Rethinking Security in Cloud Networking

by Jayshree Ullal on Aug 21, 2018 4:21:16 AM

Every CXO worries about security because the perimeter is changing; in fact, there are no longer walls to hide behind. The lines between cloud, workloads, applications, enterprise networks and hosts are blurring, and the challenges are growing exponentially. The security architect must rapidly face the reality that a holistic, network-wide security strategy is needed: one that goes beyond the cyber threat of the day to address the risk, scale and mitigation of persistent security issues. The state of cyber security needs urgent resolution because:

  1. It is more expensive, since security is effectively a risk insurance policy
  2. Public cloud should make it simpler, but it actually does the opposite, adding complexity
  3. No single vendor is taking a holistic customer view
  4. Security must move from being a noun to adjectives: “simple and secure”

In the 2015 timeframe, VMware pioneered micro-segmentation by using virtualized firewalls within either a public or private cloud environment, while Palo Alto, Fortinet and Check Point all drove next generation firewalls. Complementing micro-segmentation and firewalls, Arista introduced Macro-Segmentation Service (MSS), another example of our pioneering innovation. MSS is applied dynamically to cloud networks depending on the type of host connected, for secure workload mobility and workflow visibility. Arista, its next generation firewall partners (Check Point, Fortinet and Palo Alto) and VMware have been at the forefront of driving secure segmentation capabilities in a standards-based manner with uniform security control.


New Frontier in Cloud Security: Zone Segmentation

Regardless of the service or workload type, the location of these services and workloads must now transcend multi-cloud environments securely and seamlessly. Consistent network segmentation with Arista Any Cloud provides a powerful approach for applying the right security across applications, users, and places in the cloud. Arista vEOS now supports Zone Segmentation, which implicitly allows traffic between workloads in the same zone while segmenting traffic between zones. Zone Segmentation can be automated and visualized with CloudVision: users create a zone and map cloud network attributes to that zone, and workloads carrying those attributes are placed in it. The figure below shows the application of zone-based segmentation within Azure, AWS or GCP cloud boundaries.


Figure 1: Zone Segmentation across Any Cloud works with existing segmentation and firewalls

The benefits of Arista’s cloud security with Zone Segmentation Services (ZSS) are compelling for customers and include:

  • Location Freedom: Larger datacenters can centralize security and insert it on demand into the path between any workloads, based on firewall rules at the premise or at the cloud boundaries of AWS, Azure or Google Cloud.
  • Easy Integration: Because no frame formats are changed, traffic is still monitored by existing tools, with smooth integration across clouds and regions.
  • Open: Zone Segmentation can fully function in today’s multi-vendor firewall networks without lock-in or proprietary protocols.
  • Agile: Workloads can and do move across intra- and inter-cloud boundaries, and security groups can dynamically move with them across multiple zone segments to secure the automated deployment model.
  • Seamless Co-existence: Arista's ZSS does not try to ‘own policy’; instead it co-exists with the defined security tool frameworks, while new actions can be instantiated, such as tracking protocols like SIP.

CloudVision Foundation for A to Z Partnerships

Arista CloudVision can manage and secure segmentation across the premise and the cloud in a centralized manner. Together with Arista EOS state streaming and interface statistics, anomalous behavior can be detected, alerted on and analyzed. For example, if a compromised workload tries to reach other workloads that it is not supposed to, the attempts are captured as alerts in CloudVision and visualized for the network operator for rapid detection and action. CloudVision thereby establishes secure parameters and trust relationships between zones with our cloud partners as well as with new security partners, Zscaler and VMware. Arista and Zscaler offer a secure cloud architecture that recognizes the central role the cloud often plays in hosting corporate applications and general web content. Zscaler’s cloud, together with Arista vEOS Zone Segmentation, secures inter-cloud traffic to and from the Internet for north-south workloads and east-west cloud networking.
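To make the zone model described in the two passages above concrete, here is a small added example. It is my own illustration of the concept, not Arista vEOS or CloudVision code: workloads are placed in zones by matching their cloud network attributes (modelled here as tags), traffic inside a zone is implicitly allowed, traffic between zones is denied unless an explicit inter-zone rule permits it, and a simple audit over flow records surfaces the cross-zone attempts an operator would want alerted on. Zone names, tags, workload names and flow records are all constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Workload:
    name: str
    cloud: str             # constructed: "aws", "azure" or "gcp"
    tags: Dict[str, str]   # cloud network attributes, e.g. instance tags


@dataclass
class Zone:
    name: str
    match: Dict[str, str]  # attribute values that place a workload in this zone

    def contains(self, w: Workload) -> bool:
        return all(w.tags.get(k) == v for k, v in self.match.items())


@dataclass
class ZonePolicy:
    zones: List[Zone]
    # explicit, directional inter-zone allow rules: (src_zone, dst_zone, dst_port)
    allow: List[Tuple[str, str, int]] = field(default_factory=list)

    def zone_of(self, w: Workload) -> Optional[str]:
        for z in self.zones:
            if z.contains(w):
                return z.name
        return None  # a workload that matches no zone gets no implicit trust

    def permits(self, src: Workload, dst: Workload, port: int) -> bool:
        sz, dz = self.zone_of(src), self.zone_of(dst)
        if sz is None or dz is None:
            return False
        if sz == dz:
            return True  # implicit intra-zone allow, regardless of cloud
        return (sz, dz, port) in self.allow


Flow = Tuple[str, str, int]  # (src workload, dst workload, dst port)
Violation = Tuple[str, str, int, Optional[str], Optional[str]]


def audit_flows(policy: ZonePolicy, workloads: Dict[str, Workload],
                flows: List[Flow]) -> List[Violation]:
    """Return every flow the zone policy would not permit, with both zones."""
    violations: List[Violation] = []
    for src, dst, port in flows:
        s, d = workloads[src], workloads[dst]
        if not policy.permits(s, d, port):
            violations.append((src, dst, port, policy.zone_of(s), policy.zone_of(d)))
    return violations


def suspect_sources(violations: List[Violation], threshold: int = 2) -> List[str]:
    """Sources with repeated cross-zone attempts: the 'compromised workload' signal."""
    counts = Counter(v[0] for v in violations)
    return sorted(name for name, n in counts.items() if n >= threshold)


# Constructed sample: two zones spanning three clouds, one explicit rule.
ZONES = [Zone("web", {"role": "web"}), Zone("db", {"role": "db"})]
POLICY = ZonePolicy(ZONES, allow=[("web", "db", 5432)])
WORKLOADS = {w.name: w for w in [
    Workload("web1", "aws", {"role": "web"}),
    Workload("web2", "azure", {"role": "web"}),
    Workload("db1", "gcp", {"role": "db"}),
    Workload("db2", "aws", {"role": "db"}),
    Workload("ops1", "aws", {"role": "ops"}),   # matches no zone
]}
FLOWS: List[Flow] = [
    ("web1", "web2", 443),   # same zone across clouds: implicit allow
    ("web1", "db1", 5432),   # explicit web->db rule: allow
    ("web2", "db1", 22),     # no rule for port 22: violation
    ("web2", "db2", 22),     # second violation from web2
    ("db1", "web1", 443),    # rule is directional: violation
    ("ops1", "web1", 443),   # unzoned source: violation
]


def run_demo() -> Tuple[List[Violation], List[str]]:
    violations = audit_flows(POLICY, WORKLOADS, FLOWS)
    return violations, suspect_sources(violations)


if __name__ == "__main__":
    found, suspects = run_demo()
    for v in found:
        print("denied: %s -> %s:%d (zones %s -> %s)" % v)
    print("repeat offenders:", suspects)
```

The two design points worth noting are that membership is derived from attributes rather than addresses, so a workload keeps its zone when it moves between clouds, and that inter-zone rules are directional, so the reverse direction of an allowed flow still shows up in the audit.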

Arista now complements its datacenter MSS with campus functions. We have expanded our partnership with VMware to extend both Arista MSS and VMware’s micro-segmentation by enabling Arista switches to enforce NSX security directives. This ensures that consistent segmentation actions can be applied to applications hosted on virtualized and bare-metal servers alike.

Simple and Secure Cloud Networking

I am excited by the power and potential of Zone Segmentation for both the security and cloud networking industries, each of which is undergoing massive transitions. It secures and unifies two islands, bringing profound impact to our eco-partners and customers alike for secure cloud networking. Critical to the successful deployment of uncompromised security in a private or hybrid cloud evolution are our partnerships with next generation firewall vendors, VMware and Zscaler. Arista is now extending secure segmentation beyond firewalls into virtualized datacenters and campuses for secure cloud networking.

Welcome to the new world of secure cloud networking. I always welcome your comments at feedback@arista.com.


Written by Jayshree Ullal
Jayshree Ullal is a networking executive veteran with 30+ years of experience. In 2018 Barron's named her one of the "World's Best CEOs." In 2015 she was co-awarded "EY 2015 Entrepreneur of the Year" across National USA and named "#3 IT Industry Disrupter" by CRN. In 2005 she was named one of the "50 Most Powerful People" by Network World, and in 2012 one of the "Top Executives" by Forbes magazine. As President and CEO for a decade, Jayshree led Arista Networks to a successful IPO on the NYSE in June 2014. She is responsible for building a multibillion dollar business in cloud networking and has forged strategic alliances with Microsoft, HP and VMware, to name a few.
