Chris Purrington's talk from CLOUDSEC 2016 "Defense in depth: practical steps to securing your data...

Post on 14-Apr-2017



Defense in depth: practical steps to securing data & achieving compliance

© 2016 @cohesivenet

about me

Chris Purrington

VP Sales and Managing Director, UK

Cohesive Networks


about Cohesive Networks

VNS3 security and connectivity solutions protect cloud-based apps

2100+ customers in 20+ countries across all industry verticals and sectors

Recognitions shown on the slide: Enterprise Security Top 20 Most Promising Company 2015; PartnerNetwork Technology Partner; Cloud Marketplace Provider


2,100+ customers in 20+ countries • 800+ Self Service Customers • 18+ SI Resellers • 45+ ISV OEM

Including Industry Leaders • Global Mutual Fund Company • US ERP provider • Global BPMS provider • Cloud-based Threat Detection • UK Fashion Brand • Global Big Data Analytics Provider

customers run businesses in the cloud


agenda

• Perimeter-based security has not evolved

• Data center security is not cloud security

• Modern defense in depth

• Application segmentation

• Customer use cases


Perimeter-based security has not evolved


security no longer #1 barrier to cloud adoption - still a top priority


weaknesses of the perimeter-based approach frequently on display:

Method of leak (chart legend): hacked, accidentally published, configuration error, inside job, lost/stolen computer, lost/stolen media, poor security

World’s Biggest Data Breaches - Information is Beautiful


Perimeter Security

private data center security: walls

80% of security spend is on perimeter, leaving only 20% for interior network security


Perimeter Security

private data center vulnerability

hacker penetration


Perimeter Security

private data center vulnerability

vulnerabilities go undetected for an average of 234 days!


data center security is not cloud security


Source: Azure Compliance

public cloud providers do build secure clouds…

• CSPs must meet tougher standards

• Reputation = vested interest in high levels of security

• Bigger budgets for infrastructure, data centres, compliance

• Better systems to vet and manage security staff

• Security software: dedicated instances, VLANs, VPNs, firewalls, edge protection


• “49% of IT decision makers admit they are ‘very or extremely anxious’ about the security implications of cloud services” - BT study 2015

• 75% of enterprises use additional security measures beyond what CSPs offer - Clutch survey, March 2016

• Security risks exist beyond the “shared responsibility model”:

  • 3rd party shared environments

  • lack of insight into and control of underlying infra.

  • isolation from other cloud users

  • lack of in-cloud encryption in transit

… yet CIOs and CEOs are still concerned.


modern defense in depth


deliver your applications in your own over-the-top cloud networks

[Slide diagram: layers 0 through 7 stacked above the Cloud Service Provider's Layer 3 network. The provider's part is labelled “Hardware You Can’t Get To” and “Hypervisor You Don’t Control”, ending at the “Limit of user access, control and visibility”. Above that limit sit Overlay Network 1 and Overlay Network 2, carrying the Applications under “Application Policies You Control”.]


add cloud network and security with VNS3

VNS3 Core Network Components: router, switch, firewall, VPN concentrator, protocol distributor, extensible NFV

• Deploy in any cloud/virtual infra

• Create your own application specific network

• Separate network identity from physical location

• Control end to end encryption, IP addressing & network topology


extend overlay networks beyond single CSPs

[Slide diagram: one VNS3 Overlay Network, 172.31.1.0/24, spanning three peered controllers (VNS3 Controller 1, VNS3 Controller 2, VNS3 Controller 3) labelled ireland, frankfurt and VNS3:ha 1 (ireland), placed in vpc 1, vlan 2 and vpc 3. Overlay members: Cloud Server A (Overlay IP 172.31.1.1), Cloud Server B (172.31.1.2), Cloud Server C (172.31.1.3), Primary DB (172.31.1.4), Backup DB (172.31.1.5). Data Center 1 (Seattle, WA) and Data Center 2 (London) attach over an Active IPsec Tunnel with a Failover IPsec Tunnel.]


VNS3:net extending your network functions

Plug-in model allows you to easily customize your network appliance to add additional layer 4-7 network capabilities

VNS3 Core Components: router, switch, firewall, VPN concentrator, protocol distributor, extensible NFV

L4-L7 Plugin System: WAF, content caching, NIDS, proxy, load balancing, custom


build on CSP’s layers of control and access

Layers of control shown on the slide, from provider to user:

• Provider Owned/Provider Controlled: Cloud Edge Protection, Cloud Isolation

• Provider Owned/User Controlled: Cloud VLAN, Cloud Network Firewall, Cloud Network Service

• VNS3 - User Owned/User Controlled: VNS3 Virtual Firewall, VNS3 Encrypted Overlay Network, VNS3 NIDS, WAF, etc.

• User Owned/User Controlled: Instance OS Port Filtering, Encrypted Disk

Key security elements must be controlled by the customer, but separate from the provider


application segmentation with VNS3


application segmentation

micro-perimeter around critical apps in any


limit server interactions

Ensure the “right” traffic is going through secure app-layer switches


control network flow

traffic only flows in permitted directions, from permitted locations


security for each app


enforce traffic policies with firewalls


detect malicious traffic with NIDS


limit intra-app network traffic with WAF


monitor traffic with app-layer switches
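The segmentation slides above describe one procedure: draw a micro-perimeter around each application, let traffic flow only in permitted directions from permitted locations, enforce that with a firewall, and watch the refused traffic with a NIDS. The following is an added illustration of that procedure in code; it is not Cohesive Networks' or VNS3's own software. The overlay subnet 172.31.1.0/24 is taken from the talk's overlay diagram; the tier membership, the ports, the sample flow records and the scan-detection threshold are constructed assumptions for the demonstration.

```python
"""Micro-perimeter policy check for a segmented three-tier application.

Constructed example, not Cohesive Networks / VNS3 code. The overlay subnet
172.31.1.0/24 comes from the talk's overlay diagram; the tier membership,
ports, sample flows and scan threshold are assumptions made for this demo.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

OVERLAY = ipaddress.ip_network("172.31.1.0/24")

# Assumed tier membership: which overlay addresses play which role.
TIERS = {
    "web": {"172.31.1.1", "172.31.1.2"},
    "app": {"172.31.1.3"},
    "db": {"172.31.1.4", "172.31.1.5"},   # primary and backup DB
}

# Permitted directions as (source tier, destination tier, destination port).
# "internet" is the pseudo-tier for any source outside the overlay subnet.
ALLOWED = {
    ("internet", "web", 443),   # clients reach only the web tier
    ("web", "app", 8080),       # web tier talks only to the app tier
    ("app", "db", 5432),        # app tier talks only to the database tier
    ("db", "db", 5432),         # primary <-> backup replication
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def tier_of(ip: str) -> str:
    """Map an address to its tier; outside the overlay means 'internet'."""
    if ipaddress.ip_address(ip) not in OVERLAY:
        return "internet"
    for name, members in TIERS.items():
        if ip in members:
            return name
    return "unassigned"  # in the overlay but in no tier: matches no rule


def evaluate(flow: Flow) -> str:
    """Default-deny: allow only a flow that matches a permitted direction."""
    rule = (tier_of(flow.src), tier_of(flow.dst), flow.dport)
    return "allow" if rule in ALLOWED else "deny"


def enforce(flows):
    """Apply the policy to every flow; returns (flow, verdict) pairs."""
    return [(f, evaluate(f)) for f in flows]


def scan_alerts(decisions, threshold=3):
    """NIDS-style heuristic over the denied flows: one source refused on
    `threshold` or more distinct ports is reported as a probable port scan."""
    denied_ports = defaultdict(set)
    for flow, verdict in decisions:
        if verdict == "deny":
            denied_ports[flow.src].add(flow.dport)
    return {src: sorted(p) for src, p in denied_ports.items() if len(p) >= threshold}


# Constructed flow records (documentation ranges for the outside addresses).
SAMPLE_FLOWS = [
    Flow("203.0.113.7", "172.31.1.1", 443),     # client -> web: allowed
    Flow("172.31.1.1", "172.31.1.3", 8080),     # web -> app: allowed
    Flow("172.31.1.3", "172.31.1.4", 5432),     # app -> db: allowed
    Flow("172.31.1.4", "172.31.1.5", 5432),     # db replication: allowed
    Flow("203.0.113.7", "172.31.1.4", 5432),    # client straight to db: denied
    Flow("172.31.1.1", "172.31.1.4", 5432),     # web skipping the app tier: denied
    Flow("172.31.1.3", "172.31.1.1", 22),       # wrong direction: denied
    Flow("172.31.1.9", "172.31.1.4", 5432),     # untracked overlay host: denied
    Flow("198.51.100.9", "172.31.1.1", 22),     # one source refused on several ports
    Flow("198.51.100.9", "172.31.1.1", 3306),
    Flow("198.51.100.9", "172.31.1.1", 8080),
]

if __name__ == "__main__":
    decisions = enforce(SAMPLE_FLOWS)
    for flow, verdict in decisions:
        print(f"{verdict:5} {tier_of(flow.src):10} {flow.src:>13} -> "
              f"{flow.dst}:{flow.dport} ({tier_of(flow.dst)})")
    print("scan alerts:", scan_alerts(decisions))
```

The policy is an allow-list keyed on tiers rather than addresses, which is what lets the same rules follow a workload when its overlay identity is decoupled from its physical location; everything not listed, including a web server reaching past the app tier straight to the database, is denied. The `scan_alerts` pass is the detection side of the same slide sequence: the denied flows the firewall already produces are enough to surface a source that is probing many ports.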


VNS3 security use cases


Investment Management Firm meets PCI and FISMA requirements for Data Center deployments using VNS3:turret

north america

VNS3:turret secured and segmented applications deployed to the private data center allowing IMF to enforce security policies at the application layer

private cloud

$230B in Funds Under Management

financial services

[Slide diagram: Customer DC running Application 1 through Application N, each segmented into its own App, Web, DB and MO tiers.]

Telecom Retail and Services company productized mobile, fixed line and broadband provisioning as SaaS

europe

VNS3 used to secure all public & private VLAN traffic for adherence to Data Protection Standards

cloud WAN / hybrid cloud

$4.5B Mobile and Mobile Related Revenues

telecommunications

MVNO Carrier

MVNO Brand

[Slide diagram: VNS3 Overlay Network Topology per Customer. Mobile Customers of each MVNO Brand come in over the internet through an IPsec Tunnel to the MVNO Infrastructure Overlay in us-west-2, which is divided into logical subnet 1 through logical subnet N holding servers and databases.]

Disruptive payment processor built loosely coupled infrastructure in public cloud with DR resource networks for database replication/failover

north america

VNS3 created overlay network to federate multiple AWS regions, IP mobility, and secure db replication

cloud dr

Available in over 8,000 7-Eleven stores nationwide

financial services


[Slide diagram: DevOps console-east with VNS3 1 (NAT + Bastion) and VNS3 2, VNS3 3 and VNS3 4 across us-east-1 (us-east-1b, us-east-1e) and us-west-1 (us-west-1a, us-west-1b). Labelled subnets: 1a-edge, 1a-private, 1c-edge, 1c-private, 1e-edge and 1e-private logical subnets, a console logical subnet and VNS3 logical subnets 1 through 4, joined by an Overlay Network into a Resource Network / DR holding servers and databases.]

BPM and CRM vendor offered Fortune 500 customers an alternative SaaS version of their software in the cloud

ISV

north america

VNS3 isolated each customer in the cloud and allowed them to integrate all deployments to their existing NOC

partner/customer network

$600m Annual Revenue

[Slide diagram: the ISV data center connected to Customer 1, Customer 2, Customer 3 and Customer N, each running its servers and databases in a separate Overlay Network (one of them an Overlay Network with VNS3:ms) spread across us-west-2 and us-east-1.]

Cohesive Networks

Security and connectivity at the top of the cloud

2,100+ customers protect cloud-based applications

cloud demands grow, along with complexity

Your Applications Connected and Secure