Everyone who reads VMblog knows
how bad most enterprise network security can be. It's a $100 billion annual
industry of products and services that fails every day. That kind of miserable
track record wouldn't work in any other industry.
When Google got breached in
2009, at the hands of alleged China state actors, the Web giant realized that
perimeter security was an oxymoron. There is no such thing as reliable
perimeter security. Google started all over again and developed a security and
identity architecture it called BeyondCorp.
ScaleFT, founded by former
Rackspace executives whose own corporate network was also breached in 2009,
today announced a $2 million seed funding round and unveiled its own "Zero
Trust" platform for companies to achieve their own BeyondCorp-inspired security
architecture.
I spoke to Ivan Dwyer, VP of products, to learn more.
VMblog: To kick things off, can you tell VMblog readers a bit more about your product?
Ivan Dwyer: The ScaleFT Platform is a real-world implementation of a Zero Trust
architecture similar to Google's BeyondCorp. Our products are used for both
privileged access to infrastructure resources, and employee access to corporate
web applications. Our founding team was witness to the Operation Aurora attacks
while working at Rackspace, and felt that the correct response was not to
follow tradition by bolstering the perimeter defenses with more firewalls and
VPNs. As it turned out, Google agreed with that sentiment and thus began their
BeyondCorp initiative.
After our company was formed and the initial product was
built, Google released their first BeyondCorp paper, which closely paralleled
our own thinking. It wasn't until Google published the second paper, however,
that it became clear that the architecture was closely aligned with ours. We
are believers in the BeyondCorp framework and there is no better validation
that Zero Trust works than Google's success in avoiding breaches of its own
networks.
VMblog: How do you get Zero Trust to work for data center, cloud infrastructure, and
SaaS? How do you manage identity?
Dwyer: We see the definition of identity changing with Zero Trust. It's no longer just
an employee record, it's the combination of a user plus their device at a
specific point in time. To handle all environments, our approach is to decouple
as much of the decision-making logic as possible to the cloud, keeping the
identity governance as no more than a system of record. We know that many
enterprises run Active Directory on-premises, and have no plans to migrate to
the cloud any time soon. This means we need to build native integrations for
all identity providers to handle the user authentication process. We handle
authorization through the ScaleFT Access Fabric, a globally distributed system
that performs real-time policy-driven decision making based on dynamic user and
device conditions.
VMblog: VPNs are how enterprises provide secure access to corporate networks. How do
you encourage user adoption with a new security technology? And doesn't it make
access unwieldy, hamper performance?
Dwyer: We see the VPN market being disrupted by
Zero Trust, not simply because the network is a poor determination of trust in
the cloud, but also because the end user experience is terrible. When done
right, like Google did with BeyondCorp, a Zero Trust implementation provides
better security that is actually loved by the users. They found that IT support
tickets dropped drastically once implemented, which any company would want.
It's the architecture of Zero Trust that supports this improved environment,
with the access controls themselves driving the experience.
We built our Access
Fabric to make lightning-fast authorization decisions without getting in the
way of the user's workflow. It's our goal to make that decision-making process
easily understood by everyone in the company, so that the policies actually
help improve every employee's overall security posture. For example, when you
get locked out by your company's VPN, you rarely know why, and will do
everything you can to circumvent it. With a well-crafted Zero Trust
implementation, a policy that states a user must keep their device up-to-date
to access an internal application can easily provide the right self-remediation
messaging. This feedback loop is something we pay close attention to with our
own Zero Trust products.
VMblog: Finally, can you walk us through how your access controls work?
Dwyer: Every request to a
protected resource, server or web app, flows through a centralized access
gateway that performs the authentication against the identity provider and
authorization against the access policies. Our policy framework factors in a
number of user and device conditions, such as whether the OS is up-to-date or
the disk is encrypted. We operate our own PKI as part of the platform, which
issues an ephemeral credential for each verified request, and opens an
encrypted channel with the resource for a secure session. We support SSH and
RDP for server access, and HTTPS for web access, streamlining the end user
experience without any additional configuration or patching.
The ScaleFT
platform enables companies to achieve their own BeyondCorp-inspired security
architecture by authenticating, authorizing, and encrypting every request to a
protected resource, with the decision being made in real-time based on what is
known about the user and the device.
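A minimal illustration of the flow Dwyer describes, covering both the self-remediation messaging from the previous answer and the gateway decision here: evaluate a policy over user plus device posture, issue an ephemeral credential for a verified request, and return human-readable reasons when a check fails. This is an added example, not ScaleFT code; the policy format, resource names, and the HMAC-signed token standing in for the platform's PKI are assumptions.

```python
import hashlib, hmac, json
from dataclasses import dataclass

@dataclass
class Device:            # device posture at the moment of the request
    os_version: str
    disk_encrypted: bool
    managed: bool

# Constructed policy table (hypothetical format): per resource, who may connect
# and what the device must look like.
POLICY = {
    "wiki.internal": {"groups": {"employees"}, "min_os": "12.0", "encrypted": False},
    "prod-db-ssh":   {"groups": {"sre"},       "min_os": "13.2", "encrypted": True},
}
GATEWAY_KEY = b"constructed-demo-key"  # stands in for the platform's own PKI
TTL = 300                              # seconds an issued credential stays valid

def _ver(v):
    return tuple(int(x) for x in v.split("."))

def evaluate(user, groups, device, resource):
    """Policy decision over user + device. Returns (allowed, remediation messages)."""
    rule = POLICY.get(resource)
    if rule is None:
        return False, ["Resource is not registered with the access gateway."]
    why = []
    if not set(groups) & rule["groups"]:
        why.append(f"Your account is not in an authorized group for {resource}.")
    if not device.managed:
        why.append("Enroll this device with IT before accessing internal resources.")
    if _ver(device.os_version) < _ver(rule["min_os"]):
        why.append(f"Update your OS to {rule['min_os']} or later, then retry.")
    if rule["encrypted"] and not device.disk_encrypted:
        why.append("Turn on full-disk encryption to reach this resource.")
    return not why, why

def issue_credential(user, groups, device, resource, now, key=GATEWAY_KEY):
    """Gateway side: an ephemeral, per-request credential, or the reasons for denial."""
    allowed, why = evaluate(user, groups, device, resource)
    if not allowed:
        return None, why
    claims = {"sub": user, "res": resource, "iat": now, "exp": now + TTL}
    body = json.dumps(claims, sort_keys=True).encode()
    return {"claims": claims, "sig": hmac.new(key, body, hashlib.sha256).hexdigest()}, []

def verify_credential(cred, resource, now, key=GATEWAY_KEY):
    """Resource side: signature intact, bound to this resource, not yet expired."""
    body = json.dumps(cred["claims"], sort_keys=True).encode()
    good_sig = hmac.compare_digest(hmac.new(key, body, hashlib.sha256).hexdigest(), cred["sig"])
    return good_sig and cred["claims"]["res"] == resource and now < cred["claims"]["exp"]
```

The denial messages are the policy explaining itself to the user, which is the feedback loop the interview contrasts with an opaque VPN lockout.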