
Security Startups: In Focus With Sierraware CEO Gopal Jayaraman

Security Startups Feature

Company: Sierraware  |  Who: Gopal Jayaraman, President and CEO

SecurityWeek: How did you start out in the computer field and in particular, security?

Gopal: I have a Masters in electronics. I started in computing mainly by playing around with micro-controllers and building robots. For a long time I was working with micro-controllers and then I moved to the PC-world. When we first went to the PC-lab, people would tell us not to touch them because of viruses. That was a shell shock to me because in micro-controllers it’s all very small, self-contained – and there’s no security. That’s where I got hooked into security. I realized that there are beautiful computers and technology, and these become unusable simply because they get infected when inserting a floppy. What’s the point of having these computers if we can’t use them? Things need to be immensely better to make them more usable. It’s now 15 years of playing with security ideas – network security, operating system level security.

SecurityWeek: What brought you to found Sierraware?

Gopal: Gopu Subramanian, Sierraware’s CTO, and myself founded the company two years ago. The one thing that happened in 2009/2010 was the realization that PC is dying and we’re moving to mobile computing. This brings about a new paradigm with newer processors and newer operating systems. It’s a good opportunity not to make the same mistakes as with PCs. PCs have no security architecture inside of them – it’s a bunch of patchwork. There are firewalls, anti-virus, anti-malware scanners. Then you also have external fingerprint scanners. We can now come with new philosophies such as least-privileges, and that is something that’s built on new processors. We can come with a product that can be a philosophical enforcer in the system. Everyone that plugs-in can find its place. It’s not a solution where it’s all patchwork. After all these years we’re moving – and we have the opportunity to do it from scratch. People are realizing that security needs to be inside the system and that’s how we got the idea.

SecurityWeek: What does Sierraware do?

Gopal: Sierraware develops and sells virtualization and Trusted Execution Environment (TEE) software. Let me give you a background about TEEs. ARM Holdings has produced a set of hardware security extensions that they call TrustZone. TrustZone enables equipment vendors to run two separate execution environments - a secure and a non-secure environment - on a single processor. Sensitive information can be stored in the secure environment. In the non-secure environment, end users can run both sensitive business applications and non-business apps without risk. The hardware provides the user with the protection and isolation needed to prevent applications from accessing other applications. We provide a Trusted Execution Environment for mobile platforms to help protect mobile payment apps, Digital Rights Management applications, and anti-malware software. For example, our software allows high definition video to run in the secure environment. This means that the video decoding and playback happen in the secure world so that the user cannot take a screenshot of the video or illegally copy the video. The reason is that film studios and companies like Netflix don’t want end users to record what a device is playing. Similarly, with our SierraTEE software, keyloggers cannot steal passwords because sensitive applications store the passwords in the secure world.

SecurityWeek: How did you turn the idea into an actual business?

Gopal: I have been building ARM chips for 8 years. One fundamental problem I saw was that ARM had developed the TrustZone hardware extensions, but companies still needed cost-effective software to implement their own Trusted Execution Environments. If you look at an Android tablet, there are three layers. There is ARM, and then the actual System-On-Chip (SOC), and the Android operating system which is running various applications. In between the SOC vendor and Android, there needs to be a bridge, but equipment vendors do not have a way to build that bridge. As a result, there are dozens of small silicon vendors that develop SOCs, but do not offer the necessary security software to help secure applications. We saw the opportunity and said that we will work on the platform. We started implementing the software and we immediately saw interest from dozens of SOC and equipment vendors. Suddenly, everyone jumped on board and got interested.

SecurityWeek: What are your markets?

Gopal: Any kind of computing platform that handles sensitive data such as a mobile with credit cards, HD media, and industrial apps like power smart grids. Take for example Stuxnet which affected the Siemens controller. They stole the device key from the non-secure world. Once a device key is stolen, any app can be installed on the device. Anti-virus software would not identify it as malware because it’s running with the device key. So, we work with government and satellite communications, airlines, mobile phones, smart-grids, M2M communications.

Any of these new platforms have the same fundamental problem: a highly sophisticated operating system which is hard to certify and protect. Besides our Trusted Execution Environment, we've also developed virtualization software for embedded devices. With our hypervisor, equipment vendors can run multiple operating systems on their devices at the same time. Our SierraVisor hypervisor can be used in a wide range of products from cars to smart TVs to ARM-based servers, and more.

SecurityWeek: At what stage is Sierraware now?

Gopal: We are self-funded so we are lucky where we are. We have 20 employees and we already have a market with customers from the mobile, automotive, and industrial industries.

SecurityWeek: What's your business model?

Gopal: We work with OEMs that make mobile phones, TVs and system designers. It’s an OS-licensing model since they all have a chip, on top of that there’s Android and we provide the layer in-between.

SecurityWeek: Who are your biggest competitors?

Gopal: In-house development shops. Some of the established vendors decided to take the work and do it by themselves. There’s also market confusion since people hear mobile and containers and think McAfee.

SecurityWeek: What is your biggest challenge?

Gopal: Hiring a team. Building a team is difficult since we require a particular expertise – chip-level programmers who write directly on a chip. When we saw that wasn’t too easy to find, we built programs to train and develop problem-solving engineers. Training takes six months so there’s the high cost of hiring and training. The second challenge is that the chip-making companies are all over the world. Previously, manufacturers were only in Silicon Valley. Now companies are everywhere - France, China, South Korea, Israel, India. It’s difficult to create a sales force and address this type of market. You have customers in every single continent and you need to consider time zones, languages, and travelling requirements.

SecurityWeek: Any tips for other entrepreneurs starting out?

Gopal: There are three: First, be hands-on. If you’re at the mercy of someone else and asking someone else to do it – that’s tough. If you can do it on your own and get to a point of having a proof of concept, then you have an opportunity. Second, pre-plan funding and life for the next 2-3 years since you’re building your life for those next two years. Third, have lots of patience. There’s going to be a lot of ups and downs, but if you’re going down a path, stick to it for a couple of years. Those will be the hardest times, but see where it goes before you change your mind.

SecurityWeek: Other than yours, what is your favorite startup – whether it is in security or not?

Gopal: My favorite startup is one that I worked for - Cavium. It was a startup 8 years back and now it’s a $400M company. The biggest thing about them was their poise and execution. No matter what was the competition - it could be a multi-million company - they were relentless. I saw them grow from a startup and I loved that about them.

Noa is a private consultant specializing in building thought leadership teams within tech companies. She is one of SecurityWeek’s first columnists with previous columns focusing on trends in the threat landscape. Her current interests lie on the business side of security. Noa has worked for Imperva as a Sr. Security Strategist and before that, as a Sr. Security Researcher. She holds a Masters in Computer Science (specializing in information security) from Tel-Aviv University.