What’s New in Guardicore Centra Release 31

With release 31 we’re continuing to expand our firewall capabilities while making it even simpler for you to build and enforce a segmentation policy.

We’re doing this with features such as identity and FQDN policies. With Identity-based policies, security administrators can set granular, per-user access policies to applications. Domain name (FQDN) rules allow you to set policies based on the target domain name and save time and hassle on typing lists of ever-changing IP addresses. We’ve also integrated a first of its kind Threat Intelligence Firewall that automatically feeds into Centra daily updated blacklists of known bad actors to create rules that alert and block these communications.

In this release we are also shipping many customer requested features that were evaluated on the merit of improving operational efficiency, reducing policy creation time and taking Guardicore usability to higher levels.

Here are some of the highlights of the version:

User-based Rules

One key feature introduced in v31 is user-based rules. With this new firewall capability, customers can create rules based on Active Directory user groups to provide granular per-user access to applications. This allows you to control user access to data center and cloud resources. By linking your Active Directory to Centra, Centra is able to retrieve user information. Based on user membership in those Active Directory security groups, we allow users different access to different resources. This way you can make sure that users only access what they are entitled to. For example, this can help allow just the Billing users in your environment to access Billing resources and just the HR users to access their HR resources. No additional infrastructure is required.

FQDN Rules

You can now create policies that allow access to a specific domain by its domain name rather than its IP addresses. For example, when you want to allow a server to access windowsupdate.com, instead of typing its IP or its IP lists, you can simply refer to it by its domain name. For example, when you want to allow a server to only access github.com, instead of typing its IP or its IP derivatives (dev.github.com, community.github.com, etc.) you can simply refer to it by its domain name – github.com or *.github.com. Select *.github.com to support wildcards. The ability to type a domain name saves the time and hassle of collecting all the possible IPs and keeping track of their validity.

Threat Intelligence Firewall

Guardicore is offering a threat intelligence-based firewall to Centra SaaS users. This feature uses Guardicore’s threat intelligence sensors, distributed across major cloud providers worldwide, to create blacklists of verified malicious IP addresses. Updated daily, these IP blacklists are automatically fed into Centra to create rules to alert and block communications via malicious IP labels: top attackers, top scanners, and top CnC. To get this feature, contact Guardicore Customer Success at support@guardicore.com.

Extended support for legacy systems

Since most of our customer environments include end of life Unix, Windows and Linux that can no longer be patched and therefore pose a risk to the organization, Guardicore has expanded its operating system coverage for those legacy systems and applications. With version 31, the Guardicore Agent supports more legacy operating systems such as Redhat, Oracle and Centos 5, and has also extended its support to AIX which is a proprietary UNIX operating system commonly used by enterprise customers. Now we have the ability to extend our policy coverage to these OSes and reduce the risk they may pose.

While we listed the features that seem to be the most important, there are many more enhancements. Fthe full list of enhancements and capabilities, see the release notes that can be accessed from our customer portal.

Desktop Virtualization Journey Can be Safe and Sound

Show me an industry that isn’t increasing its usage of Desktop Virtualization (DV) and I’ll show you an industry that doesn’t exist. While different DV technologies are available, Virtual Desktop Infrastructure and Desktop-as-a-service are the clear choice, DaaS is essentially VDI hosted in the cloud. With VDI one deploys virtual desktops in her own on-premises data centers while DaaS takes the In-house IT burden and responsibilities to the cloud.

From Education and Healthcare, to Financial institutions and Governmental agencies, Remote application and DaaS is growing year on year. In fact, industry experts Gartner predict that by 2023 the combined number of on premises VDI users and cloud DaaS will grow by more than 50%.

Organizations are using different types of remote desktop technologies and solutions for a number of key reasons, including operational efficiency, improving their end-point compliance and remote access opportunities, enjoying the centralized management and security backups, as well as the end-user support supplied by market leaders such as Citrix. Newer deployment models provide a popular way to streamline costs, with no need to purchase software licenses, or individual workstations, items that can quickly add up. But what about keeping your data and applications secure? How does security measure up in a VDI environment?

When Shared Infrastructure Raises Risk

Traditional data centers allow for servers to be monitored for signs of threat, and isolated where necessary. However, in a VDI environment, you’ll often find that all servers and applications are on the same infrastructure, even end-user applications and those which need more security and control. Desktops are likely to be shared among a large number of users, perhaps only a step away from critical assets, applications, and data. As all of this takes place inside the data center, you’re not covered by traditional security solutions such as perimeter firewalls that only protect the entrance to your network.

An added element to consider is traffic inspection. Most end-user application traffic is encrypted using SSL or TLS, and compliance mandates require a high level of data privacy. At the same time, for security you need to have insight into traffic and communications.

For many organizations, these risks of VDI are too great. If just one VDI machine is compromised, the attacker can make movements elsewhere within the data center, and may well go undetected because of the complex environment.

User Identity Access Management and Application Segmentation: Two Solutions that Work in Tandem to Mitigate this Risk

Two powerful technologies can be used together to allow enterprise organizations to leverage VDI without worrying about security concerns. First, let’s look at User Identity Access Management.

