What is AWS re:Inforce?

AWS re:Inforce is a spin-off of AWS re:Invent. Why the need for a spin-off? Legend has it that the security tracks during re:Invent got so crowded that AWS decided the security track should have a conference of its own.

AWS re:Inforce is a different kind of conference: a highly technical conference of curated content meant for security professionals. This is a conference where knowledge runs deep and conversations go deeper, with few marketing overtures and high-level musings. Even the vendor-sponsored presentations were very technical, with interesting takeaways. If your organization is invested in AWS at any level, it’s a great conference to attend. You get two condensed days of dedicated security content for the different services, architectures, and platforms offered by AWS. The content is available for multiple levels of expertise. You also get access to top-tier AWS experts, whom you can consult on your different architecture dilemmas. Since this conference turned out to be very popular, one tip I’d give next year’s attendees is to book your desired sessions as far ahead of time as you can (at least a few weeks, if possible). In conversations with colleagues, I learned that many couldn’t get into all the sessions they had wanted. So I suggest you plan well for next year.

Here are some of the takeaways from the conference that I’d like to share with you:

  1. Humans don’t scale – This is not a revolutionary new thought; it’s common knowledge in the DevOps world. However, the same understanding is becoming prevalent in the security industry as well. Organizations are starting to understand that as they move to the cloud, managing security for multiple dynamic environments just doesn’t scale, both from the configuration and the IR perspectives. Organizations are moving away from complaining about the security personnel shortage, and are instead looking to converge their multiple security platforms into 2-3 systems that provide wide coverage of use cases and allow a high level of automation and compatibility with common DevOps practices.
  2. Security platforms converge – Organizations are transforming their IT operations to be efficient and automated. Security has to follow suit and be an enabler instead of a road block. The end goal from a CISO perspective is to achieve governance of the whole network, not just the cloud deployments or just the on-prem ones. Vendors can no longer have separate solutions for on-prem and cloud. A single unified solution is the only viable, sustainable option.
  3. Migration is hard – Migrating your workloads to the cloud is hard; migrating your security policy is even harder. Organizations moving all or some of their workloads to AWS find it very hard to keep the same level of security posture. Running a successful migration project without compromising on security requires replacing controls that simply do not exist in the cloud. The existing security tools these organizations are using are not suitable or sufficient for enforcing the same security posture in the cloud.
  4. Hit F5 on your threat model – One of the main takeaways for security practitioners on AWS is to take a fresh approach to what actually needs to be secured. Make sure that as new cloud constructs and services are adopted by the organization, you actually have the right tools or policies in place to secure them. One example is AWS Control Tower (announced GA at the time of the conference), which helps you govern your AWS environment and account policy. When looking at hybrid or cloud-only topologies that require a complex network model, you realize that you need a hybrid solution to provide an overlay policy for both your cloud and on-prem assets.
  5. API is king – As our architectures and networks become more complex, the ability of a human to monitor or maintain a network is becoming unrealistic. A great example is the SOAR (security automation and remediation) space. Organizations are moving away from shiny SOCs (security operation centers) with big TVs and hordes of operators. Human operators are not an effective solution over time, and especially not at scale. The move to automated playbooks solves both the staffing issue and the variable quality of incident handling. Each incident is handled according to a premeditated script for that scenario, with no need to reinvent the wheel. Sometimes it’s smart to let automation be our friend and make our lives easier.

As CISOs need to be able to secure their entire network, and not just the cloud elements, the same concepts should apply more widely to network security. These have been the cornerstones of building Guardicore Centra, a micro-segmentation solution that works across all environments and can complement and secure your AWS strategy. Modern infrastructures are dynamic and can change thousands of times over the span of a day. Security policies should be just as dynamic, be applied just as fast, and be able to keep the same cadence. Guardicore enables security practitioners to integrate with APIs and move at the speed of the organization. Tools that require your security and network engineers to define security policy only through the UI, and that provide no way to script and automate policy creation, will not make the transition to the cloud.

We believe that security shouldn’t be an obstacle or a cause for delay, and so one single, unified solution is a must-have. This obviously needs to work in a hybrid and multi-cloud reality, without interfering with AWS best practices, for it to be beneficial and not slow you down.

Want to learn more about hybrid-cloud security? Watch this video about micro-segmentation and breach detection in an increasingly complex environment.


Interested in cloud security for hybrid environments? Get our white paper about protecting cloud workloads with shared security models.


Guardicore Achieves AWS Security Competency Status for Micro-Segmentation and Zero Trust

Guardicore Centra Security Platform Provides Segmentation for Applications, Flows and Processes, Providing Granular Policy Controls to Establish Zero Trust Micro-perimeters

Boston, Mass. and Tel Aviv, Israel – June 28, 2019 – Guardicore, a leader in internal data center and cloud security, today announced that its Centra Security platform is one of the first cloud and data center micro-segmentation solutions in the market to achieve Amazon Web Services (AWS) Security Competency status. This designation recognizes that Guardicore has demonstrated proven technology and deep expertise that helps customers achieve their cloud security goals.

“By implementing Guardicore Centra combined with the range of powerful tools from AWS, our customers are able to gain the highest level of visibility and implement micro-segmentation for enhanced security. And they can do it faster and more effectively than traditional firewall technology with our simple-to-deploy overlay that can go to the cloud, stay on-premise, or do both at the same time,” said Pavel Gurvich, CEO and Co-founder, Guardicore. “Achieving AWS Security Competency status demonstrates our ability to deliver innovative solutions that help our forward-thinking enterprise customers quickly secure their business-critical applications and data, reduce the cost and burden of compliance and secure cloud adoption.”

Moving applications and workloads to the cloud, or between clouds, is now a common attribute of the modern IT environment. However, the current security controls of such environments are still not adequate, and cloud migration presents multiple challenges for IT teams, including the loss of visibility and control over their assets.

Isolation is the solid foundation for cloud workload protection and compliance. Segmentation of network applications and their components can ensure isolation and reduce the attack surface. Guardicore Centra enables deep application dependency mapping and policy enforcement, ensuring an ongoing management process for the creation and maintenance of micro-segmentation policies. Guardicore Centra delivers a complete and flexible solution for micro-segmentation.

Achieving the AWS Security Competency differentiates Guardicore as an AWS Partner Network (APN) member that provides specialized software designed to help enterprises adopt, develop and deploy complex security projects on AWS. To receive the designation, APN Partners must possess deep AWS expertise and deliver solutions seamlessly on AWS.

AWS is enabling scalable, flexible, and cost-effective solutions from startups to global enterprises. To support the seamless integration and deployment of these solutions, AWS established the AWS Competency Program to help customers identify Consulting and Technology APN Partners with deep industry experience and expertise.

About Guardicore

Guardicore is a data center and cloud security company that protects your organization’s core assets using flexible, quickly deployed, and easy to understand micro-segmentation controls. Our solutions provide a simpler, faster way to guarantee persistent and consistent security — for any application, in any IT environment. For more information, visit www.guardicore.com.

Want to know more about securing workloads in AWS? Get our white paper about Protecting Cloud Workloads with Shared Security Models.


Are You on Top of the Latest Cloud Security Trends?

As enterprises embrace public and private cloud adoption, most find themselves working in a hybrid environment. Whether a hybrid architecture is a step towards becoming a fully cloud-enabled business, or an end-goal choice that allows you more freedom and flexibility over your business, you need the ability to protect your critical applications and assets across multiple environments while reducing your overall attack surface.

Understanding the Effect of Cloud Security Future Regulations

Achieving compliance can feel like an uphill struggle, with regular updates to existing regulations, as well as new regulations being written to handle the latest issues that enterprises face. While compliance doesn’t guarantee security, it’s tough to be secure without being compliant as a minimum foundation. The EU’s GDPR, for example, was created in response to the large number of data breaches that businesses are facing, protecting PII (personally identifiable information) from attackers who would use it for identity theft, crime, and fraud. Another example is the new California privacy laws that will go into effect in 2020. These are supposedly as strict as the GDPR regulations and will affect all companies who have customers living in California, both businesses in America and internationally.

As fines and consequences for non-compliance ramp up (GDPR fines, for instance, totaled €56 million in its first year), it’s likely that businesses will start uncovering their own limitations. This will include their legacy architecture and security techniques, and will prompt companies to make changes: adopting public cloud services that have been built with GDPR or California privacy compliance in mind, and extending their networks to include cloud as well as on-premises assets. It’s more important than ever that businesses put security first when making this kind of change, or they may be solving the problem of compliance at the expense of overall security and visibility.

Visibility is More Important than Ever as Businesses Adopt New Cloud Security Trends

All three main public cloud providers, AWS, Azure, and Google, use the shared responsibility model. Simply put, the cloud providers manage the infrastructure, and you as a customer are fully responsible for all customer data, access management, and network and firewall configuration. Each enterprise will have its own unique needs in terms of governance, SLA requirements and security overall, and in a multi-cloud environment, staying on top of this can be complex.

The bottom line is that customers often experience a lack of visibility and control when they consolidate their IT on the cloud, exactly where they need that insight and attention the most. If you have specific regulatory or industry needs, you will need more assurance that you have control over your workloads and communication flows.

Cloud-Native Environments are the Cloud Security Future

Improving your visibility across a hybrid IT ecosystem limits the chances of you falling victim to attacks on vulnerable or poorly authenticated infrastructure. Guardicore Centra offers automatic asset and dependency mapping down to the process level, allowing IT to quickly uncover and manage misconfigurations or dangerous open communications, providing early value to your business.

Once these are dealt with, a continuous view of all communication flows and assets moving forward puts your business in a strong position as attackers begin launching more sophisticated campaigns in the cloud. As cloud adoption continues to grow, future-focused businesses need to be on the lookout for cloud-native attacks that take advantage of container vulnerabilities and architectures, for example.

Shift-Left on Cloud Security

Enterprises are realizing that cloud providers are not responsible for their workload or application security, and that cloud solutions do not remove a business’ own responsibility when it comes to data security and compliance. One of the popular cloud security trends is that businesses are looking to adopt an early and continuous security solution to meet this challenge head-on. The latest micro-segmentation technology is smart and modern, robust enough to take control of an increasingly complex environment, while accomplishing early-value use cases when it comes to solving infrastructure problems. As a built-in security method, the strongest micro-segmentation technology can handle a heterogeneous data center, covering legacy solutions, bare metal, VMs, hybrid, containers, serverless and multi-cloud. Consolidating on one security vendor reduces complexity, which explains why many companies are opting for solutions that include strong complementary controls such as breach detection and incident response.

‘Application-Aware’ is a Cloud Security Future Must-Have

Moving to the cloud is all about businesses being able to be more flexible, to scale faster and larger, and to provide and benefit from new and exciting services. Your micro-segmentation solution needs to be able to keep up. Application-centric security takes over from traditional manual implementation, providing deep visibility, smart policy creation and airtight governance, protecting against threats in a holistic way. Success in the cloud security future depends on security that is built for the cloud and all its vulnerabilities, while at the same time effortlessly managing legacy systems and everything in between.

Want to learn more about cloud security trends and how to manage a heterogeneous environment? Check out this white paper.

How to Establish your Next-Gen Data Center Security Strategy

In 2019, 46 percent of businesses are expected to use hybrid data centers, and it is therefore critical for these businesses to be prepared to deal with the inherent security challenges. Developing a next gen data center security strategy that takes into account the complexity of hybrid cloud infrastructure can help keep your business operations secure by way of real-time responsiveness, enhanced scalability, and improved uptime.

One of the biggest challenges of securing the next gen data center is accounting for the various silos that develop. Every cloud service provider has its own methods to implement security policies, and those solutions are discrete from one another. These methods are also discrete from on-premises infrastructure and associated security policies. This siloed approach to security adds complexity and increases the likelihood of blind spots in your security plan, and isn’t consistent with the goals of developing a next gen data center. To overcome these challenges, any forward-thinking company with security top of mind requires security tools that enable visibility and policy enforcement across the entirety of a hybrid cloud infrastructure.

In this piece, we’ll review the basics of the next gen data center, dive into some of the details of developing a next gen data center security strategy, and explain how Guardicore Centra fits into a holistic security plan.

What is a next gen data center?

The idea of hybrid cloud has been around for a while now, so what’s the difference between what we’re used to and a next gen data center? In short, next gen data centers are hybrid cloud infrastructures that abstract away complexity, automate as many workflows as possible, and include scalable orchestration tools. Scalable technologies like SDN (software defined networking), virtualization, containerization, and Infrastructure as Code (IaC) are hallmarks of the next gen data center.

Given this definition, the benefits of the next gen data center are clear: agile, scalable, standardized, and automated IT operations that limit costly manual configuration, human error, and oversights. However, when creating a next gen data center security strategy, enterprises must ensure that the policies, tools, and overall strategy they implement are able to account for the inherent challenges of the next gen data center.

Asking the right questions about your next gen data center security strategy

There are a number of questions enterprises must ask themselves as they begin to design a next gen data center and a security strategy to protect it. Here, we’ll review a few of the most important.

  • What standards and compliance regulations must we meet? Regulations such as HIPAA, PCI-DSS, and SOX subject enterprises to strict security and data protection requirements that must be met, regardless of other goals. Failure to account for these requirements in the planning stages can prove costly in the long run should you fail an audit due to a simple oversight.
  • How can we gain granular visibility into our entire infrastructure? One of the challenges of the next gen data center is the myriad of silos that emerge from a security and visibility perspective. With so many different IaaS, SaaS, and on-premises solutions going into a next gen data center, capturing detailed visibility of data flows down to the process level can be a daunting task. However, in order to optimize security, this is a question you’ll need to answer in the planning stages. If you don’t have a baseline of what traffic flows on your network look like at various points in time (e.g. peak hours on a Monday vs. midnight on a Saturday), identifying and reacting to anomalies becomes almost impossible.
  • How can we implement scalable, cross-platform security policies? As mentioned, the variety of solutions that make up a next gen data center can lead to a number of silos and discrete security policies. Managing security discretely for each platform flies in the face of the scalable, DevOps-inspired ideals of the next gen data center. To ensure that your security can keep up with your infrastructure, you’ll need to seek out scalable, intelligent security tools. While security is often viewed as hamstringing DevOps efforts, the right tools and strategy can help bridge the gap between these two teams.

Finding the right solutions

Given what we have reviewed thus far, we can see that the solutions to the security challenges of the next gen data center need to be scalable and compliant, provide granular visibility, and function across the entirety of your infrastructure.

Guardicore Centra is uniquely capable of addressing these challenges and helping secure the next gen data center. For example, not only can micro-segmentation help enable compliance to standards like HIPAA and PCI-DSS, but Centra offers enterprises the level of visibility required in the next gen data center. Centra is capable of contextualizing all application dependencies across all platforms to ensure that your micro-segmentation policies are properly implemented. Regardless of where your apps run, Centra helps you overcome silos and provides visibility down to the process level.

Further, Centra is capable of achieving the scalability that the next gen data center demands. To help conceptualize how scalable micro-segmentation with Guardicore Centra can be, consider that a typical LAN build-out can last for a few months and require hundreds of IT labor hours. On the other hand, a comparable micro-segmentation deployment takes about a month and significantly fewer IT labor hours.

Finally, Centra can help bridge the gap between DevOps and Security teams by enabling the use of “zero trust” security models. The general idea behind zero trust is, as the name implies, nothing inside or outside of your network should be trusted by default. This shifts focus to determining what is allowed as opposed to being strictly on the hunt for threats, which is much more conducive to a modern DevSecOps approach to the next gen data center.
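As an added illustration (not Guardicore’s code or the page’s own), the Python below models the two ideas from this piece: the default-deny, label-based allow-list that zero trust implies, and the per-time-window baseline of flows that the visibility question earlier says you need before anomalies can be spotted. Workload labels, processes, ports and sample flows are all constructed.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One observed connection between two labelled workloads (constructed model)."""
    src_app: str   # label of the workload that opened the connection
    dst_app: str   # label of the workload that accepted it
    process: str   # process that accepted it on the destination
    port: int
    weekday: int   # 0 = Monday ... 6 = Sunday
    hour: int      # 0-23


# Hypothetical allow-list for a three-tier app: (src label, dst label, process, port).
# Under zero trust this list is the whole policy; anything not on it is denied.
ALLOW_RULES = {
    ("web", "app", "java", 8080),
    ("app", "db", "postgres", 5432),
    ("backup", "db", "postgres", 5432),
}


def key(flow):
    return (flow.src_app, flow.dst_app, flow.process, flow.port)


def evaluate(flow, rules=ALLOW_RULES):
    """Default-deny: a flow is allowed only on an exact rule match."""
    return "allow" if key(flow) in rules else "deny"


def window(flow):
    """Coarse time-of-week bucket, so Monday peak and Saturday midnight differ."""
    if flow.weekday < 5 and 8 <= flow.hour < 18:
        return "business-hours"
    return "off-hours"


def build_baseline(observed):
    """Map each flow tuple to the set of windows it was seen in during discovery."""
    baseline = defaultdict(set)
    for f in observed:
        baseline[key(f)].add(window(f))
    return dict(baseline)


def triage(flow, baseline, rules=ALLOW_RULES):
    """Return (policy decision, anomaly note) for one newly observed flow."""
    seen = baseline.get(key(flow))
    if seen is None:
        note = "never seen during discovery"
    elif window(flow) not in seen:
        note = "known flow at an unusual time: " + window(flow)
    else:
        note = "matches baseline"
    return evaluate(flow, rules), note


# Constructed sample: flows captured while mapping the application.
DISCOVERY = [
    Flow("web", "app", "java", 8080, 0, 9),
    Flow("web", "app", "java", 8080, 2, 14),
    Flow("app", "db", "postgres", 5432, 1, 10),
    Flow("backup", "db", "postgres", 5432, 5, 2),
]
```

Call `build_baseline(DISCOVERY)` once, then `triage(flow, baseline)` per new flow: an allowed-but-unusual flow is the case a pure allow-list would never surface, which is why the baseline matters alongside the policy.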

Guardicore helps enable your next gen data center security strategy

When developing a next gen data center security strategy, you must be able to account for the nuances of the various pieces of on-premises and cloud infrastructure that make up a hybrid data center. A big part of doing so is selecting tools that minimize complexity and can scale across all of your on-premises and cloud platforms. Guardicore Centra does just that and helps implement scalable and granular security policies to establish the robust security required in the next gen data center.

If you’re interested in redefining and adapting the way you secure your hybrid cloud infrastructure, contact us to learn more.

Want to know more about proper data center security? Get our white paper about operationalizing a proper micro-segmentation project.
