The secret to Google's rock-solid security is now commercially available

A new startup aims to commercialize a security approach birthed at Google. It just might work.

If you want to see the future, I've written, you just need to peek behind the firewalls of Google, Microsoft, LinkedIn, and other tech giants. These behemoths have gifted us incredible technology for managing containers at scale (Kubernetes, Apache Mesos), handling big data (Apache Hadoop, Apache Kafka), and more. What they haven't done much about, however, is security.

Until now. While not an open source project, the concept of zero trust security was surfaced by Google and now provides the foundation for startup ScaleFT, which just raised $2 million in seed funding from Fuel Capital, a venture firm co-founded by Brad Silverberg and Chris Howard. While Howard's background in brand strategy may be less well-known, Silverberg is a household name in tech, having spent years at Microsoft in charge of the Windows (including the launch of Windows 95), internet, development tools, and Office divisions.

I caught up with Silverberg and Howard to better understand how they uncovered ScaleFT, and why they think a zero trust approach can fix security.

Commercializing the web giants

TechRepublic: ScaleFT's security concepts were born at Google, and I notice that many of your portfolio founders come from giant web-scale companies (e.g., Mesosphere founders from Twitter) or aim to commercialize technologies from the internet giants. Is that how you de-risk investments?

Howard: There is a lot of truly extraordinary infrastructure technology being invented at web-scale companies that is rethinking and reinventing the way computing is done relative to cloud, massive scale, mobile, and AI. So many cool things are being done at big technology companies for their own internal use. At some point, it gets to the outside world. It gets commercialized.

For example, Hadoop came out of Yahoo!, based on ideas pioneered at Google, and commercialized by companies such as Cloudera and Hortonworks. Kafka came out of LinkedIn, and is being commercialized by Confluent. Mesosphere came out of UC Berkeley, based on ideas from Google, and put in production at places like Twitter and Airbnb. Kubernetes came out of Google and is being commercialized by companies such as CoreOS. And so on....

At Fuel Capital, it's a model we love, where groundbreaking infrastructure gets invented and proven at a web-scale company and then commercialized for enterprise use by a startup for the broader market. Ideas that solve real infrastructure problems—often, but not always, based on open source—is one of our core investment theses.

ScaleFT fits this model perfectly and addresses one of the most pressing and important issues of them all: Security. Security is even more important in a world with such massive scale and mobility. The BeyondCorp and zero trust approach for security that is the basis for ScaleFT comes from Google, and we believe it will redefine the way security is done.

Learning not to trust

TechRepublic: So what is new in security? That's the second oldest profession in IT.

Silverberg: It's obvious to anyone that security is broken. It breaks every day. We read about phishing attacks, the Russians hacking the DNC, emails leaking: It's obvious to us that the whole approach we've taken to security for the last 20-30 years is inherently limited. The perimeter-based approach doesn't work. People get more and more clever every day in how they try to put their fingers in that dike. The bad guys continually stay a step ahead of the good guys.

What excites us about ScaleFT is that they understand we can't win the perimeter defense way. Perimeter will always have holes. We need to flip the security paradigm on its head.

TechRepublic: How did you discover zero trust and ScaleFT?

Howard: When we saw the BeyondCorp work coming from Google, we didn't know of any companies that were actually commercializing it. When we heard about ScaleFT and that they were taking the Google approach, we got super excited. Given all the problems with perimeter models, we think you have to start with zero trust. When you have zero trust, even inside the internal network of a company, then you have the basis for solving security issues.

The challenge with zero trust is how do you get the performance, and get people to use it, if you don't trust anything? But that is the start. And ScaleFT seems to have solved the performance and usability challenges. Users like zero trust. It's faster than VPNs! The fact that Google uses it is proof that usability issues can be solved.

The leap of faith

TechRepublic: Zero trust sounds like almost a leap of faith. How do you get customers to abandon their VPNs and perimeter defenses? The psychology of that sale is interesting.

Silverberg: This is a ridiculously great idea but there is a leap of faith involved. As an investor, you have to believe in the idea, the market opportunity, and the team. The market opportunity is immense. Security is a priority zero issue for every company and yet the current model is broken. It's one of the biggest markets out there, one in which products fail every day.

In some ways, it reminds me of Microsoft's early challenges with security and our patch Tuesdays. The perimeter security model is like Windows patching. You just keep patching, like chasing a dog's tail. Bad guys are always ahead. The current security is built on a flawed model. What is the level of customer satisfaction? Is anyone satisfied with the level of security they have with their company? Absolutely not.

Zero trust is a fundamentally better way of doing security. The fact that this is based on Google and how they run their own security is the best validation you can get. Is there another company on the planet under more security attack? Maybe some banks, but maybe not. Google hasn't seen a major security breach since Aurora in 2009, more than eight years ago. Their security model is proved out and validated.

We believe the zero trust approach will redefine how security is done. So the question for us at Fuel is how we can help the ScaleFT team execute and take full advantage of this immense opportunity.

About Matt Asay

Matt Asay is a veteran technology columnist who has written for CNET, ReadWrite, and other tech media. Asay has also held a variety of executive roles with leading mobile and big data software companies.
