Cohesive Blog

In this interview with Dwight Koop, CFO and COO at Cohesive Networks, we ask what’s the big deal with cloud security? Should security doubts put enterprises off moving their businesses to the cloud?

Why, from a security standpoint, are people typically hesitant about moving their operations to the cloud?

Fear, uncertainty and doubt (or FUD). The news can sound pretty scary: 43% of companies worldwide have reported being breached in 2014 (Ponemon Institute report), the Sony hack cost over $100M to correct (Reuters), and systems are vulnerable for an average of 229 days before IT teams detect a data breach (Tripwire).

But, the good news from all this FUD is that there is more attention from the board level down. A 2015 PwC survey reports that 76% of respondents are more concerned about cybersecurity threats this year, up from 59% the year before. Plus, companies are moving to the cloud. 42% of respondents to 451 Research’s Voice of the Enterprise survey rated cloud services as being ‘very important’ to strategic objectives.

When we first started using AWS and other public clouds in 2008, we weren’t sure what kind of data and workloads our enterprise customers would migrate to the cloud. Some early industry watchers predicted the entire IT operation would move in one leap, others thought only non-critical, internal operating systems would migrate.


Now as more mission-critical systems and operations move, enterprises must be able to prove that their data is secure. Cloud providers spend far more on security than a small business ever could, so it makes sense to use the cloud rather than trying to build and maintain your own data center.

 Why are you passionate about this topic?

My co-founders and I created our first network security product in 2008 because we saw that cloud technologies could help enterprises demand more scalable, secure, on-demand and easily consumed computing capabilities. Our backgrounds in networking, enterprise IT, and global financial services allowed us to watch organizations “grow into cloud” from concept to reality.

Reality has really set in now – with news of expensive and embarrassing hacks happening almost weekly. Since the beginning we’ve advocated for user-controlled security, and now is the time for enterprises to really start listening.

 What steps can companies take to mitigate these concerns? / What are your best tips for cloud security?

  1. Use layers of security. Usually, providers offer firewalls, edge protection, isolation, and hypervisor rules. But, who really owns those security features? Cloud providers. Service providers often write in their SLAs that the ultimate responsibility for security lies with the cloud users. Build your own layer of security on top of all the security features in the cloud. Use things like VPNs, network firewall, data encryption, and cryptographic keys that you alone control.
  2. Start thinking about risk-based security, not audit compliance. Traditional compliance-based procedures focused on audits, objectives, policies, and transactions. A risk-based approach to cybersecurity focuses on the business and customer, emphasizes risk management over compliance tracking, and incorporates diverse knowledge and experiences. Or, put another way: the Ponemon Institute estimates the actual costs of compliance with regulations such as PCI-DSS, SoX, HIPAA for a mid-size organization average $3.5 million while the cost of non-compliance was estimated at $9.4 million (3 times the cost to comply!).
  3. Get everyone involved. Put that increased board scrutiny to good use and have the entire organization participate in security awareness and prevention. Delegate security assessment tasks across the organization to ease the workload, raise awareness, and help everyone involved shift security thinking toward actionable risk management.
  4. Learn from others, and use the NIST Framework. After the publicity of big hacks, more regulatory and government agencies are updating security standards to match modern cybercrime. Some of the best, most comprehensive guides include the National Institute of Standards and Technology (NIST) Cybersecurity Framework, the European Banking Authority (EBA), and the Payment Card Industry (PCI) Data Security Standard 3.0. By using the NIST Framework in particular, IT organizations can do their own cybersecurity “health check” to compare their current security procedures with industry best practices.

- - - -

 AWS Summit Chicago highlights

We’ve noticed the trend at the last few events with AWS – huge growth. It shouldn’t be surprising since AWS in general is growing at a huge rate. Analysts estimate that the AWS segment of Amazon’s larger business is growing at almost 70% in the latest quarter. AWS’ current growth is the steepest ramp ever seen in tech companies at its scale.


AWS customers get cloud

From our booth at the partner expo, we noticed the questions we got about VNS3 and our company were more “cloud user” questions, and very few “cloud curious.” We heard very few people ask about how AWS works, the mechanics of launching VNS3, and so on. Most people jumped right into questions about underlying technology, features and use cases.

One of the VNS3 customer use cases that kept popping up was our friends at Geezeo.  Rather than building their own switching tunnel architecture between their AWS-based app and customer data centers, Geezeo found VNS3 back in 2009. They grew one simple IPsec tunnel connection to over 30 encrypted IPsec tunnels connecting 400+ banks and credit unions.

Security is still top priority

With the overwhelming amount of data breach and security news, encryption and security were hot topics at booth 604. Our VNS3 diagram drew people in, and I enjoyed watching as a few people’s eyes got wide as I mentioned the VNS3 plug in system for even more networking and security functions.

News from the Summit

Yesterday’s big announcements were focused on data. Moving data around the cloud (Snowball), and deploying and running apps and services in AWS. A quick rundown of the announcements:

  • Amazon Inspector GA
  • Amazon S3 Transfer Acceleration
  • 80 TB Snowball
  • New Amazon Elastic Block Storage Volume Types
  • AWS Application Discovery Service (ADS)
  • AWS Elastic Beanstalk managed platform updates
  • Remote Access to Devices in Amazon’s Farm
  • Cognito sign up and sign in features
  • Kinesis stream updates

Check out all the announcements from yesterday’s summit from Network World, Business Cloud News, and the AWS blog.

Slides from the talks are online now, and videos are promised to be out soon.

AWS Chicago meetup groups

On a related note, we help organize, host, and sponsor the AWS user group here in Chicago. Over the last 6 months we’ve seen a huge spike in attendance at meetups as well.

As most of you know the AWS Chicago summit is this week! With all of the excitement of having Amazon in Chicago we wanted to remind you of our upcoming AWS Meetup events!

If you’re in Chicago, make sure to check out the AWS Chicago meetup page to RSVP for our spring and summer events and follow us on Twitter at @awschicago.

Check out this recent video of the most recent Chicago AWS Meetup on Lambda Functions and Serverless Architectures:

1. “AWS Lambda & Serverless Architecture”
Jared Short, Director of DevOps at Trek10 – @ShortJared

2. “The Serverless Framework in Action”
Jared Short, Director of DevOps at Trek10 – @ShortJared
(Starts at 31:55)

3. “Lambda-fying a Legacy Webapp”
Chris Johnson Bidler, Senior Cloud Computing Engineer at TransUnion – @hlprmnky


- - - -

We’ve connected to pretty much every networking device out there, and we’ve learned the hard way what not to do while routing traffic to, from, and between cloud deployments. Today we’d like to share a few tips we’ve learned while working with the major network vendor “boxes” and some 2,000 VNS3 customers.

First up, Cisco ASAs

Cisco has a concept of “interesting traffic.” If there isn’t any interesting traffic going on, the ASA will not complete the tunnel connection. The ASA also has an idle timeout default setting that closes a tunnel after 30 minutes. That means if you are connecting a VNS3 device to an ASA, you’ll need to keep traffic flowing in order to connect and maintain your connection.

Since you likely just set up your IPsec tunnel connection in the VNS3 UI, you know for sure that there is a “ping-able” host at the address. In order to keep the ASA from timing out, you can set VNS3 to send a ping to that host every 30 seconds.

From the IPsec page, you can edit the Ping host and add a Ping interval. That should keep the Cisco ASA timeout from kicking in. Or, ideally, you can have your partner/customer set their ASA to idle timeout at 0, meaning the connection will stay open until you need to edit it again.
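Where the endpoint facing the ASA has no built-in ping setting, the same keepalive can be scripted. The sketch below is an added example, not Cohesive Networks code; the host address, the miss threshold and the `PROBE` variable are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: keep "interesting traffic" flowing so the far-side ASA's
# 30-minute idle timeout never fires, and notice when the tunnel goes down.
# PEER_HOST, MAX_FAILS and PROBE are assumptions, not VNS3 or Cisco settings.

PEER_HOST="${PEER_HOST:-192.0.2.10}"  # constructed address of a pingable host behind the ASA
INTERVAL="${INTERVAL:-30}"            # seconds between pings, matching the post
MAX_FAILS="${MAX_FAILS:-4}"           # consecutive misses before the tunnel is called down
PROBE="${PROBE:-ping -c 1 -W 2}"      # Linux iputils syntax: one echo, 2-second wait

fails=0
state="unknown"

# Send one probe, update the miss counter and tunnel state, and print a
# log line only when the state changes.
keepalive_once() {
    ka_host="$1"
    ka_prev="$state"
    # $PROBE is left unquoted on purpose so its options split into words.
    if $PROBE "$ka_host" >/dev/null 2>&1; then
        fails=0
        state="up"
    else
        fails=$((fails + 1))
        if [ "$fails" -ge "$MAX_FAILS" ]; then
            state="down"
        fi
    fi
    if [ "$state" != "$ka_prev" ]; then
        echo "$(date -u +%Y-%m-%dT%H:%M:%SZ) tunnel to $ka_host is $state (misses: $fails)"
    fi
}

# Run the loop only when asked: ./keepalive.sh run
if [ "${1:-}" = "run" ]; then
    while :; do
        keepalive_once "$PEER_HOST"
        sleep "$INTERVAL"
    done
fi
```

A single missed ping is tolerated; with the defaults, four misses in a row (two minutes) are logged as the tunnel being down, which gives an early signal well inside the ASA's 30-minute idle window.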

Cisco ASA running versions 8.4.2 to 8.4.4 are just buggy. We’ve had trouble with 8.4.2, 8.4.3 and 8.4.4. Once you upgrade above 8.4.5, we’re fine. Remember to check your ASA updates if you’ve noticed any issues.

Firebox Watchguard

The Watchguard runs into issues with the VNS3 static LAN. To fix this, just add our local private IP (usually 192.0.2.254 or something like that) as your IKE Peer ID.

Checkpoint

Surprisingly, as one of the biggest network vendors in the world, Checkpoint does not follow NAT-Traversal standards. If you’re using Checkpoint, you will have to use something like AWS VPC and enable Native IPsec on VNS3 to use Protocol 50 (ESP) to encapsulate traffic.

Check it twice!

Make sure to check everything twice! The easiest way to make troubleshooting better is to do it right the first time. We’ve got a network checklist to share with partners and customers, as well as a Google Forms format. Share the network knowledge.

With EOL’d software, there can be interop issues due to the age of the IPsec standards used. For example, we know that Cisco 1945ios router 15.4TM was end-of-life’d (EOL) in 2005. If we see that listed on your network checklist, we know to look out for some aging hardware and we can help you sort out any issues.

At the end of the day, your best resource is the product resource page (aka Documentation!): cohesive.net/support/product-resources

Make sure to contact us if you run into any trouble!

- - - -
