Server Protection Built into the Core

Yesterday, I had the privilege to catch up with Michael Beesley, Founder and CTO of Skyport Systems, a Mountain View-based company formed in 2013. I’d known for some time that the company was focused on building security into the core for enterprise and cloud-resident servers. But after talking with Michael, I became convinced that this is an idea whose time had come, and that enterprise security teams should take note for their own infrastructure.

The Skyport concept in a nutshell involves hyper-convergence of the best available cyber security protections for processing, storage, and network I/O into a commercial server appliance that offers superior support for on-premise and cloud computing. “We think of our solution as a DMZ-in-a-box,” Michael explained, “with built-in security protections for our customers.” As I listened, it became clear that this capability would be good for Internet-facing services or for critical support services like Active Directory.

The idea of built-in security for servers is not a totally new concept, of course. Trusted Platform Modules (TPMs), for example, have been included in server architectures for years to improve their underlying security – and Skyport does include TPMs on their Intel motherboards. What is perhaps novel here, however, is the degree to which modern protections pervade the solution. Several design considerations in their solution look like a page from the best innovations in our industry.

Consider that Skyport includes native support for micro-segmentation, which is a powerful means for encapsulating each workload in its own tightly scoped, perimeter-like boundary. The great advantage of micro-segments is that the local obligations are much more tractable than one would find in a DMZ perimeter: a segment that contains one workload only needs to permit the handful of flows that workload actually requires. Firewall rules are simpler, IPS rules are more focused, and so on.

The solution also integrates a variety of modern cyber security methods including support for analytics, firewall protection, and layer 7 proxies. At the lower compute level, in conjunction with trusted execution, the Skyport product includes remote attestation of measured boot. Trusted execution support seems increasingly to me like a reasonable functional requirement to consider imposing on third-party cloud providers, especially if critical infrastructure is being hosted.
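To make the attestation point concrete, here is an added example (not Skyport's code, and not from the original post) that models measured boot and remote attestation in Python. It assumes a SHA-256 PCR bank, a hypothetical three-stage boot (firmware, bootloader, secure-boot policy), and uses an HMAC under a shared `AK_SECRET` as a stand-in for the TPM's asymmetric attestation-key signature so that it runs offline; the boot components and golden values are constructed for the demo.

```python
import hashlib
import hmac

PCR_SIZE = 32  # one SHA-256 PCR (assumption: SHA-256 bank)

# Constructed boot measurements: (PCR index, bytes of the component as loaded).
GOOD_BOOT = [(0, b"firmware v1.2"), (4, b"bootloader v3"), (7, b"secure boot policy")]
TAMPERED_BOOT = [(0, b"firmware v1.2"), (4, b"bootloader v3 + implant"), (7, b"secure boot policy")]
AK_SECRET = b"demo-attestation-key"  # stand-in for the TPM attestation key (assumption)


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM PCR extend: PCR_new = SHA-256(PCR_old || SHA-256(measured data)).
    The chaining makes the final value depend on every component and its order."""
    digest = hashlib.sha256(measurement).digest()
    return hashlib.sha256(pcr + digest).digest()


def measured_boot(components):
    """Simulate firmware measuring each boot stage into its PCR before running it.
    PCRs start at all zeros at power-on. Returns {pcr_index: final_value}."""
    pcrs = {}
    for idx, blob in components:
        pcrs[idx] = extend(pcrs.get(idx, bytes(PCR_SIZE)), blob)
    return pcrs


# Golden values recorded from a known-good boot of the reference image.
GOLDEN = measured_boot(GOOD_BOOT)


def make_quote(pcrs, nonce: bytes, ak_secret: bytes):
    """Attestation quote: (nonce || index || PCR value ...) plus a signature over it.
    The verifier-supplied nonce binds the quote to this request (anti-replay)."""
    body = nonce + b"".join(idx.to_bytes(1, "big") + pcrs[idx] for idx in sorted(pcrs))
    return body, hmac.new(ak_secret, body, hashlib.sha256).digest()


def verify_quote(body: bytes, sig: bytes, nonce: bytes, golden, ak_secret: bytes):
    """Remote verifier: check signature, then freshness, then PCRs against golden values.
    Returns (ok, reason) so a caller can log why a host was rejected."""
    expected_sig = hmac.new(ak_secret, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected_sig):
        return False, "bad signature"
    if body[: len(nonce)] != nonce:
        return False, "stale quote (nonce mismatch)"
    reported, rest = {}, body[len(nonce):]
    while rest:
        reported[rest[0]] = rest[1 : 1 + PCR_SIZE]
        rest = rest[1 + PCR_SIZE :]
    for idx, value in golden.items():
        if reported.get(idx) != value:
            return False, f"PCR{idx} mismatch"
    return True, "ok"


if __name__ == "__main__":
    nonce = b"fresh-nonce-0001"
    body, sig = make_quote(measured_boot(GOOD_BOOT), nonce, AK_SECRET)
    print("good boot:", verify_quote(body, sig, nonce, GOLDEN, AK_SECRET))
    body, sig = make_quote(measured_boot(TAMPERED_BOOT), nonce, AK_SECRET)
    print("tampered bootloader:", verify_quote(body, sig, nonce, GOLDEN, AK_SECRET))
    # Replaying yesterday's quote fails even though its signature is valid.
    old_body, old_sig = make_quote(measured_boot(GOOD_BOOT), b"old-nonce-000000", AK_SECRET)
    print("replayed quote:", verify_quote(old_body, old_sig, nonce, GOLDEN, AK_SECRET))
```

The point a hosting requirement should capture is the verifier side: the provider's platform can produce quotes, but the tenant (or its monitoring) must hold the golden values, supply the nonce, and reject mismatches, otherwise the measurements are recorded and never acted on.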

A creative additional protection Michael described to me involves an input/output (I/O) controller mechanism in the Skyport server. “All I/O in our solution is restricted,” he explained, “so that no network connections are possible unless they are carefully monitored for policy enforcement.” He offered some additional description of how both security and performance are improved using this more restricted, compartmented approach.

The idea of security-in-a-box seems like its time has come – and the Skyport solution is one you might have a look at immediately. Even if you are not in the business of building infrastructure, the insights from understanding how this product was designed will help you write requirements for your hosting providers and perform more effective response when security problems do occur at the infrastructure level.

Let me know what you think.