Start-ups lean hard on CPU-based security technology to protect virtual environments

The idea of relying on the server or desktop central processing unit (CPU) as the key part of a security scheme is getting more attention as a number of start-ups are using the technology to protect virtual systems.

Take start-up PrivateCore, for example, co-founded by Oded Horovitz, its CEO, along with Steve Weis, CTO, and Carl Waldspurger as adviser. The start-up has come up with what it calls its vCage software, which relies on the Intel Xeon Sandy Bridge CPU as the trusted component to encrypt data in use.


"Their CPU is loaded with security," says Horovitz about the Intel Sandy Bridge processor. PrivateCore has created its vCage software for secure processing through means of Intel Sandy Bridge-based servers in cloud environments, first off in infrastructure-as-a-service (IaaS).

Horovitz was formerly a lead security engineer at VMware, as was Waldspurger; they joined with Weis, formerly a member of Google's security team focusing on crypto, to found the Palo Alto, Calif.-based firm in 2011. PrivateCore's main argument is that the latest CPU technologies should be the foundation for processing encrypted data.

The challenge in processing encrypted data is "the problem with having to decrypt to do processing," points out Horovitz. The vCage approach, based on the Intel Sandy Bridge CPU, makes use of Intel Trusted Execution Technology (TXT) and the Advanced Encryption Standard (AES) algorithm to perform the processing in RAM. This can be done with Intel Sandy Bridge because there is now about 20MB of cache available, enough to get the job done, says Horovitz. The data in question is unencrypted only inside the CPU.

PrivateCore's vCage approach is being tested now by infrastructure-as-a-service providers, and some enterprises in virtualized data centers, according to PrivateCore's co-founders. PrivateCore has developed a key-management system for vCage but is also eyeing integration with existing key-management systems. PrivateCore has received $2.4 million in venture-capital backing from Foundation Capital.

Another start-up, Bromium, also makes a strong argument about the value of the CPU for security.

Bromium has a desktop anti-malware protection approach based on a specialized security-oriented hypervisor that relies on the machine's CPU as the bedrock for isolating malware and attack code. Called vSentry, it lets malware and attack code simply be tossed when the Web browser is closed. Simon Crosby, CTO at Bromium, strongly believes that hardware-based CPU isolation is where the future of security is headed. Crosby adds: "It's hard to break the CPU."

The company now counts the New York Stock Exchange, BlackRock and ADP as technology adopters. Bromium has gotten $35.5 million in venture-capital funding from a number of investment firms, including Andreessen Horowitz. Not surprisingly, Intel Capital is among them, too.

At processor manufacturer and Intel rival Advanced Micro Devices (AMD), Ron Perez is senior fellow and senior director of security architecture. He discussed some of AMD's latest steps to optimize AMD CPUs for security purposes.

The rise of mobile computing and electronic payments is leading to an era where hardware-based processing can help protect transactions. Perez says AMD has licensed a technology called TrustZone from ARM that was developed to secure mobile payments and streamed content. TrustZone has won support from several third-party vendors.

Last December, the joint-venture firm Trustonic was announced by three partners, ARM, security firm Gemalto and security company Giesecke & Devrient, which is active in the financial industry, to put forward crypto technology embedded in integrated circuits that can be turned on to enable many types of security functions. Companies supporting Trustonic include Symantec, Samsung and MasterCard International.

"We're going to include it in our processors going forward," says Perez about ARM's TrustZone technology. "We wanted an open approach as opposed to a proprietary approach."

Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security. Twitter: MessmerE. E-mail:

