CREATING CLOUD-NATIVE SECURITY SOLUTIONS · OpenStack/KVM, Amazon Web Services and Microsoft Azure....

CREATING CLOUD-NATIVESECURITY SOLUTIONS

For Today’s Modern Enterprise Infrastructure

UNCOMPROMISED

SECURITY UNLIMIT

ED

SCALE

UNPARALL

ELED

ECONOMICS

UNCONVENTIONAL

SOLUTION

SH

IEL

DX

| BR

OC

HU

RE

| AIO

N™

SHIELDX CONFIDENTIAL

YOUR AGILE BUSINESSToday’s cloud-enabled business needs to rapidly turn-up secure and compliant services with workloads, user sessions, data and application tra�c sprinting across multiple providers, environ-ments and locations.

As a result, your infrastruc-ture, security and DevOps teams are on an accelerated path to embrace Cloud technologies and principles. And they need to actively collaborate to manage the complex mix of legacy technologies and applications that intersect within today’s highly-virtualized, orchestrat-ed data centers and diverse private and public services that create the multi-cloud.

YOUR REQUIREMENTSTo create a robust security posture and maintain compli-ance, you must e�ectively segment and secure. It is no longer su�cient to just secure the perimeter. Today’s threats demand security policy enforcement inside the cloud, so that post-breach, lateral movement that is the hallmark of APTs, can be detected and stopped.

This requires not only the visibility, security policies and advanced controls that you expect of an enterprise-class security system, but a solution that works uniformly within diverse environments, on-demand and at scale, without compromising your business or its budget.

YOUR CHALLENGEUnfortunately, while your existing security investments may stand guard at the network perimeter, server and endpoint, chances are when it comes to tra�c moving laterally within your mixed infrastructure, it’s your security leaving your business exposed and chaining it to painful and unacceptable trade-o�s between perfor-mance, cost and risk.

Why? Appliance, perimeter-based security solutions aren’t working well in the transition between the traditional data center and new cloud services. Boxes don’t float on clouds, and virtual appli-ances are ine�cient. New solutions relying on cloud-delivered services, or that require touch-ing every workload typically o�er only segmentation, stopping well short of a full set of security controls. And all seem to lack the full automation and orchestration capabilities, across all environments, needed to scale performance, your team and its financial resources. Your options are limited and your agile business and its IT services may be at risk.

95%

95% of IT professionals surveyed use cloud

services1

60%

60% plan to move to multi-cloud2

74%

74% of organizations abandon traditional security controls because

they’re not e�ective for cloud3

(1) Source: RightScale 2016 State of the Cloud Report

(2) Source: http://www.cloudcomputing-news.net/news/2016/sep/27/multi-cloud-increasingly-popular-among-enterprises-not-without-its-faults/

(3) Source: ESG Research Publication, ESG Infographic: Cloud Security Requires New Processes and Controls, November 2016

2 | S

HIE

LD

X | B

RO

CH

UR

E | A

ION

™


INTRODUCING AION™THE FIRST MICROSERVICES PLATFORM FOR NATIVE, MULTI-CLOUD SECURITY

Aion o�ers microsegmentation and full-flow, deep packet inspection, visibility, policy and controls able to cost-e�ectively and automatically insert, orchestrate and elastically scale to protect your data across the multi-cloud.

Aion is a complete rebuild of traditional, network-based security. Aion’s platform is true Software-Defined Security, built on a container-ized, microservices-based architecture. We’ve deconstructed the components of the monolithic, appliance-based solutions of yesteryear into their component microservices, and packaged them natively within individual containers. With Aion, IT teams can finally end the unaccept-able trade-o�s between performance, cost and risk.

3 | S

HIE

LD

X | B

RO

CH

UR

E | A

ION

™SHIELDX NETWORKS:INNOVATIVE BUSINESS, EXPERT ORGANIZATIONHeadquartered in Silicon Valley, ShieldX is series-A founded and funded by a consortium of veteran investors and colleagues from well-known venture firms and security companies.

Alongside our customers and partners, we’ve witnessed a major technology industry shift that has moved business IT into the age of virtualiza-tion, cloud, orchestration, containers and micros-ervices, while available security technologies, solutions, skill sets and investments remain at least a generation behind.

