The document discusses cloud computing security. It defines cloud security as the policies, technologies, and controls used to protect data, applications, and infrastructure in cloud computing environments. The document notes that cloud security is an attractive investment area due to the rapid growth of cloud computing and concerns about security. It also summarizes that most investments and acquisitions in cloud security to date have focused on cloud security governance and identity and access management functions.

2. Executive Summary
• What is Cloud Security?
– Cloud security refers to the policies, technologies, and controls deployed to protect data, applications, and the associated infrastructure of cloud computing (includes public and private clouds)
– Cloud security is not focused on security products that leverage the cloud to deliver security services to a customer (although this is also an interesting area)
• Why is Cloud Security an attractive investment area?
– Rapid growth of cloud computing
– Security as a key concern why cloud computing is not growing even faster
– Acquisition-hungry cloud infrastructure providers and information security providers looking to differentiate themselves
– An active start-up community in this space
– Data protection for the cloud as attractive investment area moving forward
– High Cloud Security, CipherCloud, and Navajo Systems as prime examples

3. There are 4 main types of risks that cloud security companies focus on
• Virtualization Security: Preventing cyber attacks on the hypervisor and virtual machines
• Cloud Security Governance: Providing cloud customers with deeper insights on where their data is stored and what security rules, policies, and configurations are being applied to them
• Identity and Access Management: Secure and federated access to multiple public and/or private clouds
• Data Protection: Identifying sensitive data and encrypting it or putting in place other protective measures to ensure its security

4. There are a variety of established players across these four functions
• Virtualization Security
• Cloud Security Governance
• Identity and Access Management
• Data Protection

5. A wide variety of VCs are investing in cloud security
Company | Description | Founded | Round | Amt | Date | Participating VCs
Symplified | IAM/CSG. Auditing and federated SSO. | 2006 | B | $9M | 2011 | Granite Ventures, Allegis Capital, Quest Software
Nimbula | CSG. Helps securely transition data centers to private clouds | 2008 | B | $15M | 2010 | Accel Partners, Sequoia Capital
Hytrust | CSG. Enables accountability, visibility and control | 2007 | B | $10.5M | 2010 | Granite Ventures, Cisco Systems, Trident Capital, Epic Ventures
SecureAuth | IAM. SSO and multifactor auth | 2005 | N/A | $3M | 2010 | Angel investors
Appirio | CSG. Unifies security policies across cloud applications | 2006 | C | $10M | 2009 | Granite Ventures, Sequoia Capital
Reflex Systems | CSG. Integrates security, compliance, and management | 2008 | A | $8.5M | 2009 | RFA Management Co.
Cloudswitch | CSG/DP. Move applications securely to the cloud via VPN | 2008 | B | $8M | 2009 | Atlas Venture, Commonwealth Capital Ventures, Matrix Partners
Conformity | IAM. Auditing and federated SSO. | 2007 | A | $3M | 2009 | Guggenheim Venture Partners
Perspecsys | DP. Sensitive data not transmitted to the cloud | 2006 | A | N/A | 2007 | Growthworks (Canadian)

6. Acquirers include both traditional infosec companies and cloud infrastructure providers
Company | Description | Acquirer | Date | Price
ArcSight | CSG. Global provider of security and compliance management | HP | 2010 | $1.5B
Arcot | IAM. The industry’s largest cloud-based authentication system | CA | 2010 | $200M
TriCipher | IAM. Multifactor authentication | VMware | 2010 | ~$200M
Altor Networks | VS. A hypervisor-based virtual firewall to protect cloud applications | Juniper | 2010 | $95M
3Tera | CSG. Helps companies build private clouds quickly and securely | CA | 2010 | $18M
Rohati Networks | IAM. Helps companies control who has access to data using context information | Cisco | 2009 | N/A
Third Brigade | CSG/VS. Firewalls, IDS, and security policy enforcement for virtualized environments | Trend Micro | 2009 | N/A
Blue Lane | VS. Removes malicious content from network traffic before it reaches your virtual servers | VMware | 2008 | $15M

