Important advances in security are happening right now due to the trends of virtualization everywhere and the aggressive move to deploy applications in the cloud. A few of the most exciting cloud-native security startups have just released the first versions of their core products in September 2012.
Excitingly, there has not yet been a series of security company exits for companies that are truly native to the massive secular cloud and virtualization trends. Clearly, there will be, and soon. This is an investable trend right now.
Here are five of the most interesting new security plays that are truly cloud-native below:
1. Bromium. Malware commonly enters through one process or application and then infects and hides itself elsewhere. Bromium isolates each process and application on a computer within its own micro virtual machine. In effect, Bromium creates a cloud of micro-VMs on your local machine. This prevents malicious code entering from the browser to metastasize throughout your computer. Bromium just started shipping its first release, vSentry, focused on Windows 7 on September 20th 2012. Bromium has a blue chip team that previously founded virtualization pioneer Xen and is capitalized to match, having raised over $35M from A16Z, Lightspeed, Ignition, Intel and Highland.
2. Qubes. Also in September 2012, Qubes, a smaller company at the other end of the incumbency spectrum, released an open source direct competitor to Bromium based on Linux. The Qubes developers are best known for devising some well-publicized virtualization exploits and may not have any outside funding at all.
3. Authentic8. Instead of bringing the cloud to your desktop, Authentic8 is taking your browser to the cloud. Authentic8 just started letting consumers into its beta in September 2012. A8’s disposable browser securely connects you to a browser instance in a newly created, isolated environment every time you start a new session and destroys that environment afterward. Virtual execution in the cloud keeps any malicious code from reaching your local machine. Like Bromium, A8 has a blue chip team that previously founded Postini, but has been far more measured in its approach to venture capital, having announced only a single round from Foundry Group and Merus to date.
4. Tinfoil Security. Tinfoil Security, also launching out of beta in September 2012, is one of the best cloud security examples of the consumerization of IT trend. Most development teams building web applications do not address security systematically. Instead developers tend to fix vulnerabilities one at a time when there is downtime between customer-facing feature work. Often the knowledge of common security flaws that need to be fixed is limited to one engineer who takes particular interest in the topic. Tinfoil provides a simple third-party web service that systematizes security monitoring for web apps in much the same way that Continuous Integration tools have helped systematize the application build process and reduced long stretches of lost engineering productivity due to broken builds.
5. Gauntlt. Netflix is known for building a tool called SecurityMonkey to systematize application security testing and monitoring across its infrastructure. While Netflix has made a loose promise to open source SecurityMonkey, a few of its engineers are contributing to a parallel open source security-testing platform called Gauntlt. Gauntlt provides a platform and domain-specific language to systematize the use of common security testing tools the same way that popular deployment platforms like Chef let developers systematize deployment scripts that were previously run locally.
While these cloud-native security startups make headway, big companies are not standing still. Virtualization vendors like VMware have their own security offerings, and older security companies are starting to pivot their product positioning towards new kinds of cloud security issues.
Beyond putting a cloud of VMs on your computer like Bromium or putting your browser sessions in the cloud like Authentic8, Intel/McAfee and ARM are working on a third interesting category of virtualized security product. DeepSafe from Intel creates a small VM as close to the hardware as possible that intends to provide a clean source of truth to compare the primary computing environment against in order to determine if it has been compromised by malware. Chipmaker ARM is building an identical product through a joint venture for ARM chips.
Meanwhile, Amazon has some quiet experiments underway to enable some browser processing in the cloud with the Silk Browser installed on the Kindle Fire. While pitched as a performance upgrade, adding additional security resources in the cloud along the lines of Authentic8 would be a natural fit.
Mathew Johnson is an entrepreneur and a Scout at AngelList. Previously, he helped start a big data company called Socrata. He was a speaker at the first Lean Startup Conference, has spoken in Steve Blank’s Customer Development class at Berkeley, and was a mentor for the HBS MVP Fund.
[Top image credit: tashatuvango/Shutterstock]