Announcing Successful Type 2 Soc 2 Examination

Announcing Successful Type 2 Soc 2 Examination

We’re happy to announce that Cohesive Networks has successfully completed a Type 2 SOC 2 examination. The examination confirmed that our systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information or systems. 

Examination Details

  • Selected SOC 2 Categories:  Security
  • Examination Type:  Type 2
  • Review Period:  November 1, 2021, to April 30, 2022
  • Service Auditor:  Schellman & Company, LLC

Our Secure History

Security and privacy are at the core of our business model and part of our culture. Cohesive Networks was spun out in 2014 from Cohesive Flexible Technologies in part due to a realization we were no longer in the cloud migration business. We were in fact a security and networking company. As a result we had the opportunity and experience to create internal systems and controls to a high standard. All are still overbuilt by today’s measure.

By design, we have no access to customers’ VNS3 provided networks. Access and visibility are completely in the hands of the owner. Given that deployment mode, VNS3 has mechanisms to ensure limited attack surface with no backdoor access: Access URLs and API Tokens.

We also “eat our own cooking.” VNS3 was created by our parent company, Cohesive Flexible Technologies back in 2008.  The purpose was first to secure our Elastic Server product cluster (see Bill-of-Materials approach to virtual machine image creation) and second to provide IP address control and security for the wild west EC2-classic 10/8 network space of the day. Our company runs internal Overlay Networks for our production systems, support engineers, as well as PeopleVPN for our remote/post-geographic team.

Future Plans

Cohesive Networks is committed to continuing annual Type 2 SOC 2 examinations and will plan on adding Availability and Privacy Trust Service categories in the future. Additionally we’ll be evaluating if a SOC 3 examination is more appropriate given our role as a provider of critical network infrastructure for our globally distributed customer base.

News Roundup: Week of Feb 21, 2022

News Roundup: Week of Feb 21, 2022

U.S. Cyber Officials Issue Official Warning Against Potential Russian Cyber Attacks

During a call this Monday, FBI and DHS cyber officials urged government agencies “to look out for signs of Russian activity on their networks” as a result of the evolving Ukraine crisis. According to Yahoo: “federal officials also urged those on the call to dramatically lower their threshold for reporting suspicious activity.” Citing “an uptick in Russian scanning of U.S. law enforcement networks” as well as “in Russian disinformation and misinformation about Ukraine,” cyber officials urge increased care and caution with links and communications as the crisis progresses.

IBM Opens Cyber Security Hub in India

IBM recently announced the opening of their first IBM Security Command Center in the Asia Pacific region. The center hopes to provide a cybersecurity incident response plan for enterprise customers with deployments in the region, as well as “a fully immersive, interactive, and experiential learning facility.” IBM plans to use simulations and experiential training to help enterprises protect themselves from cyberattacks. IBM promises that by co-locating this training center with their X-Force Command Center, IBM’s Security Operations Center, both live practice and training for cyber security precautions will benefit immensely.

Microsoft Brings Cloud Security to GCP

Yesterday Microsoft announced the release of Microsoft Defender for Cloud for Google Cloud Platform, making Microsoft the first major cloud provider to offer security solutions in all major cloud platforms. The offering from Microsoft boasts Cloud Security Posture Management (CSPM) and Cloud Workload Protection (CWP) across both containers and servers. According to the release, GCP deployments of Microsoft Defender for Cloud will come “with out-of-box recommendations that allow you to configure GCP environments in line with key security standards like the Center for Internet Security (CIS).” Microsoft is also emphasizing the necessity of Zero Trust Management and event log management in cloud environments with two more ‘upgraded’ cloud security offerings.

News Roundup: Week of Feb 21, 2022

News Roundup: Week of Dec 26, 2021

Could Continuing AWS Outages Give Rise to Distributed Cloud Deployments?

Widespread disruption of high-use internet services was recently experienced as a result of the third AWS outage in the span of a month. AWS reported this latest disruption was caused by “a power outage at a data center in Northern Virginia” which saw giants like Hulu and Slack offline for about two and a half hours. A recent article from The Washington Post suggests that having a cloud deployment with a singular, critical point of failure creates opportunities for widespread outages, in a world where distributed cloud deployments can offer you some protection from these outages. As “the cloud’s increasing intricacy and demands” continue to increase, and companies continue to migrate and develop in the cloud, the potential for outages caused by the “over-centralization” of infrastructure into heavily-used AWS regions also increases.

