Cloud Security - Ely Kahn

This is an investment thesis that I completed while serving as Managing Director for Wharton Venture Partners (
  1. Cloud Computing Security. Ely Kahn. April 2011.
  2. Executive Summary
     • What is Cloud Security?
       – Cloud security refers to the policies, technologies, and controls deployed to protect data, applications, and the associated infrastructure of cloud computing (includes public and private clouds)
       – Cloud security is not focused on security products that leverage the cloud to deliver security services to a customer (although this is also an interesting area)
     • Why is Cloud Security an attractive investment area?
       – Rapid growth of cloud computing
       – Security is a key reason why cloud computing is not growing even faster
       – Acquisition-hungry cloud infrastructure providers and information security providers looking to differentiate themselves
       – An active start-up community in this space
       – Data protection for the cloud as an attractive investment area moving forward
       – High Cloud Security, CipherCloud, and Navajo Systems as prime examples
  3. There are 4 main types of risks that cloud security companies focus on
     – Virtualization Security: Preventing cyber attacks on the hypervisor and virtual machines
     – Cloud Security Governance: Providing cloud customers with deeper insights on where their data is stored and what security rules, policies, and configurations are being applied to them
     – Identity and Access Management: Secure and federated access to multiple public and/or private clouds
     – Data Protection: Identifying sensitive data and encrypting it or putting in place other protective measures to ensure its security
  4. There are a variety of established players across these four functions
     (Vendor logo chart grouped by Virtualization Security, Cloud Security Governance, Identity and Access Management, and Data Protection.)
  5. A wide variety of VCs are investing in cloud security
     Company: Description; Founded; Round; Amount; Date; Participating VCs
     – Symplified: IAM/CSG. Auditing and federated SSO; 2006; B; $9M; 2011; Granite Ventures, Allegis Capital, Quest Software
     – Nimbula: CSG. Helps securely transition data centers to private clouds; 2008; B; $15M; 2010; Accel Partners, Sequoia Capital
     – Hytrust: CSG. Enables accountability, visibility and control; 2007; B; $10.5M; 2010; Granite Ventures, Cisco Systems, Trident Capital, Epic Ventures
     – SecureAuth: IAM. SSO and multifactor auth; 2005; N/A; $3M; 2010; Angel investors
     – Appirio: CSG. Unifies security policies across cloud applications; 2006; C; $10M; 2009; Granite Ventures, Sequoia Capital
     – Reflex Systems: CSG. Integrates security, compliance, and management; 2008; A; $8.5M; 2009; RFA Management Co.
     – Cloudswitch: CSG/DP. Move applications securely to the cloud via VPN; 2008; B; $8M; 2009; Atlas Venture, Commonwealth Capital Ventures, Matrix Partners
     – Conformity: IAM. Auditing and federated SSO; 2007; A; $3M; 2009; Guggenheim Venture Partners
     – Perspecsys: DP. Sensitive data not transmitted to the cloud; 2006; A; N/A; 2007; Growthworks (Canadian)
  6. Acquirers include both traditional infosec companies and cloud infrastructure providers
     Company: Description; Acquirer; Date; Price
     – ArcSight: CSG. Global provider of security and compliance management; HP; 2010; $1.5B
     – Arcot: IAM. The industry’s largest cloud-based authentication system; CA; 2010; $200M
     – TriCipher: IAM. Multifactor authentication; VMware; 2010; ~$200M
     – Altor: VS. A hypervisor-based virtual firewall to protect cloud applications; Juniper Networks; 2010; $95M
     – 3Tera: CSG. Helps companies build private clouds quickly and securely; CA; 2010; $18M
     – Rohati: IAM. Helps companies control who has access to data using context information; Cisco Networks; 2009; N/A
     – Third Brigade: CSG/VS. Firewalls, IDS, and security policy enforcement for virtualized environments; Trend Micro; 2009; N/A
     – Blue Lane: VS. Removes malicious content from network traffic before it reaches your virtual servers; VMware; 2008; $15M
  7. The growing importance of cloud security concerns… (chart)
  8. … will lead to increased cloud security spending
     (Charts: Cloud Computing Market Size; Cloud Security Market Size)
     • Cloud Security will grow to a $1.5B market by 2015
     • Cloud Security will capture 5% of IT security technology spending
       – Source: Forrester
     Note: Gartner recently estimated cloud spending to be 3.5x the IDC estimate by 2014
  9. Most of the investments and acquisitions to date have been focused on CSG and IAM…
     • Identified Cloud Security Investments
       – 6 addressed Cloud Security Governance functions
       – 3 addressed Identity and Access Management functions
       – 2 addressed Data Protection
       – 0 addressed Virtualization Security
     • Identified Cloud Security Acquisitions
       – 3 addressed Cloud Security Governance functions
       – 3 addressed Identity and Access Management functions
       – 3 addressed Virtualization Security functions
       – 0 addressed Data Protection
  10. … but moving forward, data protection will be the big play
     (2x2 chart: Strength of Competition (Low to High) against Security Effectiveness (Low to High), positioning DP, CSG, VS, and IAM.)
  11. Cloud Security Investment Thesis
     • Cloud Data Protection companies will be investments for VCs moving forward
     • Things to look for in Cloud Data Protection companies:
       – Novel encryption/tokenization approaches that are “defensible” from competitors
       – Keys should be stored at a trusted third party or at the client side (not with the cloud provider)
       – Strong knowledge of cloud provider architectures
       – A focus on low latency, high customer service, and ease of use
       – Experience in enterprise sales
       – Entrepreneurs with a proven track record in information security
     • Potential exit to traditional information security provider, cloud provider, or cloud infrastructure provider most likely
     • Examples of high potential start-ups are described on the following slides
  12. High Cloud Security is a stealth-mode start-up that is recommended for investment
     • Leadership
       – Founded by 25-plus-year Silicon Valley veterans (IBM/ISS, Veritas, Hytrust, etc.)
       – Specialties in security, storage, encryption, and operating-system kernel internals
       – The founders have assembled a team of senior engineers, each with over 20 years of experience
     • Technology
       – The solution safely encapsulates any server’s VM image so it is protected from unauthorized exposure throughout its lifecycle.
       – This protection applies inside the data center as well as when the VM is being run on a remote host or in the Cloud.
       – With High Cloud, if a VM were lost or stolen, an unauthorized user could not run it or dissect it to expose sensitive data; only authenticated and authorized users can execute the VM, with an audit trail of its use.
       – Is independent of and works with all VMs and applications
       – Technology is Patent Pending
     • Current Status
       – Currently in stealth mode
       – Shipping beta product in April 2011; currently looking to raise capital (~$4M)
  13. CipherCloud is a bootstrapped startup that is recommended for investment
     • CipherCloud provides customers with a web-proxy gateway that transparently encrypts sensitive data before it’s sent to SaaS/PaaS applications in the cloud. The encryption key remains only with customers.
     • Named Finalist for “Most Innovative Company” at RSA® Conference 2011
     • AppExchange partner ecosystem member
     • Beta is out now; final release expected in March
     • Looking for funding in the Q3 timeframe; hoping to raise about $5M
     • Patent-pending encryption/tokenization approach
     • Hired ex-Salesforce employees to gain inside knowledge of the application
     • Founded in 2010 by Pravin Kothari, who is a serial entrepreneur; was previously co-founder of ArcSight ($1.5B exit)
  14. Navajo Systems is a seed-stage Israeli start-up recommended for investment
     • Founded in 2009 by a US-educated Israeli entrepreneur
     • Received unnamed amount of seed funding from Jerusalem Venture Partners in 2009
     • Named Finalist for “Most Innovative Company” at RSA® Conference 2010
     • Member of IBM cloud partner ecosystem
     • Virtual Private SaaS (VPS) can be implemented as an appliance installed on the corporate network or as a service hosted by Navajo Systems or a third-party service provider
     • Encrypts/decrypts sensitive data via a web proxy, and encryption does not affect performance within the application
     • Has solutions for various SaaS providers including Google, Salesforce, Oracle, etc.
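Slides 11, 13 and 14 describe one pattern: a gateway on the customer's side encrypts or tokenizes sensitive fields before they reach the SaaS application, and the keys stay with the customer (or a trusted third party), never with the cloud provider. The Go program below is an added illustration of that pattern, not code from CipherCloud, Navajo Systems or this deck. The Gateway type, the Transform function, the "encrypt"/"tokenize" policy strings and the sample record fields (account, email, notes) are assumptions made for the example; the cryptography is standard-library AES-GCM and HMAC-SHA256.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Gateway models the encrypting web proxy the slides describe: it sits on the customer's
// network in front of a SaaS application. Keys and the token vault live here and never
// reach the cloud provider, which stores only ciphertext and tokens.
// Hypothetical type, field and function names; not any vendor's API.
type Gateway struct {
	aead   cipher.AEAD       // AES-GCM under the customer-held data key
	tokKey []byte            // separate customer-held key for deterministic tokens
	vault  map[string]string // token -> original value, kept on the customer side
	policy map[string]string // field name -> "encrypt" (randomized) or "tokenize" (searchable)
}

// NewGateway wires up the keys and the per-field policy; encKey must be 16, 24 or 32 bytes.
func NewGateway(encKey, tokKey []byte, policy map[string]string) (*Gateway, error) {
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Gateway{aead: aead, tokKey: tokKey, vault: map[string]string{}, policy: policy}, nil
}

// sealField encrypts one value under a fresh random nonce, so repeated plaintexts yield
// different ciphertexts and the provider cannot tell that two records hold the same value.
func (g *Gateway) sealField(plaintext string) (string, error) {
	nonce := make([]byte, g.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := g.aead.Seal(nonce, nonce, []byte(plaintext), nil) // nonce || ciphertext || tag
	return "enc:" + base64.StdEncoding.EncodeToString(ct), nil
}

// openField reverses sealField; data encrypted under another key, or altered at the
// provider, fails GCM authentication instead of decrypting to garbage.
func (g *Gateway) openField(encoded string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(encoded, "enc:"))
	if err != nil || !strings.HasPrefix(encoded, "enc:") {
		return "", errors.New("not a valid encrypted field")
	}
	ns := g.aead.NonceSize()
	if len(raw) < ns {
		return "", errors.New("ciphertext too short")
	}
	pt, err := g.aead.Open(nil, raw[:ns], raw[ns:], nil)
	return string(pt), err
}

// tokenField maps a value to a deterministic HMAC-SHA256 token and records the reverse
// mapping in the local vault. Determinism keeps "find account by email" working inside
// the SaaS application; the price is that the provider learns which records share a value.
func (g *Gateway) tokenField(plaintext string) string {
	mac := hmac.New(sha256.New, g.tokKey)
	mac.Write([]byte(plaintext))
	tok := "tok:" + base64.StdEncoding.EncodeToString(mac.Sum(nil))
	g.vault[tok] = plaintext
	return tok
}

// Transform rewrites a record crossing the proxy. toCloud=true protects fields on the way
// to the SaaS provider; toCloud=false restores them on the way back to the user.
func (g *Gateway) Transform(record map[string]string, toCloud bool) (map[string]string, error) {
	out := make(map[string]string, len(record))
	for k, v := range record {
		var err error
		switch action := g.policy[k]; {
		case action == "encrypt" && toCloud:
			v, err = g.sealField(v)
		case action == "encrypt":
			v, err = g.openField(v)
		case action == "tokenize" && toCloud:
			v = g.tokenField(v)
		case action == "tokenize":
			orig, ok := g.vault[v]
			if !ok {
				err = errors.New("token not in vault")
			}
			v = orig
		}
		if err != nil {
			return nil, fmt.Errorf("field %q: %w", k, err)
		}
		out[k] = v // fields with no policy pass through unchanged
	}
	return out, nil
}
```

The split between randomized encryption and deterministic tokens is the design decision slide 11 hints at with "encryption/tokenization": a field the SaaS application must filter or join on has to stay deterministic, so it is tokenized and the provider can see equality but not the value; everything else gets AES-GCM with a fresh nonce. Because both keys and the vault stay on the customer's side, a breach or compelled disclosure at the provider yields only ciphertext and tokens, which is the property the "keys not with the cloud provider" criterion is after.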
  15. APPENDIX
  16. Interviewed Companies (logo chart)
  17. Cloud computing (public or private) is comprised of a stack of technologies
     – Cloud Provisioning: Automate the creation of datacenter cloud installations (whether for private or public usage)
     – Public Cloud: Amazon, Google, Rackspace, Terremark, GoGrid
     – Applications: Enterprise SaaS (external and internal)
     – App Middleware: Tightly integrates with the enterprise application layer, often augmenting it
     – Dev/Test Tools: Used to help develop and debug cloud applications, namely a development environment
     – VM Management: This suite of applications provides value-add on top of public cloud providers (e.g. Amazon) with extended management dashboards as well as hypervisor console extensions
     – Storage and Data: Provided as a part of a storage-centric public cloud service or as components for building your private cloud
     – Hypervisor: A virtualization technique which allows multiple operating systems, termed guests, to run concurrently on a host computer
     – OS: Provides common services for efficient execution of various application software
     Source: http:// March 2009
  18. There are security issues at each layer of the stack but some are more interesting than others
     – Cloud Provisioning: Security issues connected to configuration management
     – Public Cloud: Physical security of hardware, lack of standards, privacy laws, etc.
     – Applications: Standard application security issues
     – App Middleware: Identity and access management needs
     – Dev/Test Tools: Code-scanning tools
     – VM Management: Provides security-related info for configuration management, monitoring, and auditing
     – Storage and Data: Provides back-up and disaster recovery
     – Hypervisor: An entirely new layer of very sensitive software to protect (e.g., “VM hopping”); added patch management complexity
     – OS: Not unique to cloud computing; rootkits, buffer overflows, privilege escalation, etc.; addressed through patches, firewalls, IPS
  19. Cloud Security Market Opportunity equals Cloud Risk Severity times Strength of Competition
     Cloud Risk: Discussion; Severity; Competition; Opportunity
     – Isolation Failure: This risk category covers the failure of mechanisms separating storage, memory, routing and even reputation between different tenants. However, it should be considered that attacks against hypervisors are still less numerous and more difficult than attacks on traditional OSs; 2; 3; 6
     – Incomplete Data Deletion: When a request to delete a cloud resource is made, this may not result in true wiping of the data. In the case of multiple tenancies this represents a higher risk to the customer than with dedicated hardware; 2; 3; 6
     – Mgmt. Interface: Customer management interfaces of a public CP are accessible through the Internet and mediate access to larger sets of resources and therefore pose an increased risk, especially when combined with web browser vulnerabilities; 3; 2; 6
     – Data Protection: It may be difficult for the cloud customer to check the data handling practices of the cloud provider and thus to be sure that the data is handled in a lawful way. This problem is exacerbated in cases of multiple transfers of data, e.g., between federated clouds; 2; 2; 4
     – Compliance Risks: Investment in achieving certification (e.g., industry standard or regulatory requirements) may be put at risk by migration to the cloud; 1; 2; 2
     – Loss of Governance: In using cloud infrastructures, the client necessarily cedes control to the Cloud Provider (CP) on a number of issues which may affect security. Also, SLAs may not offer a commitment to provide such services; 2; 1; 2
     – Malicious Insider: While usually less likely, the damage which may be caused by malicious insiders is often far greater. Cloud architectures necessitate certain roles which are extremely high-risk; 1; 1; 1
     Source: European Network and Information Security Agency Report on Cloud Computing Benefits, Risks, and Recommendations for Information Security. November 2009.
  20. There are other information security trends and start-ups that are noteworthy but not covered here
     • Use of Web 2.0 technologies in the workplace
       – Socialware: Middleware to monitor social media usage
     • Leveraging virtualization technologies to better protect desktops
       – Invincea: Sandboxing the browser
     • Information security for the internet of things
       – Mocana: Smart Grid, embedded devices, etc.
     • Leveraging massive amounts of web data and improved processing power to better protect enterprises
       – Endgame Systems: Building IP trust scores
       – CloudFlare: Advanced protection for SMB
  21. Post-PC devices (including smartphones) are now surpassing PC devices (chart)
  22. The consumerization of IT is introducing new security issues
     • 56% of enterprises allow personally owned smartphones to access company resources
     • A recent study showed that 10% of Android applications analyzed contained three or more dangerous security permissions
     • Enterprise device management is burdened by a high diversity of devices (Blackberry, Android, iPhone, Windows, Palm) and a relatively immature device management vendor community
     • Legal requirements for data ownership and privacy boundaries on personally owned devices are still unclear
     • On the other hand, mobile operating systems are more stripped down than PCs, apps run in sandboxes, and apps must be signed for use on smartphones (all good for security)
     Sources: Forrester. “Security in the Post-PC Era: Controlled Chaos.” October 14, 2010.
  23. Smartphones are now capable of enabling strong authentication processes
     • Smartphones now have enough computing speed and memory capacity to handle PKI without much burden
     • Certificate issuance and management is more affordable
     • SIM cards are now capable of cryptoprocessing (e.g., private key on the chip)
     • Foreign examples of using smartphone-based authentication for banking (authentication) and government services (digital signatures)
  24. Stolen devices and mobile spyware are the highest risks for smartphones (chart)
     Source: Forrester. “Security in the Post-PC Era: Controlled Chaos.” October 14, 2010.
  25. There are three primary types of smartphone security start-ups that are of interest
     • This investment thesis focuses on three areas of Smartphone Security:
       – Mobile Device Management (MDM): Software that monitors, manages and supports mobile devices deployed across an enterprise; typically includes data and configuration settings, encryption and wipe for all types of mobile devices
       – Smartphone Malware Protection (SMP): Anti-virus/anti-spyware protection for smartphones
       – Smartphone Authentication (SA): Utilizing the smartphone hardware and/or software for multifactor authentication
     • Taken together, these three areas will comprise a 1 to 2 billion dollar market in the coming years
  26. Recent Smartphone Security Investments (by type)
     Company: Type; Founded; Round; Date; Amount; Investors
     – SurIDx: MDM; 2006; A; 2009; $1.695M; N/A
     – Boxtone: MDM; 2005; B; 2010; $7.5M; Lazard Technology Partners
     – Mobileiron: MDM; 2007; C; 2010; $16M; Sequoia Capital, Norwest Venture Partners, Storm Ventures
     – Zenprise: MDM; 2003; N/A; 2010; $9M; Rembrandt Venture Partners, Ignition Partners, Bay Partners, Mayfield Fund, Shasta Ventures
     – Fat Skunk: SMP; 2010; Seed; 2010; N/A; N/A
     – Lookout: MDM, SMP; 2009; B; 2010; $11M; Khosla Ventures, Trilogy Equity Partnership, Accel Management
     – Sipera Systems: MDM, SMP; 2003; N/A; 2010; $10.2M; S3 Ventures, Sequoia Capital, Austin Ventures, Duchossois Technology Partners, Star Ventures
     – FireID: SA; 2005; A; 2010; $6.4M; 4Di Capital (South African)
     – Koolspan: SA; 2003; C; 2008; $7.1M; New York Angels, Rose Tech Ventures, Security Growth Partners
     – Mocana: MDM, SMP, SA; 2008; C; 2008; $7M; Shasta Ventures, Southern Cross Venture Partners, Bob Pasker
  27. Recent Smartphone Security Exits (by type)
     Company: Date; Type; Amount; Acquirer
     – Trust Digital: 2010; MDM; N/A; McAfee
     – sMobile: 2010; MDM, SMP; $70M; Juniper
     – Droid Security: 2010; SMP; $9.4M; AVG
     – tenCube: 2010; MDM; N/A; McAfee
     – InterNoded: 2009; MDM; N/A; Tangoe
     – Verisign: 2010; SA; 1.28B; Symantec
     – Mobile Armor: 2010; MDM; N/A; Trend Micro
  28. Duo Security is a bootstrapped smartphone security start-up that is recommended for investment
     • Leadership
       – Dug Song is the well-respected founder of Arbor Networks, which had a large exit in 2010
     • Technology
       – SaaS-based Multi-Factor Authentication (MFA) service
       – Focus on cost effectiveness and customer interface, which they believe are the main factors that have prevented MFA from being adopted
     • Current Status
       – Was operating in stealth mode until December 2010
       – Product is in beta stage
       – http://