Important advances
in security are happening right now due to the large secular trends of
virtualization everywhere and the aggressive unbundling of modern application development
in the cloud. A few of the most exciting cloud-native security startups have
just released the first versions of their core products in September 2012.
The way we build and
run apps today on virtualized cloud infrastructure stitched together from many
third party cloud service providers has dramatically changed the surface area
of an application that needs to be secured, defended and monitored.
Today, up and down
the stack, it's common for every component to be delivered as a third party
service, from Typekit fonts - the icing on the presentation layer - to a
managed DB service from MongoHQ. This trend builds on the third party services
that are already a fait accompli: CDNs, app monitoring, exception logging,
etc. All of these services, including your own core application logic are
likely running on layers of virtualized hardware - usually Amazon AWS.
In general, third
party services provide better security for your app because each third party
provider can have a deeper knowledge of their domain, and can afford to focus
all their attention on it, whereas if you managed that service yourself, you
may not have the bandwidth to stay perfectly up to date on it. However, this
general principle goes along with increased uncertainty. As a customer, you
can't have perfect information about the precise security practices of any
particular cloud service provider.
Excitingly, there
has not yet been a new series of security company exits for companies that are
truly native to the massive secular cloud and virtualization trends. Clearly,
there will be, and soon. This is an investable trend right now.
I highlight a few
of the most interesting new security companies that are truly cloud-native
below:
Bromium puts a
cloud of micro-VMs on your local machine, isolating each process within its own
VM. This prevents malicious code entering from the browser to metastasize
throughout your computer. Bromium just started shipping its first release
vSentry focused on Windows 7 on September 20th 2012. Bromium has a blue chip
team that previously founded Xen, and is capitalized to match, having raised
over $35M from A16Z, Lightspeed, Ignition, Intel and Highland.
Also in September
2012, and at the other end of the incumbency spectrum, Qubes released an open
source direct competitor to Bromium based on Linux. The Qubes developers are
best known for devising some well-publicized virtualization exploits, and may
not have any outside funding at all.
Instead of bringing
the cloud to your desktop, Authentic8 is taking your browser to the cloud. Authentic8
just started letting consumers into its beta in September 2012. A8's disposable
browser securely connects you to a browser instance in a newly created, isolated
environment every time you start a new session and destroys that environment
afterward. Virtual execution in the cloud keeps any malicious code from
reaching your local machine. Like Bromium, A8 has a blue chip team that
previously founded Postini, but has been far more measured in their approach to
venture capital having announced only a single round from Foundry Group and
Merus to date.
Tinfoil Security is one of the best
cloud security examples of the consumerization of IT trend. Most development
teams building web applications do not address security systematically. Instead
security work tends to combine a loose set of best practices (hashing
passwords, etc.) mostly implemented most of the time clustered around a
particular employee with domain knowledge having the spare cycles to carve out
the time to make a security enhancement. Tinfoil provides a simple third party
web service that systematizes security monitoring for web apps in much the same
way that CI tools have helped systematize the build process and reduce long
stretches of broken builds.
Similarly, Netflix
is known for building a tool called SecurityMonkey to systematize application
security testing and monitoring across their infrastructure. While Netflix has
made a loose promise to open source SecurityMonkey, a few engineers there are
contributing to a parallel open source security-testing platform called
Gauntlt. Gauntlt provides a platform and domain specific language to
systematize the use of common security testing tools in the same way that popular
deployment platforms like Chef let developers systematize deployment scripts
that were previously run locally.
Obviously big
companies are not standing still. Virtualization vendors like VMware have their
own security offerings and older security companies are starting to pivot their
product positioning towards these new kinds of cloud security issues.
Beyond putting a
cloud of VMs on your computer like Bromium or putting your browser sessions in
the cloud like Authentic8, Intel/McAfee and ARM are working on a third
interesting category virtualized security product. DeepSafe from Intel creates
a small VM as close to the hardware as possible that intends to provide a clean
source of truth to compare the primary computing environment against in order
to determine if it has been compromised by malware. Chipmaker ARM is building
an identical product through a joint venture for ARM chips.
Of additional
interest are Amazon's quiet experiments into doing some browser processing in
the cloud with the Silk Browser installed on the Kindle Fire. While pitched as
a performance upgrade, adding additional security resources in the cloud along
the lines of Authentic8 would be a natural fit.
This post has been
confined entirely to security for the cloud services trend, and has left out
any discussion of mobile security, an equally large opportunity and the subject
of a future post.
No comments:
Post a Comment