If you were to ask Doug Gourlay for a good model of security at work, he’d likely point you to two examples: the Xbox and the iPhone. There are a ton of them out in the wild, but you don’t often hear about them being hacked.

When it comes to enterprise security, though, it’s a different story. Organizations are spending billions of dollars on security, yet we are still routinely hearing about the massive data breaches in the world’s biggest companies.

The difference is that the systems supporting tech like the iPhone and Xbox were architected with security in mind: they were built from the ground up to be secure.

Gourlay is the corporate vice president for Skyport Systems, a startup that wants to help re-architect the enterprise with security in mind. The company’s SkySecure system brings together hardware, software, and management tools to provide an out-of-the-box solution for enterprise customers to fix the internal problems of traditional architecture.

“The underlying infrastructure, the actual data center compute infrastructure, where we have all our important applications running and store all our data, is fundamentally insecure,” said Stefan Dyckerhoff, managing director of Sutter Hill Ventures, who invested in Skyport.

To build security into the fabric of your organization, it can’t be an afterthought. Gourlay said that money spent on tools like perimeter security is money wasted, as there is no guarantee that it can always be done the right way.

“If you don’t do it perfectly once, you’ve left the door open for somebody to get in that shouldn’t be there,” Gourlay said.

So, their approach is to re-platform for security, with an architecture designed from the get-go to be hardened and secure by default. The Skyport system is composed of two major components: an on-premises server and a management system.

“The reality is that any mid-size company and larger is going to have a blend of on-premises compute and cloud-based compute,” Gourlay said. “And, the on-premises compute are usually the things they care the most about from a security perspective.”

With this in mind, they wanted to ensure that the workloads clients cared the most about would be the ones that they would be able to secure the best. With their x86-based server, Gourlay said they reduced the attack surface, got rid of some of the extraneous ports, and gave it a few extra processing capabilities and a built-in firewall. Here are the specs:

  • 2x 8-core Intel Xeon E5-2630 v3 (“Haswell”) processors at 2.4 GHz
  • 128 GB ECC DRAM (DDR4-2133)
  • 2x 960 GB SSD
  • Zero ports / tamper-resistant chassis

And, here are the specs on the I/O controller:

  • 40 Gb/sec flow processor
  • 2x 1/10 GbE SFP+

Out of the box, the first thing the server does is call home and connect itself to the management system. Once it comes online, the hardware verifies all the software, checking whether it has been altered, before allowing it to run. From the time of its manufacture, the hardware, firmware, and software are all continuously validated.

Everything possible is encrypted, signed, and validated, Gourlay said.
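The boot-time validation described above, as an added illustration that is not Skyport's code: a measured-boot check that measures each stage, extends a PCR-style register with what it saw, and refuses to run any stage whose digest differs from a vendor-authenticated manifest. The images, the boot order and the vendor key are all constructed here, and an HMAC key stands in for the vendor's signing key so the example runs on the Python standard library alone.

```python
import hashlib
import hmac
import json

# Constructed sample images standing in for the stages the hardware measures;
# a real device would read these from flash or disk.
GOOD_IMAGES = {
    "firmware":   b"constructed firmware image v1",
    "bootloader": b"constructed bootloader image v1",
    "os":         b"constructed os image v1",
}
# Assumed vendor key: HMAC stands in for the vendor's signing key here; a real
# root of trust checks a public-key signature in hardware.
VENDOR_KEY = b"constructed-vendor-key"
BOOT_ORDER = ("firmware", "bootloader", "os")

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_manifest(images: dict, key: bytes) -> dict:
    """Vendor side: record each stage's expected digest and authenticate the list."""
    expected = {name: sha256(images[name]) for name in BOOT_ORDER}
    body = json.dumps(expected, sort_keys=True).encode()
    return {"expected": expected, "mac": hmac.new(key, body, "sha256").hexdigest()}

def extend(register: bytes, digest_hex: str) -> bytes:
    """TPM PCR-style extend: the register only moves forward and never resets."""
    return hashlib.sha256(register + bytes.fromhex(digest_hex)).digest()

def verify_boot(images: dict, manifest: dict, key: bytes) -> dict:
    """Device side: authenticate the manifest, then measure each stage before running it."""
    body = json.dumps(manifest["expected"], sort_keys=True).encode()
    if not hmac.compare_digest(hmac.new(key, body, "sha256").hexdigest(), manifest["mac"]):
        return {"allowed": False, "reason": "manifest authentication failed", "ran": []}
    register, ran = b"\x00" * 32, []
    for name in BOOT_ORDER:
        measured = sha256(images[name])
        register = extend(register, measured)  # log what was actually present
        if not hmac.compare_digest(measured, manifest["expected"][name]):
            return {"allowed": False, "reason": f"{name} altered", "ran": ran,
                    "measurement": register.hex()}
        ran.append(name)
    return {"allowed": True, "reason": "all stages match", "ran": ran,
            "measurement": register.hex()}
```

The final `measurement` value is what a management system would compare against a known-good value on every check-in, which is how "continuous validation" catches a change made after boot.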

Additionally, there is a compartmentalization component to help shrink the perimeter around the workloads and provide specific, application-layer protection. The compartment function also provides transparency around workload communications.

The second major component is the SaaS management system, SkySecure Center, which provides both traffic and system intelligence. It logs every transaction in and out of every server and VM under management, every admin login, and every DNS lookup.

Additionally, packet capture helps determine if a workload has been infected, and the system also records who makes policies so users can track any changes to services. Users get full visibility into all system activities, including an audit trail for policy.

Because Skyport is essentially wrapped around an application, Dyckerhoff said, they are in a unique position to collect and correlate data for users. That data can be used to help further refine an organization’s security practices.

“The first thing we chose to do in the product is help the user define the best possible security policy for that application,” Dyckerhoff said.

Many users allow too much in a policy for a given application. But, Dyckerhoff said, Skyport helps them craft a tighter policy that will help further reduce their threat surface.

According to company literature, the system can be deployed “without changes to the network, application, or OS architecture and operations.”

Skyport Systems got its start in 2013 and has raised close to $40 million in venture capital funding. Interested parties can sign up for a demo here.