The market for cloud security tools is expected to grow significantly in the coming year. Here are 10 cloud security startups that could help boost cloud adoption in 2014 and beyond.
By Jeff Vance
The market for cloud security tools is booming. It’s actually lagging behind the market for public cloud services, which means that the security sector should experience serious growth in coming years. Gartner estimates that the market for public cloud services will grow to $207 billion by 2016. We’re often skeptical of analyst forecasts (you don’t sell reports predicting a tiny market, after all), but this estimate could actually be low.
The public cloud services market already spiked from $91 billion worldwide in 2011 to $109 billion in 2012, and as more security tools come online to help boost the trust of public cloud services, growth should start hockey sticking soon. Here are 10 cloud security startups that could help boost cloud adoption in 2014 and beyond:
What they do: Provide cloud application management, single sign-on and analytics tools. /p>
Headquarters: Santa Monica, Calif.
CEO: Scott Kriz, who was most recently VP of product for Fastpoint Games, a sports and entertainment gaming company that was sold to Weplay in 2012.
Funding: $2.4 million in seed funding from Resolute VC, Double M Partners, Social Leverage and Karlin Ventures.
Why they’re on this list: Employees at organizations of all sizes interact with dozens of apps from multiple devices over the course of their business days — this includes corporate enterprise apps, social apps, mobile apps and more. Bitium believes that two trends are converging, which will make this situation even more unmanageable. The dual trends of Bring Your Own Device (BYOD) is now dovetailing with the Bring Your Own App (BYOA) phenomena. If you prevent corporate apps from being used on employee-owned devices, savvy employees will simply switch to their own alternative apps. And if you forbid certain apps on corporate-owned devices, employees will access them on their own devices.
This puts organizations in a tough spot and leaves many with little visibility into what services are being used and what sensitive corporate information is potentially being shared.
Most app management tools that promise security often do so at the expense of the end user. Many of these services are complex enough that they require a training session with corporate IT to set up accounts.
Bitium argues that it provides a solution that prioritizes security without sacrificing usability. With Bitium, users can access more than 1,000 cloud-based apps with a single sign-on. IT is able to securely grant and revoke application access to employees and partners in one click (without sharing passwords).
Versus other SSO/authentication solutions, Bitium adds a key piece of functionality: analytics. With Bitium, IT gains visibility into what apps teams are using on a regular basis — allowing managers to stop risky behaviors and to save money by shutting off unused accounts. IT and business leaders can also see app activity within a company through Bitium’s communications tool — which pulls in messages and notifications from installed apps into a single stream.
Customers include Prialto, OpenTable, Act-On, and Media Temple.
Competitive Landscape: Competitors include Okta, OneLogin, Ping Identity and Symplified.
What they do: Offer an information security rating service, which helps organizations evaluate risks when working with partners, suppliers, outsourcers, etc.
Headquarters: Cambridge, Mass.
CEO: Shaun McConnon, who previously served as CEO of Q1 Labs.
Funding: BitSight raised a $24 million Series A round in June 2013.
Why they’re on this list: Today, organizations have hundreds of business partners with whom they share sensitive data. This exposes them to the risk of a breach through a partner network. According to BitSight, third-party breaches are the cause of a staggering amount of cyberattacks, and there is currently no objective method of keeping track of the security risks that partners pose.
BitSight’s global platform helps manage this risk by collecting and analyzing terabytes of data on security behaviors and then rating companies for their security effectiveness. Similar to consumer credit scores, BitSight SecurityRatings are automated and derived entirely from externally available data. The result: organizations are empowered to proactively identify, quantify, and mitigate security risks throughout their ecosystems.
Users receive daily updates on the ratings of their vendors, updates which provide detailed information on suspicious behaviors, such as participation in a DDoS attempt or communication with a known botnet. Aberrant behaviors are then analyzed for severity, frequency, duration and confidence to create an overall rating of the organization’s current security health.
Competitive Landscape: For the time being, BitSight is uniquely positioned in the security market. However, CloudeAssurance offers a similar service, only its focus is on cloud service providers, rather than a partner network.
What they do: Provides a platform of unified cloud information protection offerings.
Headquarters: San Jose, Calif.
CEO: Pravin Kothari, formerly a cofounder of ArcSight, which HP acquired for $1.5 billion.
Funding: CipherCloud is backed by a $30 million investment from Andreessen Horowitz.
Why they’re on this list: Organizations have a tough time managing cloud computing risks, securing data in the cloud, and maintaining compliance with various industry regulations as they embrace more and more cloud applications and services.
CipherCloud’s unified security approach should help ease CIO’s worries as they move more data into the cloud. CipherCloud protects data in the cloud through a platform that includes encryption, tokenization, DLP, malware detection, and activities auditing.
CipherCloud offers versions of its product specifically designed for Salesforce.com, Office 365, Box, Gmail and AWS. The company claims to have more than 2 million users and is protecting more than 200 million records for some of the world’s largest banks, healthcare providers, insurers and government agencies. Named customers include Mitsubishi UFJ Global Custody, Novati Technologies, and Caribbean Credit Bureau.
