The Sheriff: Simon Crosby, co-founder, CTO of Bromium
by Derrick Harris
Many people might not think of Simon Crosby as one of the most important figures in the evolution of IT infrastructure. But they should. Indirectly, at least, his work with Xen — the open source hypervisor that Crosby created with Ian Pratt in the early 2000s — helped make possible cloud computing as we know it. And very soon, Crosby’s work might change the face of enterprise security, too. Here’s how:
Crosby explained to me in a recent interview that mere server virtualization — what he calls virtualization 1.0 — was a short-lived phenomenon. People saw all these virtual machines and correctly assumed there had to be more, and IT essentially went from being manual rack-and-stack labor to being agile, edgy and highly skilled, says Crosby. “Virtualization enabled that, and virtualization enabled Amazon Web Services,” he said.
Specifically, Amazon Web Services chose to build its enormously popular cloud computing platform on Xen when it launched in 2006. Whatever AWS was going to use had to be secure, it had to be dynamic and it had to be open source — only Xen fit the bill, Crosby said. That same year Citrix bought XenSource, the commercial entity Crosby and Pratt created around Xen.
Fast-forward to today and we have a much better sense of where things are going. Former bitter rival VMware is still the undisputed king of virtualization, and has an amazing business, says Crosby: “VMware will kill over time what’s left of HP’s software business,” along with BMC, CA, Symantec and even bits of Microsoft.
But Crosby doesn’t think this early form of virtualization is all that interesting compared to what AWS has built. “[I]n terms of standing the world on its head, Xen has done that. … [It] has had a far more profound effect on the world than even we imagined it could.”
After leaving his post as CTO of the Virtualization and Management Division at Citrix in June 2011, Crosby is ready to shake up IT again. He and Xen co-creator Pratt (as well as Gaurav Banga) have reunited to form security startup Bromium, which will officially launch at our Structure conference next week and which could help quell growing fears about how corporations will secure their data in a BYOD world.
You’ll have to wait a few days for the exact details of Bromium, but here’s the gist: According to Crosby, the main problem with current security technology is that there’s “an impedance mismatch between our humanity and our computer systems.” Someone will always click the link and code will always be buggy, so bad guys will always have a way to get in, he says.
Bromium solves these problems, he explains, by using “an architecture that is naturally resilient to the fact that we are human.” The technology is connected to the work Crosby and Pratt did on Xen, if only conceptually. Virtualization plays a role, although Bromium utilizes hardware-based virtualization, and the idea that a small code base is necessary to help guarantee security certainly carried over.
In fact, Crosby said, one of the primary lessons learned from Xen (which has fewer than 50,000 lines of code compared with a couple million in VMware’s hypervisor) is: “Throw away a line of code every day. If you can, throw away 10.” Bromium has just 100,000 lines of code, and could have even fewer in the future.
“Any approach that says we can stop the bad guys is basically a lie,” Crosby says. With Bromium, he hopes to turn a $20 billion enterprise security market on its head by proving we don’t have to stop them. We just have to keep them from getting to our sensitive data when we inevitably click that infected link.