rvlsoft - Fotolia

HPE buys Scytale to hone cloud-native security chops

HPE has scooped up Scytale, a startup that has developed a cloud-native security framework for highly distributed applications. While most enterprises don't need such capabilities today, HPE has taken a step that could serve them down the road.

Hewlett Packard Enterprise has acquired cloud-native security startup Scytale to boost its position as a neutral provider in hybrid and multi-cloud computing.

Scytale has developed an identity management and service authentication platform based on the open-source SPIFFE (Secure Production Identity Framework for Everyone) and SPIRE (SPIFFE Runtime Environment) projects hosted at the Cloud Native Computing Foundation (CNCF). Founded in 2017, Scytale had raised $8 million in venture funding. Terms of its sale to HPE weren't disclosed.

HPE, like rival Cisco, attempted to build its own AWS-like IaaS offering, but ultimately shuttered it in 2015. Now both companies are focused on selling software, hardware and services to customers with complex IT environments that span on-premises and multiple public clouds.

Scytale's technology is crucial to this strategy, said Dave Husak, HPE fellow and general manager of cloudless initiative, in a blog post.

"We recognize that every organization that operates in a hybrid, multi-cloud environment requires 100% secure, zero trust systems, that can dynamically identify and authenticate data and applications in real-time," Husak said in the post.

SPIFFE came about in 2016, after engineers from Cisco, Netflix, Salesforce, Google, Twilio and other companies held a meeting to discuss novel ways of implementing a zero-trust network security framework, Scytale co-founder Sunil James said in a blog post. Scytale was formed in 2017 to foster SPIFFE's development and it was soon accepted as a sandbox project by the CNCF.

Modern application design practices such as microservices and container orchestration have resulted in much more complex production environments that can span multiple networks, making service authentication much more difficult.

SPIFFE specifies a framework that can tie identity to application services across these heterogeneous environments, according to Scytale. It relies on mutual Transport Layer Security (mTLS), an approach that uses asymmetric cryptography to verify the sender and recipients of a message and ensure no third party has seen or altered it.

While SPIFFE and SPIRE remain fairly nascent, the projects have strong backing from the likes of Uber and Bloomberg. Scytale released a commercial SaaS offering based on the projects, Scytale Enterprise, in June 2019.

Scytale targets emerging authentication needs

More established cloud identity management vendors such as Okta differ from Scytale's cloud-native security approach in that their core focus is on authenticating users to services, said John Grady, an analyst with Enterprise Strategy Group in Milford, Mass.

"The problem Scytale is trying to solve is managing and authenticating one microservice to another across multiple locations and clouds," Grady said. "Nearly all organizations have moved to cloud, and many are using multiple cloud services. The journey to containers and true hybrid multi-cloud for enterprise-scale production apps isn't ubiquitous, but is clearly the direction we're moving, and quickly."

Managing identities in the cloud is already a headache and only getting harder so it will be critical soon.
John Grady Analyst, Enterprise Strategy Group

Scytale's open-source roots also gives HPE another talking point relative to its marketing messages, he added. In addition, Scytale's early stage of development means the price likely made it attractive for HPE to buy, versus partner, Grady said.

"Is something like Scytale critical for a majority of enterprises today? I don't think so," Grady said. "But managing identities in the cloud is already a headache and only getting harder, so it will be critical soon."

HPE found a sweet spot with the Scytale deal, another analyst said.

"Services authentication is where the rubber hits the road when it comes to modern, service mesh-based applications that [move] across an enterprise's boundaries," said Holger Mueller, an analyst with Constellation Research in Cupertino, Calif. "HPE's capabilities have increased with the Scytale acquisition and it is in better shape to play a bigger role in this important software platform environment."

Dig Deeper on Cloud infrastructure design and management