Posts

Migrating to the Cloud Fast and Securely

There are numerous different ways to make your move to the cloud. According to Gartner, the five most common techniques are rehosting, refactoring, revising, rebuilding, or replacing. Yet every one of those options has a few commonalities: you will always need to understand what assets will be involved, how they communicate, and the ways they interact with your broader IT environment.

After helping organizations of all sizes and complexity levels simplify and accelerate their cloud migration projects, Guardicore has identified five simple steps that can streamline those common points. Following these steps helps assure a fast migration while also enabling you to ensure that security and compliance policies extend to the new infrastructure.

5 simple steps to a fast and secure cloud migration

Ready for a sneak preview? Check out this short video for the quick overview before diving into the detailed instructions for how to achieve a fast and secure cloud migration.

1. Map application workloads

Typically, 73% of cloud migrations take more than a year to complete [1]. Even migrating a single application can take as long as four months [2]. However, with Guardicore, you can drastically speed up the timeline of your project from step one.

Once installed, Guardicore Centra automatically generates a detailed map of activity across all your environments. Process-level activity is correlated with network events, giving you a visual view of all workloads.
You can then drill down for more detail, including granular information on specific assets and processes. This helps you determine what elements you need to consider during your migration, so you can accurately scope your project.

2. Identify service dependencies

Many applications have service dependencies that they rely on to operate, such as DNS, Active Directory, or update services. These need to be documented and correctly configured as a part of the migration process.

For instance, you may not want your newly migrated cloud application to have access to the on-premises Active Directory for security or compliance reasons. Therefore, rehosting it or setting up another instance may be a better option for your business.

Guardicore can help you determine what dependencies exist today. Once those dependencies are identified, you can make a proactive and informed decision on how you would like to set up these services before you migrate. In this way you can avoid unplanned delays.


Guardicore provides detailed insights into service and business dependencies

3. Identify business dependencies

In addition to ensuring service dependencies are taken care of, other elements in your environment likely require access to the newly migrated asset to keep your business running as usual. One common use case for financial services organizations, for instance, is the need for billing, accounting, and SWIFT applications to communicate with a banking application migrated to the cloud.

In order to ensure that everything continues operating as expected post-migration, Guardicore provides you with the granular visibility you need to understand communication between each relevant element. This includes insights into connections between protocols, ports, and processes.

This visibility lets you plan how to configure for today’s dependencies. It also helps you decide whether or not to make a change moving forward (like creating a cloud instance of an accounting application in order to avoid an on-premises-to-cloud dependency). Moreover, it allows you to avoid potential outages that can occur when you decommission on-premises versions of applications after a migration.

4. Migrate your assets to the cloud

Once you’ve gone through the process of mapping assets and thoroughly understanding dependencies, you can confidently begin your cloud migration. During this time, you can also define any segmentation policies needed to further reduce risk and ensure compliance.

Because Guardicore presents real-time and historical network data in a centralized platform, it’s easy to spot communication flows that might increase risk or result in non-compliance. You can then limit exchanges between assets as needed.

There is an additional bonus to defining policies before undergoing a cloud migration. Since Guardicore operates independently of the underlying infrastructure, policies follow the workloads. Thus, existing security controls carry over to the cloud. There, they can be fine-tuned for an asset’s new environment, saving even more time.

“The entire segmenting of the Somos infrastructure, applications, and data had been completed when we entered the new environment.”

Alex Amorim – Information Security Manager

5. Check and validate your cloud migration

After you’ve completed your cloud migration, it’s important to do one last thorough check. Now is the time to validate that you have accounted for all dependencies and that the correct security policies are in place.

Once you’ve confirmed everything is as it should be, you can securely shut down any on-premises assets you want to decommission. All that’s left is to toast to a successful migration!
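The data flow behind steps 2 through 5, as an added example (not Guardicore Centra code or its API). The flow records are constructed, and the field names, workload labels and port mapping are assumptions. Rules are keyed on workload labels rather than IP addresses, so the allowlist built before the move still applies after the application's address changes.

```python
from collections import namedtuple

# One observed connection. Field names are hypothetical; all data is constructed.
Flow = namedtuple("Flow", "src_ip src_app dst_ip dst_app dst_port process")

# Assumed port-to-service mapping for infrastructure dependencies (step 2).
SERVICE_PORTS = {53: "DNS", 88: "Kerberos", 389: "LDAP", 636: "LDAPS", 8530: "WSUS"}


def rule(flow):
    """Reduce a flow to a label-based rule; IP addresses are dropped on purpose."""
    return (flow.src_app, flow.dst_app, flow.dst_port, flow.process)


def map_dependencies(flows, app):
    """Steps 2 and 3: split the app's flows into service and business dependencies."""
    deps = {"service": set(), "business_out": set(), "business_in": set()}
    for f in flows:
        if f.src_app == app and f.dst_port in SERVICE_PORTS:
            deps["service"].add((SERVICE_PORTS[f.dst_port], f.dst_app))
        elif f.src_app == app and f.dst_app != app:
            deps["business_out"].add((f.dst_app, f.dst_port))
        elif f.dst_app == app and f.src_app != app:
            deps["business_in"].add((f.src_app, f.dst_port))
    return deps


def build_allowlist(flows, app):
    """Step 4: every observed flow touching the app becomes an allow rule."""
    return {rule(f) for f in flows if app in (f.src_app, f.dst_app)}


def validate(allowlist, post_flows, app):
    """Step 5: compare post-migration traffic with the pre-migration allowlist."""
    seen = {rule(f) for f in post_flows if app in (f.src_app, f.dst_app)}
    missing = allowlist - seen       # dependency not observed: possible outage
    unexpected = seen - allowlist    # flow outside policy: review or block
    return sorted(missing), sorted(unexpected)


# Constructed pre-migration flows: banking app on-premises at 10.0.1.10.
PRE = [
    Flow("10.0.1.10", "banking", "10.0.0.2", "dns", 53, "java"),
    Flow("10.0.1.10", "banking", "10.0.0.5", "active-directory", 389, "java"),
    Flow("10.0.2.20", "billing", "10.0.1.10", "banking", 8443, "billing-svc"),
    Flow("10.0.2.21", "accounting", "10.0.1.10", "banking", 8443, "acct-sync"),
    Flow("10.0.1.10", "banking", "10.0.3.30", "swift", 9443, "java"),
]

# Constructed post-migration flows: banking now at 172.31.5.10 in the cloud.
# The accounting flow is absent and an unlabeled host reaches banking on port 22.
POST = [
    Flow("172.31.5.10", "banking", "10.0.0.2", "dns", 53, "java"),
    Flow("172.31.5.10", "banking", "10.0.0.5", "active-directory", 389, "java"),
    Flow("10.0.2.20", "billing", "172.31.5.10", "banking", 8443, "billing-svc"),
    Flow("172.31.5.10", "banking", "10.0.3.30", "swift", 9443, "java"),
    Flow("172.31.5.99", "unlabeled", "172.31.5.10", "banking", 22, "ssh"),
]

if __name__ == "__main__":
    print(map_dependencies(PRE, "banking"))
    missing, unexpected = validate(build_allowlist(PRE, "banking"), POST, "banking")
    print("missing dependencies:", missing)
    print("unexpected flows:", unexpected)
```

A non-empty `missing` list is the signal to hold off decommissioning the on-premises asset; a non-empty `unexpected` list is the signal to review the segmentation policy.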

Congratulations on completing your fast and secure cloud migration!

Going through these five steps with Guardicore Centra can drastically simplify and speed up your migration to the cloud. Ready to see that kind of success in action for yourself? Check out this five-minute walkthrough of moving an e-commerce application to the cloud:

Rethinking Segmentation for Better Security

Cloud services and their related security challenges will continue to grow

One of the biggest shifts in the enterprise computing industry in the past decade is the migration to the cloud. As more and more organizations discover the benefits of moving their data centers to private and public cloud environments, this trend is expected to continue dominating the enterprise landscape. Gartner projects cloud services will grow exponentially from 2019 through 2022, with Infrastructure-as-a-Service (IaaS) being the fastest growing segment of the market, already showing an increase of 27.5% in 2019 compared to 2018.

So what’s the big challenge?

The added agility of cloud infrastructure comes with a trade-off, in the form of increased complexity of cyber security. Traditional security tools were designed for on-premises servers and endpoints, focusing on perimeter defense to block attacks at the entry point. But the dynamic nature of hybrid cloud services means that perimeter defense is no longer sufficient. When the perimeter itself is constantly shifting, as data and workloads move back and forth among public and private clouds and on-premises data centers, the attack surface becomes much larger and network segmentation is required to control lateral movement within the perimeter.

From the early days of clouds, segmentation became a popular concept. Traditionally, businesses were looking to divide the network into segments and enforce some sort of access control between the segments. In practice, the way it worked was that relevant servers were put into a dedicated VLAN and routed through a firewall. The higher level of segmentation meant smaller segment size, which reduced the attack surface and limited the impact of any potential breach.

Then – the rules of the game changed! Moving from one static cloud to dynamic, hybrid cloud-based data centers

Simple segmentation by firewalls used to work in the past, when the networks were comprised of relatively large static segments. However, the “rules of the game” have changed significantly in recent years. Dynamic data centers and hybrid cloud adoption have created problems that cannot be solved with legacy firewalls, and yet achieving segmentation is now more vital than ever before. The cadence of change to the infrastructure and application services is very high, accentuating the need for granular segments with an understanding of their dependencies and impacting their security policy.

Take, for example, the 2017 Equifax breach. The US House of Representatives report on this incident pointed directly to the lack of internal segmentation as one of the key gaps that allowed the breach impact to be so big, affecting 143 million consumers.

Regulation is another driver of segmentation. One of Guardicore’s customers, a global investment bank, needed to comply with a new SWIFT regulation, which requires all SWIFT servers to be put into a separate segment and all connections allowed in and out of this segment to be whitelisted. Using traditional methods, it took the bank 10 months and a costly labor-intensive process to complete this change, spurring them on to find smarter segmentation methods moving forward.

The examples above demonstrate how although segmentation is a known and well understood security measure, in practice organizations struggle to implement it properly in a cost-effective way.

Adapt easily to these changes and start micro-segmentation

To deal with these challenges, micro-segmentation was born. Micro-segmentation takes enterprise security to a new level and is a step further than existing network segmentation and application segmentation methods, adding visibility and policy granularity. It typically works by establishing security policies around individual or groups of applications, regardless of where they reside in the hybrid data center. These policies dictate which applications can and cannot communicate with each other.

Micro-segmentation includes the ability to fully visualize the environment and define security policies with Layer 7 process-level precision, making it highly effective at preventing lateral movement in a hybrid cloud environment.

Take the first step in preparing your enterprise for better data security

Want to learn more? Listen to Guardicore’s CTO and Co-founder, Ariel Zeitlin, as he walks through the challenges and the solutions to better secure your data in his latest interview with the CIO Talk Network. In this podcast, Ariel discusses the new approaches to implementing segmentation, the key aspects you need to consider when comparing different vendors and technologies, and what comes ahead of the curve for security leaders in this space.

 

Want to learn more about how to first think through, then properly implement micro-segmentation? Read our white paper on operationalizing your segmentation project.

What is AWS re:Inforce?

AWS re:Inforce is a spin-off of AWS re:Invent. Why the need for a spinoff? Legend has it that the security tracks during re:Invent got so crowded that AWS decided that the security track should have a conference of its own.

AWS re:Inforce is a different kind of conference, a highly technical conference of curated content meant for security professionals. This is a conference where knowledge runs deep and conversations go deeper, with few marketing overtures and high-level musings. Even the vendor-sponsored presentations were very technical with interesting takeaways. If your organization is invested in AWS at any level, it’s a great conference to attend. You get two condensed days of dedicated security content for the different services, architectures, and platforms offered by AWS. The content is available for multiple levels of expertise. You also get access to the top-tier AWS experts, whom you can consult on your different architecture dilemmas. Since this conference turned out to be very popular, one tip I’d give next year’s attendees is to book your desired sessions as far ahead of time as you can (at least a few weeks, if possible). In conversations with colleagues, I learned that there were many who couldn’t get into all the sessions they had wanted. So I suggest you plan well for next year.

Here are some of the takeaways from the conference that I’d like to share with you:

  1. Humans don’t scale – This is not a revolutionary new thought; it’s common knowledge in the DevOps world. However, the same understanding is becoming prevalent in the security industry as well. Organizations are starting to understand that as they move to the cloud, managing security for multiple dynamic environments just doesn’t scale, from both the configuration and IR perspectives. Organizations are moving away from complaining about security personnel shortages, and instead are looking to converge their multiple security platforms into 2-3 systems that provide wide coverage of use cases and allow a high level of automation and compatibility with common DevOps practices.
  2. Security platforms converge – Organizations are transforming their IT operations to be efficient and automated. Security has to follow suit and be an enabler instead of a road block. The end goal from a CISO perspective is to achieve governance of the whole network, not just the cloud deployments or just the on-prem ones. Vendors can no longer have separate solutions for on-prem and cloud. A single unified solution is the only viable, sustainable option.
  3. Migration is hard – Migrating your workloads to the cloud is hard; migrating your security policy is even harder. Organizations moving all or some of their workloads to AWS find it very hard to keep the same level of security posture. Running a successful migration project while not compromising on security requires changing controls that do not exist in the cloud. The existing security tools these organizations are using are not suitable or sufficient for enforcing the same security posture in the cloud.
  4. Hit F5 on your threat model – One of the main takeaways for security practitioners on AWS is to have a fresh approach to what actually needs to be secured. Make sure that as new cloud constructs and services are adopted by the organization, you actually have the right tools or policies in place to secure them. One example is a solution like AWS Control Tower (announced GA at the time of the conference), which helps you govern your AWS environment and accounts policy. When looking at the hybrid or cloud-only topologies that require a complex network model, you realize that you would need a hybrid solution to provide an overlay policy for both your cloud and on-prem assets.
  5. API is king – As our architectures and networks become more complex the ability of a human to monitor or maintain a network is becoming unrealistic. A great example is the SOAR (security automation and remediation) space. Organizations are moving away from shiny SOCs (security operation centers) with big TVs and hordes of operators. Human operators are not an effective solution over time and especially at scale. The move to automated playbooks solves both the staffing issue and the variable quality of incident handling. Each incident is handled according to a premeditated script for that scenario, with no need to reinvent the wheel. Sometimes it’s smart to allow automation to be our friend, and make our lives easier.

As CISOs need to be able to secure their entire network, and not just the cloud elements, the same concepts should apply more widely to network security. These have been the cornerstones of building Guardicore Centra, a micro-segmentation solution that works across all environments, and can complement and secure your AWS strategy. Modern infrastructures are dynamic and can change thousands of times over a span of a day. Security policies should be just as dynamic and be applied just as fast and be able to adhere to the same cadence. Guardicore enables security practitioners to integrate with APIs and move at the speed of the organization. Tools that require your security and network engineers to define security policy only through the UI and do not provide a way to script and automate policy creation are not transitioning to the cloud.

We believe that security shouldn’t be an obstacle or a cause for delay, and so one single, unified solution is a must-have. This obviously needs to work in a hybrid and multi cloud reality, without interfering with AWS best practices for it to be beneficial and not slow you down.

Want to learn more about hybrid-cloud security? Watch this video about micro-segmentation and breach detection in an increasingly complex environment.

 

Interested in cloud security for hybrid environments? Get our white paper about protecting cloud workloads with shared security models.

Cloud migration challenges and risks – prevent and overcome them

Even though it seems to be almost ubiquitous, cloud computing continues to grow at an impressive rate. According to Gartner, public cloud revenues as a whole will grow by 17.3% in 2019, and the IaaS (Infrastructure as a Service) market will experience 27.6% growth. What this means is that more and more organizations will need to navigate the cloud migration challenges associated with maintaining a hybrid cloud infrastructure in order to reap the benefits of the cloud.

While there are a number of benefits to cloud migration, there are also operational, security, and financial risks that must be accounted for. In this piece, we’ll dive into the different approaches to cloud migration, some of the cloud migration challenges many organizations face, and how to effectively address those challenges to minimize your risk and maximize the upside of the cloud.

Approaches to cloud migration

At a high level, there are 3 different approaches an organization can take to cloud migration, each with its own set of pros and cons. Aater Suleman did a good job summarizing the 3 main approaches in his Forbes piece:

  • Rehost. Simply move workloads as they are. While simple and less work-intensive than the other methods, the downside here is the inability to maximize the cost and performance benefits of operating in the cloud (e.g. elasticity).
  • Replatform. Make minor changes to workloads to help capture some of the inherent benefits of the cloud (e.g. use a managed database for an app). Replatforming seeks to find a middle ground between the benefits of rehosting and refactoring.
  • Refactor. Re-architect the workloads to maximize the benefits of the cloud. While refactoring is the most work-intensive upfront, it also positions enterprises to maximize the cost and performance benefits of the cloud.

Common challenges and risks of cloud migration

In addition to weighing the pros and cons of the different cloud migration strategies, organizations must be able to identify and overcome the inherent cloud migration risks and challenges that come with shifting workloads off of on-premises hardware. Below, we’ll review three of the most common.

Developing the right strategy to address cloud migration risks

Strategy is vital to any major IT endeavor, and cloud migration is no different. A major part of developing the right strategy is selecting the right approach (rehost, replatform, or refactor) to your migration. While this will have a major impact on ROI and operations, it is not the only area to consider when planning a cloud migration.

Another key component of a cloud migration strategy is knowing what solutions you should say “no” to. Wasted spend is a big cloud migration risk. How big? Consider the statistics that suggest 35% of cloud spend is wasted. Understanding what your business needs, and what it doesn’t, will help you properly plan and avoid wasted spend. Paying for additional cloud infrastructure you don’t need and won’t use isn’t only a poor investment, it also unnecessarily increases your attack surface.

Maintaining application visibility in a hybrid cloud

The cloud comes with challenges beyond wasted spend as well. Generally, security policies are applied within the context of a given cloud platform (e.g. AWS, Azure, GCP, private clouds, etc.) or on-premises data center. This siloed approach to infrastructure leads to disjointed security policies and one-off configurations that make capturing a holistic and granular view of data across the entirety of a network a real challenge.

Lack of visibility can hurt both before and after a migration, particularly when using a “rehost” approach. For example, in order to understand how an application performs, its dependencies, and what ports it uses, granular, process-level visibility is required. Similarly, detailed visibility is required after the migration to ensure the app is operating as expected.

Adapting security to fit the hybrid cloud model

Another important part of executing a cloud migration is understanding and accounting for the complexity it can add to network security once it is complete. We often think of cloud migrations as a way to minimize complexity in IT. After all, the provisioning, maintenance, and patching of software and hardware can be abstracted away and taken care of by a service provider. However, from a security perspective, the more discrete clouds and solutions you implement, the more silos you create. As a result, it becomes more difficult to maintain robust, scalable, and holistic security policies. This complexity is only compounded when a single application spans multiple cloud configurations.

In short, the hybrid cloud model is fundamentally different than an on-premises model. Multiple discrete infrastructures and services each have their own wrinkles that make developing policies that can scale and span the entirety of an enterprise difficult. As a result, you are left with multiple silos within your infrastructure that create blind spots, lead to more maintenance, require more resources, and demand more time and energy from the security professionals on your team.

Addressing cloud migration challenges with Guardicore

Some of the challenges we have discussed thus far, namely selecting the right approach for your cloud migration and knowing when to say “no” to unnecessary solutions, can be mitigated with proper planning and an understanding of your infrastructure needs. However, from an operational perspective, you’ll still require tools that enable the visibility, flexibility, and security required to effectively execute a cloud migration and implement enterprise-grade security thereafter.

This is where a solution like Guardicore Centra can add a tremendous amount of value. Since it is designed from the ground up to solve the security and visibility problems facing the modern enterprise, Centra users are able to create and enforce security policies that span clouds and on-premises environments, helping to break through silos. Further, Centra enables the creation of cloud-ready policies with features like auto-scaling that enable users to get the most out of the flexible, burstable nature of the cloud without compromising security.

Centra offers process level visibility across clouds and on-premises which enables detailed planning before a migration and performance monitoring after. Centra also supports a wide variety of cloud API integrations that enable enterprises to capture granular details on migrated infrastructure. Additionally, Centra is able to use dynamic labeling and integrate with Software Defined Data Center (SDDC) controllers, orchestration tools, and bare metal hardware to ensure that security policies follow instances no matter where they are deployed. You can learn more about Centra on the Centra Product Page.

Ready to get started with your cloud migration?

As we have seen, there are a number of factors to consider when planning a cloud migration. Enterprises must be diligent and ensure they aren’t making strategic or operational errors when making the leap. By properly strategizing prior to your migration and leveraging a solution like Guardicore Centra, you can help resolve the inherent cloud migration challenges involved in shifting workloads to the cloud. This will position your business to get the most ROI on your cloud spend and help ensure your IT security is not compromised due to silos and blind spots.

If you’re interested in learning more about how Guardicore can help ensure your next cloud migration is a success, check out our Cloud Migration Use Case Page or contact us today.

Musing on Springs, Cloud Stiffness and K

Congratulations to our friends at Dropbox, who announced earlier last week plans to raise $500 million through an initial public offering. Well done!

Dozens of news articles and blog posts talked about this upcoming event; however, I would like to focus on GeekWire’s article that highlighted one specific topic reported in the S1 document: How Dropbox saved almost $75 million over two years by building its own tech infrastructure.

After making the decision to roll its own infrastructure and reduce its dependence on Amazon Web Services, Dropbox reduced its operating costs by $74.6 million over the next two years. 

 
