A presentation at NetField Day 11 that covered how Skyport Systems builds Secure Enclaves that are designed to host and secure critical workloads. This includes building micro-segmentation capabilities, trusted computing, secure boot, and preventing malware and rootkits from affecting IT systems.

1. Company Confidential1
Skyport Systems
Net Field Day 11
January 2016

2. Company Confidential2
The Fallacy of Security Technology
“If you think technology can fix security, you don’t understand
technology and you don’t understand security.” ~ Briankrebs.com

3. Company Confidential3
A Platform Approach: Not a Product Approach
Software-Defined
Perimeters that
Operate at the
Application Layer
Protect Against Low-Level
Rootkits/Malware, BIOS,
SSD Firmware, Physical
Ports, IPMI
Forensics that cannot
be modified or by
employees or third
parties

4. Company Confidential5
A High-Performance, Secure Enterprise Platform
Runs your application VMs
Trusted Hardware Platform
Hardened HW/SW stack
Security I/O Co-processor
 Designed for hostile environments
- Branch, remote location, Datacenter
 Security is built-in and invisible
- Protects platform, workloads, compliance
 No special skills required
- Plug and play, no integration or modifications
 No performance compromise
- Enforcement offloaded to co-processor

5. Company Confidential7
• Secure Architecture that
substantiates architectural
integrity from the ground
up
• Hardware-enforced
security policy and
forensic logging at
application edge
• Abstracts security
execution from application
SkySecure Enclave
x86 subsystem communicates only through I/O controller
SECURITY CO-PROCESSOR
x86 SYSTEM

6. Company Confidential8
Software-Defined Perimeter: DMZ per VM
ShieldNET
ShieldID
ShieldFS
ShieldADMIN
ShieldWEB
File Systems and Content Filtering
Administrative Privileged Access
Identity Management Proxy
Web Applications and Crypto/Credential Proxy
Domain Name and Zone Based Access

7. Company Confidential9
Private DMZ per VM
Traditional Zone-Based
Network Security
SkySecure Per-VM DMZ
DMZ Network Zone
Security I/O
Co-processor
DMZVM
DMZVM
DMZVM
• Protections limited to
network perimeter
• No protection between
systems in DMZ
• Complex integration and
management
• Zero-trust architecture
based on hardware
• Applications are always
protected
• Defends workloads
against compromise

8. Company Confidential10
SkySecure Center
Secure
Audit / Log
VM
Mgmt
Traffic
Intelligence
WebUI
Service
Security Data Warehouse Real-time Data Service
Security
Reporting
Real-time
Analytics
Device
Mgmt
Policy
Mgmt
Key
Mgmt
Remote
Attestation
Authentication / Secure Enclave
HSM Credential
Mgmt

9. Company Confidential11
SkySecure Center: Traffic Intelligence

10. Company Confidential12
Initial Deployment Use Cases
Exposed DMZ
Applications
Critical IT
Systems
Branch /
Untrusted
Out-of-Compliance
Applications
• Secure File Transfer
• Web / E-Commerce
Applications
• Cloud/API gateways
• Web authentication
servers
• Active Directory
• DNS / DHCP
• Software
distribution
• DevOps / SDN
Controllers
• Branch
consolidation
• Trusted
application
deployment in
hostile locations
• End-of-Support Applications
and Operating Systems
• Windows XP / 2003 / 2008,
RHEL4/5, etc
• Web servers with unpatched
SSL vulnerabilities

11. Company Confidential13
Win2012R2 - Unsecured
(truncated)
• No protection
• Accepting HTTPS
connections

12. Company Confidential14
Win2012R2 – Micro-segmented
(truncated)
• Firewall allowing
HTTPS inbound
• Accepting HTTPS
connections

13. Company Confidential15
Win2012R2 - SkySecure
• “IP Forwarding” is only non-info plugin returning a result.
• MS14-066 and MS15-034 critical MS vulnerabilities mitigated entirely
• ShieldWeb-In
Enabled
• Accepting HTTPS
connections

14. Company Confidential16
Contrast: Point Product Approach to
Security
Hardened
Hardware
Hardened
Firmware
Network
Hardened
VM Environment
(Compartment)
TPM Management
Secure IPMI/ILO
Tamper Detection
Signed BIOS
USB Disable/Monitor
PCAP Tooling, IPFIX/SFlow Monitor
Passive Taps, Network Packet
Broker
IDS/IPS
Hypervisor
Micro-segmentation
Web Application Firewall
Virtual Firewall
SW Signing
Key Management
Hardened
Ctrl/Mgmt Plane
Operations Management
Jump Servers/SAWs
Secure Logging/Analysis/SIEM
Secure Backup

15. Company Confidential17
Thank You