Providing Out-of-Band Connectivity to Mission-Critical IT Resources

How To Keep Colocation Data Center Pricing in Check

Rows of data center racks in a colocation facility take up a lot of space, which contributes to colocation data center pricing.

With inflation and supply chain issues causing hardware prices to surge, and a winter recession looming on the horizon, every organization is looking for ways to cut technology costs. Though colocation hosting is often much less expensive than building and maintaining an on-premises data center, factors like physical space usage, power and bandwidth consumption, and remote support can cause your monthly colo bill to spiral out of control. This blog examines some of the most common reasons for colocation data center pricing increases and offers advice on how to keep these costs in check.

Colocation data center pricing considerations

First, here are four common factors that could cause your colocation data center pricing to increase.

1. Physical space

One of the major elements determining colocation pricing is the amount of physical space being rented. Some facilities charge by the rack unit and others by square footage (i.e., how much floor space is taken up by your racks). Costs for colocation space are typically calculated based on your portion of the facility’s operating expenses, which include things like physical security, building maintenance, and energy for cooling.

2. Power consumption

Power usage also heavily affects colocation data center pricing. While some facilities offer flat-rate power pricing, it’s more common to see pricing based on kilowatt usage. The price of data center power usage depends on many factors, such as electricity costs in the region, how energy-efficient the facility is, and how much energy it takes to cool your equipment.

3. Bandwidth consumption

Bandwidth is another usage-based expense that affects data center pricing. Organizations usually purchase bandwidth from the ISP, not directly from the facility, although some data centers do offer colo packages that also include internet access and bandwidth. That means that bandwidth pricing varies significantly from organization to organization.

4. Remote hands

Though colocation data centers handle many aspects of building and facility maintenance, customers are typically responsible for deploying and maintaining their own equipment. Most organizations do so via remote DCIM (data center infrastructure management) solutions, so they do not need to maintain a physical presence in the colocation facility. However, sometimes hardware failures or other issues make remote troubleshooting impossible, so they need to use on-site managed services, sometimes referred to as “remote hands.” Some colocation facilities include an allotted time for remote hands services in their pricing, but more often this is an added fee that’s paid for as needed.

There are many other factors contributing to the cost of colocation data center hosting—such as the location of the facility, the cost of your hardware, and the uptime promised by the provider. However, these four factors are relatively easy for you to change and control without needing to completely overhaul your infrastructure or move to a different facility.

Four ways to keep colocation data center pricing in check

Now, let’s discuss how to decrease your physical footprint, lower your power and bandwidth consumption, and minimize your reliance on managed support services.

Consolidated devices

Replacing bulky, outdated, single-purpose hardware with consolidated, high-density devices is a great way to reduce your colocation data center footprint without sacrificing functionality or performance. For example, the Nodegrid Serial Console Plus (NSCP) provides out-of-band management, routing, and switching for up to 96 devices in a single, 1U rackmount appliance. The NSCP helps reduce the number of serial consoles, KVM switches, or jump boxes in your colocation data center, allowing you to save money or use the extra space for new equipment.

Another option is the Nodegrid Net Services Router (NSR), a modular appliance that can replace up to six other devices in your rack. The NSR provides routing and switching with network failover and out-of-band management, with expansion modules for Docker & Kubernetes container hosting, Guest OS & VNF hosting, and more. The NSR is an ideal solution for small colocation deployments because it can reduce the number of computing and storage devices in your rack. For example, the NSR can reduce your footprint from 4U to 1U, allowing you to cut costs and reduce the complexity of your remote infrastructure.

Remote DCIM power management

As mentioned above, most organizations use remote DCIM solutions to manage colocation infrastructure. Power management is an important aspect of remote DCIM for keeping colocation data center costs in check. Remote DCIM power management allows you to visualize power consumption, both at the individual device level and at a big-picture level. If you can see where you’re using power inefficiently, you can correct the problem (for instance, by replacing a faulty UPS or simply redistributing the load) before costs spiral out of control.

