Arxan unveils its Internet of Things security strategy

Size: px

Start display at page:

Download "Arxan unveils its Internet of Things security strategy"

Amberly Jacobs
8 years ago
Views:

1 Arxan unveils its Internet of Things security strategy Analyst: Wendy Nather 17 Apr, 2015 As we've discussed before, one of the biggest disruptors to security is the application's removal from the enterprise datacenter. All the assumptions about a dedicated execution environment, standardized client, perimeter firewalls, centralized identity and access management, monitoring and operations go out the window. In their place is a disconnected, hostile environment with erratic users, tinkerers, hackers, pirates and corporate espionage agents who want to attack at the application layer. Of course, vendors of consumer and embedded system software have known this for years, but now that everyone has entered the field with a mobile app, they're having to learn the hard way that it's a wild world. This rude awakening is only going to get bigger with the Internet of Things (IoT). Auto and medical device manufacturers are discovering just how vulnerable their products are: the 'smarter' they get, the more exposed they are. Arxan has spent the last few years taking advantage of the mobile-security market. It just announced (in time for the RSA Conference in San Francisco) its expanded capabilities for IoT as well. The 451 Take We saw this coming: Arxan's ability to secure code in the Wild West of the Internet naturally lends itself to the IoT. From this perspective, the possibilities are huge one might even say 'moby' (if one were versed in arcane hackerspeak). From defending IP against reverse engineering and piracy to protecting mobile banking and payment apps against fraud to securing, say, automotive systems and the apps they talk to Arxan could build an early lead in the market. We see only two obstacles: manufacturers' reluctance to spend as much on security as the bank, software vendor and entertainment industries do, and the marketing flood that has already started in IoT security that will surely muddy the waters. Copyright The 451 Group 1

All the assumptions about a dedicated execution environment, standardized client, perimeter firewalls, centralized identity and access management, monitoring and operations go out the window.

2 Context Founded in 2001, Bethesda, Maryland-based Arxan announced in September 2013 that TA Associates had acquired a majority stake in the company for an undisclosed amount. The deal provided an exit for previous investors Trident Capital, Paladin Capital Group, Solstice Capital, EDF Ventures, Legend Ventures and TDF. Arxan's last funding around, a minor C extension, was in 2009, and its total funding was approximately $28m. The company has additional offices in North America (San Francisco and West Lafayette, Indiana), Europe (the UK, Germany, France and Sweden) and Asia (Tokyo). In June 2014, Arxan announced a major reseller relationship with IBM, in which its GuardIT and EnsureIT products would be featured as Arxan Application Protection for IBM Solutions. Since then, IBM has begun reselling Arxan's cryptographic key protection as well, which is seen as critical for the host-card emulation wave in the mobile-payments space. Technology Because Arxan's offerings involve application and cryptographic key protection, and had already been in use for years to defend against reverse engineering and software piracy, the company is used to dealing with software running in a hostile environment, whether that's a gaming console or an embedded system being sold to a nation-state that regards copyright as more of a guideline than an actual rule. The technology has been expanded to mobile use cases since 2011, but now goes several steps further. One new example touted by Arxan is that of an auto's infotainment system. These systems work with multiple third-party applications on the driver's phone, and act as the primary communications interface to the rest of the vehicle modules. Imagine that a user downloads a compromised app from an app store, and uses it to access the infotainment system more than causing possible data loss, this could threaten the driver's own safety. Numerous automotive partners have their own software to access and update different system modules; these also need to be protected from modification or unauthorized access. Without needing to change the source code, Arxan applies interdependent protection routines, called Guards, directly into a software program, and then obfuscates or scrambles the result. The Guards are available for a large number of platforms, including Windows, from the enterprise edition of 8.1 all the way through Windows Embedded POSReady 2009 and back as far as Windows Copyright The 451 Group 2

Arxan's last funding around, a minor C extension, was in 2009, and its total funding was approximately $28m.

3 NT 4.0. Other operating systems supported include Red Hat Enterprise Linux, Android, Mac OS X, ios, BlackBerry and PowerPC. From an IoT standpoint, Arxan has positioned itself to offer protection to mobile applications that are used to control an IoT device (think home automation, insulin pumps, etc.), IoT device firmware and embedded applications, and applications running on an open IoT platform (such as Android Wear or Apple Watch). Competition Within the IoT crowd, Arxan is going to run across any number of competitors that offer very different kinds of security, and, as often as not, will simply be IoT-washing their existing products this early in the game. We expect to see vendors with network-level, IP-based security as well as monitoring (because those are easier than getting up close and personal with the software). Companies running up the IoT-security flag include large firms such as Oracle and Cisco, as well as ARM Holdings and Intel (both of which recently acquired IoT-related security companies). We see established companies such as Infineon and SecureRF joining the conga line, as well as newer ones like Bastille, M2M Cyber Security, Tempered Networks, Xipiter and Mformation. There is no shortage of security vendors that are willing to poke holes in IoT as a service (IOActive is noted for this, others include Accuvant, BorderHawk, Attify and Laconicly). We will be covering IoT security in more depth in future reports. Arxan will need to wade through all of these crowds to establish its focus on the software itself. If it can do that successfully, we think it will find a large market, but it will have to address one potential problem: its price. While some gaming, entertainment and semiconductor companies are ready and willing to drop up to six figures for security, manufacturers that have not worried about it until now will be harder to convince. Even within the IBM sales sphere, we hear reports of Arxan being seen as expensive, and that's saying a lot. Arxan says it is exploring alternate price points and business models for new IoT markets, in the same manner that it adjusted its pricing for addressing the mobile marketplace. However, if competitors in IoT security can sell customers on the idea that monitoring is cheaper than protection, the company could find itself bogging down. SWOT Analysis Strengths Weaknesses Copyright The 451 Group 3

), IoT device firmware and embedded applications, and applications running on an open IoT platform (such as Android Wear or Apple Watch).

4 Arxan has years of experience protecting software in hostile environments, and it has expanded its coverage to a wide variety of platforms. In addition, its products don't require source code changes. Opportunities Threats How many Things are there? The Internet's the limit. If Arxan can make this security affordable, it can clean up. The company is used to dealing with customers that have deep pockets and appreciate the need for this type of security. That may change as Arxan expands into markets where manufacturers have never had to deal with security before, and may balk at the price. We see the main threats as being the imminent confusion of the 'Security of Things': vendors jumping into the pool with numerous terms and security techniques that will muddy the waters, and possibly obscure Arxan's positioning. Copyright The 451 Group 4

The company is used to dealing with customers that have deep pockets and appreciate the need for this type of security.

5 Reproduced by permission of The 451 Group; This report was originally published within 451 Research's Market Insight Service. For additional information on 451 Research or to apply for trial access, go to: Copyright The 451 Group 5

Critical Watch aims to reduce countermeasure deployment pain by doing it all for you

Critical Watch aims to reduce countermeasure deployment pain by doing it all for you Analyst: Javvad Malik 6 Sep, 2012 Critical Watch offers Active Countermeasure Intelligence, a combination of risk intelligence