Cloud security ely kahn

Cloud Compu)ng Security Ely Kahn April 2011 1

Execu)ve Summary •  What is Cloud Security? –  Cloud security refers to the policies, technologies, and controls deployed to protect data, applica)ons, and the associated infrastructure of cloud compu)ng (includes public and private clouds) –  Cloud security is not focused on security products that leverage the cloud to deliver security services to a customer (although this is also an interes/ng area) •  Why is Cloud Security an aErac)ve investment area? –  Rapid growth of cloud compu)ng –  Security as a key concern why cloud compu)ng is not growing even faster –  Acquisi)on-‐hungry cloud infrastructure providers and informa)on security providers looking to diﬀeren)ate themselves –  An ac)ve start-‐up community in this space –  Data protec)on for the cloud as aErac)ve investment area moving forward –  High Cloud Security, CipherCloud, and Navajo Systems as prime examples 2

There are 4 main types of risks that cloud security companies focus on Virtualiza)on Preven)ng cyber aEacks on the hypervisor and virtual Security machines Providing cloud customers with deeper insights on where Cloud Security their data is stored and what security rules, policies, and Governance conﬁgura)ons are being applied to them Iden)ty and Access Secure and federated access to mul)ple public and/or Management private clouds Iden)fying sensi)ve data and encryp)ng it or pu[ng in Data Protec)on place other protec)ve measures to ensure its security 3

There are a variety of established players across these four func)ons Virtualiza)on Security Cloud Security Governance Iden)ty and Access Management Data Protec)on 4

A wide variety of VCs are inves)ng in cloud security Company Descrip3on Founded Round Amt Date Par3cipa3ng VCs Symplified IAM/CSG. Audi)ng and 2006 B $9M 2011 Granite Ventures, Allegis federated SSO. Capital, Quest Sodware Nimbula CSG. Helps securely transi)on 2008 B $15M 2010 Accel Partners, Sequoia Capital data centers to private clouds Hytrust CSG. Enables accountability, 2007 B $10.5 2010 Granite Ventures, Cisco visibility and control M Systems, Trident Capital, Epic Ventures SecureAuth IAM. SSO and mul)factor auth 2005 N/A $3M 2010 Angel investors Appirio CSG. Unifies security policies 2006 C $10M 2009 Granite Ventures, Sequoia across cloud applica)ons Capital Reflex CSG. Integrates security, 2008 A $8.5 2009 RFA Management Co. Systems compliance ,and management M Cloudswitch CSG/DP. Move applica)ons 2008 B $8M 2009 Atlas Venture, Commonwealth securely to the cloud via VPN Capital Ventures, Matrix Partners Conformity IAM. Audi)ng and federated 2007 A $3M 2009 Guggenheim Venture Partners SSO. Perspecsys DP. Sensi)ve data not 2006 A N/A 2007 Growthworks (Canadian) transmiEed to the cloud 5

Acquirers include both tradi)onal infosec companies and cloud infrastructure providers Company Descrip3on Acquirer Date Price ArcSight CSG. Global provider of security and compliance HP 2010 $1.5B management Arcot IAM. The industry’s largest cloud-‐based authen)ca)on CA 2010 $200M system TriCipher IAM. Mul)factor authen)ca)on VMware 2010 ~$200M Altor VS. A hypervisor-‐based virtual ﬁrewall to protect cloud Juniper 2010 $95M Networks applica)ons 3Tera CSG. Helps companies build private clouds quickly and CA 2010 $18M securely Roha3 IAM. Helps companies control who has access to data Cisco 2009 N/A Networks using context informa)on Third CSG/VS. Firewalls, IDS, and security policy Trend Micro 2009 N/A Brigade enforcement for virtualized environments Blue Lane VS. Removes malicious content from network traﬃc VMware 2008 $15M before it reaches your virtual servers 6

The growing importance of cloud security concerns… 7

… will lead to increased cloud security spending Cloud Compu3ng Market Size Cloud Security Market Size •  Cloud Security will grow to a $1.5B market by 2015 •  Cloud Security will capture 5% of IT security technology spending –  Source: Forrester Note: Gartner recently es)mated cloud spending to be 3.5x the IDC es)mate by 2014 8 8

