Bromium, Authentic8 and the Cloud-Native Security Renaissance

Important advances in security are happening right now due to the large secular trends of virtualization everywhere and the aggressive unbundling of modern application development in the cloud. A few of the most exciting cloud-native security startups have just released the first versions of their core products in September 2012.

The way we build and run apps today on virtualized cloud infrastructure stitched together from many third party cloud service providers has dramatically changed the surface area of an application that needs to be secured, defended and monitored. 

Today, up and down the stack, it's common for every component to be delivered as a third party service, from Typekit fonts - the icing on the presentation layer - to a managed DB service from MongoHQ. This trend builds on the third party services that are already a fait accompli: CDNs, app monitoring, exception logging, etc. All of these services, including your own core application logic are likely running on layers of virtualized hardware - usually Amazon AWS.

In general, third party services provide better security for your app because each third party provider can have a deeper knowledge of their domain, and can afford to focus all their attention on it, whereas if you managed that service yourself, you may not have the bandwidth to stay perfectly up to date on it. However, this general principle goes along with increased uncertainty. As a customer, you can't have perfect information about the precise security practices of any particular cloud service provider. 

Excitingly, there has not yet been a new series of security company exits for companies that are truly native to the massive secular cloud and virtualization trends. Clearly, there will be, and soon. This is an investable trend right now. 

I highlight a few of the most interesting new security companies that are truly cloud-native below:

Bromium puts a cloud of micro-VMs on your local machine, isolating each process within its own VM. This prevents malicious code entering from the browser to metastasize throughout your computer. Bromium just started shipping its first release vSentry focused on Windows 7 on September 20th 2012. Bromium has a blue chip team that previously founded Xen, and is capitalized to match, having raised over $35M from A16Z, Lightspeed, Ignition, Intel and Highland.

Also in September 2012, and at the other end of the incumbency spectrum, Qubes released an open source direct competitor to Bromium based on Linux. The Qubes developers are best known for devising some well-publicized virtualization exploits, and may not have any outside funding at all.

Instead of bringing the cloud to your desktop, Authentic8 is taking your browser to the cloud. Authentic8 just started letting consumers into its beta in September 2012. A8's disposable browser securely connects you to a browser instance in a newly created, isolated environment every time you start a new session and destroys that environment afterward. Virtual execution in the cloud keeps any malicious code from reaching your local machine. Like Bromium, A8 has a blue chip team that previously founded Postini, but has been far more measured in their approach to venture capital having announced only a single round from Foundry Group and Merus to date. 

Tinfoil Security is one of the best cloud security examples of the consumerization of IT trend. Most development teams building web applications do not address security systematically. Instead security work tends to combine a loose set of best practices (hashing passwords, etc.) mostly implemented most of the time clustered around a particular employee with domain knowledge having the spare cycles to carve out the time to make a security enhancement. Tinfoil provides a simple third party web service that systematizes security monitoring for web apps in much the same way that CI tools have helped systematize the build process and reduce long stretches of broken builds.

Similarly, Netflix is known for building a tool called SecurityMonkey to systematize application security testing and monitoring across their infrastructure. While Netflix has made a loose promise to open source SecurityMonkey, a few engineers there are contributing to a parallel open source security-testing platform called Gauntlt. Gauntlt provides a platform and domain specific language to systematize the use of common security testing tools in the same way that popular deployment platforms like Chef let developers systematize deployment scripts that were previously run locally. 

Obviously big companies are not standing still. Virtualization vendors like VMware have their own security offerings and older security companies are starting to pivot their product positioning towards these new kinds of cloud security issues.

Beyond putting a cloud of VMs on your computer like Bromium or putting your browser sessions in the cloud like Authentic8, Intel/McAfee and ARM are working on a third interesting category virtualized security product. DeepSafe from Intel creates a small VM as close to the hardware as possible that intends to provide a clean source of truth to compare the primary computing environment against in order to determine if it has been compromised by malware. Chipmaker ARM is building an identical product through a joint venture for ARM chips.

Of additional interest are Amazon's quiet experiments into doing some browser processing in the cloud with the Silk Browser installed on the Kindle Fire. While pitched as a performance upgrade, adding additional security resources in the cloud along the lines of Authentic8 would be a natural fit.