This solution often comes hand in hand with a Zero Trust model, as the idea is that any user can only access what they need for their role or activity, and no more. Rather than simply rely on initial authentication, smart User Identity Access Management allows you to create policy based on the identity of the user that is logged in, even when multiple users are connected to the same system at the same time.

Identities can be pulled from the Active Directory, and policy will control both new sessions, and ones that are currently active. Even before a user has logged into an application, protection is in place.

active directory app protection

Now Couple Access Management with Application Segmentation

A micro-segmentation solution with granularity can create control over even the most complex environment, helping you to build out your infrastructure in a secure way that gives you peace of mind when using VDI, even defining policy based on a process, label, or other asset information.

For example, using application segmentation, you can ensure that all applications and users within the VDI environment are segmented away from specific business-critical or sensitive applications in the wider data center. You can also ring-fence the VDI environment so that no attackers can achieve lateral movement elsewhere, even in case of a breach.

application segmentation and VDI

Together, you now have a powerful, unbeatable solution. First, your user is limited to only the applications and servers they are allowed to access as mandated by your User Identity Access Management policy. Secondly, each user cannot move outside of their relevant environment, an added layer of defense, without added reliance on any specific network or location.

Reducing Complexity with Visibility

Still in fear of attacker dwell time? Make sure that your security solution comes with real-time visibility into all of your active VDI sessions and their connections. You should be able to see:

    • What specific users are doing, with identification
    • Which processes are currently running and for what purposes
    • How and where the processes are communicating
    • The exact flows that are being generated
    • Which specific applications are being used, and by whom

Another Zero Trust model mandate is to ‘Assume Access’. In this situation, when the assumed breach occurs, your IT team has accurate visibility into the source of the attack, and can see in seconds, (and without any physical or virtual taps) any lateral movement attempts from the original VDI environment to the main data center.

Lose the Fear of a VDI Environment

First, restrict the access from your VDI environment. Secondly, block access by user identity. In two steps, you’re done.

Guardicore Centra makes it simple to say yes to the benefits of a VDI environment. It integrates with Citrix Virtual Apps and Desktops, and Active Directory to reduce the attack surface and improve visibility, even when considering the complex security reality of Virtual Desktop Infrastructure.

3 Game-Changing Reasons to Deploy User Identity Access Management

Segmenting critical applications is nothing new. We’ve long since established the benefits of isolating sensitive data or essential assets in the enterprise data center, preventing potential breaches from escalating, and stopping lateral movement in its tracks. User Identity Access Management is the next essential layer of control, establishing with fine-grained policy exactly which users can access various applications in the first place, and how.

Here are our top three use cases, all of which are revolutionary for today’s enterprise data center.

Control User Access Anywhere

Many enterprises networks currently have broad permissions to business-critical systems, dangerously coarse controls that can be taken advantage of by attackers, or even manipulated with the help of human error. Not only is this bad practice for any enterprise security posture, but it also makes it increasingly difficult for organizations to remain compliant with the latest regulatory mandates.

In contrast, strong user access management policies allow specific users to be either given access or denied entry, with granular options such as permissions over specific servers, ports and processes.

Even in cases where your organization started out with a network design that allowed all users equal access, user access can be segmented to only the applications, servers and processes to which each individual user or group is entitled. Not only will your organization keep the infrastructure of a single data center, there will be no physical changes, downtime, or additional overhead as there would be with network segmentation projects, and you will be massively simplifying the road to compliance. Take PCI-DSS for example. With strong access management, you can ensure that only those users who are allowed to view cardholder data can physically access your CDE (Cardholder Data Environment).

Just as Guardicore Centra’s segmentation follows the workload rather than any particular underlying infrastructure, our User Identity Access Management follows the individual user, enforcing user governance across any environment, from legacy and bare-metal, physical desktops and laptops, to VDI and hybrid cloud platforms.

follow the user with identity access management

Manage Multiple Users, Even When Logged in at the Same Time to the Same System

Think about users who are connected to the same servers at the same time, but who have different access requirements. Perhaps one employee works for HR, and needs access to sensitive personnel files stored in HR management servers, while another works for the Finance team, and is working on an accounting application. They are both administrators, and are working within the same data center.

Without User Identity Access Management policies, the traditional way to secure their access would be with multiple jumpboxes, setting up one for each, with its own network connectivity. This gets expensive and complicated, fast.

A smart access management tool removes the complexity, and streamlines the route to secure user access, even for simultaneous logins to the same server. Each admin can connect from the same jumpbox, at the same time, and yet only have access to their own application, and be blocked from any applications outside of their purview.

user identity access management ame jumpbox no problem

Handle Third Party or Administrators Access 

It’s more important than ever to manage access for third-party vendors and partners, who may be connected to your network through SaaS, IoT devices, or as contractors working on your own systems. Third-party access management needs to be able to seamlessly handle and define user groups based on these examples and more. Traditional solutions that are based on IP addresses are complex to manage, especially when multiple users are logging on simultaneously to the same server. By using policy creation based on user-identity rather than IP, each user group can have its own policies defined for entry, giving specific access to every group or even individual user, and blocking them from moving any further. 