8. … will lead to increased cloud security spending
[Charts: Cloud Computing Market Size; Cloud Security Market Size]
• Cloud Security will grow to a $1.5B market by 2015
• Cloud Security will capture 5% of IT security technology spending
– Source: Forrester
Note: Gartner recently estimated cloud spending to be 3.5x the IDC estimate by 2014

9. Most of the investments and acquisitions to date have been focused on CSG and IAM…
• Identified Cloud Security Investments
– 6 addressed Cloud Security Governance functions
– 3 addressed Identity and Access Management functions
– 2 addressed Data Protection
– 0 addressed Virtualization Security
• Identified Cloud Security Acquisitions
– 3 addressed Cloud Security Governance functions
– 3 addressed Identity and Access Management functions
– 3 addressed Virtualization Security functions
– 0 addressed Data Protection

10. … but moving forward, data protection will be the big play
[Chart: DP, CSG, VS, and IAM plotted by Strength of Competition (Low to High) and Security Effectiveness (Low to High)]

11. Cloud Security Investment Thesis
• Cloud Data Protection companies will be attractive investments for VCs moving forward
• Things to look for in Cloud Data Protection companies:
– Novel encryption/tokenization approaches that are “defensible” from competitors
– Keys should be stored at a trusted third party or at the client side (not with the cloud provider)
– Strong knowledge of cloud provider architectures
– A focus on low latency, high customer service, and ease of use
– Experience in enterprise sales
– Entrepreneurs with a proven track record in information security
• Potential exit to traditional information security provider, cloud provider, or cloud infrastructure provider most likely
• Examples of high potential start-ups are described on the following slides

12. High Cloud Security is a stealth-mode start-up that is recommended for investment
• Leadership
– Founded by 25-plus-year Silicon Valley veterans (IBM/ISS, Veritas, Hytrust, etc.)
– Specialties in security, storage, encryption, and operating-system kernel internals
– The founders have assembled a team of senior engineers, each with over 20 years of experience
• Technology
– The solution safely encapsulates any server's VM image so it is protected from unauthorized exposure throughout its lifecycle.
– This protection applies inside the data center as well as when the VM is being run on a remote host or in the Cloud.
– With High Cloud, if a VM were lost or stolen, an unauthorized user could not run it or dissect it to expose sensitive data; only authenticated and authorized users can execute the VM, with an audit trail of its use.
– Is independent of and works with all VMs and applications
– Technology is Patent Pending
• Current Status
– Currently in stealth mode
– Shipping beta product in April 2011; currently looking to raise capital (~$4M)
– www.highcloudsecurity.com

13. CipherCloud is a bootstrapped startup that is recommended for investment
• CipherCloud provides customers with a web-proxy gateway that transparently encrypts sensitive data before it’s sent to SaaS/PaaS applications in the cloud. Encryption key remains only with customers.
• Named Finalist for "Most Innovative Company at RSA® Conference 2011"
• Salesforce.com’s AppExchange - partner ecosystem member
• Beta is out now; final release expected in March
• Looking for funding in the Q3 timeframe; hoping to raise about $5M
• Patent-pending encryption/tokenization approach
• Hired ex-Salesforce employees to gain inside knowledge of the application
• Founded in 2010 by Pravin Kothari, who is a serial entrepreneur; was previously co-founder of ArcSight ($1.5B exit)

14. Navajo Systems is a seed-stage Israeli start-up recommended for investment
• Founded in 2009 by a US-educated Israeli entrepreneur
• Received unnamed amount of seed funding from Jerusalem Venture Partners in 2009
• Named Finalist for "Most Innovative Company at RSA® Conference 2010"
• Member of IBM cloud partner ecosystem
• Virtual Private SaaS (VPS) can be implemented as an appliance installed on the corporate network or as a service hosted by Navajo Systems or a third-party service provider
• Encrypts/decrypts sensitive data via a web proxy and encryption does not affect performance within the application
• Has solutions for various SaaS providers including Google, Salesforce, Oracle, etc.

