Tablets and smartphones, which employees are bringing into work in "Bring Your Own Device" (BYOD) style, are leading IT managers to ask security questions, starting with whether they should sort out corporate mobile apps and data from personal ones. It's all encouraged a spate of security start-ups to come up with their own answers, and highlighted here are a few that have recently hung out a shingle for mobile security. But it's not just mobile spurring the creation of young security firms out to change the world.
Many have fresh ideas on how to prevent stealthy attacks aimed at stealing sensitive information, or how to provide security for virtualized networks or software-defined networking (SDN). Gartner analyst Greg Young has pointed out that security around SDN in particular is still an open field--not necessarily a good thing for security managers who might be faced with securing SDN in a few years.
In alphabetical order, here's the start-up lineup to watch:
What Armor5 has come up with is a cloud-based security and management service for mobile devices introduced in April that works without needing client-based software. The Armor5 CloudSpace service requires enterprise customers to move VPN and other server connections into the cloud. The end effect is that any mobile device with a browser can gain access to restricted corporate data but "we won't let the data stay resident on the mobile device," says its company CEO, Suresh Balasubramanian.
By way of another example of how CloudSpace works, an individual could make use of the Salesforce.com service to fill out forms, but the minute he tried to download data, it would be blocked.
The technology is basically a "virtual browser in the cloud," says Balasubramanian. A secure container is created and the service can be set up to track file usage and other metrics, making use of the Active Directory policy engine as well for authentication or other purposes. The Santa Clara, Calif.-based company has had some early adopters testing it out, including CPP, the firm whose organizational management products include the well-known Briggs-Myers tests. Keith Phillips, chief information officer at CPP, has said one appeal of Armor5's approach is that it's agentless and easy to set up.
Armor5 was founded in March 2012 by Sunil Agrawal, CTO , and Naveen Ramaiah, vice president of engineering. The start-up has received approximately $2 million from Trinity Ventures, Nexus Venture Partners and a fund Citrix has for startups called the Citrix Startup Accelerator.
Mobile-device security is an area where both start-ups and established players are tackling the BYOD challenge through various approaches intended to restrict and control corporate data on a user-owned tablet or smartphone device while trying not to interfere with the user's personal data usage. Into this fray has stepped Averail which made its debut three months ago with what it calls Averail Access.
This "containerization" software and an accompanying service that's intended to give IT managers control over mobile-device apps and their content, according to Marc Olesen, Averail president and CEO. Olesen was previously senior vice president and general manager at McAfee's SaaS security business unit. "You can say, this document is so sensitive, you can't download it to the mobile device," Olesen says. Other options might be to let the user download it but it needs to stay encrypted via Averail.
Averail Access has a cloud-based console that lets IT managers designate apps or documents for corporate use, including restricting content based on permissions to browse, search, annotate, share and upload--while leaving the user's personal apps alone.
San Jose, Calif.-based Averail was founded in 2011 by John Drewry, whose product development background includes stints with Cisco and 3Com, and Rahul Sharma, whose engineering background includes Microsoft and Motorola. The start-up has received $6 million from Foundation Capital and Storm Ventures.
The ongoing trend to virtualize data centers and desktops has also been a disruptive force in networking. Virtualization raises questions about whether older security technologies designed for traditional physical servers or example, is effective in a virtualized network. One start-up, Cupertino, Calif.-based Bromium, argues new approaches to hypervisor security are needed and Bromium leverages CPU hardware to do this.
Bromium's vSentry code deployed at the endpoint uses Intel CPU features to automatically hardware-isolate each Windows task that accesses the Internet or untrusted documents. And its Live Attack and Visualization Analysis tool used in the security operations center automates live attack visualization. The goal of all this is to use virtualization hardware built into Intel-based devices today to instantly create hardware-isolated micro-VMS for each end-user task.
"We use it for tasks running in the operating system," says Bromium co-founder and CTO Simon Crosby. "You never know when you're being attacked." The moment you close the tab in your browser, though, the malware code is simply tossed away. "Any changes the attack made are thrown away," Crosby adds.
Crosby is a virtualization veteran. He was previously CTO (with a focus on data in the cloud) at Citrix Systems, which acquired XenSource, where he was co-founder and CTO. Bromium's CEO, Gaurav Banga, was previously CTO and senior vice president at Phoenix Technologies. Ian Pratt, senior vice president of products, is also chairman of Xen.org, the organization leading the creation of the open source Xen hypervisor.