At our core, we share a common vision with our customers that delivering truly native, enter-prise-class security for today’s modern infrastruc-ture requires a full reboot. And we’ve done it. We’ve succeeded in our mission to build a platform that ends the unacceptable trade-o�s and redefines security by combining expert execution with innovation that, like our customers, embraces agility and cloud principles.


Stop Compromising, Start SecuringTo learn more about how you can natively segment and secure your multi-cloud infrastructure at unlimited scale with unparalleled cost savings, contact us at [email protected] or visit our website at www.shieldx.com.

Our Customers, Our PartnersCreating enterprise-class security for multi-cloud environments requires extensive partnerships across leading technology providers, open source communities, infrastructure and security vendors and of course, real-world customers. From our very inception, we’ve partnered with our custom-ers and their IT teams to help us test and focus our development along every step of our Agile methodology-way.

Our LeadershipOur organization is led by CEO, Silicon Valley serial entrepreneur, Dr. Ratinder Paul Singh Ahuja, former founder of Reconnex, WebStacks and Internet Junction, and CTO of Intel Security. Together with his co-founders, management team, and board of leading investors and security executives, he’s built the quintessential team to create a solution that works natively within today’s modern infrastructure, and represents a quantum leap in security capabili-ties for the enterprise.

© 2017 ShieldX Networks, Inc. All rights reserved. All ShieldX names and marks associated with ShieldX products are trademarks or service marks of ShieldX Networks, Inc. and are registered or common law marks in the United States and other countries. All other trademarks are property of their respective owners. No portion hereof may be reproduced or transmitted in any form or by any means, for any purpose other than the recipient’s personal use, without the express written permission of ShieldX Networks, Inc.

ShieldX Networks, Inc.2025 Gateway Place, Suite 400San Jose, CA 95110 USA

+1 408.758.9400 [email protected]

CREATING CLOUD-NATIVESECURITY SOLUTIONS

For Today’s Modern Enterprise Infrastructure


UNCOMPROMISED

SECURITY UNLIMIT

ED

SCALE

UNPARALL

ELED

ECONOMICS

UNCONVENTIONAL

SOLUTION

SH

IEL

DX

| DA

tA

SH

EE

t | A

IONAion™

The firsT conTainerized, microservices plaTform for naTive, mulTi-cloud securiTy

ShieldX Confidential

Automate orchestrated microsegmentation with full-flow traffic inspection and policy enforcement while elastically scaling to multi-terabit speeds at a fraction of the cost.

SeCure Your BuSineSS within the Multi-CloudTo contain risk and maintain compliance in today’s complex, mixed legacy

and multi-cloud environments, IT organizations like yours must collaborate

across Infrastructure, Security and DevOps teams to ensure rapid and

secure IT service turn-up.

You also need a flexible solution that can effectively segment and

secure, especially for new attack surfaces that have become targets

for advanced attacks and APTs, propagated via lateral movement. This

requires extending beyond basic role-based management, perimeter

security and access control. It requires a solution that offers deep packet

inspection and the visibility, policy management and enforcement you

expect of an enterprise-class security system. And one that aligns with

your infrastructure, working natively and uniformly at scale and across

environments, without forcing you to compromise your business with

unacceptable trade-offs between performance, cost and risk.

introduCing aionWith aion, you can finally segment and secure in depth and at scale, na-tively and automatically across your diverse, multi-cloud infrastructure, and with significantly lower Total cost of ownership (Tco.)

• Automate security insertion, orchestration and inspection elastically to multi-terabit

scale across both physical and virtualized environments such as VMware vSphere,

OpenStack/KVM, Amazon Web Services and Microsoft Azure.

• Manage and implement uniform security policy on demand and at scale based on en-

hanced microsegmentation, TLS decryption, full-flow threat prevention, malware detec-

tion and data loss prevention.

• Deploy over your existing, commodity infrastructure within 15 minutes and within your

preferred OpEx or CapEx-based financial model. Improve operations using Aion’s

inherent multi-tenancy, high availability, and API-first strategy that supports integration

with DevOps-oriented processes.

