Start-ups lean hard on CPU-based security technology to protect virtual environments

The idea of relying on the server or desktop central processing unit (CPU) as the key part of a security scheme is getting more attention as a number of start-ups are using the technology to protect virtual systems.

Take start-up PrivateCore, for example, co-founded by Oded Horovitz, its CEO, along with Steve Weis, CTO, and Carl Waldspurger as adviser. The start-up has come up with what it calls its vCage software that relies on the Intel Xeon Sandy Bridge CPU  as the trusted component to encrypt data in use.

[MORE:Ten Hot Security Start-ups to watch]

"Their CPU is loaded with security," says Horovitz about the Intel Sandy Bridge processor. PrivateCore has created its vCage software for secure processing through means of Intel Sandy Bridge-based servers in cloud environments, first off in infrastructure-as-a-service (IaaS).

Horovitz was formerly a lead security engineer at VMware as was Waldspurger, who joined with Weis, formerly on Google's security team focusing on crypto, to found the Palo Alto, Calif.-based firm in 2011. PrivateCore's main argument is that the latest CPU technologies should be the foundation for data processing of encrypted data.

The challenge in processing encrypted data is "the problem with having to decrypt to do processing," points out Horovitz. The vCage approach, based on the Intel CPU Sandy Bridge, makes use of the Intel Trusted Execution Technologies and Advanced Encryption Standard algorithm to perform the processing in RAM. This can be done with Intel Sandy Bridge because there's now about 20MB of cache available, enough to get the job done, says Horovitz. The data in question is only unencrypted in the CPU.

PrivateCore's vCage approach is being tested now by infrastructure-as-a-service providers, and some enterprises in virtualized data centers, according to PrivateCore's co-founders. PrivateCore has developed a key-management system for vCage but is also eyeing integration with existing key-management systems. PrivateCore has received $2.4 million in venture-capital backing from Foundation Capital.

Another start-up, Bromium, also makes a strong argument about the value of the CPU for security.

Bromium has a desktop anti-malware protection approach based on a specialized security-oriented hypervisor that relies on machine CPU as the bedrock for isolating malware and attack code. Called vSentry, it lets malware and attack code be simply tossed when the Web browser is closed. Simon Crosby, CTO at Bromium, strongly believes that the use of hardware-based CPU is where the future of security is headed. Crosby adds: "It's hard to break the CPU."

The company now counts the New York Stock Exchange, BlackRock and ADP as technology adopters. Bromium has gotten $35.5 million in venture-capital funding from a number of investment firms, including Andreessen Horowitz. Not surprisingly, Intel Capital is among them, too.

At processor manufacturer and Intel rival Advanced Micro Devices (AMD), Ron Perez is senior fellow and senior director of security architecture. He discussed some of AMD's latest steps to optimize AMD CPU for security purposes.

The rise of mobile computing and electronic payments is leading to an era where hardware-based processing can help protect transactions. Perez says AMD has licensed a technology called TrustZone from ARM that was developed to secure mobile payments and streamed content. TrustZone has won support from several third-party vendors.

Last December, the joint-venture firm Trustonic was announced by three partners, ARM, security firm Gemalto and security company Giesecke & Devrient, which is active in the financial industry, to put forward crypto technology embed in integrated circuits that can be turned on to enable many types of security functions. Companies supporting Trustonic include Symantec, Samsung  and MasterCard International.

"We're going to include it in our processors going forward," says Perez about ARM's TrustZone technology. "We wanted an open approach as opposed to a proprietary approach."

Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security. Twitter: MessmerE. E-mail:

Read more about wide area network in Network World's Wide Area Network section.

Join the CSO newsletter!

Error: Please check your email address.

Tags Configuration / maintenanceGooglesecurityhardware systemsData CenterintelWide Area NetworkVMware

More about Advanced Encryption StandardAdvanced Micro Devices Far EastAdvanced Micro Devices Far EastAMDFoundation CapitalGemaltoGoogleIDGIntelIntel CapitalSamsungSymantecVMware Australia

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Ellen Messmer

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place