17. Cloud computing (public or private) is comprised of a stack of technologies
• Applications: Enterprise SaaS (external and internal)
• App Middleware: Tightly integrate with enterprise application layer, often augmenting it
• Cloud Provisioning: Automate the creation of datacenter cloud installations (whether for private or public usage).
• Public Cloud: Amazon, Google, Rackspace, Terremark, GoGrid
• Dev/Test Tools: Used to help develop and debug cloud applications – namely, a development environment
• VM Management: This suite of applications provides value-add on top of public cloud providers (e.g. Amazon) with extended management dashboards as well as hypervisor console extensions
• Storage and Data: Provided as a part of a storage-centric public cloud service or as components to building your private cloud
• Hypervisor: A virtualization technique which allows multiple operating systems, termed guests, to run concurrently on a host computer
• OS: Provides common services for efficient execution of various application software
Source: http://jameskaskade.com/?p=388 March 2009

18. There are security issues at each layer of the stack but some are more interesting than others
• Applications: Standard application security issues
• App Middleware: Identity and access management needs
• Cloud Provisioning: Security issues connected to configuration management
• Public Cloud: Physical security of hardware, lack of standards, privacy laws, etc.
• Dev/Test Tools: Code-scanning tools
• VM Management: Provides security-related info for configuration management, monitoring, and auditing
• Storage and Data: Provides back-up and disaster recovery
• Hypervisor: An entirely new layer of very sensitive software to protect (e.g., “VM hopping”); added patch management complexity
• OS: Not unique to cloud computing; rootkits, buffer overflows, privilege escalation, etc.; addressed through patches, firewalls, IPS

19. Cloud Security Market Opportunity equals Cloud Risk Severity times Strength of Competition
Cloud Risk | Discussion | Severity | Competition | Opportunity
Isolation Failure | This risk category covers the failure of mechanisms separating storage, memory, routing and even reputation between different tenants. However it should be considered that attacks against hypervisors are still less numerous and more difficult than attacks on traditional OSs | 2 | 3 | 6
Incomplete Data Deletion | When a request to delete a cloud resource is made, this may not result in true wiping of the data. In the case of multiple tenancies this represents a higher risk to the customer than with dedicated hardware. | 2 | 3 | 6
Mgmt. Interface | Customer management interfaces of a public CP are accessible through the Internet and mediate access to larger sets of resources and therefore pose an increased risk, especially when combined with web browser vulnerabilities. | 3 | 2 | 6
Data Protection | It may be difficult for the cloud customer to check the data handling practices of the cloud provider and thus to be sure that the data is handled in a lawful way. This problem is exacerbated in cases of multiple transfers of data, e.g., between federated clouds. | 2 | 2 | 4
Compliance Risks | Investment in achieving certification (e.g., industry standard or regulatory requirements) may be put at risk by migration to the cloud | 1 | 2 | 2
Loss of Governance | In using cloud infrastructures, the client necessarily cedes control to the Cloud Provider (CP) on a number of issues which may affect security. Also, SLAs may not offer a commitment to provide such services | 2 | 1 | 2
Malicious Insider | While usually less likely, the damage which may be caused by malicious insiders is often far greater. Cloud architectures necessitate certain roles which are extremely high-risk. | 1 | 1 | 1
Source: European Network and Information Security Agency Report on Cloud Computing Benefits, Risks, and Recommendations for Information Security. November 2009.

20. There are other information security trends and start-ups that are noteworthy but not covered here
• Use of Web 2.0 technologies in the workplace
– Socialware: Middleware to monitor social media usage
• Leveraging virtualization technologies to better protect desktops
– Invincea: Sandboxing the browser
• Information security for the internet of things
– Mocana: Smart Grid, embedded devices, etc.
• Leveraging massive amounts of web data and improved processing power to better protect enterprises
– Endgame Systems: Building IP trust scores
– CloudFlare: Advanced protection for SMB

22. The consumerization of IT is introducing new security issues
• 56% of enterprises allow personally owned smartphones to access company resources
• A recent study showed that 10% of Android applications analyzed contained three or more dangerous security permissions
• Enterprise device management is burdened by a high diversity of devices (Blackberry, Android, iPhone, Windows, Palm) and a relatively immature device management vendor community
• Legal requirements for data ownership and privacy boundaries on personally owned devices are still unclear
• On the other hand, mobile operating systems are more stripped down than PCs, apps run in sandboxes, and apps must be signed for use on smartphones (all good for security)
Sources: Forrester. “Security in the Post-PC Era: Controlled Chaos.” October 14, 2010.

