CREATING CLOUD-NATIVE SECURITY SOLUTIONS · OpenStack/KVM, Amazon Web Services and Microsoft Azure....
CREATING CLOUD-NATIVE SECURITY SOLUTIONS
For Today's Modern Enterprise Infrastructure

Uncompromised Security | Unlimited Scale | Unparalleled Economics | Unconventional Solution

ShieldX | Brochure | Aion™
SHIELDX CONFIDENTIAL
YOUR AGILE BUSINESS
Today's cloud-enabled business needs to rapidly turn up secure and compliant services, with workloads, user sessions, data and application traffic sprinting across multiple providers, environments and locations.
As a result, your infrastructure, security and DevOps teams are on an accelerated path to embrace cloud technologies and principles. And they need to actively collaborate to manage the complex mix of legacy technologies and applications that intersect within today's highly virtualized, orchestrated data centers and the diverse private and public services that make up the multi-cloud.

YOUR REQUIREMENTS
To create a robust security posture and maintain compliance, you must effectively segment and secure. It is no longer sufficient to just secure the perimeter. Today's threats demand security policy enforcement inside the cloud, so that post-breach lateral movement, the hallmark of APTs, can be detected and stopped.
This requires not only the visibility, security policies and advanced controls you expect of an enterprise-class security system, but a solution that works uniformly within diverse environments, on demand and at scale, without compromising your business or its budget.

YOUR CHALLENGE
Unfortunately, while your existing security investments may stand guard at the network perimeter, server and endpoint, chances are that when it comes to traffic moving laterally within your mixed infrastructure, it is your security that leaves your business exposed and chains it to painful and unacceptable trade-offs between performance, cost and risk.
Why? Appliance-based, perimeter security solutions are not working well in the transition between the traditional data center and new cloud services. Boxes don't float on clouds, and virtual appliances are inefficient. New solutions that rely on cloud-delivered services, or that require touching every workload, typically offer only segmentation, stopping well short of a full set of security controls. And all seem to lack the full automation and orchestration capabilities, across all environments, needed to scale performance, your team and its financial resources. Your options are limited, and your agile business and its IT services may be at risk.
95% of IT professionals surveyed use cloud services (1)
60% plan to move to multi-cloud (2)
74% of organizations abandon traditional security controls because they're not effective for cloud (3)
(1) Source: RightScale 2016 State of the Cloud Report
(2) Source: http://www.cloudcomputing-news.net/news/2016/sep/27/multi-cloud-increasingly-popular-among-enterprises-not-without-its-faults/
(3) Source: ESG Research Publication, ESG Infographic: Cloud Security Requires New Processes and Controls, November 2016
INTRODUCING AION™: THE FIRST MICROSERVICES PLATFORM FOR NATIVE, MULTI-CLOUD SECURITY
Aion offers microsegmentation and full-flow deep packet inspection, visibility, policy and controls that can cost-effectively and automatically insert, orchestrate and elastically scale to protect your data across the multi-cloud.
Aion is a complete rebuild of traditional, network-based security. Aion's platform is true Software-Defined Security, built on a containerized, microservices-based architecture. We've deconstructed the components of the monolithic, appliance-based solutions of yesteryear into their component microservices and packaged them natively within individual containers. With Aion, IT teams can finally end the unacceptable trade-offs between performance, cost and risk.
SHIELDX NETWORKS: INNOVATIVE BUSINESS, EXPERT ORGANIZATION
Headquartered in Silicon Valley, ShieldX is Series A founded and funded by a consortium of veteran investors and colleagues from well-known venture firms and security companies.
Alongside our customers and partners, we've witnessed a major technology industry shift that has moved business IT into the age of virtualization, cloud, orchestration, containers and microservices, while available security technologies, solutions, skill sets and investments remain at least a generation behind.
At our core, we share a common vision with our customers: delivering truly native, enterprise-class security for today's modern infrastructure requires a full reboot. And we've done it. We've succeeded in our mission to build a platform that ends the unacceptable trade-offs and redefines security by combining expert execution with innovation that, like our customers, embraces agility and cloud principles.
Stop Compromising, Start Securing
To learn more about how you can natively segment and secure your multi-cloud infrastructure at unlimited scale with unparalleled cost savings, contact us at [email protected] or visit our website at www.shieldx.com.

Our Customers, Our Partners
Creating enterprise-class security for multi-cloud environments requires extensive partnerships across leading technology providers, open source communities, infrastructure and security vendors and, of course, real-world customers. From our very inception, we've partnered with our customers and their IT teams to help us test and focus our development along every step of our Agile methodology.

Our Leadership
Our organization is led by CEO Dr. Ratinder Paul Singh Ahuja, a Silicon Valley serial entrepreneur, founder of Reconnex, WebStacks and Internet Junction, and former CTO of Intel Security. Together with his co-founders, management team and board of leading investors and security executives, he has built the quintessential team to create a solution that works natively within today's modern infrastructure and represents a quantum leap in security capabilities for the enterprise.
© 2017 ShieldX Networks, Inc. All rights reserved. All ShieldX names and marks associated with ShieldX products are trademarks or service marks of ShieldX Networks, Inc. and are registered or common law marks in the United States and other countries. All other trademarks are property of their respective owners. No portion hereof may be reproduced or transmitted in any form or by any means, for any purpose other than the recipient’s personal use, without the express written permission of ShieldX Networks, Inc.
ShieldX Networks, Inc., 2025 Gateway Place, Suite 400, San Jose, CA 95110 USA
+1 408.758.9400 [email protected]
CREATING CLOUD-NATIVE SECURITY SOLUTIONS
For Today's Modern Enterprise Infrastructure

ShieldX | Datasheet | Aion™
Aion™: The First Containerized, Microservices Platform for Native, Multi-Cloud Security
Automate orchestrated microsegmentation with full-flow traffic inspection and policy enforcement while elastically scaling to multi-terabit speeds at a fraction of the cost.
SECURE YOUR BUSINESS WITHIN THE MULTI-CLOUD
To contain risk and maintain compliance in today's complex, mixed legacy and multi-cloud environments, IT organizations like yours must collaborate across Infrastructure, Security and DevOps teams to ensure rapid and secure IT service turn-up.
You also need a flexible solution that can effectively segment and secure, especially for new attack surfaces that have become targets for advanced attacks and APTs, propagated via lateral movement. This requires extending beyond basic role-based management, perimeter security and access control. It requires a solution that offers deep packet inspection and the visibility, policy management and enforcement you expect of an enterprise-class security system. And one that aligns with your infrastructure, working natively and uniformly at scale and across environments, without forcing you to compromise your business with unacceptable trade-offs between performance, cost and risk.
INTRODUCING AION
With Aion, you can finally segment and secure in depth and at scale, natively and automatically across your diverse, multi-cloud infrastructure, and with significantly lower total cost of ownership (TCO).
• Automate security insertion, orchestration and inspection elastically to multi-terabit scale across both physical and virtualized environments such as VMware vSphere, OpenStack/KVM, Amazon Web Services and Microsoft Azure.
• Manage and implement uniform security policy on demand and at scale based on enhanced microsegmentation, TLS decryption, full-flow threat prevention, malware detection and data loss prevention.
• Deploy over your existing, commodity infrastructure within 15 minutes and within your preferred OpEx- or CapEx-based financial model. Improve operations using Aion's inherent multi-tenancy, high availability and API-first strategy that supports integration with DevOps-oriented processes.
[Figure: Aion architecture. A Management Plane and a Data Plane; in the Data Plane, Segment Interfaces attach to each environment (Azure, OpenStack, VMware ESXi, AWS) through that environment's Orchestration API.]
NEW MODEL, UNCONVENTIONAL SOLUTION
Aion is a complete rebuild of traditional, network-based security.

FEATURES + SPECIFICATIONS
Uncompromised Security
Aion's unique architecture allows you to create and implement uniform security policy, enforcement and microsegmentation via security controls and functions that are application-, user- and traffic-flow-aware. Its dynamic insertion, combined with deep packet inspection and real-time analytics, offers exceptional visibility and detection of Indicators of Pivot (IoP), helping analysts reduce false positives and identify attacks earlier in the kill chain.
Table 1: Aion Security Controls
Microsegmentation: Application-aware access control that identifies over 5,000 applications
Threat detection and prevention: Employs behavioral, reputation, anomaly and signature-based techniques with over 10,000 rules
Malware detection: Integration with FireEye™ AX-series appliances
TLS decryption and termination: Allows full network-based decryption and termination where it's needed, and at the scale and cost you determine
URL classification and filtering: Validates the safety of external connections and locations and enhances the granularity of security policy, detection and enforcement
Network-based DLP*: Enhances deep packet inspection of data at rest and in motion to identify data locations and flows for security policy and microsegmentation that is risk-profile aware
*Available in subsequent releases.
Aion's platform is true Software-Defined Security, built on a containerized, microservices-based architecture. We've deconstructed the monolithic, appliance-based solutions of yesteryear into their component microservices, or xServices, and packaged them natively within individual containers.
These containers auto-detect each environment to replicate, distribute and communicate with each other and form a single logical unit, or Virtual Chassis. The Virtual Chassis dynamically inserts, orchestrates and elastically scales out across and over your commodity infrastructure and public cloud services according to your security intent, the constraints you provide and the policies you configure.
Unlimited Scale
While Aion's use of containers allows for automatic insertion into multiple environments, its microservices-based architecture allows for dynamic, elastic and essentially unlimited scale of any component within its management and data planes in response to changes in your traffic flows, and according to the resources you allocate. Aion consumes only the resources it needs, when it needs them, removing security as your infrastructure and service performance bottleneck and as an over-provisioned cost.
Table 2: Aion Supported Environments and Requirements
Release 1: VMware ESXi/vSphere, OpenStack/KVM and AWS environments
VMware vSphere / ESXi 5.5 and later; OpenStack / KVM Mitaka and later
Hardware compatibility
• Intel® Xeon™, Sandy Bridge or later, for on-premises, hosted or colocation environments
Base configuration requirements (per xService) per ShieldX Virtual Chassis
• Management plane: total minimum xServices, 16 vCores, 32 GB RAM, 500 GB storage per 40 Gbps traffic inspection
• Segment interface: 2 vCores, 2 GB RAM, 2 GB storage per 10 Gbps traffic inspection
• Flow and inspection: 4 vCores, 6 GB RAM, 12 GB storage per 2 Gbps traffic inspection
• SSL/TLS decryption: 2 vCores, 3 GB RAM, 6 GB storage per 0.5 Gbps encrypted traffic inspection
Estimated distributed resource requirements per Virtual Chassis for an on-premises environment, without decryption*
Throughput | vCores | RAM | Storage
10 Gbps | 38 | 64 GB | 562 GB
50 Gbps | 142 | 224 GB | 1.3 TB
100 Gbps | 268 | 416 GB | 2.1 TB
500 Gbps | 1,308 | 2,016 GB | 9.6 TB
1 Tbps | 2,600 | 4 TB | 18.7 TB
5 Tbps | 13,000 | 20 TB | 93.5 TB
10 Tbps | 26,000 | 40 TB | 187 TB
Amazon Web Services
Base configuration xServices requirements per ShieldX Virtual Chassis
• Management plane: 1 x c3.4xlarge per 40 Gbps traffic inspection
• Segment interface, flow and inspection: 2 x c3.xlarge per 1 Gbps inspected traffic (the table below, 20 x c3.xlarge at 10 Gbps, is consistent with c3.xlarge rather than c3.4xlarge for this tier)
• SSL/TLS decryption: 1 x c3.xlarge per 0.5 Gbps encrypted traffic inspection
Estimated distributed resource requirements per Virtual Chassis, if deployed in AWS only, without decryption*
Throughput | c3.4xlarge | c3.xlarge
10 Gbps | 1 | 20
50 Gbps | 2 | 100
100 Gbps | 3 | 200
500 Gbps | 13 | 1,000
1 Tbps | 25 | 2,000
5 Tbps | 125 | 10,000
10 Tbps | 250 | 20,000
*Based on a protocol and packet mix typical of data center applications. For estimation purposes only; subject to change.
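As an added worked example (not ShieldX's own sizing tool), the following Python reproduces both sizing tables above from the per-xService ratios in the base configuration bullets, rounding each xService up to whole instances, and then extends them with an encrypted-traffic share using the datasheet's SSL/TLS ratio, which the published "without decryption" rows leave out. The function names, and the reading of the AWS segment-interface/flow bullet as one unit of 2 x c3.xlarge per whole Gbps, are this example's assumptions; every ratio and per-unit figure is the datasheet's.

```python
"""Capacity estimate for an Aion Virtual Chassis from the datasheet ratios.

Added worked example, not ShieldX code. Each xService tier is rounded up to
whole instances; the encrypted_gbps parameter adds the SSL/TLS tier that the
datasheet's "without decryption" tables omit.
"""
import math

# Inspection capacity of one xService instance, in Gbps (datasheet figures).
GBPS_PER_MGMT = 40.0      # management plane
GBPS_PER_SEGMENT = 10.0   # segment interface
GBPS_PER_FLOW = 2.0       # flow and inspection
GBPS_PER_TLS = 0.5        # SSL/TLS decryption, per Gbps of encrypted traffic
GBPS_PER_AWS_FLOW = 1.0   # AWS: segment interface + flow unit covers 1 Gbps

# On-premises cost of one instance: (vCores, GB RAM, GB storage).
ONPREM_UNIT = {
    "mgmt": (16, 32, 500),
    "segment": (2, 2, 2),
    "flow": (4, 6, 12),
    "tls": (2, 3, 6),
}

# AWS mapping: (instance type, instances per xService unit).
AWS_UNIT = {
    "mgmt": ("c3.4xlarge", 1),  # 1 x c3.4xlarge per 40 Gbps
    "flow": ("c3.xlarge", 2),   # 2 x c3.xlarge per 1 Gbps (assumed reading)
    "tls": ("c3.xlarge", 1),    # 1 x c3.xlarge per 0.5 Gbps encrypted
}


def _check(gbps: float, encrypted_gbps: float) -> None:
    if gbps <= 0 or not 0 <= encrypted_gbps <= gbps:
        raise ValueError("encrypted share must lie between 0 and total Gbps")


def xservice_counts(gbps: float, encrypted_gbps: float = 0.0) -> dict:
    """Whole instances of each on-prem xService tier for the given load."""
    _check(gbps, encrypted_gbps)
    return {
        "mgmt": math.ceil(gbps / GBPS_PER_MGMT),
        "segment": math.ceil(gbps / GBPS_PER_SEGMENT),
        "flow": math.ceil(gbps / GBPS_PER_FLOW),
        "tls": math.ceil(encrypted_gbps / GBPS_PER_TLS),
    }


def onprem_estimate(gbps: float, encrypted_gbps: float = 0.0) -> dict:
    """Total vCores / RAM / storage for an on-premises Virtual Chassis."""
    totals = {"vcores": 0, "ram_gb": 0, "storage_gb": 0}
    for name, n in xservice_counts(gbps, encrypted_gbps).items():
        cores, ram, disk = ONPREM_UNIT[name]
        totals["vcores"] += n * cores
        totals["ram_gb"] += n * ram
        totals["storage_gb"] += n * disk
    return totals


def aws_estimate(gbps: float, encrypted_gbps: float = 0.0) -> dict:
    """EC2 instance counts by type for an AWS-only Virtual Chassis."""
    _check(gbps, encrypted_gbps)
    units = {
        "mgmt": math.ceil(gbps / GBPS_PER_MGMT),
        "flow": math.ceil(gbps / GBPS_PER_AWS_FLOW),
        "tls": math.ceil(encrypted_gbps / GBPS_PER_TLS),
    }
    counts = {"c3.4xlarge": 0, "c3.xlarge": 0}
    for name, n in units.items():
        itype, per_unit = AWS_UNIT[name]
        counts[itype] += n * per_unit
    return counts


def datasheet_rows(encrypted_fraction: float = 0.0) -> list:
    """Rebuild the seven datasheet rows; encrypted_fraction > 0 adds TLS."""
    rows = []
    for gbps in (10, 50, 100, 500, 1000, 5000, 10000):
        enc = gbps * encrypted_fraction
        rows.append((gbps, onprem_estimate(gbps, enc), aws_estimate(gbps, enc)))
    return rows


if __name__ == "__main__":
    for gbps, onprem, aws in datasheet_rows():
        print(f"{gbps:>6} Gbps  {onprem}  {aws}")
    # Half the traffic encrypted: the TLS tier is the dominant extra cost.
    print("10 Gbps, 5 Gbps encrypted:", onprem_estimate(10, 5), aws_estimate(10, 5))
```

Run as a script it prints the seven published rows followed by a 10 Gbps row with half the traffic encrypted; at that share the TLS tier alone adds 20 vCores on-premises and 10 c3.xlarge in AWS, so the encrypted fraction of the traffic mix is the input to pin down before sizing a deployment.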
Unparalleled Economics
As 100% cloud-native software, Aion is based on cloud principles, technologies and economics. Aion can drive a revolution in the way infrastructure and security organizations purchase and operationalize security, at up to 50% less than comparable solutions.

Purchase + Support
Aion is available pre-commercially in controlled releases through customer proof-of-concept deployments and our beta program. When Aion becomes generally available, customers will be able to purchase it from ShieldX's authorized partners.
ShieldX understands that our global customers will use our product to secure their business-critical infrastructures. We offer 24x7 support online and by phone. Support contracts for perpetual licenses are purchased as annual subscriptions.
For more information including to request a briefing, please visit our website at www.shieldx.com or contact us at [email protected], +1 408-758-9400.
Cloud-Principled
• Flexible, transparent purchase models for CapEx or OpEx budgets
• Easy, inspection-based, all-inclusive licensing
• Elastic, multi-tenant scale at 2-4 commodity cores per microservice
Ops-Accelerating
• Segment and secure terabits of traffic in less than 15 minutes
• Improve productivity with real-time analytics and automation
• Visualize, import/export, report, integrate or control with REST APIs
SLA-Ready
• Maintain business performance, security and compliance
• Highly available, with non-disruptive install, upgrade and removal
• Role-based access separates duties, with logging for audit trails
TRAI NN Use Cases
ShieldX Networks Inc.
www.shieldx.com

Agenda
• TRAI pre-consultation issues
• TRAI NN consultation issues
• ShieldX solution
©2017 ShieldX Networks, Inc. CONFIDENTIAL
TRAI Pre-Consultation
• Relevant topics from the pre-consultation
  - Precautions required to preserve national security
  - Precautions required to maintain customer privacy
  - Network security and integrity: protect their networks from viruses, spam, denial of service attacks, hacking attacks against network/terminal equipment, malicious software, etc.
Issues for Consultation
• 14 areas for discussion
• Ensuring non-discrimination
• Creating exceptions for certain emergency traffic:
  - Emergency situations and services;
  - Restrictions on unlawful content;
  - Maintaining security and integrity of the network;
  - Services that may be notified in the public interest by the Government/Authority, based on certain criteria; or
  - Any other services.
How Can ShieldX Aion Help
• Containerized, microservices platform for network-based + native multi-cloud monitoring and security
• Economical, elastic DPI for inspection, security and policy
• Scales to terabits per second of inspection
• No custom hardware; runs on standard Intel CPUs and hypervisors

How Can ShieldX Help
• Pervasively and economically deploy the ShieldX Virtual Chassis across ISP infrastructure
• Passively monitor, classify and measure traffic
  - Flag any discrimination
• Actively enforce policy for exceptions (Q6 in the issues)
Multi-Cloud + Security Challenge
Agile core business and data center services: rapid TTS at scale across mixed environments; new attack surfaces and GRC concerns; cloud principles and economics.

Security Alignment Required
Software-defined, native to architectures; ubiquitous, comprehensive and risk-profile aware; flexible and transparent ops and economics.
Trading Security, Performance & Cost
[Figure: vendor positioning chart. Vendors plotted: Checkpoint, Cisco, Fortinet, Palo Alto, Juniper, vArmour, Illumio, CloudPassage.]
Unconventional Solution
ShieldX Aion™: The First Containerized, Microservices Platform for Network-Based + Native Multi-Cloud Security
• Unlimited Scale: native, on-demand cloud scale; elastic, automated and orchestrated to multi-terabits and beyond
• Uncompromised Security: comprehensive full-flow policy, microsegmentation and IoP via scalable DPI and real-time analytics
• Unparalleled Economics: new paradigm; consumption-based, DevOps- and provider-ready at a fraction of the TCO and price
Built for Flexibility + Unlimited Scale
Traditional monolithic appliances: costly to scale, difficult to insert. ShieldX microservices architecture: elastic, containerized + distributed.

Automated Orchestration + Insertion
REST API-first strategy: DevOps pushes to the API; cloud orchestration pulls via rules.
• Insertion + policy
• Discovery + monitoring
• Security policy + controls: microsegmentation, real-time analytics, centralized management, uniform risk-aware policy
Uncompromised Security
• IDS/IPS: threat detection + prevention; full packet capture and logging
• TLS traffic decryption and termination
• NGFW: classification, reputation, filtering and inbound/reverse proxy
• Network-based malware detection and detonation with FireEye
• Anomaly detection via payload inspection
• VirtualTAP traffic collection + aggregation
• DLP monitoring and enforcement at rest and in motion*
Security Orchestration Policy
• Automated discovery, profiling and grouping of workloads: by name, by tag, by network, by IP
• Automated SI insertion
• Automated policy recommendation and updates: ACL, threat, malware, DLP
• Dynamic group maintenance across multi-cloud
[Figure: discovered workloads (W = webservers, D = DB servers) collected into a Webservers group with a Webserver Policy and a DB Servers group with a DB Server Policy.]
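To make the grouping and policy bullets on this slide concrete, here is an added illustrative example in Python. It is not ShieldX code and makes no claim about how Aion implements these steps: workloads discovered from several clouds are placed into groups by name pattern, tag, network (CIDR) or exact IP, a group-level intent policy is expanded into per-IP allow rules with a default deny, and a second discovery run shows membership and rules moving with the inventory. The workload names, IPs, tags, group names, selectors and ports are all constructed for the example.

```python
"""Dynamic workload grouping and microsegmentation policy derivation.

Added illustrative example, not ShieldX code. Inventory, groups, selectors
and policy below are constructed for the example.
"""
import ipaddress
import re

# Constructed inventory, as an automated discovery step might return it.
INVENTORY = [
    {"name": "web-01", "ip": "10.1.1.10", "tags": {"role": "web"}, "cloud": "vsphere"},
    {"name": "web-02", "ip": "10.1.1.11", "tags": {"role": "web"}, "cloud": "aws"},
    {"name": "db-01", "ip": "10.1.2.20", "tags": {"role": "db"}, "cloud": "openstack"},
    {"name": "jump-01", "ip": "10.1.9.5", "tags": {}, "cloud": "vsphere"},
]

# Group selectors (hypothetical): a workload joins a group if ANY selector
# matches, so the same group can be defined by name, tag, network or IP.
GROUPS = {
    "Webservers": [("tag", "role", "web"), ("name", r"^web-\d+$")],
    "DB Servers": [("network", "10.1.2.0/24")],
    "Admin": [("ip", "10.1.9.5")],
}

# Intent-level policy between groups: (source, destination, proto, port).
POLICY = [
    ("Webservers", "DB Servers", "tcp", 3306),
    ("Admin", "Webservers", "tcp", 22),
    ("Admin", "DB Servers", "tcp", 22),
]


def matches(workload: dict, selector: tuple) -> bool:
    """Evaluate one selector against one discovered workload."""
    kind = selector[0]
    if kind == "name":
        return re.search(selector[1], workload["name"]) is not None
    if kind == "tag":
        return workload["tags"].get(selector[1]) == selector[2]
    if kind == "network":
        return ipaddress.ip_address(workload["ip"]) in ipaddress.ip_network(selector[1])
    if kind == "ip":
        return workload["ip"] == selector[1]
    raise ValueError(f"unknown selector kind: {kind}")


def group_members(inventory: list, groups: dict) -> dict:
    """Group name -> sorted member IPs, recomputed from the live inventory."""
    return {
        g: sorted(w["ip"] for w in inventory if any(matches(w, s) for s in sels))
        for g, sels in groups.items()
    }


def expand_policy(inventory: list, groups: dict, policy: list) -> set:
    """Expand group intent into concrete (src_ip, dst_ip, proto, port) allows."""
    members = group_members(inventory, groups)
    rules = set()
    for src_g, dst_g, proto, port in policy:
        for s in members[src_g]:
            for d in members[dst_g]:
                if s != d:
                    rules.add((s, d, proto, port))
    return rules


def evaluate(rules: set, src: str, dst: str, proto: str, port: int) -> str:
    """Default-deny lookup: anything not explicitly allowed is denied."""
    return "allow" if (src, dst, proto, port) in rules else "deny"


def membership_diff(old: dict, new: dict) -> dict:
    """Per group, which IPs joined or left between two discovery runs."""
    return {
        g: {"joined": sorted(set(new[g]) - set(old.get(g, []))),
            "left": sorted(set(old.get(g, [])) - set(new[g]))}
        for g in new
    }


if __name__ == "__main__":
    rules = expand_policy(INVENTORY, GROUPS, POLICY)
    print(evaluate(rules, "10.1.1.10", "10.1.2.20", "tcp", 3306))  # allow
    print(evaluate(rules, "10.1.1.10", "10.1.2.20", "tcp", 22))    # deny
    # A new DB host appears in AWS; it joins by network, no policy edit needed.
    later = INVENTORY + [{"name": "db-02", "ip": "10.1.2.21", "tags": {}, "cloud": "aws"}]
    print(membership_diff(group_members(INVENTORY, GROUPS), group_members(later, GROUPS)))
```

The point of the second discovery run is the one the slide calls dynamic group maintenance: the new database host in a different cloud is admitted by the network selector, the expanded rule set grows by exactly the flows the intent already allowed to that group, and nothing else changes.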
Unparalleled Security Economics
A revolution in purchasing and operationalizing security, at up to 50% less than comparable solutions.
• Cloud-Principled: flexible CapEx or OpEx models; easy, inspection-based, all-inclusive licensing; elastic, multi-tenant scale with public cloud "lights off"
• Ops-Accelerating: segment and secure in under 15 minutes; productivity gains from real-time analytics and automation; visualize, integrate or control with REST APIs
• SLA-Ready: maintain performance, security and compliance; HA with non-disruptive install, upgrade, patch and removal; role-based management + logging
Security in Minutes
[Figure: a ShieldX Virtual Chassis inserted alongside ESXi and KVM hosts (vSwitch, VMs, NSX, OpenStack), receiving updates and feeds.]
1. Download the .ova file
2. Connect, configure and discover
3. Start monitoring and managing
Use Cases: ShieldX Aion™
• Lateral protection of enterprise and provider core business and data center services
• "Clean pipe" services that telcos and ISPs use to differentiate with security at scale and lower cost
• Multitenant, consumption-based security services that MSPs can deliver without CPE or onsite management
Next Steps
• Demo
• Proof of concept
• Sizing
  - Licensing starting at 10 Gbps in 2 Gbps increments
  - Annual support subscription
• Partner engagement
Thank You
www.shieldx.com