For power cost savings, you should use remote management DCIM that supports automation, such as Nodegrid Manager. This vendor-neutral platform allows seamless integrations with third-party or self-developed automation tools and scripts. That means you can use Nodegrid to automatically monitor for and correct inefficient power load distribution to ensure consistent usage and prevent overage fees. Plus, Nodegrid supports end-to-end automation for all your network and infrastructure management workflows, helping to reduce the overall manual workload for your administrators.

Software-defined networking

Traditionally, administrators set and monitor bandwidth usage by accessing the CLI (command line interface) or GUI (graphical user interface) on individual, hardware-based network devices like switches and routers. For complex and distributed network architectures using many switches in many locations (including remote colocation facilities), manual bandwidth control is so time-consuming and inefficient that organizations end up with a “set it and forget it” approach. That means bandwidth usage is free to fluctuate as much as it wants within certain thresholds, and organizations just eat the overage costs.

Software-defined networking, or SDN, decouples network routing and management workflows from the underlying hardware. This allows organizations to centrally control and automate their entire network architecture, which includes bandwidth management for remote colocation infrastructure. Centralized SDN management gives administrators a single interface from which to control all the networking devices and workflows, so they don’t need to jump from device to device to monitor and manage bandwidth usage.

The application of SDN technology to WAN management is known as SD-WAN, and when that extends into the remote LAN it’s known as SD-Branch. SDN, SD-WAN, and SD-Branch technology use intelligent routing to ensure efficient bandwidth usage and network load balancing. That means you can keep your colocation data center bandwidth costs in check while significantly reducing the amount of work involved for your network administrators.

Out-of-band management

Out-of-band management, or OOBM, separates your management network from your production network, allowing you to remotely manage, troubleshoot, and orchestrate your colocation data center infrastructure on a dedicated connection. This has numerous benefits, including:

  • Resource-intensive network orchestration workflows won’t affect the bandwidth or performance of the production network.
  • Administrators can still access remote infrastructure even if the primary ISP link goes down.
  • Administrators gain the ability to remotely troubleshoot even when a hardware failure or configuration mistake causes a production network outage.

OOBM can help reduce your reliance on colocation data center managed services because your administrators have an alternative path to critical infrastructure even during an outage. A Gen 3 OOB solution like Nodegrid can further reduce your colocation data center pricing in several ways:

  1. OOB management is built into all Nodegrid devices, so you don’t need to purchase any additional hardware (or rent additional rack space) to enable out-of-band management.
  2. Nodegrid OOB integrates with the vendor-agnostic Nodegrid Manager platform, which means you’ll have reliable 24/7 remote access to monitor and orchestrate power load distribution to ensure cost-efficiency.
  3. Nodegrid OOB devices can directly host your software-defined networking, SD-WAN, and SD-Branch solutions so you don’t need to purchase additional hardware. You can also integrate SDN, SD-WAN, and SD-Branch software with the Nodegrid Manager platform for unified control.

The Nodegrid solution from ZPE Systems can help you keep colocation data center pricing in check through consolidated devices, remote DCIM orchestration, software-defined networking support, and Gen 3 out-of-band management.

Want to find out more about reducing colocation data center pricing with Nodegrid?

Contact ZPE Systems today!

Why Cybersecurity-as-a-Platform (CaaP) is the Future of Holistic Security | ZPE Systems

cybersecurity platform zpe

A cybersecurity platform provides a unified interface from which to manage multiple security tools and controls. Traditionally, these platforms only work within a single vendor’s ecosystem of products. However, a new type of solution, called Cybersecurity-as-a-Platform (or CaaP), allows you to integrate your choice of third-party, multi-vendor solutions. In this blog, we’ll discuss the challenge of managing a complex cybersecurity environment and explain how CaaP can help.

