Modern Day ZTNA Archives | Axis Security
https://www.axissecurity.com/tag/modern-day-ztna/

ZTNA 1.0 Buyout Offer PPC
https://www.axissecurity.com/ztna-buyout-ppc/
Wed, 27 Sep 2023 22:05:26 +0000


Your ZTNA 1.0 solution left you longing for more?

 

The first generation of ZTNA struggled.

  • Policies were too complex so you got stranded on “Wildcard Mode” island

  • It doesn’t support access to RDP, VOIP, ICMP, or AS400 protocols

  • It can’t inspect private traffic

That wasn’t cool of them, so we decided to do something about it.

 

Learn how we can buy out your ZTNA contract and give you up to 6 months of free Atmos ZTNA service.

Join those who have already made the switch:



This new series is the first ever to teach IT architects how to adopt Zero Trust
https://www.axissecurity.com/teach-it-architects-how-to-adopt-zero-trust/
Tue, 25 Oct 2022 17:53:05 +0000

Zero Trust Architect with Jaye Tillson

Where it all began

I spent the first 25+ years of my career running global architecture teams for large multinational companies. I collaborated with and learned from my peers at some of the largest Fortune 2,000 companies in the world. We designed and implemented an architecture that enabled our businesses to transform. Security was but over the years it has become more critical as the infrastructure and data have evolved. 

At the start of my career, ‘security’ just meant locking the door when it was time to leave the office.  There was no such thing as usernames or passwords, and the largest network consisted of the users’ computers that required access to the corporate ERP system. Everyone had a desktop computer and only worked in an office.

Then came the Internet and email. People needed their own usernames so that they could get email (although passwords were still blank) and the network grew to facilitate this. To keep things secure you purchased a firewall and created that castle and moat we have all become so familiar with. Everyone on the network was fully trusted and could essentially flow seamlessly across the environment.

As time moved on the amount of data companies owned and stored grew, as did the number of applications and servers needed to run the business. People began to realize that this data had value and that if it got into the wrong hands, it would be bad. Security started to become more important. Things like virus protection software that was previously very basic became more enhanced, firewalls became more intelligent, and we added solutions such as IPS/IDS and email scanning. As the business grew, the networks grew huge and were still fully trusting everyone and everything on them.  In some cases, we tried to break networks into smaller chunks, but this more often than not created problems so the internal networks were just left wide open. 

Then came the cloud. Systems that had previously been only available on the corporate network became available in the cloud. This was supposed to make it simpler for people. We would no longer need to feed and water the on-premises systems and replace hardware that was costly and came with risk. This meant at first, very few companies adopted the cloud. It was relatively expensive and difficult to configure, there was a lack of skills, and it meant that the data and applications would be further from the users than ever. People were also concerned about security, after all, they had spent many years creating systems to protect that castle and moat design.

Then came COVID. The pandemic changed everything. All the users across the world who could work from home did. They got up from their desks and went home. Their office was now their dinner table, their garage, or their bedroom. All those companies who had adopted the cloud were now far better off. Those that hadn’t looked around and realized they needed to adapt, and they did. However, security was now at the back of people’s minds. Keeping the company functioning operationally was the most important thing. People adopted the cloud but forgot about their wide-open networks.

IT and security teams now have a significant issue. The network and security systems of the past are no longer fit for purpose. The castle and moat architecture doesn’t meet our new world’s needs. We cannot just trust everyone that’s on our network whether they are an employee or not. Today’s networks are big, difficult to protect, prone to failure, and expensive to manage. Things need to change.

Insider threat is now known to be the biggest threat a company is likely to face. Statistics show that in 2021 60% of all data breaches were caused by insider threats and 61% of companies had experienced an insider attack. Top insider threat actors include managers, contractors, and third parties—those people we all allow on the network without question.

The role of the IT architect in enabling Zero Trust

Since the pandemic, the term zero trust is one that every architect would have heard. It’s everywhere.  However, I have found that every cyber vendor has started to badge their product as ‘zero trust’ which has led to a lot of confusion. Even if you look hard, it is very difficult to find out the real meaning of zero trust. This has made it difficult for us architects to select the best products for our businesses and to understand how we can move away from that legacy castle and moat design.  

Since joining Axis, I have often been asked questions about zero trust and what it means to an architect like me. I get asked questions like what is zero trust? What is SASE? What is SSE? How do these technologies apply to me? Will these technologies help make my life and the life of the users easier? How do they help us become more secure? How do they fit in today’s world? Will they help me protect my business from things like ransomware, insider threats, and data leakage?

Questions like these seem to be top of mind for many security and network leaders in the world we live in today. So, to try and help my fellow architects, I’ve decided to create a series in the hope that I can help by answering some of these questions.