2 | S

HIE

LD

X | D

At

AS

HE

Et

| AIO

N


3 | S

HIE

LD

X | D

At

AS

HE

Et

| AIO

N

Aion

Azure

OrchestrationAPI

OrchestrationAPI

OrchestrationAPI

OpenStack

VMware ESXi

OrchestrationAPI

AWS

SegmentInterfaces

SegmentInterfaces

SegmentInterfaces

SegmentInterfaces

Data Plane

Management Plane

Data Plane Management Plane

Azure

Orchestration API

OpenStack

VMware ESXi

AWS

Segment Interfaces

Orchestration APISegment Interfaces



new Model, unConventional Solutionaion is a complete rebuild of traditional, network-based security.

featureS + SpeCifiCationS

uncompromised SecurityAion’s unique architecture allows you to create and implement uniform security policy, enforcement and microsegmentation via security controls and functions that are application, user, and traffic flow-aware. Its dynamic insertion combined with deep packet inspection and real-time analytics offers exceptional visibility and detection of Indicators of Pivot (IoP), helping analysts reduce false positives and identify attacks earlier in the kill chain.

taBle 1: aion Security Controls

*Available in subsequent releases.

MicrosegMentation Application-aware access control that identifies over 5000 applications

threat detection and prevention Employs behavioral, reputation, anomaly and signature-based techniques with over 10,000 rules

Malware detection Integration with FireEye™ AX-series appliances

tls decryption and terMination Allows full network-based decryption and termination where it’s needed, and at the scale and cost you determine

Url classification and filtering Validate safety of external connections and locations and enhance granularity of security policy, detection and enforcement

network-based dlp* Enhances deep-packet-inspection of data at rest and in-motion to identify data locations and flows for security policy and microsegmentation that is risk-profile aware

Aion’s platform is true Software-Defined

Security, built on a containerized,

microservices-based architecture.

We’ve deconstructed the monolithic,

appliance-based solutions of yesteryear

into their component microservices, or

xServices, and packaged them natively

within individual containers.

These containers auto-detect each

environment to replicate, distribute

and communicate between each

other and form a single logical unit,

or Virtual Chassis. The Virtual Chassis

dynamically inserts, orchestrates and

elastically scales out across and over

your commodity infrastructure and

public cloud services according to your

security intent, the constraints you

provide, and the policies you configure.


4 | S

HIE

LD

X | D

At

AS

HE

Et

| AIO

N

unlimited Scale While Aion’s use of containers allows for automatic insertion into multiple environments, its microser-vices-based architecture allows for dynamic, elastic and essentially unlimited scale of any component within its management and data planes in response to changes in your traffic flows, and according to the resources you allocate. Aion consumes only the resources it needs, when it needs them, remov-ing security as your infrastructure and service performance bottleneck, and over-provisioned cost.

taBle 2: aion Supported environments and requirements

Release 1: VMware ESXi/vSphere, OpenStack/KVM and AWS environments

VMware vSphere / ESXi 5.5 and later, OpenStack / KVM Mitaka and later

hardware coMpatibility

• Intel® Xeon™, Sandy Bridge or later for on-premises, hosted or colocation environments

base configUration reqUireMents (per xservice) per shieldx virtUal chassis

• Management plane: Total minimum xServices – 16 vCores, 32GB RAM, 500 GB storage per 40Gbps traffic inspection• Segment interface: 2 vCores, 2GB RAM, 2GB storage per 10Gbps traffic inspection• Flow and inspection: 4 vCores, 6GB RAM, 12 GB storage per 2Gbps traffic inspection • SSL/TLS decryption: 2 vCores, 3 GB RAM, 6GB storage per 0.5Gbps encrypted traffic inspection

10gbps 50gbps 100gbps 500gbps 1tbps 5tbps 10tbps

38 vCores64 GB RAM562 GB storage

142 vCores224 GB RAM1.3 TB storage



2600 vCores4 TB RAM18.7 TB storage

13,000 vCores20 TB RAM93.5 TB storage

26,000 vCores40 TB RAM187 TB storage

Estimated distributed resource requirements per Virtual Chassis for on-premises environment without decryption*

10gbps 50gbps 100gbps 500gbps 1tbps 5tbps 10tbps

1 x c3.4xlarge20 x c3.xlarge



13 x c3.4xlarge1,000 x c3.xlarge




Amazon Web Services

base configUration xservices reqUireMents per shieldx virtUal chassis

• Management plane: 1 x c3.4xlarge per 40Gbps traffic inspection• Segment interface flow and inspection: 2 x c3.4xlarge per 1Gbps inspected traffic• SSL/TLS decryption: 1 x c3.xlarge per 0.5Gbps encrypted traffic inspection

*Based on protocol and packet mix typical to data center application. For estimation purposes only, subject to change.