Why Cybersecurity-a-a-Platform (CaaP) is the future of holistic security

Modern network security is rapidly evolving and expanding to deal with the increasing sophistication and frequency of cyberattacks. According to the Oracle and KPMG Cloud Threat Report from 2020, the average organization uses over 100 discrete cybersecurity controls. Often these tools come from many different vendors and perform many different functions, requiring specialized training to use each one effectively. This creates a highly complex cybersecurity environment that’s prone to human error.

In addition, there’s a lack of interoperability between products, meaning tools are often disjointed and working independently of each other rather than as a cohesive system. There’s also no centralized control or visibility over these independent solutions, which means administrators need to log in to each one to configure, monitor, and manage their functionality.

This leaves teams without a big-picture overview of their cybersecurity environment, making it impossible to achieve a complete security posture. This need for centralized management and monitoring of discrete security products led to the development of unified cybersecurity platforms.

What is a cybersecurity platform?

A cybersecurity platform is a software solution—typically, but not always, cloud-based—which unifies an ecosystem of security tools and controls behind one management interface. In the past, this has usually been vendor-specific (e.g., Trend Micro providing a single platform from which to manage their own security products). However, this type of platform leaves you locked in to whatever features and functionality are included by the cybersecurity vendor, or their chosen integration partners.

That leaves organizations with one of two choices:

1. Stay within that ecosystem and accept that they may have gaps in their coverage due to a lack of needed functionality. In this case, this means sacrificing the security of their network and systems for the convenience of using a single management system.

2. Add on additional products that must be managed outside of that platform, creating more management complexity for security administrators. In this case, this means sacrificing efficiency and interoperability in the hopes of improving overall security.

In either scenario, the organization is hurting its security posture by making compromises. A better solution is to choose a platform that gives you the freedom to combine the best security products and tools for your unique environment under one convenient management umbrella.

What is Cybersecurity-as-a-Platform (CaaP)?

Cybersecurity-as-a-Platform (CaaP) provides a vendor-agnostic interface from which to control a vast and complicated cybersecurity ecosystem. CaaP doesn’t care who you bought your security tools from or how you plan to use them—it provides the platform from which to integrate, manage, and monitor every component of your cybersecurity toolkit. This includes creating unified dashboards and visualizations that combine data from all your different security monitoring and analytics solutions, so you can get a complete picture of your cybersecurity environment.

How CaaP enables holistic cybersecurity

A unified Cybersecurity-as-a-Platform solution benefits businesses by:

  Reducing data overload – Security analysts must monitor and act on data from a wide variety of sources, including intrusion detection systems (IDS), firewalls, and security information and event management (SIEM) solutions. With so much data to sort through to filter out the false positives from the real threats, analysts can easily become overwhelmed and allow issues to fall through the cracks.

CaaP unifies the data from these individual sources and gives teams a single dashboard from which to view and analyze events. Plus, CaaP supports integrations with tools that can automatically analyze, filter, and remediate security incidents, reducing the risk of human error and freeing up security teams to work on high-priority issues.

  Simplifying security management – It’s very difficult (if not impossible) for a single security analyst to become an expert in 100+ different products, each of which has its own interface, nomenclature, compatibility issues, etc. Plus, simply logging into every one of these tools on a regular basis takes a significant amount of time, making it far too easy for analysts to neglect or forget critical security systems.

With the right Cybersecurity-as-a-Platform, analysts can integrate all their security tools into one common platform, reducing the number of discrete solutions they need to learn, maintain, and support. This both reduces the risk of human error and reduces the workload on overwhelmed security teams.

  Improving security posture – The more complex a system is, the more prone it is to failure. A cybersecurity strategy that relies on the continued operation and effectiveness of over 100 individual moving parts is more likely to fail because an issue with even one of those tools could lead to a breach. Plus, without a centralized view of how these parts work together, there’s no way to get a complete picture of an organization’s security posture.

CaaP gives analysts the ability to monitor and maintain all their security tools in one place, so they can see alerts about new vulnerabilities, apply patches, and more. They can also ensure all these tools are working together as expected so there are no gaps in coverage, and see data and visualizations about the security of the organization as a whole.