As there is no centralized firewall needed, and access is controlled at the endpoint, your organization can enforce control of users between workloads, even within the same segmented section on the network. Policies take effect immediately, for both new and active sessions, allowing you to act quickly and incisively in case of a security gap. 

Solving Three Problems with One Tool

In conjunction with the benefits of application segmentation, User Identity Access is an obvious step to enhance your data center security. Not only can you keep critical assets away from an attack, you can now enforce exactly who should be accessing these applications in the first place, wherever they reside. 

Want to read more about how micro-segmentation can enhance your data center security? Download our white paper on how to choose the right segmentation solution.

Read More

How to Identify Accounts and Prioritize Risk for Privileged Access Management

Privileged Access Management (PAM) is understandably a high priority for today’s enterprises. The misuse of privileged accounts can allow attackers to escalate credentials and permissions across complex IT networks, finding open paths to access critical assets or steal sensitive data. This can have a dangerous impact on an enterprise’s ability to remain compliant with third-party regulations as well as internal governance mandates.

Let’s look in more detail at deploying Privileged Access Management, and how to prioritize risk for your own business needs.

Identifying your privileged accounts and credentials

In some cases, you might have hundreds of thousands of privileged credentials in your IT ecosystem, and in an increasingly connected world, this information might exist in an attack surface that’s larger than you’ve considered before.

Your first step is visibility, ensuring that you can uncover all credentials, from passwords and SSH keys to password hashes, access keys and more, and that you can do so across your entire environment, on premises, on the cloud, and across DevOps processes.

According to CyberArk, there are 7 types of accounts you need to consider, as poor hygiene or practices with any of them makes your enterprise a target for APTs and other dangerous cybercrime.

  • Emergency accounts: Access to these accounts requires IT management approval, and is only given in case of an emergency. As a manual task, it usually does not have any security measures in place.
  • Local Administrative accounts: These accounts are shared to provide admin access to the local host or session. Whenever IT staff need to perform workstation or server maintenance, or work on network devices, mainframes and other systems, these are the accounts they will use. Password hygiene may well be poor across these accounts, as IT professionals sometimes share passwords across an organization to make access easier. This is an open door for attackers.
  • Application accounts: Privileged accounts usually have access to critical applications or databases, used to access databases, run scripts, or provide access to other applications. Passwords might be embedded and stored in plain text files, copied across multiple channels and servers.
  • Active Directory or Windows domain service: Password changes for these accounts are complex, as your business will need to sync any updates across applications and infrastructure. Because of this, many businesses fail to regularly update application account passwords. If this happens in a critical system such as your Active Directory, you have created a single point of failure.
  • Service accounts: These local or domain accounts will interact directly with the operating system using an application or service. These may even have administrative privileges depending on their roles and requirements.
  • Domain Administrative accounts: These accounts have complete control over all domain controllers, and can access and make changes to all administrative accounts within the domain. The access they have extends to all workstations and servers within the organization network, and so therefore, these credentials are under regular attack from hackers, no matter the environment involved.
  • Privileged User accounts: One of the most common forms of account access granted on an enterprise domain, with these accounts users can have admin rights for their local desktops, or across a particular system. Users might choose complex or strong passwords, but this is often the only security control in place.

Identifying the risk of each kind of account will differ from enterprise to enterprise, and depend on your own digital crown jewels and most critical assets, as well as how you store and manage data, what systems hold intellectual property or other sensitive information, and where you’ve uncovered vulnerabilities in your own unique ecosystem. It’s common to start with your highest risk accounts, and then use a phased approach to build out your PAM.

What does protecting these accounts mean in practice?

Once you’ve established the accounts and credentials you want to protect, this should be approached in a number of ways. Credentials can and should be placed in a digital vault which uses multi-factor authentication for access. The best solutions will provide encrypted video monitoring of all privileged sessions, with alerts set up against suspicious activity and an easy playback option. In case of an audit or escalation,

IT admin should be able to access granular information about each session, down to single keystrokes, escalating this to the SOC or the next level where necessary. In case of a breach, automated behavior could include suspending or terminating sessions, or automatically rotating credentials to protect from further harm.

It’s also important to think about the local administrative access, even those these might seem less dangerous at a glance. Protecting these accounts is essential if you are working towards the principle of ‘least privilege’ or a Zero Trust security model. Every endpoint could be an entry point for hackers, allowing them to make lateral moves until they hit what they’re looking for, and many users have far more permissions and access than they need to do their job each day. Look for a solution with least-privilege server protection for both Windows and *NIX, allowing you to tightly manage permissions and gain insight into activity on each user. This can go a long way to remove the coarse controls and anonymity which often exists in today’s data centers. For *NIX, it also removes the risk of unmanaged SSH keys, a known exploit that can be taken advantage of to log in with root access control.

The same mentality needs to be front and center when you’re considering third-party applications and services, many of which require access to your network. These can be hard to keep track of, so a strong monitoring solution is essential. Think about best-practice hygiene for commercial off the shelf apps, such as removing hard-coded credentials and managing and rotating these privileged accounts in your digital vault.

