A month after raising $30 million from a group of investors that includes Intel to change the way on-premise workloads are protected, Skyport Systems Inc. is making good on its promise with the launch of a new service that puts an original twist on the traditional firewall.

Included in the subscription are three separate components starring the homegrown appliance at the heart of Skyport’s package. The SkySecure Server packs two of Intel’s latest eight-core Xeon E5-2630v3 processors and 1.8 terabytes of speedy flash storage into a tamper-proof chassis that has no physical ports to prevent direct access.

But where it gets really interesting is one layer up the stack, in the internally-produced software powering the system. Continuously checked for malicious changes from the time of manufacture, the management platform uses the Trusted Execution Technology built into the processors to re-check every component before booting and then loads up a custom implementation of SELinux to isolate the applications running on top.

The security module, which comes integrated with the kernel, serves as the linchpin for an insulation mechanism that is the second major element of Skyport’s bundle. Each logical compartment on a SkySecure Server can be calibrated to run only a specific process and to keep its contents completely isolated from other processes sharing the chassis in a way that seals off most routes for the spread of malware, the startup says.

That’s the same concept behind VMware’s NSX network virtualization software, except that Skyport has gone a step further with the inclusion of native protocol-level protections into its platform. That means communications from a compartmentalized workload using an outdated version of SSL vulnerable to Heartbleed would be automatically adapted to use a patched version of the protocol before reaching the outside world, effectively nullifying the threat.

Another major advantage that Skyport boasts over alternatives such as NSX is the reduced operational risk stemming from fact that all of those capabilities come integrated out of the box down to the hardware level, which avoids the risk of customers introducing security gaps during the implementation process. The startup’s air-tight bundle includes not only the tamper-proof equipment and computerization system but monitoring functionality as well in the form of SkySecure Center, the third major component of the architecture.

That software tracks requests to and from workloads on each SkySecure Server in real-time using a combination of open-source technologies and keeps a centralized record of the activity that is resistant to tampering just like the underlying hardware. That functionality is factored into the startup’s subscription model along with the computerization system and all of the servers deployed by the customer, a scheme that is much more accommodating than charging an upfront fee as vendors have traditionally done.

All this makes the platform too expensive to be a general-purpose server for most organizations, but that startup isn’t aiming for that. Rather, Skyport is targeting sensitive processes such as user directories, publicly-exposed services and key operational systems that can justify the premium.
Photo by Scott Hingst via Flickr