cloud security ely kahn
Post on 11-Nov-2014
Cloud Computing Security
Ely Kahn, April 2011
Executive Summary
• What is Cloud Security?
  – Cloud security refers to the policies, technologies, and controls deployed to protect data, applications, and the associated infrastructure of cloud computing (includes public and private clouds)
  – Cloud security is not focused on security products that leverage the cloud to deliver security services to a customer (although this is also an interesting area)
• Why is Cloud Security an attractive investment area?
  – Rapid growth of cloud computing
  – Security is a key reason why cloud computing is not growing even faster
  – Acquisition-hungry cloud infrastructure providers and information security providers looking to differentiate themselves
  – An active start-up community in this space
  – Data protection for the cloud as an attractive investment area moving forward
  – High Cloud Security, CipherCloud, and Navajo Systems as prime examples
There are 4 main types of risks that cloud security companies focus on
• Virtualization Security: Preventing cyber attacks on the hypervisor and virtual machines
• Cloud Security Governance: Providing cloud customers with deeper insights on where their data is stored and what security rules, policies, and configurations are being applied to them
• Identity and Access Management: Secure and federated access to multiple public and/or private clouds
• Data Protection: Identifying sensitive data and encrypting it or putting in place other protective measures to ensure its security
There are a variety of established players across these four functions
[Figure: vendor logos grouped under Virtualization Security, Cloud Security Governance, Identity and Access Management, and Data Protection]
A wide variety of VCs are investing in cloud security
Abbreviations: CSG = Cloud Security Governance, IAM = Identity and Access Management, DP = Data Protection, VS = Virtualization Security

Company | Description | Founded | Round | Amt | Date | Participating VCs
Symplified | IAM/CSG. Auditing and federated SSO. | 2006 | B | $9M | 2011 | Granite Ventures, Allegis Capital, Quest Software
Nimbula | CSG. Helps securely transition data centers to private clouds | 2008 | B | $15M | 2010 | Accel Partners, Sequoia Capital
Hytrust | CSG. Enables accountability, visibility and control | 2007 | B | $10.5M | 2010 | Granite Ventures, Cisco Systems, Trident Capital, Epic Ventures
SecureAuth | IAM. SSO and multifactor auth | 2005 | N/A | $3M | 2010 | Angel investors
Appirio | CSG. Unifies security policies across cloud applications | 2006 | C | $10M | 2009 | Granite Ventures, Sequoia Capital
Reflex Systems | CSG. Integrates security, compliance, and management | 2008 | A | $8.5M | 2009 | RFA Management Co.
Cloudswitch | CSG/DP. Move applications securely to the cloud via VPN | 2008 | B | $8M | 2009 | Atlas Venture, Commonwealth Capital Ventures, Matrix Partners
Conformity | IAM. Auditing and federated SSO. | 2007 | A | $3M | 2009 | Guggenheim Venture Partners
Perspecsys | DP. Sensitive data not transmitted to the cloud | 2006 | A | N/A | 2007 | Growthworks (Canadian)
Acquirers include both traditional infosec companies and cloud infrastructure providers

Company | Description | Acquirer | Date | Price
ArcSight | CSG. Global provider of security and compliance management | HP | 2010 | $1.5B
Arcot | IAM. The industry’s largest cloud-based authentication system | CA | 2010 | $200M
TriCipher | IAM. Multifactor authentication | VMware | 2010 | ~$200M
Altor Networks | VS. A hypervisor-based virtual firewall to protect cloud applications | Juniper | 2010 | $95M
3Tera | CSG. Helps companies build private clouds quickly and securely | CA | 2010 | $18M
Rohati Networks | IAM. Helps companies control who has access to data using context information | Cisco | 2009 | N/A
Third Brigade | CSG/VS. Firewalls, IDS, and security policy enforcement for virtualized environments | Trend Micro | 2009 | N/A
Blue Lane | VS. Removes malicious content from network traffic before it reaches your virtual servers | VMware | 2008 | $15M
The growing importance of cloud security concerns…
… will lead to increased cloud security spending
• Cloud Security will grow to a $1.5B market by 2015
• Cloud Security will capture 5% of IT security technology spending
  – Source: Forrester
Note: Gartner recently estimated cloud spending to be 3.5x the IDC estimate by 2014
[Figures: Cloud Computing Market Size; Cloud Security Market Size]
Most of the investments and acquisitions to date have been focused on CSG and IAM…
• Identified Cloud Security Investments
  – 6 addressed Cloud Security Governance functions
  – 3 addressed Identity and Access Management functions
  – 2 addressed Data Protection
  – 0 addressed Virtualization Security
• Identified Cloud Security Acquisitions
  – 3 addressed Cloud Security Governance functions
  – 3 addressed Identity and Access Management functions
  – 3 addressed Virtualization Security functions
  – 0 addressed Data Protection
… but moving forward, data protection will be the big play
[Figure: 2x2 chart of Strength of Competition (High/Low) against Security Effectiveness (High/Low), positioning DP, CSG, VS and IAM]
Cloud Security Investment Thesis
• Cloud Data Protection companies will be attractive investments for VCs moving forward
• Things to look for in Cloud Data Protection companies:
  – Novel encryption/tokenization approaches that are “defensible” from competitors
  – Keys should be stored at a trusted third party or at the client side (not with the cloud provider)
  – Strong knowledge of cloud provider architectures
  – A focus on low latency, high customer service, and ease of use
  – Experience in enterprise sales
  – Entrepreneurs with a proven track record in information security
• The most likely exit is to a traditional information security provider, cloud provider, or cloud infrastructure provider
• Examples of high-potential start-ups are described on the following slides
High Cloud Security is a stealth-mode start-up that is recommended for investment
• Leadership
  – Founded by 25-plus-year Silicon Valley veterans (IBM/ISS, Veritas, Hytrust, etc.)
  – Specialties in security, storage, encryption, and operating-system kernel internals
  – The founders have assembled a team of senior engineers, each with over 20 years of experience
• Technology
  – The solution safely encapsulates any server's VM image so it is protected from unauthorized exposure throughout its lifecycle.
  – This protection applies inside the data center as well as when the VM is being run on a remote host or in the Cloud.
  – With High Cloud, if a VM were lost or stolen, an unauthorized user could not run it or dissect it to expose sensitive data; only authenticated and authorized users can execute the VM, with an audit trail of its use.
  – Is independent of and works with all VMs and applications
  – Technology is patent pending
• Current Status
  – Currently in stealth mode
  – Shipping beta product in April 2011; currently looking to raise capital (~$4M)
  – www.highcloudsecurity.com
CipherCloud is a bootstrapped start-up that is recommended for investment
• CipherCloud provides customers with a web-proxy gateway that transparently encrypts sensitive data before it’s sent to SaaS/PaaS applications in the cloud. The encryption key remains only with the customer.
• Named Finalist for “Most Innovative Company” at RSA® Conference 2011
• Salesforce.com’s AppExchange partner ecosystem member
• Beta is out now; final release expected in March
• Looking for funding in the Q3 timeframe; hoping to raise about $5M
• Patent-pending encryption/tokenization approach
• Hired ex-Salesforce employees to gain inside knowledge of the application
• Founded in 2010 by Pravin Kothari, a serial entrepreneur who was previously co-founder of ArcSight ($1.5B exit)
Navajo Systems is a seed-stage Israeli start-up recommended for investment
• Founded in 2009 by a US-educated Israeli entrepreneur
• Received an unnamed amount of seed funding from Jerusalem Venture Partners in 2009
• Named Finalist for “Most Innovative Company” at RSA® Conference 2010
• Member of IBM cloud partner ecosystem
• Virtual Private SaaS (VPS) can be implemented as an appliance installed on the corporate network or as a service hosted by Navajo Systems or a third-party service provider
• Encrypts/decrypts sensitive data via a web proxy, and encryption does not affect performance within the application
• Has solutions for various SaaS providers including Google, Salesforce, Oracle, etc.
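CipherCloud, Navajo Systems and Perspecsys all put a gateway between the enterprise and the SaaS application so that sensitive fields leave the network only in protected form and the key never reaches the cloud provider, which is also the key-placement criterion in the investment thesis above. The following is an added example, not code from any of those companies or from this deck, of the simplest form of that design: a client-side tokenization gateway written against the Python standard library. The record layout, field names, the FIELD_POLICY table and the TokenVault/outbound/inbound functions are assumptions made for illustration, and it uses tokenization (random tokens, plus a keyed HMAC for fields that must stay searchable) in place of the products' own patent-pending encryption schemes.

```python
"""Client-side tokenization gateway for a SaaS application.

Constructed example, not code from CipherCloud, Navajo Systems or
Perspecsys. Field names, record shapes and the policy table below are
assumptions made for illustration.
"""
import hashlib
import hmac
import json
import secrets


class TokenVault:
    """Holds the customer's key and the token->plaintext map on-premises.

    The SaaS provider only ever sees the tokens it is handed; the vault,
    and therefore the key, never leaves the customer's network.
    """

    def __init__(self, key: bytes):
        self._key = key
        self._store = {}  # token -> plaintext, kept only on the client side

    def tokenize(self, value: str, searchable: bool) -> str:
        if searchable:
            # Deterministic token (keyed HMAC): equal plaintexts map to the
            # same token, so the SaaS can still do exact-match search and
            # grouping. The price is that equality of values is revealed
            # to the provider.
            digest = hmac.new(self._key, value.encode("utf-8"), hashlib.sha256).hexdigest()
            token = "tok_" + digest[:32]
        else:
            # Random token: nothing about the plaintext, not even whether two
            # records share a value, is visible in the cloud.
            token = "tok_" + secrets.token_hex(16)
        self._store[token] = value
        return token

    def detokenize(self, token: str) -> str:
        return self._store.get(token, token)  # unknown tokens pass through unchanged


# Assumed policy: fields the gateway must keep out of the cloud, and whether
# the SaaS still needs to search on them.
FIELD_POLICY = {
    "ssn": {"searchable": False},
    "email": {"searchable": True},
}


def outbound(record: dict, vault: TokenVault) -> dict:
    """Rewrite a record on its way to the SaaS: sensitive fields -> tokens."""
    out = dict(record)
    for field, policy in FIELD_POLICY.items():
        if out.get(field) is not None:
            out[field] = vault.tokenize(str(out[field]), policy["searchable"])
    return out


def inbound(record: dict, vault: TokenVault) -> dict:
    """Rewrite a record coming back from the SaaS: tokens -> plaintext."""
    out = dict(record)
    for field in FIELD_POLICY:
        if isinstance(out.get(field), str) and out[field].startswith("tok_"):
            out[field] = vault.detokenize(out[field])
    return out


def leaks_plaintext(sent: dict, original: dict) -> bool:
    """True if any protected field's plaintext appears anywhere in the sent record."""
    blob = json.dumps(sent)
    return any(str(original[f]) in blob for f in FIELD_POLICY if f in original)


def demo() -> dict:
    vault = TokenVault(secrets.token_bytes(32))  # key generated and kept on-prem
    # Constructed sample records (not real people).
    customers = [
        {"id": 1, "name": "A. Example", "ssn": "123-45-6789", "email": "a@example.com"},
        {"id": 2, "name": "B. Example", "ssn": "987-65-4321", "email": "a@example.com"},
    ]
    sent = [outbound(c, vault) for c in customers]  # what the SaaS stores
    back = [inbound(s, vault) for s in sent]        # what the user sees again
    return {
        "sent": sent,
        "round_trip_ok": back == customers,
        "no_leak": not any(leaks_plaintext(s, c) for s, c in zip(sent, customers)),
        # equality of the searchable field survives tokenization...
        "email_tokens_equal": sent[0]["email"] == sent[1]["email"],
        # ...while random tokens give the provider no such signal
        "ssn_tokens_equal": sent[0]["ssn"] == sent[1]["ssn"],
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The searchable flag is where the claim that "encryption does not affect performance within the application" gets paid for: a deterministic token keeps exact-match search and grouping working inside the SaaS but tells the provider which records share a value, whereas a random token leaks nothing but breaks search, sort and substring queries on that field. That choice has to be made per field, and the vault (or, for an encrypting gateway, the key) needs the same backup and availability treatment as the data itself, since losing it makes everything stored in the cloud unrecoverable.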
APPENDIX
Interviewed Companies
[Figure: logos of interviewed companies]
Cloud computing (public or private) is comprised of a stack of technologies
Layers (as listed on the slide):
• Applications
• App Middleware
• Dev/Test Tools: Used to help develop and debug cloud applications – namely, a development environment
• VM Management: This suite of applications provides value-add on top of public cloud providers (e.g. Amazon) with extended management dashboards as well as hypervisor console extensions
• Storage and Data: Provided as a part of a storage-centric public cloud service or as components for building your private cloud
• Hypervisor: A virtualization technique which allows multiple operating systems, termed guests, to run concurrently on a host computer
• OS: Provides common services for efficient execution of various application software
• Cloud Provisioning: Automates the creation of datacenter cloud installations (whether for private or public usage)
• Public Cloud: Amazon, Google, Rackspace, Terremark, GoGrid
• Enterprise SaaS (external and internal): Tightly integrates with the enterprise application layer, often augmenting it
Source: http://jameskaskade.com/?p=388 March 2009
There are security issues at each layer of the stack but some are more interesting than others
• Applications: Standard application security issues
• App Middleware: Identity and access management needs
• Dev/Test Tools: Code-scanning tools
• VM Management: Provides security-related info for configuration management, monitoring, and auditing
• Storage and Data: Provides back-up and disaster recovery
• Hypervisor: An entirely new layer of very sensitive software to protect (e.g., “VM hopping”); added patch management complexity
• OS: Not unique to cloud computing; rootkits, buffer overflows, privilege escalation, etc.; addressed through patches, firewalls, IPS
• Cloud Provisioning: Security issues connected to configuration management
• Public Cloud: Physical security of hardware, lack of standards, privacy laws, etc.
Cloud Security Market Opportunity equals Cloud Risk Severity times Strength of Competition
(Opportunity = Severity × Competition)

Cloud Risk | Discussion | Severity | Competition | Opportunity
Isolation Failure | This risk category covers the failure of mechanisms separating storage, memory, routing and even reputation between different tenants. However, it should be considered that attacks against hypervisors are still less numerous and more difficult than attacks on traditional OSs. | 2 | 3 | 6
Incomplete Data Deletion | When a request to delete a cloud resource is made, this may not result in true wiping of the data. In the case of multiple tenancies this represents a higher risk to the customer than with dedicated hardware. | 2 | 3 | 6
Mgmt. Interface | Customer management interfaces of a public CP are accessible through the Internet and mediate access to larger sets of resources and therefore pose an increased risk, especially when combined with web browser vulnerabilities. | 3 | 2 | 6
Data Protection | It may be difficult for the cloud customer to check the data handling practices of the cloud provider and thus to be sure that the data is handled in a lawful way. This problem is exacerbated in cases of multiple transfers of data, e.g., between federated clouds. | 2 | 2 | 4
Compliance Risks | Investment in achieving certification (e.g., industry standard or regulatory requirements) may be put at risk by migration to the cloud. | 1 | 2 | 2
Loss of Governance | In using cloud infrastructures, the client necessarily cedes control to the Cloud Provider (CP) on a number of issues which may affect security. Also, SLAs may not offer a commitment to provide such services. | 2 | 1 | 2
Malicious Insider | While usually less likely, the damage which may be caused by malicious insiders is often far greater. Cloud architectures necessitate certain roles which are extremely high-risk. | 1 | 1 | 1
Source: European Network and Information Security Agency, “Cloud Computing: Benefits, Risks and Recommendations for Information Security,” November 2009.
There are other information security trends and start-ups that are noteworthy but not covered here
• Use of Web 2.0 technologies in the workplace
  – Socialware: Middleware to monitor social media usage
• Leveraging virtualization technologies to better protect desktops
  – Invincea: Sandboxing the browser
• Information security for the internet of things
  – Mocana: Smart Grid, embedded devices, etc.
• Leveraging massive amounts of web data and improved processing power to better protect enterprises
  – Endgame Systems: Building IP trust scores
  – CloudFlare: Advanced protection for SMB
Post-‐PC devices (including smartphones) are now surpassing PC devices
The consumerization of IT is introducing new security issues
• 56% of enterprises allow personally owned smartphones to access company resources
• A recent study showed that 10% of Android applications analyzed contained three or more dangerous security permissions
• Enterprise device management is burdened by a high diversity of devices (Blackberry, Android, iPhone, Windows, Palm) and a relatively immature device management vendor community
• Legal requirements for data ownership and privacy boundaries on personally owned devices are still unclear
• On the other hand, mobile operating systems are more stripped down than PCs, apps run in sandboxes, and apps must be signed for use on smartphones (all good for security)
Source: Forrester. “Security in the Post-PC Era: Controlled Chaos.” October 14, 2010.
Smartphones are now capable of enabling strong authentication processes
• Smartphones now have enough computing speed and memory capacity to handle PKI without much burden
• Certificate issuance and management is more affordable
• SIM cards are now capable of cryptoprocessing (e.g., private key on the chip)
• Foreign examples of using smartphone-based authentication for banking (authentication) and government services (digital signatures)
Stolen devices and mobile spyware are the highest risks for smartphones
Source: Forrester. “Security in the Post-PC Era: Controlled Chaos.” October 14, 2010.
There are three primary types of smartphone security start-ups that are of interest
• This investment thesis focuses on three areas of Smartphone Security:
  – Mobile Device Management (MDM): Software that monitors, manages and supports mobile devices deployed across an enterprise; typically includes data and configuration settings, encryption and wipe for all types of mobile devices
  – Smartphone Malware Protection (SMP): Anti-virus/anti-spyware protection for smartphones
  – Smartphone Authentication (SA): Utilizing the smartphone hardware and/or software for multifactor authentication
• Taken together, these three areas will comprise a $1–2 billion market in the coming years
Recent Smartphone Security Investments (by type)

Company | Type | Founded | Round | Date | Amount | Investors
SurIDx | MDM | 2006 | A | 2009 | $1.695M | N/A
Boxtone | MDM | 2005 | B | 2010 | $7.5M | Lazard Technology Partners
Mobileiron | MDM | 2007 | C | 2010 | $16M | Sequoia Capital, Norwest Venture Partners, Storm Ventures
Zenprise | MDM | 2003 | N/A | 2010 | $9M | Rembrandt Venture Partners, Ignition Partners, Bay Partners, Mayfield Fund, Shasta Ventures
Fat Skunk | SMP | 2010 | Seed | 2010 | N/A | N/A
Lookout | MDM, SMP | 2009 | B | 2010 | $11M | Khosla Ventures, Trilogy Equity Partnership, Accel Management
Sipera Systems | MDM, SMP | 2003 | N/A | 2010 | $10.2M | S3 Ventures, Sequoia Capital, Austin Ventures, Duchossois Technology Partners, Star Ventures
FireID | SA | 2005 | A | 2010 | $6.4M | 4Di Capital (South African)
Koolspan | SA | 2003 | C | 2008 | $7.1M | New York Angels, Rose Tech Ventures, Security Growth Partners
Mocana | MDM, SMP, SA | 2008 | C | 2008 | $7M | Shasta Ventures, Southern Cross Venture Partners, Bob Pasker
Recent Smartphone Security Exits (by type)

Company | Date | Type | Amount | Acquirer
Trust Digital | 2010 | MDM | N/A | McAfee
sMobile | 2010 | MDM, SMP | $70M | Juniper
Droid Security | 2010 | SMP | $9.4M | AVG
tenCube | 2010 | MDM | N/A | McAfee
InterNoded | 2009 | MDM | N/A | Tangoe
Verisign | 2010 | SA | $1.28B | Symantec
Mobile Armor | 2010 | MDM | N/A | Trend Micro
Duo Security is a bootstrapped smartphone security start-up that is recommended for investment
• Leadership
  – Dug Song is the well-respected founder of Arbor Networks, which had a large exit in 2010
• Technology
  – SaaS-based Multi-Factor Authentication (MFA) service
  – Focus on cost effectiveness and customer interface, which they believe are the main factors that have prevented MFA from being adopted
• Current Status
  – Was operating in stealth mode until December 2010
  – Product is in beta stage
  – http://www.duosecurity.com/