Adopt the CaaP approach to security with ZPE Systems

Cybersecurity-as-a-Platform is a unified, tightly integrated solution that rolls up a vast ecosystem of security tools behind one pane of glass. CaaP is the future of holistic security because it empowers efficient security monitoring and management while providing a complete overview of an organization’s security posture. True CaaP, like the Nodegrid solution from ZPE Systems, is completely vendor-neutral. This gives you the freedom to bring in your choice of cybersecurity solutions and automation tools, so you get the best features, functionality, and performance for your unique environment.

Want to learn more about cybersecurity platforms with Nodegrid?

Contact ZPE Systems today!

Contact Us

How SASE Technology Defends Your Network Edge

SASE technology can offer you defense for your network edge

Secure Access Service Edge, or SASE, is a cloud-based service that combines software-defined wide area networking (SD-WAN) with critical network security technologies like CASB, ZTNA, SWG, and FWaaS. SASE technology connects remote, branch office, and edge computing resources directly to web and cloud services, reducing the load on the main firewall while extending enterprise security policies and controls to protect this traffic. In this article, we’ll dive into the specific technology that SASE uses to defend your network edge.

How SASE technology defends your network edge

SASE protects network edge traffic by rolling up an entire network security technology stack into a single, cloud-delivered service. The key security components of a SASE solution include CASB, ZTNA, SWG, and FWaaS.

CASB

A cloud access security broker, or CASB, is a software service that sits between your main enterprise network and your cloud-based infrastructure. A CASB allows you to extend your enterprise security policies to the traffic flowing between your WAN and the cloud so you can ensure consistent protection. A CASB is actually a collection of multiple security technologies, such as:

  • User and Entity Behavior Analytics (UEBA) – Monitors the behavior of users and devices on the network to detect suspicious activity and enforce security policies.
  • Cloud application discovery – Identifies all cloud applications and services in use by the organization and analyzes relative risk levels.
  • Data Loss Prevention (DLP) – Applies data governance policies to prevent the exfiltration of sensitive and proprietary information.
  • Adaptive access control – Uses session context (e.g., originating location, time, behavior) to determine whether to grant access.
  • Malware detection – Scans traffic between the enterprise and the cloud to detect and block viruses and other malware.

ZTNA

Zero trust network access, or ZTNA, connects remote users and devices to enterprise network resources, similar to a VPN. Unlike a VPN, however, ZTNA creates a direct connection to the specific resources requested by the user, rather than granting full access to the network. This prevents remote users from seeing or interacting with any network resources outside of the specific service they’ve explicitly authenticated to.

ZTNA follows the zero trust motto of “never trust, always verify.” It uses technologies like context and role-based identity verification and two-factor authentication (2FA) to prevent unauthorized access. And, since users need to re-authenticate to every enterprise resource, ZTNA is able to prevent malicious actors from discovering valuable systems and data or moving laterally on the enterprise network.

SWG

A secure web gateway, or SWG, is a service that sits between your enterprise network and the public internet. All web-destined traffic passes through the SWG, where enterprise web filtering and application control policies are applied. Traditionally, an SWG is a hardware device that sits in the data center, which means all remote, branch, and edge traffic needs to be backhauled through a single appliance. As part of a SASE solution, an SWG sits in the cloud instead, so remote traffic doesn’t need to pass through the data center. This improves overall network performance, reduces or eliminates bottlenecks, and ensures consistent application of acceptable use policies and application security controls.

FWaaS

Firewall-as-a-Service, or FWaaS, delivers next-generation firewall technology as a cloud-based service. That means remote and cloud-destined traffic can bypass the firewall in your data center, reducing bottlenecks and performance issues. At the same time, FWaaS provides the same level of security and protection as an NGFW, including features like URL filtering, intrusion detection and prevention, and deep packet inspection (DPI). FWaaS gives SASE solutions the ability to protect remote, edge, and cloud-destined traffic with the same policies and controls as the main enterprise network to ensure consistent security and optimal performance.

