Virtualization Technology News and Information
VMblog's Expert Interviews: ScaleFT Unveils a New Real-world, Zero Trust Platform Similar to Google's BeyondCorp

interview scaleft

Everyone who reads VMblog knows how bad most enterprise network security can be. It's a $100 billion annual industry of products and services that fails every day. That kind of miserable track record wouldn't work in any other industry.

When Google got breached in 2009, at the hands of alleged China state actors, the Web giant realized that perimeter security was an oxymoron. There is no such thing as reliable perimeter security. Google started all over again and developed a security and identity architecture it called BeyondCorp.

ScaleFT, founded by former Rackspace executives whose own corporate network was also breached in 2009, today announced a $2 million seed funding round and unveiled its own "Zero Trust" platform for companies to achieve their own BeyondCorp-inspired security architecture.

I spoke to Ivan Dwyer, VP of products, to learn more.

VMblog:  To kick things off, can you tell VMblog readers a bit more about your product?

Ivan Dwyer:  The ScaleFT Platform is a real-world implementation of a Zero Trust architecture similar to Google's BeyondCorp. Our products are used for both privileged access to infrastructure resources, and employee access to corporate web applications. Our founding team was witness to the Operation Aurora attacks while working at Rackspace, and felt that the correct response was not to follow tradition by bolstering the perimeter defenses with more firewalls and VPNs. As it turned out, Google agreed with that sentiment and thus began their BeyondCorp initiative.

After our company was formed and the initial product was built, Google released their first BeyondCorp paper, which closely paralleled our own thinking. It wasn't until Google published the second paper, however, when it became clear that the architecture was closely aligned with ours. We are believers in the BeyondCorp framework and there is no better validation that Zero Trust works than Google's success in avoiding breaches of its own networks.

VMblog:  How do you get Zero Trust to work for data center, cloud infrastructure, and SaaS?  How do you manage identity?

Dwyer:  We see the definition of identity changing with Zero Trust. It's no longer just an employee record, it's the combination of a user plus their device at a specific point in time. To handle all environments, our approach is to decouple as much of the decision-making logic as possible to the cloud, keeping the identity governance as no more than a system of record. We know that many enterprises run Active Directory on-premises, and have no plans to migrate to the cloud any time soon. This means we need to build native integrations for all identity providers to handle the user authentication process. We handle authorization through the ScaleFT Access Fabric, a globally distributed system that performs real-time policy-driven decision making based on dynamic user and device conditions.

VMblog:  VPNs are how enterprises provide secure access to corporate networks.  How do you encourage user adoption with a new security technology?  And doesn't it make access unwieldy, hamper performance?

Dwyer:  We see the VPN market being disrupted by Zero Trust, not simply because the network is a poor determination of trust in the cloud, but also because the end user experience is terrible. When done right, like Google did with BeyondCorp, a Zero Trust implementation provides better security that is actually loved by the users. They found that IT support tickets dropped drastically once implemented, which any company would want. It's the architecture of Zero Trust that supports this improved environment, with the access controls themselves driving the experience.

We built our Access Fabric to make lightning-fast authorization decisions without getting in the way of the user's workflow. It's our goal to make that decision-making process easily understood by everyone in the company, so that the policies actually help improve every employee's overall security posture. For example, when you get locked out by your company's VPN, you rarely know why, and will do everything you can to circumvent it. With a well-crafted Zero Trust implementation, a policy that states a user must keep their device up-to-date to access an internal application can easily provide the right self-remediation messaging. This feedback loop is something we pay close attention to with our own Zero Trust products.

VMblog:  Finally, can you walk us through how your access controls work?

Dwyer:  Every request to a protected resource, server or web app, flows through a centralized access gateway that performs the authentication against the identity provider and authorization against the access policies. Our policy framework factors in a number of user and device factors, such as whether the OS is up-to-date or is the disk encrypted. We operate our own PKI as part of the platform, which issues an ephemeral credential for each verified request, and opens an encrypted channel with the resource for a secure session. We support SSH and RDP for server access, and HTTPS for web access, streamlining the end user experience without any additional configuration or patching.

The ScaleFT platform enables companies to achieve their own BeyondCorp-inspired security architecture by authenticating, authorizing, and encrypting every request to a protected resource, with the decision being made in real-time based on what is known about the user and the device.


Published Wednesday, July 19, 2017 8:03 AM by David Marshall
Filed under: ,
VMblog's Expert Interviews: ScaleFT Talks Better Security Through UX : @VMblog - (Author's Link) - November 16, 2017 8:04 AM
To post a comment, you must be a registered user. Registration is free and easy! Sign up now!
<July 2017>