The company is gaining momentum, citing the New York Stock Exchange, BlackRock and ADP as Bromium technology adopters. The start-up has gotten two rounds of funding totaling $35.5 million, including from Andreessen Horowitz, Highland Capital Partners, Ignition Partners and Intel Capital.
Getting the word out to employees about the variety of compliance rules and regulations they should be following is seldom easy, nor is training them or tracking possible workplace violations. But startup Convercent in January introduced its software-as-a-service intended to do all that in an interactive way by letting businesses get the word out to employees via either PC or mobile device.
"For the new employee, it's usable as a compliance document," said Patrick Quinlan, CEO of Denver-based Convercent, which he co-founded with Philip Winterburn, CIO and Barclay Friesen. On the day it introduced its service, the start-up also said it had received $10.2 million in funding led by Azure Capital Partners, Mantucket Capital and City National Bank. Convercent now publicly says it has hundreds of customers, including ViaWest, Cbeyond, and medical suppliers Symbius and Owens & Minor. The Convercent SaaS supports more than 50 languages, giving it some global appeal.
Stopping stealthy intrusions aimed at stealing sensitive information or otherwise compromising networks is the mission of Irvine, Calif.-based start-up Cylance. Last month in June, Cylance completed controlled beta tests of its first product intended to do this. Called Cylance PrivateDETECT, it's endpoint detection and prevention software that makes use of Cylance's "secret sauce" based on algorithms that are supposed to sort out "good" and "bad" files, in order to block Windows-based attacks and malware.
Irvine, Calif.-based Cylance was founded in July 2012 by president and CEO Stuart McClure and Ryan Permeh, CTO, both with many years in the security industry. McClure launched Foundstone, acquired by McAfee in 2004, and McClure became CTO of McAfee. Permeh was founder of eEye and former scientist at McAfee.
McClure says what Cylance has come up with to detect stealthy attacks, whether they originate inside or outside the network, is not signature-based or malware-specific but a way to look at "millions of files per day" and "detect mathematically and algorithmically, what's bad or good." He says the goal is to monitor attacks and protect networks by preventing code execution. Additional products besides PrivateDETECT are likely to appear by year end.
Cylance has received $15 million in funding from a number of sources, including Khosla Ventures and Fairhaven Capital, and its board includes Patrick Heim, chief trust officer for Salesforce.com, and William Fallon, former Admiral of the US Central Command.
Another start-up on our list, NetCitadel, made its debut in January, with its Threat Response Platform and a product called OneControl intended to automate what might otherwise be manual research and changes related to configuring firewalls, switches or other gear when virtual-machine workloads are spun up or down in enterprise data centers of cloud environments.
"We're helping enterprises go from manual processing that's time-consuming to show automated responses to network events," said Mike Horn, co-founder and CEO of NetCitadel about the purpose of the OneControl virtual appliance. Used in data centers, it can automate determinations about firewall, router and switch settings based on the preferred corporate security policy related to VM-based workloads. OneControl can be installed to work with the various VM platforms, including VMware, Xen and Hyper-V.
Some early adopters include Kenettek, the Broken Arrow, Okla.-based managed services and data center provider which serves the oil and gas industry. Ken Dobbins, service manager there, has found it to help in efficiently running its data center, which is mostly virtualized. He said it not only has saved time related to changes in firewalls and routers, but it has even resulted in some savings related to VMware licensing charges based on "committed RAM per hour."
Mountain View, Calif.-based NetCitadel was founded in 2010 by Horn with Theron Tock, CTO and Vadim Kurland. Tock was previously co-founder and CTO of Neoteris, an SSL VPN appliance maker. NetCitadel, which has received an undisclosed amount of funding from New Enterprise Associates, is competing against the likes of Cisco and Juniper, which offer similar security-policy management and orchestration products.
Start-up Skyhigh Networks wants to tackle some specific security problems associated with business use of cloud services. Mainly, that's how to spot any "rogue" cloud services that were set up by a corporate employee without the IT department knowing about them and secondly, to identify "high-risk exposure" that cloud use brings to the enterprise.