This post has been confined entirely to security for the cloud services trend, and has left out any discussion of mobile security, an equally large opportunity and the subject of a future post.

Growth Hacking Checklist

“My biggest surprise was when we launched the Facebook app and it didn’t go viral”

-Startup CEO quote

“The month after we decided to stop all marketing and put the product on auto-pilot was our biggest month ever”

-Startup engineer quote

Ok – what could anyone possibly say about Growth-Hacking that hasn’t already been said? What with high-profile startup bloggers Sean Ellis & Andrew Chen kicking things off, backed up by solid 30under30 prospects like Danielle Morrill, an honest to goodness GHIR at 500.co writing exceptional posts at Numerate Choir, a board on Quora and now even a multi-part series on Techcrunch .

I believe this discussion has come up and has been sustained by the fact that most startups are not thoughtful about their marketing, but the successful ones are.

Most startups rush into too many ‘standard’ marketing activities, and then only dabble in their consistent execution over time. This is very natural human behavior that successful companies and marketers must guard against. The psychology and results of this kind of unsuccessful marketing is exactly analogous to the many ways in which retail investors lose money in the stock market: short attention spans, emotional and irrational decision-making, and always an insufficient edge on the market.

Startups, please consider the entire attention and resource budget that you have allocated to marketing and distribution, audit all of your marketing activities against the qualities in this six-point checklist, then double-down on your most effective activities and prune the mediocre ones.

Marketing/Distribution/Growth-hacking Checklist:

Is this leveraged?

Just like you hope to establish a profitable business model for your company, you want to get more out of a marketing activity than you put in.

Content marketing? If your name isn’t KissMetrics, your own marketing team cannot hope to generate the velocity and volume of content and interaction that a community like Onstartups (Hubspot) or YouMoz (SEOmoz) can.

Building on Facebook? SocialCam saw a short window open in the Open Graph API that let them passively inject video links into your friends’ newsfeeds. A brace of competitors quickly copied this distribution leverage, but SocialCam went one better by overlaying the platform leverage of popular Youtube videos on top the existing Facebook platform leverage to create the CDO-Squared of distribution. Competitors were left pushing videos created by their own small user-base into the newsfeed until Facebook turned down the volume on that Open Graph channel.

Is this sustainable?

When Facebook detuned its Open Graph channel, all of the social video crowd were caught out and now require a re-think. Even SocialCam selling for $60M is a far cry from being one of the fastest growing companies of all time a few short months before.

Skype, on the other hand, shows that a company can ride virality for ten years and counting all the way up past 700M users with wholly-owned user relationships through multiple acquisitions and hairy legal wrangling. This is largely the result of network effects being at the product’s intrinsic core, and not hitching the company’s fortunes on an unreliable third-party social platform.

Like Skype, Dropbox’s famous referral scheme fits neatly in with its core product interaction: sharing documents across devices. Is your company counting on a referral program to drive a product that isn’t frequently referred?

Is this core to the product, brand and business model?

A product doesn’t need to be a core communication utility or social network to build a long-term sustainable leveraged growth machine.

Surveymonkey has done just that to the tune of $1B valued on business fundamentals. Surveymonkey’s business model aligns its own goals with those of its customers. While even passionate Dropbox customers might prefer to pay less for the service, Surveymonkey customers would like nothing better than to pay Surveymonkey more money, because it would mean that they had a bigger email list to market to.

Zappo’s isn’t even a company that helps one party send email to another, but their primary marketing tactic was a counter-intuitive growth hack as good as any other. Free shipping and returns let Zappo’s wage asymmetric warfare against incumbent shoe sellers. By taking on this additional cost structure, Zappo’s did not have to outbid competitors for scarce ad inventory and could grow by word-of-mouth instead.  In other words, you need to have a clear and concrete reason for people to retweet or like, not just the buttons to do so.

Is there a unique insight or special edge that we have?

The harsh light of ad-buying and paid customer acquisition illustrates this issue clearly.

