June 14, 2017
Ashu Garg
More than 2,000 businesses use the password manager OneLogin.[1] Which means that, two weeks ago, more than 2,000 businesses learned that hackers spent seven hours perusing OneLogin’s customer data.[2] The security attack could prove fatal to OneLogin, and it’s only the most recent business to fall victim. Well-known data breaches cost Home Depot $62 million,[3] Sony $171 million,[4] and Target $236 million.[5] And that doesn’t factor in long-term costs to their brands, which could be billions of dollars.[6]
Businesses have responded to these hacks by building stronger, more secure infrastructure. But clearly that hasn’t been enough. We need a fundamentally different approach. Enter Fortanix, which has just announced its Series A round, led by Foundation Capital and NeoTribe. Fortanix’s approach is to assume that no infrastructure can ever be completely secure, and instead to place the focus where it’s most needed: with the application itself.
For the past year, Ambuj Kumar and Anand Kashyap have incubated Fortanix in Foundation Capital’s Menlo Park offices. It was clear from our first meeting that these two are exceptional founders. Since then, Ambuj and Anand have vindicated our belief in them by building out the first mathematically complete, verifiable solution to a critical security problem: encryption during runtime.
Imagine the way security works today like a dam. You build a massive wall to keep water from leaking through and use release valves to carefully control when and where you let it out. So far, technology’s good at protecting data in those two circumstances: when it’s at rest (like on your hard drive or in the cloud) and when it’s in transit (through SSL or a VPN connection). Even if a hacker steals your encrypted data when it’s at rest or in transit, it’ll look like mumbo jumbo to them. Everyone can sleep at night.
But there’s a third case we haven’t covered – runtime, when your data is being processed. Take the credit card number you saved with your favorite e-commerce store. The problem is, the company’s applications must decrypt those numbers to make use of them. The nightmare is when they process decrypted data in full view of hackers who may have gained access to their systems using root credentials, privilege escalation, or a zero-day vulnerability.
That’s why companies are rightly obsessed with patching every hole they find. Fortanix, however, assumes that your dam will always have holes in it. Instead of focusing on making a better patch, Fortanix changes the chemistry of the water itself. The Fortanix team built their software directly on top of the chip to run applications within encrypted areas of memory, keeping data protected during runtime.
The result is what Fortanix calls “self-defending” applications. Even if a hacker compromises the operating system or gains root access, the data remains encrypted. Not only that, the application can continue to run securely. You can choose any cloud provider and run an app on their server, confident that neither the cloud-service provider nor a network intruder can access your customers’ data.
This has major implications beyond credit card processing. What Fortanix has built is a platform – available now in beta – that could change everything from trading algorithms to content-delivery applications. That is what gives their technology the potential to become practically ubiquitous, and it could make Fortanix, quite possibly, one of the most successful security companies of all time. As Brian Johnson, the CSIO of Lending Club – another Foundation Capital portfolio company – wrote, “One day, all secure applications anywhere will run in the encrypted self-defending state that Fortanix has pioneered.”
Fortanix’s breakthrough would not have come without an extraordinarily capable team, with specialized expertise in everything from chipsets to virtualization. Fortanix includes tech veterans from the likes of Square, Symantec, and Cryptography Research – who collectively have published 30 papers and earned more than 100 security patents. But what impressed us above all was Ambuj, Anand, and the entire team’s drive to build a company that will come to define the security space similar to the way VMware defined the virtual hardware space.
This A round is just the beginning of Fortanix’s story. In them, we see an opportunity to usher in a world where companies and their consumers are far better protected. And everyone at Foundation is excited to be a part of what they’re building. Congratulations and onward, Fortanix!
[1] https://www.onelogin.com/customers
[2] https://arstechnica.com/security/2017/06/onelogin-data-breach-compromised-decrypted/
[3] https://hbr.org/2015/03/why-data-breaches-dont-hurt-stock-prices
[4] https://www.strategyand.pwc.com/media/file/Limiting-the-impact-of-data-breaches.pdf
[5] https://hbr.org/2015/03/why-data-breaches-dont-hurt-stock-prices
[6] https://www.strategyand.pwc.com/media/file/Limiting-the-impact-of-data-breaches.pdf