A presentation at NetField Day 11 that covered how Skyport Systems builds Secure Enclaves that are designed to host and secure critical workloads. This includes building micro-segmentation capabilities, trusted computing, secure boot, and preventing malware and rootkits from affecting IT systems.
2. Company Confidential
The Fallacy of Security Technology
“If you think technology can fix security, you don’t understand technology and you don’t understand security.” ~ Briankrebs.com
3. A Platform Approach: Not a Product Approach
• Software-Defined Perimeters that Operate at the Application Layer
• Protect Against Low-Level Rootkits/Malware, BIOS, SSD Firmware, Physical Ports, IPMI
• Forensics that cannot be modified by employees or third parties
4. A High-Performance, Secure Enterprise Platform
Platform diagram labels: Runs your application VMs; Trusted Hardware Platform; Hardened HW/SW stack; Security I/O Co-processor
• Designed for hostile environments
- Branch, remote location, Datacenter
• Security is built-in and invisible
- Protects platform, workloads, compliance
• No special skills required
- Plug and play, no integration or modifications
• No performance compromise
- Enforcement offloaded to co-processor
5. SkySecure Enclave
• Secure Architecture that substantiates architectural integrity from the ground up
• Hardware-enforced security policy and forensic logging at application edge
• Abstracts security execution from application
Enclave diagram labels: x86 System; Security Co-processor; the x86 subsystem communicates only through the I/O controller
6. Software-Defined Perimeter: DMZ per VM
• ShieldNET: Domain Name and Zone Based Access
• ShieldID: Identity Management Proxy
• ShieldFS: File Systems and Content Filtering
• ShieldADMIN: Administrative Privileged Access
• ShieldWEB: Web Applications and Crypto/Credential Proxy
7. Private DMZ per VM
Diagram labels: DMZ Network Zone; Security I/O Co-processor; DMZ VM (x3)
Traditional Zone-Based Network Security
• Protections limited to network perimeter
• No protection between systems in DMZ
• Complex integration and management
SkySecure Per-VM DMZ
• Zero-trust architecture based on hardware
• Applications are always protected
• Defends workloads against compromise
8. SkySecure Center
Architecture diagram labels:
• WebUI Service
• Security Data Warehouse; Real-time Data Service
• Secure Audit / Log; VM Mgmt; Traffic Intelligence
• Security Reporting; Real-time Analytics
• Device Mgmt; Policy Mgmt; Key Mgmt; Remote Attestation
• Authentication / Secure Enclave; HSM Credential Mgmt
10. Initial Deployment Use Cases
Exposed DMZ Applications
• Secure File Transfer
• Web / E-Commerce Applications
• Cloud/API gateways
• Web authentication servers
Critical IT Systems
• Active Directory
• DNS / DHCP
• Software distribution
• DevOps / SDN Controllers
Branch / Untrusted
• Branch consolidation
• Trusted application deployment in hostile locations
Out-of-Compliance Applications
• End-of-Support Applications and Operating Systems
• Windows XP / 2003 / 2008, RHEL4/5, etc.
• Web servers with unpatched SSL vulnerabilities