Whaleshark Media is a roll-up of many of the largest online coupon and affiliate sites on the web. By virtue of scale, Whaleshark can negotiate the best affiliate payouts from affiliate networks and merchants. In some cases this means that Whaleshark sites can offer coupons with larger discounts than smaller competing deal sites. This also means that Whaleshark can spend more on paid advertising than a smaller site and still be right-side up. If you are competing with this kind of structural advantage, you had better be sure that you have a different advantage that outweighs this.

Similarly, Instagram’s unique insight and competitive advantage was pure craft and design. Other mobile photo apps had the same features, but were obviously less well crafted so there was no reason to use them. In effect, other photo apps brought knives to Instagram’s gun fight. This is the simplest point, but also one of the most important. As a hypothetical, if your web startup is launching a mobile app and you don’t invest enough for the fit and finish to rival other successful apps, the rising tide of mobile will not automatically lift your boat.

Is this measurable and able to be optimized and evolved over time?

One-time arbitrage opportunities and market insights tend to disappear quickly as competitors catch up and consumers get over-supplied. The path forward from success is continued optimization.

One of Zynga’s main competitive advantages over other social game publisher is its ability to cross-promote a new game to the audience of its older games. This advantage helps Zynga get new titles to scale before older game titles start to lose the interest of their players. Since games tend to go out of style relatively quickly and the Facebook platform ecosystem is always changing, Zynga needs to keep measuring and tweaking the promotion strategy and mechanics for each new game. Without measurement and improvement, Zynga would not have been able to sustain its string of hit social games.

Whitepages.com is a very large web property that spends millions of dollars each month on paid search. Like many companies, their initial SEM cost is not initially profitable based on first transactions. Whitepages’s search spend only goes into the black if some new customers acquired via search marketing return for a second monetization event without a second paid click.  Without measuring and optimizing for retention, one of Whitepages primary customer acquisition channels would be entirely closed off and the company would be much less viable.

If this works, will it lead to success?

One of my favorite thought exercises for growth-hacking and marketing is to ask what future success looks like for the company, and then work backwards to assess whether a particular marketing activity can credibly get the company there. For example, if your company has raised high single digit millions in venture money or more, you should be thinking about marketing activities that, if everything goes right, could build a business worth $100M or more. Small-bore marketing activities are the single biggest mistake that I see startup marketers make. Ad buying provides an excellent example. For most online businesses, it’s not credible to believe any amount of ad inventory will get your company to $100M. If you are tacking on a basic social media strategy of blogging, Tweeting, Facebook page updates and ‘share this’ buttons, it’s highly unlikely that this effort will contribute to building a large and special business.

In the day to day cut and thrust of startup operations, please take a more than usually critical eye to all of your marketing and growth strategies and spend your scarce time on activities that are leveraged, sustainable, and core to your product promise and function.

Like this? Email me at mathewgjohnson ‘AT’ gmail, or find me at http://mattishness.com/ or Twitter @matjohnson 

Getting a startup job business guy edition

First new post in two years. This is just a short one to hopefully break the ice.

Today, a friend introduced me to a smart young business guy looking to get into the startup world. This is the advice I gave him.

 Of course, the best way to break in is to start your own company. Even Y-Combinator has begun accepting fairly non-technical people from business schools as part of teams that also have some technical chops. In reality, many people don't want to go this route, or don't feel comfortable with it and want to get their foot in the door as an employee first.

 If this is the case and depending on your resume, I think the best plan right now would be to either join a small company more on the order of 10 employees in general marketing, or join a larger startup company in sales or finance/accounting. In either case, the goal is to find a way to add tangible, unique and valuable work product.

In a small company, marketing is kind of a catch-all for everything that is not writing code, so there are a bunch of different things that you can do to help out.

 I would actually look at sales or accounting more closely. The goal here is to put a succinct example of quantifiable success at a successful company on your resume. For example, if in 6 months you could say: I was the top producing rep at Twitter or Box.net or Yammer or something like that, then you'd have a really good story to leverage into other more interesting jobs. Additionally, right now enterprise SaaS companies are a really big deal and repeatable sales success is their biggest problem, so I think that now is a particularly good time for sales to be an entry-point.

 On the finance/accounting/risk side, I think that there are a lot of jobs, but not too large a pool of qualified applicants in the industry. For instance places like Zynga and Square have a lot of need for these people, but I have only ever met a few people in the industry who do this.