Thank you to everyone who joined SDxCentral and Skyport Systems for their special demo featuring SkySecure. The first of its kind, SkySecure is a cloud-managed secure server aimed at changing the way enterprises combat cyberthreats. In this demonstration, Skyport showed how SkySecure can stop infrastructure attacks, audit and halt data exfiltration, provide out-of-the-box compliance with continuous monitoring, and offer plug-and-play insertion without application, OS, or network changes, all from an on-premises hardened server platform. Following the live event, the Skyport presenters were kind enough to take some audience questions. Read the whole Q&A below.
Does your solution extend to containers such as Docker?
Skyport: Our solution can support virtual machines (VMs) which, in turn, can include containers. Under the covers, SkySecure has its own hypervisor layer based on Xen, but that is not directly exposed to any hosted VMs or to the operations staff.
Do the OS patches update crisply to prevent hackers from exploiting issues?
Skyport: Yes. The software layer of SkySecure combines firmware, hardware, virtualization, and the security controls into one system that we are responsible for managing “as a single unit.” Skyport provides updates to the server platform. An organization only needs to maintain the virtual machines themselves.
Can you elaborate on what security features you have built into the hardware?
Skyport: There are many elements of the hardware layer. A few of the key features are:
- Separate hardware subsystems (I/O controller and x86)
- TPMs for verification and keys
- SR-IOV to provide a hardware “firewall” and ensure all I/O goes through our security system
- A hardened chassis with extraneous ports eliminated.
How does Skyport hardware interact with a server running VMs?
Skyport: Skyport provides the server as part of the system we provide. When you use SkySecure, we will provide the server along with the software stack that runs on it which in turn protects and manages the VMs. We also provide the cloud management environment. Conceptually like Meraki, but for managing our servers that you deploy on premises.
What type of hypervisors work with SkySecure?
Skyport: Today the hypervisor is part of the software stack we have constructed. Today, we are using Xen, but plan to broaden to inter-operate with other hypervisor techs in the future.
Where is Skyport running the management system? Can it be run locally?
Skyport: The SkySecure Center runs in a privately hosted provider facility that provides appropriate availability and security controls — Layer 42 is one of the two we use. At present, there is no option to host the management system yourself, although for customers considering large scale use of our system, we can discuss options.
If I have applications with a lot of data on disk or storage, can I use the product?
Skyport: Yes. VMs on SkySecure can use Common Internet File System (CIFS) and Network File System (NFS) to access external file systems. The product has access controls, monitoring, and credential compartmentalization to enhance the overall security.
What types of VMs are supported?
What happens if the server loses connection to the management system?
Skyport: Transient connectivity problems do not affect the system. Remote management, such as changing policies, is not possible while the connection is down, and is automatically re-established when connectivity returns.
Are there applications that the system doesn’t support?
There seems to be a lot of data collection. What percentage of the VMs performance will be impacted due to the data collection and analysis?
Skyport: The majority of the data is communication metadata, and it is gathered in the I/O controller, which is custom designed and optimized for performance. It is sent to SkySecure for secure storage. When using SkySecure, a starting design assumption is to plan for a five percent performance impact.
How do you handle DNS-based attacks?
Skyport: SkySecure has its own DNS table to ensure it can enforce a whitelist policy based on fully qualified domain name (FQDN) lookups and maintains state of DNS communications and addresses. SkySecure also prevents hosted VMs from directly connecting to external DNS servers as they always use SkySecure’s service.
Can you explain how east/west and north/south traffic and policies are dealt with?
Skyport: Every VM hosted on SkySecure is wrapped into a proxy-based firewall that enforces communication policy to any other system, whether running in the same network zone or even on the same SkySecure server.
Please explain the relationship between the ‘cloud controller’ and the physical server. Where does the cloud controller live?
Skyport: The ‘cloud controller’ is called SkySecure Center, and it is the operational management layer for the servers that are deployed on premises. All provisioning, configuration, monitoring, and auditing are done through SkySecure Center. When it needs to make changes to a server, it does so. Servers are not managed locally. Currently, SkySecure Center is hosted in Skyport’s private cloud facilities hosted at Layer 42 and maintained by our operations staff.
During the first demo when talking about the netflow like stats, I did not understand what the multi-color vertical lines represented. Can you elaborate?
Skyport: The vertical columns represent different attributes to display in the traffic intelligence report, such as traffic direction, destination FQDN, port/protocol, whether the traffic was blocked, and which policy matched to decide the disposition of the traffic. You can dynamically select the attributes to display and their sort order.
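To make three of the answers above concrete (the DNS answer about enforcing an FQDN whitelist through a resolver that keeps state, the east/west answer about a per-VM proxy firewall that applies the same policy to peers on the same server, and the last answer about the attributes shown in the traffic intelligence report), here is an added toy model written for this page. It is not Skyport's code and does not describe how SkySecure is implemented; the VM names, addresses, rules, and the stand-in DNS answers are all constructed for the example. The point it shows is why a VM must be forced through the controlled resolver: an FQDN rule only matches an address that the resolver itself handed out for that name, so a direct connection to a known-good IP, or to a name that resolves but is not allowlisted, is denied by default.

```python
"""Toy model of FQDN-allowlist egress control and per-VM flow policy.

Added example for illustration; not Skyport's implementation. Names,
addresses and the DNS answers below are constructed.
"""
from dataclasses import dataclass, field
import ipaddress

# Constructed stand-in for the upstream resolvers the controlled DNS
# service would forward to. A VM never talks to these directly.
UPSTREAM_DNS = {
    "updates.example.com": ["203.0.113.10", "203.0.113.11"],
    "evil.example.net": ["198.51.100.7"],
}

# Assumed: RFC 1918 space counts as "inside" for east/west classification.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Rule:
    """One allow rule. dst is an FQDN, a VM name, or a CIDR."""
    name: str
    src_vm: str
    dst: str
    port: int
    proto: str = "tcp"


@dataclass
class Enforcer:
    vm_addrs: dict[str, str]                 # VM name -> its address
    rules: list[Rule]
    # Address -> FQDNs that resolved to it through *our* resolver.
    dns_state: dict[str, set[str]] = field(default_factory=dict)

    def resolve(self, fqdn: str) -> list[str]:
        """The only DNS path a VM gets: answer and record the binding
        so later flows to the returned address can be tied to the name."""
        answers = UPSTREAM_DNS.get(fqdn, [])
        for ip in answers:
            self.dns_state.setdefault(ip, set()).add(fqdn)
        return answers

    @staticmethod
    def direction(dst_ip: str) -> str:
        addr = ipaddress.ip_address(dst_ip)
        inside = any(addr in net for net in INTERNAL_NETS)
        return "east/west" if inside else "north/south"

    def _rule_matches(self, rule: Rule, dst_ip: str) -> bool:
        # 1. FQDN rule: only if this address was learned via our resolver.
        if rule.dst in self.dns_state.get(dst_ip, set()):
            return True
        # 2. VM-name rule: covers peers on the same server or same zone.
        if rule.dst in self.vm_addrs:
            return self.vm_addrs[rule.dst] == dst_ip
        # 3. CIDR rule; anything else (an unlearned FQDN) never matches.
        try:
            return ipaddress.ip_address(dst_ip) in ipaddress.ip_network(rule.dst, strict=False)
        except ValueError:
            return False

    def evaluate(self, src_vm: str, dst_ip: str, port: int, proto: str = "tcp") -> dict:
        """Return one traffic-intelligence record for the attempted flow."""
        matched = None
        for rule in self.rules:
            if (rule.src_vm, rule.port, rule.proto) != (src_vm, port, proto):
                continue
            if self._rule_matches(rule, dst_ip):
                matched = rule.name
                break
        return {
            "src_vm": src_vm,
            "direction": self.direction(dst_ip),
            "dst_fqdn": sorted(self.dns_state.get(dst_ip, ())) or None,
            "port_proto": f"{port}/{proto}",
            "blocked": matched is None,
            "policy": matched or "default-deny",
        }


def demo() -> list[dict]:
    """Constructed scenario: two VMs on one server, default deny."""
    enf = Enforcer(
        vm_addrs={"web": "10.0.1.5", "db": "10.0.1.6"},
        rules=[
            Rule("web-updates", "web", "updates.example.com", 443),
            Rule("web-to-db", "web", "db", 5432),
        ],
    )
    out = []
    # Flow to a correct address *before* any lookup: blocked, because the
    # policy is keyed on names the resolver handed out, not on raw IPs.
    out.append(enf.evaluate("web", "203.0.113.10", 443))
    enf.resolve("updates.example.com")
    out.append(enf.evaluate("web", "203.0.113.10", 443))   # now allowed
    enf.resolve("evil.example.net")                        # resolvable, not allowed
    out.append(enf.evaluate("web", "198.51.100.7", 443))   # blocked
    out.append(enf.evaluate("web", "10.0.1.6", 5432))      # east/west, allowed
    out.append(enf.evaluate("db", "10.0.1.5", 80))         # no rule, blocked
    return out


if __name__ == "__main__":
    for rec in demo():
        print(rec)
```

Each record carries the same attributes the report answer lists (direction, destination FQDN, port/protocol, blocked, matching policy). Two caveats a practitioner would add in a real deployment: the resolver state needs TTL handling so stale address-to-name bindings expire, and the east/west classification here is by address range only, whereas a production policy would also key on the zone or server the peer VM belongs to.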