16Aug
Why I Joined ShieldX
Business

We recently announced that I joined ShieldX Networks as CEO.

Like many job seekers, I relied on friends and trusted colleagues to inform my decision. Mike Fey first turned me onto ShieldX (he recently outlined his reasons for investing in ShieldX and it is a must read). Mike encouraged me to invest alongside him. Consequently, when the ShieldX team started to look for a CEO to partner with the founding team, a much more direct level of involvement began to surface. It did not take long for me to recognize that ShieldX is where I wanted to be, if the founders and board would have me. While there were several reasons this opportunity was so compelling, it came down to four main drivers.

Market opportunity
The ShieldX Elastic Security Platform could well be THE enabling security offering, one that both enables the migration to microsegmentation and delivers on its security promises in the era of cloud computing. The move to the cloud is fundamentally changing how IT and networking are done, how applications are developed, where security risks need to be mitigated and how security needs to be inherently and elastically applied. To date, many enterprises have begun their data center transition to the cloud, but during this transition, hackers and malicious insiders have uncovered and exploited blind spots, particularly along the emerging East-West axis of the data center. We, as an industry, have spent a few decades focused on securing North-South network traffic boundaries; but as networks became flatter, larger and more dynamic, a growing attack surface arose within them, leading to an ever growing number of security breaches caused by attacks spreading on the East-West axis.

What if we could offer improved network security by using elastic security software, which offers visibility, policy generation for microsegmentation and a rich set of dynamic security controls to enable fully automated security in this new world? What if we could simplify achieving and reporting on compliance in the cloud? For CISOs, the current set of market options means buying multiple point products, some of which are being shoehorned into solving a problem they were never designed to solve.

Further, what if we could offer security without increasing customer overhead? ShieldX does this with technology that was designed from the ground up to serve in this elastic environment where it once was impossible to define your network security posture. As Mike Fey stated in his blog, “East west security is more important than north south.”  ShieldX can—and will—protect all data center workloads in the future. As anyone interested in deploying a Zero Trust effort will understand—ShieldX is in the thick of an important market.

Technology
Today, the majority of approaches to microsegmentation require agents. Not ShieldX. Instead, ShieldX pioneered an application layer security approach that brings visibility to traffic patterns enterprises had not seen before the arrival of multi cloud. And it is not just visibility. ShieldX’s approach also brings application layer threat prevention. Remember what IPS brought to on-prem network perimeters? ShieldX does this in your cloud. Being agentless allows for robust functionality such as virtual patching: virtually patching cloud workloads combats the new trend in ransomware, where the new target is unpatched workloads/VMs in your data center and cloud. And then there’s automation. One of ShieldX’s customers used to have a firewall analyst spend four hours (!) daily updating policies. Our automated policy enforcement dynamically assigns policies based on predefined criteria aligned to your business process, enabling this valuable resource to be redeployed into more strategic activities.

Team
I knew Ratinder and Manuel professionally and by reputation from McAfee. Both are innovators and famous within the industry for good reason. When stars aligned and Ratinder and the ShieldX board were looking for a CEO partner, it was hard to not get excited. The team that built ShieldX is hard to duplicate. Few innovators could build a platform that promises to upend security as enterprises move to the cloud. Also, if one looks at the other people associated with the company, be it investors, board members or advisors, they would have to say this is truly a “hall of fame” caliber line up.

Competitive landscape
Today, if you want security in the cloud you have to choose between virtual firewalls, agent-based technology or cloud-native capabilities. Virtual firewalls suffer two fundamental problems: they don’t scale elastically in the cloud and they create far too much administrative overhead in an ever-changing cloud environment. If you require more TLS decryption in an environment for inspection, for instance, you need to buy more firewall licenses to get it, even if you don’t need the other features included in that license. Worse, because of the extra traffic incurred by virtual firewalls, you’ll end up paying excessive CPU overhead costs and you’ll have to hire additional network security staff to administer ACLs in your ever-changing cloud environment. Cloud native providers supply basic security capabilities, but they are hardly best of breed, they too require far too much overhead to constantly re-configure, they only support their own platform, and they lack the advanced application layer security capabilities security teams require. And many new entrants in this space require agents. The drawbacks of agents are pretty well known, but you can always ask one self-answering question: Is it OK in a production environment to deploy agents to workloads without extensive QA and compatibility testing? Perhaps the biggest deficiency of all the above approaches is their lack of automation. By contrast, ShieldX installs quickly and brings fast time to value. More importantly, our software is architected to provide elastic scalability and makes policy and control management dramatically simpler. At the end of the day, ShieldX lowers your operational costs to enable microsegmentation and lateral movement protection. Bottom line: ShieldX brings an unfair advantage to the market.

I encourage you to try ShieldX. Three of our customers not only influenced my decision to join, but also echoed my sentiments in these detailed reviews including this compelling testimonial from Alaska Air:

We switched to ShieldX because traditional firewalls are more expensive, and they require you to take all of your traffic outside of your virtual environment to inspect it and then return it back to the virtual environment. ShieldX also enables us to migrate to cloud environments faster.

30Jul
Capital One Breach: It’s Cloudier than you Think
Business

Looks like another breach, but this one continues a recent trend we’ve been seeing on the rise. Namely, the attacker took advantage of a poorly configured or misconfigured firewall to access cloud-based data. Some claim it was a web application firewall; other reports aren’t clear. Regardless, as we move into multi cloud, this problem is becoming more and more pervasive.

Capital One, like many companies, is stuck in a time warp. Historically, security was done mostly by fortifying the perimeter of the network, assuming that adversaries could be kept out by locking a single gate or chokepoint. More and more, we learn that this architecture is no longer effective, as there is an incongruity between the physical data center boundary and virtual perimeters. Those new perimeters can take on any size and shape and change at cloud speed, making it impossible for traditional security to follow, especially traditional firewalls. Worse, the security controls offered by cloud vendors are weaker than traditional options and are often no match for sophisticated attacks. In this case, the attacker was a former AWS employee who likely knew the ins and outs of the fragmented, cloud-based network.

What are the lessons?

  1. Without auto-generation of policies, dynamic environments will always have sub-optimal firewall configurations. Today, many enterprises employ people whose sole function is to update firewall policies. Spending hours every day, often a full time role (!), security teams have people who constantly update firewall policies. When you move to the cloud, this isn’t scalable; it’s impossible for humans to keep up.
  2. It’s not just automated security policy generation: you also need automated control deployment. Policies are only as good as the controls that enforce them. Even if you get policies under control, the dynamic nature of the cloud still means the controls must adapt at the same, instant speed.
  3. Intention, intention and intention. Automation isn’t enough if you can’t tell your system what you want it to do. When you input a destination into Waze, hiccups happen. Does Waze say, “sorry, you can’t go there anymore”? No, it adjusts. The same flexibility is required in security: continuous and automated transformation of the security intent into security controls, eliminating configuration errors over time.
  4. East West is the new North South. Tracking lateral movement in a fragmented cloud environment is more critical than ever.

You’ve moved to the multi cloud—welcome to the new reality.  One of the biggest questions facing every senior security professional is figuring out how to secure enterprise networks as they fundamentally and constantly change over time. This requires a level of flexibility and scale heretofore unknown in the security industry. Traditional appliance-based solutions were built monolithically and are not well suited to cloud architectures. And new cloud friendly products do not provide the depth of security to protect environments from the variety of attacks typically faced.

So what can you do?  Check out our CISO’s Guide to Multi Cloud Security which provides more than a few clues.

24Jul
Why I invested in ShieldX
Business

I have had the pleasure of working with the Shield X team for a couple years and recently made a significant personal investment in the company.  Why?

First, let’s assess just how cloud computing has impacted security.  In my view, the future of how we defend workloads in the cloud requires a ground up re-architecture.  We all grew up with a “defend the north-south” mentality and didn’t think much about east-west defense.  And for good reason—defending east-west was extremely difficult, expensive and simply couldn’t scale.  In a cloud native future, however, east west is as risk-laden as north south in the “old” days. As enterprises place their data centers in the cloud, you’ve essentially fragmented your crown jewels.  Enterprises are now realizing just how much security and compliance postures become downgraded by a move to the cloud.

Historically security was done mostly by fortifying the perimeter of the network.  That architecture is no longer effective, as there is an incongruity between the physical datacenter boundary and virtual perimeters. Those new perimeters can take up any size and shape and change at cloud speeds making it impossible for traditional security to follow. Additionally, the security controls offered by cloud vendors are weaker than traditional options and are often no match against attacks hindering confidence and compliance in cloud adoption.

Today, many vendors tackle the problem with agents, rigid rules sets or hard coded approaches.  Inevitably, you’ll be let down in your cloud migration journey if you deploy any of these options with negative repercussions on compliance, security and cost. Many early adopters of agent-based approaches already regret their decision.

This is where ShieldX comes in.

ShieldX represents a new and very needed way to do security. ShieldX is a perfectly designed solution built for the new cloud paradigm. Not only does ShieldX fix the flat network problem, but it also makes compliance a no brainer. And ShieldX doesn’t stop there, bringing:

  • Visibility: ShieldX discovers infrastructure assets such as networks, virtual switches, DV switches, virtual private clouds, vNets, subnets, workloads, tags and so on. It monitors network traffic and uses machine learning to arrange assets into application views. ShieldX uses traffic classification and network scanning to understand the attack surfaces and vulnerabilities. In addition, ShieldX uses data classification of both data in motion and data at rest to understand information loss risk.
  • Compliance: Failing an audit when your data and applications are all over the cloud often serves as a wake-up call for cloud security. The ever-changing nature of the cloud is diametrically opposed to the neat, orderly and segmented environments auditors like to see. With ShieldX’s microservices architecture, security enjoys a cloud-native solution that works the way cloud tools are supposed to: elastic and scalable while satisfying auditors.
  • Automation: Combined with machine learning, ShieldX uses its visibility to provide a risk view and suggest appropriate micro segmentation and advanced security policies. The security operator can use the application model, along with the risk view and the suggested security policies, to create their security intent easily and quickly.
  • Full-stack security controls to extend coverage where you don’t have any: ShieldX provides a comprehensive set of controls that go beyond basic ACLs, including micro-segmentation, access control, threat prevention, malware detection, URL classification and filtering, TLS decryption, indicator of pivot detection, anomaly detection, sensitive data migration detection and more, all of which are policy-based and adaptive.

Moving forward, as enterprises continue their massive shift away from VMs and into true cloud architecture, ShieldX will be at the forefront of their defense strategy. In summary, ShieldX is the only solution that continuously discovers workload applications and associated risk, automates policy generation and control deployment in the multi cloud.

30Jan
The Rubric Automated Security Policies
Business

No matter how security focused an organization is, the cloud era has brought on a new set of issues tied to lack of visibility and control over what gets deployed and where it’s deployed. This is why having automated security controls is critical in the protection of critical information being exposed, and more importantly leaked.

Today, TechCrunch reported a security flaw at Rubrik, a major IT security and cloud management provider, that could have led to the exfiltration of key customer data had it not been caught. The article noted that a server, which was part of developing a new customer support system, was improperly configured, leading to the risk of data being exfiltrated. It would be easy to point the finger at Rubrik and say they are responsible; however, the truth is that in a constantly changing environment such as the cloud, it is difficult for us as humans to effectively ensure all systems are properly protected during provisioning and migration of workloads and applications.

Many people who are deployed in Azure and AWS assume they are automatically protected through native cloud security controls. This is a perfect example of how those controls are not sufficient in protecting the workloads that are being rapidly provisioned and constantly migrated due to agile development of new applications to support customer functionality and business operations.  But even with a solid level of security in place, the system could have still gone unnoticed. This is where automation becomes important.

Preventing this type of issue is exactly why ShieldX was founded. With ShieldX you can set Application Aware ACLs to be automatically applied to servers as they are provisioned or migrated. This means ShieldX security policies would have been applied to the Elasticsearch service and guaranteed the same access restriction no matter where it appears in the cloud environment. With ShieldX, customers get “Layered Security and Layered defense” by means of “ACLs/Micro segmentation”, and Indicator Of Pivot modeled around the “Cyber Kill chain”, providing a single pane of glass for security controls deployed on-premise, in AWS and in Azure. With ShieldX in place, organizations like Rubrik can create automated policies that will automatically apply the appropriate security controls as systems come online. Finally, enterprises can focus on defining the appropriate security intent and have the cloud-native security platform offered by ShieldX transform that intent into actual policy and a rich set of controls, with automation and orchestration to increase security posture and reduce TCO.
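The Capital One lessons above (auto-generated policies, automated control deployment, intent that survives change) and this Rubrik paragraph (ACLs that follow a server as it is provisioned or migrated) describe the same mechanism. The following is an added illustration of that mechanism, not ShieldX’s code or data model: intent is written against workload labels rather than addresses, and the same intent is recompiled into concrete allow rules every time the inventory changes. The workloads, labels, addresses and the tiny policy language are constructed for the example.

```python
"""Intent-based policy generation, an added illustration (not ShieldX code).

Security intent is written against workload labels (tier, app), never against
addresses.  Whenever the inventory changes (a workload is provisioned, migrated
or re-addressed) the same intent is recompiled into concrete allow rules, so the
controls follow the workload instead of a person editing firewall policy by
hand.  The workloads, labels and policy language below are constructed for this
example and are not a real vendor's data model.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Workload:
    name: str
    address: str
    labels: frozenset  # e.g. frozenset({"app=billing", "tier=web"})


@dataclass(frozen=True)
class Intent:
    """Workloads matching src_labels may reach workloads matching dst_labels on port."""
    src_labels: frozenset
    dst_labels: frozenset
    port: int


@dataclass(frozen=True)
class Rule:
    """One concrete allow entry; everything not listed is denied (default-deny)."""
    src: str
    dst: str
    port: int


def matches(workload, labels):
    """A workload matches a selector when it carries every label in it."""
    return labels <= workload.labels


def compile_rules(intents, inventory):
    """Expand label-based intent into address-based rules for the current inventory."""
    rules = set()
    for intent in intents:
        sources = [w for w in inventory if matches(w, intent.src_labels)]
        targets = [w for w in inventory if matches(w, intent.dst_labels)]
        for s in sources:
            for d in targets:
                if s is not d:
                    rules.add(Rule(s.address, d.address, intent.port))
    return rules


def provision(inventory, workload):
    """Inventory after a new workload comes online."""
    return list(inventory) + [workload]


def migrate(inventory, name, new_address):
    """Inventory after one workload moves to a new address (e.g. a new subnet)."""
    return [Workload(w.name, new_address, w.labels) if w.name == name else w
            for w in inventory]


def is_allowed(rules, src, dst, port):
    return Rule(src, dst, port) in rules


# Constructed intent: load balancers reach the web tier on 443, web reaches the DB on 5432.
INTENTS = [
    Intent(frozenset({"tier=lb"}), frozenset({"tier=web"}), 443),
    Intent(frozenset({"tier=web"}), frozenset({"tier=db"}), 5432),
]

# Constructed starting inventory.
INVENTORY = [
    Workload("lb-1", "10.0.0.10", frozenset({"app=billing", "tier=lb"})),
    Workload("web-1", "10.0.1.10", frozenset({"app=billing", "tier=web"})),
    Workload("db-1", "10.0.2.10", frozenset({"app=billing", "tier=db"})),
]


def lifecycle():
    """Recompile the same intent across three inventory states and return the rule sets."""
    initial = compile_rules(INTENTS, INVENTORY)
    scaled = provision(INVENTORY, Workload("web-2", "10.0.1.11", frozenset({"app=billing", "tier=web"})))
    after_scale = compile_rules(INTENTS, scaled)
    moved = migrate(scaled, "web-1", "10.0.9.77")
    after_move = compile_rules(INTENTS, moved)
    return initial, after_scale, after_move


if __name__ == "__main__":
    for label, rules in zip(("initial", "after provisioning web-2", "after migrating web-1"), lifecycle()):
        print(label)
        for r in sorted(rules, key=lambda r: (r.src, r.dst, r.port)):
            print(f"  allow {r.src} -> {r.dst}:{r.port}")
```

The point to notice is that nobody edits a rule when web-2 is provisioned or when web-1 moves to 10.0.9.77: the new web server is reachable from the load balancer and can reach the database the moment it carries the right labels, and the old address of web-1 stops being allowed the moment it is no longer in the inventory. A hand-maintained rule base would have kept the stale address open, which is exactly the configuration drift the Rubrik and Capital One incidents turned on.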

03Jan
PART III: AWS and Azure–Cloud security isn’t true security
Business

This is part III of III.

Solve it

If individual cloud-based security isn’t the quick fix customers are seeking, what is? Well, that was a trick question of course. There is no quick fix. There IS a fix. And that is a pre-planned comprehensive stack that addresses your responsibility in cloud computing. These include, but are not limited to, segments such as the storage and exchange of customer data according to HIPAA compliance, GDPR, PCI-DATA, the SEC, and the list goes on.


When you go with a trusted multi-cloud provider like ShieldX, you replace the patchwork of features and providers with a high-visibility solution that addresses the above and more. You get your manager off of your behind when you remove those licensing and maintenance fees. Your costs go down. And instead of playing 3-D chess to avoid misconfigurations, you can breathe.


Some CISOs get started by consulting with their team, then building a map to show the missing pieces of their security apparatus and their solutions. Don’t forget to work with application owners to understand any potential threat vectors. A solid strategy will address:

  • Missing security apparatus
  • Threat vectors in application/components
  • A good security hygiene
  • Access control permissions


Regardless of what security approach you are planning in your cloud or multi-cloud environment, please do not go with a lift-and-shift approach. Understand the security implications of your presence by evaluating the differences and trade-offs between on-premises and cloud security. Then call us.

17Dec
VMWare Security Analysis
Business

Data center virtualization was originally designed to improve the utilization rates of computing, networking and storage assets. As the early pioneer of such technologies, VMWare grew to become the dominant vendor of data center virtualization software. Unfortunately, cloud providers’ popularity and rapid feature expansion have not been matched by the limited security solutions they offer along with their data packages.

Unaware customers who migrate their assets via providers like VMWare, without a holistic inter-cloud security strategy in place, are left both insecure and financially vulnerable.

While every cloud provider should be considered an analog, in this advisory we will address VMWare specifically as both a trendsetting example and leading cloud provider. Here we provide users with five reasons to consider an inter-cloud security approach when those assets are in play.


A successful software-defined data center implementation should support scaling of computing resources

This allows for business units to add new applications rapidly and with enhanced DC security. This should be enabled in a VMWare-powered data center. But this is not a feature VMWare offers. A barely hidden secret in IT corners is that many previous loyalists have chosen to convert to AWS and prompted a rapid rise in demand for cloud computing and IaaS.

A comparison of the growth in AWS-based virtualization and VMWare’s on-premise virtual servers illustrates the movement toward AWS.

Solution   2013    2014    2015    2016     2017
AWS        3,108   4,644   7,880   12,219   17,459
VMWare     5,150   6,040   6,650   7,090    7,920 (*)

(All figures in $ millions.)

(*) Restated to account for the Dell acquisition


The result has been that enterprises now own two separately virtualized assets. One is in their data centers with VMWare, and the other is in AWS VPCs and/or Azure Vnets. The public cloud has delivered economic benefits for them as well as more flexible control over their resources.


VMWare’s virtual networking and security toolkit are not built to maximize security

While VMWare has robust server virtualization offerings, its security features are simply too underdeveloped for the majority of customers’ needs.

To supplement them, customers seek alternatives with Cisco ACI and a multi-vendor mix for their security needs. Meanwhile, the cumulative cost to VMWare customers keeps rising. Gartner has seen consistent adoption of these offerings over the past year, and Cisco now reports over 3,500 paying ACI customers. (Gartner MQ on Data Centers)


VMWare never quite ‘got’ public cloud standards

VMWare initially took an adversarial stance towards their competitors. Of course, these were public clouds, most notably Amazon’s AWS. Not only did VMWare downplay the compelling benefits of AWS, but more importantly they did little to match their capabilities or provide alternative, legitimate pathways for customer workload migration.

Then they followed up with their own public cloud solution which experienced a myriad of growing pains. Their vCloud Air was sold to OVH in May 2017.


Add-ons add up

After launch when it was forced to reconsider its position, VMWare offered its cloud customers an option of deploying its virtualization toolset (VMWare cloud on AWS) on top of the already virtualized AWS cloud (functionality illustrated by VMPro).

The following table quantifies the cost of running VMWare Cloud on AWS compared to native AWS virtual servers, VMWare providing no additional benefit.

Note the additional cost requirement to heavily invest in VMWare’s private data center in order to access preferred pricing in AWS.


VMWare on-premise license requirements                                      Yearly cost of 10 VMWare servers on AWS (1)   Yearly cost of 10 AWS EC2 instances without VMWare overhead (2)
100 CPUs of vSphere Enterprise Plus                                         $467,883                                      $193.20
100 CPUs of vSphere Enterprise Plus & 10 CPUs of NSX                        $441,890                                      $193.20
100 CPUs of vSphere Enterprise Plus & 20 CPUs of NSX and 20 VSAN licenses   $389,903                                      $193.20

(1) VMWare data procured from their blog.

(2) AWS pricing is based on a standard reserved instance for a 3-year term, as derived from their pricing sheet.


VMWare has not delivered on its promise of a robust security platform

When it comes to segmentation and threat prevention across the data center and public cloud, its customers are still waiting for answers. VMWare has underdeveloped inter-cloud security offerings—and they are hampering customer adoption of true multi-cloud infrastructure.

Let’s go back to the very beginning of connective security, starting with virtual servers. Virtual servers naturally gave rise to virtual network switches, which connected them within a single physical server and across their data center. The servers needed to be segmented and inter-server traffic inspected for threats.

Initially, VMWare offered the VMSafe API to allow partners to bring their expertise to bear in order to keep this virtual network safe for their customers. But after getting their partners invested in this approach, VMWare abruptly canceled their API effort in favor of internally developed techniques. The outcome was that the virtual network suffered in its security posture compared to what was delivered on the physical network. This limited security foundation is unfortunately coupled with an aging virtual network and repackaged as an “inter-cloud” offering called NSX-T. NSX-T is not lacking in bold claims.

While the NSX-T design guide claims to provide “micro-segmentation for AWS workloads,” it does not offer any threat mitigation beyond the original NSX offering, which is limited to working on top of AWS with little support for other leading clouds such as Azure and GCP.

The security offered by NSX-T is based on basic firewall functionality for N-S traffic, coupled to the segmentation built into each vNIC.

NSX-T does not begin to address the fundamental requirements of a multi-cloud security solution. The security policy must be expressed as an intention to be applied not to VMs, but to operations from application workloads. The solution must work seamlessly across all major clouds.

Customers who have integrated their assets with VMWare have been struggling to absorb and deploy this limited model as they look to mitigate inter-cloud security challenges.

Take a hint from a proprietary major utility company, which had to deploy virtual firewalls in addition to NSX to protect their virtualized data center. Operationally, these dual security frameworks were challenging to maintain.

The customer was unsure, after all their efforts, whether they had the protection they needed. When they moved their workloads to AWS, the same data center security implementation could not be deployed there. The increasing opex and capex burdens, and reduced confidence in security, set back their timeline for moving additional workloads to the cloud.

VMWare’s capitulation to AWS has resulted in a new marketing approach wherein VMs from the data center can migrate to AWS. As noted earlier, this doubles their customers’ spend and reduces their flexibility. Additionally, this migration is currently supported on AWS, but not on Azure or Google Cloud.

Meanwhile, VMWare has taken to the airwaves stating that there are too many security offerings in the marketplace. The implication is that customers should turn to VMware for a simplified and seamless security umbrella.


Summary

Enterprise customers are attuned to VMware messaging and some have absorbed its technology and marketing pitch. While VMWare has robust server virtualization offerings, its security solutions are inadequate in relation to its features.

When what is being provided does not meet their fast-changing usage needs, customers either turn to complex and costly add-on solutions, or are otherwise hampered in their search for workload security across multi-cloud platforms.

Moving forward, enterprises should consider a true SDDC strategy that offers overarching protection for cross-platform assets. Don’t put blind faith in security for your entire company as provided by one of several cloud platforms in use.

07Nov
Cathay Pacific: Get Off of My Cloud
Business

Just today, government authorities in Hong Kong launched a formal investigation into the breach to understand if privacy laws were violated. While privacy laws are extremely important, the investigation should also focus on HOW this happened. While post-mortems for any breach are useful, I think this attack highlights a new category of cloud attacks we haven’t seen much before, but will see with increasing frequency.

First, a little about Cathay Pacific and their cloud deployment.  Like many, they’ve adopted a multicloud strategy:

“In the past three years, Cathay Pacific has been making a shift away from legacy systems to the cloud,” says Aloysius Cheang, executive vice president for Asia Pacific at the Center for Strategic Cyberspace + Security Science, a U.K. think tank for cyber centric leadership. “It now employs a hybrid cloud as part of its strategy to replace their legacy systems,” he says.

The airline is using software from Redhat to build the underlying open platform infrastructure, and it is using Amazon Web Services to hold customer-facing applications, such as online check-in system, flight schedule, fares and web hosting, as was described during AWS Summit Hong Kong in 2017, Cheang points out. “As a result of these front-end apps, I presume that the customer data will be accessible from these apps which are hosted on AWS,” he says.

Last April, we wrote about the new attack surface that comes with cloud migration. One of the attacks, X-Cloud, seems to have been the attack method deployed against Cathay Pacific. By all measures, it was pretty successful: according to the headlines, hackers took 860,000 passport numbers and about 245,000 Hong Kong identity card numbers, and accessed 403 expired credit card numbers and 27 credit card numbers with no card verification value (CVV).

What is an X-Cloud attack? From our April blog:

Many enterprises are under the impression that they can go easy on security if they don’t host ‘critical workload’ or ‘sensitive data’ resources in the cloud, but they couldn’t be more wrong. Attackers commonly use public clouds to gain entry into on-premise data centers.

Once your organization makes the decision to migrate any workloads into the public cloud, the perimeter of your on-premise data center also extends into that public cloud environment.

So the appropriate defenses are needed, but the security controls used to protect your on-premise data center cannot easily extend into your public cloud environment.

This forces many organizations to adopt a fragmented security posture that is complex to maintain and leaves the door open for attackers. Public cloud workloads can become infected with malware. As the malware replicates and spreads, the attack can easily jump from the public to the private cloud using standard protocols—if there are no lateral defenses in place.

Cathay Pacific style attack patterns

Cathay Pacific moved application front-ends to the public cloud—extending their perimeter into the great beyond.  Many companies discover quickly that you can’t easily keep your old security tools in front of those migrated workloads as it would require them to migrate into the public clouds as well. Congratulations, you have a new attack surface.

In the past, the infrastructure was all on premise and shielded by comprehensive security controls.  With the onset of cloud computing, now if the web tier is extended—how do you protect assets in this contorted, new architecture?

Attackers understand this very well. One typical trick is to breach the web server in AWS and drop a backdoor accessible from the outside. Then they tell the backdoor to copy all the data from the database, which has to be reachable from the web server to fulfill the web application’s purpose. However, data is normally served in parts, dependent on the authenticated user. With the backdoor, that authentication is bypassed, and the web server’s access now covers the whole data set.

What is really important to note here is that even micro segmentation alone (!) wouldn’t protect against such an attack — the web server needs access to the data that it serves.
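Because the web tier legitimately talks to the database, the useful signal in this attack pattern is not which hosts are talking but how much data the web identity is pulling and whether its queries are still scoped to one customer. The following is an added illustration of that data-layer check, not ShieldX’s code: it learns the normal rows-per-query of the web application from a baseline, then flags single queries far outside it, queries with no per-customer predicate, and any client identity whose total rows in the window exceed a cap. The audit-log format, field names and log records are constructed for the example; the 860,000-row read mirrors the headline figure above.

```python
"""Data-layer anomaly detection for a compromised web tier, an added illustration
(not ShieldX code).

A breached web server keeps its legitimate path to the database, so a network
allow-rule sees nothing wrong.  What changes is the shape of the access: a
backdoor dumping a table returns far more rows per request than any real user
session does, and its queries are unbounded (no per-customer predicate).  This
example baselines rows-returned per query with a robust statistic (median + k *
MAD), flags single queries that fall outside it, flags unbounded queries, and
caps the total rows a client identity may pull in the window.  The audit-log
format, field names and records are constructed for the example.
"""
import re
import statistics
from collections import defaultdict

LINE_RE = re.compile(
    r'^(?P<ts>\S+) client=(?P<client>\S+) user=(?P<user>\S+) '
    r'rows=(?P<rows>\d+) query="(?P<query>[^"]*)"$'
)

# Constructed history of normal web-tier access: a few rows per authenticated user.
BASELINE_LOG = """\
2018-10-23T10:00:01Z client=10.0.1.10 user=webapp rows=3 query="SELECT * FROM passengers WHERE customer_id=$1"
2018-10-23T10:00:04Z client=10.0.1.10 user=webapp rows=1 query="SELECT * FROM passengers WHERE customer_id=$1"
2018-10-23T10:00:07Z client=10.0.1.10 user=webapp rows=2 query="SELECT * FROM bookings WHERE customer_id=$1"
2018-10-23T10:00:09Z client=10.0.1.10 user=webapp rows=4 query="SELECT * FROM passengers WHERE customer_id=$1"
2018-10-23T10:00:12Z client=10.0.1.10 user=webapp rows=2 query="SELECT * FROM bookings WHERE customer_id=$1"
"""

# Constructed current window: normal traffic followed by a backdoor reading a whole table.
CURRENT_LOG = """\
2018-10-24T10:00:01Z client=10.0.1.10 user=webapp rows=2 query="SELECT * FROM passengers WHERE customer_id=$1"
2018-10-24T10:00:03Z client=10.0.1.10 user=webapp rows=3 query="SELECT * FROM bookings WHERE customer_id=$1"
2018-10-24T10:00:15Z client=10.0.1.10 user=webapp rows=860000 query="SELECT * FROM passengers"
"""


def parse_log(text):
    """Parse audit lines into dicts; lines that do not match the format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["rows"] = int(rec["rows"])
            records.append(rec)
    return records


def robust_threshold(values, k=10):
    """median + k * MAD.  MAD is floored at 1 so a perfectly flat baseline still has slack."""
    med = statistics.median(values)
    mad = statistics.median(abs(v - med) for v in values)
    return med + k * max(mad, 1)


def detect(current, baseline, volume_cap=10000):
    """Return alerts for the current window, using the baseline to learn normal row counts."""
    threshold = robust_threshold([r["rows"] for r in baseline])
    alerts = []
    per_identity = defaultdict(int)
    for r in current:
        reasons = []
        if r["rows"] > threshold:
            reasons.append("rows_outlier")        # one query returned far more than normal
        if " where " not in r["query"].lower():
            reasons.append("unbounded_query")     # no predicate: whole-table read
        per_identity[(r["client"], r["user"])] += r["rows"]
        if reasons:
            alerts.append({"ts": r["ts"], "client": r["client"], "user": r["user"],
                           "rows": r["rows"], "reasons": reasons})
    # Slow exfiltration through many small queries still shows up in the window total.
    for (client, user), total in per_identity.items():
        if total > volume_cap:
            alerts.append({"ts": None, "client": client, "user": user,
                           "rows": total, "reasons": ["bulk_read_volume"]})
    return alerts


def run():
    return detect(parse_log(CURRENT_LOG), parse_log(BASELINE_LOG))


if __name__ == "__main__":
    for a in run():
        print(a)
```

The two normal queries in the current window produce nothing, while the table dump trips all three checks: it is an outlier against the learned baseline, it carries no customer predicate, and it pushes the web identity’s window total past the cap. The third check matters most in practice, since an attacker who paces the copy in small bounded queries defeats the first two but not the running total. Which of these signals a product labels “sensitive data migration detection” or “anomaly detection” is a vendor choice; the example only shows why the control has to live at the data layer rather than in the segmentation policy.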

So Willkommen (I’m Austrian) to the new realities of cloud security. In this new era, we have to break old habits and old ways of thinking rooted in yesterday’s security approach, and we have to admit to ourselves that the chokepoint approach won’t work anymore. For the CISO in today’s IT world, the security game has, in many ways, become a whole new model to work with. In years past, the name of the game was “containment, with chokepoints”. It was a tightly controlled world, and CISOs had the ability to lock it down and only allow dataflows through a select set of avenues.

What is the right way?  Let’s start with some inspiration from Mick:  https://www.youtube.com/watch?v=z8HHqUwKdP8

16Jun
The Strategy Behind the Startup Madness
Business

Welcome to ShieldX and our Blog. This inaugural post provides insight into ShieldX, the company, its mission and how ShieldX is able to offer, within only 18 months, a validated, market-changing innovation with market-renowned recognition as a Gartner 2017 Cool Vendor in Cloud Security.


About Author

Ratinder Ahuja, Founder & CEO

Ratinder leads ShieldX and its mission as its central pivot point, drawing from a career as a successful serial entrepreneur and corporate leader, bringing with him his unique blend of business acumen, industry network and deep technical knowledge.