To do that, Skyhigh in February introduced a service aimed at tracking thousands of cloud services. The basic technique Skyhigh uses is to collect logs from firewalls and perimeter gateways to learn what URL or IP address that an employee is trying to access associated with a cloud service, while also coming up with a "risk score" for it. Cloud services are ranked according to several risk factors that include "is it multi-tenant, can I use an enterprise ID, does it do penetration testing," said Rajiv Gupta, CEO of the Skyhigh, which he co-founded in 2011 with Sekhar Sarukkai and Kaushik Narayan.
All of the monitoring information collected through the Skyhigh service is batched and sent to a dashboard for review by the IT department. Another aspect of the service seeks to ensure encryption of data. The Skyhigh service has been in use with Torrance Memorial Medical Center, Cisco and data-hosting firm Equinix, among others.
Gupta notes that it's not unusual to see companies with "more than 200 cloud services, some more than 1,000" these days. The Cupertino, Calif.-based start-up has disclosed it has received $6.7 million in venture-capital funding, with Greylock accounting for $6.5 million of that.
Another start-up debuting in February was Stormpath, with its identity and access-control cloud-based service primarily intended for use by software-development teams that are building web applications.
The cloud service can be used in a variety of ways to provide a ready-made authentication layer and workflow process that developers can turn to for use in programming environments, says Alex Salazar, Stormpath's CEO. "You don't have to worry about storing passwords, or groups, or roles for users."
Salazar founded the San Mateo, Calif.-based company in 2010 with chief technology officer Les Hazlewood. Stormpath's identity management service competes not only against open-source cloud provider ForgeRock's Open SSO product but also products from IBM and Oracle.
Stormpath has received $8.2 million in venture funding led by New Enterprise Associates and Pelion Venture Partners, with participation from Flybridge Capital Partners, following an earlier round of about $1.7 million.
Another start-up, vArmour Networks, is taking on the challenge of firewall security in fully virtualized networks, including the emerging area of software-defined networking. Beginning to emerge from stealth mode, vArmour was established in Santa Clara, in January 2011 by CEO Roger Lian and Michael Shieh, field applications engineer. Both have backgrounds working at NetScreen, the firewall vendor acquired by Juniper.
With vArmour, Lian and Hsieh say they're creating a firewall for fully virtualized network environments, including SDN. "We're pioneering a new type of software-defined security," Lian says. Shieh adds that traditional firewalling methods defined by physical appliances "is not sufficient" for SDN or other kinds of fully-virtualized networks.
The first vArmour firewalling product, now in beta evaluation trials with undisclosed companies, is called SDSec. It's described as a virtual firewall appliance that can be deployed in any hypervisor environment for application-based control of subnets and other tasks. "We scale the data plane as needed," says Lian.
The vArmour firewalling approach is intended to be "vendor agnostic" and not dependent on any vendor-specific architectures related to virtual-machine software, OpenFlow or SDN technologies, the two co-founders say.
While vArmour is not yet announcing general availability or pricing for SDSec, Lian and Shieh voice confidence they will meet the security challenges related to the next generation of network virtualization and SDN. The start-up has received about $8 million in venture-capital funding from Highland Capital Partners.
Our final start-up, Watchful Software, is seeking to revitalize the technology known as digital rights management by expanding it beyond traditional platforms like Microsoft Windows PCs into mobile devices such as iPhone, iPad, Android and Windows Phone.
The company's RightsWatch product that came out in March builds on top of Microsoft's Active Directory Rights Management Services technology but extends it to non-Microsoft platforms and makes it easier to use, says CEO Charles Foley. He founded the Medford, N.J.-based company along with Bernardo Patrao and Rui Biscaia as a spin-out from Citadel Software based in Portugal. The start-up has disclosed $1 million in venture-capital funding from Critical Ventures.
RightsWatch is a way to determine and set restrictions on access to documents through various means. These include key words that can be used to enforce a kind of data-loss prevention method. "When information is created, it's classified," Foley says. One example of how this would work is only authorized users could gain control to encrypted documents.
Watchful Software also has a security product called TypeWatch, biometric technology intended to monitor how users type on a keyboard to determine identity. Used for security access to systems and applications, it can monitor typing behavior to determine if somehow the authorized user is not actually typing at the keyboard, alerting the IT security manager.
Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security. Twitter: MessmerE. E-mail: [email protected]
Read more about wide area network in Network World's Wide Area Network section.