Sandstorm Uses Mega-Containerization to Offer Fine-Grained Access Control
In the world of software-as-a-service and containerization, Palo Alto, Calif.-based Sandstorm.io has chosen a different path: Sandstorm’s software aims to tackle the authentication and security problems that software-as-a-service poses for many companies through the use of fine-grained containerization.
“Every document runs in its own container, isolated from the others. It gives Sandstorm the ability to understand the data on the same level the user does,” said co-founder Kenton Varda.
“Sandstorm can implement access control so the application doesn’t have to. That means security vulnerabilities in the application basically don’t matter, because if I’ve created a document and I haven’t shared it with you, you can’t even send requests to that container because Sandstorm is managing what you can access. If you can’t send requests, you can’t exploit vulnerabilities in Etherpad – and there have been several. If I have shared the document with you, you have the data, and security doesn’t matter. You don’t get anything more by exploiting it,” he explained.
He cites among Sandstorm’s benefits:
- Security: There is no need to security-review every app since Sandstorm creates an environment that mitigates and contains vulnerabilities.
- Compliance: With Sandstorm, regulations like ITAR (aerospace/defense), HIPAA (healthcare), FISMA (federal government), financial regulations, European privacy laws, and more can be implemented in the platform and applied uniformly across all apps, without the app developer’s help.
- Scalability: Since each app instance handles a single document, Sandstorm can take care of scaling across multiple machines.
- Integration: All Sandstorm apps integrate with incumbent enterprise infrastructure such as single-sign-on through Active Directory, without extra work by the developer.
The open source platform for personal and private clouds so far consists of a productivity suite, but the company envisions becoming a wider marketplace for open source apps.
A ‘Better Middle Ground’
Originally a crowd-funded project, the company announced a $1.3 million seed round in January 2015, led by Quest Venture Partners. It now has seven employees.
“We believe there’s a better middle ground that merges the benefits of SaaS — ease of use, always up-to-date — with the benefits of on-prem — security, compliance, integration with corporate infrastructure — while simultaneously lowering the barrier to entry for developers,” he said.
He admits it’s early days yet for the technology, but it has a few hundred customers, most of whom it gained by word of mouth. About half are in Europe, particularly Germany, he said, where privacy law requires data to be kept within the country’s borders, which SaaS companies often can’t guarantee.
“A lot of companies can’t use SaaS services because they’re highly regulated, they have security concerns, competitive concerns,” he said, pointing out that cloud services are required to comply with the complex regulations governing those industries, too.
For instance, the Department of Health and Human Services recently made clear that cloud providers become “business associates” of covered healthcare entities, liable under HIPAA when they handle protected health information even if they don’t have the encryption key to that data.
“Rather than signing up for Google Docs, you might run an internal Sandstorm server and edit documents there, and the data stays on your servers. That doesn’t mean those servers are in your building – they could be on AWS. But it’s reporting to you, not the developer of the application,” Varda said.
Each grain (Sandstorm’s term for a per-document container) is private until others are granted access. Sandstorm treats access permission as an object that can be handed to other parties, which it calls a “capability.” A capability identifies both the identity (address) of the grain and the permissions granted on it, which can be modified by role or revoked at any time.
Formerly at Google, Varda wrote much of its Protocol Buffers 2.0, now being reimagined as Cap’n Proto. Heavily based on CapTP, the network protocol used by the E programming language, a Cap’n Proto socket is a Sandstorm app’s only connection to the outside world. Other protocols, like HTTP, can be layered on top.
Capabilities exchanged between apps using the Sandstorm Powerbox UI are Cap’n Proto object references.
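The mediation Varda describes, as a simplified Python model added here (not Sandstorm’s own code; the two-role scheme, the token format and the Grain/Platform classes are assumptions for illustration): the grain performs no access checks itself, a caller holding no capability is refused before any request reaches it, a shared capability can never carry more rights than the sharer holds, and revocation takes effect on the next request.

```python
import secrets

# Roles live in the platform, not in the app (assumed two-role model for illustration).
ROLES = {"viewer": {"read"}, "editor": {"read", "write"}}

class Grain:
    """One document container. It performs no access checks of its own."""
    def __init__(self, grain_id):
        self.grain_id, self.content = grain_id, ""
    def handle(self, op, payload=None):
        # An app bug here is reachable only by callers the platform already let in.
        if op == "read":
            return self.content
        if op == "write":
            self.content = payload
            return self.content
        raise ValueError(f"unknown op {op}")

class Platform:
    """Mediates every request: without a capability, nothing reaches the grain."""
    def __init__(self):
        self.grains = {}
        self.caps = {}  # token -> {"grain": grain id, "role": role, "alive": bool}
    def _mint(self, gid, role):
        token = secrets.token_urlsafe(16)  # unguessable reference = grain address + rights
        self.caps[token] = {"grain": gid, "role": role, "alive": True}
        return token
    def _check(self, token):
        cap = self.caps.get(token)
        if cap is None or not cap["alive"]:
            raise PermissionError("no capability: request never reaches the grain")
        return cap
    def create_grain(self):
        gid = f"grain-{len(self.grains) + 1}"
        self.grains[gid] = Grain(gid)
        return self._mint(gid, "editor")  # the creator holds full rights
    def share(self, token, role):
        """Derive a capability for someone else; it never exceeds the sharer's own role."""
        cap = self._check(token)
        if not ROLES[role] <= ROLES[cap["role"]]:
            raise PermissionError("cannot share more rights than you hold")
        return self._mint(cap["grain"], role)
    def revoke(self, token):
        self.caps[token]["alive"] = False
    def request(self, token, op, payload=None):
        cap = self._check(token)
        if op not in ROLES[cap["role"]]:
            raise PermissionError(f"role {cap['role']} does not allow {op}")
        return self.grains[cap["grain"]].handle(op, payload)
```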
All the components of an app run on a single machine; the platform scales by adding machines as necessary. This simplifies things for developers, since they don’t have to write logic or storage schemas to handle more than one document.
Varda says the technology is efficient at managing so many containers. Grains are small and start up in less than a second. They run only while in use. Static assets, such as code and images, are read-only, so they can be shared among all grains running the same app. All Etherpad documents, for instance, share one copy of the app, so the only additional data that has to be stored is the contents of each document.
The company is also working on sharing memory between grains, for instance by taking one instance of the app, letting it run a little, taking a snapshot of it, then cloning new containers from that snapshot.
The platform offers sharing, access control and document management at the platform level. It lets you see documents across all apps, search them all and see notifications across all apps in one place.
Its fine-grained containerization makes it easy to enforce access controls across all the apps. And it allows IT departments to enable self-service across the organization and eliminate the security and management problems of “shadow IT,” he said.
So far, the marketplace has been seeded with around 60 open source apps. It’s hoping to entice open source developers to submit enterprise-ready apps there by “checking so many of the boxes” of enterprise concerns such as security, compliance and integration with existing corporate infrastructure.