Cohesive Blog

We’ve been heads down working on the 3 P’s for a number of months (products, presence, and people).  As a result we’ve all but stopped our social media and dynamic content.  We’ll look to emerge from our cocoon in early 2019 but we had to pop out and do yet another re:Invent recap (YArIR!).

Cohesive Networks (and our parent company CohesiveFT) have attended/sponsored all AWS re:Invents.  Each year the conference gets denser yet more spread out… think about that one.  This year was no exception.  Now that our “away team” is fully recovered from the ill effects of desert entertainment, had some time to reflect, and get our hand dirty trying out a few new services, we’re ready to state our opinion.  That’s what the following is, the opinion of the smartest, coolest, and most experienced cloud networking experts in the game (see opinion).

Micro Blink Reaction – Crowd Sourcing the Self-driving Algos

AWS DeepRacer is awesome and the DeepRacer League is hilariously brilliant.  I ordered my discounted DeepRacer a few seconds after it was announced during Andy Jassy’s keynote.  The bummer is I won’t take delivery until March.  Hopefully the simulation environment holds me over (request preview access).

AWS DeepRacer (source: https://aws.amazon.com/deepracer/)

 

Macro Blink Reaction – AWS appetite for its ecosystem grows

AWS continues to eat the ecosystem and this year they stepped up their game.  Previous years had AWS entering markets and wiping out millions of $s in ecosystem players.  This year we think the number is in the capital B BILLIONS.

As a member of the AWS Partner Network (Advanced Technology Partner), we, like all AWS partners, look to re:Invent every year with mixed feelings of excitement and dread.  If you aren’t on the Customer Advisory Council, you never really know if this is the year AWS will announce a direct competitor to your business.  We all know the risks, and the AWS “not built here” corp dev mentality that drives their roadmap, but there is too much opportunity not to participate.  Multi-cloud helps, but AWS is still the King of Cloud both in usage and features/services.  I won’t go into detail about what competes with whom, take a look at these other recap posts:

  • https://www.zdnet.com/article/aws-reinvent-2018-recap-everything-the-tech-sector-does-aws-wants-to-do-better/
  • https://techcrunch.com/2018/12/02/aws-wants-to-rule-the-world/
  • https://www.crn.com/news/cloud/aws-ceo-jassy-taunts-oracle-s-ellison-after-amazon-turns-off-oracle-data-warehouse

 

Specific Announcement Reactions

We also won’t cover all the announcements because of the number of announcements per service category.

  • App Integration – 2
  • Analytics – 4
  • Compute – 11
  • Databases – 6
  • Developer Tools – 2
  • IoT – 7
  • ML – 14
  • Management – 6
  • Marketplace – 3
  • Media – 1
  • Migration – 2
  • Mobile – 1
  • Networking – 6
  • Robotics – 1
  • Satellite – 1
  • Security/Identity – 2
  • Storage – 10

Below we’ll review the features and service announcements that piqued our interest from a security and networking perspective.

Transit Gateway (GA)

What is it?
An AWS managed gateway service that allows a hub-and-spoke network topology connecting VPCs in the same region (expect multi-region support in the future) owned by a single or multiple AWS accounts as well as remote networks.   This offering replaces the multi-party solution that was previously being offered called the AWS Global Transit Network.  Check out the Transit Gateway announcement blog or product home for more information.

Why it matters?
Transit gateway solves a significant number of issues around the need to be able to route between VPCs “in cloud” at AWS. The manner in which it has been solved creates an economic opportunity for AWS as well – charging $.05 per hour for each connection to the gateway.

For Cohesive Networks, we spend our days (and nights) helping customers Connect, Federate, and Secure. Just like the introduction of the VPC itself, Direct Connect, AZs, Regions, GovCloud, China, and all the related facets of AWS – this creates more demand for connecting, federating, and securing.  “Transit” is a subset of the overall federation architecture, so definitely a feature – not a business, meaning this release is good news for Cohesive, and gives us parity with capability Azure and Google networking has had for some time (although they do it a bit differently).

The release of Transit Gateway lets us create some federation structures for customers that were previously too complex, and requiring, dare I say it, too many VNS3 controllers needed to complete the task, as a result of AWS networking limitations.  Now our customers can spend a bit more money, reduce a little bit of complexity, and still get the attestable control they need as regulated or self-regulated businesses operating in 3rd party data centers over which they have no direct insight, visibility, or control (AKA “the cloud”).

