The attitude of breach presumption is one that has fostered a family of seek-and-destroy security products. Find the infected system and fix it. Fair enough. Breach presumption is perhaps a wise posture to take, but it doesn’t mean we have to give up the perimeter. While some security consultants I’ve talked to tell me they counsel their clients to purchase breach insurance and pre-plan a good PR strategy, the fact remains that breach prevention is still desirable.
And so it is that Skyport Systems comes to market. Skyport is not offering a firewall, an IDS, or any other sort of traffic inspection engine. Rather, Skyport is selling a secure computing platform: hardened hardware that creates a trusted environment in which to stand up virtual machines. You buy Skyport servers to host your most sensitive applications, or perhaps your most exposed, customer-facing ones.
On their site’s front page, Skyport describes themselves as…
“…the easy button for establishing secure perimeters around the applications you care about the most.”
More Detail About Skyport
What makes up the Skyport Systems offering?
1. Hardened hardware. Skyport servers go through a series of integrity checks at boot to validate that no rootkit has been deployed, no malware is lurking down in the BIOS, the on-board storage is clean, etc. The system itself won’t come up if those checks aren’t passed.
2. Process proxies. Skyport includes many hardened proxies for services such as RADIUS to limit exposure to vulnerabilities found in services that must necessarily go off-box.
3. An attitude of distrust. VMs hosted on Skyport can’t talk to each other unless explicitly permitted. Have you ever worked with a firewall that passed no traffic whatsoever until a rule allowed it? Skyport is that sort of default-deny mindset, but for virtual machines.
4. A management system. Skyport offers an umbrella manager that is used to manage and monitor the system, and generate reports. For example, the manager contains workflow processes that help operators securely deploy virtual machines.
5. Xen. One architecture element that’s important to understand is that Skyport is not simply hardware. You don’t rack a Skyport server and then throw VMware ESXi on it and add it to your vCenter. Rather, a Skyport box comes with a hypervisor, and that hypervisor is Xen.
That said, I don’t expect this to matter much to most consumers. Hypervisors are tools that get a specific job done, and aren’t especially exciting by themselves — sort of like Ethernet switches with equal specs.
Container support will come to Skyport eventually. The founders suggest that the VM-to-VM secure communications model will eventually be extended to container-to-container communications.
Skyport Use Cases
1. DMZ. In your DMZ, you might host web servers, forward or reverse proxies, load balancers, and other systems that act as ingress or egress points to your network. Deploying on Skyport offers a hardened environment for these applications, which tend to be the most exposed to outside attackers.
2. NFV. Virtualized network functions present an interesting high-value target, as they are in the data path. Compromising a VNF could lead to exfiltration of far more interesting data than compromising a single endpoint host might.
3. Sensitive data housing. Not all of your sensitive data is going to be public-facing. From the perspective of a bad guy, that’s assumed. Therefore, a bad guy wants ultimately to get to the chewy center of your environment — you know, where the good stuff is. In that case, hosting internal apps on Skyport adds a layer of platform trust that will help resist intruders who’ve established a beachhead inside the trusted perimeter.
4. Regulatory compliance. Those shops with health care, payment card, DoD, or other required security postures can use Skyport to aid them in their quest for compliance.
5. Any company morally engaged in protecting their customers. To those companies who house their customers’ data and think breaches are no big deal, Skyport is not for you. Continue to abuse the trust of your customers by leaking their private information through your apathy and ineptitude.
But for those companies who understand the moral obligation they have to protect their customers’ personal, financial, health-related, and other data, Skyport is someone you should be talking to. While instantiating VMs on Skyport isn’t a panacea by itself, Skyport turns cheap, ubiquitous, open x86 hardware into a trustable platform. If you don’t have such a platform in place today, you move the ball ahead by computing the Skyport way.
Possible Objections To Skyport
Any hardware investment comes with objections. Because…hardware. Aren’t we trying to move to a world where x86 is an abstracted resource we don’t have to deal with directly? Where we can put virtual machines and containers anywhere we want? To that mindset, Skyport no doubt sounds a bit icky. A special box you buy and stick in the rack to do magic security things at the compute layer? And how awful is it going to be when we have to upgrade the special box at some unwieldy cost?
To speak to the hardware objection, note that when you buy Skyport, you aren’t buying a server, at least not exactly. You’re buying a service that happens to be delivered in the form of a hardened x86 compute platform. In that context, you aren’t burdened with ownership of the box, and thus, it’s not your problem. The physical box is Skyport’s problem. To this end, Skyport will replace the box periodically at no additional cost to you.
Another concern is that of supply chain corruption. If a manufacturing or assembly facility is compromised, a rootkit can be implanted before the box ever ships. What’s to prevent Skyport from being compromised in the very same way, undermining their value proposition? The short answer is that Skyport trusts none of their outsourced manufacturing. The longer answer is that Skyport demonstrates that lack of trust via their boot check sequence: boxes don’t come online unless they pass a series of checks that a tampered system will fail.
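To make the boot-check idea from item 1 above and from this paragraph concrete, here is an added example of the general model behind it: each boot stage is measured, the measurements are folded into an order-dependent register, and the result is compared against values recorded from a known-good build, so any altered, skipped or reordered stage halts the boot. This is illustrative code written for this page, not Skyport’s implementation; the stage images, boot order and the tampered BIOS image are constructed for the example.

```python
"""Boot-time integrity chain: measure each stage, extend a register, and
refuse to boot on any mismatch.  Added example of the general measured-boot
model; not Skyport's code.  Stage images below are constructed stand-ins."""
import hashlib
from typing import Dict, List, Optional, Tuple

# Constructed stand-ins for the firmware images a platform would measure.
# A real system hashes the actual BIOS/UEFI, bootloader and hypervisor code.
CLEAN_STAGES: Dict[str, bytes] = {
    "bios": b"vendor-bios-v2.1",
    "bootloader": b"bootloader-v7",
    "hypervisor": b"xen-kernel",
}
BOOT_ORDER: List[str] = ["bios", "bootloader", "hypervisor"]


def measure(image: bytes) -> bytes:
    """SHA-256 digest of one stage image."""
    return hashlib.sha256(image).digest()


def extend(register: bytes, digest: bytes) -> bytes:
    """TPM-style extend: new = H(old || digest).  Because each value depends
    on everything before it, a stage that is altered, skipped or reordered
    changes every later register value as well."""
    return hashlib.sha256(register + digest).digest()


def measure_chain(stages: Dict[str, bytes]) -> Dict[str, bytes]:
    """Register value after each stage, in boot order."""
    register = bytes(32)            # register starts at all zeros
    log: Dict[str, bytes] = {}
    for name in BOOT_ORDER:
        register = extend(register, measure(stages[name]))
        log[name] = register
    return log


def golden_values(stages: Dict[str, bytes]) -> Dict[str, bytes]:
    """Expected register values, recorded once from a known-good build
    and stored where the running system cannot rewrite them."""
    return measure_chain(stages)


def verify_boot(stages: Dict[str, bytes],
                golden: Dict[str, bytes]) -> Tuple[bool, Optional[str]]:
    """Walk the chain stage by stage and stop at the first stage whose
    register value disagrees with the golden value.
    Returns (ok, failing_stage); failing_stage is None on a clean boot."""
    register = bytes(32)
    for name in BOOT_ORDER:
        register = extend(register, measure(stages[name]))
        if register != golden[name]:
            return False, name
    return True, None


if __name__ == "__main__":
    golden = golden_values(CLEAN_STAGES)
    print("clean boot:", verify_boot(CLEAN_STAGES, golden))
    # Constructed tamper: an implant appended to the BIOS image.
    tampered = dict(CLEAN_STAGES, bios=CLEAN_STAGES["bios"] + b"+implant")
    print("tampered boot:", verify_boot(tampered, golden))
```

The point of stopping at the first mismatch is that the system never executes a later stage on top of an untrusted earlier one; the failing stage name is the only thing worth reporting, since every later register value is invalid by construction once one stage changes.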
Yet another concern might be that Skyport is neither running VMware, nor is it delivered as a software package you integrate into vCenter. Considering VMware’s ubiquity in the enterprise, this might give some prospective customers pause. Since Skyport stands alone, operations are going to have to change to accommodate the new system and its peculiarities. This is true enough, and a weighty consideration as Skyport is a bit more involved than simply adding a new application to the IT mix. Skyport is an infrastructure product, and must be evaluated as such by IT. That said, Skyport demonstrated a mature GUI. That GUI is simply a front-end to an API that sophisticated customers could choose to leverage.
A final objection might be VMware NSX. While NSX is not a product that competes directly with Skyport, NSX offers a centrally-managed, policy-driven, VM-aware distributed firewall that governs VM-to-VM communications in a multi-hypervisor environment. The Skyport security value proposition goes much deeper than this, but I can imagine some folks might call NSX “good enough.”
How should Skyport position this product?
I was part of a few conversations considering how Skyport should position themselves. Security is a hot sector right now, and thus Skyport could be fairly positioned in that space. And yet, Skyport doesn’t map to traditional security products. This is not an appliance you rack up, shove traffic through or copy traffic to, and have security stuff happen. Rather, Skyport is security-optimized compute infrastructure designed to be unfriendly to rootkits, malware, etc.
Think of Skyport as fortress infrastructure. First of all, Skyport is infrastructure on which you run virtual machines. As it happens, that infrastructure is bounded by the walls of a fortress. For those VMs to communicate with each other or the outside world, they must traverse the fortress walls. Nothing gets in or out without explicit permission, and even traffic with permission is scrutinized. As it happens, these functions are inseparable in the Skyport model.
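The “nothing gets in or out without explicit permission” model from item 3 earlier and from the fortress paragraph above is a default-deny policy. The following added example shows what such a policy looks like when written down and evaluated: a short allow list for a three-tier application, an evaluator that permits only flows matched by a rule and denies everything else, and a set of sample flows run through it. This is illustrative code for this page, not Skyport’s policy engine; the VM names, rules, addresses and flows are constructed for the example.

```python
"""Default-deny policy for VM-to-VM and outside-to-VM traffic.  Added
example of the general model (no rule, no traffic); not Skyport's engine.
VM names, rules, addresses and flows are constructed for the example."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src: str        # VM name, or an IP address for traffic from outside
    dst: str        # VM name, or an IP address for traffic going out
    proto: str      # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    src: str                 # VM name, "any", or a CIDR for outside endpoints
    dst: str
    proto: str
    ports: Tuple[int, int]   # inclusive destination port range


def _endpoint_matches(pattern: str, endpoint: str) -> bool:
    """A pattern matches by exact VM name, by the wildcard "any", or, when
    the pattern is a CIDR and the endpoint is an IP address, by membership."""
    if pattern == "any" or pattern == endpoint:
        return True
    try:
        return ipaddress.ip_address(endpoint) in ipaddress.ip_network(pattern)
    except ValueError:          # not an address / not a CIDR: no match
        return False


def matches(rule: Rule, flow: Flow) -> bool:
    lo, hi = rule.ports
    return (_endpoint_matches(rule.src, flow.src)
            and _endpoint_matches(rule.dst, flow.dst)
            and rule.proto == flow.proto
            and lo <= flow.dport <= hi)


def decide(rules: List[Rule], flow: Flow) -> Tuple[str, Optional[Rule]]:
    """First matching allow rule wins.  No match means deny: there is no
    implicit permit anywhere, and rules are one-directional, so a permitted
    web -> app flow says nothing about app -> web."""
    for rule in rules:
        if matches(rule, flow):
            return "allow", rule
    return "deny", None


def audit(rules: List[Rule], flows: List[Flow]) -> List[Tuple[Flow, str]]:
    """Evaluate a batch of observed flows against the policy."""
    return [(flow, decide(rules, flow)[0]) for flow in flows]


# Constructed policy for a three-tier app: the only permitted paths are
# outside -> web on 443, web -> app on 8080, app -> db on 5432.
POLICY: List[Rule] = [
    Rule(src="0.0.0.0/0", dst="web", proto="tcp", ports=(443, 443)),
    Rule(src="web", dst="app", proto="tcp", ports=(8080, 8080)),
    Rule(src="app", dst="db", proto="tcp", ports=(5432, 5432)),
]

# Constructed sample flows, including several an attacker on "web" might try.
SAMPLE_FLOWS: List[Flow] = [
    Flow("203.0.113.5", "web", "tcp", 443),    # client to web: allow
    Flow("web", "app", "tcp", 8080),           # web to app: allow
    Flow("web", "db", "tcp", 5432),            # web skipping the app tier: deny
    Flow("db", "app", "tcp", 8080),            # reverse direction: deny
    Flow("203.0.113.5", "web", "tcp", 22),     # SSH from outside: deny
    Flow("app", "db", "udp", 5432),            # wrong protocol: deny
    Flow("web", "198.51.100.10", "tcp", 443),  # web calling out: deny (no egress rule)
]

if __name__ == "__main__":
    for flow, verdict in audit(POLICY, SAMPLE_FLOWS):
        print(f"{verdict:5} {flow.src} -> {flow.dst} {flow.proto}/{flow.dport}")
```

Two things in the sample output are the whole argument for the model: the web tier cannot reach the database even though both are legitimate VMs on the same platform, and the web tier cannot phone home at all because no egress rule exists. Both would have been silently allowed by a platform whose default is permit.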
Despite the current excitement in the security market, calling Skyport a security product alone is a misleading position that sells it short. Skyport Systems is so much more.
For more information on Skyport Systems, view the following presentations.