Competitive Landscape: Competitors include Gazzang, Perspecsys, Porticor, Vormetric, and Voltage Security.
What they do: Develop virtualization security tools, which organizations can use to enforce centralized policies over virtual and cloud infrastructures.
Headquarters: Mountain View, Calif.
CEO: John De Santis serves as CEO. Eric Chiu co-founded the company and is its president. De Santis was formerly Chairman and CEO of TriCipher, a software security infrastructure company acquired by VMware in 2010. After the acquisition, he served as VP, Cloud Services for VMware. Chiu was previously VP of Sales and Business Development for Cemaphore Systems.
Funding: HyTrust has raised $34.5 million from both venture capital investment firms, including Trident Capital, Granite Ventures and Epic Ventures, as well as strategic corporate investors such as Cisco, VMware, Intel Capital, and Fortinet. In-Q-Tel, the investment arm for the U.S. intelligence community, has also invested in the company.
Why they’re on this list: Virtualized and cloud infrastructures create new security, control, management, and compliance challenges for IT staffs. Organizations take big risks when they move to the cloud or rely on virtualization when critical applications and sensitive information are not properly secured.
The HyTrust Appliance delivers access control, enforcement of policy across virtual infrastructures, hypervisor hardening, and audit-quality logging. By addressing these requirements, HyTrust is able to provide organizations with the control and visibility required for them to virtualize Tier 1 applications, meet corporate governance requirements, and avoid costly downtime or other possibly more serious business disruption.
Customers include AIG, US Army, Northrop Grumman, Pepsi, McKesson, Home Shopping Network, Federal Reserve Bank of Chicago, UC Berkeley, State of New Mexico, and Denver Museum of Nature & Science.
Competitive Landscape: The cloud security market is incredibly crowded, but HyTrust has carved out a solid niche by focusing on hypervisor vulnerabilities. Competitors include Altor Networks (now Juniper) and Catbird.
What they do: Provide identity management solutions
Headquarters: San Francisco, Calif.
CEO: Mike Ellis, who previously held senior executive roles at SAP, i2 Technologies, Oracle, and Apple.
Funding: ForgeRock has secured $22 million in two rounds of funding from Foundation Capital and Accel Partners.
Why they’re on this list: Identities and application access are two of the main security challenges in the cloud/mobile/social age. Yet, most solutions are still point products that do little to unify identity management.
ForgeRock offers a “unified, open-source identity stack to protect enterprise, cloud, social and mobile applications at Internet scale.” ForgeRock’s Open Identity is built to address the needs of the next generation of identity and access management (IAM), especially as more and more people and things are assigned identities across networks.
Moreover, as customers expect to engage with business more, companies are making the shift to customer-facing IAM solutions, and ForgeRock’s solution is designed to meet these emerging needs.
Customers include Deloitte, Thomson Reuters, Aberdeen Asset Management, and Vodafone.
Competitive Landscape: The main incumbent competitors are Oracle and CA Technologies. There are also a number of startups in this space, including OneLogin, Okta, SecureAuth and several others.
What they do: Provide a service that helps users manage, control, and monitor which apps and websites have access to their personal information.
Headquarters: Tel Aviv, Israel
CEO: Olivier Amar, who was previously the VP Marketing at GetTaxi and Toyga Financial.
Funding: The company has raised a $1 million seed round led by 500 Startups, lool Ventures and 2B Angels, with participation from Plus Ventures and angel investor Robby Hilkowitz.
Why they’re on this list: Every time you sign up for a new online service, you’re asked for personal information — information an attacker could use for identity theft. For instance, Facebook recently revealed that there were over 850 million third-party connections performed with Facebook connect.
Meanwhile, 82 of the top-grossing iOS apps use some form of social connect to validate users, and 63 of the top Android apps do the same.
MyPermissions mobile and web-based solutions monitor users’ personal information and provide alerts to users when apps or services try to access pieces of their personal information (photos, financial information, location data, etc.). The solutions also allow users to review what permissions apps and services have access to, so they can decide to allow or deny the app that requested permission to do something along the lines of posting on a users’ behalf, accessing their contacts, or using a personal photo.
Business customers include Vod.io, EQuala.fm, Sytlemarks, and Any.DO.
Competitive Landscape: Competitors include Secure.me and Privacy Choice.
What they do: Provide cloud application analytics and policy creation tools that “eliminate the Catch-22 between being agile [and being] secure and compliant by providing complete visibility and enforcing sophisticated policies in cloud apps.”
Headquarters: Los Altos, Calif.
CEO: Sanjay Beri. Prior to Netskope, Beri was the GM of Juniper Network’s secure access and mobile business units and led the company’s India office. Before that, he co-founded Ingrian Networks, which was later acquired by SafeNet.
Funding: The company is backed by $21.4 million from Lightspeed Ventures and The Social+Capital Partnership.
Why they’re on this list: The last obstacle to the mainstreaming of public cloud services is trust. If organizations can’t trust a third-party providers’ security policies and data protection practices, growth will be slow. Once cloud security is on par with traditional security, adoption will spike dramatically.