Protect from on-premises to cloud deployments

The vast majority of today’s enterprises are working in a hybrid reality, with a network that spans on-premises and bare metal servers all the way to cloud and container systems. Any PAM solution that you deploy needs to be able to handle both, seamlessly. Managing DevOps secrets and credentials is an important part of your strategy, and that your code can retrieve the information it needs on the fly, rather than having them hardcoded into the application. This will allow you to rotate and secure these secrets and credentials the same way that you can on premises.

Another large area to consider is SaaS. These often have wide permissions, such as CRM software like Salesforce that is used by multiple teams. Privileged business users who access these applications are one click away from sensitive customer data, and the ability to move around a network far more freely than other stakeholders. Multi-factor authentication can help here, as well as isolating access to shared IDs.

Compliance and Privileged Access Management

Many of the benefits of Privileged Access Management support compliance and internal governance strategies. Firstly, you have one centralized repository for all of your audit data, reducing costs and making reporting fat easier. By enforcing privileged access automatically and monitoring this in real-time, many audit requirements are met, protecting all systems that handle information processing across a heterogeneous environment, and enforcing visibility and control over account usage.

In case of a breach, you have immediate insight into the incident, including where the breach occurred, when it happened, exactly what took place, and how to shore up defenses in the future. It’s easy to see how the right PAM solution can support compliance with a wide range of regulatory authorities, from SWIFT, and MAS-TRM, to SOX, GDPR and ISO 27001 certification.

Partnering with the best in the business

Guardicore has recently formed a partnership with market leader CyberArk, providing customers with a Privileged Session Management solution free of charge, ensuring that all Guardicore deployments meet the high security standards held by its customers. Joint customers will be able to leverage centralized control of all their privileged accounts and credentials, without duplication or sharing.

To download the Guardicore Privileged Session Management tool, head to the CyberArk Marketplace.

No System Left Behind: Why Legacy Systems Should be Part of Your Zero Trust Strategy

The rise of digital transformation dictates that businesses move faster, innovate harder and adopt new technologies to remain competitive in their industries. Many times, it means implementation of systems using the latest IT innovation and methods. While the Zero Trust model of security has risen to the challenge for the latest technologies such as cloud, microservices or container systems, it’s essential to ensure that legacy infrastructure has not been forgotten.

Identifying the legacy systems you rely on

Moving to deploy a Zero Trust model is often triggered by digital transformation, understanding that the attack surface is increasing beyond what traditional security controls can maintain and secure. While it used to be sufficient to look at traffic as it entered and exited your environment (North-South), today’s attackers can be assumed to reside inside your network already, and so control over internal traffic East-West is essential. Practically speaking, the Zero Trust model was created for the most modern and dynamic environments, where organizations come up against phishing scams, connections with IoT devices, partnerships with third-party networks and more on a daily basis. Built to secure a digitally transformed network, it’s easy for enterprises to forget about legacy systems and let business-critical applications fall by the wayside. However, unpatched (sometimes there are simply no patches for a current vulnerability for old systems) or decades-old legacy systems are exactly where gaps in security and flaws may occur, making it far easier for attackers to make that first step into your data center.

This is where visibility for Zero Trust is so important. Starting with an accurate, real-time map of your whole infrastructure will uncover the legacy systems that you need to include in your Zero Trust journey, some of which you might not even have been aware existed in the first place. In some cases, this could spur you on to modernize the system, such as updating a machine that is using an old operating system. In other cases, it’s more complex to make changes, such as legacy AIX machines that process financial transactions, or Oracle DBs that run on Solaris servers. These systems can be business-critical, and it can be years before they can be updated or modernized, if ever.

Identifying the legacy technology that you rely on is step one. The more difficult these are to update, the more likely they are to be essential to how your business runs. In which case, these are exactly the areas you need to be sure to secure in today’s high-risk cyber landscape.

Including legacy in your Zero Trust model

Make sure that you have coverage for your legacy servers with micro-segmentation policy enforcement modules. The best micro-segmentation technology can then use a flexible policy engine to help you create policy that includes legacy systems in your Zero Trust model. As a starting point, you should be able to use your map to ascertain the servers and endpoints that are running legacy applications, and how these workloads communicate and interact with other applications and business environments. Ideally, this should be granular enough to look at the process level as well as ports and IPs. This insight can help you to recognize how an attacker could use lateral movement to hurt your business the most, or access your most sensitive data and applications.

With this information in real-time, you can avoid the challenges of traditional security solutions for legacy systems in the same way that you would for the rest of your data center. After all, if you’ve acknowledged the limitations of VLANs and other insufficient security controls for your modernized systems, why would you rely on them for legacy infrastructure that is even more business-critical, or tough to secure? Network segmentation via VLANs often results in all legacy infrastructure being placed into one segment that can be easily accessed by a single well-placed attack, and firewall rules are tough to maintain between legacy VLANs and more dynamic parts of your network.