AWS Security Hub (Preview)

What is it?
A monitoring platform service focused on security that aggregates security alerts and compliance status from native AWS services as well as from 3rd party services.  Many security vendors announced initial support for Security Hub.  Security Hub aims to create a single pane of glass for an organization’s security and compliance posture across all its AWS accounts.  Check out the Security Hub announcement blog or product home for more information.

Why it matters?
AWS Security Hub begins to solve the “feature glut” problem of the ever-growing Amazon services collection.  One reason organizations suffer from data exploits is NOT because they lack monitoring information with events and alerts – it is because they have TOO many events and alerts. Security Hub appears that it will provide an encompassing overview of outputs coming from AWS GuardDuty, Inspector and Macie.  Each of these has a rich set of features for your cloud deployments – running all three of them independently could be a bit overwhelming.

At Cohesive we have previously highlighted the world we are entering where the critical IT executive decision is “all-in vs. over-the-top”, meaning where on the spectrum of using cloud, AWS for example, do you position your organization? Do you go “all-in” on embedded AWS services which provide abstracted visibility and limited control – or do you go “over-the-top” and run many of your own layers of infrastructure and instrumentation, strung across AWS, Azure, Google, et.al.? For the “all-in” crowd we think Security Hub may make consuming some of these services easier.

Global Accelerator (GA)

What is it?
A service to help customers easily route traffic across multiple regions to improve availability and performance of cloud-based applications/deployments.  Global Accelerator provides an entry point to allow TCP or UDP traffic to use the AWS Global Network to reach AWS deployed application topologies instead of the Public Internet.  Global Accelerator provides static Anycast IPs that serve as a fixed entry point for an AWS deployed application available in any number of the currently support regions (us-east-1, us-east-2, us-west-1, us-west-2, eu-west-1, eu-central-1, ap-northeast-1, and ap-southeast-1).  The Anycast IPs are advertised from the supported AWS regions so traffic enters the global network as cloud to the uses as possible.  Global Accelerator can then be associated with cloud-based applications via application load balancers, network load balancers, or Elastic IPs.  In addition to data transfer fees Global Accelerator costs $0.025 per hour.

Why it matters?
Other than the obvious HA and performance benefits, the big theme from this and Transit Gateway is coalescence.  Clouds and cloud regions were built to be isolated by design.  Increasingly as companies a have grown in the cloud organically or via acquisition, organization cloud estates have experienced sprawl.   Providing avenues to bring the regions “closer together” while maintaining the logical separation is a key value for many of AWS’ largest customers.

We continue to experiment how our customers might benefit from using the Anycast IPs as static global cloud endpoint IPs for VPN connections and well as distributed and encrypted overlay networks.

EC2 C5n (GA)

What is it?
A new generation instance family focused on super fast networks speeds up to 100 Gbps.  These new instances use the latest nitro hardware and allow for some serious packets per second performance.  The instances sizes are available now in us-east-1, us-east-2, us-east-2, eu-west-1, and govcloud.  Prices start  Read more about the C5n instance family.

Why it matters?
We are getting a glimpse of the future of cloud network performance and throughput.  Eliminating the current VPC gateway throughput restrictions will open up more use-cases for the cloud.  Total throughput for VNS3 controller just increased dramatically.  Of course there are some restrictions (see placement groups) but it’s always exciting when you get a bandwidth upgrade.  Maybe AWS will soon host the first cloud-based high speed low latency trading app?

Amazon IoT

Why it matters? We are keeping an eye on this space… more to come.

Posted by:

- - - -

See the full article on Phoenix NAP: Business Data Security Tips: 40+ Experts Reveal Their Best Advice

Self-evaluate to keep pace with both risk and compliance

Your business is small, but risks are enterprise-size.

Top cybersecurity threats to small businesses (SMBs) are very similar to the risks all enterprises face. The stakes are much higher for SMBs because they often lack the resources to fight back and prevent data loss. Large firms have teams of data security experts and can afford extensive audits. SMBs can be more vulnerable to security risks and struggle to quickly react to vulnerabilities.

