Author: Andrew Manoske, Guest Contributor

  • Hacking Sand Hill: How the cloud will help security startups lure VCs

    The computer security industry is far from an easy place to build a successful startup. Security has traditionally been controlled by a small group of established firms that maintain a vice-like grip on the major IT sales channels. And understandably, big ticket customers like the military and large enterprise can be hard to sell into for startups. The technology in fields such as encryption and intrusion detection is complex and arcane, and often requires expensive certifications.

    But even in the face of such challenges security remains a hot field and offers opportunities for startups. So-called endpoint security for consumers was a $4.9 billion market in 2012, according to IDC, and enterprise security software and hardware is roughly $31.4 billion worldwide. In the past two years there have been over $12 billion in security acquisitions, with many of the notable exits in 2011 and 2012 having hit north of $800 million.

    It’s also a disruptive field. Security is constantly evolving to confront the mercurial world of hackers and cybercriminals. With the proliferation of professional financial cybercrime and high-profile state-sponsored hacking, modern adversaries for information security are incredibly sophisticated. The rise of this generation of hackers creates a demand for new and better security technologies, and two fields in particular are currently big areas of interest for Sand Hill VCs.

    Cloud and next-gen infrastructure security

    Cloud and infrastructure security refers to the hardware and software associated with protecting modern IT infrastructures. As more businesses move workloads to the cloud, critical financial and personal data travels across the public internet and sits on servers outside the company's own datacenter. Securing that data in flight to the cloud and at rest off-site is mission critical.

    VCs will be heavily investing in hardware and software in this field because it shares complementary demand with the success for cloud computing; as companies demand the flexibility and cost-savings of the cloud, they will also require next-generation security built to secure the infrastructure of public and hybrid-cloud environments.

    This is a hard area for startups to play in. Proving compliance with demanding and frequently changing regimes like PCI-DSS, or earning certifications such as Common Criteria, is a difficult and often expensive endeavor. As a result of these high barriers to entry, systems incumbents such as NetApp and Oracle have an advantage.

    But several new startups in this space have navigated these issues by engaging established veterans and shipping a focused but superior feature set. These include encryption-focused CipherCloud and the back-end infrastructure-focused CloudPassage. (Note: I have no financial or professional relationship with these or any of the other companies mentioned in this article.) Both CipherCloud and CloudPassage augment the security of an existing IT infrastructure and specifically target bringing compliance-grade security to hybrid cloud environments. Compliance is a serious and expensive issue for the enterprise, and these veteran-led startups are attractive to VCs because they provide an economical but well-monetized alternative to purely consulting-based solutions.

    Intrusion detection and prevention systems

    Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) refer to software and hardware that spot attacks in real time as an attacker attempts to compromise a system; an IDS alerts on what it sees, while an IPS sits inline and can also block the traffic. These fields aren't new, but with the advent of this generation of sophisticated attackers and widespread interest in big data analysis, IDS and IPS are quickly becoming a hot topic for VCs.

    A great example of IDS/IPS success can be seen in Silver Tail Systems. Acquired late last year by EMC, Silver Tail used behavioral analytics to detect attacks from the outside and even internal attacks launched from compromised accounts. VCs liked that Silver Tail's tech was managed by a team of industry veterans and that from the beginning they closed deals with large enterprises.

    Late-stage starlet FireEye seems poised for success by employing the same formula. Their late 2012 hire of ex-McAfee CEO Dave DeWalt and success in traditional security verticals like US DoD, US federal, and large financial have well prepared the company for their imminent IPO.

    SF-based CloudFlare can also be considered an IDS/IPS company. CloudFlare intercepts and sifts traffic to a site through an analysis engine to improve performance and protect websites from modern attacks like Distributed Denial of Service (DDoS) and Cross-Site Request Forgery (CSRF). CloudFlare protects a significant measure of the internet and remains on the watch list for nearly every VC on Sand Hill.

    CloudFlare’s frictionless sales model is also an interesting point for VCs. Bucking the traditional IT model of inside/outside sales teams, infrastructure companies like CloudFlare and New Relic let customers purchase directly through their sites. This decreases sales cycle time and increases margins – both key diligence metrics for VCs. In a busy space like IPS/IDS (or IT in general), a positive difference like a unique sales architecture helps a startup distinguish itself in the eyes of investors.

    Finding an edge

    As a security startup you can do a few things to improve your chances of closing your round. Make sure your team is led by veterans who know how to build and sell into your verticals (or actively recruit them). Also, align your company with sectors that have complementary demand with big tech trends.

    And, as in any industry, attack big problems that people are willing to pay lots of money to solve.

    Andrew “Andy” Manoske is an Associate at GGV Capital, a Sand Hill and Shanghai-based venture capital firm. Prior to GGV, he was a product manager at NetApp and managed the design of security features across the company’s entire product line. Follow him on Twitter @a2d2.




  • Where Kim Dotcom and Mega have the edge on Dropbox and Box.net

    As a world (in)famous technologist with the literal last name “Dotcom,” Kim Dotcom is a man whose swag is matched only by the damages sought against him by the U.S. government. His filesharing site Megaupload was long the ire of record companies and movie studios, who say it was a massive and sprawling repository of pirated content.

    If the accusations are true, it was one of the more successful pirate operations in history. At its peak, Megaupload saw approximately 7 percent of internet traffic and grossed over $150 million in annual revenue. But Megaupload’s incredible run ended in January 2012 when the FBI forcefully took down the site and sought Kim’s extradition from New Zealand to face a litany of criminal charges.