In contrast to this traditional method, a micro-segmentation vendor that is built for a heterogeneous environment takes legacy systems into consideration from the start. Rather than dropping support for legacy operating systems, hardware, servers and applications, intelligent micro-segmentation technology provides equal visibility and control across the whole stack.

Zero Trust means zero blind spots

Your legacy systems might be quietly running in the background, but the noise of the fallout in case of a breach could silence your business for good. Don’t let your pursuit of modernization allow you to forget to include legacy infrastructure in your Zero Trust model, where sensitive data and critical applications reside, and where you might well need it the most.

Want to read more about how Guardicore micro-segmentation can take you closer to adopting a Zero Trust framework? Download our white paper on getting there faster.

Read More

Guardicore Centra Integration now available on CyberArk Marketplace

We had our first integration with CyberArk in 2016. One of our very early adopters, a CISO for a large telecommunications company, realized that Guardicore Centra was becoming a critical part of his security infrastructure and decided to integrate the two products.

The CISO understood that one of the biggest security threats for his organization was the misuse of privileged accounts with elevated permissions on IT systems. He decided to use CyberArk with Guardicore in order to manage privileged accounts and protect his critical assets. Guardicore secured access to critical assets via micro-segmentation and detection capabilities, and CyberArk managed the privileged access on these systems.

Since then, we have added additional features such as identity-based policies to provide a stronger overall solution, and many other customers have benefited from these integrated capabilities.

I am happy to update you that this integration of Guardicore Centra security platform and the CyberArk Privileged Access Security Solution has recently been made available on the CyberArk Marketplace, helping our joint customers accelerate their ability to meet compliance requirements and reduce security risk without introducing additional operational complexity.

By providing the Guardicore plug-in via the CyberArk Marketplace, customers can now more easily evolve their privileged access management programs. Our integration enables CyberArk customers to protect their hybrid cloud and data center while maintaining strong privileged access controls.

As a CyberArk C3 Alliance member, Guardicore will continue to work alongside CyberArk to deliver value to shared customers through an integrated plug-in, as part of their security stack.

Privileged access is pervasive and provides attackers the “keys to the IT kingdom.”

It is widely recognized that nearly all damaging cyber-attacks involve privileged account compromise. Attackers are then able to exploit this legitimate privileged access to establish a foothold and make lateral moves across enterprise IT infrastructure. Additionally, without least privilege, internal users might abuse their access rights. By integrating the capabilities of Guardicore Centra with the CyberArk solution, customers can be better positioned to detect and stop lateral movement using both software-defined segmentation and privileged access management.

Thinking about zero trust implementation? CyberArk combines with Guardicore to take you that much closer to the adoption of the zero trust model of security.

Want to read more about how Guardicore micro-segmentation can take you closer to adopting a zero trust framework? Download our white paper on getting there faster.

Read More

Guardicore vs. VLANs. No Contest. All That’s Left is Deciding What to Do with Your Free Time

A fast-paced business world deserves security solutions that can keep up. Speed isn’t everything, but reducing complexity and time when deploying a new strategy can be the difference between success and failure. Let’s look at the process of segmenting just one business critical application via VLANs, and then compare how it works with Guardicore Centra micro-segmentation. Then you can decide how to use all that spare time wisely.

VLANs – How Long Does it Take?

If you decide to go down the VLAN route, you will need to spend around 4-6 months preparing your network and application changes. On the networking side, teams will configure switches, connect servers, and generally get the network ready for the new VLANs. On the application side, teams will build a migration strategy, starting with discovering all the relevant infrastructure, making changes to application code where necessary and preparing any pre-existing dependent applications for the change ahead of time.

After this 6-month period, you can start to build policy. It can take anywhere from 2-4 months to submit firewall change requests and have fixes and changes signed off and approved by the firewall governance teams. Meanwhile, your critical applications remain vulnerable.

Once you’re ready to move on to policy enforcement, you’ll need to spend a weekend migrating the application to the new VLAN. This includes manually reconfiguring IP addresses, applications and integration points. Don’t forget to warn your users, as there will be some application downtime that you can’t avoid. Altogether, you’ve spent up to 10 months performing this one segmentation task.

VLANs vs Guardicore

Guardicore Centra – How Long Does it Take?

Now let’s take a look at how it works when you choose smart segmentation for hybrid cloud and modern data center security with Guardicore. The preparation time is just a few days, as opposed to half a year, while Guardicore agents are deployed onto your application. This installation is simple and painless, and works with any platform. Labeling is also done during this time, integrating with your organizational inventory such as CMDB or cloud tags. Guardicore’s Reveal platform automatically discovers all traffic and flows, giving you an accurate map of your IT ecosystem, in real time, and continues to give you historical views as you proceed as well.

As policy creation is automatic, your policy suggestions can be tested immediately, and then run in ‘alert mode’ for two weeks while you tweak your policy to make sure it’s optimized to its full potential. When you’re ready to go – pick a day and switch from alert to enforce mode, with no impact on performance, and no downtime.

You’ve Just Saved 9 Months – Let’s Use It!

With security handled, and 9 months of time to kill, here are just some of the things you could achieve in your organization.