Azure App Service Insecurity Exposing Source Code Since 2017

A recently discovered insecurity in the Azure App Service has “exposed the source code of applications written in PHP, Python, Ruby, and Node” and has been prevalent since September 2017. SC Magazine purports that this security flaw was first widely reported to the public by The Wiz on Oct. 7, 2021, and Microsoft has since updated it’s security recommendations document and mitigated the default behavior that caused this issue. Further research suggests that this vulnerability was likely not a well-kept secret and would have been widely exploited during the purported four year window of this vulnerability. We recommend double-checking your deployments against these new recommendations to ensure that your source code isn’t vulnerable.

Security Attacks Likely to Continue to Increase in 2022

2020 and 2021 have been marred by an increase in the commonality and sophistication of security attacks on companies as we all navigate the uncharted waters of remote work, and address the new connectivity and security concerns that have surfaced as a result of this necessary transition. A recent article from Bloomberg law suggest that some of the most damaging attacks have targeted backbone systems and solutions, such as the Microsoft Exchange software attacks that affected many companies in 2021. Alarmingly, many of the “exploits used in the first quarter of 2021 are still being used today” which only serves to create added pressure on both the solutions providers and companies that build critical systems upon such backbones solutions. These attacks are complemented by more ‘traditional’ phishing attacks, “which remains one of the highest-volume types of vulnerabilities” across all business sectors. Having proper security procedures and communication channels in place is more important than ever, and the criticality of such considerations will only increase as we move into 2022.

JEDI Becomes JWCC With Decision Target of Q3 2022

In the wake of four years of legal challenges and congressional inquiries, The JEDI contract has been replaced with a new framework, the Joint Warfighter Cloud Compatibility (JWCC), “from which to deliver commercial cloud services to Defense personnel.” The Pentagon “issued formal solicitations for JWCC” to AWS, Microsoft, Google, and Oracle, effectively leveling the playing field for the biggest US cloud providers. According to Nextgov “The Pentagon plans to make JWCC awards in the third quarter of fiscal 2022” which could bring some interesting infrastructure developments from these cloud providers.
News Roundup: Week of Feb 21, 2022

News Roundup: Week of Apr 18, 2021

News roundup

FCC Re-Establishes CSRIC to Tackle 5G and Solar Winds Attacks

The FCC recently announced that a federal advisory committee will be re-established “with a primary focus on improving 5G network security.” This announcement also cites the recent security breaches affecting the communications sector, especially the Solar Winds breach, in needing to revamp the CSRIC for today’s and tomorrow’s challenges. The FCC intends to “re-establish CSRIC on or before June 30, 2021 for a period of two years.”

SASE Market Continues to Grow

VentureBeat recently highlighted the Secure Access Service Edge (SASE) market as “showing tangible, long-term momentum in just its second year as a new technology segment.” The article states that SASE provides “long-term assurances for unified security across the entire organization,” which is especially important in our widely WFH world. SASE technology also allows you to streamline “complex security and WAN implementations” and build “user-centric security frameworks,” that are a necessity as the 5G-powered cloud edge begins to develop.

FBI Begins Court-Ordered Culling of Microsoft Exchange Servers

The US Department of Justice recently issued an unprecedented court order for the FBI “removal of the malicious web shells” from vulnerable versions of Microsoft Exchange servers from networks in the US. Months after a January Chinese-led espionage campaign that exploited four day zero vulnerabilities in Microsoft Exchange Server, many of the vulnerable web shells were still in place. According to released court records, “FBI personnel will access the web shells, enter passwords, make an evidentiary copy of the web shell, and then issue a command through each” of the web shells, to delete them. The announcement did include a promise from the FBI to attempt to inform all network owners impacted by the search and of impacted computers affected by this process.

