“Although the security benefits of AWS are unquestionable, a major challenge for AWS customers is the growing volume of new users with shared or changing IP addresses,” says Leo Taddeo, Chief Security Officer, Cryptzone. This challenge becomes more complex to deal with as more and more organizations adopt BYOD, transfer data and applications to the cloud and hybrid environments, and deal with employees who often use remote networks.
Enterprises using native AWS controls to secure users in these circumstances are left with two suboptimal choices. Either leave the IP address range for users wide open, or tightly control user access by limiting the range of IP addresses. The first option reduces security and raises risk while the second option significantly obstructs business agility. Going beyond traditional perimeter-based security, Cryptzone offers identity-centric security solutions to AWS users that protect applications and content while delivering enhanced user access control. The company’s flagship product, AppGate, enables organizations that embrace AWS to simplify compliance and operations and adopt a Software- Defined Perimeter model for granular security control. “AppGate provides a secure, encrypted, point-to-point tunnel to protect network resources and dynamically provision access from any device and location,” says Taddeo.
Issuing Fine-Grained Access
Built for enterprise scalability, AppGate is an integrated and distributed security gateway architecture that verifies user context, identity, and device attributes before granting access to an application. “A fundamental flaw in the Transmission Control/ Internet Protocol (TCP/IP) is that credentials are checked only after establishing a connection. By leveraging a Software-Defined Perimeter, we ensure that all users and devices are authenticated prior to network access,” remarks Taddeo. Once a user device is securely onboarded to a software-defined perimeter, the user device in turn transparently connects to the Controller, a central authentication and token-issuing service. The Controller issues a set of three cryptographically secured tokens to the client.
By leveraging a Software-Defined Perimeter model, we ensure that all endpoints are always authenticated prior to network access, whether they connect from an internal or an external network
The claims token stores user and device attributes, and an entitlement token keeps track of the resources a user is allowed to access behind a certain Gateway. Lastly, the clients token is used to establish a connection between a client and the Gateway. “Gateways are distributed dynamic firewalls that consume tokens and enforce access policies,” states Taddeo. After granting access, the LogServer saves permanent and auditable records of user and device access. “If one of the Gateways fall out of service, instead of re-authenticating to the Controller, the client can simply find another Gateway (one that protects the same set of resources) by transferring the entitlements and claims tokens, and reinitiate the connection. It’s a powerful way to ensure availability,” he notes.
Purpose-built for AWS, AppGate does not pre-save any network access rules, but creates a secure ‘network segment’ of one in real-time for each new session. Whether on-premises, in private or public cloud, AppGate makes a server infrastructure invisible until a user is authorized. In addition, if there is a change in user context, for example, a shift from a corporate to public network, then enhanced security requirements like multi-factor authentication are enforced. “Using AWS APIs, AppGate also detects changes inside the customer’s AWS infrastructure to dynamically adapt the network access rules, while a pre-correlated audit log helps surface who accessed what and under what circumstance,” adds Taddeo.
In one customer case, a U.S. based regulatory body took a strategic decision to move all their IT assets to AWS. The client was dealing with large volumes of data, compliance needs, and computing requirements. They were mandated to protect U.S. investors by keeping a keen watch over trading activity, which included thousands of security firms and brokers. Being a regulatory body, they also had significant compliance requirements. Since the regulatory agency had a large developer community and a mature DevOps process, they needed a way to transition securely and one of their main challenges was to manage access control for their developers and administrators across both on-premises and cloud environments. With AppGate, the client could segment their users in an AWS environment by configuring privileged user access and benefit from simplified compliance audit and reporting. “What previously took them weeks to prepare for an audit now takes hours.
Since traditional security tools like firewalls and NAC were originally designed for static environments and have been repurposed to suit the cloud, an added advantage with AppGate is that it is architected keeping the cloud and the IaaS servers in mind. “To top it all, we are fully supportive of multiple Identity and Access Management (IAM) tools and can scale linearly to an unlimited size in accordance to AWS deployments,” points out Taddeo.
The company puts immense effort into thought leadership and together with the Cloud Security Alliance (CSA), a non-profit organization that promotes security assurance within cloud computing, Cryptzone constantly enhances its software-defined perimeter initiative. Moreover, Cryptzone constantly keeps in touch with their customers for feedback to fill the gaps in security and operational needs. “We also keenly study the pervasive threat landscape to understand attack patterns and vectors in an effort to stay ahead of threat sequences with advanced products,” mentions Taddeo.
"We are fully supportive of multiple Identity and Access Management (IAM) tools, third party users, and can scale linearly to an unlimited size"
Next Generation Security Approach
To further cement their leadership in secure infrastructure services, Cryptzone will soon be acquired by two prominent private equity firms, BC Partners and Medina Capital as part of a new joint venture to create a global secure infrastructure company. This venture will combine a portfolio of 57 global data centers along with Medina Capital’s security, compliance, and data analytics portfolio. “We are thrilled that market experts have decided to invest in our Software-Defined Perimeter (SDP) approach, which will help us accelerate and implement next generation cyber security and data analytics tools,” reveals Taddeo. The company also recently released the latest version of AppGate which comprises new enterprise-class functionality, such as extensible integration into an organization’s security ecosystem, high availability, and load balancing. Over the years, the SDP model has gained significant momentum and according to reports from Gartner, by the end of 2017, 10 percent of organizations will leverage SDP and by 2021, 60 percent of enterprises will replace VPNs with SDP technology. “Our vision is to emerge as a world-class cyber security solutions provider with a strong focus on SDP. We will relentlessly march toward this goal ensuring that AppGate is the go-to solution for AWS customers with robust DevOps and compliance driven needs,” ends Taddeo.