Chris Purrington's talk from CLOUDSEC 2016: "Defense in depth: practical steps to securing your data and achieving compliance"
3. © 2016 @cohesivenet
about Cohesive Networks
VNS3 security and connectivity solutions protect cloud-based apps
2,100+ customers in 20+ countries across all industry verticals and sectors
[Logos: Enterprise Security "Top 20 Most Promising Company 2015"; Partner Network "Technology Partner"; Cloud Marketplace Provider]
4. 2,100+ customers in 20+ countries
• 800+ Self Service Customers
• 18+ SI Resellers
• 45+ ISV OEM
Including Industry Leaders
• Global Mutual Fund Company
• US ERP provider
• Global BPMS provider
• Cloud-based Threat Detection
• UK Fashion Brand
• Global Big Data Analytics Provider
customers run businesses in the cloud
5. agenda
• Perimeter-based security has not evolved
• Data center security is not cloud security
• Modern defense in depth
• Application segmentation
• Customer use cases
8. weaknesses of the perimeter-based approach frequently on display:
[Chart: breaches by method of leak: hacked, accidentally published, configuration error, inside job, leak, lost/stolen computer, lost/stolen media, poor security. Source: World's Biggest Data Breaches, Information is Beautiful]
10. Perimeter Security
private data center security: walls
80% of security spend is on the perimeter, leaving only 20% for interior network security
14. public cloud providers do build secure clouds…
Source: Azure Compliance
• CSPs must meet tougher standards
• Reputation = vested interest in high levels of security
• Bigger budgets for infrastructure, data centres, compliance
• Better systems to vet and manage security staff
• Security software: dedicated instances, VLANs, VPNs, firewalls, edge protection
15. … yet CIOs and CEOs are still concerned.
• "49% of IT decision makers admit they are 'very or extremely anxious' about the security implications of cloud services" - BT study 2015
• 75% of enterprises use additional security measures beyond what CSPs offer - Clutch survey, March 2016
• Security risks exist beyond the "shared responsibility model":
  • 3rd-party shared environments
  • lack of insight into and control of the underlying infrastructure
  • isolation from other cloud users
  • lack of in-cloud encryption in transit
17. deliver your applications in your over-the-top cloud networks
[Diagram: the OSI stack from Layer 0 to Layer 7. At the bottom sit the hardware you can't get to and the hypervisor you don't control, both belonging to the cloud service provider. The cloud Layer 3 network marks the limit of user access, control and visibility. Above it, Overlay Network 1 and Overlay Network 2 run their own Layer 3 and up, carrying the applications under application policies you control.]
18. add cloud network and security with VNS3
VNS3 core network components: router, switch, firewall, VPN concentrator, protocol distributor, extensible NFV
• Deploy in any cloud/virtual infrastructure
• Create your own application-specific network
• Separate network identity from physical location
• Control end-to-end encryption, IP addressing and network topology
19. extend overlay networks beyond single CSPs
[Diagram: one VNS3 overlay network, 172.31.1.0/24, spanning vpc 1, vlan 2 and vpc 3 across Ireland (VNS3:ha 1), Frankfurt, Data Center 1 (Seattle, WA) and Data Center 2 (London). VNS3 Controller 1, 2 and 3 are peered; the sites are joined over an active IPsec tunnel with a failover IPsec tunnel. Overlay members: Cloud Server A 172.31.1.1, Cloud Server B 172.31.1.2, Cloud Server C 172.31.1.3, Primary DB 172.31.1.4, Backup DB 172.31.1.5.]
20. VNS3:net extending your network functions
Plug-in model allows you to easily customize your network appliance to add additional layer 4-7 network capabilities
VNS3 core components: router, switch, firewall, VPN concentrator, protocol distributor, extensible NFV
L4-L7 plugin system: WAF, content caching, NIDS, proxy, load balancing, custom
21. build on CSP's layers of control and access
Key security elements must be controlled by the customer, but separate from the provider.
Ownership tiers, from provider to user: Provider Owned/Provider Controlled; Provider Owned/User Controlled; VNS3 - User Owned/User Controlled; User Owned/User Controlled
Security layers, from provider edge to instance: Cloud Edge Protection; Cloud Isolation; Cloud VLAN; Cloud Network Firewall; Cloud Network Service; VNS3 Virtual Firewall; VNS3 Encrypted Overlay Network; VNS3 NIDS, WAF, etc.; Instance OS Port Filtering; Encrypted Disk
33. Investment Management Firm meets PCI and FISMA requirements for Data Center deployments using VNS3:turret
north america | private cloud | financial services | $230B in Funds Under Management
VNS3:turret secured and segmented applications deployed to the private data center, allowing the firm to enforce security policies at the application layer
[Diagram: Customer DC running Application 1 through Application N, each segmented into its own Web, App, DB and MO tiers]
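The layered model on slide 21 (provider firewall, user-owned VNS3 firewall, instance OS port filter) and the per-application tier segmentation on slide 33 share one idea: a flow is permitted only when every independent layer permits it, so a misconfigured layer narrows the gap rather than opening a path. The following is an added illustration written for this page, not VNS3 code or the deck's own configuration. The three layer names are taken from slide 21; the hosts (WEB1, APP1, DB1, WEB2, DB2), their addresses on the deck's 172.31.1.0/24 overlay range, and all rules are constructed for the example.

```python
"""Defense-in-depth flow evaluation across independent filter layers (added example).

Each layer is a first-match allow/deny list with an implicit deny, as in most
packet filters. check_flow() permits a flow only if every layer permits it and
reports which layers denied it, so you can see what each layer contributes.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                       # "allow" or "deny"
    src: str                          # source CIDR
    dst: str                          # destination CIDR
    ports: Optional[Tuple[int, int]]  # inclusive destination port range, None = any port
    proto: str = "tcp"                # "tcp", "udp" or "any"

    def matches(self, src: str, dst: str, port: int, proto: str) -> bool:
        if self.proto not in ("any", proto):
            return False
        if ip_address(src) not in ip_network(self.src):
            return False
        if ip_address(dst) not in ip_network(self.dst):
            return False
        if self.ports is not None and not (self.ports[0] <= port <= self.ports[1]):
            return False
        return True


def evaluate_layer(rules: List[Rule], src: str, dst: str, port: int, proto: str) -> bool:
    """First matching rule decides; no match means deny."""
    for rule in rules:
        if rule.matches(src, dst, port, proto):
            return rule.action == "allow"
    return False


# Constructed hosts on the overlay range used in the deck (172.31.1.0/24).
WEB1, APP1, DB1 = "172.31.1.1", "172.31.1.2", "172.31.1.4"
WEB2, DB2 = "172.31.1.11", "172.31.1.14"
ANY = "0.0.0.0/0"

LAYERS: Dict[str, List[Rule]] = {
    # Provider-owned layer: sees the subnet, knows nothing about application tiers.
    "cloud network firewall": [
        Rule("allow", "172.31.1.0/24", "172.31.1.0/24", None, "any"),
    ],
    # User-owned overlay firewall: the only layer that encodes tier-to-tier intent.
    "VNS3 virtual firewall": [
        Rule("allow", WEB1 + "/32", APP1 + "/32", (8080, 8080)),
        Rule("allow", APP1 + "/32", DB1 + "/32", (3306, 3306)),
        Rule("allow", WEB2 + "/32", DB2 + "/32", (3306, 3306)),
        Rule("deny", ANY, ANY, None, "any"),
    ],
    # Host layer: each instance accepts only its own service port from the overlay.
    "instance OS port filter": [
        Rule("allow", "172.31.1.0/24", APP1 + "/32", (8080, 8080)),
        Rule("allow", "172.31.1.0/24", DB1 + "/32", (3306, 3306)),
        Rule("allow", "172.31.1.0/24", DB2 + "/32", (3306, 3306)),
        Rule("deny", ANY, ANY, None, "any"),
    ],
}


def check_flow(src: str, dst: str, port: int, proto: str = "tcp",
               broken: Tuple[str, ...] = ()) -> Tuple[bool, List[str]]:
    """Return (permitted, names_of_layers_that_denied).

    `broken` lists layers to treat as wide open, modelling a misconfigured or
    bypassed control so you can see what the remaining layers still stop.
    """
    denied_by = [name for name, rules in LAYERS.items()
                 if name not in broken and not evaluate_layer(rules, src, dst, port, proto)]
    return (not denied_by, denied_by)


if __name__ == "__main__":
    for flow in [(APP1, DB1, 3306), (WEB1, DB1, 3306), (WEB2, DB1, 3306),
                 (APP1, DB1, 22), ("10.0.0.5", DB1, 3306)]:
        print(flow, check_flow(*flow))
    # With the overlay firewall wide open the host filter still blocks SSH,
    # but cross-tier database access from WEB1 is now only one layer away.
    print("overlay firewall broken:",
          check_flow(WEB1, DB1, 3306, broken=("VNS3 virtual firewall",)),
          check_flow(WEB1, DB1, 22, broken=("VNS3 virtual firewall",)))
```

The instructive cases are WEB1 to DB1 on 3306, which only the overlay firewall stops because the provider layer and the host filter both work at subnet granularity, and the `broken` parameter, which shows that losing that one layer exposes exactly the cross-tier paths the host filter cannot distinguish. That is the argument for keeping the tier-aware control in a layer the customer owns, separate from the provider's.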
34. Telecom Retail and Services company productized mobile, fixed line and broadband provisioning as SaaS
europe | cloud WAN / hybrid cloud | telecommunications | $4.5B Mobile and Mobile Related Revenues
VNS3 used to secure all public & private VLAN traffic for adherence to Data Protection Standards
[Diagram: MVNO Carrier and MVNO Brand reach the MVNO Infrastructure Overlay in us-west-2 over IPsec tunnels across the internet; mobile customers connect via the internet; VNS3 provides an overlay network topology per customer, with logical subnets 1 through N holding servers and databases]
35. Disruptive payment processor built loosely coupled infrastructure in public cloud with DR resource networks for database replication/failover
north america | cloud dr | financial services | Available in over 8,000 7-Eleven stores nationwide
VNS3 created an overlay network to federate multiple AWS regions, IP mobility, and secure db replication
[Diagram: us-east-1 (us-east-1b, us-east-1e) with VNS3 1 (NAT + Bastion), console-east, a DevOps network and 1a/1c/1e edge and private logical subnets; us-west-1 (us-west-1a, us-west-1b) as the Resource Network/DR with its own 1a-edge and 1a-private logical subnets; VNS3 2, VNS3 3 and VNS3 4 on VNS3 logical subnets 1-4, all joined by one overlay network carrying servers and databases]
36. BPM and CRM vendor offered Fortune 500 customers an alternative SaaS version of their software in the cloud
north america | ISV | $600m Annual Revenue
VNS3 isolated each customer in the cloud and allowed them to integrate all deployments to their existing NOC partner/customer network
[Diagram: Customer 1 through Customer N, each on its own overlay network of servers and databases across us-west-2 and us-east-1, connected with VNS3:ms to the ISV data center]
37. Cohesive Networks: security and connectivity at the top of the cloud
2,100+ customers protect cloud-based applications
cloud demands grow, along with complexity
Your Applications Connected and Secure