Cohesive Blog

The cloud continues to be a significant force in enterprise computing and technology adoption.  Enterprises that have adopted cloud have seen slashes capital expenses, increased agility, centralized information management, and scaled their businesses quickly.

The 2015 RightScale State of the Cloud Survey estimates that 93% of respondents are adopting cloud – 88% are using public cloud, 63% using private cloud, and 58% using both.

rightscale hybrid cloud

 

With resources spread across providers, regions, and technologies, in this hyper-connected environment, most enterprises will likely never commit completely to one cloud model, provider or technology.

No IT pro is rushing to re-architect systems and applications to match a single cloud vendor. Furthermore, no enterprise IT team will risk their careers by committing to a single infrastructure vendor.  In fact, enterprises cannot forsake existing data centers to move entirely to cloud-based everything.  But, the concept of an on-premise data center is changing. Most enterprises are transforming legacy data centers into true private cloud environments.  

Every enterprise is already hybrid

The hybrid cloud is the most logical sounding answer for the quandaries of the capital expense of existing hardware, the need for cloud agility, the fear of vendor lock-in, and the market mandates set when competitors publicly commit to cloud.

Other than a few all-cloud startups and all-hardware laggards, the majority of enterprises are already “hybrid”. But the definition of the term “hybrid” continues to be hotly debated in cloud computing.

Hybrid can mean a blend of on-premise and in-cloud computing, a mix of private cloud and public cloud, or a network spread across regions or data center. “Hybrid” can even mean a shared space between partners, customers, and departments.

every enterprise is hybrid

In the future, none of that “hybrid” will matter

A huge shift in cloud computing will finally come when end applications – from accounting software to website servers – just work. No one will care about the underlying hardware, middleware or even the device connecting to the applications.  

“Hybrid Cloud” will mean cloud computing resources are interoperable with all technologies, hardware, providers, and geographies.  Developers of the world will be free to build applications without any thought to the underlying architecture.  

Security focus shifts from the data center to just the data

As data platforms modernize, security will evolve as well. No longer will organizations just build massive walls around a corporate data center to keep out all potential attackers.

Once hardware and software are virtualized they become part of the fabric of shared resources connected with public internet. Private cloud owners will see the value of public cloud security procedures and can avoid repeating security missteps.

Will this year be the year for data centers to adopt additional security that boosts existing network and physical security infrastructure?

Previously, internal data and systems were completely vulnerable to malicious “east-west” traffic. If a hacker breached the data center perimeter, they were able to move from application to application to gain access to all resources on the network.

In the future, private data centers will reflect public cloud security realities and secure internal network traffic as well. Encrypted layers of security within a data center or public cloud network will help organizations control access and encryption to limit malicious east/west movement.

This “application segmentation” at the application layer will add security within the network to strengthen existing data center hardware and virtualization layer security.

Enterprise application owners will realize the value of true virtual networks in concept in practice. No more will network operators believe a VLAN is actually virtual!

The limitations of the physical network architectures will be magnified once enterprises see the difference between an underlay for bulk transport and an overlay for application specific use-case tuning. The glaring security holes in physical networks once obfuscated will reveal themselves.

The collision between the cloud way and the physical data center way will be violent. The concept of an on-premise data center will change in 2016 both in how it will be built and how it will be consumed. Those with groups already working in the cloud will easily transition to a more flexible and efficient environment.  It may be called private cloud or software defined data center, but the name won’t matter.

The question for 2017 is “when will the traditional physical data center way become extinct?”

Posted by:

- - - -

By Nicholas Clements, Margaret Walker and Bob Smetana

According the ESG Research analyst, Doug Cahill, “the strong adoption of cloud apps, including the prevalence of Shadow IT apps, necessitates purpose-built solutions to secure sensitive data…”

Shadow IT refers to information technology built inside the enterprise without the knowledge or sanction of the official organization.  It sounds scary and dangerous. The truth is Shadow IT can be, and sometimes is, very structured and secure – it even includes internal projects in “stealth mode” and external technologies that are in use.

Source: CSA Cloud Adoption Practices & Priorities Survey Report January 2015

Source: CSA Cloud Adoption Practices
& Priorities Survey Report
January 2015

Fair warning – at Cohesive Networks, we have yet to work with a customer in true “shadow IT.” We’ve never worked with a group inside a company that is hiding their cloud usage from management. We work with both cloud technology users and cloud technology providers, and based on our experience, we offer a balanced look at Shadow IT in the enterprise.  