Estimated distributed resource requirements per Virtual Chassis, if deployed in AWS only without decryption*


unparalleled economicsAs 100% cloud-native software, Aion is based on cloud principles, technologies and economics. Aion can drive a revolution in the way infrastructure and security organizations purchase and operational-ize security within their organizations, at up to 50% less than comparable solutions.

purChaSe + SupportAion is available precommercially in controlled releases through customer proof-of-concept deploy-ments and our beta program. When Aion becomes generally available, customers will be able to purchase it from ShieldX’s authorized Partners.

ShieldX understands our global customers will use our product to secure their business-critical infra-structures. We offer 24x7 support online and by phone. Support contracts for perpetual licenses are purchased as annual subscriptions.

For more information including to request a briefing, please visit our website at www.shieldx.com or contact us at [email protected], +1 408-758-9400.

5 | S

HIE

LD

X | D

At

AS

HE

Et

| AIO

N

© 2017 ShieldX networks, inc. all rights reserved. all ShieldX names and marks associated with ShieldX products are trademarks or service marks of ShieldX networks, inc. and are registered or common law marks in the united States and other countries. all other trademarks are property of their respective owners. no portion hereof may be reproduced or transmitted in any form or by any means, for any purpose other than the recipient’s personal use, without the express written permission of ShieldX networks, inc.

ShieldX networks, inc.2025 gateway place, Suite 400San Jose, Ca 95110 uSa

+1 408.758.9400 [email protected]

ClOud-PrinCiPlEd

• Flexible, transparent purchase models for CapEx or OpEx budgets

• Easy, inspection-based, all-inclusive licensing

• Elastic, multi-tenant scale at 2-4 commodity cores per microservice

OPS-ACCElErAting

• Segment and secure Terabits of traffic in less than 15 minutes

• Improve productivity with real-time analytics and automation

• Visualize, import/export, report, integrate or control with REST-APIs

SlA-rEAdy

• Maintain business performance, security, and compliance

• Highly available with non-disruptive install, upgrade and removal

• Role-based access separates duties with logging for audit trails


T R A I N N U s e C a s e s

ShieldX Networks Inc.

w w w . s h i e l d x . c o m

Agenda

o TRAI Pre-Consultation issueso TRAI NN Consultation issueso ShieldX Solution

©2017 ShieldX Networks. Inc. * * * C O N F I D E N T I A L * * *2

TRAI Pre-Consultation• Relevant topics from the pre-consultation

- Precautions required to preserve national security- Precautions required to maintain customer privacy- Precautions required to maintain customer privacy- Network security and integrity: Protect their networks from

viruses, spam, denial of service attacks, hacking attacks against network/terminal equipment, malicious software etc.


Issues for consultation• 14 areas for discussion• Ensuring non-discrimination • Creating exceptions for certain emergency traffic

- Emergency situations and services;- Emergency situations and services;- Restrictions on unlawful content;- Maintaining security and integrity of the network;- Services that may be notified in public interest by the Government/ Authority, based on certain criteria; or- Any other services.©2016 ShieldX Networks. Inc. * * * C O N F I D E N T I A L * * *4

How Can ShieldX Aion Help• Containerized, Microservices Platform for Network-Based + Native Multi-Cloud Monitoring & Security• Economical elastic DPI for inspection, security and • Economical elastic DPI for inspection, security and policy• Scales to Terra BPS of inspection• No custom HW. Runs on standard Intel CPUs & Hypervisors


How Can ShieldX help• Pervasively & Economically deploy ShieldX Virtual

Chassis across ISP infrastructure• Passively monitor, classify and measure traffic• Passively monitor, classify and measure traffic

- Flag any discrimination• Actively enforce policy for exceptions (Q6 in issues)


Mult i -Cloud + Secur i ty Chal lengeAgile Core Business & Data Center Services

Rapid TTS at scale across mixed environmentsNew attack surfaces and GRC concerns

Cloud principles and economics

7 ©2017 ShieldX Networks. Inc. * * * C O N F I D E N T I A L * * *

Security Alignment RequiredSoftware-Defined, native to architectures

Ubiquitous, comprehensive and risk-profile awareFlexible and transparent ops and economics

