Modernizing Authentication — What It Takes to Transform Secure Access
Mark Hoover spent most of his professional career working with networking and connectivity technologies. Until he became CEO of Vidder, an enterprise security start-up, he'd never worked in IT security -- or even paid much attention to it, he acknowledged.
"Networking technology is so far ahead of security technology because for decades we've viewed them as different things," he said. "I'm 58 years old, I've done a bunch of stuff. It feels like contributing to the security of networking is my responsibility in life now because I've created too many problems in the past lives."
For two decades IT security relied on a toolbox of detection and isolation software, authentication, firewalls and VPNs. Their goal was to secure the perimeter around the enterprise, essentially shielding or hiding the entire network from attackers.
Hoover said that paradigm has broken down in recent years, due to two major trends:
- The morphing enterprise perimeter. Once, every employee used internal applications, generally logging in through a secure, IT-controlled VPN connection. Now an application may be a cloud service running in one location, while the data is crunched on another cloud. What's more, these applications and their data may be accessed by employees on mobile devices, as well as contractors or consultants working off-site.
- More sophisticated, targeted attacks. While IT security fell behind on network and connectivity technologies, hackers became more sophisticated. Hackers can and do exploit unsecured devices or cloud-based services and, once they're in, the old security paradigm gives them access to enterprise applications.
Junaid Islam foresaw the problem back in 2009. Islam had worked with StrataCom, a provider of WAN gear, then with Cisco after it acquired StrataCom. He'd worked on a similar problem for the U.S. Department of Defense, which needed ad-hoc but highly secure networks that could be quickly set up and torn down. Islam thought the approach he'd developed for the DOD could be packaged in a more cost-effective way for use in enterprises.
That is where Hoover came in. Venture capitalists recruited him in 2010 to help monetize Islam's product. After an early trial, they realized the solution needed to offer protection granular enough to hide and protect individual applications and servers if the network is compromised. It also needed to be flexible enough to protect applications or servers wherever they reside, and regardless of how the end user accesses them.
How Vidder Does Application Security
Vidder's flagship product, PrecisionAccess, does this by incorporating three chunks of software.
First, Hoover said, it deploys a TCP gateway "near" the application or server it's protecting. Second, it leverages a controller to manage connections. The controller stops targeted attacks and bots by receiving any external requests sent to the protected application or server. It requires the requester to provide identification before allowing it to connect to the application or server, essentially foiling phishing attacks by external requests without providing any information from your network. Third, an agent deploys on devices such as smartphones to provide protection from attacks that exploit end-user devices.
Vidder calls itself the first commercial secure connectivity solution based on software-defined perimeter (SDP) technology. SDP is still being defined by the Cloud Security Alliance's SDP working group, which Islam co-chairs.
The approach provides a "higher posture of security," Hoover said, which is why he thinks of Vidder as a networking company as much as a security startup.
Application Security Difference
Reception has been good, once companies understand what the product does, Hoover said.
"It is definitely a new concept. The sales process is not 'We're a better form of something, we're familiar,'" he said. "You have to get them to understand how we're different. You have to help them understand how attacks are happening."
It's the combined approach that differentiates Vidder from traditional enterprise security competitors, Hoover said. While there are ID-based firewalls that deploy in front of, say, data center servers, they aren't as granular and can't be deployed off-premises, which Vidder can. Vidder also competes by offering built-in authentication that hides the application.
Vidder's product competes with traditional VPNs, but more tightly restricts access to a few applications rather than the whole network. Another use case is cloud migrations, where companies want to move workloads to multi-tenant data centers.
Islam, who serves as Vidder's president and CTO, now focuses on technology partnerships, according to Hoover. Though the company shipped its product in the third quarter of 2014, sales didn't really take off until the latter half of 2015, when series B funding allowed the company to add a marketing and sales division. Having a dedicated sales and marketing team has generated more business, creating sales momentum, Hoover said.
Not surprisingly, the company's customers are large enterprises, Hoover said. Once they understand what the product does, it's not hard to convince them of the need.
What hangs up the sales process, he said, is helping companies determine which applications or servers to protect first. Since it's sold by subscription, companies usually start with a $40,000-80,000 annual contract protecting a few applications, he added.
Fast Facts about Vidder
Founder: Junaid Islam
Product: PrecisionAccess is a software-defined perimeter technology that incorporates authentication, identity management and other traditional security tools to secure at the application and individual server level. The product shipped in the third quarter of 2014.
HQ: Campbell, Calif.
Customers: A dozen Fortune 500 companies
Funding: $17 million, with investors including LDV Partners, Envision Ventures, ONSET Ventures and Voyager Capital.
Loraine Lawson is a freelance writer specializing in technology and business issues, including integration, healthcare IT, cloud and Big Data.