Skyport Systems came out of stealth last week after almost two years – it is a big moment for every company. It’s also the time when you need to strike the balance between getting the industry excited about the vision and potential of your product while setting realistic expectations with your first customers and partners. Nowhere is this harder to do than in the security space – probably one of the noisiest IT sectors from a marketing point of view.
While every security professional knows that the only sane approach is a defense-in-depth strategy, the industry has a long track record of promising magic fixes. The enterprise reality is very different – as a CTO of one of the world’s largest banks asked me recently: “I already have 75 security vendors today – all with a different focus and different approaches to configuration and collecting/analyzing data. Are you just going to be #76?” In other words, if you pursue a defense-in-depth strategy, how many layers do you need?
At Skyport we don’t think of ourselves as building a security tool, we think of ourselves as building secure infrastructure. The future of enterprise architecture means the industry needs to adopt a zero trust security posture – Skyport builds secure computing solutions for this world. By building fully integrated solutions we can eliminate much of the complexity and vulnerability of the system – but there are no ‘silver bullets’.
Of course we feel flattered when somebody says, “This time, though, [the bad guys] bag of tricks might finally be empty.” … but clearly this is not the reality.
Another CTO of a Fortune 100 company sent me this SMS this week: “So how secure is secure? Is the belief that data in a SkySecure compartment is immune to compromise?”
Of course the answer is no – no security solution is perfect and defense-in-depth is still the right strategy. However, we firmly believe that we can provide a secure computing platform that greatly reduces the attack surface, makes it easy to implement best practices and get real operational insight. When thinking about your critical business applications and IT control systems, I don’t know what the right number of security vendors is, but I do know it’s a lot less than seventy-five!
We find the analogy of a vault useful when thinking about our secure infrastructure solution. A vault is not just a room with really thick walls and a heavy door – it’s a system that already integrates many layers of security and operational processes.
- A vault is not for all of your belongings – only the most valuable and most sensitive.
- Vaults are part of the foundation – they cannot be removed.
- Vaults are extremely hard to break – but the owner doesn’t assume that it is impossible to break. As a result, additional protections are in place and act together as a system.
- Inside the vault there are compartments – many times each one of them requires 2 keys (two-man rule) to open.
- Even if you break into the vault, it’s extremely hard to get the content out.
- Surveillance is a critical piece of a vault – you might not prevent the bad guys from breaking in, or even accessing some of the content, but you want them to know that you will find out who they are and record their actions.
Even with these protections, there is still defense-in-depth. The building is locked, security guards patrol the perimeter, the surveillance team is constantly monitoring the entire infrastructure – but having the vault as an engineered system at its core makes all of this a lot easier and a lot more secure compared to assembling the pieces yourself. Now if only one could order a full service vault as a service the way we sell our SkySecure servers….