23. Smartphones are now capable of enabling strong authentication processes
• Smartphones now have enough computing speed and memory capacity to handle PKI without much burden
• Certificate issuance and management is more affordable
• SIM cards are now capable of cryptoprocessing (e.g., private key on the chip)
• Foreign examples of using smartphone-based authentication for banking (authentication) and government services (digital signatures)

24. Stolen devices and mobile spyware are the highest risks for smartphones
Source: Forrester. “Security in the Post-PC Era: Controlled Chaos.” October 14, 2010.

25. There are three primary types of smartphone security start-ups that are of interest
• This investment thesis focuses on three areas of Smartphone Security:
– Mobile Device Management (MDM): Software that monitors, manages and supports mobile devices deployed across an enterprise; typically includes data and configuration settings, encryption and wipe for all types of mobile devices
– Smartphone Malware Protection (SMP): Anti-virus/anti-spyware protection for smartphones
– Smartphone Authentication (SA): Utilizing the smartphone hardware and/or software for multifactor authentication
• Taken together, these three areas will comprise a 1 – 2 billion dollar market in the coming years

26. Recent Smartphone Security Investments (by type)
Company | Type | Founded | Round | Date | Amount | Investors
SurIDx | MDM | 2006 | A | 2009 | $1.695M | N/A
Boxtone | MDM | 2005 | B | 2010 | $7.5M | Lazard Technology Partners
Mobileiron | MDM | 2007 | C | 2010 | $16M | Sequoia Capital, Norwest Venture Partners, Storm Ventures
Zenprise | MDM | 2003 | N/A | 2010 | $9M | Rembrandt Venture Partners, Ignition Partners, Bay Partners, Mayfield Fund, Shasta Ventures
Fat Skunk | SMP | 2010 | Seed | 2010 | N/A | N/A
Lookout | MDM, SMP | 2009 | B | 2010 | $11M | Khosla Ventures, Trilogy Equity Partnership, Accel Management
Sipera Systems | MDM, SMP | 2003 | N/A | 2010 | $10.2M | S3 Ventures, Sequoia Capital, Austin Ventures, Duchossois Technology Partners, Star Ventures
FireID | SA | 2005 | A | 2010 | $6.4M | 4Di Capital (South African)
Koolspan | SA | 2003 | C | 2008 | $7.1M | New York Angels, Rose Tech Ventures, Security Growth Partners
Mocana | MDM, SMP, SA | 2008 | C | 2008 | $7M | Shasta Ventures, Southern Cross Venture Partners, Bob Pasker

27. Recent Smartphone Security Exits (by type)
Company | Date | Type | Amount | Acquirer
Trust Digital | 2010 | MDM | N/A | McAfee
sMobile | 2010 | MDM, SMP | $70M | Juniper
Droid Security | 2010 | SMP | $9.4M | AVG
tenCube | 2010 | MDM | N/A | McAfee
InterNoded | 2009 | MDM | N/A | Tangoe
Verisign | 2010 | SA | $1.28B | Symantec
Mobile Armor | 2010 | MDM | N/A | Trend Micro

28. Duo Security is a bootstrapped smartphone security start-up that is recommended for investment
• Leadership
– Dug Song is the well-respected founder of Arbor Networks, which had a large exit in 2010
• Technology
– SaaS-based Multi-Factor Authentication (MFA) service
– Focus on cost effectiveness and customer interface, which they believe are the main factors that have prevented MFA from being adopted
• Current Status
– Was operating in stealth mode until December 2010
– Product is in beta stage
– http://www.duosecurity.com/