DataCloak, a Chinese Practitioner of Zero Trust Model of Cybersecurity

Financials, Healthcare | Author: Shuhong Chenli | Editor: Luke Sheehan | Jan 13, 2020 04:00 PM (GMT+8)

Rooted in the principle of 'never trust, always verify,' 'zero trust' is a buzzword in cybersecurity at present, a model expected to succeed the classic 'trust, but verify' philosophy.


DataCloak (数篷科技) recently announced the completion of its Series A round of financing, led by Jeneration Capital (时代资本), which brought the cybersecurity company USD 13 million.

Stone VC (基石资本), Songhe Capital (松禾资本), and Matrix Partners China (经纬中国) – who previously led DataCloak's USD 5 million Pre-Series A round of funding in September 2018 – also took part in this round.

Founded in 2018, the Shenzhen-based company provides integrated solutions for the core needs of medium and large enterprises, centered on data security and privacy protection.

As mentioned, DataCloak employs a 'zero trust' IT security framework. What does this entail?

The traditional castle-and-moat security model follows a 'trust, but verify' concept, where people inside the 'castle' – i.e., the company – and those who pass the security check of the 'wary guards' – i.e., they are trusted by the conventional firewall and password-based challenge-response security protocol – can get access to the internal network of the company.

To protect the security of the 'castle,' employees may use physical isolation methods, such as prohibiting data copying or taking internal computers outside the company, or creating virtual desktops.

Advances in technology and social shifts have exposed the outdated nature of the traditional castle-and-moat model, especially in these two aspects:

1. The popularity of cloud computing and edge computing, along with the widespread adoption of big data and AI, has significantly changed the data stream processing and computing environment. This has led the boundaries of the Trusted Computing Base (TCB) system, which was easy to control in the past, to become increasingly porous. The fact that people tend to work remotely more and collaborate from multiple sites is challenging the Intranet security standards under the castle-and-moat model.

2. The castle-and-moat model concentrates security protection on reinforcing the boundary, which ignores defenses against people inside the company. However, according to figures Verizon Wireless disclosed in its 2019 Data Breach Investigations Report, 34% of the security incidents that took place that year involved internal actors.

On the other hand, the 'zero trust' framework, initiated by John Kindervag – former Vice President and Principal Analyst at Forrester Research – in 2010, abides by the 'never trust, always verify' principle. This implies that no one is trusted by default either inside or outside the network of an entity; therefore, verification is required from everyone who seeks access to resources on the network.

There is no specific technology associated with the model, but rather, the system can be thought of as a holistic means to achieve network security, adopting various principles and technologies.
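
The contrast between the two models can be shown in a few lines. This is an added example, not code from the article or from DataCloak; the users, address range, entitlement table and check names are assumptions made for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTRANET = ip_network("10.0.0.0/8")  # constructed "castle" address range
# Hypothetical entitlements: each user may reach named resources only.
ENTITLEMENTS = {"alice": {"payroll-db"}, "bob": {"source-repo"}}

@dataclass(frozen=True)
class Request:
    user: str
    source_ip: str
    password_ok: bool     # passed the password challenge-response
    mfa_ok: bool          # second factor verified
    device_healthy: bool  # device posture check passed
    resource: str

def castle_and_moat(req: Request) -> bool:
    """Perimeter model: being inside, or passing the gate check, grants access."""
    return ip_address(req.source_ip) in INTRANET or req.password_ok

def zero_trust(req: Request) -> tuple[bool, list[str]]:
    """Every request is verified; network location is never consulted."""
    checks = [
        (req.password_ok, "identity not verified"),
        (req.mfa_ok, "second factor missing"),
        (req.device_healthy, "device posture failed"),
        (req.resource in ENTITLEMENTS.get(req.user, set()),
         f"{req.user} not entitled to {req.resource}"),
    ]
    reasons = [why for ok, why in checks if not ok]
    return (not reasons, reasons)

# Constructed sample requests.
SAMPLES = {
    "insider, wrong resource": Request("bob", "10.1.2.3", True, True, True, "payroll-db"),
    "stolen password, remote": Request("alice", "203.0.113.7", True, False, False, "payroll-db"),
    "verified remote worker": Request("alice", "198.51.100.9", True, True, True, "payroll-db"),
}

def compare() -> dict[str, tuple[bool, bool, list[str]]]:
    """Return (perimeter decision, zero-trust decision, denial reasons) per sample."""
    out = {}
    for name, req in SAMPLES.items():
        allowed, reasons = zero_trust(req)
        out[name] = (castle_and_moat(req), allowed, reasons)
    return out

if __name__ == "__main__":
    for name, row in compare().items():
        print(name, row)
```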

In September 2018, DataCloak launched its self-designed Zero Trust Adaptive Secure Computing Platform, named DACS.

The product could be considered as data-centric dynamic secure workspaces that enable employees to access business data securely and remotely. These secure workspaces can be freely created, expanded or contracted, with timelines that accompany the entire lifecycle of a project and automatically terminate when it is over.

To keep it simple, the realization of the solution is fundamentally based on three technologies:

1. A software-defined lightweight trusted computing environment following the 'zero-trust' model towards the terminal. This computing environment is built deeply isolated from the terminal OS, thus ensuring data storage and computation security.

2. Software-Defined Networking (SDN) that controls data communication through networks, which allows DACS to set up secure data communication pipelines between secure computing environments to keep data flowing safely.

3. An AI security brain that enables the secure workspaces to process and analyze security events from the state information collected, to finally form an adaptive active immune system through machine learning.

Although the idea of 'zero-trust' networks has been put forward for almost a decade, it is in the last few years that the framework has started to attract recognition and realize real-world applications.

The framework is embraced by big names such as Google (GOOGL: Nasdaq), Coca-Cola (KO: NYSE), and WestJet Airlines (WJA: TSX), and is recommended by the US House of Representatives for massive adoption in all government agencies in the wake of the OPM Data Breach.

Liu Chao (刘超) – Founder and CEO of DataCloak – noted during an interview with 36Kr that the reason behind the late adoption of the 'zero-trust' approach could possibly be attributed to three causes:

1. The wake-up call from the serious consequences of the large-scale data breach incidents in recent years – such as Facebook and China Life Insurance – has raised companies' awareness of and demand for Intranet security.

2. Policymakers have introduced stricter data protection laws – the General Data Protection Regulation (GDPR) launched in 2016 in the EU, for example – to accelerate enterprises' upgrading of their outdated security protection networks.

3. The complex technologies supporting the realization of the 'zero-trust' framework – such as Multi-Factor Authentication (MFA), Software-Defined Networking (SDN) and policy engines – have gradually achieved a practical level, enabling commercialization.

4. The continuous accumulation of experience through practice based on the concepts of active defense and dynamic defense. Google has implemented a 'zero-trust' model at enterprise level in its BeyondCorp project. The practice of the Internet juggernaut is having a significant demonstration effect in the field.

Based on its standardized DACS, DataCloak has launched several solutions, namely source code protection, user privacy leakage prevention and the multi-regional office, which target different business scenarios.

Up to now, the Shenzhen-based startup has served tens of clients, and is going to acquire more clients operating in advanced manufacturing, finance and gaming sectors, according to the team.

The size of China’s Internet security market is projected to exceed CNY 60 billion (USD 8.64 billion) in 2019, as noted by Zhao Zhiguo – Director of the Cyber Security Administration of the Ministry of Industry and Information Technology (MIIT) of the Chinese government – during the 2019 China Cyber Security Industry Summit Forum, held in December.

According to research conducted by the China Center for Information Industry Development (CCID), this market has recently been growing at a pace of 20% year on year – a satisfactory speed to a large extent, given that it is double the growth rate of the worldwide market.

However, it is apparent that the one-year-old DataCloak only accounts for a tiny bite of the entire cake.

As its business is mainly based on the 'zero-trust' network, a rather new concept in the world of security management – and although the idea is considered to be a more advanced approach compared to the castle-and-moat model – whether the company can create awareness and persuade potential clients to buy into it will be crucial to future performance.