SASE technology uses CASB, ZTNA, SWG, and FWaaS to defend your network edge. However, you still need a way to direct remote, branch office, and edge traffic to your SASE security stack. That’s where SD-WAN technology comes in.

Accessing SASE technology with SD-WAN

While it’s possible to use standard WAN architectures to connect to SASE technology, the most reliable and efficient way to access SASE is with SD-WAN. SD-WAN uses software abstraction to create a virtual overlay management network on top of your WAN hardware. This virtual management network enables the use of automation and orchestration to manage the remote network traffic.

In a SASE deployment, SD-WAN uses intelligent routing to separate all remote traffic that’s destined for the cloud. Instead of backhauling this traffic through the enterprise firewall, SD-WAN routes it through the SASE technology stack, significantly reducing the load on your data center infrastructure. This improves network and application performance for your entire enterprise without sacrificing security.

SD-WAN solutions may sit on top of traditional WAN infrastructure, or they may replace that hardware entirely, using SD-WAN routers provided by the vendor. However, rather than investing in specialized vendor hardware, an even better approach is to use vendor-neutral network management devices that can host or integrate with every piece of your SASE and SD-WAN technology stack.

For example, the Nodegrid line of vendor-neutral serial consoles and network edge routers are the perfect on-ramp for your SASE solution. Nodegrid can directly host or integrate with third-party SD-WAN solutions like Palo Alto Networks’ Prisma SD-WAN, or you can use ZPE Cloud’s SD-WAN app. Nodegrid also supports seamless integrations with your choice of SASE provider, giving you a unified, centralized SD-WAN and SASE orchestration platform.

SASE learning center:

★   Understanding Key SASE Components & Benefits
★   SASE Implementation: A Step-by-Step Guide for Businesses
★   The SASE Model: Key Use Cases & Benefits

Want to find out more about accessing SASE technology with Nodegrid SD-WAN?

Contact ZPE Systems today!

Zero Trust Network Access vs. VPN for Branch and Edge Networking

When comparing zero trust network access vs. VPN, they both have benefits for security, speed, and scalability

Organizations are starting to recognize the benefits of edge computing, which moves data processing resources closer to the sources of data generation and away from the central data center. In addition, businesses are becoming more geographically dispersed, with branch offices, manufacturing facilities, and other remote sites around the world.

While larger remote sites are typically connected to the enterprise network via WAN or SD-WAN, this may not be feasible for smaller branches with fewer staff. Traditionally, VPNs (virtual private networks) are used to create a private connection for remote systems and users. However, a new technology called Zero Trust Network Access improves upon VPNs by providing faster and more secure remote connections.

What is a VPN?

A VPN, or virtual private network, is a service that creates an encrypted connection between a device and a network. In this particular use case, VPNs are used to extend the enterprise network to branch and edge locations. Often, organizations use VPNs as an alternative to installing expensive WAN solutions in very small remote sites. They’re also used to connect sites that are unreachable by traditional network infrastructure, such as offshore oil rigs.

Though VPN traffic is encrypted, there are still security risks. Many VPNs still use single-factor authentication, meaning all you need is a username and password to connect. If a remote user’s account information is stolen, a hacker could easily gain access because they don’t need to provide a second form of identity verification.

In addition, VPNs grant complete access to the enterprise network, trusting remote users and devices just like they were in the main office. That means a malicious actor could use a compromised account or stolen laptop to move laterally around your enterprise network, stealing whatever data they can find.

What is Zero Trust Network Access (ZTNA)?

Zero trust network access, or ZTNA, is another product or service that connects remote users and devices to enterprise network resources. However, instead of creating a tunnel to the enterprise network itself, ZTNA directly connects users to the applications and services they need. Users then need to re-verify their identity and re-establish trust before they access another application.

ZTNA follows the “dark cloud” concept, which prevents remote users from seeing or interacting with any of the data, systems, or applications they aren’t explicitly authenticated to. Microsegmentation is used to create perimeters around each resource with granular, context-based access control policies.

