Stacklet Commercializes Cloud Custodian


By: Mary Jander

A startup named Stacklet has taken a popular open-source cloud management engine named Cloud Custodian and, with the help of the software’s creators, turned it into a streamlined commercial offering called Stacklet Platform.

The news highlights the growing popularity of the open-source model for managing multi-cloud networks, as well as the needs of DevOps teams for easy-to-implement security and management functions in cloud environments.

Cloud Custodian originated in 2016 as a project at bank holding company Capital One (COF). The purpose was to set up a rules-based framework to help DevOps teams manage cloud infrastructure, including operations, security, and costs. By mid-2020, Cloud Custodian had been downloaded over 2 million times. Capital One contributed the project to the Cloud Native Computing Foundation (CNCF) in August 2020.

Stacklet and Cloud Custodian

The Stacklet Platform is not customized; it retains all features of the open-source Cloud Custodian software, and it will continue to be tweaked as members of the CNCF add functions to the open-source project. The point, according to Stacklet, is to take Cloud Custodian’s proven platform and make it easy to use by facilitating its rapid deployment with services from multiple clouds -- including AWS, Microsoft Azure, and Google Cloud Platform.

To this end, Stacklet has accelerated the set-up process with pre-defined policies governing DevOps usage of cloud services. It tracks costs, security, and operations features. Stacklet also has added an asset database designed to deliver real-time information on cloud infrastructure status and events.

Specific Stacklet Platform Functions

Stacklet uses a simple declarative language the vendor says is comprehensible to non-developers (think accountants). Developers use it to set policies concerning access rights, encryption, key rotation, and other elements of corporate security. Also, if a particular anomaly is encountered in the cloud environment, the system can be set to take remediating actions automatically.

Stacklet Platform also tracks compliance with NIST Cybersecurity Framework (CSF), the Payment Card Industry Data Security Standard (PCI-DSS), HIPAA, and the Center for Internet Security (CIS) Benchmarks. The software illustrates this compliance as shown in the screen shot below:

[Screenshot omitted. Source: Stacklet]

Stacklet Platform manages backups, logging, and tagging in cloud operations. It can be set to de-activate virtual resources during off hours and to isolate unused resources (aka “garbage collection”).

Stacklet Platform is offered as software-as-a-service (SaaS) on an annual subscription basis, though the company isn’t officially announcing pricing at this point.

The Background of Stacklet

Stacklet was co-founded circa early 2020 by Kapil Thangavelu, who is credited with the development and ongoing maintenance of Cloud Custodian, and Travis Stanfield, the former senior director of software engineering at Capital One. Thangavelu now serves as Stacklet’s CTO and Stanfield as CEO.

In January 2021, Stacklet raised $18 million in Series A funding from Addition, Foundation Capital, and Liam Randall, a former Capital One VP of software innovation who is now Stacklet’s VP of business development. The company is headquartered in Arlington, Va., and has roughly 24 employees.

Catching on in Fintech

Cloud Custodian has many contributors, including Amazon (AMZN), Microsoft (MSFT), and Capital One, and its adoption as an open-source solution spans a range of vertical markets. So far, though, company sources say Stacklet Platform has been trialed primarily with financial technology (fintech) companies and pure-play technology firms. Those are the sectors moving aggressively to the cloud, and Stacklet’s Capital One DNA could also make the product attractive to other fintechs.

Regarding competition, there’s plenty, particularly from security firms such as Palo Alto Networks (PANW), via that company’s Prisma service; and Check Point Software Technologies’ (CHKP) D9 project, which is part of the vendor’s developer community outreach. Stacklet Platform also competes with in-house DIY projects.

Stacklet says its solution isn’t restricted to security, but is focused on governance. Its use is also directed not toward network managers but DevOps teams looking to relieve some of the headaches they encounter in the move to cloud. As one early adopter terms it, Stacklet enforces the guardrails: “Governance as Code is a strategic need for us,” said Naor Penso, senior director of product security at FICO, in a statement. “[O]ur partnership with Stacklet enables .... dynamic guardrail enforcement, defined by our organization.”