Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Security Management

9/28/2017
03:35 PM
Simon Marshall
Simon Marshall
Simon Marshall
50%
50%

Fortanix Has Series A Funding for Run-Time Encryption

Fortanix has introduced new technology for run-time encryption to protect sensitive data.

Private data can be protected when it's at rest. It can be protected when it's in transit. But what about when it's being accessed by applications?

Run-time encryption is a solution to this problem, and it's the latest technology to emerge in cloud-based security. Essentially, it is aimed at protecting applications and data during use and computation. The clever part of this is that it allows general computation tasks to be executed on encrypted data.

At the moment, such tasks end with the data being decrypted and it is at that moment that hackers can swoop in and exploit this as a weakness that offers up control over free private data. "Without run-time encryption, once the hacker gets inside, the game is over," Ambuj Kumar, CEO and co-founder of Fortanix, told SecurityNow, "They take control of the data immediately, and can either analyze it there and then or send it to a remote server for analysis."

Ambuj Kumar, CEO and co-founder of Fortanix
Ambuj Kumar, CEO and co-founder of Fortanix

In short, the data then belongs to them and can't be accessed any more by the host target. The answer of course is not to make sensitive data available to any untrusted operating systems, root users, cloud providers or insiders in the first place.

"We set out to create a means to protect applications directly, regardless of the trustworthiness of the computing infrastructure," said Kumar. Welcome to an era of securing data-in-use. Kumar -- previously chief architect at Cryptography Research and Anand Kashyap, CTO and co-founder, formerly an engineer at Symantec and VMWare -- spotted this weakness, and in 2016, and the company was born.

Fortanix exemplifies the new security paradigm of accepting that at some point, systems will be hacked: it's no longer good enough to try and hold the perimeter. It's a case of not if, but when. As hackers break into a server, they may have penetrated security to get there, but the data with run-time encryption is still scrambled and therefore unreadable. It's a technology which natrually comes into its own when it provides the security for applications which are in the cloud.

Kumar believes the run-time encryption concept could apply to many other systems and applications where this functionality would be a plus. Currently, Fortanix leads with a product it launched last week called SDKMS (Self-Defending Key Management Service), which is its application of run-time encryption that the firm holds pending patents to. Kumar says it has emerged from beta and is now under limited GA since his company is still developing the sales resources to serve the apparent demand. SDKMS is a key management service, based in the cloud, which the company claims is the first one to be Intel SGX-based, offering data enclaves, the protected areas of execution in memory.


Want to learn more about how LTE-A Pro and Gigabit LTE will impact the 5G market? Join us in San Francisco for LTE Advanced Pro and Gigabit LTE: The Path to 5G event -- a free breakfast collocated at Mobile World Congress Americas with a keynote address by Sprint's COO Günther Ottendorfer.

"Our key market is the financial properties because they have important data to protect, and they can afford new systems," jokes Kumar. Included too is the government sector, because it holds state secrets but importantly is the target for the most advanced hackers.

Fortanix has to date taken two rounds of funding, one a seed round from an undisclosed source, the other -- closed in early June -- a series A round for $8 million from Foundation Capital and NeoTribe Ventures. Fortanix' first two publicly announced customers are Lending Club and IBM.

It's a brand-new technology, so was it hard to convey the technical aspects to potential investors? What was the VC community's reaction to Fortanix?

"Initially, no one understood," said Kumar. "Many folks in the VC community claim to find funding for technologies with new angles. Most of them understand the money, but not technology."

Related posts:

— Simon Marshall, Technology Journalist, special to Security Now

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-37759
PUBLISHED: 2021-07-31
A Session ID leak in the DEBUG log file in Graylog before 4.1.2 allows attackers to escalate privileges (to the access level of the leaked session ID).
CVE-2021-37760
PUBLISHED: 2021-07-31
A Session ID leak in the audit log in Graylog before 4.1.2 allows attackers to escalate privileges (to the access level of the leaked session ID).
CVE-2020-26564
PUBLISHED: 2021-07-31
ObjectPlanet Opinio before 7.15 allows XXE attacks via three steps: modify a .css file to have <!ENTITY content, create a .xml file for a generic survey template (containing a link to this .css file), and import this .xml file at the survey/admin/folderSurvey.do?action=viewImportSurvey['importFil...
CVE-2020-26565
PUBLISHED: 2021-07-31
ObjectPlanet Opinio before 7.14 allows Expression Language Injection via the admin/permissionList.do from parameter. This can be used to retrieve possibly sensitive serverInfo data.
CVE-2020-26806
PUBLISHED: 2021-07-31
admin/file.do in ObjectPlanet Opinio before 7.15 allows Unrestricted File Upload of executable JSP files, resulting in remote code execution, because filePath can have directory traversal and fileContent can be valid JSP code.