For example, if a branch office employee uses ZTNA to access the shipping system, they can’t see or touch the payroll application unless they authenticate to that specific resource. If the account is behaving suspiciously (logging in at unusual times, accessing resources it doesn’t typically need, etc.) then the account is locked until trust can be re-established. The dark cloud principle prevents malicious actors from discovering valuable resources and moving laterally on the enterprise network.

Comparing zero trust network access vs. VPN for branch and edge networking

Trust

Zero trust network access is more secure than VPNs because it follows the zero trust security model of “never trust, always verify.” Branch and edge accounts are assumed to be untrustworthy until they prove otherwise through repeated identity verification and trustworthy behavior. Remote accounts never have full access to the enterprise network and can only see and interact with the specific resources they’re presently authenticated to.

Authentication

While newer VPNs may allow integrations with third-party MFA (multi-factor authentication) providers like Okta, many organizations are still using single-factor authentication for VPN clients. That makes it much easier for a hacker to use a single set of stolen credentials to gain unrestricted access to the enterprise network. In addition, if a branch employee leaves their VPN session active and their laptop is stolen (for example, because it was in an unsecured building that’s open to the public), the thief can use that session to jump around the network without ever needing to re-verify or re-authenticate.

Performance

VPN connections are notoriously slow. All VPN traffic needs to be backhauled through a centralized concentrator, which creates massive bottlenecks and network latency. ZTNA, on the other hand, connects branch and edge devices directly to the resources they need. If that resource lives on the web or in the cloud, the traffic bypasses the enterprise network entirely, reducing the load and improving performance for everyone.

Scalability

Finally, VPNs are meant to be deployed to individual users on a case-by-case basis. Scaling up is difficult and expensive because you need to purchase licenses and install software for each machine that connects. Also, the more VPN connections, the greater the impact on network performance, and the more VPN concentrator solutions you’ll need to deploy to distribute the load. Gartner predicts that by 2025, 75% of enterprise-generated data will be processed at the edge, so individual VPN solutions won’t be able to keep up.

ZTNA is often delivered on the “as-a-service” model, which means it’s hosted in the cloud and doesn’t require any customer premises equipment (CPE). Licenses are scaled up or down at the click of a button, and there’s no software to install on remote machines. This makes ZTNA the ideal choice for enterprises hoping to expand their global reach or scale up their edge computing capabilities.

Deploying ZTNA for branch and edge networks

Zero trust network access is available as a standalone service, but you can also find it among the cloud-oriented security stack in a Security Service Edge (SSE) solution. SSE combines ZTNA with security technology such as Cloud Access Security Broker (CASB), Secure Web Gateway (SWG), and Firewall-as-a-Service (FWaaS). This suite of cloud security features delivers comprehensive protection for branch and edge networks while reducing the need for remote traffic to pass through the central data center.

Learn more about branch and edge networking:

Need more help on branch and edge networking?

Need more help comparing zero trust network access vs. VPN for branch and edge use cases?

Contact ZPE Systems

How Enterprise Network Security Software has Evolved for the Edge

Enterprise Network Security Software.

Modern enterprise networks are no longer contained to a single building or LAN. They’re highly distributed, with branch offices, remote employees, and global data centers that communicate and work together. That’s why traditional enterprise network security software—designed for on-premises infrastructure and castle-and-moat protection strategies—often struggles to secure the edge.

The challenge of traditional enterprise network security software at the edge

For years, enterprise network security followed the castle-and-moat approach. All the enterprise’s valuable systems and data are kept on the internal network (a.k.a. the castle), and a firewall creates a security perimeter (a.k.a. the moat) around those resources. This is easier to do when everything is housed in the same location. This becomes challenging (if not impossible) when those resources are spread across large geographical and logical distances.

For example, organizations may have a hard time extending their enterprise security policies to users, devices, and applications that aren’t on the main network. That goes beyond remote workers to also include cloud platforms and remote edge data centers. Some teams overcome this challenge by creating separate policies, but then they’re left with the logistical nightmare of updating and maintaining these policies across many different systems and locations. Due to errors or negligence, inconsistent security policies can leave gaps in your network security coverage.