Ponemon 2016 CODB SMB data breach

Data breachs affecting SMBs – from the Ponemon CODB

Keep pace with both risks and compliance by self-evaluating

Frequently self-evaluating the company’s cybersecurity practices is the best way to detect and prevent cybersecurity threats. SMBs can use the NIST Cybersecurity Framework (it’s free!) as a blueprint to evaluate current security policies and remodel data protection policies to focus on preventing vulnerabilities and to set goals to improve and maintain security.

Traditional standards and protections all attempt to do the same things: protect sensitive data. The NIST Cybersecurity Framework is unique because the Framework combines the best practices of other security standards to focus on outcomes, rather than avoiding liability. SMBs should self-evaluate cybersecurity at least once a year, with participation from all business unit leaders and all of the IT team.

NIST Cybersecurity Framework

Read more: Why All Enterprises Should Adopt the NIST Cybersecurity Framework

Don’t become a victim of your own success – growth.

As SMBs grow and add employees and partners, they must share access to vital business data and systems. For example, a small company can rely on a single IT person to manage access to data, a server, and the company network. As the SMB grows and adds employees and offices, a “single point of failure” becomes a risk for the company. Security for data and networks should grow with the business, with precautions built into business goals.

Watch: Dwight Koop’s CircleCityCon talk on the NIST Cybersecurity Framework

Margaret Valtierra, Senior Marketing Specialist, Cohesive Networks

Margaret Valtierra is Senior Marketing Specialist at Cohesive Networks. She is responsible for growing business through digital and written content, public relations, and community events.

See the full article on Phoenix NAP: Business Data Security Tips: 40+ Experts Reveal Their Best Advice

Posted by:

- - - -

Once there was a little girl named Goldilocks who used cloud computing.

Starting out she launched a C5.18xlarge instance but at over $3.00 per hour, she realized it would cost more per month than the rent of her little cottage in the woods.

See the full article featured on Information Security Buzz

Next she tried a t2.nano, but try as she might, 500 meg of memory was not for the Photoshop work she wanted to do on her photo library, comprised of montages of her friends the three bears.

Then Goldilocks fired up an m4.medium, it did the trick, with multiple cores, and enough memory to run here Iheartporridge.com retail site.

That is pretty much the story. When you get started in the cloud, you often don’t know how much CPU, how much memory, how much net bandwidth – and the “M”s feel “JUST RIGHT”.

Once you get experienced then the banquet of instance-type offering start to make sense as you optimize your workloads.

Why use an M family instance in AWS?

cloud workload-botmetric

Image source: Botmetric 2017 survey

In Amazon AWS EC2 is the most used AWS service. According to a Botmetric report, 46% of EC2 usage is with the M family and M4 is the most popular for production instances.  So why do AWS users keep coming back to M family instances?

Behavior – traditional environment you were locked into a specific hardware configuration. Many organizations treat cloud similarly despite the simple and cost effective elasticity of cloud to profile and load test different instance sizes. People start with the general purpose M family, set it and forget it.

Unknown Requirements – selecting instance types that match the application needs is an obvious advantage to using a cloud like AWS with may instance family and size choices. This of course means the DevOps or OpsDev group deploying the cloud application knows their application components’ resource requirements enough to make decisions on specific instance types.

Reserved Instances – the fewer instance types and sizes included in a reserved instance contract, the easier it is for cost allocation. Buy a bunch of cheap M family instances and use them.

Cost Efficiency – R and M family instance sizes rank at the top of the chart when looking at both Compute Efficiency (Compute ECU / $-hr) and Memory Efficiency (Memory GB / $-hr)

Known Resources – T family instances would be more popular if not for the known of when the compute credits run out. AWS addressed this with the “unlimited” option. Expect T family to become more popular as more users become aware.

Evaluation of Alternatives – M family instance sizes map most closely to the generic instance/VM sizes of other clouds. When making a purchase decision the M family is the easiest to use when seeking out alternatives for price/performance comparisons.

Access to Extras – M4 instance sizes allow for optional Enhanced Networking and EBS-optimized.

This post was a team effort, written by Patrick Kerpan and Ryan Koop. Our favorite AWS instance type is t2 large with the t2 unlimited option. According to Botmetric, 83% of the non production workloads run on T family. 

Posted by:

- - - -

Blog Resources