The world’s first series on zero trust designed for IT architects, by an architect

Dubbed “The Zero Trust Architect”, this new video series provides a platform to discuss zero trust from the architect’s vantage point. I will dig deep into the history of where zero trust started and why, and explain what it means for cloud, security, and network architects. 

This Zero Trust Architect series will outline top use cases seen throughout my career, and how a zero-trust approach can help you. Together we will look at how you can bring a zero-trust approach into your architectural plans to support digital transformation. We’ll zoom in on how to keep employees, and partners, off the network, and remove the default trust that inherently exists in the legacy castle and moat designs. We will explore the most significant risks that threaten remote work and third-party access, focusing on keeping your environments secure and protecting against things like insider threats and ransomware, and best practices and considerations along the way.

The only question now is, are you ready to become a zero trust architect?

Start by watching the first two videos of the Zero Trust Architect series.

Dirty appliances: The hidden environmental costs of VPN gateways
https://www.axissecurity.com/dirty-appliances-the-hidden-environmental-costs-of-vpn-gateways/
Mon, 17 Oct 2022 16:23:44 +0000

Another reason not to like your VPN.

In networking we often discuss routing, packets, protocols and latency.  It’s always been our lifeblood and our passion.  Another area we are passionate about is hardware.  A new router, firewall, switch or network appliance will elicit numerous debates and send us to a world of what if?  What if I deployed this box to my network?  How would it impact it?  Would it make the network faster?  Would it make my job easier?  Now, one topic we don’t discuss is the “green” impact of this new box. 

Our networks are complex, costly and, truth be told, they impact the world around us. At Axis Security, we often refer to the journey of Amy in HR. Amy is part of the hybrid workforce. Her day begins in her home office, which is located at the kitchen table of her house. Every day Amy must use the corporate VPN to access the applications she requires to complete her job. Her journey looks like this.

Amy must run a virtual gauntlet of IT network and security hardware appliances.  Typically, this may include a series of seven systems each with a redundant twin for high availability.   

So, what is the impact of these 14 boxes on our planet?  Let’s break it down.  

Amy’s point of entry is the data center firewall. Typically the firewall is the second most power-consuming device. For our scenario, we will select a Palo Alto Networks PA-5430 firewall. The power rating for this device comes in at 630 watts. Since our design is redundant, we will need two of them. Therefore, the total for the two is 1260 watts.

Next up is the Denial of Service appliance. This time we will go with a product from Cisco Systems. The selection will be the Cisco Defense Pro 20. Its power requirements are rated at 320 watts. Again, we will need two for high availability, so the number is 640 watts.

NAC and ADC are next in the path.  While there are appliances in this area, we will leverage Cisco ISE.  While we could build this out a number of ways, let’s keep it simple and call it two servers running a dedicated application.  Power requirements will come in around 850 watts per server.  Again, we need two so 1700 watts is our total for NAC and ADC.  

On to the SSL!  For the SSL decryption, we will go back to Cisco.  The Cisco Firepower 5555 is our most efficient solution at 134 watts at peak.  We need two so 268 watts is our number!

Now comes the IPS system.  Again, we will go with a Cisco Firepower product, the 9300 appliance.  Unlike the Firepower 5555, the 9300 is power hungry at 1000 watts for both.  

And we are almost done.   One more firewall to go!!  Again, we’ll go back to Palo Alto Networks.  Add a pair of PA-5430 at 1260 watts.  

Now that we’ve completed Amy’s journey from a network and security appliance point of view, let’s add up our power budget and determine the power costs as well as most importantly, the impact on the planet.  

The power budget comes to 6,128 watts at peak. Based on a cost of power of $0.32 per kWh, running 24 hours a day, which works out to 146 kWh per day (53,681.28 kWh per year), our total per-datacenter cost comes to $17,178 each year, just in electricity costs. This doesn’t include manufacturing costs either.

But what is the total carbon impact? We used the free Greenhouse Gas Equivalent calculator provided by the EPA and found that 53,681.28 kWh per year is equivalent to 25.6 tons of CO2 per datacenter! That is equivalent to what 27 acres of US forests sequester per year. Check out some other interesting equivalencies below.

A report commissioned by Statistica found that 73% of companies have 3 to 5 data centers in use. 40% of companies have 6 or more! 

So if we assume 5 data centers for each Fortune 2,000 company (most will likely have more), the electricity costs alone for the VPN gateway would be $85,890 per year (again, only for electricity). The environmental impact would be a whopping 128 tons of CO2 emissions. Multiply that by 2,000 Fortune companies and that’s 253,475 tons of CO2 emissions. That is equivalent to the carbon sequestered by 272,129 acres of US forests.

That’s a lot of green, for too much green. It’s time to say bye to hardware-based VPN and move to a new software-based solution designed using the Security Service Edge framework. It can be delivered from the cloud, from data centers with carbon offsets. The result: better for the environment, better for the planet and, likely, lower cost.

