News Roundup: Week of Jun 03, 2019


AWS Community Day | Midwest is Coming to Chicago!

Cohesive Networks is excited to be participating in AWS Community Day | Midwest in Chicago this month! The event will feature a keynote on Community & Cloud by Calvin Hendryx-Parker, as well as ‘Lightning Talks’ concerning “Building an HA enterprise search engine on ECS” (Jack Schlederer), “Cloud HSM: Frustration as a Service” (Paul Kuliniewicz), “Running Containers in AWS – Learn about ECS, EKS and Fargate” (Andrew May), and more! If you’re in the midwest we’d love to see you at the event! Click here to register.

Report on Insecure Enterprise IoT Networks

Zscaler released a report on the security of IoT networks, finding a shocking 91.5% of traffic to be unencrypted. This of course leaves these networks vulnerable to network sniffing and man-in-the-middle attacks. IoT adoption and connected device ubiquity are accelerating, in some cases at the expense of following security best practices. Regulation for IoT is looming, with some legislation already proposed. Zscaler recommends the following for securing your IoT networks:

  1. Change the default credentials for your connected devices
  2. Build network isolation into your IoT networks to prevent lateral traffic between devices, using firewalls to lock down inbound and outbound traffic
  3. Restrict access to IoT devices from external networks and lock down unnecessary ports
  4. Apply regular security and firmware updates to your devices and secure your network traffic
  5. Deploy a solution to your IoT network for visibility into all IoT devices on the network
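Recommendations 2, 3 and 5 above (and the unencrypted-traffic finding) can be turned into a simple flow audit. The following Python is an added example written for this roundup, not code from Zscaler or from the report: it runs a few constructed flow records through checks for device-to-device lateral traffic, inbound connections from outside the IoT subnet, and well-known cleartext protocols, and it builds the device inventory that recommendation 5 asks for. The subnet, gateway address, port table and flow records are all assumptions constructed for the demonstration.

```python
import ipaddress

# Assumed lab layout: IoT devices live in one subnet; the only host they are
# allowed to talk to inside that subnet is the gateway/broker at .1.
IOT_SUBNET = ipaddress.ip_network("10.20.0.0/24")
IOT_GATEWAY = ipaddress.ip_address("10.20.0.1")

# Illustrative table of ports that carry plaintext by default. A real audit
# would classify by protocol inspection, not by port alone.
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet", 80: "http", 1883: "mqtt"}

# Constructed flow records: (src, dst, dst_port). Not captured traffic.
SAMPLE_FLOWS = [
    ("10.20.0.11", "10.20.0.12", 23),     # device -> device over telnet
    ("10.20.0.11", "203.0.113.5", 443),   # device -> cloud over TLS
    ("10.20.0.13", "198.51.100.7", 80),   # device -> internet over plain HTTP
    ("198.51.100.9", "10.20.0.13", 80),   # internet -> device (inbound)
    ("10.20.0.14", "10.20.0.1", 53),      # device -> gateway DNS
    ("10.20.0.12", "10.20.0.1", 1883),    # device -> broker, MQTT without TLS
]


def audit_flow(src, dst, dst_port):
    """Return the list of policy findings for one flow (empty list = clean)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    src_iot, dst_iot = s in IOT_SUBNET, d in IOT_SUBNET
    findings = []
    # Recommendation 2: devices must not talk to each other, only to the gateway.
    if src_iot and dst_iot and s != IOT_GATEWAY and d != IOT_GATEWAY:
        findings.append("lateral")
    # Recommendation 3: nothing outside the subnet may initiate to a device.
    if dst_iot and not src_iot and d != IOT_GATEWAY:
        findings.append("inbound-external")
    # The report's headline finding: plaintext protocols on the wire.
    if dst_port in CLEARTEXT_PORTS:
        findings.append("cleartext:" + CLEARTEXT_PORTS[dst_port])
    return findings


def audit(flows):
    """Map each flow tuple to its findings, keeping only flows that have any."""
    return {f: audit_flow(*f) for f in flows if audit_flow(*f)}


def cleartext_share(flows):
    """Fraction of flows using a known-cleartext port (compare with the 91.5% figure)."""
    hits = sum(1 for _, _, p in flows if p in CLEARTEXT_PORTS)
    return hits / len(flows) if flows else 0.0


def device_inventory(flows):
    """Recommendation 5: every IoT address seen on the wire, excluding the gateway."""
    seen = set()
    for src, dst, _ in flows:
        for addr in (ipaddress.ip_address(src), ipaddress.ip_address(dst)):
            if addr in IOT_SUBNET and addr != IOT_GATEWAY:
                seen.add(str(addr))
    return sorted(seen)


if __name__ == "__main__":
    for flow, findings in audit(SAMPLE_FLOWS).items():
        print(flow, "->", ", ".join(findings))
    print("cleartext share:", round(cleartext_share(SAMPLE_FLOWS), 3))
    print("devices seen:", device_inventory(SAMPLE_FLOWS))
```

On the constructed sample four of the six flows are cleartext, one is lateral and one is inbound from the internet; the inventory lists four devices. In practice the flow tuples would come from a NetFlow/IPFIX export or a packet capture summary, and the gateway exception would be replaced by whatever allow-list the firewall enforces.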

Google Network Outage: Jun 02, 19

This past Sunday Google’s network experienced “a disruption” that “caused slow performance and elevated error rates on several Google services, including Google Cloud Platform, YouTube, Gmail, Google Drive and others.” As Google put it, the issue was caused by “a configuration change” that was “incorrectly applied” at a larger scale than intended, limiting various regions’ use of their potential network capacity. The foundation of Google’s resiliency is and has been their ability to learn from these events and successfully automate the prevention of similar events from occurring down the road.

Some takeaways:

  1. Build network and permission segmentation into your infrastructure and configuration deployments. Deployments should have temporary access to only the environment resources they need.
  2. Monitor expected resource allocations. This level of visibility reduces response time.
  3. For enterprises that require high resiliency, failover built with a multi-cloud approach might be required to prevent any downtime.

LabCorp Discloses Further Information on AMCA Breach

In a continuation of the Quest Diagnostics breach narrative, LabCorp filed this week with the U.S. Securities and Exchange Commission claiming that “personal and financial data on some 7.7 million consumers were exposed by a breach at a third-party billing collections firm” – KrebsOnSecurity. This is likely the first of many disclosures by companies similarly impacted by the breach, raising questions about whether or not PCI-DSS requirements were followed or HIPAA laws were broken. The seriousness of the breach is compounded by how long the breach persisted and the fact that it was only discovered by a third-party compliance firm (Gemini Advisory) and not the AMCA. The AMCA has provided very little information thus far as to where the systems in question are run, whether they’re cloud systems, ‘on-prem’ PaaS, or otherwise.

PSA: Patch Your Cisco Devices

If your company is running on Cisco devices, be sure to verify they’ve received all security patches. Multiple high-impact bugs were reported by Cisco in the last month and security researchers have already released proof-of-concept exploits, leaving unpatched enterprises vulnerable. As always, continue to monitor Cisco’s security advisories and alerts and, if possible, automate your security patch updates.

AWS re:Invent Recap

AWS re:Invent 2018

We’ve been heads down working on the 3 P’s for a number of months (products, presence, and people). As a result we’ve all but stopped our social media and dynamic content. We’ll look to emerge from our cocoon in early 2019 but we had to pop out and do yet another re:Invent recap (YArIR!).

Cohesive Networks (and our parent company CohesiveFT) have attended/sponsored all AWS re:Invents. Each year the conference gets denser yet more spread out… think about that one. This year was no exception. Now that our “away team” is fully recovered from the ill effects of desert entertainment, has had some time to reflect, and has gotten our hands dirty trying out a few new services, we’re ready to state our opinion. That’s what the following is, the opinion of the smartest, coolest, and most experienced cloud networking experts in the game (see opinion).

Micro Blink Reaction – Crowd Sourcing the Self-driving Algos

AWS DeepRacer is awesome and the DeepRacer League is hilariously brilliant. I ordered my discounted DeepRacer a few seconds after it was announced during Andy Jassy’s keynote. The bummer is I won’t take delivery until March. Hopefully the simulation environment holds me over (request preview access).

Macro Blink Reaction – AWS appetite for its ecosystem grows

AWS continues to eat the ecosystem and this year they stepped up their game. Previous years had AWS entering markets and wiping out millions of $s in ecosystem players. This year we think the number is in the capital B BILLIONS.

As a member of the AWS Partner Network (Advanced Technology Partner), we, like all AWS partners, look to re:Invent every year with mixed feelings of excitement and dread. If you aren’t on the Customer Advisory Council, you never really know if this is the year AWS will announce a direct competitor to your business. We all know the risks, and the AWS “not built here” corp dev mentality that drives their roadmap, but there is too much opportunity not to participate. Multi-cloud helps, but AWS is still the King of Cloud both in usage and features/services. I won’t go into detail about what competes with whom, take a look at these other recap posts:

Specific Announcement Reactions

We also won’t cover all the announcements because of the number of announcements per service category.

  • App Integration – 2
  • Analytics – 4
  • Compute – 11
  • Databases – 6
  • Developer Tools – 2
  • IoT – 7
  • ML – 14
  • Management – 6
  • Marketplace – 3
  • Media – 1
  • Migration – 2
  • Mobile – 1
  • Networking – 6
  • Robotics – 1
  • Satellite – 1
  • Security/Identity – 2
  • Storage – 10

Below we’ll review the features and service announcements that piqued our interest from a security and networking perspective.

Transit Gateway (GA)

What is it?
An AWS managed gateway service that allows a hub-and-spoke network topology connecting VPCs in the same region (expect multi-region support in the future) owned by a single or multiple AWS accounts as well as remote networks. This offering replaces the multi-party solution that was previously being offered called the AWS Global Transit Network. Check out the Transit Gateway announcement blog or product home for more information.

Why it matters?
Transit gateway solves a significant number of issues around the need to be able to route between VPCs “in cloud” at AWS. The manner in which it has been solved creates an economic opportunity for AWS as well – charging $.05 per hour for each connection to the gateway.

For Cohesive Networks, we spend our days (and nights) helping customers Connect, Federate, and Secure. Just like the introduction of the VPC itself, Direct Connect, AZs, Regions, GovCloud, China, and all the related facets of AWS – this creates more demand for connecting, federating, and securing. “Transit” is a subset of the overall federation architecture, so definitely a feature – not a business, meaning this release is good news for Cohesive, and gives us parity with capability Azure and Google networking has had for some time (although they do it a bit differently).

The release of Transit Gateway lets us create some federation structures for customers that were previously too complex, requiring, dare I say it, too many VNS3 controllers to complete the task as a result of AWS networking limitations. Now our customers can spend a bit more money, reduce a little bit of complexity, and still get the attestable control they need as regulated or self-regulated businesses operating in 3rd party data centers over which they have no direct insight, visibility, or control (AKA “the cloud”).

AWS Security Hub (Preview)

What is it?
A monitoring platform service focused on security that aggregates security alerts and compliance status from native AWS services as well as from 3rd party services. Many security vendors announced initial support for Security Hub. Security Hub aims to create a single pane of glass for an organization’s security and compliance posture across all its AWS accounts. Check out the Security Hub announcement blog or product home for more information.

Why it matters?
AWS Security Hub begins to solve the “feature glut” problem of the ever-growing Amazon services collection. One reason organizations suffer from data exploits is NOT because they lack monitoring information with events and alerts – it is because they have TOO many events and alerts. Security Hub appears that it will provide an encompassing overview of outputs coming from AWS GuardDuty, Inspector and Macie. Each of these has a rich set of features for your cloud deployments – running all three of them independently could be a bit overwhelming.

At Cohesive we have previously highlighted the world we are entering where the critical IT executive decision is “all-in vs. over-the-top”, meaning where on the spectrum of using cloud, AWS for example, do you position your organization? Do you go “all-in” on embedded AWS services which provide abstracted visibility and limited control – or do you go “over-the-top” and run many of your own layers of infrastructure and instrumentation, strung across AWS, Azure, Google, et al.? For the “all-in” crowd we think Security Hub may make consuming some of these services easier.

Global Accelerator (GA)

What is it?
A service to help customers easily route traffic across multiple regions to improve availability and performance of cloud-based applications/deployments. Global Accelerator provides an entry point that allows TCP or UDP traffic to use the AWS Global Network to reach AWS-deployed application topologies instead of the public Internet. Global Accelerator provides static Anycast IPs that serve as a fixed entry point for an AWS-deployed application available in any number of the currently supported regions (us-east-1, us-east-2, us-west-1, us-west-2, eu-west-1, eu-central-1, ap-northeast-1, and ap-southeast-1). The Anycast IPs are advertised from the supported AWS regions so traffic enters the global network as close to the users as possible. Global Accelerator can then be associated with cloud-based applications via application load balancers, network load balancers, or Elastic IPs. In addition to data transfer fees, Global Accelerator costs $0.025 per hour.

Why it matters?
Other than the obvious HA and performance benefits, the big theme from this and Transit Gateway is coalescence. Clouds and cloud regions were built to be isolated by design. Increasingly, as companies have grown in the cloud organically or via acquisition, organization cloud estates have experienced sprawl. Providing avenues to bring the regions “closer together” while maintaining the logical separation is a key value for many of AWS’ largest customers.

We continue to experiment with how our customers might benefit from using the Anycast IPs as static global cloud endpoint IPs for VPN connections as well as for distributed and encrypted overlay networks.

EC2 C5n (GA)

What is it?
A new-generation instance family focused on super fast network speeds, up to 100 Gbps. These new instances use the latest Nitro hardware and allow for some serious packets-per-second performance. The instance sizes are available now in us-east-1, us-east-2, eu-west-1, and GovCloud. Prices start Read more about the C5n instance family.

Why it matters?
We are getting a glimpse of the future of cloud network performance and throughput. Eliminating the current VPC gateway throughput restrictions will open up more use cases for the cloud. Total throughput for a VNS3 controller just increased dramatically. Of course there are some restrictions (see placement groups) but it’s always exciting when you get a bandwidth upgrade. Maybe AWS will soon host the first cloud-based high-speed, low-latency trading app?

Margaret Valtierra featured in “Business Data Security Tips: 40+ Experts Reveal Their Best Advice”


See the full article on Phoenix NAP: Business Data Security Tips: 40+ Experts Reveal Their Best Advice

Margaret’s Tip: Self-evaluate to keep pace with both risk and compliance

Your business is small, but risks are enterprise-size.

Top cybersecurity threats to small businesses (SMBs) are very similar to the risks all enterprises face. The stakes are much higher for SMBs because they often lack the resources to fight back and prevent data loss. Large firms have teams of data security experts and can afford extensive audits. SMBs can be more vulnerable to security risks and struggle to quickly react to vulnerabilities.

Data breaches affecting SMBs – from the Ponemon Cost of a Data Breach (CODB) report

Keep pace with both risks and compliance by self-evaluating

Frequently self-evaluating the company’s cybersecurity practices is the best way to detect and prevent cybersecurity threats. SMBs can use the NIST Cybersecurity Framework (it’s free!) as a blueprint to evaluate current security policies and remodel data protection policies to focus on preventing vulnerabilities and to set goals to improve and maintain security.

Traditional standards and protections all attempt to do the same things: protect sensitive data. The NIST Cybersecurity Framework is unique because the Framework combines the best practices of other security standards to focus on outcomes, rather than avoiding liability. SMBs should self-evaluate cybersecurity at least once a year, with participation from all business unit leaders and all of the IT team.


Read more: Why All Enterprises Should Adopt the NIST Cybersecurity Framework

Don’t become a victim of your own success – growth.

As SMBs grow and add employees and partners, they must share access to vital business data and systems. For example, a small company can rely on a single IT person to manage access to data, a server, and the company network. As the SMB grows and adds employees and offices, a “single point of failure” becomes a risk for the company. Security for data and networks should grow with the business, with precautions built into business goals.

Watch: Dwight Koop’s CircleCityCon talk on the NIST Cybersecurity Framework

Margaret Valtierra, Senior Marketing Specialist, Cohesive Networks

Margaret Valtierra is Senior Marketing Specialist at Cohesive Networks. She is responsible for growing business through digital and written content, public relations, and community events.


Dwight Koop Elected to the FBI’s InfraGard National Member Alliance


Along with acting as Cohesive Networks COO and CFO, Dwight is now also the Treasurer of the FBI’s InfraGard National Member Alliance. This week, Dwight is in Dallas to attend the InfraGard National Congress, a meeting for all InfraGard chapters. He was officially sworn in and was even asked to moderate, impromptu, a session on Insurance for Cyber Security Incidents.

Dwight’s path to InfraGard leadership has been a long time in the making. He began his career, after his Master’s degree, as one of the founders of the Chicago Board Options Exchange (CBOE) during its early and rapid growth years. He became an EVP, learning from some of the financial and security industry greats. This was Dwight’s first exposure to the challenges of a start-up facing the inertia and monopoly power of the ‘owners’ of the securities industry.

Dwight has been a founder of several software tools and cryptography companies along the way. At O’Connor Associates, which was later acquired by The Swiss Bank Corporation, Dwight became the person responsible for infrastructure architecture, system engineering, network engineering, and global data center operations for the company’s Trading and Markets Divisions. Dwight saw first hand how mass-market retail chips (such as Intel and AMD) eventually eliminated all the expensive custom equipment in the market. The first sector to fall was storage, then processing, and now networking as commoditization continues to sweep established sectors.

Through Borland Software, which acquired Patrick Kerpan’s Bedouin Inc, Dwight worked more closely with our now CEO. They collaborated again when they founded CohesiveFT. From CohesiveFT, they successfully spun out Rabbit Technologies Limited (makers of RabbitMQ) to VMware. Today, Cohesive Networks focuses on software connectivity and security.

Dwight takes on many of the security compliance projects at Cohesive Networks, including his work on the NIST Cybersecurity Framework. He’s authored the NIST Cybersecurity Framework white paper, and recently presented at CircleCityCon. Dwight is also a member of the Chicago Secret Service Electronic Crimes Task Force.

Dwight’s tips for cloud network security:

  1. Assume all networks are dangerous. Protect internal networks the same way you’d guard against hackers and snoops on public internet. Google’s BeyondCorp is proof that we should dump the edge protection corporate network model.
  2. Focus on securing all data as it travels across networks or in shared environments. Use strong encryption, network segmentation, and defense in depth to limit interactions between critical applications.
  3. Segment internal networks. Most enterprises focus on perimeter defenses and overlook internal network security. But network segmentation is the best way to protect all applications, servers, and systems. Even with only basic interior firewall rules and encrypted VPN tunnels, an organization can protect itself from the kind of east/west exploit seen in the Sony hack.
  4. Use the NIST Cybersecurity Framework to review and update corporate risk-management approaches. The Framework combines existing security assessments, regulations and guidelines into a workable reference guide – and it’s free.

What the new Data Protection Bill means for UK businesses


The UK government has published a “statement of intent” on data privacy and security this summer. The law, an updated version of the Data Protection Bill, will mirror the EU’s upcoming General Data Protection Regulation (GDPR) rules for data privacy and the fines for non-compliance. The UK law will likely go into effect in September 2017, which does not give organisations time to meet the GDPR requirements by 28 May 2018.

About the Data Protection Bill

The new Data Protection Bill requires any organisation that collects or manages personal data to be accountable for that data. All data collection, storage, and management must prioritise end-user privacy rights. Any organisation that deals with high-risk data processing must protect that data and allow end users to remove and transport their data.

Worryingly, only one in 10 FTSE 350 companies (10 percent) do not currently have a response plan for dealing with a cyber incident. Less than a third of organisations’ boards have a comprehensive cyber risk plan. Only 6% of UK businesses are completely prepared for the new data protection rules, which makes the Data Protection Bill and GDPR deadlines even more important.

Bottom line: businesses must ensure their data is secure, private, and well managed or pay the price.

Unlike the GDPR, the UK law sets the national data protection regulator as the Information Commissioner’s Office (ICO). The ICO will have the power to defend consumer interests and issue higher fines. Organizations that do not properly protect personal data or fail to report security breaches can be fined up to £17 million or up to 4% of their global turnover. Previous laws set the maximum fine at £0.5 million.

From the Government, the Data Protection Bill intends to:

  • make it simpler for users to withdraw consent for the use of personal data;
  • allow people to ask for their personal data held by companies to be erased;
  • enable parents and guardians to give consent for their child’s data to be used;
  • require ‘explicit’ consent to be necessary for processing sensitive personal data;
  • expand the definition of ‘personal data’ to include IP addresses, internet cookies and DNA;
  • update and strengthen data protection law to reflect the changing nature and scope of the digital economy;
  • make it easier and free for individuals to require an organisation to disclose the personal data it holds on them;
  • make it easier for customers to move data between service providers.

An Evolution of Digital Security

The DCMS has evolved from the Department of National Heritage (DNH) into the Department for Culture, Media and Sport (DCMS), renamed in 1997, and then into today’s Department for Digital, Culture, Media and Sport on 3 July 2017. PM Theresa May’s government updated the name to reflect the department’s increased activity in the digital sector.

On 7 August the DCMS released a “statement of intent” to update and strengthen data protection laws. A new Data Protection Bill will mirror the EU’s General Data Protection Regulation (GDPR). Like the agency, the law has evolved: the original Data Protection Act first came into law in 1984 and was updated again in 1998. The proposed 2017 law will bring the EU’s GDPR into UK law, so data security will remain a priority regardless of Brexit.

How is the Data Protection Bill similar to GDPR?

The Data Protection Bill is designed to enact the GDPR into UK law. The Bill is very similar to the GDPR – it includes the famous “right to be forgotten” data removal requirements, “explicit consent” for collecting new data, and “data portability” for moving data between providers.

Another key similarity is the concept of “privacy by design/default.” Organisations must build applications and systems with data privacy protection built in.

What can you do today to prepare?

Re-evaluate access controls for IT teams and other departments. With cloud-based systems, it should be easier to implement strong password and authentication programs. With access management tools, IT teams can also gain insight into which users require access to each service or application and apply the rule of “least privilege” required for each.

Add encryption in-transit to any existing encryption best practices. Cloud providers offer excellent encryption for data at rest, but only some services and intra-region transfers have data-in-motion encryption. Any data traveling between cloud regions, traveling over the public internet, and between organisation locations should be encrypted.

Prepare with security, but plan for a data breach. GDPR requires all organisations report any data breaches involving personal information within 72 hours of discovery. Along with controls to detect any unwanted network access, your teams should also have a plan to control and shut down any malicious actors.

VNS3 and data protection

VNS3 can help organisations meet data security measures for data privacy compliance. Even if your company is not located in the EU, your data might include information on a “data subject.” For organisations with large amounts of data and data that travels between networks the best options include adding encryption in-transit. Cloud providers offer excellent encryption for data at rest, but only some services and intra-region transfers have data-in-motion encryption. Any data traveling between cloud regions, traveling over the public internet, and between organisation locations should be encrypted.

But, don’t just take our word for it! Use VNS3 in any cloud environment with our Free Edition. Try it today from the AWS Marketplace or Azure Marketplace.

Get in touch with our sales team for BYOL versions for other large clouds, custom pricing, or for a POC.


3 Key Steps to GDPR Compliance

Don’t be caught off guard by GDPR requirements in 2018!

According to a recent KPMG study of FTSE 350 boards, few are prepared for the General Data Protection Regulation, or GDPR. All new data your organisation gathers should include clearer evidence of data collection consent and opt-out options. How should IT teams prepare for the upcoming changes? Which initiatives should be a part of your program to be compliant?

Penalties for not complying with GDPR will be steep. Organisations in breach of GDPR can be fined up to 4% of annual global turnover or €20 Million (whichever is greater). While this is the maximum amount an organisation will face, the requirements are rigid for all levels of infringement. GDPR has a tiered approach to fines, so organisations might be liable for multiple offences. Internal IT teams and legal departments should take note – the GDPR applies to any company that controls data or processes data; ‘clouds’ are not exempt.

Which initiatives should be a part of your program to be compliant with GDPR?
The first, major step to complying with GDPR is to understand the data the organisation holds. Multiple departments will likely hold lists of personal information, such as email lists for marketing, human resources’ personnel files, and so on. Understanding what you must protect is the first step to protecting it.

Takeaway: Any organisation that collects or processes data of an EU citizen should comply with GDPR.

At the core, the GDPR requires data protection by design. Organisations must design data security into business processes.

Another requirement is “pseudonymisation”, the process of transforming personal data in such a way that the resulting data can no longer be attributed to a specific individual without additional information. An example is encryption. The GDPR also requires that the associated information, like the decryption keys, be kept separately from the identifying data.
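To make the two halves of that requirement concrete (the transformed data on one side, the re-identification material kept separately on the other), here is an added Python example written for this post; it is not code from Cohesive Networks or from VNS3. It replaces the direct identifier in a few constructed records with a keyed token (HMAC-SHA256 under a secret key) and keeps both the key and the token-to-identity map inside a separate “custodian” object, so the processed dataset alone cannot be turned back into names. The record layout, field names and the custodian class are assumptions made for the demonstration.

```python
import hashlib
import hmac
import secrets

# Constructed sample records; the addresses are not real people.
SAMPLE_RECORDS = [
    {"email": "alice@example.com", "plan": "pro", "last_login_days": 3},
    {"email": "bob@example.com", "plan": "free", "last_login_days": 40},
    {"email": "Alice@Example.com", "plan": "pro", "last_login_days": 1},
]
DIRECT_IDENTIFIERS = ("email",)


class KeyCustodian:
    """Holds the pseudonymisation key and the token -> identity map.

    This is the 'additional information' the GDPR says must be kept
    separately: deploy it on a different host or account from the
    system that processes the pseudonymised records.
    """

    def __init__(self, key=None):
        # A random 256-bit key; a plain unkeyed hash of an e-mail address
        # could be reversed by guessing, which is why the key matters.
        self._key = key if key is not None else secrets.token_bytes(32)
        self._reverse = {}

    def pseudonymise(self, identifier):
        # Normalise so the same person always maps to the same token.
        canonical = identifier.strip().lower()
        token = hmac.new(self._key, canonical.encode("utf-8"), hashlib.sha256).hexdigest()
        self._reverse[token] = canonical
        return token

    def reidentify(self, token):
        # Only the custodian can do this; raises KeyError for unknown tokens.
        return self._reverse[token]


def pseudonymise_records(records, custodian):
    """Strip direct identifiers and attach a custodian-issued subject token."""
    out = []
    for rec in records:
        kept = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        kept["subject_id"] = custodian.pseudonymise(rec["email"])
        out.append(kept)
    return out


def contains_direct_identifiers(records):
    """True if any record still carries a field from DIRECT_IDENTIFIERS."""
    return any(k in rec for rec in records for k in DIRECT_IDENTIFIERS)


if __name__ == "__main__":
    custodian = KeyCustodian()
    processed = pseudonymise_records(SAMPLE_RECORDS, custodian)
    for rec in processed:
        print(rec)
    print("direct identifiers left:", contains_direct_identifiers(processed))
    print("custodian re-identifies:", custodian.reidentify(processed[0]["subject_id"]))
```

Two properties are worth checking on the output: the first and third records share a token (the analytics side can still count one customer twice without knowing who it is), and a second custodian with a different key produces different tokens and cannot re-identify the first one’s output. Reversible encryption of the identifier would satisfy the same requirement if the key lived with the custodian rather than beside the data.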

Specifically, IT teams can ease into GDPR with better monitoring and management. Automating any part of network scanning, log analysis, and compliance tracking can speed up time to compliance.

Next, teams should re-evaluate access controls to sensitive data. With cloud-based systems, it should be easier to implement strong authentication programs to apply the rule of “least privilege” required for each application.

Finally, add encryption in-transit to any existing security best practices. Cloud providers offer excellent encryption for data at rest, but only some services and intra-region transfers have data-in-motion encryption. Any data traveling between cloud regions, traveling over the public internet, and between organisation locations should be encrypted.

How can Cohesive Networks help you?

VNS3 helps meet data security measures for data privacy compliance:

  • Encrypt data in transit using VNS3’s IPsec tunnels to connect to all data sources and applications
  • Protect Personal Data by encrypting all data across open public networks
  • Guard against Vulnerability with a VNS3 intrusion detection system (IDS)
  • Maintain Strong Access Control by controlling access to data and encryption keys
  • Enhance Data Portability with a VNS3 overlay network over the top of any cloud or virtual network