Wednesday 28 August 2013

The Coming Wave of Cloud Security Startups

This is a reprint of an article I wrote this week for MIT Technology Review.

Our growing computer security problems will create many new companies.

The threat from cyber-intrusions seems to have exploded in just the last 18 months. Mainstream media now report regularly on massive, targeted data breaches and on the digital skirmishes waged among nation states and cybermilitants.

Unlike other looming technical problems that require innovation to address, cybersecurity never gets solved. The challenges of circuit miniaturization, graphical computing, database management, network routing, server virtualization, and similarly mammoth technical problems eventually wane as we tame their complexity. Cybersecurity is a never-ending Tom and Jerry cartoon. Like antibiotic-resistant bacteria, attackers adapt to our defenses and render them obsolete.

As in most areas of IT and computing, innovation in security springs mostly from startup companies. Larger systems companies like Symantec, Microsoft, and Cisco contribute to the corpus of cybersecurity, but mostly acquire their new technologies from startups. Government agencies with sophisticated cyberskills tend to innovate more on the offensive side. I think that in the coming years we will see many small, creative teams of security engineers successfully discovering, testing, and building out clever new ways to secure cyberspace.

Anyone looking to found or invest in one of those small security companies destined for success should focus on the tsunami of change rocking the IT world known as cloud computing. In a transformation that eclipses even the advent of client–server computing in the 1980s, businesses are choosing to subscribe to services in the cloud over running software on their own physical servers. Incumbents in every category of software are being disrupted by cloud-based upstarts. According to Forrester, the global market for cloud computing will grow more than sixfold this decade, to over a quarter trillion dollars.


Cloud security, as it is known, is today one of the less mature areas of cloud computing, but it has already become clear that it will become a significant chunk of that vast new market. A Gartner report earlier this year predicted that the growth of cloud-based security services would overtake traditional security services in the next three years.

Just like other software products, conventional security appliances are being replaced by cloud-based alternatives that are easier to deploy, cheaper to manage, and always up-to-date. Cloud-based security protections can also be more secure, since the vendor can correlate events and profile attacks across all of its customers’ networks. This collaborative capability will be critical in the coming years as the private sector looks to government agencies like the National Security Agency for protection from cyberattacks.

The cloud also enables new security services based on so-called big data, which could simply not exist as standalone products. Companies like SumoLogic can harvest signals from around the Web for analysis, identifying attacks and attackers that couldn’t be detected using data from a single incident or source.

These new data-centric, cloud-based security products are crucial to solving the challenges of keeping mobile devices secure. Most computers shipped today are mobile devices, and they make juicier targets than PCs because they have location and payment data, microphones, and cameras. But mobile carriers and employers cannot lock down phones and tablets completely because they are personal devices customized with personal apps. Worse, phones and tablets lack the processing power and battery life to run security processes as PCs do.

Cloud approaches to security offer a solution. Software-as-a-service security companies like Zscaler can scan our mobile data traffic using proxies and VPNs, scrubbing them for malware, phishing, data leaks, and bots. In addition we see startups like Blue Cava, Iovation, and mSignia using Big Data to prevent fraud by fingerprinting mobile devices.

Cloud security also involves protecting cloud infrastructure itself. New technologies are needed to secure the client data inside cloud-based services against theft or manipulation during transit or storage. Some security auditors and security companies already sell into this market, but most cloud developers, focused on strong customer growth, have been slow to deploy strong security. Eventually it should become possible for cloud computing customers to encrypt and destroy data using their own encryption keys. Until they do, there is an opportunity for startups such as CipherCloud and Vaultive to sell encryption technology that is used by companies over the top of their cloud services to encrypt the data inside.

Lastly, cloud security also includes protecting against the cloud, which enables creative new classes of attack. For example, Amazon Web Services can be used for brute force attacks on cryptographic protocols, like the one a German hacker used in 2010 to break the NSA’s Secure Hashing Algorithm. Attackers can use botnets and virtual servers to wage distributed denial of service attacks; and bots can bypass captcha defenses by crowdsourcing the answers. Cloud-based attacks demand innovative defenses that will likely come from startups. For example, Prolexic and Defense.net (a company Bessemer has invested in) operate networks of filters that buffer their clients from cloud-based DDoS attacks.

Cloud computing may open up enormous vulnerabilities on the Internet, but it also presents great opportunity for innovative cybersecurity. In the coming decade, few areas of computing will be as attractive to entrepreneurs, technologists, and investors.

Friday 16 August 2013

How Long Will the U.S. Cloud Market be "Snowed In"?

Do recent revelations about US cyber intelligence activities jeopardize our nation’s market leadership in cloud computing? Will enterprises – domestic and foreign alike – now favor foreign vendors, or even avoid the public cloud altogether? A review of the political and technical realities points to trouble for US cloud providers, but only for the short term.

In recent weeks we’ve seen a tangible backlash against the NSA’s PRISM program and those tech companies who cooperate, especially those who “don’t put up a fight.” It is the natural, reflexive reaction to the sudden awareness of a potential intrusion on our privacy, and it includes new scrutiny by individuals and enterprises as to whether they should entrust their data to US cloud vendors, who have already felt some impact on their rates of sales and churn.

As related news reports and editorials come online, they provoke a lot of comments that reflect public sentiment. These comments have expressed concern about the lack of transparency in federal policies and jurisdiction, and even outrage at what many believe to be unconstitutional surveillance.

But in the past week, public comments on news sites have started to incorporate a more balanced look at the situation. There is acknowledgement that US intelligence agencies are doing their jobs when they gather data on potential threats to national security, just as other governments do; that the NSA does not steal IP for economic gain as many other state agencies do; and that despite our deficiencies, the US agencies operate under tighter oversight than foreign agencies. Especially as Congress moves to improve transparency, there is a grudging awareness that US-based clouds may offer the best privacy, relatively.

But is it good enough to be simply less bad? As long as privacy remains a concern, there will be resistance to adoption of any public clouds, and, as the market leaders, US vendors will suffer.

Fortunately, cryptographic technology will ultimately make this issue largely moot for most cloud infrastructure, platforms and applications. To date, cloud vendors have been slow to implement proper cryptographic protocols, since demand has grown so quickly without it. But with the recent focus on privacy, SaaS, PaaS and IaaS providers must get around to implementing what they should have implemented years ago.

Specifically, data in the cloud must be encrypted using keys that are controlled by the customers who own them. So whether you use SalesForce, Box, Google Apps or Workday, you should have the option of encrypting your data both in transit and in storage, and although many cloud providers offer encryption today, they typically use one key for everyone, or at best they offer individual keys that are generated and controlled by the vendor.

The recent, notable exception is Amazon, whose CloudHSM service offers AWS customers access to Hardware Security Modules for key protection inside their cloud. It's time for others to follow Amazon's lead, so that customers can comply with their own regulations, data breaches will be far less catastrophic, and intelligence agencies will have to find new ways to snoop.

Until then, interim solutions from a new class of security startup — like CipherCloud, Vaultive, Vormetric, and Navajo (acquired by SalesForce) — enable you to encrypt your data before you send it to the cloud. Unfortunately, cloud providers cannot do much with encrypted data that they cannot decrypt: their applications cannot provide features such as sorting, fuzzy searches, and comparative metrics. CipherCloud and others have had to invent some kludgy workarounds (e.g. adding additional unencrypted index fields) with some but limited success. These solutions will be less compelling when clouds are properly secured.

For IaaS and PaaS vendors, the imperative to hand the keys to the customer is clear, but for SaaS providers, it's trickier, since their apps need to "borrow" the keys. For those customers who cannot tolerate even the smallest risk of exposure to those nation states with formidable cyber capabilities, tradeoffs will have to be made between security and features. There will also be tradeoffs in convenience, since mobile devices will need key management systems or VPNs. The most difficult application to secure would be one that requires sharing among individuals who do not typically have cryptographic keys, which is why Lavabit and Silent Circle just shuttered their secure email services (although I expect Phil Zimmermann will craft a workable solution in time).

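As an added illustration (not code from this post or from any of the vendors named above), here is what encrypt-before-upload with a customer-held key looks like, including the kind of extra index field the post mentions: the provider can answer an equality lookup on a keyed index, but it cannot read, sort, or fuzzy-search the ciphertext. To stay self-contained it uses only the Python standard library, so HMAC-SHA256 in counter mode stands in for a real cipher such as AES-GCM; that substitution, and the field and function names, are assumptions made here for the example.

```python
import hashlib
import hmac
import os

def _subkey(master: bytes, label: bytes) -> bytes:
    # Derive separate encryption, MAC and index keys from the customer's master key.
    return hmac.new(master, label, hashlib.sha256).digest()

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 as a PRF in counter mode: a stdlib stand-in for AES (use AES-GCM in practice).
    out = b""
    for counter in range(-(-length // 32)):
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]

def encrypt_field(master: bytes, plaintext: str) -> bytes:
    """Encrypt-then-MAC; returns nonce || ciphertext || tag. Randomised, so equal inputs differ."""
    nonce = os.urandom(16)
    data = plaintext.encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(_subkey(master, b"enc"), nonce, len(data))))
    tag = hmac.new(_subkey(master, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt_field(master: bytes, blob: bytes) -> str:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(master, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong key or tampered ciphertext")
    stream = _keystream(_subkey(master, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, stream)).decode()

def blind_index(master: bytes, value: str) -> str:
    # Deterministic keyed hash of the normalised value: the provider can test equality on it
    # but cannot recover the plaintext, sort by it, or run fuzzy searches.
    return hmac.new(_subkey(master, b"idx"), value.strip().lower().encode(), hashlib.sha256).hexdigest()

def prepare_upload(master: bytes, name: str, email: str) -> dict:
    """What the provider stores: ciphertext columns plus one index column per searchable field."""
    return {"name": encrypt_field(master, name), "email": encrypt_field(master, email),
            "email_idx": blind_index(master, email)}

def provider_find_by_email(stored: list, idx: str) -> list:
    # Provider side, with no key: an equality match on the index column is all it can do.
    return [row for row in stored if row["email_idx"] == idx]
```

Note that the index column leaks which rows share an email, which is exactly the limited, deliberate disclosure such workarounds trade for searchability.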
Cloud computing still promises compelling benefits, and US vendors have competed well on features and services, benefitting from deep and rapid innovation. But it's time now for them to properly defend their data, and market share, by attending to security. We should expect these cryptographic capabilities to generally come to market in 2015; until then, the forecast for the sector remains Partly Cloudy.