In addition, traditional network security requires all remote traffic to be backhauled through the main firewall for inspection, creating a network bottleneck. That means all network requests worldwide must travel to the central data center, even if the traffic is ultimately destined for remote or cloud resources. This added network load can cause latency, timeouts, and other performance issues for the entire enterprise.

Challenges like these led to the evolution of enterprise network security software for edge deployments.

How enterprise network security software has evolved for the edge

Edge computing is all about moving resources closer to the users, systems, and applications that need them. Enterprise network security software for the edge does the same thing—it places security policies and controls in the cloud or small regional data centers, so remote systems and users don’t need to be routed back to the central network. The leading solution for edge security is Security Service Edge, or SSE.

SSE rolls up multiple security technologies into one integrated, cloud-based platform. Traffic from the edge is routed through the SSE security stack using SD-WAN (software-defined wide area networking). If that traffic is bound for cloud- or web-based resources, it’s allowed to bypass the central network entirely. Zero Trust Network Access (ZTNA) ensures safe and secure access if the traffic is destined for resources on the enterprise network.

Let’s discuss the specific technology that makes SSE the best solution for edge network security.

Zero Trust Network Access (ZTNA)

Zero Trust Network Access allows remote users and systems to access resources on the enterprise network, similar to a VPN. ZTNA is more secure than VPNs because it only gives users access to one specific resource at a time. They cannot jump around the network without re-authenticating and re-verifying trust. That means the lateral movement of a compromised account is limited, with malicious actors needing to re-verify their identity repeatedly, increasing their chances of getting caught.

ZTNA gives edge users and devices seamless access to the enterprise resources they need while reducing the risk of remote connections. It allows you to apply zero trust security principles to your network’s edge to ensure consistent security across your enterprise.

Firewall as a Service (FWaaS)

Firewall as a Service delivers network firewall capabilities as a cloud-based service. Incoming and outgoing edge traffic is routed through the FWaaS instead of the physical firewall in the data center, reducing the load on the enterprise network. FWaaS solutions for SSE typically include features like:

  • ❖URL/IP filtering
  • ❖Intrusion detection and prevention
  • ❖Network monitoring
  • ❖Deep packet inspection (DPI)

A Firewall as a Service is entirely cloud-based, which means you don’t need to deploy any additional hardware to edge locations. This also makes FWaaS easily scalable, allowing you to protect new branch offices or add additional features with the click of a button. FWaaS delivers powerful firewall functionality to the edge without expensive hardware or network bottlenecks.

Cloud Access Security Broker (CASB)

A Cloud Access Security Broker allows you to extend your enterprise security policies to cloud resources and traffic. The CASB acts as a gatekeeper between your enterprise network and the cloud, enforcing zero trust policies on any traffic flowing between the two. In an SSE solution, the CASB performs many functions, such as:

  • Analyzing the behavior of users and entities to determine if they’re trustworthy before allowing access to cloud resources. This is also known as User and Entity Behavior Analytics, or UEBA.
  • Using firewall and antivirus technology to detect malicious software (malware) and block it from entering the enterprise network
  • Using enterprise data governance policies to prevent data exfiltration, which is known as Data Loss Prevention (DLP).
  • Discovering, identifying, and analyzing all the enterprise’s cloud resources to determine relative risk. This is known as Cloud Discovery.

The CASB is what an SSE solution uses to extend your enterprise security policies to remote and cloud-based systems. This allows you to maintain precise and consistent zero trust policies across your distributed infrastructure, so your edge doesn’t become a weakness in your defense strategy.

SSE is powerful because it combines a complete security stack into one cloud-based service. That means you don’t have to force your edge resources into the perimeter created by traditional enterprise network security software.