Netskope argues that cloud apps have already hit a tipping point in the enterprise. While IT has ownership or stewardship for some cloud apps, employees are now more empowered than ever to go outside of IT and do it themselves, creating the whole Shadow IT problem.
Getting a handle on Shadow IT means you have to discover these services. Netskope helps companies do this, providing visibility into enterprise cloud app usage and enforcing policies to make them safe, compliant, and high performing. Netskope performs deep analytics and lets IT decision makers create policies in a few clicks that protect corporate data and optimize cloud app usage in real-time and at scale.
Competitive Landscape: This cloud security subsector is wide open right now. Skyhigh Networks is the first mover in the space, but expect to see several startups emerge from stealth mode in 2014.
What they do: Provide cloud-based security that protects Web applications by contextually securing and monitoring all content, user sessions, and application behavior.
Headquarters: Los Angeles, Calif.
CEO: Julien Bellanger, who previously founded Personagraph, a mobile user privacy company. Prior to that, he was Director of Corporate Development at Intertrust.
Funding: $2.4 million in seed funding.
Why they’re on this list: Enterprises are struggling to secure Web applications and the user content within those applications due to the diverse and distributed nature of the Web. With open APIs, uncontrolled user access, and content propagation, both Web developers and security teams find it impossible to fend off the sheer volume of threats.
Prevoty’s cloud-based security solution protects Web applications (and their user content) through the use of “contextual security that focuses on the behavior of content within the context of the Web application.”
Prevoty analyzes and interprets all content within the Web application to protect against OWASP threats, preventing cross-site scripting (XSS), SQL injections (SQLI), and cross-site request forgeries (XSRF). It differentiates good content from bad content, so risks associated with user-uploaded content is mitigated. All of this is done in real time and without relying on past definitions. Organizations can also deploy their own business logic to personalize the configuration. The Prevoty system also includes strong authentication, ongoing threat analysis, alerts, and performance optimization features.
Competitive Landscape: Prevoty competes against Web Application Firewall (WAF) vendors, such as Citrix, F5, Radware, and A10 Networks. Prevoty differentiates itself through its focus on behaviors, rather than blacklists, and by delivering this solution as a service, rather than an appliance.
What they do: Provide a cloud lifecycle and security suite, which discovers, analyzes, and secures various cloud services.
Headquarters: Cupertino, Calif.
CEO: Rajiv Gupta. He formerly founded Securent and served as its CEO. After Cisco acquired Securent for $100 million in 2007, Gupta joined Cisco and served as VP/GM of the Policy Management Business Unit.
Founded: December 2011
Funding: In May 2013, Sequoia Capital and Greylock Partners invested $20 million in a Series B round, bringing total funding to $26.5 million.
Why they’re on this list: Skyhigh Networks had a good year in 2013, securing a hefty funding round in May and releasing Skyhigh Secure, an end-to-end cloud security solution, in August.
Skyhigh’s free Cloud Risk Assessment discovers and quantifies an enterprise’s cloud usage, providing complete visibility into all IaaS, PaaS, and SaaS cloud services used by employees. Skyhigh then delivers a risk assessment for all the cloud services used by employees based on 30 attributes across data, user, device, service and business categories. This helps organizations isolate potential data leaks, security breaches, and non-compliance with regulatory and internal policies from the use of cloud services.
The risk assessment tool feeds into Skyhigh Secure, which provides security and control of the cloud lifecycle. Skyhigh Secure offers contextual access control, application auditing, encryption, data loss prevention (DLP), and cloud-to-cloud access control.
Customers include Cisco, Diebold, Equinix, and Torrance Memorial Medical Center.
Competitive Landscape: Skyhigh competes with Netskope, but expect to see several startups emerge from stealth mode in 2014.
What they do: Provide antispyware/antimalware “counterveillance” software that detects and blocks remote control, spying and eavesdropping on computers, tablets, smartphones and other mobile devices.
Headquarters: Nashua, N.H.
CEO: Gary Miliefsky. He was formerly founder and CTO of NetClarity.
Funding: SnoopWall is currently backed by an undisclosed amount of angel funding.
Why they’re on this list: Cyberintrusions are getting more worrisome by the day. Not only do you have to worry about overseas hackers, but now being concerned that the NSA is snooping on you doesn’t get you labeled as crazy. Moreover, zero-day malware, which is undetected by most current cybersecurity solutions, often infiltrates devices when users install apps they believe to be trustworthy.
SnoopWall flags and prevents cyberthreats, acting as a “port authority gatekeeper” to prevent access to high-risk data ports, including webcams, microphones, GPS, USB and other points of entry that are susceptible to becoming infected with malicious code.
Competitive Landscape: SnoopWall is uniquely positioned for now. However, after SnoopWall made a big splash at DEMO Fall 2013, expect to see other antimalware providers add similar features to their suites.
Jeff Vance is a Los Angeles-based freelance writer who focuses on next-generation technology trends. Follow him on Twitter @ JWVance. Follow everything from CIO.com on Twitter @CIOonline, Facebook, Google + and LinkedIn.