Start a Language Lunch Club

quick segmentation - start a language lunch club

90% of employees say that taking a regular lunch break helps them to feel more productive in the afternoon. Despite this, most of us often grab a quick sandwich, or don’t even manage to get up from our desks. Why not use some of your newfound company “free time” to encourage teams to eat lunch together, socializing and enjoying some much needed down-time? This time ‘off’can give colleagues a chance to get to know one another, forming new friendships, social bonds and levels of trust between your staff. If you want to try to combine this with learning a new skill and further enriching your staff (expanding their minds and improving memory and brain function), you could start a language club where your team members can learn basic skills that can support them in reaching global customers. With 180 hours to kill – that’s a whole lot of lazy, or super-productive, lunches!

Play with Lego!

quick segmentation - play with lego

Many organizations struggle with how to make team meetings more productive, especially when everyone is always so short on time. If you’re known for sharing memes like “I survived another meeting that should have been an email,” then isn’t it time you did something about it?

Lego Serious Play is one great methodology that can get staff thinking and working outside of the box. As 80% of our brain cells are connected to our hands, building and creating can unlock hidden thoughts and ideas. It’s also a fantastic way to get input from quieter team members, as it works for both introverts and extroverts, and uses visual, kinaesthetic and auditory communication. If you have some free time left over, why not try beating the world record for the tallest Lego tower, built in Tel Aviv in 2017. You’ll have to make it to 36 meters to stand a chance though!

Put more Time into Health and Wellness

quick segmentation - put time into health and wellness

With more time in the day, there’s no need to take shortcuts that adversely affect your health. Tell your employees to skip the elevator and take the stairs, or to come in slightly later and cycle instead of jumping on available public transport. If your staff take the stairs twice a day for the whole nine months of saved time – that’s 12,600 calories, or the equivalent of 50 pieces of cheesecake!

Research has shown that employees who have work wellness programs report taking 56% fewer sick days than those without. Use some of the free time you’re saving to set up 8:30am or 5:00pm wellness classes, such as yoga, mindfulness, aerobics or Zumba and give your employees more reasons to love coming to work! Activity also encourages greater focus and productivity while on the job, so consider it a triumph to flex the muscles of your body and your mind.

Do More with Your Day Job

quick segmentation - do more with your day job

Spend some time getting to know other departments in the company, sitting down with Procurement to understand recent contracts, or heading over to R&D and having that conversation you’ve been meaning to have about Intellectual Property. Nine months makes 1440 hour-long coffee meetings! Better yet, why not plan a stint to an at least semi-exotic location to visit your offshore development teams on site? Allow yourself a bit of time out of the office while getting some all-important face-time with other members of your team.

You could also use some of your extra time to visit some customers or other stakeholders in the supply chain, identifying the risks that they pose to your organization and the mitigation you could put in place. Interested in some more informal professional development? It’s the perfect time to start a training to develop or expand a new skill, or mentoring some junior employees, or think about your own career enrichment. After all, you’ve just saved nine months!

Encourage Innovation

quick segmentation - encourage innovation

Most people have heard of Google’s 20% rule, where employees are encouraged to work on side projects, new hustles, or research for 20% of their working day. But for many companies this is a huge privilege – only possible if you have enough time in the day to get all the urgent work off your desk- which we know is never the case. But now with more time to play with, literally, you can implement some enforced innovation time. With 9 months of extra time to use up, it will take four and a half years of an hour a day before your staff have used up the surplus.

Now It’s your Turn to Innovate: What Will Your Teams Do With Their Free Time?

Why not draw up a bucket list of what you could do with an extra nine months, and how it could benefit your company?

Take a look at the seven steps to operationalize micro-segmentation so you can see just how simple it would be to get started.

Read More

Guardicore Extends Support to AWS Outposts, Providing Holistic Visibility and Control Across the Hybrid Cloud

Like the real clouds that can be seen in the Earth’s atmosphere, the IT clouds are constantly changing in the DCsphere. Last year, AWS announced plans to expand the public cloud into on-premises data centers and introduced AWS outposts, which will allow customers to run AWS infrastructure on-premises or other co-location facilities, creating a new type of hybrid cloud.  AWS customers can expect to have a consistent experience, whether they are managing infrastructure on the public cloud or using Outposts. 

Today, I am excited to share the news that we will support AWS outposts just like any other part of the hybrid cloud. Together with AWS and their hardware partners we are looking forward to expanding the Guardicore ecosystem to additional areas of the ever-expanding cloud, securing customers wherever they might be.

Highlighting the Benefits of AWS Outposts

Using AWS Outposts, organizations can run services such as EC2, EBS, and EKS on-premises, as well as database services like Amazon RDS or EMR analytics. Running AWS services locally, you will still be able to connect to services from the local AWS Region, and use the same tools and technology to manage your applications. With this announcement from Guardicore Centra, security can also remain the same on-premises as you’ve come to expect with AWS on the cloud.

The value of this technology for data storage and management is powerful. For organizations that are bound by regulations for storing data off the cloud, or in countries with data sovereignty requirements or no AWS Region, Outposts is a valuable alternative that makes data processing and storage seamless.