News Roundup: Week of Feb 21, 2022

News Roundup: Week of Jan 31, 2021

Ford and Google Partnership Announced

Ford announced this week that they’re partnering with Google Cloud “in first-of-its-kind partnership” that aims to “accelerate Ford’s transformation and reinvent the connected vehicle experience.” Ford intends to leverage the data, AI, and ML capabilities of Google Cloud as they move to power their vehicles with built-in Android OS and Google apps services. Ford is hoping to leverage this partnership to get ahead in the race for “electrification, connectivity and self-driving” cars that is happening in the industry today. This partnership highlights the initial integration of Google Assistant, Google Maps as primary navigation, Google Play media playback, and an Android development base for other apps.

Jeff Bezos to be Replaced as Amazon CEO by AWS Chief Andy Jassy

Amazon announced this week that Jeff Bezos will be stepping down as CEO and will be replaced by longtime AWS leader Andy Jassy. After 27 years, Bezos will be stepping into an executive chair role, effective in Q3 of this year. As reported by c|net, this “transition comes as Amazon navigates a tricky period in its history.” Amazon is attracting regulatory scrutiny as its profits continue to grow during the economic shifts caused by the COVID-19 pandemic. This coming on the back of challenges Amazon has faced keeping its vast workforce safe from COVID-19 infection.

New Administration Brings Renewed Scrutiny of JEDI Contract

The lengthy legal battle led by AWS against the results of the JEDI cloud competition is creating renewed pressure on the Department of Defense under the new administration. According to Nextgov, “The Defense Department may not continue with the embattled Joint Enterprise Defense Infrastructure cloud contract if a federal judge does not dismiss charges of improper political influence in Amazon Web Services’ protest, according to a document sent to Congress.” AWS continues to allege that government officials, including the former president, improperly influenced the outcome. The Department of Justice expects a ruling from a federal judge soon.

Remote Threats to Remote Work Continue to Evolve

A recent article from InformationAge warns us of continued and evolving threats to remote work IT security. The post warns that hackers are changing their tactics to utilize a much more people-centric attack vector and targeting end employees directly. It is critical that we all take extra care to train employees and screen external communications for these evolving threats. As CISOs around the world continue to focus on securing their remote workforce, often for the first time in their company’s history, this challenge can seem incredibly daunting. Many companies scrambled to push out a cloud solution to address the remote work necessity and are now having to backtrack to secure them. The article warns that ransomware might continue to focus more on cloud environments and increase in complexity as 2021 progresses.

Salesforce Launches Vaccine Cloud as Vaccinations Become a Reality

Salesforce recently announced the launch of “Vaccine Cloud” in an effort to help institutions “more rapidly, safely and efficiently deploy and manage their vaccine programs.” The announcement comes as many states are working towards the end of their first phase of vaccination and registrants are eagerly awaiting the second phase of vaccination. The immense challenge of administering and managing the global scale of vaccination “efficiently, effectively, and equitably,” is proving to be quite the challenge for government agencies, healthcare organizations, businesses, nonprofits, and educational institutions alike. Salesforce is hoping to leverage their experience to help with vaccine inventory management, appointment scheduling, outcome monitoring, public health outreach and more.

Announcing the Launch of our New Website!

Announcing the Launch of our New Website!

As our customers’ needs continue to evolve our controller and plugin systems have grown from a Swiss army knife of virtual devices to full-blown cloud edge networking functionality. We are hard at work finalizing the next major release of our VNS3 controller and as we look into the future we saw a need to reposition and re-package our offerings. In order to facilitate this transition we’re thrilled to announce that we’re starting off the new year with a brand new website, and we wanted to take the opportunity to explain our design choices and some of the decision making that is leading us forward.

New Messaging Goals

Our main goal in redesigning our website is to help new and existing customers better understand all of the many pain points that our offerings address while giving us a platform to talk about new packaging, pricing, and features as they relate directly to these use cases. We’ve also put a lot of work into our UI over recent years and are excited to be able to put product screenshots in the spotlight. We’re hoping new and existing customers will appreciate the increased transparency of a more direct messaging style as we move forward.

Plugin Manager

Another major focus of this transition is to get more users launching VNS3 to try it for themselves. We’ve spent a lot of time revamping our documentation site, and we’re adding more quickstarts with AWS Cloudformation, terraform, Azure, and more. As we move forward we’re planning to release more short-form, tutorial-focused content to help new and existing users get the most out of their VNS3 deployments. We’re also releasing new free tier packages like our People VPN offering that went live to address remote work needs that arose last year.