Shadow IT getting employees into trouble

First, let’s take a look at a theoretical example of Shadow IT that is most common to enterprise management.

Company K requires all users to connect to an on-site server via Remote Desktop Protocol (RDP) when working away from the office. The purpose of the RDP is to keep all network traffic isolated inside of Company K’s walls, and to reduce the risk of man-in-the middle (MITM) attacks or packet tampering.

Steve, Company K’s system administrator, is not following best practices. He requires strong passwords and forces TLS encryption for the RDP connections, but gives users administrative privileges so that they can install programs on the server. He uses Windows Firewall to restrict access to only the home IP addresses of Company K’s employees.

Employee Edgar works from home about 50% of the time, and has a poor internet connection. As a result, he becomes frustrated by lag when he is connected to Company K’s RDP server and often moves to a Starbucks to connect to the network.

Since Edgar has heard about the dangers of public wifi, he installs a virtual private network (VPN) client his friends suggest. On his personal computer, he installs a Point-to-Point Tunneling Protocol (PPTP) VPN server, and opens network access port 1723 to the world.  

Edgar uses his VPN for a few months before a hacker breaks into the company’s network and steals the account information of 150,000 customers. The hacker took advantage of the fact that Edgar’s Starbuck location was using Wired Equivalent Privacy (WEP) encryption for their WiFi, his VPN’s PPTP encryption is generally weak, and Edgar’s VPN password was “1234”.

The issue in this example is that Edgar knew just enough to get into trouble. He realized that a VPN would improve the system’s performance, but he failed to restrict access to the VPN to only his IP address, to use strong encryption, and to use a strong password.

If Edgar had talked to Steve, it is likely that Steve would have been willing and able to set up a much more secure VPN such as Layer Two Tunneling Protocol (L2TP). Steve could have prevented this “Shadow IT” by setting up remote connects to all pass through a faster and more secure VPN. Steve should also enforce strong passwords and set Company K’s network to filter out connections from unknown IP addresses.

Shadow IT can lead to innovation

Shadow IT isn’t always a bad thing. Shadow IT can sometimes lead to new ideas and new ways to do business. In fact users have recognized more efficient ways to accomplish a goal with IT and incorporated better technologies into the system. The biggest benefit of Shadow IT is that it allows the enterprise to gain an insight into what is useful for employees and (on occasion) customers. Here are two examples:

Source: CSA Cloud Adoption Practices & Priorities Survey Report January 2015

Source: CSA Cloud Adoption Practices
& Priorities Survey Report
January 2015

Enterprise:  In one large company, several years ago, it took several weeks to get new hardware purchased for development and testing and even longer to get the production hardware. A new project was being discussed that could revolutionize certain aspects of the business, save millions, and speed up productivity. The development itself would take 2-4 months, a further 2-4 months for testing, and QA. The company predicted production could be expected within the year. On this timeline, it would take 3-4 months to get the development environment installed in the server room — longer than the actual development. A few junior developers took it on themselves to use a cloud service and had the prototype running within a few weeks. The bulk of the system was written within a month and it was being shown off the same quarter. In this scenario the developers were lucky; their managers had been upset at the bureaucratic hurdles and protected their team. And although there were rumblings, the overall positive results caused a reassessment of the cloud technologies and other Shadow IT projects.

Startup:  A small startup needed to spread their network across a couple of data centers and offices. In this instance, an unapproved Shadow IT project became the basis for an entire range of software products. Turns out one of the developers didn’t trust their systems administrator, so he came up with a new way of simplifying the network. While he received a little pushback from management, overall the project was deemed a success. Eventually this Shadow IT project became the primary product for the company, and the older product was mothballed.

Shadow IT can lead to disaster, tread carefully

Enterprise leaders must look for ways to improve systems, while stressing the importance of a security and administrative role. Security, system administrators, and IT professionals need to help colleagues use technology while protecting the enterprise from employees who might overestimate their technological prowess.  

