When a hacker broke into the computer systems of the Oldsmar Florida water supply last month, it sent up red flags across the operational tech world, whether that’s utilities or oil and gas pipelines. Xage, a security startup that has been building a solution to help protect these hard-to-secure operations, announced a Zero Trust remote access cloud solution today that could help prevent these kinds of attacks.
Duncan Greatwood, CEO at Xage, says flat out that if his company’s software was in place in Oldsmar, that hack wouldn’t have happened. Smaller operations like the one in Oldsmar tend to be one-person IT shops running older remote access software that’s vulnerable to hacking on a number of levels.
“It’s not difficult to compromise a virtual network computing (VNC) connection. It’s not difficult to compromise a stale account that’s been left on a jump box. What we started to do last year was deliver what we call a Zero Trust remote access solution to these kinds of customers,” Greatwood told me.
This involves controlling access device by device and person by person by determining who can do what based on them authenticating themselves and proving who they are. “It doesn’t rely on knowledge of a device password or a VPN zone password,” he explained.
The solution goes further with a secure traversal tunnel, which relies on a tamper proof certificate to prevent hackers from getting from the operations side of the house — whether that’s a utility grid, water supply or oil and gas pipeline — to the IT side where they could then begin to muck about with the operational technology.
Xage also uses a distributed ledger as a core part of its solution to help protect identity policies, logs and other key information across the platform. “Having a distributed ledger means that rather than an attacker having to compromise just a single node, it would have to compromise a majority of the nodes simultaneously, and that’s very difficult [if not impossible] to do,” he said.
What’s more, the ledgers operate independently across locations in a hierarchy with a global ledger that acts as the ultimate rules enforcer. That means even if a location goes offline, the rules will be enforced by the main system whenever it reconnects.
They introduced an on premise version of the Zero Trust remote access system last October, but with this kind of technology difficult to configure and maintain, some customers were looking for a managed solution like the one being introduced today. With the cloud solution, customers get a hosted solution accessible via a web browser with much faster deployment.
“What we’ve done with the cloud solution is made it really simple for people to adopt us by hosting the management software and the core Xage fabric nodes in this Xage cloud, and we’re really dramatically reducing that time to value for a remote access solution for IT,” Greatwood said.
You might be thinking that CISOs might not trust a cloud solution for these sensitive kinds of environments, and he admits that there is some caution in this market, even though they understand the benefits of moving to the cloud. To help ease these concerns, they can do a PoC in the cloud and there is a transfer tool to move back on prem easily if they are not comfortable with the cloud approach. So far he says that no early customers have chosen to do that, but the option is there.
Xage was founded in 2017 and has raised $16 million so far, according to Crunchbase data.