Most of the investments and acquisi)ons to date have been focused on CSG and IAM… •  Iden)ﬁed Cloud Security Investments –  6 addressed Cloud Security Governance func)ons –  3 addressed Iden)ty and Access Management func)ons –  2 addressed Data Protec)on –  0 addressed Virtualiza)on Security •  Iden)ﬁed Cloud Security Acquisi)ons –  3 addressed Cloud Security Governance func)ons –  3 addressed Iden)ty and Access Management func)ons –  3 addressed Virtualiza)on Security func)ons –  0 addressed Data Protec)on 9

… but moving forward, data protec)on will be the big play High Strength of Compe33on Low High Security Eﬀec3veness DP CSG VS IAM Low 10

Cloud Security Investment Thesis •  Cloud Data Protec.on companies will be a6rac.ve investments for VCs moving forward •  Things to look for in Cloud Data Protec)on companies: –  Novel encryp)on/tokeniza)on approaches that are “defensible” from compe)tors –  Keys should be stored at a trusted third party or at the client side (not with the cloud provider) –  Strong knowledge of cloud provider architectures –  A focus on low latency, high customer service, and ease of use –  Experience in enterprise sales –  Entrepreneurs with a proven track record in informa)on security •  Poten)al exit to tradi)onal informa)on security provider, cloud provider, or cloud infrastructure provider most likely •  Examples of high poten)al start-‐ups are described on the following slides 11

High Cloud Security is a stealth-‐mode start-‐up that is recommended for investment •  Leadership –  Founded by 25-‐plus-‐year Silicon Valley veterans (IBM/ISS, Veritas, Hytrust, etc.) –  Special)es in security, storage, encryp)on, and opera)ng-‐system kernel internals –  The founders have assembled a team of senior engineers, each with over 20 years of experience •  Technology –  The solu)on safely encapsulates any servers VM image so it is protected from unauthorized exposure throughout its lifecycle. –  This protec)on applies inside the data center as well as when the VM is being run on a remote host or in the Cloud. –  With High Cloud if a VM were lost or stolen, an unauthorized user could not run it or dissect it to expose sensi)ve data; only authen)cated and authorized users can execute the VM, with an audit trail of its use. –  Is independent of and works with all VMs and applica)ons –  Technology is Patent Pending •  Current Status –  Currently in stealth mode –  Shipping beta product in April 2011; currently looking to raise capital (~$4M) –  www.highcloudsecurity.com 12

CipherCloud is a bootstrapped startup that is recommended for investment •  CipherCloud provides customers with a web-‐proxy gateway that transparently encrypts sensi)ve data before it’s sent to SaaS/PaaS applica)ons in the cloud. Encryp)on key remains only with customers. •  Named Finalist for "Most Innova)ve Company at RSA® Conference 2011 •  Salesforce.com’s AppExchange -‐ partner ecosystem member •  Beta is out now; ﬁnal release expected in March •  Looking for funding in the Q3 )meframe; hoping to raise about $5M •  Patent-‐pending encryp)on/tokeniza)on approach •  Hired ex-‐Salesforce employees to gain inside knowledge of the applica)on •  Founded in 2010 by Pravin Kothari, who is a serial entrepreneur; was previously co-‐founder of ArcSight ($1.5B exit) 13

Navajo Systems is a seed-‐stage Israeli start-‐up recommended for investment •  Founded in 2009 by a US-‐educated Israeli entrepreneur •  Received unnamed amount of seed funding from Jerusalem Venture Partners in 2009 •  Named Finalist for "Most Innova)ve Company at RSA® Conference 2010 •  Member of IBM cloud partner ecosystem •  Virtual Private SaaS (VPS) can be implemented as an appliance installed on the corporate network or as a service hosted by Navajo Systems or a third-‐party service provider •  Encrypts/decrypts sensi)ve data via a web proxy and encryp)on does not aﬀect performance within the applica)on •  Has solu)ons for various SaaS providers including Google, Salesforce, Oracle, etc. 14

