My vision for Zentera is to provide infrastructure security for the market known as the multicloud. As a new kind of infrastructure, the multicloud demands a convergence of networking and security, which challenges established practices at both enterprises and security providers. In this post, I will describe how enterprise IT operates today and the challenges that multicloud environments present.
Enterprises have typically used network technology such as L2/L3 VLANs and VXLAN to segregate networks and isolate workloads behind the corporate firewall or inside enterprise datacenters. But such network configuration is static, which makes it slow to change and hard to manage across a global enterprise. Today, many companies still run a large proportion of their workloads in a flat, mixed on-premises environment, that is, without isolation between services.
When enterprises migrate production workloads to the multicloud, outside the corporate firewall, service isolation becomes critical. However, conventional network infrastructure is static, and the security controls, provisioned and managed by enterprise IT, are slow to extend into such a hybrid environment. Next-generation infrastructure security technology is needed to deliver the promise of cloud service isolation.
I founded Zentera Systems in 2012 to realize my vision of converging networking and security technologies in the multicloud. Zentera is a next-generation infrastructure security company. We offer multicloud service isolation, shield, and filter solutions to help protect enterprise production workloads in the cloud, as shown in the diagrams below.
The first diagram above depicts the solution stack for cloud service isolation. Notice that CoIP occupies the two topmost layers.
The second diagram is a zoomed-out view of the first. It shows where the public cloud sits and how it relates to the physical enterprise datacenter.
Our CoIP® (Cloud over IP®) platform is an overlay virtual network platform that combines networking and security capabilities for enterprises. CoIP performs three distinct functions to meet cloud security requirements:
1. Multicloud Service Isolation
CoIP provides service isolation by implementing a closed, whitelist-only network, an enclave, at L5 (the session layer). The enclave authenticates and connects only the virtual machines that belong to a particular application (e.g., an HR web service), wherever they are provisioned, and isolates them from everything else. The enclave spans multiple cloud datacenters, and its security policies adapt automatically as virtual machines are added to or removed from the application. Because CoIP operates at L5 rather than in the L2/L3 fabric (much as VoIP rides over the IP network without requiring changes to it), provisioning is quick and simple for enterprises or managed service providers deploying workloads in a multicloud environment.
2. Multicloud Service Shield
CoIP shields the application workloads running inside an enclave by encrypting all LAN and WAN communications among the member virtual machines, regardless of where those VMs are provisioned. CoIP can also hide application communications from the underlying L3 network in the cloud, so that the L3 network carries nothing but CoIP secure transport. All IP addresses, public or private, can be modeled in CoIP at L5 (in any cloud, at any location) and are isolated from the L3 network. This protects traffic against interception and tampering by an on-path attacker in the cloud network and helps address cloud compliance requirements for encryption in transit. Note that an encrypted overlay protects traffic on the wire; it does not by itself protect a workload whose guest OS has been compromised, which is what the filtering described next is for.
3. Multicloud Service Filtering
To further protect the workloads of an application inside an enclave, CoIP provides east-west microsegmentation to filter traffic between the application tiers, that is, among the VMs associated with a single application. CoIP can also enforce a whitelist of software binaries that are allowed to access the enclave network. Because filtering is based on enclave membership, tier and originating binary rather than on packet payloads, it avoids the deep packet inspection used by many L7 security products, which consumes significant CPU. As a result, the CPU overhead of CoIP in the guest OS is minimal. Lastly, CoIP allows inline insertion of third-party security filtering engines such as IPS/IDS to monitor traffic between the tiers of an application.
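The isolation and filtering model described in items 1 and 3 (a closed whitelist enclave whose membership changes at runtime, tier-to-tier rules, and a whitelist of originating binaries) is easiest to understand as a default-deny policy engine. The following is an added example written for this page to illustrate that model; it is not Zentera's CoIP code, and every address, tier name, rule and binary hash in it is constructed for the demo.

```python
"""Default-deny enclave policy engine (added illustration, not Zentera's CoIP
implementation). Models three ideas from the post: enclave membership gated
on authentication and changeable at runtime, east-west tier rules, and a
whitelist of originating binaries. Everything not whitelisted is denied.
All addresses, tiers, rules and hashes below are constructed sample data."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Flow:
    """One connection attempt as seen by the enforcement point on the source VM."""
    src_ip: str
    dst_ip: str
    proto: str          # "tcp" or "udp"
    dst_port: int
    src_binary: str     # hash of the process that opened the socket (constructed)


@dataclass
class Enclave:
    """A closed whitelist network for one application, spanning several clouds."""
    name: str
    members: dict = field(default_factory=dict)       # ip -> tier name
    tier_rules: set = field(default_factory=set)      # (src_tier, dst_tier, proto, port)
    allowed_binaries: set = field(default_factory=set)

    def join(self, ip: str, tier: str, authenticated: bool) -> bool:
        """Admit a VM only after it has authenticated. Admission is what lets
        policy follow VM additions without touching L2/L3 configuration."""
        if not authenticated:
            return False
        self.members[ip] = tier
        return True

    def leave(self, ip: str) -> None:
        """Removing a VM immediately revokes every rule that involved it."""
        self.members.pop(ip, None)

    def evaluate(self, flow: Flow) -> tuple[str, str]:
        """Return ("allow" | "deny", reason). Default is deny."""
        src_tier = self.members.get(flow.src_ip)
        dst_tier = self.members.get(flow.dst_ip)
        if src_tier is None or dst_tier is None:
            return "deny", "endpoint is not an enclave member"
        if flow.src_binary not in self.allowed_binaries:
            return "deny", "originating binary is not whitelisted"
        rule = (src_tier, dst_tier, flow.proto, flow.dst_port)
        if rule not in self.tier_rules:
            return "deny", f"no tier rule for {src_tier}->{dst_tier} {flow.proto}/{flow.dst_port}"
        return "allow", f"tier rule {src_tier}->{dst_tier} {flow.proto}/{flow.dst_port}"


# Constructed example: an HR web service with web, app and db tiers. In the
# scenario each tier lives in a different cloud; note the policy never
# mentions a location, only membership, tier and binary.
WEB, APP, DB = "10.0.1.10", "10.0.2.20", "10.0.3.30"
NGINX_SHA = "sha256:nginx-demo-hash"      # constructed placeholder
HRAPP_SHA = "sha256:hrapp-demo-hash"      # constructed placeholder
PG_SHA = "sha256:postgres-demo-hash"      # constructed placeholder


def build_hr_enclave() -> Enclave:
    e = Enclave(name="hr-web")
    e.allowed_binaries.update({NGINX_SHA, HRAPP_SHA, PG_SHA})
    e.tier_rules.update({
        ("web", "app", "tcp", 8080),   # web tier may call the app tier
        ("app", "db", "tcp", 5432),    # app tier may call the database
    })
    for ip, tier in ((WEB, "web"), (APP, "app"), (DB, "db")):
        assert e.join(ip, tier, authenticated=True)
    return e


def demo() -> list[str]:
    """Run sample flows through the enclave and return the decisions in order."""
    e = build_hr_enclave()
    flows = [
        Flow(WEB, APP, "tcp", 8080, NGINX_SHA),          # matches a tier rule
        Flow(WEB, DB, "tcp", 5432, NGINX_SHA),           # web must not reach db directly
        Flow(APP, DB, "tcp", 5432, "sha256:curl-demo"),  # right tiers, unapproved binary
        Flow("10.0.9.99", DB, "tcp", 5432, HRAPP_SHA),   # non-member, even with a good hash
    ]
    decisions = [e.evaluate(f)[0] for f in flows]
    e.leave(APP)                                         # app VM retired
    decisions.append(e.evaluate(flows[0])[0])            # the old rule no longer applies
    return decisions


if __name__ == "__main__":
    for f, d in zip(["web->app", "web->db", "app->db (curl)", "outsider->db", "web->app after app left"], demo()):
        print(f"{f}: {d}")
```

The ordering of the checks matters: membership is tested before the binary and tier rules, so a VM that never authenticated into the enclave is rejected without any rule evaluation, and a retired VM drops out of every rule the moment it leaves. The expensive part of payload inspection never appears, which is the point the post makes about CPU cost; the trade-off is that a whitelisted binary that has itself been subverted is still allowed to talk within its permitted tiers, which is where inline IPS/IDS insertion adds value.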
We at Zentera are currently enabling top-tier IPS/IDS solutions to run in widely used clouds such as AWS, Azure and Oracle Cloud. Enterprises that have relied on these security engines for their compliance sign-off can now check the same box when migrating their workloads to the cloud. We are the industry's first solution for carrying on-premises security functionality over to cloud workloads and applications, addressing a critical gap that has been holding back widespread production use of the cloud.