Defense in depth: practical steps to securing your data and achieving compliance Presented by Chris Purrington, the VP Sales Europe at Cohesive Networks Perimeter-based security approaches have not evolved to meet the modern application-focused enterprise. The weaknesses of the perimeter-based approach are on display in the east/west attacks on Sony, Target, and Home Depot exploits where hackers gained access to the perimeter, then ransacked the internal networks with minimal resistance. What can modern enterprises do? A “defense in depth” approach to security at the network layer. Enterprises must strengthen existing core networking hardware and virtualization layer security with added application security. In data centres, physical network isolation is not practical, and logical segmentation can be very difficult without using evolved networking approaches. As data centers became wholly virtualized and blur the line between data center and private cloud, we can finally add and control logical segmentation at the virtualization layer. This “Application Segmentation” provides the most comprehensive security model available today. You can apply application segmentation defense in depth using Cohesive Networks’ VNS3:turret. VNS3:turret creates a cryptographically unique micro-perimeter around each application topology. This presentation will examine how an defense in depth at the application layer can stop the next Sony attack.

1. Defense in depth:
practical steps to securing
data & achieving compliance

2. © 2016 @cohesivenet
about me
Chris Purrington
VP Sales and Managing Director, UK
Cohesive Networks

3. © 2016 @cohesivenet
about Cohesive Networks
VNS3 security and
connectivity solutions
protect cloud-based apps
2100+ customers in 20+
countries across all industry
verticals and sectors
Enterprise
Security
Top 20 Most Promising
Company 2015
Partner
Network
TECHNOLOGY PARTNER
Cloud Marketplace Provider

4. © 2016 @cohesivenet
2,100+ customers in 20+ countries
• 800+ Self Service Customers
• 18+ SI Resellers
• 45+ ISV OEM
Including Industry Leaders
• Global Mutual Fund Company
• US ERP provider
• Global BPMS provider
• Cloud-based Threat Detection
• UK Fashion Brand
• Global Big Data Analytics Provider
customers run businesses in the cloud

5. © 2016 @cohesivenet
agenda
• Perimeter-based security has not evolved
• Data center security is not cloud security
• Modern defense in depth
• Application segmentation
• Customer use cases

6. © 2016 @cohesivenet
Perimeter-based security has not evolved

7. © 2016 @cohesivenet
security no longer #1 barrier to cloud adoption - still a top priority
2016

8. © 2016 @cohesivenet
weaknesses of the perimeter-based approach frequently on display:
METHOD OF LEAK
hacked
accidentally published
configuration error
inside job
leak
lost/stolen computer
lost/stolen media
poor security
World’s Biggest Data Breaches - Information is Beautiful

9. © 2016 @cohesivenet

10. © 2016 @cohesivenet
Perimeter Security
private data center security: walls
80% of security spend is on perimeter, leaving only 20% for interior
network security

11. © 2016 @cohesivenet
Perimeter Security
private data center vulnerability
hacker penetration

12. © 2016 @cohesivenet
Perimeter Security
private data center vulnerability
vulnerabilities go undetected for an average of
234 days!

13. © 2016 @cohesivenet
data center security is not cloud security

14. © 2016 @cohesivenet
Source: Azure Compliance
public cloud providers do build secure clouds…
• CSPs must meet tougher standards
• Reputation = vested interest in high levels of security
• Bigger budgets for infrastructure, data centres, compliance
• Better systems to vet and manage security staff
• Security software: dedicated instances, VLANs, VPNs, firewalls, edge protection

15. © 2016 @cohesivenet
• “49% of IT decision makers admit they are ‘very or extremely anxious’ about
the security implications of cloud services” - BT study 2015
• 75% of enterprises use additional security measures beyond what CSPs
offer - Clutch survey, March 2016
• Security risks exist beyond the “shared responsibility model”:
• 3rd party shared environments
• lack of insight into and control of underlying infra.
• isolation from other cloud users
• lack of in cloud encryption in transit
… yet CIOs and CEOs are still concerned.

16. © 2016 @cohesivenet
modern defense in depth

17. © 2016 @cohesivenet
deliver your applications in your over the top cloud networks
Layer 7
Layer 6
Layer 5
Layer 4
Layer 3
Layer 3
Layer 2
Layer1
Layer 0
Cloud Layer 3 Network
Limit of user access,
control and visibility
Hardware
You Can’t Get To
Hypervisor You
Don’t Control
Application
Policies
You Control
Overlay Network 1 Overlay Network 2
Cloud
Service
Provider
Applications

18. © 2016 @cohesivenet
add cloud network and security with VNS3
firewall vpn concentrator
protocol
distributor
extensible nfv
VNS3 Core NetworkComponents
router switch
•Deploy in any cloud/virtual infra
•Create your own application specific network
•Separate network identity from physical location
•Control end to end encryption, IP addressing & network
topology

19. © 2016 @cohesivenet
extend overlay networks beyond single CSPs
Active IPsec Tunnel
VNS3 Controller 1 VNS3 Controller 2 VNS3 Controller 3
VNS3 Overlay Network - 172.31.1.0/24
Peered Peered
Overlay IP: 172.31.1.1
Cloud Server A
Overlay IP: 172.31.1.2
Cloud Server B
Overlay IP: 172.31.1.3
Cloud Server C
Overlay IP: 172.31.1.4
Primary DB
Overlay IP: 172.31.1.5
Backup DB
ireland frankfurt
Data Center 2
London
Data Center 1
Seattle, WA
Failover IPsec Tunnel
vpc 1 vlan 2 vpc 3
VNS3:ha 1
ireland