APPENDIX 15

Interviewed Companies 16

Cloud compu)ng (public or private) is comprised of a stack of technologies Cloud Public Applica3ons Provisioning Cloud Enterprise SaaS (external and internal) App Tightly integrate with enterprise applica)on layer, oden installa)ons (whether for private or public usage). Middleware augmen)ng it Automate the crea)on of datacenter cloud Dev/Test Tools Used to help develop and debug cloud applica)ons – namely, a development environment VM This suite of applica)ons provide value-‐add on top of public Amazon Management cloud providers (e.g. Amazon) with extended management Google dashboards as well as hypervisor console extensions Rackspace Terremark GoGrid Storage and Provided as a part of a storage-‐centric public cloud service or as Data components to building your private cloud Hypervisor A virtualiza)on technique which allows mul)ple opera)ng systems, termed guests, to run concurrently on a host computer Provides common services for eﬃcient execu)on of various OS applica)on sodware Source: h7p://jameskaskade.com/?p=388 March 2009 17

There are security issues at each layer of the stack but some are more interes)ng than others Cloud Public Applica3ons Provisioning Cloud Standard applica)on security issues App Iden)ty and access management needs Physical security of hardware, lack of standards, Middleware Security issues connected to configura)on Dev/Test Tools Code-‐scanning tools privacy laws, etc. management VM Provides security-‐related info for configura)on management, Management monitoring, and audi)ng Storage and Provides back-‐up and disaster recovery Data Hypervisor An en)rely new layer of very sensi)ve sodware to protect (e.g., “VM hopping”); added patch management complexity Not unique to cloud compu)ng; rootkits, buffer overflows, privilege OS escala)on, etc.; addressed through patches, firewalls, IPS 18

Cloud Security Market Opportunity equals Cloud Risk Severity )mes Strength of Compe))on Cloud Risk Discussion Severity Compe33 Opportu on nity Isola3on This risk category covers the failure of mechanisms separa)ng storage, memory, rou)ng 2 3 6 Failure and even reputa)on between different tenants. However it should be considered that aEacks against hypervisors are s)ll less numerous and more difficult than aEacks on tradi)onal OSs Incomplete When a request to delete a cloud resource is made, this may not result in true wiping of 2 3 6 Data Dele3on the data. In the case of mul)ple tenancies this represents a higher risk to the customer than with dedicated hardware. Mgmt. Customer management interfaces of a public CP are accessible through the Internet and 3 2 6 Interface mediate access to larger sets of resources and therefore pose an increased risk, especially when combined with web browser vulnerabili)es. Data It may be difficult for the cloud customer to check the data handling prac)ces of the 2 2 4 Protec3on cloud provider and thus to be sure that the data is handled in a lawful way. This problem is exacerbated in cases of mul)ple transfers of data, e.g., between federated clouds. Compliance Investment in achieving cer)fica)on (e.g., industry standard or regulatory requirements) 1 2 2 Risks may be put at risk by migra)on to the cloud Loss of In using cloud infrastructures, the client necessarily cedes control to the Cloud Provider 2 1 2 Governance (CP) on a number of issues which may affect security. Also, SLAs may not offer a commitment to provide such services Malicious While usually less likely, the damage which may be caused by malicious insiders is oden 1 1 1 Insider far greater. Cloud architectures necessitate certain roles which are extremely high-‐risk. Source: European Network and Informa/on Security Agency Report on Cloud Compu/ng Benefits, Risks, and Recommenda/ons for Informa/on Security. November 2009. 19

There are other informa)on security trends and start-‐ups that are noteworthy but not covered here •  Use of Web 2.0 technologies in the workplace –  Socialware: Middleware to monitor social media usage •  Leveraging virtualiza)on technologies to beEer protect desktops –  Invincea: Sandboxing the browser •  Informa)on security for the internet of things –  Mocana: Smart Grid, embedded devices, etc. •  Leveraging massive amounts of web data and improved processing power to beEer protect enterprises –  Endgame Systems: Building IP trust scores –  CloudFlare: Advanced protec)on for SMB 20

