News Roundup: Week of Oct 6, 2019

TSA Releases Cloud Strategy 2.0

TSA’s Cloud Strategy 2.0 was released recently, “[calling] for a mix of public and private cloud” to properly deal with both sensitive and transactional data. According to Nextgov: “the most significant principle” of this strategy “requires TSA programs to only purchase agency-approved cloud services.” Although “the document does not provide details on TSA’s preferred procurement strategies,” the document did detail clearance criteria for potential cloud products:

  • Its security posture must be certified by the Federal Risk and Authorization Management Program, or FedRAMP
  • It must have an open architecture in order to avoid lock-in to a closed set of vendors
  • It must be capable of integrating with multiple clouds, platforms, and infrastructures

According to FedScoop, “the agency will first consider software-as-a-service (SaaS) solutions and then infrastructure- and platform-as-a-service alternatives.”

Investigating Worldwide VPN Vulnerabilities

The NCSC published an alert describing “vulnerabilities [that] exist in several SSL VPN products which allow an attacker to retrieve arbitrary files, including those containing authentication credentials.” The alert claims that “an attacker can use these stolen credentials to connect to the VPN and change configuration settings, or connect to further internal infrastructure.” The list of “highest-impact vulnerabilities known to be exploited by APTs” is as follows:

Pulse Connect Secure:

Fortinet:

  • CVE-2018-13379: Pre-auth arbitrary file reading
  • CVE-2018-13382: Allows an unauthenticated attacker to change the password of an SSL VPN web portal user.
  • CVE-2018-13383: Post-auth heap overflow. This allows an attacker to gain a shell running on the router.

Palo Alto:

The NCSC recommends the following steps to “mitigate these vulnerabilities”:

  1. Apply the latest security patches released by vendors
  2. Reset authentication credentials associated with affected VPNs and accounts connecting through them

How Much is Google’s Cloud Really Worth?

Barron’s recently published an article discussing a Deutsche Bank valuation of Google’s Cloud offering. Two Deutsche Bank analysts “place a 15 times revenue multiple on GCP” and “find that the total Google Cloud business is worth about $225 billion.” This valuation is presented in contrast to the market’s current valuation of the Google Cloud business at “zero” and might cause investors to rethink their GOOGL share valuation. The analysts are particularly optimistic about Tom Kurian’s continued positive influence on the success of Google Cloud.

The Cloud-Native and Serverless Future is Now

An article written for Forbes by Eugene Khazin, Principal and Co-Founder at Prime TSR, calls our attention to the fact that Amazon has “[started] an initiative to re-train 100,000 people across their organization” as a clear sign that “cloud-native and serverless are the future” and that the future is now. The article attributes the success of digital transformations to leveraging cloud-native data to “[build] a data-driven culture that includes self-service analytics as part of the company DNA.” This cultural transformation requires not only “[training] employees for a new way to build software” but also technological, programming, and analytical knowledge in other areas of the business.

AWS re:Invent 2019 Reserved Seating Opens Soon!

Here’s a friendly reminder for those of you joining us at AWS re:Invent 2019 that reserved seating for sessions opens this coming Tuesday, October 15, 2019. As you probably know, sessions tend to fill up pretty quickly, so make sure to take a look at the session schedule and pick out your favorites beforehand! If you have any questions about re:Invent, we recommend taking a look at the “2019 AWS re:Invent Ultimate Guide” published by a re:Invent regular from A Cloud Guru. If you are planning to join us at re:Invent this year and would like to meet with our team, we encourage you to contact us and let us know!

News Roundup: Week of Sep 22, 2019

Feature Release of VNS3 Controller 4.8.0

We are very excited to announce the 4.8.2 release of our VNS3 controller! Version 4.8 includes a new API for dynamically configuring traffic monitoring on VNS3, as well as custom webhook alerts for real-time alerts on your network. Cloud meta-data was integrated to improve the security of default passwords and adapter/address discovery. Enhancements were also made to the API system and the time-limited access URLs from our 4.6.1 release. This latest version of our VNS3 controller is currently available in the AWS and Azure marketplaces. Please check out the release notes for a full list of features and optimizations, and keep an eye out for upcoming feature-focused video briefs!

McAfee Reports Only 1% of Cloud Misconfigurations Are Caught

A recent survey from McAfee “[demonstrates] that 99 percent of IaaS misconfigurations go unnoticed.” The survey of 1,000 enterprise organizations worldwide exposed cloud misconfigurations as the dominant threat to network security. According to Yahoo Finance, “IaaS breaches don’t look like your typical malware incident, instead leveraging native features of cloud infrastructure to land the attack, expand to adjacent cloud instances, and exfiltrate sensitive data.”

According to Yahoo Finance, the key findings of the report are:

  • Cloud-Native Breaches are not like the typical malware-based attacks of the past, instead capitalizing on misconfigured, native features of the cloud
  • Only one percent of misconfiguration incidents in IaaS are known—companies claim they average 37 per month, when in reality they experience 3,500
  • Data loss prevention incidents in IaaS increased 248 percent YoY

In light of this report, TechRepublic suggests the following:

  • Build IaaS configuration auditing into your CI/CD process
  • Evaluate your IaaS security practice using a framework like Land-Expand-Exfiltrate
  • Invest in cloud-native security tools, and training for security teams

In both cases, the emphasis is on increasing communication and understanding of this new type of attack, Cloud-Native Breaches (CNBs), and of the potential vulnerabilities created by cloud misconfigurations. Designing a network with a simple (not simplistic) approach to cloud security that is easy to implement and maintain (see VNS3) is essential to avoiding a misconfiguration.

5G Potential for India and Huawei

With the deployment of 5G spectrum-based trials on the horizon for India, The Economic Times released an article discussing Huawei’s potential involvement in the project, which is under renewed scrutiny. Huawei brings “more than 2,500 standard essential patents for 5G” to the table and is “[advocating] to the industry to sign [a] ‘no backdoor’ agreement with the Indian government” as it works to solidify its official participation in the project.

Published on the same day by Forbes is an article written by Andy Purdy, CEO of Huawei Technologies USA, titled “Why 5G Can Be More Secure Than 4G.” The article is optimistic about the security of 5G, reassuring readers that “5G maintains a clear separation between RAN and core” even though “some 5G applications do push computing power to the network edge.”

Department of Defense Embraces Zero Trust Model

The US Department of Defense released an article urging users to “Assume Networks are Compromised.” The article supports the trend towards implementing a zero trust model as opposed to a “perimeter defense model.” When faced with the reality that “there is no secure system,” microsegmentation of your network can provide a lattice of security within the network that limits an intruder’s ability to freely traverse it once compromised.

Edge Computing Considerations

In a Forbes article discussing edge computing, especially as it relates to the possibilities of 5G networks, Irina Farooq from Kinetica lays out “5 strategies for leveraging edge computing for enterprise applications.” These strategies are: focus on the application use cases; understand your options; make explicit decisions about security, privacy, and governance; develop the right data and machine learning strategy; and be prepared to learn and adapt. The article emphasizes informed, careful, and explicit decision-making when it comes to “[processing] data close to the end user.”

News Roundup: Week of July 30, 2019

Concerning CapitalOne’s Security Breach

The news about the CapitalOne security breach has been covered by media outlets ranging from the traditional to the security- and tech-focused. AWS and CapitalOne have agreed that this was not the result of a cloud-specific issue but of a misconfiguration on a web application firewall (WAF). Given the public disclosures by the accused, we have more information on this breach than usual. Social media posts and websites mentioned in the criminal complaint suggest a Server Side Request Forgery (SSRF) was used. While not a new class of exploit, SSRF is likely to get more attention in the coming days, along with the AWS Metadata Service and AWS IAM Roles.
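The SSRF-to-metadata-service path mentioned above is usually closed at the application layer by refusing to fetch user-supplied URLs that point at link-local or internal addresses. The following is an added example of such a check, not code from the original post, CapitalOne or AWS; check_fetch_target, allowed_hosts and the injectable resolver are names assumed here, and the allowlist and addresses in the test are constructed samples.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Networks an application-level URL fetch should never be allowed to reach.
# 169.254.0.0/16 contains the EC2 instance metadata endpoint (169.254.169.254),
# which is where the temporary IAM role credentials of an instance are served.
BLOCKED_NETWORKS = [
    ipaddress.ip_network("169.254.0.0/16"),  # link-local, incl. instance metadata
    ipaddress.ip_network("127.0.0.0/8"),     # loopback
    ipaddress.ip_network("0.0.0.0/8"),       # "this" network
    ipaddress.ip_network("10.0.0.0/8"),      # RFC 1918
    ipaddress.ip_network("172.16.0.0/12"),   # RFC 1918
    ipaddress.ip_network("192.168.0.0/16"),  # RFC 1918
    ipaddress.ip_network("::1/128"),         # IPv6 loopback
    ipaddress.ip_network("fe80::/10"),       # IPv6 link-local
    ipaddress.ip_network("fc00::/7"),        # IPv6 unique local
]


def default_resolver(host):
    """Resolve a hostname to every address it maps to (IPv4 and IPv6)."""
    infos = socket.getaddrinfo(host, None)
    return sorted({info[4][0] for info in infos})


def is_blocked_address(addr):
    """True if addr falls in a blocked range. IPv4-mapped IPv6 addresses
    (::ffff:169.254.169.254) are unwrapped so they cannot bypass the check."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)


def check_fetch_target(url, allowed_hosts, resolver=default_resolver):
    """Decide whether a server-side fetch of `url` may proceed (hypothetical API).

    Returns (ok, reason). Three layers are applied in order:
      1. only http/https schemes,
      2. the host must be on an explicit allowlist, so raw IP literals and
         attacker-chosen hosts are rejected before any DNS lookup,
      3. every address the host resolves to must be outside BLOCKED_NETWORKS,
         which catches an allowlisted name re-pointed at an internal range.
    `resolver` is injectable so the check can be exercised offline.
    """
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return False, "scheme not allowed: %r" % parsed.scheme
    host = parsed.hostname  # already lower-cased, brackets stripped for IPv6
    if not host:
        return False, "missing host"
    if host not in allowed_hosts:
        return False, "host not in allowlist: %s" % host
    try:
        addrs = resolver(host)
    except (socket.gaierror, OSError) as exc:
        return False, "resolution failed for %s: %s" % (host, exc)
    for addr in addrs:
        if is_blocked_address(addr):
            return False, "%s resolves to blocked address %s" % (host, addr)
    return True, "ok"
```

Even with this check in place, the IAM role attached to the instance should carry only the permissions the application needs, so that any credential exposure is bounded by least privilege.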

AWS Expands into the Middle East

Werner Vogels recently announced that AWS has successfully launched three new Availability Zones in the Middle East (Bahrain), creating new innovation opportunities for all manner of organizations in the region. AWS continues to devote resources towards expanding its network into new regions, with Indonesia, Italy, and South Africa on the radar for the next few years. Significant investments also continue to be made in education, training, and certification programs. Increased service availability, increased access to training, new use cases and solutions, and new developer insight should fuel some creative innovations in the not-so-distant future.

Airlines Taking off into the Cloud

According to a recent article from ZDNet, ATPCO, the company that “has collected and distributed fare and fare-related data for the airline and travel industry” for more than 50 years, has taken its automation journey to the AWS cloud. When you factor in the more than 1600 data elements the company provides to airlines, the move to the cloud seemed to be the only cost-effective and efficient way to manage, automate, and fully leverage this growing pool of data. Exposing a new industry to the capabilities of big data, blockchain, machine learning, and real-time data could create some interesting new innovations in pricing and business models for airlines.

Google Brings VMware to Their Cloud

Google continues to follow AWS when improving their cloud offering. In this instance they too are bringing a “VMware in cloud” solution to market. According to Forbes, this VMware solution (powered by CloudSimple) will be available later this year. This move by Google is yet another step in closing the gap between their cloud and others. Slowly but surely Google will look to combine this partnered growth with the addition of new and competitive features within their cloud offering in order to increase service usage and solve new use cases.

Freeing Your Data via Native Cloud Infrastructure

Forbes published an article recently discussing the benefits of native cloud infrastructure for enterprises working to “provide real-time services to their customers.” Providing real-time access to ever-growing lakes of data in efficient and meaningful ways requires new levels of automation and scalability that can only be achieved via cloud infrastructure. The article suggests managing your data at the container and app level to support automating from the app down instead of from the infrastructure up. Some of the suggestions they provide to start your journey in this direction are:

  • Break down monoliths
  • Ensure a robust CI/CD process
  • Begin with stateless apps
  • Crawl, walk, then run

News Roundup: Week of Jun 03, 2019

AWS Community Day | Midwest is Coming to Chicago!

Cohesive Networks is excited to be participating in AWS Community Day | Midwest in Chicago this month! The event will feature a keynote on Community & Cloud by Calvin Hendryx-Parker, as well as ‘Lightning Talks’ on “Building an HA enterprise search engine on ECS” (Jack Schlederer), “Cloud HSM: Frustration as a Service” (Paul Kuliniewicz), “Running Containers in AWS – Learn about ECS, EKS and Fargate” (Andrew May), and more! If you’re in the Midwest we’d love to see you at the event! Click here to register.

Report on Insecure Enterprise IoT Networks

Zscaler released a report on the security of IoT networks, finding a shocking 91.5% of traffic to be unencrypted. This of course leaves these networks vulnerable to network sniffing and man-in-the-middle attacks. IoT adoption and connected device ubiquity are accelerating, in some cases at the expense of following security best practices. Regulation for IoT is looming, with some legislation already proposed. Zscaler recommends the following for securing your IoT networks:

  1. Change the default credentials for your connected devices
  2. Build network isolation into your IoT networks to prevent lateral traffic between devices, using firewalls to lock down inbound and outbound traffic
  3. Restrict access to IoT devices from external networks and lock down unnecessary ports
  4. Apply regular security and firmware updates to your devices and secure your network traffic
  5. Deploy a solution to your IoT network for visibility into all IoT devices on the network

Google Network Outage: Jun 02, 19

This past Sunday Google’s network experienced “a disruption” that “caused slow performance and elevated error rates on several Google services, including Google Cloud Platform, YouTube, Gmail, Google Drive and others.” As Google put it, the issue was caused by “a configuration change” that was “incorrectly applied” at a larger scale than intended, limiting various regions’ use of their available network capacity. The foundation of Google’s resiliency is, and has been, its ability to learn from these events and to automate the prevention of similar events down the road.

Some takeaways:

  1. Build network and permission segmentation into your infrastructure and configuration deployments. Deployments should have temporary access to only the environment resources they need.
  2. Monitor expected resource allocations. This level of visibility reduces response time.
  3. For enterprises that require high resiliency, failover built with a multi-cloud approach might be required to prevent any downtime.

LabCorp Discloses Further Information on AMCA Breach

In a continuation of the Quest Diagnostics breach narrative, LabCorp filed this week with the U.S. Securities and Exchange Commission, stating that “personal and financial data on some 7.7 million consumers were exposed by a breach at a third-party billing collections firm” – KrebsOnSecurity. This is likely the first of many disclosures by companies similarly impacted by the breach, raising questions about whether PCI-DSS requirements were followed or HIPAA laws were broken. The seriousness of the breach is compounded by how long it persisted and by the fact that it was discovered by a third-party compliance firm (Gemini Advisory) and not by the AMCA. The AMCA has provided very little information thus far as to where the systems in question are run, whether they are cloud systems, ‘on-prem’, PaaS, or otherwise.

PSA: Patch Your Cisco Devices

If your company is running Cisco devices, be sure to verify that they have received all security patches. Multiple high-impact bugs were reported by Cisco in the last month, and security researchers have already released proof-of-concept exploits, leaving unpatched enterprises exposed. As always, continue to monitor Cisco’s security advisories and alerts and, if possible, automate your security patch updates.

AWS re:Invent Recap

AWS re:Invent 2018

We’ve been heads down working on the 3 P’s for a number of months (products, presence, and people). As a result we’ve all but stopped our social media and dynamic content. We’ll look to emerge from our cocoon in early 2019 but we had to pop out and do yet another re:Invent recap (YArIR!).

Cohesive Networks (and our parent company CohesiveFT) have attended or sponsored every AWS re:Invent. Each year the conference gets denser yet more spread out… think about that one. This year was no exception. Now that our “away team” has fully recovered from the ill effects of desert entertainment, had some time to reflect, and gotten our hands dirty trying out a few new services, we’re ready to state our opinion. That’s what the following is: the opinion of the smartest, coolest, and most experienced cloud networking experts in the game (see opinion).

Micro Blink Reaction – Crowd Sourcing the Self-driving Algos

AWS DeepRacer is awesome and the DeepRacer League is hilariously brilliant. I ordered my discounted DeepRacer a few seconds after it was announced during Andy Jassy’s keynote. The bummer is I won’t take delivery until March. Hopefully the simulation environment holds me over (request preview access).

Macro Blink Reaction – AWS appetite for its ecosystem grows

AWS continues to eat the ecosystem and this year they stepped up their game. Previous years had AWS entering markets and wiping out millions of $s in ecosystem players. This year we think the number is in the capital B BILLIONS.

As a member of the AWS Partner Network (Advanced Technology Partner), we, like all AWS partners, look to re:Invent every year with mixed feelings of excitement and dread. If you aren’t on the Customer Advisory Council, you never really know if this is the year AWS will announce a direct competitor to your business. We all know the risks, and the AWS “not built here” corp dev mentality that drives their roadmap, but there is too much opportunity not to participate. Multi-cloud helps, but AWS is still the King of Cloud both in usage and features/services. I won’t go into detail about what competes with whom, take a look at these other recap posts:

Specific Announcement Reactions

We also won’t cover all the announcements because of the number of announcements per service category.

  • App Integration – 2
  • Analytics – 4
  • Compute – 11
  • Databases – 6
  • Developer Tools – 2
  • IoT – 7
  • ML – 14
  • Management – 6
  • Marketplace – 3
  • Media – 1
  • Migration – 2
  • Mobile – 1
  • Networking – 6
  • Robotics – 1
  • Satellite – 1
  • Security/Identity – 2
  • Storage – 10

Below we’ll review the features and service announcements that piqued our interest from a security and networking perspective.

Transit Gateway (GA)

What is it?
An AWS managed gateway service that enables a hub-and-spoke network topology connecting VPCs in the same region (expect multi-region support in the future), owned by one or more AWS accounts, as well as remote networks. This offering replaces the multi-party solution that was previously being offered, the AWS Global Transit Network. Check out the Transit Gateway announcement blog or product home for more information.

Why it matters
Transit Gateway solves a significant number of issues around the need to route between VPCs “in cloud” at AWS. The manner in which it has been solved creates an economic opportunity for AWS as well – charging $0.05 per hour for each connection to the gateway.

At Cohesive Networks, we spend our days (and nights) helping customers Connect, Federate, and Secure. Just like the introduction of the VPC itself, Direct Connect, AZs, Regions, GovCloud, China, and all the related facets of AWS – this creates more demand for connecting, federating, and securing. “Transit” is a subset of the overall federation architecture, so it is definitely a feature – not a business, meaning this release is good news for Cohesive, and gives us parity with a capability that Azure and Google networking have had for some time (although they do it a bit differently).

The release of Transit Gateway lets us create some federation structures for customers that were previously too complex and required, dare I say it, too many VNS3 controllers to complete the task, as a result of AWS networking limitations. Now our customers can spend a bit more money, reduce a little bit of complexity, and still get the attestable control they need as regulated or self-regulated businesses operating in 3rd party data centers over which they have no direct insight, visibility, or control (AKA “the cloud”).

AWS Security Hub (Preview)

What is it?
A monitoring platform service focused on security that aggregates security alerts and compliance status from native AWS services as well as from 3rd party services. Many security vendors announced initial support for Security Hub. Security Hub aims to create a single pane of glass for an organization’s security and compliance posture across all its AWS accounts. Check out the Security Hub announcement blog or product home for more information.

Why it matters
AWS Security Hub begins to solve the “feature glut” problem of the ever-growing Amazon services collection. One reason organizations suffer from data exploits is NOT that they lack monitoring information with events and alerts – it is that they have TOO many events and alerts. Security Hub appears set to provide an encompassing overview of the outputs coming from AWS GuardDuty, Inspector, and Macie. Each of these has a rich set of features for your cloud deployments – running all three of them independently could be a bit overwhelming.

At Cohesive we have previously highlighted the world we are entering, where the critical IT executive decision is “all-in vs. over-the-top”, meaning: where on the spectrum of cloud usage, AWS for example, do you position your organization? Do you go “all-in” on embedded AWS services, which provide abstracted visibility and limited control – or do you go “over-the-top” and run many of your own layers of infrastructure and instrumentation, strung across AWS, Azure, Google, et al.? For the “all-in” crowd we think Security Hub may make consuming some of these services easier.

Global Accelerator (GA)

What is it?
A service to help customers easily route traffic across multiple regions to improve the availability and performance of cloud-based applications/deployments. Global Accelerator provides an entry point that allows TCP or UDP traffic to use the AWS Global Network to reach AWS-deployed application topologies instead of the public Internet. Global Accelerator provides static Anycast IPs that serve as a fixed entry point for an AWS-deployed application available in any number of the currently supported regions (us-east-1, us-east-2, us-west-1, us-west-2, eu-west-1, eu-central-1, ap-northeast-1, and ap-southeast-1). The Anycast IPs are advertised from the supported AWS regions so that traffic enters the global network as close to the users as possible. Global Accelerator can then be associated with cloud-based applications via application load balancers, network load balancers, or Elastic IPs. In addition to data transfer fees, Global Accelerator costs $0.025 per hour.

Why it matters
Other than the obvious HA and performance benefits, the big theme from this and Transit Gateway is coalescence. Clouds and cloud regions were built to be isolated by design. Increasingly, as companies have grown in the cloud organically or via acquisition, organizations’ cloud estates have experienced sprawl. Providing avenues to bring the regions “closer together” while maintaining the logical separation is a key value for many of AWS’ largest customers.

We continue to experiment with how our customers might benefit from using the Anycast IPs as static global cloud endpoint IPs for VPN connections, as well as for distributed and encrypted overlay networks.

EC2 C5n (GA)

What is it?
A new generation instance family focused on very fast network speeds, up to 100 Gbps. These new instances use the latest Nitro hardware and allow for some serious packets-per-second performance. The instance sizes are available now in us-east-1, us-east-2, eu-west-1, and GovCloud. Prices start Read more about the C5n instance family.

Why it matters
We are getting a glimpse of the future of cloud network performance and throughput. Eliminating the current VPC gateway throughput restrictions will open up more use cases for the cloud. Total throughput for the VNS3 controller just increased dramatically. Of course there are some restrictions (see placement groups), but it’s always exciting when you get a bandwidth upgrade. Maybe AWS will soon host the first cloud-based high-speed, low-latency trading app?

Margaret Valtierra featured in “Business Data Security Tips: 40+ Experts Reveal Their Best Advice”

See the full article on Phoenix NAP : Business Data Security Tips: 40+ Experts Reveal Their Best Advice

Margaret’s Tip: Self-evaluate to keep pace with both risk and compliance

Your business is small, but risks are enterprise-size.

Top cybersecurity threats to small businesses (SMBs) are very similar to the risks all enterprises face. The stakes are much higher for SMBs because they often lack the resources to fight back and prevent data loss. Large firms have teams of data security experts and can afford extensive audits. SMBs can be more vulnerable to security risks and struggle to quickly react to vulnerabilities.

Figure: Data breaches affecting SMBs – from the Ponemon CODB

Keep pace with both risks and compliance by self-evaluating

Frequently self-evaluating the company’s cybersecurity practices is the best way to detect and prevent cybersecurity threats. SMBs can use the NIST Cybersecurity Framework (it’s free!) as a blueprint to evaluate current security policies and remodel data protection policies to focus on preventing vulnerabilities and to set goals to improve and maintain security.

Traditional standards and protections all attempt to do the same things: protect sensitive data. The NIST Cybersecurity Framework is unique because the Framework combines the best practices of other security standards to focus on outcomes, rather than avoiding liability. SMBs should self-evaluate cybersecurity at least once a year, with participation from all business unit leaders and all of the IT team.


Read more: Why All Enterprises Should Adopt the NIST Cybersecurity Framework

Don’t become a victim of your own success – growth.

As SMBs grow and add employees and partners, they must share access to vital business data and systems. For example, a small company can rely on a single IT person to manage access to data, a server, and the company network. As the SMB grows and adds employees and offices, a “single point of failure” becomes a risk for the company. Security for data and networks should grow with the business, with precautions built into business goals.

Watch: Dwight Koop’s CircleCityCon talk on the NIST Cybersecurity Framework

Margaret Valtierra, Senior Marketing Specialist, Cohesive Networks

Margaret Valtierra is Senior Marketing Specialist at Cohesive Networks. She is responsible for growing business through digital and written content, public relations, and community events.