Healthcare is a strong example of a vertical that can benefit from Outposts. Organizations can simply run Machine Learning and analytics models to their health management platforms, even where low latency processing requirements dictate that they remain on-premises. When it’s time to retrieve data, this information is stored locally and therefore quick to retrieve. Financial services is an example of another use case that can leverage Outposts to deliver banking or processing requirements within the confines of local data requirements.

Making it Happen

To provide the widest possible coverage, Guardicore will support the two variants of AWS Outposts: both VMware Cloud on AWS Outposts with our existing VMware orchestration integration, as well as the AWS native variant of AWS Outposts running on premises.

Read more about our ever-evolving capabilities for AWS security as a trusted AWS Technology Partner, and stay tuned for more details on this exciting news and other collaborations.

Want to know more about how Guardicore, a trusted AWS technology partner, helps you nail hybrid cloud security by partnering with AWS? Download our white paper on the shared security model.

Read More

Segmenting Users on AWS WorkSpaces – Yes It’s a Thing, and Yes, You Should Be Doing It!

I recently came across a Guardicore financial services customer that had a very interesting use case. They were looking to protect their Virtual Desktop (VDI) environment, in the cloud.

The customer’s setup is a hybrid cloud: it has legacy systems that include bare metal servers, Solaris and some old technologies on-premises. It also utilizes many Virtual environments such as VMware ESX, Nutanix and Openstack.

Concurrently with this infrastructure, the customer has started using AWS and Azure and plans to use containers in these platforms, but has not yet committed to anything specific.

One interesting element to see, was how the customer was migrating its on-premises Citrix VDI environment to AWS workspaces. The customer was happy using AWS workspaces and had therefore decided to migrate to using them in full production. AWS workspaces were especially useful for our customer since the majority of its users work remotely, and it was so much easier to have those users working with an AWS WorkSpace than relying on the on-premises, Citrix environment.

So, what is an AWS WorkSpace anyway?

In Forrester’s Now Tech: Cloud Desktops, Q4 2019 report, cloud desktops and their various offerings are discussed. Forrester states that “you can use cloud desktops to improve employee experience (eX), enhance workforce continuity, and scale business operations rapidly.” This is exactly what our customer was striving to achieve with AWS WorkSpaces.

AWS Desktops are named “Amazon WorkSpaces”, and they are a Desktop-as-a-Service (DaaS) solution that run on either Windows or Linux desktops. AWS provides this pay-as-you-launch service all around the world. According to AWS “Amazon WorkSpaces helps you eliminate the complexity in managing hardware inventory, OS versions and patches, and Virtual Desktop Infrastructure (VDI), which helps simplify your desktop delivery strategy. With Amazon WorkSpaces, your users get a fast, responsive desktop of their choice that they can access anywhere, anytime, from any supported device.”

To get started with AWS workspaces click here.

Our customer was using AWS WorkSpaces and scaling their utilization rapidly. This resulted in a need to add a security layer to these cloud desktops. In AWS when users access the WorkSpaces, upon access, they are automatically assigned a workspace, and a dynamic IP. Controlling this access is challenging using traditional network segmentation solutions that are IP based. Thus, our customer was looking for a solution with the following features:

    • Visibility:
      • First and foremost within the newly adopted cloud platform
      • Secondly, not just an understanding of traffic between legacy systems on-premises and in the cloud individually, but visibility into inter-platform communications, too.
    • Special attention for Amazon WorkSpaces:
      • User-level protection: Controlling which users from AWS workspaces should and could interact with the various applications the customer owned, on-premises or in the cloud.
      • Single policy across hybrid-cloud: What was once implemented on-premises alone, now needed to be implemented in the cloud, and not only in the cloud, but cross cloud to on-premises applications. The customer was looking for simplicity, a single tool to control all policies across any environment.

Tackling this Use Case with Guardicore Centra

Our customer evaluated several solutions, for visibility, segmentation and user identity management.The customer eventually choose Guardicore Centra, for the ability to deliver all of the above, from a single pane of glass, and do so swiftly and simply.

Guardicore was able to provide visibility of all workloads, on premises or in the cloud, across virtual, bare metal and cloud environments, including all assets, giving our customer the governance they needed of all traffic and flows, including between environments.

On top of visibility, Centra allowed an unprecedented amount of control for the customer. Guardicore policies were set to control and enforce allowed traffic and add an additional layer of user identity policies to control which users from the AWS workspaces could talks to which on-premises applications. As mentioned previously, upon access to AWS workspaces, users are automatically assigned a workspace, with a dynamic IP. Thus traditional tools that are IP based are inadequate, and do not provide the flexibility needed to control these user’s access. In contrast, Guardicore Centra enables creating policies based on the user’s identity to the datacenter and applications, regardless of IP or WorkSpace.

 

Where Guardicore Centra Stands Apart from the Competition

Guardicore Centra provides distributed, software-based segmentation, enabling user identity access management. This enables additional control of the network, among any workloads.

