Break out of your datacenter: Go Hybrid!

The Fortress

“A successful breakout depends on three things: Knowing the layout, understanding the routine and help from an outsider” — Ray Breslin (Escape Plan)

To break out of the datacenter mindset and to a Cloud way of being requires one to embrace a cluster of all-new (for many) paradigms – virtualization and owning zero-hardware; having somebody else hosting and even managing your computing resources; instant provisioning and automation; cloud topology and global distribution of resources; scalability and elasticity; reduced operating man-hours. The combination of these paradigms is the heart of what we call Cloud Computing.

The datacenter is a fortress with rigid rules: constrained by its hardware, it needs a large number of IT staff dedicated to operations, and provisioning anything new takes precious time away from the rhythm of the business. The modern enterprise still moves very slowly, even in an era where elephants are said to dance!

Data Security – A Game of Shadows

This November 2nd will mark the 25th anniversary of something momentous. On November 2nd 1988 the first ever worm, the Morris worm, hit the internet. Launched by a Cornell University student as an experiment, it not only ended up bringing down many systems connected to that early version of the internet, but was also a true marker of the transition of the internet to an ‘insecure open network’.

Twenty five years later, as IBM leverages the power of the cloud to offer DoS protection, and some of the biggest brands including Apple, Google, and Adobe suffer from a wave of sophisticated internet attacks, it is tempting to look back at that moment and consider it a ‘Pandora’s Box’ event. The box was always meant to open, it was just the trigger event that set things in motion.

As individuals who have witnessed the breathless rush of technology changing the face of the internet every few years, we have come a very long way: from bulletin board systems, telnet and usenet to AWS, Google Authenticator two-factor authentication and private clouds hosted in datacenters; from hacked database servers on the public internet with default passwords and no IP restrictions to sophisticated sweeps of an organization’s networks, attacks that take weeks, months or even years to execute.

Truly, data security for the business of 2013 is a game of shadows!

That reminds us of this quote from a favourite movie we rewatched recently (Sherlock Holmes: A Game of Shadows 2011) -

Sherlock Holmes: [v.o] His advantage, my injury. My advantage, his rage. Incoming assault feral, but experienced. Use his momentum to counter.

[as Holmes hits Moriarty in the face, everything stops and the audience watches Moriarty’s face]

Professor Moriarty: [v.o] Come now, you really think you’re the only one who can play this game?

[Back to the analyzed fight]

Professor Moriarty: Trap arm, target weakness. Follow with haymaker.

Sherlock Holmes: Ah, there we find the boxing champion of Cambridge.

[Holmes throws a hook at Moriarty’s face]

Professor Moriarty: Competent, but predictable. Now, allow me to reply.

[Moriarty throws several punches at Holmes’ shoulder]

Sherlock Holmes: Arsenal running dry. Adjust strategy.

[Holmes tries to kick Moriarty but fails]

Professor Moriarty: Wound taking its toll.

Sherlock Holmes: As I feared. Injury makes defense untenable. Prognosis, increasingly negative.

The Inside Threat

While Holmes was able to discover his opponent, the business of today does not have that luxury. As Steve Pate writes in ComputerWorld (read here):

“Depending on which research you read, insiders are responsible for anywhere from 14% of data breaches (as published in the Verizon 2013 Data Breach Investigations Report), to over 36%, as Forrester Research has published. Both of these reports make the important distinction between malicious insiders, who seek access for profit or revenge, and the employees who simply make mistakes — leaving data exposed or vulnerable. Frankly, from a compliance or breach notification standpoint, these nuances don’t matter. If sensitive or regulated data gets out, you’ve got problems.”

How do businesses today handle a situation where they are engaged in a game of shadows with multiple opponents that they cannot possibly identify? And what’s worse, how do they handle the fact that some of these opponents lie within the organization?

Simplify, Empower and strike the balance between Consistency and Adaptation

First, simplify.

Look for the simplest solutions that help organize and secure your networks, resources, and employees. For instance, when doing network security, look for solutions that work with networks, not with resources / servers. When securing data-at-rest, that’s the time to be able to work with servers – physical or virtual – and the resources that they host. Look for solutions that do one thing with simplicity, elegance, and transparency. Your overall architecture will be a lego-structure of solutions which address different requirements without huge overlaps. The ability to use abstract thought to plan your security arrangements is invaluable here – a practical approach will save you time and money until the first breach costs you a huge packet and makes you go back to the drawing board!

Second, empower.

It’s so easy for us to forget that employees are human beings, not mechanical objects. Because an organization has so many areas where it cannot control its employees’ actions, employees will always end up with power. Recognizing this reality and proactively empowering employees in a sensible manner gives businesses a better chance of ensuring they aren’t cracked wide open by the maverick actions of their employees. For instance, some organizations fear and bar BYOD – this does not mean that BYOD does not happen on their premises. A little planning allows IT to select BYOD mechanisms that are sensible and yet limit the risk involved.

Third, strike the balance.

Organizations – especially in the enterprise segment – tend to be large and have many disparate departments, sections, units… A uniform data security policy or IT policy across all segments is much harder to achieve. This is precisely why regulations for compliance (like PCI-DSS) are so carefully written, and allow for different forms of implementation, because such regulation itself is to be imposed on industries with companies of all shapes and sizes. We would suggest that businesses create uniform policies, but focus more on the requirements (what is to be achieved) than the instructions (how it is to be achieved). For instance, we hear of large corporates with ‘renegade’ teams hosting on AWS without consulting their superiors, just because IT responds so slowly to individual requests. Far better to legalise these deployments but put pressure on departments to ensure that such deployments conform to the mandated requirements, even if they don’t follow the instructions of “Use only our private cloud!”.

Understand Security in Cloud + DataCenter better

You can read more of our articles or, better still, contact us today! Email us at info@ciphergraph.com – we have what it takes to help you make sense of this treacherous game of shadows.

Your business is already secure. Or is it?

The Illusion of Security

A common response we hear from companies is, “Our installation is already secure”. Another, “Nobody can intercept our traffic, so it’s secure”. Another, “This kind of security is a solved problem”. At this point, we ask them for a description of the solution that they currently use to protect their cloud or datacenter deployment. And the answers are often stunning! Sample this: “I open up ports for end users manually, it doesn’t matter if I have to work in the middle of the night to do this”. “We use SSL, so nobody can hijack our traffic”. “We use <some random security appliance with a thousand features thrown together haphazardly> to protect our network and do remote access”.

The reality isn’t as pretty

All of these have one thing in common – a perception of security which allows your business to rest easy. Until that fateful breach which takes advantage of the holes in your security that you just haven’t noticed! Manual port configuration and manipulation of firewall rules requires your IT to work overtime, which makes it harder for them to do a good job of proactive monitoring of security threats. SSL security or other means of encrypting traffic do not protect against attacks targeted at the endpoints exposed by your applications and services. Security appliances with a thousand features and a thousand blades don’t just do everything, they do everything rather poorly.

Manual Firewall Tinkering

It’s obvious why manual firewall configuration is a bad thing – it is opaque, hard to manage, incredibly error-prone and requires excessive IT effort. From our own experience, we hear of IT admins who discover ports left open 6 months after the need for them has ended. Firewalls and firewall rules are not set up with the intent of ad-hoc permissions; they are set up so that only the services and applications you really need to expose are exposed.
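As an added illustration (written for this page, not a CipherGraph tool), here is a Python audit that reads a constructed firewall rule export in which each ACCEPT rule carries a ticket, owner and expiry in a trailing comment, and reports rules that have expired, are about to expire, were never annotated, or open a non-web port to the whole Internet. The line format, ports and dates are all assumed for the example; a real export from any particular firewall would need its own parser.

```python
import re
from datetime import date, datetime

# Constructed sample export (format assumed for this example): one rule per line,
# with the operator's justification recorded in a trailing comment.
SAMPLE_RULES = """\
1 ACCEPT tcp dpt:443 src 0.0.0.0/0       # ticket=T-1001 owner=web expires=never
2 ACCEPT tcp dpt:3389 src 203.0.113.10   # ticket=T-1042 owner=ops expires=2013-03-01
3 ACCEPT tcp dpt:22 src 198.51.100.7     # ticket=T-1077 owner=dev expires=2013-10-15
4 ACCEPT tcp dpt:5432 src 0.0.0.0/0
5 ACCEPT tcp dpt:8080 src 203.0.113.0/24 # ticket=T-1090 owner=qa expires=2013-09-30
"""

RULE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+dpt:(\d+)\s+src\s+(\S+)\s*(?:#\s*(.*))?$")
PUBLIC_PORTS = {80, 443}   # the only ports this example accepts from anywhere
WARN_DAYS = 14             # flag rules expiring within this many days
REQUIRED = {"ticket", "owner", "expires"}


def parse_rules(text):
    """Turn the export into dicts; the trailing comment becomes a key=value map."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable rule line: {line!r}")
        rid, action, proto, port, src, note = m.groups()
        meta = dict(kv.split("=", 1) for kv in (note or "").split() if "=" in kv)
        rules.append({"id": int(rid), "action": action, "proto": proto,
                      "port": int(port), "src": src, "meta": meta})
    return rules


def audit_rules(text, as_of):
    """Return {rule_id: [reasons]} for every ACCEPT rule that needs attention."""
    findings = {}
    for r in parse_rules(text):
        if r["action"] != "ACCEPT":
            continue
        reasons = []
        meta = r["meta"]
        if not REQUIRED.issubset(meta):
            reasons.append("no ticket/owner/expiry recorded")
        elif meta["expires"] != "never":
            expiry = datetime.strptime(meta["expires"], "%Y-%m-%d").date()
            age = (as_of - expiry).days
            if age > 0:
                reasons.append(f"expired {age} day(s) ago")
            elif -age <= WARN_DAYS:
                reasons.append(f"expires in {-age} day(s)")
        if r["src"] == "0.0.0.0/0" and r["port"] not in PUBLIC_PORTS:
            reasons.append(f"port {r['port']} open to the whole Internet")
        if reasons:
            findings[r["id"]] = reasons
    return findings


if __name__ == "__main__":
    for rule_id, reasons in audit_rules(SAMPLE_RULES, date(2013, 10, 1)).items():
        print(f"rule {rule_id}: " + "; ".join(reasons))
```

Run on a schedule against the live rule set, the output is the list of rules to close or re-justify; the point is that a rule without an owner and an expiry date has no natural moment at which anyone asks whether it is still needed.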

SSL Security and Encrypted Traffic

AlertLogic writes in its State of Cloud Security bulletin (read here):

“67 percent of energy companies experienced brute force attacks, versus 34% of entire customer set. Attackers look for opportunistic points of vulnerability in networks housing confidential business information. Breaches of geophysical data, in particular, are intended to damage or destroy the data used in energy resource exploration. Brute force attacks are also used to steal a company’s intellectual property for the purpose of industrial espionage.”

SSL security does not protect against brute force attacks. Nor does it protect against any other attacks aimed at the endpoint of an application or service. For instance, if the login page of your web application has an SQL injection weakness, then your application will be compromised, whether or not you implement SSL / encryption for all traffic to the web application. SSL does transit security very well. It does not, however, do perimeter security. The more critical your data (for instance, energy companies in the above quote), the greater the chances of attackers targeting accessible endpoints via brute force attacks or zero-day vulnerabilities which do not require the user to log in. For instance, if your Apache web server has a zero-day vulnerability, protecting the web apps it hosts with impregnable passwords does not protect it.
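To make the login-page point concrete, here is an added example (written for this page, not code from CipherGraph or any product it mentions): a login check in Python against an in-memory SQLite table, in a vulnerable and a hardened form. Both functions receive exactly the bytes the browser sent, whether or not the connection used SSL, because TLS protects data in transit and nothing else; the first splices the username into the SQL text, so a username ending in a comment marker removes the password check, while the second binds the username as a parameter. The account names, passwords and the `admin' --` input are constructed for the demonstration, and the unsalted SHA-256 is a stand-in for a proper password hashing function.

```python
import hashlib
import hmac
import sqlite3

# Constructed sample accounts; unsalted SHA-256 stands in for a real password hash.
SAMPLE_USERS = [("alice", "correct horse battery staple"), ("admin", "not-the-real-one")]


def _pw_hash(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


def setup_db() -> sqlite3.Connection:
    """Build an in-memory users table for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(name, _pw_hash(pw)) for name, pw in SAMPLE_USERS])
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # BAD: the username is spliced into the SQL text. A username such as
    # admin' --  turns the rest of the WHERE clause into an SQL comment, so the
    # password comparison never runs. TLS delivered that string intact: it
    # protects the bytes on the wire, not what the application does with them.
    query = ("SELECT username FROM users WHERE username = '%s' AND password_hash = '%s'"
             % (username, _pw_hash(password)))
    return conn.execute(query).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # GOOD: the username travels as a bound parameter, so it is only ever data.
    row = conn.execute("SELECT password_hash FROM users WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        return False
    # Constant-time comparison avoids leaking how many leading characters matched.
    return hmac.compare_digest(row[0], _pw_hash(password))


if __name__ == "__main__":
    db = setup_db()
    print("vulnerable, crafted username:", login_vulnerable(db, "admin' --", "anything"))
    print("safe, crafted username:     ", login_safe(db, "admin' --", "anything"))
```

The same crafted username that logs the first function in as `admin` is, to the second, simply a username that does not exist; encrypting the connection would not have changed either outcome.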

Security in a Box

Then finally, we look at the security appliances with a rich feature set. We believe in simplicity, and in function. Anything we build or use must be built exactly for the intended purpose. When we examine ‘security appliances’ on AWS or elsewhere, we see a disturbing trend – the feature set is created to convince the customer that ‘We solve all of your problems’. You will see firewall, VPN, UTM, forensics, log monitoring; an endless list of features in one appliance (virtual or otherwise).

UTMs exist to make hardware management easier; vendors know that customers use only a fraction of the bundled services, and by the time you do the math on economy, the sale is already done. In the cloud and virtual world, hardware is eliminated entirely, so deploying an aggregated service bundle like a UTM on a VM-based or cloud platform is completely wasteful and severely chokes performance.

Theoretically, it is possible to give you every single solution in one compact package. But realistically speaking, no company out there is going to be able to do that. Not even our own. We believe in a clearly defined solution to an explicitly defined problem, with the right mix of features. Not in building solutions which claim to implement every aspect of security in an effort to get more customers. We’ll pass on getting more confused customers, and instead focus on customers and relationships which are based on experience, trust, understanding and wysiwyg – what you see is what you get.

Do we walk the talk?

We give you perimeter security. For cloud and datacenter. With simple secure remote access to empower your end-users. And role-based access control allowing you to give the concerned users access to the resources they need to access. In a virtual appliance (no hardware!) with clearly defined features and focused functionality. We’re not even talking about the costs and how much you’ll save – we’re proud of what we offer to you and we’d like you to see cost-savings as a bonus, not as your reason for buying from us.

Reduce the clutter around your security thinking – contact us today! Email us at info@ciphergraph.com – we’d love to hear from you.

Image courtesy pbkwee

Cloud Computing: There is no spoon!

A recent Techcrunch article by Alex Williams was a fine read about how major players have had cognitive bias in their assessment of cloud computing and its impact on their market dominance. It is not completely unfounded, the players have enjoyed tremendous success in the traditional datacenter model, they would prefer to use that to their advantage.

About providers of private cloud technology, Alex says:

The reality: these systems have to be purchased, installed in a data center, loaded with software and then maintained by an IT team. To reiterate, customers do have a need for this infrastructure but it is more a retooling of the data center more than anything else.

This simply could not be more accurate. Private cloud will quickly evolve to being a niche segment. For most companies, the cloud offers the benefits they simply will be unable to do without.

Public Cloud Gaining Dominance

Gartner says public cloud is growing at an excellent rate of 18.5% but IaaS is at a staggering 42.4%.

The evidence is unassailable; AWS, Azure and other cloud providers are increasing their market share by a tremendous percentage each year. Their offering is not just a business execution: the technology is evolving, creating more options that are more versatile and powerful.

The utility of public cloud is fast approaching near ubiquity and the corner cases are becoming more and more marginal. How is this all happening? The argument of focus, that AWS has only the software and technology to focus on, may hold some water, but the truth is that the incumbents in private cloud may have wanted their reputation to stand for itself, disregarding the fact that the IT effort does not reduce to zero and may not even reduce substantially enough.

Charles Fitzgerald says:

IBM’s fundamental problem: they supply those being disrupted by technology, not those doing the disrupting. Today an IBM dependency can be an existential risk.

This argument can be interpreted in multiple ways; one may be that IBM is making a mistake, but the more important one is that IBM is evolving and their current business model will be superseded. If you depend on that, you may soon fall into “legacy support” for them, and that will harm your business operations.

Assess your needs carefully

Everyone craves comfort zones, but the cloud has no room for players that need familiarity. “You cannot leap the chasm in two jumps”, and I’d also add, you cannot leap without getting both feet in the air. Simply put, if you keep trying to retrofit cloud to your hardware, you will have poorly addressed the strain from competition, and it may have you completely beaten unless fixed fast. The phenomenal cloud growth and the numbers leave no breathing room for a slow incremental shift towards cloud.

Move fast, or risk complete wipeout.

Fortunately, experimenting with cloud is not as expensive or risky as experimenting with owning datacenters. Most of the cloud is an OpEx/subscription model and you pay only for a short duration. There is no risk of sunk costs, yet the potential gains are disproportionately high.

Cloud Computing: There is no spoon

It’s time to abandon the conventional way of thinking. See past the obvious choices and retrofitted solutions. Choosing hardware for your cloud security is the choice most likely to be wrong right off the bat, and it will certainly be wrong in the long run, where the massive leaps in cloud computing will make every shiny piece of hardware obsolete much sooner than you want.

Security is the top inhibitor to cloud adoption

Security is seen as the number one inhibitor to the cloud, and that is true for two reasons:

  1. There is little understanding for cloud-freshers of where their provider’s responsibility ends and their own begins.
  2. Cloud Security is not the same as what you are used to in the datacenter.

I’ll make things simpler. Security is always your problem. You may not need to be directly involved to solve it, but you need to know what you have chosen. In the recent past there have been several security breaches with embarrassing and expensive data thefts; you do not want to be one of them.

The second point is self-explanatory. Cloud is not the same as datacenter: the technology is different, the underlying assumptions are different and, most importantly, the infrastructure is mostly opaque to your IT. You have to make an informed choice; there is no way a tool as powerful as cloud computing would be trivial to use effectively.

CipherGraph gives you speed and security in one simple powerful package

If your cloud strategy involves IaaS, you need CipherGraph. CipherGraph gives you the security you need to make the cloud leap *now*. Do not wait till your competition starts to chip away at you; by then it will be too late.

Talk to us at info@ciphergraph.com to learn more about cloud security and what CipherGraph can do to make your cloud migration secure, swift and economical.

Single biggest cloud inhibitor is Trust and everyone has a right to choose

Can we trust the cloud?

Often these discussions tend to leave out IaaS, which ironically is the fastest growing cloud service there is.

Gartner says that one of the biggest factors inhibiting cloud adoption is security. I’ll go one step further and say a critical factor acting to block cloud adoption is trust. Security is a business requirement, and genuine trust is never blind.

Here is Ron Miller on the subject -

In an interview this weekend with All Things Digital, Google CIO Ben Fried articulated Google’s policy on bringing your own devices and using external cloud services — in short they don’t allow it in most instances because of security concerns.

When discussing cloud storage SaaS companies, Fried told All Things Digital that when users use it in a corporate context, corporate data is being held in someone else’s data center.

This is not an attack on cloud in general. It is easy to interpret it as a lack of trust in cloud, but I believe it only says that the company needs more control over the handling and security of how their data is held externally. If the kind of security they need is not offered economically by third-party vendors, they have no choice but to do it themselves.

Not every company can host its own datacenters, but all companies can exert practically the same levels of control by adopting IaaS (with the security characteristics they want).

Helping companies adopt IaaS cloud securely

IaaS is the sweet spot between owning your own datacenters and being powered by cloud. All the advantages and control of owning your datacenter, without all the management of hardware and other datacenter-related things.

A good beginning for any business looking at the cloud is to map the risk points. Where does using the cloud expose you to risk as opposed to the safe environs of your on-premise deployment?

With IaaS, applications are now hosted within your cloud deployment, and you are in full control of data security and data-loss-prevention. Most businesses can comfortably go with almost any reputed IaaS provider like AWS, Azure etc.

Cloud Security and IaaS

Many of our articles go into detail about how to go about securing your IaaS deployments (more than even your datacenter ever was). What we’d like to emphasize here is that awareness of the risks associated with data in transit and data at rest when using IaaS gives your business the ability to trust the cloud as a platform. A great starting point to neutralize those risks is to try to list risks that your datacenter already tackles for you and gain similar security characteristics on your cloud, but using building blocks from the cloud era, not the datacenter era.

For data in transit, CipherGraph delivers you a platform centered around two concepts from the datacenter paradigm – remote access and perimeter security. Together, these traditionally formed the heart of datacenter security – create a secure perimeter around your servers, and allow remote access only through a secure VPN appliance. We’ve reworked those to create virtual appliances that give you datacenter grade security in the cloud with the perimeter security that assures safety of your apps and servers.

Protect your servers, data and data-in-transit

We’ve implemented enterprise-grade features that can be used by any size of business to manage their end-users – Role Based Access Control & Audit, Multi-Factor Authentication, etc. Your apps and data-at-rest benefit from the security of being within a datacenter-like firewalled perimeter, and access to intranet servers and data (data-in-transit) is securely enabled only for authorized users over our encrypted channel.

We’ve worked very hard to give your business a complete package to secure your IaaS cloud deployments – a package to help you trust cloud and benefit from its incredible power.

Learn More

Ready to trust us enough to validate what we’re talking about? Give us a spin, email us at info@ciphergraph.com

Access Control may be the Killer-App in Cloud

Access Control has always been at the heart of top-end security technology. The modern cloud may be the first time ever that you can implement powerful security that is clearer to visualize and has stronger trust boundaries.

What is Access Control?

In a sentence, it is about allowing access to certain network/data locations based on the origin. Of course, that is a very loose and basic definition. Modern Access-Control has evolved to be much more sophisticated now. Before we move forward let’s consider a few questions:

  • Within your datacenter/cloud, where is the trust boundary?
  • Do you manage different departments using different network locations (like subnet, VLAN etc.)?
  • Are the individual servers themselves responsible for defending themselves against unauthorized access?
  • Do all users (including your consultants and partners) get treated the same when connecting to your datacenter?

If the answers to these questions are mostly technical in nature, you may have already made a mistake. Quite possibly you’re already paying for it in ways you may not directly associate with such setups. A simple follow-up question: do you often have “maintenance” windows that last several hours or cover large parts or all of your network? How long does it take to get things back to fully functional?

Perhaps it’s now easier to see where we are going with this: the only true way to define your deployment’s access rights is to use user roles, not subnets, VLANs, groupIDs or IP addresses.

In Focus: Role Based Access Control

Declaring “everyone in my engineering department should have access my version control server” is more intuitive than “subnet 10.0.0.0/24 has version control servers and build servers and my engineers are coming from 192.168.0.0/24 and 192.168.2.0/24; Let’s connect them”. Then there are other things to consider, users are allocated xyz groupID on the VPN and there will need to be a few rules in the DMZ firewall and the internal router to allow this traffic too.

There are many problems with the latter approach apart from being unnecessarily complicated. Sizes of subnets aren’t flexible, the capacity of each is limited, groupID secrets are hard to manage and change across the board, and changing anything in the topology will invalidate everything that I have built the policy on.

Role Based Access Control is just what it says it is, use the existing corporate roles of your employees that you keep already in your directory server (Microsoft Active Directory or LDAP etc.) and use them to define access rules without worrying about the numbers of people in each role or where the actual server is placed (IP, Subnet, VLAN etc.). Advanced engines go a step further and define, exactly which protocol is allowed. Certainly you do not want the management console to your Microsoft Sharepoint server to have the same access rights as the Sharepoint portal itself. Just so you know, that is how you should be able to define the policy as well, “Allow access to management console to IT and Deny access to everyone else”.
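The following is an added example, written for this page and not CipherGraph’s engine, of the policy shape the two paragraphs above describe: a small role-based evaluator in Python. Roles come from a constructed directory snapshot standing in for AD/LDAP group membership, resources and their protocols are referred to by name with addresses kept in a separate table (so re-addressing a server never touches the policy), anything not explicitly allowed is denied, and an explicit deny on a role beats any allow, which is how “allow the management console to IT and deny everyone else” and the version-control rule are expressed. All users, roles, addresses and ports are constructed for the example.

```python
from dataclasses import dataclass

# Constructed directory snapshot: user -> roles (stands in for AD/LDAP group membership).
DIRECTORY = {
    "alice": {"engineering"},
    "bob": {"it"},
    "carol": {"sales"},
    "dave": {"engineering", "it"},
    "eve": {"engineering", "contractor"},
}

# Resources are named; addresses and ports live here, outside the policy, so moving a
# server to another subnet or IP changes this table and nothing else.
RESOURCES = {
    "version-control": {"address": "10.0.0.12", "services": {"ssh": 22, "https": 443}},
    "sharepoint-portal": {"address": "10.0.1.5", "services": {"https": 443}},
    "sharepoint-admin": {"address": "10.0.1.5", "services": {"https": 8443}},
}


@dataclass(frozen=True)
class Rule:
    effect: str     # "allow" or "deny"
    role: str       # "*" matches every role of a known user
    resource: str   # a key of RESOURCES
    service: str    # "*" matches every service the resource offers


# Constructed policy, written only in terms of roles, named resources and protocols.
# Whatever is not allowed here is denied; an explicit deny beats any allow.
POLICY = [
    Rule("allow", "engineering", "version-control", "*"),
    Rule("deny", "contractor", "version-control", "*"),
    Rule("allow", "*", "sharepoint-portal", "https"),
    Rule("allow", "it", "sharepoint-admin", "https"),
]


def decide(user, resource, service, directory=DIRECTORY, policy=POLICY):
    """Return "allow" or "deny" for one user/resource/service request."""
    if user not in directory:
        return "deny"                           # unknown principal: nothing applies
    roles = directory[user]
    services = RESOURCES.get(resource, {}).get("services", {})
    if service not in services:
        return "deny"                           # unknown resource or protocol
    decision = "deny"                           # default deny
    for rule in policy:
        if rule.resource != resource or rule.service not in ("*", service):
            continue
        if rule.role != "*" and rule.role not in roles:
            continue
        if rule.effect == "deny":
            return "deny"                       # explicit deny wins outright
        decision = "allow"
    return decision


def who_can(resource, service, directory=DIRECTORY, policy=POLICY):
    """Audit helper: every user the policy currently admits to resource/service."""
    return sorted(u for u in directory
                  if decide(u, resource, service, directory, policy) == "allow")


def filter_rules_for(user, directory=DIRECTORY, policy=POLICY):
    """Expand one user's role-based rights into the (address, port) pairs a packet
    filter would need; this derived table is what churns on every re-IP, the policy
    above does not."""
    allowed = set()
    for name, res in RESOURCES.items():
        for service, port in res["services"].items():
            if decide(user, name, service, directory, policy) == "allow":
                allowed.add((res["address"], port))
    return allowed


if __name__ == "__main__":
    print("sharepoint-admin/https:", who_can("sharepoint-admin", "https"))
    print("eve -> version-control/ssh:", decide("eve", "version-control", "ssh"))
    print("dave's filter rules:", sorted(filter_rules_for("dave")))
```

Reading the policy is enough to answer “who can reach the SharePoint console?”; the address-and-port view is generated from it rather than maintained by hand.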

Access Control and The Cloud

There is one big difference between hosting your datacenter yourself vs hosting your apps on the cloud; user communication leaves the devices and reaches the cloud using an insecure, public Internet. This small change, turns the entire trust equation on its head. Every assumption you have ever made about your servers and users in an on-prem setup is no longer true.

The opportunity

Good news, it’s not a problem, there is a solution and a rather elegant one. Having your trusted applications selectively walled from any “uncontrolled/semi-controlled” agents is a good thing. Using a single Cloud Access Gateway, you accomplish three things

  • Datacenter Perimeter
  • Selective Access to Authorized Users only
  • Encrypted communication to protect against Internet threats
  • Unified Access Control and Access Management

You get enterprise VPN-like security for all your users irrespective of where they are and what device they are using. Your apps and data are secure within a network perimeter and 100% invisible to unauthorized users (same as a datacenter behind a firewall). Role Based Access Control is simple and uniform, with no exceptions: all your users comply with a single policy and your IT defines it in just one place, our CAG admin console.

Manageable IT

Simple rules are easier to manage; there is no secret to it. But that should not mean loss of precise control. CipherGraph allows Role Based Access Control that is incredibly granular and can handle very precise as well as very broad rules.

Never slow down

With modern technology, speed is not a luxury any more, you even have high network speed and processing power on your mobile phones, why would you setup a security solution that becomes a bottleneck to your datacenter? CipherGraph has a patented high performance network engine for the speeds of tomorrow. Resilience, high availability and failovers are available to deployments of all sizes and not limited to the large enterprises.

Contact us at info@ciphergraph.com for more information and free consultation.

Hardware is Dead

Technically, hardware can never really ‘die’, because all software in existence runs on hardware of some kind or the other. So when we make an admittedly provocative statement about the death of hardware, what we’re really talking about is the dying emphasis on hardware as the determining factor in businesses of today.

The incredible fragmentation that we are witnessing today on the client computing side due to the explosion of mobile devices of all kinds is one half of the story. The transformation of server side computing to cloud computing is the other half of this compelling story.

The first revolution: BYOD. Or just ‘Use any device’

Larry Dignan of ZDNet talks about Gartner’s predictions on the BYOD front (read here)

“In a presentation by Gartner analysts Leslie Fiering and Stephen Kleynhans, the client computing world in 2018 is heavy on bring your own device and bring your own application. The average personal cloud will sync with at least six different devices.”

BYOD is widely acknowledged as a big challenge facing organizations today, and a large number of security vendors look to capitalize on the uncertainty created by the need to allow end-users to use their own devices in a hitherto tightly restricted environment. As we see it, the real implication of BYOD is that end-users will increasingly find their job functions becoming device-agnostic. The client device (usually a workstation or laptop) will no longer be important, and organisational security policy will have to evolve to embrace this new trend by insulating end-users from the risks of device compromise.

For instance, the NERC (North American Electricity Reliability Corporation www.nerc.com ) standards discuss ways to protect against end-user device compromise when implementing electronic secure perimeters (for instance, a perimeterized datacenter). These standards help protect systems which run the US national electricity grid! Businesses of today need to take a leaf out of their books and develop elegant procedures which allow end-users to use virtually any device without compromising security.

We here at CipherGraph deliver mobile device support out of the box, so that end-users can use any device they like.

The second revolution: Cloud

On the server side, the trend is even more disruptive and exciting. Dedicated servers and on-premise deployments are giving way to cloud deployments that are easy to maintain and scale on demand. Routers and network hardware are giving way to software defined networking that allows you to modify network policy and operation on the fly. The ‘Cloud State of Mind’ is all about doing away with the need for specialized hardware with rudimentary software embedded – which is hard to maintain, higher TCO involved, and does not adapt to your changing requirements.

We believe that the network of the future will be software focussed – and hence software-defined rather than hardware-defined. Traditional hardware vendors will have to adapt or find that their customer-base prefers to go with virtual appliances and cloud-based solutions that are simpler, more affordable, and perform better than any hardware equivalent! After all, a while ago, a representative of a traditional hardware vendor claimed to us that ‘This can’t be done in the cloud as the cloud lacks hardware acceleration’. The cloud is larger and more capable than any hardware, any device that any of us can deploy.

And that is what the ‘Cloud State of Mind’ brings to VPN hardware and clunky remote access solutions – the CipherGraph Cloud Access Gateway.

Learn More

Unleash the power of TWO revolutions in your business today! Contact us at info@ciphergraph.com

Security will hit unprecedented highs in Cloud Computing era and disrupt the ecosystem forever

Simon Crosby of Bromium writes today about the post-PC era on GigaOm

“But the biggest opportunity of the post-PC era is user empowerment. Courtesy of a dramatically more secure supply chain and device architecture we will be able to securely empower users to roam freely on untrusted networks, and to be productive at the same time – seamlessly switching between work and play, without a need to forgo the innovative power of the web. We can get back to IT’s real role: user productivity and enablement, while more easily meeting regulatory requirements, and worrying a lot less about security.”

That is an emphatic affirmation of something we said a couple of days ago in our previous blog (read here)

“We at CipherGraph firmly believe that the IT department in an organization is a pro-productivity department put in place to enable end-users to find it very easy to perform their job functions without being restricted by technological barriers or barriers that technology can help them transcend.”

Simon covers many aspects of the post-PC era in his insightful essay, but the overall thesis of his essay covers the tremendously fragmented and uncontrollable nature of technology in the modern world. He also writes about something we can really identify with – the tremendous challenge facing the enterprise of today in ensuring data security in an environment where accessibility and convenience are king.

“Too big” data

Serendipitously, Gartner has this to say today about what to expect by 2015: “The amount of data stored and used by enterprises and governments is growing exponentially, such that any attempt to protect it all is unrealistic. Instead of facing an unfathomable task of protecting all data, enterprises and governments will focus on protecting only a small part of it, but protecting it well”

This is an incredible threshold developing in the digital era, three decades after the first truly influential personal computers arrived. It is the threshold at which different trends converge to bring about global change – closed standards giving way to open ones, specialized hardware and the datacenter giving way to commodity computing and the cloud, routers and networking devices giving way to software defined networking (SDN), specialized client devices giving way to personal do-it-all devices (like Android/iOS devices). Work is no longer defined by the location at which it is performed or the time spent on it; it is the outcome which defines it.

Enter CipherGraph Cloud + Datacenter Security

We here at CipherGraph see the tremendous opportunity that these trends bring to the world of technology. And that is precisely what made us sit down and build something truly revolutionary rather than an improvement on your standard firewall or UTM device, better encrypted storage, or a nicer way to connect devices to each other. We decided to leverage the power of one of the most exciting and inexorable trends – the shift towards cloud. We believe cloud is more than merely an instrument – it is a design philosophy.

Just as the cloud is commoditizing computing, by allowing you to now buy computing resources in ‘units’ like you would buy groceries, we’re commoditizing remote access and cloud + datacenter security for your internal apps and data. While commoditization is all about allowing you to procure exactly the quantum of resources you need, the biggest challenge is in abstracting away the complexities for the people within your business who manage those resources – the IT department.

We have worked, and are working very hard on giving our solution the perfect blend of features and conveniences that reduce your IT burden in terms of maintenance, support, and operations. For instance, you don’t need to install our software on every single server you manage – one virtual appliance acts as a gateway to an entire network, and secures all applications and protocols. Our appliance bridges cloud and datacenter, may be used to protect multiple cloud deployments, integrates with your existing corporate directory…complexity and fragmentation are no longer the burdens they used to be. To top it all, IT gets even more control over the resources they manage, via Role Based Access Control & Audit. And on the security front – we provide perimeter security that’s far tighter than security configurations that protect individual applications; as well as two-factor authentication to protect end-users from the consequences of their passwords being compromised.

The outcome? The end-user finds it a breeze to work from anywhere on any device without compromising on security or waiting for IT to work around faulty hardware or open up ports on the corporate firewall. Result? Actual work getting done, faster!

Learn More

See how we walk the talk – contact us at info@ciphergraph.com today and take a strong step forward towards handling the requirements of the brave new IT world.

CXO Series III: Jumpbox – The Cloud Security Shortcut is a Ticking Timebomb

Note on CXO Series: The CXO series is our effort to bring awareness to decision makers in the geo-distributed organization of today. CipherGraph helps you navigate the frontier area of cloud-computing with a special emphasis on data security, contingency planning, and risk mitigation.

If you started your cloud deployment in-house, chances are that someone in your enterprise is using a jumpbox to access your intranet or IaaS cloud.

Jumpboxes are cheap, basic alternatives to VPNs: essentially intermediate VMs (typically Linux or some terminal server) that are exposed directly to the internet. The process is very manual, perhaps with a few scripts for some functions. Users log in to the jumpbox using SSH and then log in to other private services from there. The advantage is obvious: the jumpbox is the only host with a public IP address, and the rest of your deployment hides behind it, out of direct reach of internet threats.

The Ticking Timebomb

There is a little problem, though, with this picture of simplicity and ingenuity. The problem was completely invisible when just a handful of people used the jumpbox. If your IT is very diligent, each user has only one key, manually copied to a few of their devices; it’s basically a simple text file. Can Bob, your IT guy, answer a few simple questions? If 25, 50, 100 or more users were on the jumpbox, how many devices did Bob give access to? Can he know? Did he trust everyone with his entire network? Is the key safely stored on all of those devices? When Alice left, did Bob remove her key from her devices and from the jumpbox? Did she ever share it with someone without telling Bob? Did she put the key on a device she forgot about? Worst of all, did Bob ever give the same key to more than one person?

The questions do not end at user-facing issues. Does that jumpbox have a backup? If not, your users will be cut off in case of failure; if it does, can a deleted key come back to haunt you when the backup is restored? Managing keys is hard and highly error prone, and worst of all, key distribution and storage are completely opaque to any monitoring or alarm system.
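Most of Bob’s questions above can be answered mechanically from the jumpbox’s own `~/.ssh/authorized_keys` files, which is a useful check before deciding whether the jumpbox is still manageable. The following audit script is an added example, not CipherGraph’s code: it fingerprints every key (the same `SHA256:` form `ssh-keygen -lf` prints), flags keys shared by more than one account, keys listed twice, keys with no comment tying them to a person or device, keys without a `from=` source restriction, deprecated DSA keys, and keys that exist in a backup snapshot but have been removed from the live host (the ones a restore would silently resurrect). All usernames, key material and the backup snapshot are constructed for the demo; the ed25519 blobs are wire-format-valid but not real keys.

```python
"""Audit a jumpbox's authorized_keys files for common key-management failures.

Added example, not CipherGraph's code. Users, keys and the backup below are
constructed for the demo; the "keys" are syntactically valid but not real.
"""
import base64
import hashlib
import struct
from collections import defaultdict

KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}
WEAK_TYPES = {"ssh-dss"}  # DSA is disabled by default in OpenSSH >= 7.0


def _ssh_string(b: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 length prefix + data)."""
    return struct.pack(">I", len(b)) + b


def fake_ed25519_key(seed: int) -> str:
    """Build a wire-format-valid 'ssh-ed25519 <base64>' key for the demo.
    The 32-byte public key is derived from the seed and is NOT a real key."""
    pub = hashlib.sha256(b"demo-%d" % seed).digest()
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(pub)
    return "ssh-ed25519 " + base64.b64encode(blob).decode()


def parse_line(line: str):
    """Return (options, keytype, blob_b64, comment), or None for blank/comment lines.
    Everything before the key-type token is treated as the options prefix."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    tokens = line.split()
    for i, tok in enumerate(tokens):
        if tok in KEY_TYPES and i + 1 < len(tokens):
            return (" ".join(tokens[:i]), tok, tokens[i + 1], " ".join(tokens[i + 2:]))
    return None


def fingerprint(blob_b64: str) -> str:
    """OpenSSH-style fingerprint: SHA256 of the decoded blob, base64 without padding."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def audit(live: dict, backup: dict) -> list:
    """live and backup map username -> authorized_keys text. Returns findings."""
    findings = []
    owners = defaultdict(set)  # fingerprint -> live accounts that hold it
    live_fps = set()
    for user, text in live.items():
        seen_here = set()
        for line in text.splitlines():
            parsed = parse_line(line)
            if parsed is None:
                continue
            options, ktype, blob, comment = parsed
            fp = fingerprint(blob)
            live_fps.add(fp)
            owners[fp].add(user)
            if fp in seen_here:
                findings.append(f"{user}: key {fp} listed twice")
                continue
            seen_here.add(fp)
            if not comment:
                findings.append(f"{user}: key {fp} has no comment; cannot be tied to a person or device")
            if "from=" not in options:
                findings.append(f"{user}: key {fp} has no from= restriction; usable from any source IP")
            if ktype in WEAK_TYPES:
                findings.append(f"{user}: key {fp} uses deprecated type {ktype}")
    for fp, users in owners.items():
        if len(users) > 1:
            findings.append(f"key {fp} is shared by {sorted(users)}")
    # Keys in the backup but no longer live were revoked; a restore would bring them back.
    for user, text in backup.items():
        for line in text.splitlines():
            parsed = parse_line(line)
            if parsed and fingerprint(parsed[2]) not in live_fps:
                findings.append(f"backup for {user} contains revoked key {fingerprint(parsed[2])}")
    return findings


# Constructed sample data: a jumpbox with two accounts and an older backup.
ALICE, BOB, SHARED, OLD = (fake_ed25519_key(n) for n in range(4))
LIVE = {
    "alice": f'from="10.0.0.0/8" {ALICE} alice@laptop\n{SHARED} contractor\n',
    "bob": f"{BOB} bob@desktop\n{BOB} bob@desktop\n{SHARED}\n",
}
BACKUP = {"alice": f"{ALICE} alice@laptop\n{OLD} alice@old-phone\n"}

if __name__ == "__main__":
    for finding in audit(LIVE, BACKUP):
        print(finding)
```

On a real jumpbox you would build the `live` dictionary by reading each account’s `authorized_keys` (plus any `AuthorizedKeysFile` paths set in `sshd_config`) and the `backup` dictionary from the most recent snapshot. A key shared by two accounts, or one with no comment and no `from=` restriction, is exactly the case where nobody can say which person or device it belongs to.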

Insider Threat

Ad-hoc security solutions like jumpboxes lack the manageability and enforcement your organization needs to ensure that Alice’s access to your intranet or cloud is completely cut off after she leaves. Deleting a key is itself error prone (it has to be found and removed from every account and every backup), and managing and controlling the distribution of keys is often impossible.

Jumpbox is not really free!

On paper, setting up a jumpbox is free or almost free, but maintaining it requires diligence and careful ongoing work, both of which take time and resources. Spend that time on your business, and deploy a solution that is cost effective rather than “free with hidden costs”.

Build your IT to scale from the start

In the age of cloud computing, it is practical to have a full-scale solution, simplicity and quick deployment in one product. Gone are the days of using labor-intensive SoHo or hacked-together solutions until you could afford a paid one. Scalable security for your cloud is now available for the deployment size of your choice, and you pay only for what you choose.

CipherGraph CAG and CAG-vx: the elastic, scalable security you need

Forget dealing with complex key management. Deploy CipherGraph CAG for your AWS or other IaaS cloud, or CAG-vx for your datacenter or private cloud. Deploy a secure perimeter for your cloud with your intranet completely invisible to internet threats. Manage users based on their identities, centrally control their access rights across your network, and keep unauthorized users out completely.

Deploying CipherGraph security takes minutes and can be rolled out for just a few users or thousands without need for key distribution and any user specific management. Centrally control exactly which user or group has access to which parts of your intranet or services. Enjoy the benefits of flexible pricing and pay only for the capacity you need.

Read Jude Chow’s insightful article on SSH Key management to learn more about the dangers.

For free consultation on your IaaS cloud and Datacenter needs, email info@ciphergraph.com

The Big Fight: IT vs end-user

The always insightful Ron Miller said this about mobile device security at CiteWorld -

So how do companies secure that content and ensure that outsiders can’t gain entry to the work-related content on your phone? That would mean securing the apps themselves and you can see that would involve a comprehensive strategy that moves beyond the device.

Read full article here 

As Ron points out, chaining mobile devices with an intrusive security solution may seem simple to IT, but end-users do not take kindly to such a rigid approach, especially when it is their own personal device being subjected to restrictions. His article explores solutions which solve this problem in a more elegant manner, allowing IT to avoid antagonizing end-users.

Our earlier article on Shadow IT and the risk of data loss (read here) talks about the fundamental gap between the end-user and the IT department, and the risks that gap creates for your organization. End-users are eternally focused on ease of use, convenience and getting the job done, while IT is mandated to ensure that the organization doesn’t lose out in any way through the power given to an end-user.

We at CipherGraph firmly believe that the IT department in an organization is a pro-productivity department put in place to enable end-users to find it very easy to perform their job functions without being restricted by technological barriers or barriers that technology can help them transcend. At the same time, we appreciate the herculean uphill struggle that IT faces trying to manage a plethora of devices, operating systems, networks, hardware, servers, cloud resources, applications…it is a never-ending array of technology that they have to be able to administer. Not only do they have a mandate to enable end-users, they are also mandated to enforce corporate policy. If a data breach occurs, they are the ones to face the brunt of the crisis and the aftermath. Naturally this makes them conservative and inclined to take choices which do not put them at risk (the ‘Nobody gets fired for buying ABC’ syndrome).

What can IT do?

Enlightened IT departments can change this backward-looking approach and adopt a new proactive approach which allows them to build a new way to administer the technological resources of the organization without compromising on end-user happiness. Our simple recipe involves -

  1. Work with vendors who give you simple, non-intrusive, minimal-disruption solutions (e.g. perimeter security rather than controlling every application/endpoint)
  2. Treat yourselves as end-users and live the end-user experience, to understand which restrictions are acceptable and which just chain end-users
  3. Bring unregulated deployments, devices, and technologies into the fold by making them legal to use, with simple policy controls to be enforced
  4. Ensure that your corporate IT policy, particularly security policy is unified across datacenter and cloud

Where does the buck stop?

This cannot happen without management support, so the call is for CXOs and executives of the organization to enter a new constructive dialogue with their IT to get them to feel comfortable embracing this new paradigm. As the elegance and sophistication of security solutions grows, we believe that every single one of those 4 points can be implemented without compromising on the security of your organization or its exposure to data theft.

How can CipherGraph help?

We believe our solution helps you with points 1, 3, and 4 above – the right solution, allows legalization of unregulated shadow IT, and enables a unified corporate security policy across datacenter and cloud, with a special focus on remote access / branch office access.

Engage with us to learn more about how we can help your organization embrace an approach that empowers end users without making life harder for your IT – email us at info@ciphergraph.com today!
