale, Pennarun says, the certificates are automatically distributed to every node of the network and updated within 100 milliseconds whenever there's a change to the security posture of a device. All that remains for Tailscale to do is correlate the security posture of the device with different access control policies, he says.
Since iPhones can only install native applications, they are usually considered more locked down - especially if they have a mobile device management platform in place. But the security posture of Windows devices varies considerably, and corporate-issued devices are typically safer than personal ones, Pennarun says.
Security teams now have a scattered set of devices sitting all over the world in people's houses, which Pennarun says has resulted in a much higher probability that they'll get stolen or misplaced. And he says Tailscale has the ability to track the posture, debug and instantaneously disable devices from a central location even though the company relies on peer-to-peer links between client and server devices.
"The tagging stuff that we already use is much more powerful than you'd get from any other kind of VPN," Pennarun says. "It gives you a lot of power to restrict access based on the individual people on your network. So this new feature is more about restricting based on device policies as opposed to people."
Ditching Hardware to Save Time and Money
Outside of device posture management, Pennarun says customers have also been clamoring for an enhanced ability to deploy, in the cloud, integrations with enterprise-scale deployments for more than 10,000 users, and better ways to ensure endpoint security is enabled.
"If you start getting into tens of thousands of user deployments, there are all kinds of special cases," Pennarun says. "Every customer is a little bit different, so you have to spend the time doing things a little bit differently for each customer. We haven't gotten the teams in place for that task yet."
Pennarun says Tailscale's biggest competitors in the enterprise market are OpenVPN, Cisco AnyConnect, and Palo Alto Networks GlobalProtect. Tailscale's biggest differentiator from market incumbents is a lack of infrastructure or central server to deploy since the company relies on peer-to-peer networks for as few as two devices, according to Pennarun.
This approach minimizes latency and allows the capacity of the network to quickly and easily scale with the size of the network since there's no costly hardware to deploy, he says. The dramatic uptick in VPN use at the start of the pandemic caused many hardware-based VPN systems to overload since they were only configured to handle a small portion of employees working remotely, Pennarun says.
From a metrics standpoint, he says, Tailscale is most closely tracking the number of active users and results. The number of active users is emphasized, he says, since it's a leading indicator and results in more revenue. The company gives away free individual plans for developers to use personally, which Pennarun says has made it much easier to get organizational buy-in since Tailscale isn't stuck making cold calls to CISOs.
"It is so easy to roll out that people almost don't realize they finished rolling it out," Pennarun says. "You can do this without signing up for a payment plan or requesting a trial or anything like that. It takes about five minutes to experiment with Tailscale, and people often describe it to us as 'magical' or 'life-changing.'"