A View from David Cowan
The Coming Wave of Security Startups
Our growing computer security problems will create many new companies.
The threat from cyber-intrusions seems to have exploded in just the last 18 months. Mainstream media now report regularly on massive, targeted data breaches and on the digital skirmishes waged among nation states and cybermilitants.
Unlike other looming technical problems that require innovation to address, cybersecurity never gets solved. The challenges of circuit miniaturization, graphical computing, database management, network routing, server virtualization, and similarly mammoth technical problems eventually wane as we tame their complexity. Cybersecurity is a never-ending Tom and Jerry cartoon. Like antibiotic-resistant bacteria, attackers adapt to our defenses and render them obsolete.
As in most areas of IT and computing, innovation in security springs mostly from startup companies. Larger systems companies like Symantec, Microsoft, and Cisco contribute to the corpus of cybersecurity, but mostly acquire their new technologies from startups. Government agencies with sophisticated cyberskills tend to innovate more on the offensive side. I think that in the coming years we will see many small, creative teams of security engineers successfully discovering, testing, and building out clever new ways to secure cyberspace.
Anyone looking to found or invest in one of those small security companies destined for success should focus on the tsunami of change rocking the IT world known as cloud computing. In a transformation that eclipses even the advent of client–server computing in the 1980s, business are choosing to subscribe to services in the cloud over running software on their own physical servers. Incumbents in every category of software are being disrupted by cloud-based upstarts. According to Forrester, the global market for cloud computing will grow more than sixfold this decade, to over a quarter trillion dollars.
Cloud security, as it is known, is today one of the less mature areas of cloud computing, but it has already become clear that it will become a significant chunk of that vast new market. A Gartner report earlier this year predicted that the growth of cloud-based security services would overtake traditional security services in the next three years.
Just like other software products, conventional security appliances are being replaced by cloud-based alternatives that are easier to deploy, cheaper to manage, and always up-to-date. Cloud-based security protections can also be more secure, since the vendor can correlate events and profile attacks across all of its customers’ networks. This collaborative capability will be critical in the coming years as the private sector looks to government agencies like the National Security Agency for protection from cyberattacks.
The cloud also enables new security services based on so-called big data, which could simply not exist as standalone products. Companies like SumoLogic can harvest signals from around the Web for analysis, identifying attacks and attackers that couldn’t be detected using data from a single incident or source.
These new data-centric, cloud-based security products are crucial to solving the challenges of keeping mobile devices secure. Most computers shipped today are mobile devices, and they make juicier targets than PCs because they have location and payment data, microphones, and cameras. But mobile carriers and employers cannot lock down phones and tablets completely because they are personal devices customized with personal apps. Worse, phones and tablets lack the processing power and battery life to run security processes as PCs do.
Cloud approaches to security offer a solution. Software-as-a-service security companies like Zscaler can scan our mobile data traffic using proxies and VPNs, scrubbing them for malware, phishing, data leaks, and bots. In addition we see startups like Blue Cava, Iovation, and mSignia using Big Data to prevent fraud by fingerprinting mobile devices.
Cloud security also involves protecting cloud infrastructure itself. New technologies are needed to secure the client data inside cloud-based services against theft or manipulation during transit or storage. Some security auditors and security companies already sell into this market, but most cloud developers, focused on strong customer growth, have been slow to deploy strong security. Eventually it should become possible for cloud computing customers to encrypt and destroy data using their own encryption keys. Until they do, there is an opportunity for startups such as CipherCloud and Vaultive to sell encryption technology that is used by companies over the top of their cloud services to encrypt the data inside.
Lastly, cloud security also includes protecting against the cloud, which enables creative new classes of attack. For example, Amazon Web Services can be used for brute force attacks on cryptographic protocols, like that one German hacker used in 2010 to break the NSA’s Secure Hashing Algorithm. Attackers can use botnets and virtual servers to wage distributed denial of service attacks; and bots can bypass captcha defenses by crowdsourcing the answers. Cloud-based attacks demand innovative defenses that will likely come from startups. For example, Prolexic and Defense.net (a company Bessemer has invested in) operate networks of filters that buffer their clients from cloud-based DDOS attacks.
Cloud computing may open up enormous vulnerabilities on the Internet, but it also presents great opportunity for innovative cybersecurity. In the coming decade, few areas of computing will be as attractive to entrepreneurs, technologists, and investors.
Become an MIT Technology Review Insider for in-depth analysis and unparalleled perspective.Subscribe today