SkySecure System Overview


SKYSECURE SYSTEM COMPONENTS

SKYSECURE SERVER
Trusted compute platform based on locked-down firmware, signed immutable images, Intel Trusted Execution Technology and the SkySecure I/O Controller. Controller hardware enforces segmentation for every VM, enables wire-speed network-flow policy and packet mirroring, and helps make evidentiary audit trails tamper-resistant.

SKYSECURE COMPARTMENT
A hardware-facilitated security layer wrapped around each individual VM. It controls workload identity, protocol, I/O, file system and identity management access via a per-workload security policy.

SKYSECURE CENTER
Skyport Systems hosted cloud management and remote attestation service that verifies the integrity of the system and ensures configuration and patch best practices are followed. It deploys and orchestrates VMs, manages and monitors security policies, alerts on policy violations, and features built-in analytics to assist with audit and compliance requirements. Securely stores policy, audit logs, and credentials.

Introduction

Skyport's SkySecure system is an on-premises hardened server platform with integrated security capabilities that is fully cloud managed. It is designed to simplify the complexity of securing critical and exposed workloads. The SkySecure solution is an implementation of hypersecured infrastructure, with a zero-trust architecture integrating compute, security, virtualization and policy in a preconfigured, turn-key managed infrastructure platform.

SkySecure:

* Delivers Skyport hosted cloud management of on-premises secure servers
* Features a zero-trust architecture that actively monitors its servers to ensure there are no viruses, rootkits, or malware
* Wraps hosted VMs and applications with dedicated hardware-based firewalls
* Records transaction and operational activity in a tamper-resistant secure data warehouse
* Provides turn-key operations for orchestration and securing VMs, activity monitoring and analytics, and on-going maintenance
* Validates system integrity with a hardware-based root of trust and validated supply chain from the point of manufacture with a secure and remote attestation service
* Requires no specialized skills to install, no network changes, and no software agents requiring VM requalification

Why SkySecure

Assembling, integrating, operating, and maintaining the collection of security tools needed to protect critical server infrastructure is simply too difficult, and attackers frequently evade network and software security protections. Current software and network security aftermarket tools are not integrated, require specialized skills to use, are costly and error-prone to maintain, and force IT to pursue a patch update treadmill to test and fix new vulnerabilities. SkySecure is designed to reduce the cost, time, and skill-set required to protect critical servers on an ongoing basis.

Benefits of SkySecure

SkySecure is a server and operational environment with security built in from the ground up and delivered in a Skyport hosted cloud managed solution that is easy to deploy and maintain, even in remote and hostile locations. It is an on-premises trusted compute server platform that continuously protects and manages each virtual machine it runs. SkySecure:

* Protects VMs from malware insertion, botnet, insider threats, credential theft, and hyperjacking
* Prevents lateral attacks with hardware-enforced per-VM firewalling, isolation and whitelist policy
* Audits and stops data exfiltration of sensitive information within protected VMs
* Thwarts infrastructure attacks with a tamper-resistant server, reduced attack surface area, and known-good verification
* Delivers out-of-box compliance through continuous monitoring and audit with a secure data warehouse
* Offers plug & play insertion with incremental deployment that requires no changes to the application, OS, or network
* Provides turn-key operations by streamlining the separation of duties between security, network, and application teams with cloud managed workflows

SkySecure System Components

SkySecure is an engineered system that delivers a turnkey operational experience and is comprised of:

* SkySecure Server: an on-premise trusted compute platform which hosts and protects VMs
* SkySecure Compartment: a per-VM Firewall/DMZ perimeter with application layer protections that runs on the SkySecure Server
* SkySecure Center: a Skyport hosted central management, monitoring, and analytic system

SkySecure Server, a Trusted Compute Platform

The SkySecure Server is a physically hardened, tamper-resistant x86 server platform that deploys quickly with minimal manual configuration. Just unpack, rack, and plug in the cables, and the system does the rest. It does not require on-premises expertise to maintain since the server is fully instrumented for lights-out management.

Unlike a traditional general-purpose server platform, the SkySecure Server includes only power and network connectivity, and does not expose standard disk or USB ports on the x86 server subsystems. This reduces the attack surface area that is exposed by physical access or compromise of the system or environment in which it operates. The software stack further reduces the threat surface area by hardening the firmware, OS (whitelisted SELinux), hypervisor, and management plane.

The server has two major subsystems: the x86 compute subsystem and the SkySecure I/O Controller. Both have embedded Trusted Platform Modules (TPM) and the former leverages Intel Trusted Execution Technology (TXT). Communication policy is enforced by the I/O controller, deliberately out of control of the x86 subsystem that houses the VM, and all external and inter-VM traffic has to pass through it due to SR-IOV with no local or virtual switching.
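The TPM-backed measured launch and remote attestation that the server relies on can be followed in code. The example below is added here and is not Skyport's code: it applies the TPM extend rule to constructed boot-stage images, keeps the event log a verifier needs to replay the register, and lets a verifier standing in for SkySecure Center check a nonce-bound quote against golden values recorded at manufacture time. The image contents, the attestation key and the class and function names are all assumptions of this example; HMAC stands in for the asymmetric quote signature a real TPM produces.

```python
"""Measured launch and remote attestation, modelled on the platform description above.

Added illustration, not Skyport's code. PCR' = SHA-256(PCR || SHA-256(image)) is the
TPM extend rule; the verifier compares the quoted register and event log against
golden values taken at manufacture and names the first deviating stage.
"""
import hashlib
import hmac
import os
from typing import List, Tuple

# Constructed stand-ins for the firmware, BIOS, hypervisor and OS binaries.
MANUFACTURED_IMAGES: List[Tuple[str, bytes]] = [
    ("io-controller-firmware", b"constructed firmware image v1.0"),
    ("bios", b"constructed x86 BIOS image v1.0"),
    ("hypervisor", b"constructed hardened hypervisor image v1.0"),
    ("os", b"constructed SELinux whitelisted OS image v1.0"),
]
# Constructed attestation key. A real TPM holds an asymmetric key that never leaves the chip.
TPM_ATTESTATION_KEY = b"constructed-tpm-attestation-key"
PCR_INITIAL = b"\x00" * 32


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM extend: the register can only be folded forward, never reset or rewound."""
    return hashlib.sha256(pcr + measurement).digest()


def measured_launch(images: List[Tuple[str, bytes]]) -> Tuple[bytes, List[Tuple[str, str]]]:
    """Hash each stage before it runs and extend the PCR; return final PCR and event log."""
    pcr = PCR_INITIAL
    event_log: List[Tuple[str, str]] = []
    for name, image in images:
        digest = hashlib.sha256(image).digest()
        pcr = extend(pcr, digest)
        event_log.append((name, digest.hex()))
    return pcr, event_log


def replay_event_log(event_log: List[Tuple[str, str]]) -> bytes:
    """Recompute the PCR a given event log should produce."""
    pcr = PCR_INITIAL
    for _, digest_hex in event_log:
        pcr = extend(pcr, bytes.fromhex(digest_hex))
    return pcr


def tpm_quote(pcr: bytes, nonce: bytes) -> bytes:
    """Quote the PCR bound to the verifier's nonce so an old quote cannot be replayed."""
    return hmac.new(TPM_ATTESTATION_KEY, pcr + nonce, hashlib.sha256).digest()


class AttestationVerifier:
    """Remote verifier holding the golden PCR and event log recorded at manufacture."""

    def __init__(self, golden_pcr: bytes, golden_log: List[Tuple[str, str]]):
        self.golden_pcr = golden_pcr
        self.golden_log = golden_log

    def challenge(self) -> bytes:
        return os.urandom(16)

    def verify(self, nonce: bytes, pcr: bytes, quote: bytes,
               event_log: List[Tuple[str, str]]) -> Tuple[bool, str]:
        expected = hmac.new(TPM_ATTESTATION_KEY, pcr + nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, quote):
            return False, "quote does not verify (wrong key or stale nonce)"
        if replay_event_log(event_log) != pcr:
            return False, "event log does not reproduce the quoted PCR"
        if hmac.compare_digest(pcr, self.golden_pcr):
            return True, "platform integrity verified"
        # PCR differs: name the first stage whose measurement deviates from golden.
        for (name, digest), (_, golden_digest) in zip(event_log, self.golden_log):
            if digest != golden_digest:
                return False, f"PCR mismatch: stage '{name}' differs from golden"
        return False, "PCR mismatch: boot sequence differs from golden"


def demo() -> Tuple[bool, bool]:
    """Golden attestation passes; a modified BIOS image fails. Returns both verdicts."""
    golden_pcr, golden_log = measured_launch(MANUFACTURED_IMAGES)
    verifier = AttestationVerifier(golden_pcr, golden_log)
    nonce = verifier.challenge()
    pcr, log = measured_launch(MANUFACTURED_IMAGES)
    ok_good, _ = verifier.verify(nonce, pcr, tpm_quote(pcr, nonce), log)
    tampered = [(n, img + b"\x00" if n == "bios" else img) for n, img in MANUFACTURED_IMAGES]
    pcr_bad, log_bad = measured_launch(tampered)
    ok_bad, _ = verifier.verify(nonce, pcr_bad, tpm_quote(pcr_bad, nonce), log_bad)
    return ok_good, ok_bad


if __name__ == "__main__":
    print(demo())
```

The nonce is what makes the check a live attestation rather than a replay of a stored quote, and the event log is what lets the verifier say which stage changed instead of only that the final register differs.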

Hardware, firmware, BIOS, and software images for the x86 and I/O subsystems are measured at the point of manufacture, and a measured launch environment guards the integrity of the lowest-level components in the boot environment. They perform boot-time and run-time system attestation and validation to SkySecure Center to ensure system integrity has not been compromised.

[Figure: x86 subsystem communicates only through I/O controller]

SkySecure Compartment, a per-VM Firewall

The SkySecure Compartment is a synthetic network environment designed to protect hosted VMs from external attack and contain threats from compromised VMs. Every VM is placed in a unique compartment, which isolates the VM and prevents direct layer 2 connectivity with external networks or other VMs on the same server. Unlike virtual firewalls, the segregation is opaque to the network and application teams and requires no network re-architecture. Unlike application firewalls, it requires no software agents in the VM and cannot be bypassed if the VM is compromised. Also, unlike micro-segmentation, it is a full network security and analytics stack directly attached to each VM.

The compartment monitors all the I/O to and from the VM. There is an observation mode so administrators can learn and easily visualize all of the traffic for each VM. The monitoring is covert and cannot be detected by the virtual machine within the compartment. It is also always-on and cannot be turned off due to administrative misconfiguration. Metadata from all administrative and operational activity is captured and securely sent to SkySecure Center for off-box secure data warehousing and analysis. During incident, breach, forensic, and troubleshooting situations packet mirroring can be turned on. Packet-level traces can be sent for collection and analysis to storage systems while adhering to data sovereignty policies.

Each compartment includes an application-layer firewall with a policy that is specific to the VM and that strictly controls communications based on DNS and IP whitelists. These are easy to maintain and audit. VMs are protected from any point of attack, including lateral attacks from neighboring systems in the same network security zone and even VMs hosted on the same SkySecure Server. There are several application proxies that can be used:

* ShieldWeb: credential separation for web connections and ensuring SSL/TLS 1.2 communications security
* ShieldFS: file system separation, content control, audit
* ShieldADMIN: credential masking for SSH and blocking unwanted tunneling
* ShieldID: Active Directory / LDAP audit and protocol upgrade

Compartments protect against situations where VMs are compromised by preventing data exfiltration and follow-on exploitation. They block the VM from snooping on and attacking neighboring systems, even when sophisticated methods such as ARP and DNS poisoning are used. They can prevent command & control through multi-layer protocol inspection and by preventing covert tunneling through legitimate protocols such as ICMP and DNS. Exfiltrating sensitive data or credentials is difficult due to the same safeguards, and in all cases the always-on I/O surveillance guarantees tamper-resistant audit trails are available.
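What a per-VM, default-deny policy built on DNS and IP whitelists decides for each flow, and how a DNS whitelist also defeats a poisoned answer or a tunneling query, is shown in the added example below. It is not Skyport's code and does not describe how a compartment is implemented: the policy and flow structures, the entropy threshold, the VM names, addresses and hostnames are all constructed for this illustration.

```python
"""Per-VM compartment policy evaluation with DNS and IP whitelists.

Added illustration, not Skyport's code. Each VM has its own default-deny policy:
named destinations are allowed only at the address the whitelisted name resolved to
(so a poisoned DNS answer cannot redirect the flow), network ranges carry their own
service lists, and DNS queries with long or high-entropy labels are flagged as likely
tunneling. Policies, flows and resolutions below are constructed sample data.
"""
import ipaddress
import math
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class CompartmentPolicy:
    vm: str
    # hostname -> permitted services as "proto/port", e.g. "tcp/443"
    allowed_hosts: Dict[str, Tuple[str, ...]] = field(default_factory=dict)
    # CIDR -> permitted services
    allowed_networks: Dict[str, Tuple[str, ...]] = field(default_factory=dict)
    dns_max_label_len: int = 40          # longest label a legitimate name is expected to carry
    dns_max_label_entropy: float = 4.0   # bits per character; encoded payloads score higher


@dataclass
class Flow:
    vm: str
    dst_ip: str
    proto: str
    port: int
    dst_host: Optional[str] = None    # name the VM connected to, if known from its lookup
    dns_qname: Optional[str] = None   # set when the flow is a DNS query


def shannon_entropy(s: str) -> float:
    if not s:
        return 0.0
    return -sum(c / len(s) * math.log2(c / len(s))
                for c in (s.count(ch) for ch in set(s)))


def is_whitelisted_name(qname: str, policy: CompartmentPolicy) -> bool:
    q = qname.rstrip(".").lower()
    return any(q == h or q.endswith("." + h) for h in policy.allowed_hosts)


def evaluate(policy: CompartmentPolicy, flow: Flow,
             resolved: Dict[str, str]) -> Tuple[str, str]:
    """Return (verdict, reason) for one flow leaving the VM's compartment."""
    service = f"{flow.proto}/{flow.port}"
    if flow.dns_qname is not None:
        label = flow.dns_qname.split(".")[0]
        if (len(label) > policy.dns_max_label_len
                or shannon_entropy(label) > policy.dns_max_label_entropy):
            return "DENY", "dns query looks like tunneling (long or high-entropy label)"
        if not is_whitelisted_name(flow.dns_qname, policy):
            return "DENY", "dns query for a name outside the whitelist"
        # the query itself must still go to a permitted resolver: fall through
    if flow.dst_host is not None and flow.dst_host in policy.allowed_hosts:
        if resolved.get(flow.dst_host) != flow.dst_ip:
            return "DENY", "destination ip does not match the whitelisted name's resolution"
        if service in policy.allowed_hosts[flow.dst_host]:
            return "ALLOW", f"{flow.dst_host} permits {service}"
        return "DENY", f"{service} not permitted for {flow.dst_host}"
    dst = ipaddress.ip_address(flow.dst_ip)
    for cidr, services in policy.allowed_networks.items():
        if dst in ipaddress.ip_network(cidr):
            if service in services:
                return "ALLOW", f"{cidr} permits {service}"
            return "DENY", f"{service} not permitted for {cidr}"
    return "DENY", "default deny: no whitelist entry"


def audit(policy: CompartmentPolicy, flows: List[Flow],
          resolved: Dict[str, str]) -> List[Tuple[str, str, str, str]]:
    """Every flow, allowed or denied, becomes an audit record for the data warehouse."""
    return [(f.vm, f"{f.dst_ip}:{f.port}", *evaluate(policy, f, resolved)) for f in flows]


# Constructed sample: a web VM that may only talk to one payment API and its resolver.
WEB_POLICY = CompartmentPolicy(
    vm="web01",
    allowed_hosts={"api.payments.example": ("tcp/443",)},
    allowed_networks={"10.0.0.0/24": ("udp/53",)},
)
RESOLVED = {"api.payments.example": "203.0.113.10"}
SAMPLE_FLOWS = [
    Flow("web01", "203.0.113.10", "tcp", 443, dst_host="api.payments.example"),
    Flow("web01", "203.0.113.99", "tcp", 443, dst_host="api.payments.example"),  # poisoned answer
    Flow("web01", "10.0.1.20", "tcp", 22),                                       # neighboring VM
    Flow("web01", "10.0.0.53", "udp", 53, dns_qname="api.payments.example"),
    Flow("web01", "10.0.0.53", "udp", 53,
         dns_qname="mfrgg2ltmvzgc3tumfrgg2ltmvzgc3tumfrgg2ltmvzgc3tumfrgg2lt.c2.example"),
]

if __name__ == "__main__":
    for record in audit(WEB_POLICY, SAMPLE_FLOWS, RESOLVED):
        print(record)
```

Two design points carry over from the text: the lateral flow to the neighboring VM is denied without any rule mentioning it, because nothing outside the whitelist is reachable, and the name-based rule is tied to the resolved address, so a connection that a poisoned answer steered elsewhere fails the check even though the hostname is permitted.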

SkySecure Center, the Cloud Delivered Management System and Secure Data Warehouse

The SkySecure Center is the Skyport hosted, cloud-based administration for the entire system and features full management of SkySecure servers, remote hardware attestation, and VM and policy orchestration. An integrated audit and traffic analytics service with a lifetime secure data warehouse is included to assist in meeting audit and compliance requirements. A browser is the management console, and there are secure RESTful APIs to enable customization with existing SIEM, policy, and workflow systems.

Unlike traditional infrastructure and security solutions, SkySecure Center provides an easy way to guarantee systems are always up-to-date. Software and service updates are verified and supplied by Skyport so no independent system verification is needed. Deploying system patches can be scheduled and rolled out easily as part of the ongoing SkySecure service.

Policies are defined using templates and are associated with VMs before deployment. They are tailored to suit the organization's security policies, and allow fine-tuned controls appropriate for known applications such as file transfer servers, web servers, AD controllers, virtualization controllers, and DNS/DHCP systems. For applications and VMs with communication patterns that are not well understood, built-in traffic observation can be used to develop policies over time.

SkySecure Center offers secured remote console access to all hosted VMs, logging and audit of system and workload operations, as well as detailed traffic visualization and auditing to assist in remote troubleshooting and traffic forensics. All events of the system are stored in a secure data warehouse and they are signed and time-stamped. This provides a tamper-resistant audit and evidentiary trail for all events and I/O metadata for each VM for its lifetime.
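The signed and time-stamped event store that gives the audit trail its tamper resistance can be illustrated with a chained record format. The example below is added here and is not Skyport's code or a description of the SkySecure Center data format: the record fields, the chaining rule and the class and function names are constructed for this illustration, and an HMAC stands in for the digital signature the text refers to. It shows what a verifier that holds the key and the last known head can detect: a modified record, a removed or reordered record, and a truncated log.

```python
"""Signed, time-stamped, chained event records for a tamper-resistant audit trail.

Added illustration, not Skyport's code. Each record is time-stamped, carries the
authenticator of the previous record and is authenticated as a whole. HMAC stands
in for the digital signature the page describes; the key stays with the warehouse
and the verifier, never on the server whose activity is being recorded.
"""
import hashlib
import hmac
import json
import time
from typing import Dict, List, Optional, Tuple

GENESIS = "0" * 64


def _authenticate(key: bytes, record: Dict) -> str:
    """MAC over a canonical serialization of every field except the MAC itself."""
    body = {k: v for k, v in record.items() if k != "mac"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


class EventWarehouse:
    """Append-only store: events can be added, never edited or removed."""

    def __init__(self, signing_key: bytes):
        self._key = signing_key
        self._records: List[Dict] = []

    def append(self, vm: str, event: str, ts: Optional[float] = None) -> Dict:
        ts = time.time() if ts is None else ts
        if self._records and ts < self._records[-1]["ts"]:
            raise ValueError("timestamps must not move backwards")
        record = {
            "seq": len(self._records),
            "ts": ts,
            "vm": vm,
            "event": event,
            "prev": self._records[-1]["mac"] if self._records else GENESIS,
        }
        record["mac"] = _authenticate(self._key, record)
        self._records.append(record)
        return dict(record)

    def records(self) -> List[Dict]:
        return [dict(r) for r in self._records]

    def head(self) -> str:
        """Authenticator of the newest record; a verifier keeps this to detect truncation."""
        return self._records[-1]["mac"] if self._records else GENESIS


def verify_chain(records: List[Dict], key: bytes,
                 expected_head: Optional[str] = None) -> Tuple[bool, Optional[int]]:
    """Return (ok, index of the first bad record). Pass expected_head to catch truncation."""
    prev = GENESIS
    last_ts = float("-inf")
    for i, record in enumerate(records):
        if record.get("seq") != i or record.get("prev") != prev:
            return False, i          # gap, removal or reordering breaks the link
        if not hmac.compare_digest(_authenticate(key, record), record.get("mac", "")):
            return False, i          # any edited field changes the authenticator
        if record["ts"] < last_ts:
            return False, i          # time must not run backwards within the chain
        prev, last_ts = record["mac"], record["ts"]
    if expected_head is not None and prev != expected_head:
        return False, len(records)   # records are missing from the end
    return True, None


if __name__ == "__main__":
    key = b"constructed-warehouse-key"
    warehouse = EventWarehouse(key)
    warehouse.append("web01", "remote console session opened by admin", ts=1000.0)
    warehouse.append("web01", "policy template applied: web-server", ts=1001.0)
    print(verify_chain(warehouse.records(), key, warehouse.head()))
```

Without the stored head, a log cut off at the end still verifies, which is why the verifier has to keep the newest authenticator (or receive it out of band) rather than trust whatever length of log it is handed.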
Reduced Threat Surface Area

Sophisticated attacks are often able to bypass security controls in traditional environments. SkySecure's unique approach provides protection against a range of attacks that usually succeed, such as:

* Undetected data exfiltration
* Reuse of stolen application or server credentials
* Identifying neighboring systems to exploit
* Exploiting known web crypto vulnerabilities
* Poisoning network services
* Hardware, BIOS, firmware, and hypervisor attacks

SkySecure Detects & Stops Sophisticated Attacks

* DNS/ICMP/SSH tunneling
* Rogue FTP/SFTP/SCP I/O
* I/O to botnet controllers
* Pass-the-ticket & hash
* Vulnerability scanning
* DNS/ICMP scanning
* Sniffing broadcast traffic
* Heartbleed, Poodle, Freak, Logjam
* DNS poisoning
* ARP & MAC spoofing
* Hyperjacking
* USB/console port attacks
* BIOS reset
* Undetected hardware changes

Reducing the threat surface area is accomplished with a variety of protections that span the entire technology stack:

* Hardened hardware with no extraneous ports and a hardware-based visibility and network security stack
* Hardened firmware to address firmware compromise and provide secure remote management
* Hardened hypervisor & server OS to stop hypervisor break-out attacks and OS process-level attacks
* Hardened VM environment that defends against credential compromise, data exfiltration, protocol-level attacks, lateral attacks, and covert communication channel use
* Hardened management plane to reduce the risk of insider threat and mitigate against infrastructure attacks

Common Deployment Use-Cases

SkySecure is well suited to protect remote, exposed, critical, and high-value applications and servers, such as:

* Servers in hostile and untrusted locations and branch offices with insecure physical controls, untrusted personnel access, and issues with a secure delivery chain. SkySecure servers have a locked-down chassis, hardware and software tamper detection, lights-out remote management, and they do not need on-site skilled staff to deploy.
* Exposed DMZ applications and gateways that are persistently under attack. SkySecure reduces the threat surface area, enforces application-specific protections, prevents lateral attacks, has an observation mode, monitors and prevents exfiltration attempts, and prevents follow-on exploitation due to credential theft.
* Critical applications that manage the IT infrastructure and are the keys to the kingdom. SkySecure provides full visibility and real-time access control of communications to and from the VM, enforces whitelist access policy, and compartmentalizes critical credentials.
* High-value electronic assets that use sensitive data while it is not encrypted. SkySecure protections span the entire platform and provide packet mirroring to obtain an evidentiary trail for incident and breach handling.

Conclusion

The threat landscape is changing and securing key applications and servers against sophisticated attacks is a priority for most organizations. However, it is challenging to be successful: the attack vectors continue to expand due to IT automation, aggressors constantly find new vulnerabilities to exploit, and assembling and maintaining the necessary technology stacks to protect systems is complex. SkySecure is a system designed to protect mission-critical applications while reducing operational complexity. It combines a secure server with per-VM protections that reduce the threat surface area, protects against attacks that bypass traditional safeguards, and is well suited for deployment in hostile locations. It is delivered as a cloud managed service with streamlined workflows to simplify installation and ongoing operations.

[Figure: On-premise 2-RU x86 server. Hardened chassis for hostile environments. Voids warranty]

Server System Comparison (server system capabilities compared for an OEM rack server versus Skyport):

* Basic server software: BIOS, drivers, firmware, OS
* Virtualization software
* Event log storage, reporting, analytics, & audit
* Per-application firewall
* Managed-as-a-service
* Detects & prevents data and credential exfiltration
* Built-in integrity verification: HW, firmware, virtualization, software
* Sells-as-a-service: protects against obsolescence

Skyport Systems, 280 Hope Street, Mountain View, CA 94041, info@skyportsystems.com