Defense in depth: practical steps to securing data & achieving compliance

Chris Purrington's talk from CLOUDSEC 2016 "Defense in depth: practical steps to securing your data and achieving compliance"


Page 1: Chris Purrington's talk from CLOUDSEC 2016 "Defense in depth: practical steps to securing your data and achieving compliance"

Defense in depth: practical steps to securing data & achieving compliance

Page 2

© 2016 @cohesivenet

about me

Chris Purrington

VP Sales and Managing Director, UK

Cohesive Networks

Page 3

about Cohesive Networks

VNS3 security and connectivity solutions protect cloud-based apps

2100+ customers in 20+ countries across all industry verticals and sectors

Logos shown on the slide: Enterprise Security Top 20 Most Promising Company 2015; PartnerNetwork Technology Partner; Cloud Marketplace Provider.

Page 4

2,100+ customers in 20+ countries • 800+ Self Service Customers • 18+ SI Resellers • 45+ ISV OEM

Including Industry Leaders • Global Mutual Fund Company • US ERP provider • Global BPMS provider • Cloud-based Threat Detection • UK Fashion Brand • Global Big Data Analytics Provider

customers run businesses in the cloud

Page 5

agenda

• Perimeter-based security has not evolved

• Data center security is not cloud security

• Modern defense in depth

• Application segmentation

• Customer use cases

Page 6

Perimeter-based security has not evolved

Page 7

security no longer #1 barrier to cloud adoption - still a top priority

Page 8

weaknesses of the perimeter-based approach frequently on display:

Method of leak (chart legend): hacked, accidentally published, configuration error, inside job / leak, lost/stolen computer, lost/stolen media, poor security

World’s Biggest Data Breaches - Information is Beautiful

Page 10

Perimeter Security

private data center security: walls

80% of security spend is on perimeter, leaving only 20% for interior network security

Page 11

Perimeter Security

private data center vulnerability

hacker penetration

Page 12

Perimeter Security

private data center vulnerability

vulnerabilities go undetected for an average of 234 days!

Page 13

data center security is not cloud security

Page 14

Source: Azure Compliance

public cloud providers do build secure clouds…

• CSPs must meet tougher standards

• Reputation = vested interest in high levels of security

• Bigger budgets for infrastructure, data centres, compliance

• Better systems to vet and manage security staff

• Security software: dedicated instances, VLANs, VPNs, firewalls, edge protection

Page 15

• “49% of IT decision makers admit they are ‘very or extremely anxious’ about the security implications of cloud services” - BT study 2015

• 75% of enterprises use additional security measures beyond what CSPs offer - Clutch survey, March 2016

• Security risks exist beyond the “shared responsibility model”:

  • 3rd-party shared environments

  • lack of insight into and control of the underlying infrastructure

  • isolation from other cloud users

  • lack of in-cloud encryption in transit

… yet CIOs and CEOs are still concerned.

Page 16

modern defense in depth

Page 17

deliver your applications in your over the top cloud networks

Diagram: a layered stack from Layer 0 up to Layer 7, with the Cloud Service Provider at the bottom and Applications at the top. Below the provider's Cloud Layer 3 Network sit hardware you can't get to and a hypervisor you don't control; that Layer 3 network marks the limit of user access, control and visibility. Above it, the application policies you control run inside your own overlay networks (Overlay Network 1, Overlay Network 2) on top of the provider's network.

Page 18

add cloud network and security with VNS3

VNS3 Core Network Components: router, switch, firewall, VPN concentrator, protocol distributor, extensible NFV

• Deploy in any cloud/virtual infrastructure

• Create your own application-specific network

• Separate network identity from physical location

• Control end-to-end encryption, IP addressing & network topology

Page 19

extend overlay networks beyond single CSPs

Diagram: a VNS3 Overlay Network, 172.31.1.0/24, stretched across vpc 1, vlan 2 and vpc 3 and served by three peered controllers (VNS3 Controller 1, 2 and 3, located in Ireland and Frankfurt) plus VNS3:ha 1 in Ireland. Hosts on the overlay: Cloud Server A (172.31.1.1), Cloud Server B (172.31.1.2), Cloud Server C (172.31.1.3), Primary DB (172.31.1.4) and Backup DB (172.31.1.5). Data Center 1 (Seattle, WA) and Data Center 2 (London) attach through an Active IPsec Tunnel and a Failover IPsec Tunnel.

Page 20

VNS3:net extending your network functions

Plug-in model allows you to easily customize your network appliance to add additional layer 4-7 network capabilities

VNS3 Core Components: router, switch, firewall, VPN concentrator, protocol distributor, extensible NFV

L4-L7 Plugin System: WAF, content caching, NIDS, proxy, load balancing, custom

Page 21

build on CSP’s layers of control and access

Layers of control, from the provider's side to the customer's: Provider Owned/Provider Controlled; Provider Owned/User Controlled; VNS3 - User Owned/User Controlled; User Owned/User Controlled.

Key security elements must be controlled by the customer, but separate from the provider.

Controls shown in the diagram, from the cloud edge inward to the instance: Cloud Edge Protection, Cloud Isolation, Cloud VLAN, Cloud Network Firewall, Cloud Network Service, VNS3 Virtual Firewall, VNS3 Encrypted Overlay Network, VNS3 NIDS, WAF, etc., Instance OS Port Filtering, Encrypted Disk.

Page 22

application segmentation with VNS3

Page 23

application segmentation

micro-perimeter around critical apps in any

Page 24

limit server interactions

Ensure the “right” traffic is going through secure app-layer switches

Page 25

control network flow

traffic only flows in permitted directions, from permitted locations

Page 26

security for each app

Page 27

enforce traffic policies with firewalls
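As an added illustration of the flow-control rule in these slides (traffic only flows in permitted directions, from permitted locations, enforced by a firewall), here is a default-deny policy check over the overlay hosts from the earlier VNS3 diagram. This is example code written for this page, not VNS3's own policy engine or rule syntax; the rules, the port and the sample flows are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Overlay network and hosts as labelled in the talk's VNS3 diagram.
OVERLAY = ip_network("172.31.1.0/24")
HOSTS = {
    "cloud-server-a": ip_address("172.31.1.1"),
    "cloud-server-b": ip_address("172.31.1.2"),
    "cloud-server-c": ip_address("172.31.1.3"),
    "primary-db": ip_address("172.31.1.4"),
    "backup-db": ip_address("172.31.1.5"),
}

# Constructed policy (an assumption, not from the talk): the app servers may
# open TCP/5432 to the primary DB, and only the primary may replicate to the
# backup. Each rule is one-directional: (src host, dst host, proto, dst port).
POLICY = [
    ("cloud-server-a", "primary-db", "tcp", 5432),
    ("cloud-server-b", "primary-db", "tcp", 5432),
    ("cloud-server-c", "primary-db", "tcp", 5432),
    ("primary-db", "backup-db", "tcp", 5432),
]

def evaluate(src, dst, proto, dport):
    """Default-deny check of one flow; src/dst are dotted-quad strings."""
    s, d = ip_address(src), ip_address(dst)
    if s not in OVERLAY or d not in OVERLAY:
        return "deny", "off-overlay endpoint"  # permitted locations only
    for rule_src, rule_dst, rule_proto, rule_port in POLICY:
        if (HOSTS[rule_src], HOSTS[rule_dst], rule_proto, rule_port) == (s, d, proto, dport):
            return "allow", f"{rule_src}->{rule_dst}/{rule_proto}/{rule_port}"
    return "deny", "no matching rule"  # permitted directions only

def violations(flows):
    """Flows that a firewall or NIDS log on the overlay should flag as denied."""
    return [flow for flow in flows if evaluate(*flow)[0] == "deny"]

# Constructed sample flows: (src, dst, proto, dst port)
SAMPLE_FLOWS = [
    ("172.31.1.1", "172.31.1.4", "tcp", 5432),  # app -> primary DB: allowed
    ("172.31.1.4", "172.31.1.5", "tcp", 5432),  # primary -> backup: allowed
    ("172.31.1.5", "172.31.1.4", "tcp", 5432),  # backup -> primary: wrong direction
    ("172.31.1.4", "172.31.1.1", "tcp", 22),    # DB reaching into the app tier: denied
    ("10.0.0.9", "172.31.1.4", "tcp", 5432),    # source outside the overlay: denied
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        print(flow, evaluate(*flow))
```

The same default-deny shape, with the reverse direction and off-overlay sources denied, is what a per-application firewall in the micro-perimeter described on the previous slides enforces.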

Page 28

detect malicious traffic with NIDS

Page 29

limit intra-app network traffic with WAF

Page 30

monitor traffic with app-layer switches

Page 31

Perimeter Security

private data center vulnerability

vulnerabilities go undetected for an average of 234 days!

Page 32

VNS3 security use cases

Page 33

Investment Management Firm meets PCI and FISMA requirements for Data Center deployments using VNS3:turret

north america

VNS3:turret secured and segmented applications deployed to the private data center, allowing the IMF to enforce security policies at the application layer

private cloud

$230B in Funds Under Management

financial services

Diagram: the Customer DC runs Application 1 through Application N, each segmented into its own Web, App, DB and MO tiers.

Page 34

Telecom Retail and Services company productized mobile, fixed line and broadband provisioning as SaaS

europe

VNS3 used to secure all public & private VLAN traffic for adherence to Data Protection Standards

cloud WAN / hybrid cloud

$4.5B Mobile and Mobile Related Revenues

telecommunications

Diagram: VNS3 Overlay Network Topology per Customer. Mobile customers of the MVNO Carrier and MVNO Brand connect over the internet, and an IPsec tunnel carries traffic into the MVNO Infrastructure Overlay in us-west-2, which is divided into logical subnet 1 through logical subnet N, each holding servers and databases.

Page 35

Disruptive payment processor built loosely coupled infrastructure in public cloud with DR resource networks for database replication/failover

north america

VNS3 created overlay network to federate multiple AWS regions, IP mobility, and secure db replication

cloud dr

Available in over 8,000 7-Eleven stores nationwide

financial services

Diagram: DevOps and an Overlay Network spanning us-east-1 (zones us-east-1b and us-east-1e) and us-west-1 (zones us-west-1a and us-west-1b). VNS3 1 (NAT + Bastion) sits in the console-east / console logical subnet; VNS3 2, VNS3 3 and VNS3 4 anchor VNS3 logical subnets 1 through 4. Each zone is split into edge and private logical subnets (1a-edge, 1a-private, 1c-edge, 1c-private, 1e-edge, 1e-private), with DevOps in 1a-private, and the us-west-1 side serves as the Resource Network/DR holding the replicated servers and databases.

Page 36

BMP and CRM vendor offered Fortune 500 customers an alternative SaaS version of their software in the cloud

ISV

north america

VNS3 isolated each customer in the cloud and allowed them to integrate all deployments to their existing NOC

partner/customer network

$600m Annual Revenue

Diagram: in us-west-2 and us-east-1, Customer 1, Customer 2, Customer 3 and Customer N each run a server and database on their own Overlay Network; the ISV data center reaches every customer deployment over an Overlay Network with VNS3:ms.

Page 37

Cohesive Networks

Security and connectivity at the top of the cloud

2,100+ customers protect cloud-based applications

cloud demands grow, along with complexity

Your Applications Connected and Secure