Trading Secur i ty , Performance & Cost

Checkpoint

Cisco

FortinetPalo Alto


CiscoJuniper

vArmourIllumio

CloudPassage

U n c o n v e n t i o n a l S o l u t i o nT h e F i r s t C o n t a i n e r i z e d , M i c r o s e r v i c e s P l a t f o r m f o r N e t w o r k - B a s e d + N a t i v e M u l t i - C l o u d S e c u r i t y

S h i e l d X A i o n ™

9

U n l i m i t e d S c a l e

Native, On-demand Cloud Scale – Elastic, automated + orchestrated to multi-terabits

and beyond

U n c o m p r o m i s e d S e c u r i t y

Comprehensive – full-flow policy, microsegmentation and IoP via scalable

DPI and real-time analytics

U n p a r a l l e l e d E c o n o m i c s

New paradigm – consumption-based, DevOps and provider-ready at a fraction of the TCO

and price

©2017 ShieldX Networks. Inc. * * * C O N F I D E N T I A L * * *

Bui l t for F lexib i l i ty + Unl imi ted ScaleTraditional Monolithic Appliances ShieldXMicroservices Architecture


Costly to scaleDifficult to insert Elasticcontainerized + distributed

Automated Orchestrat ion + Insert ionDevOpsPush to API

Cloud Orch.Pull via Rules

REST API-First Strategy


Insertion+ PolicyDiscovery+ Monitoring

Security Policy+ Controls Microsegmentation Real-time analytics Centralized management Uniform, risk-aware policy

Uncompromised Secur i ty

IDS/IPS Threat detection + preventionFull packet capture and logging

TLS traffic decryption and termination


NGFW

Classification, reputation, filtering and inbound/reverse proxy

Network-based malware detection and detonation with FireEye

Anomaly detection via payload inspectionVirtualTAP traffic collection + aggregation

DLP monitoring and enforcement at rest and in motion*

Secur i ty Orchest rat ion Pol icyWW

DDDD

• Automated discovery, profiling & grouping of workloads• By name• By tag• By network• By IP

• Automated SI insertion

Webservers

WebserverPolicy

DB ServerPolicy

13 * * * C O N F I D E N T I A L * * *

WW WWWWDD

DD

WW

• Automated SI insertion• Automated policy recommendation & updates

• ACL• Threat• Malware• DLP

• Dynamic group maintenance across multi-cloud

DB Servers

DD

Unparal le led Secur i ty EconomicsA revolution in purchasing and operationalizing security – at up to 50% less than comparable solutions.


C l o u d - P r i n c i p l e d O p s - A c c e l e r a t i n g S L A - R e a d y Flexible, CapEx or OpEx models Easy, inspection-based, all-inclusive Elastic, multi-tenant scale with public cloud “lights off”

Segment and secure <15 minutes Productivity+ with real-time analytics and automation Visualize, integrate or control with REST-APIs

Maintain performance, security, and compliance HA with non-disruptive install, upgrade, patch and removal Role-based management + logging

Secur i ty in Minutes

ESXi

VSwitch

VSwitchESXi

VSwitchKVM

VCVMVM

VMVM

OS

VMVM

VM

NSX OpenStack

Updates + Feeds

ShieldXVirtualChassis


NSX OpenStack

11 Download .ova file

22 Connect, configure and discover

33 Start monitoring and managing

U s e C a s e sShieldX Aion™

Lateral protection of Enterprise and Provider core

business and datacenterservices

“Clean pipe” services telcos and ISPs use to

differentiate with security at scale and lower cost

Multitenant, consumption-based, security services MSPs

can deliver without CPE or onsite management


Next Steps• Demo• Proof-of-Concept• Sizing• Sizing

o Licensing starting at 10Gbps in 2Gbps incrementso Annual support subscription

• Partner engagement


T h a n k Y o u

w w w . s h i e l d x . c o m

CREATING CLOUD-NATIVE SECURITY SOLUTIONS · OpenStack/KVM, Amazon Web Services and Microsoft Azure....

Documents

Transcript of CREATING CLOUD-NATIVE SECURITY SOLUTIONS · OpenStack/KVM, Amazon Web Services and Microsoft Azure....