Tuesday, September 25, 2012

Bromium, Authentic8 and the Cloud-Native Security Renaissance


Important advances in security are happening right now due to the large secular trends of virtualization everywhere and the aggressive unbundling of modern application development in the cloud. A few of the most exciting cloud-native security startups have just released the first versions of their core products in September 2012.

The way we build and run apps today, on virtualized cloud infrastructure stitched together from many third party cloud service providers, has dramatically changed the attack surface of an application that needs to be secured, defended and monitored.

Today, up and down the stack, it's common for every component to be delivered as a third party service, from Typekit fonts - the icing on the presentation layer - to a managed DB service from MongoHQ. This trend builds on the third party services that are already a fait accompli: CDNs, app monitoring, exception logging, etc. All of these services, including your own core application logic are likely running on layers of virtualized hardware - usually Amazon AWS.

In general, third party services provide better security for your app because each provider has deeper knowledge of its own domain and can afford to focus all of its attention on it, whereas if you ran that service yourself you might not have the bandwidth to keep it perfectly up to date. However, this general principle comes with increased uncertainty. As a customer, you can't have perfect information about the precise security practices of any particular cloud service provider, and every provider you add is another trust boundary: a compromise on their side becomes a compromise of your app.

Excitingly, there has not yet been a new series of security company exits for companies that are truly native to the massive secular cloud and virtualization trends. Clearly, there will be, and soon. This is an investable trend right now. 

I highlight a few of the most interesting new security companies that are truly cloud-native below:

Bromium puts a cloud of micro-VMs on your local machine, isolating each untrusted task (such as a browser tab or an opened document) in its own hardware-virtualized micro-VM. Malicious code that enters through the browser stays contained in that micro-VM instead of metastasizing throughout your computer. Bromium started shipping its first release, vSentry, focused on Windows 7, on September 20th 2012. Bromium has a blue chip team that previously created the Xen hypervisor, and is capitalized to match, having raised over $35M from A16Z, Lightspeed, Ignition, Intel and Highland.

Also in September 2012, and at the other end of the incumbency spectrum, Qubes shipped its first stable release: an open source, Xen-based desktop built on Linux that takes the same isolation-by-virtualization approach and competes directly with Bromium. The Qubes developers are best known for devising some well-publicized attacks on virtualization, and may not have any outside funding at all.

Instead of bringing the cloud to your desktop, Authentic8 is taking your browser to the cloud. Authentic8 started letting consumers into its beta in September 2012. A8's disposable browser securely connects you to a browser instance in a newly created, isolated environment every time you start a new session, and destroys that environment afterward. Virtual execution in the cloud keeps any malicious code from reaching your local machine; the trade-off is that your browsing now passes through the provider, so the trust question raised above applies here as well. Like Bromium, A8 has a blue chip team, in this case the founders of Postini, but it has been far more measured in its approach to venture capital, having announced only a single round from Foundry Group and Merus to date.

Tinfoil Security is one of the best cloud security examples of the consumerization of IT trend. Most development teams building web applications do not address security systematically. Instead, security work tends to be a loose set of best practices (hashing passwords, etc.), implemented most of the time, and clustered around whichever employee has the domain knowledge and the spare cycles to carve out time for a security enhancement. Tinfoil provides a simple third party web service that systematizes security scanning and monitoring for web apps, in much the same way that CI tools have systematized the build process and reduced long stretches of broken builds.

Similarly, Netflix is known for building a tool called Security Monkey to systematize security testing and monitoring across their infrastructure. While Netflix has made only a loose promise to open source Security Monkey, a few engineers there are contributing to a parallel open source security-testing platform called Gauntlt. Gauntlt provides a platform and a domain specific language (Cucumber-style "attack files") that systematizes the use of common security testing tools such as nmap and sqlmap, in the same way that configuration management platforms like Chef let developers systematize setup scripts that were previously run by hand. The point of both tools is the same as Tinfoil's: a scan that runs on every build, with a pass/fail result, replaces a scan that runs whenever someone remembers.
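To make the "systematized security testing" idea concrete for both Tinfoil-style monitoring and Gauntlt, here is an added example of a Gauntlt attack file. It is written for this post and is not code from the Gauntlt project or from the original article; the target hostname, the fast-scan flag and the specific port expectations are assumptions chosen for illustration, and running it requires gauntlt and nmap to be installed and a host you are authorized to scan. Gauntlt attack files use Cucumber's Gherkin syntax: a step asserts the tool is present, a profile table supplies values that are substituted into the command, and regular expressions on the tool's output decide pass or fail.

```gherkin
# nmap.attack  (assumed filename; run with: gauntlt nmap.attack)
@slow
Feature: nmap port-exposure check for example.com
  # example.com is an assumed target for this example
  Background:
    Given "nmap" is installed
    And the following profile:
      | name     | value       |
      | hostname | example.com |

  Scenario: Only the expected ports are exposed
    # -F scans the most common ports; <hostname> is filled from the profile
    When I launch an "nmap" attack with:
      """
      nmap -F <hostname>
      """
    # Assumed policy for this example: HTTP must be open, SMTP must not be
    Then the output should match /80.tcp\s+open/
    And the output should not match /25.tcp\s+open/
```

Because gauntlt exits non-zero when any scenario fails, the file can be run as a CI step, which is what turns the occasional manual nmap run into the kind of repeatable check the paragraph above describes.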

Obviously big companies are not standing still. Virtualization vendors like VMware have their own security offerings and older security companies are starting to pivot their product positioning towards these new kinds of cloud security issues.

Beyond putting a cloud of VMs on your computer like Bromium or putting your browser sessions in the cloud like Authentic8, Intel/McAfee and ARM are working on a third interesting category of virtualized security product. DeepSafe from Intel creates a small virtualized layer as close to the hardware as possible, beneath the operating system, intended to provide a clean source of truth against which the primary computing environment can be compared in order to determine whether it has been compromised by malware. Chipmaker ARM is building a similar product for ARM chips through a joint venture.

Also of interest are Amazon's quiet experiments in doing some browser processing in the cloud with the Silk browser installed on the Kindle Fire. While pitched as a performance upgrade, adding security capabilities in the cloud along the lines of Authentic8 would be a natural fit.

This post has been confined entirely to security for the cloud services trend, and has left out any discussion of mobile security, an equally large opportunity and the subject of a future post.
