HPE rolls up Spiffe specialists Scytale in cloud security bid


HPE has bought itself a whole spiffey sackful of Cloud Native and open source pixie dust with the purchase of cloud security startup Scytale.

The company was formed in 2017 by, as HPE’s blog on the buy puts it, “a group of seasoned engineers from cloud-native enterprises like Amazon Web Services, Duo Security, Google, Okta, PagerDuty, and Splunk.”

The plucky engineers were focused on zero trust security architectures, in particular the Secure Production Identity Framework for Everyone (SPIFFE) and the associated Spire runtime, and set out, according to Scytale CEO Sunil James’s blog on the deal, to “make Spiffe a reality.”

As well as driving the open source architectures, the company sells a Scytale Enterprise version of Spire, and Scytale Essentials, a Scytale-supported, production-hardened distribution of SPIRE.


“We believed openness would breed success – SPIFFE could only succeed as open, community-driven projects, surrounded by a thriving ecosystem. We first released SPIFFE in December ’17, with the Cloud Native Computing Foundation (CNCF) adopting the project a few months later,” James continued.

As for agreeing to the buy, James said he had been “impressed” by HPE’s execs’ “clearsightedness as to the importance of ZT to HPE customers” and that, as HPE developed its “Cloudless Computing” strategy, “it became more apparent to me how directionally aligned Scytale and HPE were.”

“Under HPE, Scytale will continue to help steward SPIFFE. Our ever-growing and vocal community will lead us. We’ll toil to maintain this transparent and vendor-neutral project, which will be fundamental in HPE’s plans to deliver a dynamic, open, and secure edge-to-cloud platform.”

Dave Husak, HPE fellow and general manager for its Cloudless initiative, added in a blog, “HPE is fully-committed to continuing Scytale’s stewardship and contributions to SPIFFE and SPIRE, and these projects will play a fundamental role in HPE’s plans to deliver a dynamic, open, and secure edge-to-cloud platform.”

He said “every organization that operates in a hybrid, multi-cloud environment requires 100% secure, zero trust systems” and that “We also recognize that the open source community, which every day advances an endless array of projects designed for an open, multi-cloud, micro-services driven world, are at the forefront of writing code that delivers true zero trust, highly secure systems.”

“This acquisition also represents HPE’s ongoing transformation, part of which is to embrace and contribute to open source projects in the Cloud Native Computing Foundation and elsewhere. Our goal is to deliver services and products that advance these developments, and provide our customers and partners with the fastest-possible path to application modernization.”

More directly, Husak said the company saw “many opportunities to leverage SPIFFE and SPIRE across the HPE portfolio, and believe state-of-the-art cryptographic-identity technology will play a critical role in enterprise-scale digital transformation, cloud-enablement, and cloud-migration projects”.

While both organisations make great play of their support for Spiffe and Spire, it’s worth noting that both projects are still just in the CNCF’s sandbox category, almost two years after the CNCF first took them on.

It’s also worth noting that HPE – or at least its predecessor, HP – has a patchy record on capitalising on acquisitions. These include its mega buy of IT services giant EDS in 2008 for around $13bn, only for HPE to offload its services division a couple of years ago. On the software side, a series of buys earlier this century culminated in the purchase of UK software outfit Autonomy – a calamitous deal, the ramifications of which are still being played out in court in the UK.