    Of course, you can’t expect to keep a guy with the last name Dotcom down, and sure enough he recently announced the relaunch of a Megaupload redux dubbed Mega. Only this time Mega is a security- and privacy-conscious file-sharing service that audaciously targets storage industry magnates like Dropbox and Box.net.

    And loathe as some of us may be to admit it, he just may be on to something. Mega differentiates itself by embracing client-side encryption: generating and storing the keys on a user’s local machine rather than encrypting everything in the cloud. The result of such client-side encryption is not only a far more secure product – and a security practice the industry should embrace – but a significant reduction in cost and legal liability for Mega and other cloud storage providers that use this architecture.

    How Mega is different

    Security is one of the biggest inhibitors to cloud adoption. Yielding sensitive data to a third party over the public internet continues to be a dealbreaker for many medium- to large-scale enterprises, with their desire for privacy and concerns of regulatory and legal exposure.

    In the movement to the cloud, data is exposed to attack or compromise at two points: in flight (while it is being transmitted over the security no-man’s land of the public internet) and at rest (while it physically sits on servers within the cloud system). At both points there are myriad threats that could allow that data to be stolen or compromised.

    Mega employs cryptography to protect data both in flight and at rest. Now by all means, using encryption to protect data in flight isn’t really game changing. Like most security-conscious sites, Mega wraps communication between its users and its servers in Secure Sockets Layer (SSL), today more precisely TLS.

    But Mega is unusual in its approach to encryption at rest. Rather than encrypting a client’s data and storing the keys within Mega’s infrastructure, Mega pushes the cryptography back to its users. Mega users encrypt their own data before sending it to Mega’s servers, and keep the keys locally, so that even Mega can’t read their data – or be forced to yield it to authorities.

    While this sounds like a feature tailored solely to the needs of a company that will frequently find itself on the receiving end of a subpoena, the desire to have users keep their own keys and send data as encrypted “ciphertext” (rather than unencrypted “plaintext”) is actually shared by mainstream small businesses and enterprises alike.

    Benefit for providers

    Having cloud providers hold ciphertext and having users handle their own encryption and keep their own keys makes sense on both sides of the fence.

    In an architecture where customers are responsible for their own encryption and key management, significant legal liabilities are lifted from the service provider. Customers assume liability for the selection and correct implementation of encryption algorithms – a critical concern for compliance regimes like PCI-DSS that incorporate strict rules on cryptography. The provider does not escape responsibility entirely, though: if it ships the encryption code itself, as a browser-based service does, a flaw in that code is still its flaw.

    By having their customers manage keys locally, service providers can also significantly reduce costs. Many modern PCs incorporate a Trusted Platform Module (TPM) – a hardware device that can safely hold cryptographic keys for prolonged periods of time. Storing a key locally in a TPM is relatively costless for the customer (with the caveat that a key that lives only on one device is lost with that device unless it is backed up), whereas safely storing keys en masse in the cloud requires expensive key management servers.

    The cost of encryption

    Encryption is also still not a costless process. By pushing customers to encrypt and decrypt their own data, cloud providers can redirect the significant compute time required for cryptography towards providing a higher quality of service for their customers.

    For customers, sending only ciphertext to the cloud and keeping keys locally has real benefits beyond peace of mind. If a cloud services provider is ever hacked, the customer’s data cannot be decrypted with anything in the provider’s own security infrastructure. There’s no master key store on the provider’s side for an attacker to break into. Customer data on the service provider remains locked in ciphertext, encrypted with a symmetric key algorithm under a key only the customer holds.

    It’s important to note, though, that there are consequences to moving to a client-side encryption architecture. For instance, when customers send only ciphertext to the cloud, popular means of reducing the on-disk footprint of data such as deduplication (in short, a process where duplicate copies of files, or of parts of files, are deleted and replaced with a “pointer” to a single stored instance) are generally rendered impossible: two users who encrypt the same file under independent keys produce two unrelated ciphertexts that the server cannot recognize as the same file.

    It’s also important to note that, for the server to dedupe data encrypted by the client, the client must give up something derived from the plaintext – in the usual “convergent encryption” design, the key itself is derived from a hash of the file, so identical files produce identical ciphertexts. That is exactly the information an attacker, or the provider, needs to test whether a given user holds a particular known file. The fact that Mega appears to perform client-side encryption with deduplication is therefore a red flag to many security cognoscenti, and may even be a sign that Mega has more visibility into its clients’ data than it otherwise claims.

    Holes in Mega’s strategy

    Mega’s security infrastructure is far from perfect. Its decision to handle cryptography in browser-based JavaScript has already earned widespread criticism: the browser runs whatever code the server sends it, so the “even Mega can’t read it” guarantee holds only as long as Mega, or anyone who compromises its servers, never ships a modified script. Critics have also pointed to implementation issues in how Mega generates keys for users; weak key generation lets an attacker recover the key rather than break the cipher, which is a far easier route to the plaintext than attacking the encryption itself.

    Regardless, to give credit where it’s due, Kim Dotcom’s decision to push encryption to the client is an impressively forward-thinking maneuver that should be replicated by Dropbox and other cloud storage providers. Client-side encryption makes financial and legal sense for customers and service providers, helping to enable even regulatory compliance-bound customers to embrace cloud computing at scale.

