Rethinking Security in Cloud Networking
Every CXO worries about security because the perimeter is changing; in fact, there are no walls for protection. The lines between cloud, workloads, applications, enterprise networks and hosts are blurring and the challenges are getting exponentially greater. The true security architect must rapidly address the reality of a more holistic network-wide security strategy. It must be one that goes beyond the cyber threat of the day to address the risk, scale and mitigation of persistent security issues. The state of cyber security needs urgent resolution because:
- It is becoming more expensive, because security is treated as a risk insurance policy
- Public cloud should make it simpler, but it actually does the opposite, adding complexity
- No single vendor is taking a holistic customer view
- Security must move from being a noun to adjectives: “simple and secure”
In the 2015 timeframe, VMware pioneered micro-segmentation by using virtualized firewalls within either a public or private cloud environment while Palo Alto, Fortinet and Checkpoint all drove next generation firewalls. Complementing Micro-segmentation and firewalls, Arista introduced Macro-Segmentation (MSS), another example of our pioneering innovation. MSS is dynamically applied to cloud networks depending on the type of host connected for secure workload mobility and workflow visibility. Arista, Next Generation Firewall partners (Checkpoint, Fortinet and Palo Alto) and VMware have been at the forefront of driving secure segmentation capabilities in a standards-based manner with uniform security control.
New Frontier in Cloud Security: Zone Segmentation
Regardless of the service or workload type, the location of these services and workloads must now transcend multi-cloud environments securely and seamlessly. Consistent network segmentation with Arista Any Cloud provides a powerful approach for applying the right security across applications, users, and places in the cloud. Arista vEOS now supports Zone Segmentation, allowing implicit traffic between workloads in the same zone while segmenting traffic between zones. Zone Segmentation can be automated and visualized with CloudVision. Users can create a zone and map cloud network attributes to that zone. The figure below shows the application of Zone based Segmentation in Azure, AWS or GCP cloud boundaries.
Figure 1: Zone Segmentation across Any Cloud works with existing segmentation and firewalls
The benefits of Arista’s cloud security with Zone Segmentation Services (ZSS) are compelling for customers and include:
- Location Freedom: This allows larger datacenters to centralize and insert security in the path between any workloads on demand, based on firewall rules at the premises or at the cloud boundaries for AWS, Azure or Google Cloud.
- Easy Integration: By not changing any frame formats, traffic is monitored by existing tools with smooth integration across clouds and regions.
- Open: Zone Segmentation can fully function in today’s firewall network of multi-vendors without lock-in or proprietary protocols.
- Agile: Workloads can and do move across intra- and inter-cloud boundaries, and security groups can dynamically move with them across multiple zone segments to secure the automated deployment model.
- Seamless Co-existence: Arista's ZSS does not try to ‘own’ policy; instead it co-exists with defined security tool frameworks while new actions can be instantiated, such as tracking protocols like SIP.
CloudVision Foundation for A to Z Partnerships
Arista CloudVision can manage and secure segmentation across the premises and the cloud in a centralized manner. Together with Arista EOS state streaming and interface statistics, anomalous behavior can be detected, alerted on and analyzed. For example, if a compromised workload tries to access other workloads that it isn't supposed to, the alerts are captured in CloudVision and visualized for the network operator, enabling rapid detection and response. In this way CloudVision establishes secure parameters and trust relationships between zones with our cloud partners as well as with new security partners, Zscaler and VMware. Arista and Zscaler offer a secure cloud architecture that recognizes the central role the cloud often plays in hosting corporate applications and general web content. Zscaler’s cloud, together with Arista vEOS Zone Segmentation, secures inter-cloud traffic to and from the Internet for north-south workloads and east-west cloud networking.
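To make the zone model described in the Zone Segmentation section and the compromised-workload alert above concrete, here is an added illustrative evaluator; it is not Arista's code and does not use any vEOS or CloudVision API. Workloads carry cloud network attributes, a zone is a set of attribute selectors, intra-zone flows are implicitly allowed, inter-zone flows need an explicit rule, and denied attempts are surfaced as alerts. Zone names, attributes, rules and flows are constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Hypothetical model (not Arista's implementation): a workload is described by
# cloud network attributes, and a zone is defined by the attribute values it matches.
@dataclass(frozen=True)
class Workload:
    name: str
    attrs: FrozenSet[Tuple[str, str]]  # e.g. {("cloud", "aws"), ("tier", "web")}

Zones = Dict[str, List[Dict[str, str]]]  # zone name -> list of attribute selectors

def zone_of(wl: Workload, zones: Zones) -> str:
    """Map a workload to the first zone with a selector matching all of its keys."""
    a = dict(wl.attrs)
    for zone, selectors in zones.items():
        if any(all(a.get(k) == v for k, v in sel.items()) for sel in selectors):
            return zone
    return "unzoned"  # unmatched workloads get no implicit trust

def evaluate(src: Workload, dst: Workload, port: int, zones: Zones, rules: set):
    """Intra-zone flows are implicitly allowed; inter-zone flows need an explicit rule."""
    zs, zd = zone_of(src, zones), zone_of(dst, zones)
    if zs == zd and zs != "unzoned":
        return "allow", f"intra-zone {zs}"
    if (zs, zd, port) in rules:
        return "allow", f"rule {zs}->{zd}:{port}"
    return "deny", f"no rule {zs}->{zd}:{port}"

def audit(flows, zones: Zones, rules: set):
    """Evaluate observed flows; each denied inter-zone attempt becomes an alert record."""
    alerts = []
    for src, dst, port in flows:
        verdict, reason = evaluate(src, dst, port, zones, rules)
        if verdict == "deny":
            alerts.append((src.name, dst.name, port, reason))
    return alerts

# Constructed sample: the web zone spans AWS and Azure; the db zone is AWS only.
ZONES: Zones = {
    "web": [{"cloud": "aws", "tier": "web"}, {"cloud": "azure", "tier": "web"}],
    "db": [{"cloud": "aws", "tier": "db"}],
}
RULES = {("web", "db", 5432)}  # only web may reach db, and only on 5432
web_aws = Workload("web-aws-1", frozenset({("cloud", "aws"), ("tier", "web")}))
web_az = Workload("web-az-1", frozenset({("cloud", "azure"), ("tier", "web")}))
db = Workload("db-aws-1", frozenset({("cloud", "aws"), ("tier", "db")}))
FLOWS = [(web_aws, web_az, 8080), (web_aws, db, 5432), (web_az, db, 22), (db, web_aws, 443)]

if __name__ == "__main__":
    for alert in audit(FLOWS, ZONES, RULES):
        print("ALERT", alert)  # the two flows that cross zones without a matching rule
```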
Arista now complements its datacenter with MSS and campus functions. We have expanded our partnership with VMware to extend both Arista MSS and VMware’s micro-segmentation by enabling Arista switches to enforce NSX security directives. This ensures consistent segmentation actions can be applied to applications hosted on virtualized and bare-metal servers.
Simple and Secure Cloud Networking
I am excited by the power and potential of Zone Segmentation for both the security and the cloud networking industries, each of which is undergoing massive transitions. It secures and unifies two islands, bringing profound impact to our eco-partners and customers alike for secure cloud networking. Critical to the successful deployment of uncompromised security in a private or hybrid cloud evolution are our partnerships with next generation firewall vendors, VMware and Zscaler. Arista is now extending secure segmentation beyond firewalls into virtualized datacenters and campuses for secure cloud networking.
Welcome to the new world of secure cloud networking. I always welcome your comments at email@example.com
Zone Segmentation Technical Brief
Video - Arista Security for Cloud Networking: A Customer Perspective
Gartner Catalyst - San Diego, Booth #505
VMworld 2018 - Las Vegas, Booth #1030
Opinions expressed here are the personal opinions of the original authors, not of Arista Networks. The content is provided for informational purposes only and is not meant to be an endorsement or representation by Arista Networks or any other party.