Imagine a world where you don’t need to worry about the security of your data. Concerns such as malicious attackers, trojan horses, and insider threats are non-existent. Doesn’t that sound nice? Of course it does, but let’s face it, that isn’t the real world. Quite the opposite in fact. Most organizations are constantly under attack, and not necessarily just from the outside. The good news is that Skyport Systems is aiming to be your best friend in defense.
As part of Tech Field Day 15, we stopped by the Skyport offices and had a great conversation with the folks there. If you need some background on their offering, you can check out TFD Primer: Skyport Systems. Since we attended their briefing, however, I have a much better understanding of their vision.
A CLOUD-FIRST, BUT NOT CLOUD-ONLY FUTURE
Skyport is quick to recognize that the vast majority of the enterprise environments are a mix of on-premises workload in addition to cloud-based. With more and more workloads moving to the cloud, the footprint for on-premises is shrinking in a lot of cases. Skyport sees this as an opportunity. In their view, most organizations will never be %100 cloud-based. There will always be the need to have some workloads remain in the datacenter. Services like Domain Controllers are a great example. Especially in larger environments where you want to keep the authentication mechanism close to users. This holds true not only for primary work sites but for small and/or remote branch offices as well.
So where does Skyport fit in? They see themselves as the solution that will host those remaining workloads. Their offering consists of a fairly standard looking rack-mount appliance. It is a run of the mill x86 system running a customized version of the KVM hypervisor. The system also ships with a TPM chip which they make use of. Once you plug an appliance in, it reaches out to Skyport’s cloud service to register itself. Once registered, you can start managing the system. This is where you can see some benefits for remote branch offices as well. Being able to just send an appliance out to a branch office and have it plugged in is quite appealing.
SECURITY STARTS AT STEP ONE
So, what does the process look like once you are ready to get workloads moved onto the SkySecure platform? It is worth noting that the security starts before a new virtual machine is even provisioned. Once you decide to provision a workload, a secure space is carved out. Features such as auditing start to occur, as well tasks like firewalling. One point that was brought up which I found interesting was the comparison between hardening on-prem environments and cloud-based environments. A lot of cloud environments are fairly locked down to begin with. For example, in AWS a lot of features are disabled by default. To contrast that, the ESXi hardening guide requires about %70 of the tasks to be performed after deployment. Note that we aren’t talking about applications here, but rather the core infrastructure that those applications run on.
The real meat of the product is clear once you take a look at running workloads. You can quickly see the value-add that this system brings. A great example that was demonstrated was setting up firewall rules for Active Directory. In most cases, it isn’t just one or two ports required. Using SkySecure you can apply a template to the workload which will take care of those firewall rules for you. In a lot of cases, you may need to create new templates if the proper one does not exist. However, as with most things in IT, if you take the time to create a template once, your future self will thank you.
Skyport as an ambitious vision, and that is to secure any on-premises workloads you may have. Not only secure them, but also provide historical data to verify that they have been secure. If an anomaly shows up, you can track its history to see when the variances started. Is this useful? Extremely. However, due to the fact that you need to replace existing hardware, I can’t imagine seeing many CxOs lining up to rip and replace. But, there are a lot of cases where this solution might be a great fit.
Say for instance you have branch deployments with relatively simple requirements. Maybe something like a Domain Controller and file server. This may be a great fit. In these cases, you don’t have dedicated on-site staff to manage these deployments. The cloud management portion is immediately useful at that point. What if one of those workloads does somehow get compromised? Using the collected analytics you can likely track down when the breach occurred. Further to that, you can go through historic data to see what the compromised workload did during that time.
To wrap things up, I can see some great fits for this technology. But instead of thinking at the infrastructure level, it might easier to adapt if you think about the applications you need to protect instead.
Disclaimer: I was invited to participate in Tech Field Day as a delegate. All of my expenses, including food, transportation, and lodging were covered by Gestalt IT. I did not receive any compensation to write this post, nor was I requested to write this post. Anything written above was on my own accord.