Post-‐PC devices (including smartphones) are now surpassing PC devices 21

The consumeriza)on of IT is introducing new security issues •  56% of enterprises allow personally owned smartphones to access company resources •  A recent study showed that 10% of Android applica)on analyzed contained three or more dangerous security permissions •  Enterprise device management is burdened by a high diversity of devices (Blackberry, Android, iPhone, Windows, Palm) and a rela)vely immature device management vendor community •  Legal requirements for data ownership and privacy boundaries on personally owned devices are s)ll unclear •  On the other hand, mobile opera)ng systems are more stripped down than PCs, apps run in sandboxes, and apps must be signed for use on smartphones (all good for security) Sources: Forrester. “Security in the Post-‐PC Era: Controlled Chaos. October 14, 2010. 22

Smartphones are now capable of enabling strong authen)ca)on processes •  Smartphones now have enough compu)ng speed and memory capacity to handle PKI without much burden •  Cer)ﬁcate issuance and management is more aﬀordable •  SIM cards are now capable of cryptoprocessing (e.g., private key on the chip) •  Foreign examples of using smartphone-‐based authen)ca)on for banking (authen)ca)on) and government services (digital signatures) 23

Stolen devices and mobile spyware are the highest risks for smartphones Source: Forrester. “Security in the Post-‐PC Era: Controlled Chaos. October 14, 2010. 24

There are three primary types of smartphone security start-‐ups that are of interest •  This investment thesis focuses on three areas of Smartphone Security: –  Mobile Device Management (MDM): Sodware that monitors, manages and supports mobile devices deployed across an enterprise; typically includes data and conﬁgura)on se[ngs, encryp)on and wipe for all types of mobile devices –  Smartphone Malware Protec3on (SMP): Ant-‐virus/an)-‐spyware protec)on for smartphones –  Smartphone Authen3ca3on (SA): U)lizing the smartphone hardware and/or sodware for mul)factor authen)ca)on •  Taken together, these three areas will comprise a 1 – 2 billion dollar market in the coming years 25

Recent Smartphone Security Investments (by type) Company Type Founded Round Date Amount Investors SurIDx MDM 2006 A 2009 $1.695M N/A Boxtone MDM 2005 B 2010 $7.5M Lazard Technology Partners Mobileiron MDM 2007 C 2010 $16M Sequoia Capital, Norwest Venture Partners, Storm Ventures Zenprise MDM 2003 N/A 2010 $9M Rembrandt Venture Partners, Igni)on Partners, Bay Partners, Mayﬁeld Fund, Shasta Ventures Fat Skunk SMP 2010 Seed 2010 N/A N/A Lookout MDM, 2009 B 2010 $11M Khosla Ventures, Trilogy Equity SMP Partnership, Accel Management Sipera MDM, 2003 N/A 2010 $10.2M S3 Ventures, Sequoia Capital, Aus)n Systems SMP Ventures, Duchossois Technology Partners, Star Ventures FireID SA 2005 A 2010 $6.4M 4Di Capital (South African) Koolspan SA 2003 C 2008 $7.1M New York Angels, Rose Tech Ventures, Security Growth Partners Mocana MDM, 2008 C 2008 $7M Shasta Ventures, Southern Cross SMP, SA Venture Partners, Bob Pasker 26

Recent Smartphone Security Exits (by type) Company Date Type Amount Acquirer Trust Digital 2010 MDM N/A McAfee sMobile 2010 MDM, SMP $70M Juniper Droid Security 2010 SMP $9.4M AVG tenCube 2010 MDM N/A McAfee InterNoded 2009 MDM N/A Tangoe Verisign 2010 SA 1.28B Symantec Mobile Armor 2010 MDM N/A Trend Micro 27

Duo Security is a bootstrapped smartphone security start-‐up that is recommended for investment •  Leadership –  Dug Song is the well-‐respected founder of Arbor Networks, which had a large exit in 2010 •  Technology –  SaaS-‐based Mul)-‐Factor Authen)ca)on (MFA) service –  Focus on cost eﬀec)veness and customer interface, which they believe are the main factors that have prevent MFA from being adopted •  Current Status –  Was opera)ng in stealth mode un)l December 2010 –  Product is in beta stage –  hEp://www.duosecurity.com/ 28

Cloud security ely kahn

by Ely Kahn

Accessibility

Categories

Upload Details

Usage Rights

2 Embeds 296

Statistics

Cloud security ely kahn Presentation Transcript

http://blog.wvpventures.com	294
http://translate.googleusercontent.com	2