Server Startup And Systems Integrator Team To Confront 'Frankenstein's Monster' In Some Active Directory Environments

Skyport Systems, a startup focused on building ultra-secure servers, has teamed up with a Microsoft-aligned systems integrator to keep hackers from compromising Active Directory authentication controls.

Together, Skyport and Ascent Solutions, based in Minneapolis, have developed a turnkey implementation that aligns Microsoft's prescriptive model with how infrastructure and architecture work at both a systems level and a human level.

"We're taking a holistic view of a major technology and security threat that exhibits itself at least monthly on the pages of the major business journals," said Doug Gourlay, Skyport's corporate vice president. "Hackers are exploiting silos between security, networking, app and system teams."

[Related: Skyport Systems Names Former HP Exec As CEO]

id
unit-1659132512259
type
Sponsored post

The project started when Skyport, based in Mountain View, Calif., had some conversations with Microsoft about how best to help organizations struggling to block credential theft. Without that level of intrusion, the breaches at Sony, Target and JPMorgan Chase would have never made headlines, Gourlay said.

Skyport wanted to thwart hackers who were using attacks like Pass-the-Ticket or Pass-the-Hash that compromise the credential authentication process, giving them access to corporate networks.

The startup's inquiries coincided with Microsoft releasing its first prescriptive model for how to secure Active Directory and identity management systems. Microsoft's model relies on a validated clean source for hosting administrator domains -- a use case Skyport's hardened servers were well-suited for, Gourlay said.

Microsoft introduced Skyport to an innovative solution provider.

"Microsoft pointed us to Ascent Solutions," Gourlay said. "We marched over to Minneapolis to have a chat with them."

Large enterprises have been implementing the Microsoft-prescribed architecture with assistance from Microsoft Consulting Services. But the Skyport-Ascent partnership is intended to harden credential verification for down-market customers, he said.

The two companies began discussing how they could build the most secure architecture possible, addressing all major avenues of attack that are turning user credential hacks into front-page news.

Pete Fox, vice president of Cyber Services at Ascent Solutions, told CRN that many organizations operate a needlessly complex credential authentication environment.

"Many companies have a Frankenstein monster in their Active Directory composition," Fox said.

The systems integrator had been implementing Microsoft's secure model for several quarters without the benefit of the Skyport platform, he said.

"As we work with Skyport, we're able to dramatically reduce the time it takes to build the environment, which is 40 percent of that roughly two-month project," Fox told CRN.

Ascent has scoped the work, depending on the size of the organization, to between an eight-week and a 16-week consulting engagement in which it first evaluates systems administration and Active Directory practices, then benchmarks them against Microsoft's prescriptions, creating a gap analysis.

Ascent works with customers to implement a tiered system, helping them think through which systems and tools belong in different tiers.

"Many production systems like to play around in Tier 0," where domain admin credentials reside, he said.

The solution addresses all four major Active Directory deployment environments, using Skyport's hyper-secured servers as validated clean sources for hosting Red Forest domains, where administrator accounts safely reside on secure workstations.

For more sophisticated customers, Ascent can also implement "Just In Time" provisioning, which limits the amount of time administrators have privileges turned on.

"An initial implementation spinning up this new tier might take between two and 10 Skyport boxes for a large customer working with hundreds of servers, Fox said.

"The solution is fully baked," he added. "We've done it repeated times."