If you’re ready to say goodbye to VPN, we’ve got your back. Let us buy out your VPN contract and replace it with our Atmos ZTNA solution, part of our Atmos Security Service Edge (SSE) platform.

CxOs: Here’s how to budget for success during your Security Service Edge (SSE) project
https://www.axissecurity.com/cxos-heres-how-to-budget-for-success-during-your-security-service-edge-sse-project/
Thu, 06 Oct 2022 19:52:11 +0000

Make budgeting easier when it’s time to modernize your access infrastructure.

The air has a crispness to it, kids are back in school and the afternoon shadows are growing longer. For me, Fall has always been the season when the last revisions for projects and business as usual (BAU) budget requests were finalized. It was one of the last opportunities to dial in the plan of work for the upcoming year as well as align the projects with the critical financing which makes it all possible. If you are considering a Security Service Edge (SSE) project for 2023, here are some tips as you enter the final lap of budgeting season.  

Create the map

The most critical aspect is the scope. Implementing an SSE project is a journey. It’s not something you accomplish overnight or even a year. Often, these types of projects take multiple years. So, start with a phased plan.  Determine what your first phase is as well as the follow-on aspects of your journey.  Set guideposts and determine the schedule. Think in terms of 6 months. What do you want to accomplish in H1 and H2? What is the order? Understand which technologies in your portfolio will be impacted and the timing for each. Based on this, take inventory. Create a schedule to replace each item.  

Technology meet finance 

Once you have the list of technologies that the project will impact, attach them to a proposed schedule. Now it is time to work on the details. As simple as it may seem to replace one technology with another, unfortunately, it is not. Here’s where technology meets the real world of finance. Your roadmap for the journey must align with the interests of your finance department. And trust me, this is where projects and budgets get complex fast!! But keep in mind, by doing the hard work upfront, you will lower the inevitable amount of budget friction in your future. The key here is to take inventory of the technologies impacted and then align them with terms the finance team will understand. 

OpEx, CapEx, BAU….. Oh my!

You need to be aware of how each item is treated. Is it an OpEx or CapEx expense? Is there a “Business As Usual” (BAU) line item associated with it? If the item is CapEx based, is the item on the depreciation schedule? Is it 12 months into a 36-month depreciation schedule? If so, the finance team is going to frown upon your proposed replacement plan. As you will find out, much like Cloud, SSE tends to be weighted on the OpEx side of the coin. What this means is you will need to learn how to trade in CapEx investments for OpEx ones. For example, are you proposing to move off a legacy firewall that is listed at $100K and depreciated on a 3-year schedule? If so, you will not be able to trade the amount dollar for dollar in year one. Rather, from the financial perspective, you will need to divide by three. Thus $100K becomes $33K for budgeting.

Make friends and reduce the budget friction

If these terms and concepts are new to you, this is when you make fast friends with your resource on the finance team. As a technology leader, you must understand the complexities of how finance views technology investments. Ask questions. If you are not familiar with the terms finance is using, ask them for a lesson. The more you can speak their language, the more success you will have on your SSE journey. Once you get the finance side of the coin dialed in, you can determine if your project plan is possible or not. Based on this, revise your project plan and timelines.

Eating the whale, one bite at a time

Next, break down the phases into digestible units. Now that you know where each item fits within the technology and finance puzzle, you can start putting your overall project together. Maybe during the financial analysis, it was determined a key VPN gateway was just purchased 18 months ago but the Secure Web Gateway (SWG) subscription is up for renewal in March. If so, it would be a good idea to pivot your project and tackle the SWG first and VPN in the following year. This will help you not only in the coming year but also create a multi-year story from both the finance and technology angles. The more you can help guide finance over 12, 24, and 36 months, the less time you will need to spend on constantly revising your budgets. You will quickly find out the finance team prefers the predictable path. At the end of the day, your job is to be the storyteller from both a technology and financial perspective.  

SSE value calculator

And to help you with your story, Axis has created an SSE Value Calculator. It allows you to take the puzzle pieces of your project and help guide you on your journey. The value calculator will help you to put the story together. It includes common inputs such as investments in services like SWG, VPN gateways, and CASB along with expected savings by transitioning from costly MPLS transport to Internet connectivity. You can also consider cost savings such as reduced operational overhead for managing SSE services vs traditional approaches. You can even run “what if” scenarios. The output will help guide you to success in both the technology area as well as the finance one too. It will also assist you in determining how to accomplish the best Return on Investment (ROI). Keep in mind, at the end of the day, all IT projects are business projects. The link is here – https://www.axissecurity.com/atmos-value-calculator/

If you have questions, feel free to reach out.  Hopefully, your Fall is full of fun and excitement!  