Centra enables creating policy rules based on the identity of the logged in user. Identities are pulled from the organizational Active Directory integrated with Centra. Centra requires no network changes and no downtime or reboot of systems. Policies are seamlessly created, and take real time effect, controlling new and active sessions alike.

This use case is just one example of how Guardicore Centra simplifies segmentation, and enables customers fine-grained visibility and control. Centra allows an enterprise to control user’s access anywhere, setting policy that applies even when multiple users are logged in at the same time to the same system, as well as managing third party, administrators and network users’ access to the network.

Want to learn more about securing and monitoring critical assets and applications on AWS? Join our live webinar with AWS on Thursday, December 12th at 1:00pm Eastern.
Register Now

Environment Segmentation is your Company’s First Quick Micro-Segmentation Win

We often tell our customers that implementing micro-segmentation technology should be a phased project. Starting with a thorough map of your entire IT ecosystem, your company should begin with the ‘low hanging fruit’, the easy wins that can show quick time to value, and have the least impact on other parts of the business. From here, you’ll be in a strong vantage point to get buy in for more complex or granular segmentation projects, perhaps even working towards a zero-trust model for your security.

One of the first tasks that many customers take on is separating environments from one another. Let’s see how it works.

Understanding the Context of your Data Center

Whether your workloads are on-premises, in the cloud, or in a hybrid mix of the two, your data center will be split into environments. These include:

  • Development: Where your developers create code, try out experiments, fix bugs, and use trial and error to create new features and tools.
  • Staging: This is where testing is done, either manually or through automation. Resource-heavy, and as similar as possible to your production environment. This is where you would do your final checks.
  • Production: Your live environment is your production environment. If any errors or bugs make it this far, they could be discovered by your users. If this happens in this environment, it could have the greatest impact on your business through your most critical applications. While all environments are vulnerable, and some may even be more easily breached, penetration and movement in this environment can have the most impact and cause the most damage.

Of course, every organization is different. In some cases, you might have environments such as QA, Local, Feature, or Release, to name just a few. Your segmentation engine should be flexible enough to meet any business structure, suiting your organization rather than the other way around.

It’s important to note that these environments are not entirely separate. They share the same infrastructure and have no physical separation. In this reality, there will be traffic which needs to be controlled or blocked between the different environments to ensure best-practice security. At the same time however, in order for business to run as usual, specific communication flows need to be allowed access despite the environment separations. Mapping those flows, analyzing them and white-listing them is often not an easy process in itself, adding another level of complexity to traditional segmentation projects carried out without the right solution.

Use cases for environment segmentation include keeping business-critical servers away from customer access, and isolating the different stages of the product life cycle. This vital segmentation project also allows businesses to keep up with compliance regulations and prevents attackers from exploiting security vulnerabilities to access critical data and assets.

Traditional Methods of Environment Segmentation

Historically, enterprises would separate their environments using firewalls and VLANs, often physically creating isolation between each area of the business. They may have relied on cloud platforms for development, and then used on-premises data centers for production for example.

Today, some organizations adapt VLANs to create separations inside a data center. This relies on multiple teams spending time configuring network switches, connecting servers, and making application and code changes where necessary. Despite this, In static environments, hosted in the same infrastructure, and without dynamic changes or the need for large scale, VLANs get the job done.

However, the rise in popularity of cloud and containers, as well as fast-paced DevOps practices, has made quick implementation and flexibility more important than ever before. It can take months to build and enforce a new VLAN, and become a huge bottleneck for the entire business, even creating unavoidable downtime for your users. Manually maintaining complex rules and changes can cause errors, while out of date rules leave dangerous gaps in security that can be exploited by sophisticated attackers. VLANs do not extend to the cloud, which means your business ends up trying to reconcile multiple security solutions that were not built to work in tandem. Often this results in compromises being made which put you at risk.

A Software-Based Segmentation Solution Helps Avoid Downtime, Wasted Resources, and Bottlenecks

A policy that follows the workload using software bypasses these problems. Using micro-segmentation technology, you can isolate low-value environments such as Development from Production, so that even in case of a breach, attackers cannot make unauthorized movement to critical assets or data. With intelligent micro-segmentation, this one policy will be airtight throughout your environment. This includes on-premises, in the public or private cloud, or in a hybrid data center.

The other difference is the effort in terms of implementation. Unlike with VLANs, with software-based segmentation, there is no complex coordination among teams, no downtime, and no bottlenecks while application and networking teams configure switches, servers and code. Using Guardicore Centra as an example, it takes just days to deploy our agents, and your customers won’t experience a moment of downtime.

Achieve Environment Segmentation without Infrastructure Changes

Environment segmentation is a necessity in today’s data centers: to achieve compliance, reduce the attack surface, and maintain secure separation between the different life stages of the business. However, this project doesn’t need to be manually intensive. When done right, it shouldn’t involve multiple teams, result in organizational downtime or even require infrastructure changes. In contrast, it can be the first stage of a phased micro-segmentation journey, making it easier to embrace new technology on the cloud, and implement a strong posture of risk-reduction across your organization.

Want to learn more about what’s next after environment segmentation as your first micro-segmentation project? Read up on securing modern data centers and clouds.

More Here.