Stand Apart – but be Cohesive (part 2)

Some more thoughts about standing apart, but being Cohesive.

As Cohesive Networks grows, we do struggle to keep the elements of our company that are fundamental, without being too much of a constraint on evolution and responsiveness to changing markets.

Separate from very specific policies are the stories, mantras, aphorisms that guide you. Not too long ago we had a partner company ask us to tell them why they should work with us. In response we distilled some of the essence we try to hold forth in our words and actions. Here they are with a bit of elaboration.

Our favorite code is code we never write, but we solve a customer problem.
In general people do what you pay them to do, not what you tell them to do. If your reward and identity systems are built around writing and delivering code, you get a lot of code. You get change for change’s sake. We do not do that. The expression of our brutalist approach to software development is:
– Our favorite code is code we never write, but we still solve a customer problem.
– Our second favorite code is the code we removed from the most recent release.
– Our third favorite code is the code which, sadly, has to exist in order to have a product.

“Run on the cloud not in the cloud.” (Avoid the economically defined architecture)
We go more in depth in this post. To boil it down, the cloud vendors have built massive feature sets that both provide value and extract payments. As a consumer of cloud one needs to ask continuously, am I getting the value?

Unfortunately, certifications in cloud expertises can become so dominant in reward and identity systems that cloud services are incorporated not to serve the ultimate customer, but to serve a certification sense of satisfaction. Customers not acutely aware of this are at risk of implementing an ‘economically defined architecture’, which is a working system architecture, but while correct, it also maximizes cloud vendor revenue. Sometimes “over the top” visible services are a better path to multi-cloud and cost control.

Networks are addresses, routes, and rules; everything else is implementation detail.
This simple statement has gotten me rapidly exited from meetings at one large scale networking vendor interested in acquiring Cohesive Networks. The product management team I was talking to took insult that I could be so reductive. That said, we as a team stand by it. There are names and numbers for things, paths to these things, and the ability to say ‘yes you can’ or ‘no you can’t’ get to those things. The question then becomes how to manifest that in a way that gives enough power to someone with in-depth network expertise, but also empowers a person “just trying to connect these two things”.


Do your best to not surface implementation detail in customer experience.

This is the corollary to the above. We definitely have not succeeded at this in all parts of the VNS3 Network Platform, but we try. Obviously we provide a networking system, so there are elements of the implementation that have to surface technical detail.

For example, there are such things as “IPsec connections”, and IPsec has elaborate configuration constraints which need to be managed. That said, it can probably still be simplified. As an example, our single page UI for defining an IPsec endpoint tries to achieve this objective. I had one user tell me, “The first time I saw your IPsec UI, I wondered what college intern wrote it. After I used it for a while I decided it was genius.”

Support is the critical sales function.
Some companies will claim this to be true, and then they have the support staff hound you with upsell offers, surveys, and other actions that have NOTHING to do with solving your problems. What we mean at Cohesive is, when a customer has a question or concern, your ability to quickly and knowledgeably assist them is a critical part of your trust relationship.

There can be no ulterior motive other than you want to help them in that distinct moment. In our case where the majority of our customers are SaaS/BPaaS providers, initial connectivity issues are a key obstacle to time-to-value for both the SaaS provider and their customer. Eliminating any issues in this dimension helps our customer and their customer alike.

FNA – full network accountability is a company culture.
Multi-party networking and security is by definition a collaborative endeavor. When there is a problem, there is a risk that collaboration devolves to finger pointing. When you have a solution like the VNS3 Network Platform that is SO reliable, it can be difficult to look at yourself as the culprit when a customer has issues. Well over 90% of all inbound “P1” support issues that we receive come about because our customer’s customer has <changed / misconfigured / broken> something in the network path.

It is tempting to enter the interaction with a bias towards an “it’s not us, it’s you” mindset. To counter this we practice what we call “Full Network Accountability”, which means that to the best of our ability we will work with our customer, their customer, their customer’s outsourced networking people, whomever, to solve the problem. In doing so, our team has to start with the premise that, no matter how unlikely, our customer has run into a never-before experienced, one time only, horrible bug in Cohesive VNS3, until proven otherwise. Then we move forward through the entire connection path with customers (as desired) to find the ultimate issue.

This list is not exhaustive, but is indicative of how we have approached the long term health of the VNS3 platform and our company Cohesive Networks. Software, security and network skills are the table stakes for serving customers in our space, but how to have those skills and deliver them to customers through time and across hype cycles is the additional critical capability that we strive for.

3 Key Steps to GDPR Compliance

Don’t be caught off guard by GDPR requirements in 2018!

According to a recent study by KPMG of the boards of FTSE 350 companies, few are prepared for the General Data Protection Regulation, or GDPR. All new data your organisation gathers should include clearer evidence of data collection consent and opt-out options. How should IT teams prepare for the upcoming changes? Which initiatives should be a part of your program to be compliant?

Penalties for not complying with GDPR will be steep. Organizations in breach of GDPR can be fined up to 4% of annual global turnover or €20 Million (whichever is greater). While this is the maximum amount an organisation will face, the requirements are rigid for all levels of infringement. GDPR has a tiered approach to fines, so organisations might be liable for multiple offenses. Internal IT teams and legal departments should take note – the GDPR applies to any company that controls data or processes data; ‘clouds’ are not exempt.

Which initiatives should be a part of your program to be compliant with GDPR?
The first, major step to complying with GDPR is to understand the data the organisation holds. Multiple departments will likely hold lists of personal information, such as email lists for marketing, human resources’ personnel files, and so on. Understanding what you must protect is the first step to protecting it.

Takeaway: Any organisation that collects or processes data of an EU citizen should comply with GDPR.

At the core, the GDPR requires data protection by design. Organisations must design data security into business processes.

Another requirement is “pseudonymisation”, the process of transforming personal data in such a way that the resulting data no longer identifies the specific data subject on its own. An example is encryption. Additionally, the GDPR also requires that the associated information needed to re-identify the data, such as the decryption keys, be kept separately from the pseudonymised data.

Specifically, IT teams can ease into GDPR with better monitoring and management. Automating any part of network scanning, log analysis, and compliance tracking can speed up time to compliance.

Next, teams should re-evaluate access controls to sensitive data. With cloud-based systems, it should be easier to implement strong authentication programs to apply the rule of “least privilege” required for each application.

Finally, add encryption in-transit to any existing security best practices. Cloud providers offer excellent encryption for data at rest, but only some services and intra-region transfers have data-in-motion encryption. Any data traveling between cloud regions, traveling over the public internet, and between organisation locations should be encrypted.

How can Cohesive Networks help you?

VNS3 helps meet data security measures for data privacy compliance:

  • Encrypt data in transit using VNS3’s IPsec tunnels to connect to all data sources and applications
  • Protect Personal Data by encrypting all data across open public networks
  • Guard against Vulnerability with a VNS3 intrusion detection system (IDS)
  • Maintain Strong Access Control by controlling access to data and encryption keys
  • Enhance Data Portability with a VNS3 overlay network over the top of any cloud or virtual network

5 ways VNS3 can help meet GDPR data privacy compliance

According to a study by KPMG of the boards of FTSE 350, few are prepared for the General Data Protection Regulation, or GDPR. Organisations are running out of time to get their IT systems and operations in order. Protecting and securing existing data is only half the battle, with the GDPR’s strong emphasis on security by design and data portability.

On May 25, 2018 the European Union’s new data protection and personal information laws will go into effect. The GDPR governs the privacy and security of personal data for practically every person and entity connected to the EU.

Don’t take the risk

Fines for non-compliance will be harsh. Companies that do not maintain information security best practices could be fined up to 4% of “total worldwide annual turnover of the preceding financial year.” If a US-based financial institution was found to have data on EU citizens, it could face a fine of 4% of total global revenues or up to 20 million Euros ($22 million US).

VNS3 can help organisations meet data security measures for data privacy compliance. Even if your company is not located in the EU, your data might include information on a “data subject.” For organisations with large amounts of data and data that travels between networks the best options include adding encryption in-transit. Cloud providers offer excellent encryption for data at rest, but only some services and intra-region transfers have data-in-motion encryption. Any data traveling between cloud regions, traveling over the public internet, and between organisation locations should be encrypted.

What type of data is covered?

For GDPR compliance, personal data is defined as “any information relating to an identified or identifiable natural person ‘data subject’; an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.”

Plus, there are 2 new data categories: genetic and biometric data.

“Genetic and biometric data” means anything that may reveal an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and data concerning health or sex life and sexual orientation. These 2 categories join existing sensitive and special personal data, such as home addresses, credit card details, and health care records.

VNS3 meets data security measures for your GDPR compliance by helping you:

  1. Encrypt data in transit
  2. Protect Personal Data
  3. Guard against Vulnerability
  4. Maintain Strong Access Control
  5. Enhance Data Portability

1. Encrypt data in transit

Use VNS3’s secure IPsec tunnels to connect to all data sources and applications. With end-to-end encryption that only you control, your organisation can guarantee GDPR compliance for your customer’s data, even if you collect it in one region and process it in another. Section 83 of GDPR even states “…the controller or processor should evaluate the risks inherent in the processing and implement measures to mitigate those risks, such as encryption.” VNS3 offers a superior level of encryption, with AES 256-bit encryption.

2. Protect Personal Data

VNS3 lets you encrypt all data across networks, regions, and cloud providers. This way you can add protection in shared environments like public clouds, partner networks, and across regions. This is part of the critical GDPR tenet of “data protection by design.” Under Article 25, organizations must design data protection into business processes to protect personal data. GDPR leaves it up to companies to decide what security measures are needed to match the risks of a data breach. Encryption is a proactive approach to data security and can save organisations heavy fines.

3. Guard against Vulnerability

Section 83 states all organisations should consider “the risks that are presented by personal data processing, such as accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.” Prevent unwanted access to your customers’ data with a VNS3 intrusion detection system (IDS). With VNS3, you can securely connect your network across multiple public and private clouds and use our plug-in system to add in monitoring for possible intrusions. By combining network functions, you can ensure data in motion security and privacy.

4. Maintain Strong Access Control

Control access to data and encryption keys with VNS3. Enforce security policies and multiple orthogonal layers for added security with VNS3. Not only does VNS3 provide layer 4-7 network security, but using the Docker container system allows you to create “in mesh” application plugins, including network intrusion detection (NIDS), proxy, and monitoring controls. Prepare with security, but plan for a data breach. Along with controls to detect any unwanted network access, your teams should also have a plan to control and shut down any malicious actors.

5. Enhance Data Portability

Data portability might seem unrelated to privacy interests, but it is another goal we’ve always championed at Cohesive Networks. Data portability will allow organisations to free themselves from any non-compliant vendors or partners, which could limit the risks for organisations just taking on GDPR compliance projects. The GDPR likely will only require data portability for data that were originally provided by the data subject (such as photos or documents stored in the cloud). Interoperable standards are encouraged, but not mandated by GDPR.

With a VNS3 overlay network over the top of any cloud or virtual network you can make your applications, and the data they use, more agile.

What is VNS3?

VNS3 is a software-only virtual machine that integrates with existing network equipment and can be delivered as part of the application deployment in most virtualized infrastructures.

VNS3 cloud overlay diagram

With over 3,000 connected customers in more than 22 countries, VNS3 has provided more than 500 million device hours of application networking for the cloud. VNS3 offers customers more dynamic network controls on top of cloud offerings, including multiple VLAN peering, end-to-end data in motion encryption, application layer firewall rules, multicast, and multi-region peering.

But, don’t just take our word for it! Use VNS3 in any cloud environment with our Free Edition. Try it today from the AWS Marketplace or Azure Marketplace.

Get in touch with our sales team for BYOL versions for other large clouds, custom pricing, or for a POC.

One year to go: what IT teams need to know about the GDPR

In less than 1 year, the GDPR will go into effect for all organisations using, processing, and holding data on EU citizens. What do businesses need to know?

European Union: General Data Protection Regulation (GDPR)
The European Union passed the General Data Protection Regulation (GDPR) on 14 April 2016. Beginning on 25 May 2018 the EU will begin enforcing the regulation. Currently European companies and global technology firms are making the shift to compliance, but organisations in non-compliance will face heavy fines beginning in May 2018.

Any organisation that does business with Europe or specifically handles personal data of EU citizens must comply with the General Data Protection Regulation (GDPR).

Infringement carries heavy fines: €20 million or 4% of worldwide annual gross revenue, depending on the violation. This new piece of EU legislation is the legal framework for data protection across Europe.

Worryingly, an early 2017 study by Mailjet found that only 17% of respondents have taken all of the recommended steps towards GDPR compliance, while the same proportion admit they have not enacted any such checks or changes.

What do organisations need to do to comply?

  1. Know if it applies. It covers businesses doing business in Europe and any business that handles personal information of European citizens. The regulation applies if any of the following are based in the EU:
    • data controller (organization that collects data)
    • data processor (organization that processes data, including cloud providers)
    • data subject (person)
      NOTE: The UK’s decision to leave the European Union will not affect the commencement of GDPR.
  2. Know how to apply it.
    • Data protection by design. Article 25 requires organizations to design data protection into business processes to protect personal data.
    • Data privacy. GDPR requires “pseudonymisation”, the process of transforming personal data in such a way that the resulting data no longer identifies the specific data subject on its own. An example is encryption. Additionally, the GDPR also requires that the associated information needed to re-identify the data, such as the decryption keys, be kept separately from the pseudonymised data.
    • Data removal. EU citizens (data subjects) have the right to request their data be erased from organisations. This is a revision of the “right to be forgotten” concept proposed in earlier drafts.
    • Data portability. A person shall be able to transfer their personal data from one electronic processing system to and into another, without being prevented from doing so by the data controller.
  3. Know when it applies. All organizations must be in compliance by May 2018.
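The pseudonymisation requirement described above (and in the "3 Key Steps" post earlier on this page) is easiest to see in working code. The following is an added illustration, not Cohesive Networks' or VNS3's code: identifying fields are replaced by keyed HMAC tokens, and the only things that can turn a token back into a person (the key and the token-to-value lookup table) live in a `KeyStore` that stands in for a separately controlled system. The records, names and the in-memory store are constructed for the example.

```python
"""Pseudonymisation with the re-identification data held apart from the dataset.

Added illustration; not Cohesive Networks' or VNS3's code. The records, names
and the in-memory KeyStore are constructed for this example.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed sample records; the people and addresses are invented.
SAMPLE_RECORDS = [
    {"name": "Alice Example", "email": "alice@example.org", "country": "DE", "plan": "pro"},
    {"name": "Bob Example", "email": "bob@example.org", "country": "FR", "plan": "free"},
    {"name": "Alice Example", "email": "alice@example.org", "country": "DE", "plan": "pro"},
]

# Fields that identify a data subject; everything else stays usable for analytics.
IDENTIFYING_FIELDS = ("name", "email")


@dataclass
class KeyStore:
    """The 'additional information' that must be kept apart from the dataset:
    the HMAC key and the token -> original-value lookup table.
    In production this is a separate system with its own access control;
    here it is an in-memory stand-in (assumption for the example)."""
    key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    vault: dict = field(default_factory=dict)


def pseudonymise_value(value: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 token. A plain hash would let anyone holding the
    dataset confirm a guessed e-mail address; without the key they cannot."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:32]


def pseudonymise_record(record: dict, store: KeyStore) -> dict:
    """Replace identifying fields with tokens and record the mapping in the vault."""
    out = dict(record)
    for name in IDENTIFYING_FIELDS:
        if name in out:
            token = pseudonymise_value(out[name], store.key)
            store.vault[token] = out[name]  # only the vault holder keeps this map
            out[name] = token
    return out


def pseudonymise_dataset(records: list, store: KeyStore) -> list:
    return [pseudonymise_record(r, store) for r in records]


def reidentify(record: dict, store: KeyStore) -> dict:
    """Only the vault holder can do this; raises KeyError once the mapping is erased."""
    out = dict(record)
    for name in IDENTIFYING_FIELDS:
        if name in out:
            out[name] = store.vault[out[name]]
    return out


def distinct_subjects(pseudo_records: list) -> int:
    """Analytics still works on tokens: the same person always yields the same token."""
    return len({r["email"] for r in pseudo_records})


def erase_subject(pseudo_record: dict, store: KeyStore) -> int:
    """Erasure on the vault side: drop the mappings for one subject and return
    how many were removed. The tokens left in the dataset are still linkable to
    each other, so dataset copies must be covered by the erasure plan as well."""
    removed = 0
    for name in IDENTIFYING_FIELDS:
        if name in pseudo_record and store.vault.pop(pseudo_record[name], None) is not None:
            removed += 1
    return removed


if __name__ == "__main__":
    store = KeyStore()
    pseudo = pseudonymise_dataset(SAMPLE_RECORDS, store)
    print("pseudonymised:", pseudo[0])
    print("distinct subjects:", distinct_subjects(pseudo))
    print("re-identified by key holder:", reidentify(pseudo[0], store))
```

The split matters for both halves of the requirement: the analytics or marketing team that holds the pseudonymised rows can count, join and segment on tokens but cannot name anyone, while the team that holds the `KeyStore` can answer a subject access or erasure request without ever receiving the full dataset.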

How can organisations comply?

One of the big benefits of GDPR will likely cause the most headaches: full organisation involvement. This cross-functional exercise should involve legal, risk and compliance, IT, and security departments. Involve teams from both technical and business perspectives.

The first, major step to complying with GDPR is to understand the data the organisation holds. Multiple departments will likely hold lists of personal information, such as email lists for marketing, human resources’ personnel files, and so on. Understanding what you must protect is the first step to protecting it.

Next, the teams from multiple departments should compare data policy and procedures already in place. An in-depth audit of policies can help reduce the burden of beginning a new data protection policy later on. The upfront work of comparing compliance standards now will save efforts in the future.

Assess your organisation’s requirements. Changes in GDPR include added protections for children, the “right of erasure” and new timelines for consent for data collection. Under GDPR, an individual has the right to request information from a company within 30 days and the data must be in electronic format. Likewise, the rules on data portability will require forethought about how data are being managed currently.

Hire a data protection officer. The GDPR requires a data protection officer (DPO) to coordinate reporting with the EU and manage data requests with data subjects. This DPO will manage the Data Subject Access Request (“DSAR”) Systems to coordinate data subject’s request for access, erasure, correction or portability. For all private sector enterprises, a single point of contact can manage IT processes, data security, and business continuity processes.

How can IT teams prepare?

In addition to working with the cross-functional teams, IT should evaluate incident reporting and responses. IT systems should be re-evaluated with security in mind. Now is the time to rein in “shadow IT” in other departments so that all data processing is in compliance.

Monitoring and compliance can be very time consuming. Automating any part of network scanning, log analysis, and compliance tracking can speed up time to compliance. In cloud-based systems providers usually offer tools like Amazon Inspector, AWS CloudTrail, Azure Service Trust Portal (STP), Microsoft Common Controls Hub in addition to many third-party tools.

Reevaluate access controls for IT teams and other departments. With cloud-based systems, it should be easier to implement strong password and authentication programs. With access management tools IT teams can also gain insight into which users require access to each service or application and apply the rule of “least privilege” required for each.

Add encryption in-transit to any existing encryption best practices. Cloud providers offer excellent encryption for data at rest, but only some services and intra-region transfers have data-in-motion encryption. Any data traveling between cloud regions, traveling over the public internet, and between organisation locations should be encrypted.

Prepare with security, but plan for a data breach. GDPR requires all organisations report any data breaches involving personal information within 72 hours of discovery. Along with controls to detect any unwanted network access, your teams should also have a plan to control and shut down any malicious actors.

VNS3 can help organisations meet data security measures for data privacy compliance. Even if your company is not located in the EU, your data might include information on a “data subject.” For organisations with large amounts of data and data that travels between networks the best options include adding encryption in-transit. Cloud providers offer excellent encryption for data at rest, but only some services and intra-region transfers have data-in-motion encryption. Any data traveling between cloud regions, traveling over the public internet, and between organisation locations should be encrypted.

But, don’t just take our word for it! Use VNS3 in any cloud environment with our Free Edition. Try it today from the AWS Marketplace or Azure Marketplace.

Get in touch with our sales team for BYOL versions for other large clouds, custom pricing, or for a POC.