Cloud Security Ranks High Among Investors

Cloud Security

Last year marked a 10-year high for venture capitalists in terms of deals and dollars. About $30 billion was plowed into 3,051 companies, of which one-third were Internet related, says CB Insights. Online storage service Dropbox got the biggest drop at $257 million. This year is starting off just as hot. Joyent just announced an $85 million D round, bringing its total to date to about $115 million.

The old argument for whether to self-host or outsource boils down to trust, and data trust is still a cloudy issue. Without trust, little is possible. Harry Potter author J.K. Rowling wrote, “Never trust anything that can think for itself if you can’t see where it keeps its brain.” Quite fitting when you talk about trusting data that resides in the all-invisible cloud.

Of course security breaches can happen in any computing environment. Most breaches go unreported so much so that new legislation is seeking to put an end to that. But no law will stop outsider or insider threats and no bread crumbs will be left behind to track the culprits. Data and apps can be changed and you’re none the wiser for it.

Ironically, we are putting trust in cloud applications that are themselves promising things like IT governance, risk management and compliance. There are no limitations to what kinds of applications we’ll see in the cloud. The sky seems to define its limits. Consolidation is already happening, triggered last year by Citrix’s acquisition of Cloud.com for $160 million.

Private equity markets are still bullish on cumulus. Forget about the euro-zone sovereign debt crisis; investors are throwing real pre-inflationary dollars into cloud-related enterprises.

With 13,000 customers, Joyent delivers public cloud services to major brands such as LinkedIn. It also licenses its cloud software to service providers like Dell. Of late, it’s offering a platform-as-a-service based on Node.js, the open source server-side JavaScript development environment destined to change the online app world. The company also puts resources into an open source based operating system called SmartOS.

Other infrastructure-as-a-service (IaaS) players include RackSpace, MediaTemple, Terremark, GoGrid and VMware.

Joyent’s biggest competitor is Amazon Web Services, but to compare AWS with Joyent is like comparing a Toyota Camry (ubiquitous, serves most needs) to the Porsche Cayenne (high-end, power to spare). Or to hear it directly from its CEO David Young, “Amazon is the Kodak of the cloud…. I don’t want to dump on Amazon, but I just don’t think you can look to a book seller and grocery store for cloud innovation. On the other hand, we’re building a cloud alliance around the globe.”

One reason that makes Joyent so attractive to investors is that it has an answer to the big problem of trust. It’s a relatively new solution jointly delivered by GuardTime and Joyent. Its primary task is to convert trust to proof without reliance on cryptographic keys for verification, but rather on mathematics.

GuardTime keyless signatures mathematically prove data integrity requiring only the use of the original data, the keyless signature for the signed data, and the integrity code that the company publishes in the Financial Times newspaper. With these three things, anyone can independently prove the integrity of any data signed without having to trust a third party.

This keyless signature authority integrates with Joyent SmartDataCenter, providing keyless signing services to Joyent users. It delivers auditable and forensic quality logs and proof of data integrity and residency for stored or archived data.

It’s a solution that can’t be undermined by human error or manipulated by cybercriminals or insiders.

These keyless signatures don’t eliminate or replace the regular security controls that need to be in place, but the process does prove that irregularities exist for tampered data, logs, node.js code, virtual machines, and virtual applications.

For Joyent customers, these signatures avoid messy key management and trust authorities, both of which could be compromised; even a hint of a compromise would invalidate all historical records. Key-based systems cost much more to sign the data than it does to actually store the data. Conversely, keyless signatures address the fundamental weaknesses associated with PKI and key-based security in the cloud; that is, eliminating key management and assuring proof.

Victor Cruz is a blogger whose articles have appeared in American Venture, Cloud Tech, Cloud Computing Journal, CommPro.biz, eSecurity Planet and others.