20. © 2016 @cohesivenet
VNS3:net extending your network functions
Plug-in model allows you to easily customize your network appliance to
add additional layer 4-7 network capabilities
firewall vpn concentrator
protocol
distributor
extensible nfv
VNS3CoreComponents
router switch
waf content caching nids proxy load balancing custom
L4-L7 Plugin System

21. © 2016 @cohesivenet
build on CSP’s layers of control and access
Provider Owned/Provider Controlled
Provider Owned/User Controlled
VNS3 - User Owned/User Controlled
User Owned/User Controlled
Key security elements must be controlled
by the customer, but separate from
the provider
Cloud Edge Protection
Cloud Isolation
Cloud VLAN
Cloud Network Firewall
Cloud Network Service
VNS3 Virtual Firewall
VNS3 Encrypted Overlay
N
etwork
VNS3 NIDS, WAF, e
tc.
Instance
OS Port Filtering
Encrypted Disk

22. © 2016 @cohesivenet
application segmentation with VNS3

23. © 2016 @cohesivenet
application segmentation
micro-perimeter around critical apps in any

24. © 2016 @cohesivenet
limit server interactions
Ensure the “right” traffic is going through
secure app-layer switches

25. © 2016 @cohesivenet
control network flow
traffic only flows in permitted directions,
from permitted locations

26. © 2016 @cohesivenet
security for each app

27. © 2016 @cohesivenet
enforce traffic policies with firewalls

28. © 2016 @cohesivenet
detect malicious traffic with NIDS
! !
!!

29. © 2016 @cohesivenet
limit intra-app network traffic with WAF

30. © 2016 @cohesivenet
monitor traffic with app-layer switches

31. © 2016 @cohesivenet
Perimeter Security
private data center vulnerability
vulnerabilities go undetected for an average of
234 days!

32. © 2016 @cohesivenet
VNS3 security use cases

33. © 2016 @cohesivenet
Investment Management Firm meets
PCI and FISMA requirements for Data
Center deployments using VNS3:turret
north america
VNS3:turret secured and segmented
applications deployed to the private
data center allowing IMF to enforce
security policies at the application
layer
private cloud
$230B in Funds Under
Management
financial services
Customer DC
App
Application 1
Web
DB
MO
Application 2
App
Web
DB
MO
Application 3
App
Web
DB
MO
Application 4
App
Web
DB
MO
Application 5
App
Web
DB
MO
Application N
App
Web
DB
MO

34. © 2016 @cohesivenet3434
Telecom Retail and Services company
productized mobile, fixed line and
broadband provisioning as SaaS
europe
VNS3 used to secure all public &
private VLAN traffic for adherence to
Data Protection Standards
cloud WAN / hybrid cloud
$4.5B Mobile and Mobile
Related Revenues
telecommunications
MVNO Carrier
MVNO Brand
VNS3 Overlay Network
Topology per Customer
IPsec Tunnel
Mobile
Customer
Mobile
Customer
internet
internet
us-west-2
MVNO Infrastructure Overlay
logical
subnet 1
logical
subnet 2
logical
subnet 3
logical
subnet N
server database
database database
server
server server

35. © 2016 @cohesivenet35
Disruptive payment processor built
loosely coupled infrastructure in public
cloud with DR resource networks for
database replication/failover
north america
VNS3 created overlay network to
federate multiple AWS regions, IP
mobility, and secure db replication
cloud dr
Available in over 8,000
7-Eleven stores nationwide
financial services
¡
Devops
VNS3 1 (NAT + Bastion) console-east
1a-edge logical subnet
1a-private logical subnet DevOps
1c-private logical
subnet
VNS3 logical
subnet 4
1c-edge logical
subnet
Resource Network/ DR
us-east-1b us-east-1e us-west-1a us-west-1b
us-east-1 us-west-1
1a-edge logical
subnet
1a-private logical
subnet
Overlay Network
1e-private logical subnet
1e-edge logical subnet
VNS3 2 VNS3 3 VNS3 4
VNS3 logical
subnet 3
VNS3 logical subnet 1 console logical subnet VNS3 logical subnet 2
server database

36. © 2016 @cohesivenet36
BMP and CRM vendor offered Fortune
500 customers an alternative SaaS
version of their software in the cloud
ISV
north america
VNS3 isolated each customer in the
cloud and allowed them to integrate all
deployments to their existing NOC
partner/customer network
$600m Annual Revenue
us-west-2
us-east-1
Customer 1
Customer 2
Customer 3
Customer N
ISV data center
Customer 1
Customer 3
Customer N
Customer 2
server
server
server
server
database
database
database
database
Overlay Network
Overlay Network
Overlay Network
Overlay Network
with VNS3:ms
server database

37. © 2016 @cohesivenet
Cohesive Networks
Security and
connectivity at the
top of the cloud
2,100+ customers
protect cloud-
based applications
cloud demands
grow, along with
complexity
Your Applications Connected and Secure