The biggest trade-off when you move to the public cloud is control--you give up some control of your infrastructure in exchange for moving faster, being more scalable, and better managing your costs. But, that exchange can also have consequences for security.
Silicon Valley startup Bracket Computing thinks it has come up with a way to change that, and some of the world's biggest companies have quickly gotten on board and used its technology to bring some of their operations to the public cloud.
And at RSA 2017, Bracket introduced a pair of new capabilities that its CEO Tom Gillis said would have stopped insidious attacks like the Russian hack that compromised the Democratic National Committee's data during the 2016 US Presidential campaign.
Bracket calls its technology a "metavisor" because it is a software layer that acts similar to a hypervisor but runs across multiple clouds--Vmware private cloud, Amazon AWS, Microsoft Azure, and Google Cloud Platform.
Most security solutions use agents that sit on top of (or inside of) the software and hardware, they're trying to protect. The problem with agents is that "they're hard to manage and easy to defeat," said Gillis, who previously worked at Cisco Systems and IronPort.
Bracket works at a lower level.
"We're this little software layer that sits underneath the operating system," said Gillis in an interview with ZDNet.
That provides enterprises with a logical view of their entire cloud operation--and its security--even when it's spread across several of the leading cloud providers.
"We're not trying to homogenize the cloud, but provide a consistent set of security services," said Gillis.
Since Bracket launched two years ago (after three years of development in stealth mode), its metavisor technology has offered two main benefits:
Transparent encryption: All data-in-motion and all data-at-rest is encrypted by default, and is totally independently of infrastructure; this also enables granular control of data residency and data sovereignty.
Micro-segmentation firewalling: IT can determine which servers can talk to which servers; this kind of fine-grained firewalling can cover a myriad of potential attack vectors.
These features have turned Bracket into a valuable security ISV for Amazon AWS and other vendors, and it has enabled large, high-security enterprises such as Goldman Sachs, Wells Fargo, and DirecTV to bring their infrastructure to the public cloud.
At RSA 2017, Bracket also launched a pair of new features:
Forensics: This takes a picture of all the things in the operating system that should never change, and then alerts the CISO and team when something changes that shouldn't.
Run-time integrity: The new forensics capabilities allows Bracket to provide run-time integrity checks that can protect against rootkits and other malware that hides itself inside the operating system.
The Bracket team speaks with plenty of confidence--but without much hyperbole or bluster--about the work it's doing to improve cloud security.
"We're basically a new layer in the data center," said Gillis.
But, other companies at the 2017 RSA Conference are also talking about securing both data-at-rest and data-in-motion at the same time and about getting many of the same results that Bracket promises.
The big question is whether CISOs and IT leaders stick with the current agent model in security or buy into Bracket's new metavisor concept to secure the cloud. The fact that several big banks have used Bracket as their on-ramp to trust their infrastructure to the public cloud is a decent start.