Bonus cloud security best practices: VNS3

Cohesive Networks
VNS3 technical blog
5 min read · Jul 6, 2017

By: Margaret Valtierra

In a discussion of cloud security and networking best practices, we’d be remiss if we didn’t mention our product, VNS3. For the first four sections we remained (somewhat) neutral about best practices.

The essential takeaways are to use cloud providers’ security features but keep a healthy skepticism about shared environments. Some offerings, like key storage in the cloud, are convenient but impractical for keeping clear lines of control and security between vendors and your own data.

Here, we’ll cross over into the clearly biased best practices: use VNS3 to get even more security on top of standard cloud provider offerings. First, a look at what Layer 4–7 security VNS3 offers, then VNS3 Best Practices, and finally what makes VNS3 unique.

Cloud environments are an opportunity to update and enhance security
From the IDC research report, Assessing the Risk: Yes, the Cloud Can Be More Secure Than Your On-Premises Environment:

In particular, cloud architectures make it easier for organizations to create security models that leverage the following capabilities:

  • More segmentation (separation). More shared resources means a greater need for more segmentation. In a conventional datacenter, this separation can be very resource intensive, and many organizations believe that the risk is limited. Cloud architectures open eyes to the use of service orientation, grid and mesh communications, and other dynamic capabilities that drive the need for new protection mechanisms.
  • More encryption. While it seems obvious that public cloud environments need encryption, many organizations have ignored the need inside their existing environments that have often become large and complex themselves. The cloud makes introducing encryption much easier.
  • Stronger authentication. Enterprises still frequently limit their multi-factor authentication capabilities to the edge — remote VPNs accessing enterprise data centers. The move to the cloud highlights the “anytime, anywhere” use of sensitive applications and reinforces the need for strong authentication everywhere.
  • More logging and monitoring. Once the bane of any IT shop (as in “too much overhead”), logging and monitoring are facts of life if only to ensure that shared responsibilities between enterprises and service providers have been addressed.

VNS3 User-Owned/User-Controlled Security

VNS3 network virtualization allows application owners to control addressing, protocol, topology and security. Network virtualization solves the problem of unencrypted data traveling over the public internet or shared regions, beyond a public cloud provider’s virtual network protections. VNS3 provides unique cryptographic keys for each host on the network, as well as additional network firewalls on the virtual network adapter. VNS3 encrypted virtual networks allow application owners to lock down applications independently of cloud provider settings.

Encrypted IPsec/SSL/TLS network traffic

VNS3 uses IPsec, Transport Layer Security (TLS), and Secure Sockets Layer (SSL) cryptographic protocols to secure network traffic to and from the cloud. This means all traffic is private, authenticated and encrypted. VNS3 is a vital addition to cloud security because users can verify there has not been any eavesdropping in transit.

VNS3 Best Practices
VNS3 creates secure and encrypted VPN connections to cloud deployments using standard IPsec tunnels and data-in-motion encryption in the cloud. Using VNS3 you can better:

  • Control: Regain control of addressing, protocols and encrypted communications in third-party-controlled cloud environments. VNS3 uses encrypted overlay networks to assign IPs and to use cloud-disabled protocols (e.g. UDP multicast) as required for deployment.
  • Secure: Encrypt data in motion to, from, and in the cloud.
  • Extend: Achieve cloud network mobility and agility by extending connectivity to a cloud VNS3 deployment or multiple VNS3 deployments across disparate clouds.
  • Federate: Configure VNS3 Controllers in a mesh to eliminate vendor lock-in and allow for high availability, geographic distribution, and cloud federation.
  • Reuse: Integrate VNS3 with existing edge and DMZ equipment like IPsec extranet, intrusion prevention, IDS and stateful inspection devices. VNS3 requires no new knowledge or training to implement.
  • Comply: Meet compliance requirements by confidently attesting to security and control measures the application owner implemented and managed.
  • Configure: Dynamically launch and configure a software-defined network (SDN) to deploy in minutes using a REST API or web-based interface.

What makes VNS3 Unique
We’ve changed the cloud networking game with the latest VNS3 release, which adds Docker container integration. Cloud users can now load applications into a single VNS3 Controller instead of building separate, costly virtual machines (VMs). Customers can build custom functionality, such as load balancing, proxying, and network intrusion detection (NIDS), into their VNS3 Controller instance to match their networking use case. Each containerized VNS3 network saves VM run time, simplifies network management, and bundles application functions in the same VM instance as VNS3.

Unlike hardware solutions, VNS3 customers can control cloud-based projects using their own software. Enterprise cloud users can guarantee secure access between corporate data centers and cloud-based systems using end-to-end encryption and federated multi-cloud overlay networks.

VNS3 is different from other networking products because it creates a customer-controlled network on top of underlying cloud networks. This “overlay network” opens up cloud computing for even more possibilities, including ways to connect and secure data centers and businesses not allowed in public cloud networks.

Previously, security and networking solutions could not guarantee the level of access and accountability enterprises need to attest to industry and regulatory specifications. Plus, VNS3 is provider, vendor, application, OS and script neutral. This eliminates the risky and painful “re-architect everything” attitude typical of many cloud computing solutions. Built using industry standards, VNS3 allows users to reuse existing network infrastructure and expertise. VNS3 is the only overlay networking product that offers both a highly available overlay network and end-to-end encryption.


Originally published at cohesive.net on July 6, 2017.