A recent survey showed that 61% of the 760+ business managers in European firms of over 1000 employees would check first with IT before bringing a new device onto the network. That really means 39% of management level employees would not check with IT teams before creating potential security issues for their company. Sadly this happens because IT departments do not emphasize security for the entire organization or their rigid technology policies discourage employees from seeking help.

So the question facing both managers and system administrators is “how can enterprises embrace the benefits of Shadow IT without exposing themselves to unnecessary risks?”

The answer is: isolate traffic to prevent unauthorized access. In fact, a modern enterprise can be protected from a data disaster with application-centric network security, using micro-segmentation. The enterprise can achieve greater security and granular control by making cloud or data center resources invisible and undetectable to each other.

Application Segmentation - by Cohesive Networks

 

Big thanks to Cohesive team contributors Nicholas Clements and Bob Smetana

Posted by:

- - - -

A week ago, CEO Patrick Kerpan and I headed to the UK for AWS Summit London. We meet up with UK Managing Director Chris Purrington and Solution Architect Sam Mitchell. The four of us staffed the Cohesive Networks booth for both days of the Summit – Enterprise day and the general summit day. The Summit was held at ExCeL and boasted an impressive lineup of AWS stars including Amazon.com CTO Dr. Werner Vogels and AWS experts and partners.

Our booth display featured a security message without any red-letter FUD screaming at attendees. We asked attendees “who is pulling your cloud strings?” with two puppet-master hands comparing “their security” to “your security.” If you choose VNS3, you can take back control of your network security.  The video in the photos is our latest VNS3:ms and VNS3:ha demo, showing high availability and instance-based failover in AWS.

Enterprise day – security first

Day 1 was the Enterprise Summit. While attendance was light – we estimate about 400 people came – the quality of interactions was high. We had several people stop by the Cohesive stand and immediately identify security as one of their top priorities. On the down side, most day 1 attendees were only starting to evaluate cloud and AWS. Good and bad news for us, since most of our customers use VNS3 after they get set up in AWS or launch a few cloud projects but it’s a very promising sign for “security maturity.”

The day 1 crowd had excellent questions and discussion with us. On average, most people were evaluating cloud and AWS. I took it as a great sign that people still just dipping their toes in cloud and AWS already know that security is a top priority. When cloud newbies identify security as something they need before they even log on to the AWS Console, I have a great feeling about the direction of the cloud marketplace and cloud buyers in general.

Your apps connected and secureDeveloper day – security by priority 

Day 2, the AWS Summit was marketing more as a developer conference open to all. The crowds came out for this one! As soon as doors opened, we were flooded by attendees looking to learn more and grab a VNS3 sticker. Even during the 2 hour keynote, people kept coming by to chat.

A major difference I noticed was the change in AWS usage from day 1 to day 2 attendees. While day 1 attendees were looking to get started with AWS, day 2 folks seemed to be old pros at cloud. Everyone attended sessions on day 2, proving that the biggest draw to AWS events is still the desire to learn more.

After the VPC specific session I had a long conversation with 2 software developers about some limitations in VPC. They were surprised that VPC limits things like the number of VPCs you can peer, endpoints, and protocols in their cloud. Of course, AWS doesn’t list off the ways their products don’t work. Over the years, we’ve developed VNS3 to enhance Amazon VPC because of our own needs, and customers needs that developed over time.

Cohesive Networks at AWS London 2016Once you begin building more complex, important, and larger cloud networks in AWS, things like IPsec interoperability, traffic in motion encryption, and IP address conflict resolution can make or break a cloud project.

Currently, traffic in AWS EC2 and VPC travels across untrusted, third party networks in plain text. With VNS3, you can encrypt all data to, from, and within the cloud using unique keys only you control. As those networks grow, you can add IPsec interoperability and flexibility by using a wide range of encryption algorithms to accommodate industry regulations like HIPAA, PCI, FIPS, etc.

VNS3 can also help you span subnets across Availability Zones, Regions and even into other clouds, beyond what VPC offers. Likewise, VNS3 lets you easily manage network address overlap and eliminate Public IP address conflict so you can better connect to any IPsec endpoints so you don’t get locked out of mission-critical connections. VNS3 also enables IPsec with NAT-Traversal encapsulation or GRE over IPsec (AWS only allows native IPsec), and UDP multicast. Want to learn more about VNS3 in AWS?

Get help with VNS3 in AWS:

Posted by:

- - - -

Blog Resources