Connecting your edge to SSE solutions

There’s still one critical component that’s missing: the technology that connects your edge resources and traffic to the SSE stack in the cloud. The most reliable and efficient on-ramp to an SSE solution is SD-WAN technology. SD-WAN creates a virtual overlay network on top of your WAN hardware, which enables automation and orchestration of remote, edge traffic management. SD-WAN uses intelligent routing to automatically separate edge traffic destined for the cloud, allowing it to bypass your firewall and flow through your SSE stack instead.

For example, the Nodegrid SD-WAN solution from ZPE Systems allows seamless integrations with SSE solutions. Placing Nodegrid Services Routers in your edge locations creates an access on-ramp to SSE and provides powerful branch networking functionality.

Learn more about securing your edge with SSE:

Top Security Service Edge Use Cases & Benefits for Enterprises
Security Service Edge (SSE) Implementation Guide for Enterprises
SSE Magic Quadrant: Key Takeaways of the 2022 Report

Want to learn more about network security software?

Watch a free demo of Nodegrid in action to see for yourself how enterprise network security software has evolved for the edge. Or get in contact with us!

Contact us!

Why cybersecurity can make you feel lost in space

Space Odyssey – Frank Poole

Cybersecurity has been a hot topic for years. With many high-profile breaches, malware attacks, and pricey payouts, it’s no wonder why companies continue to add more and more protection for their IT systems.

Despite this, hackers continue to succeed at exploiting vulnerabilities. Why are there still vulnerabilities in the first place? All it takes is one weak spot and one bad actor (looking at you, HAL 9000) to lock you out and leave you scrambling to regain control.

In this post, we’ll cover how network infrastructure has evolved in the past decade, why cybersecurity can make you feel lost in space, and why recovery is crucial to modern cybersecurity.

 

How network infrastructure evolved

The movie 2001: A Space Odyssey predicted that by the year 2001, technological advancements would enable things like space travel and virtual conferencing. In reality, we were still rolling around in gas-powered cars or waiting for 56kbps dial-up connections to load our email inboxes.

Times were simpler, but that also meant that network infrastructure and cybersecurity were simpler. Most people would go to work at a physical location like an HQ or branch office, and distributed or remote work technologies were very much in their infancy. This meant that network infrastructures were more simple and localized, usually requiring a simple MPLS connection from their off-site data center (if they had one) to their branch offices. Cybersecurity was simple: it was either inherent to the connection type (like MPLS), or required something like a basic firewall or encryption method.

Network architecture showing simplicity of data center connected via MPLS to branch office

Fast forward more than 20 years, and the network infrastructure common to 2001 is barely recognizable. With customers and employees demanding companies adapt to their on-the-go and remote-work lifestyles, the network infrastructure exploded, causing a sort of Big Bang of cybersecurity as we know it today.

Network architecture showing complexity of data center, CDN, remote user, branch office, all connected via many paths

Modern networks need to serve many branch offices and remote locations, and the only way to succeed is by incorporating a myriad of on-prem, cloud, and SaaS solutions. This creates a hybrid infrastructure of data, security, networking, and computing distributed everywhere. In other words, the attack surface continues to expand much like the universe itself, and security professionals have been struggling to contain all the vulnerabilities left in its wake.

 

Why cybersecurity makes you feel lost in space

You might relate to Frank Poole. In the movie, the HAL 9000 supercomputer leads Frank to perform a spacewalk in order to repair a portion of their ship. While Frank floats toward the ship, the corrupted HAL takes control of an EVA pod and slams it into Frank, causing him to tumble helplessly through the black void of space and eventually meet his demise.

Frank Poole death

Trying to secure your IT infrastructure can make you feel just as helpless and out of control. That’s because cybersecurity presents several challenges that make it difficult to gain your footing. And with 2021’s executive order regarding zero trust security, cybersecurity seems even more daunting as previous protection methodologies are becoming wholly obsolete.

Here’s a brief look at some of the challenges of modern cybersecurity.

 

Too many products

Regardless of your industry, there are so many security products to choose from that it can easily feel like you’re floating amongst an endless sky of stars. It’s difficult enough choosing properly secured servers, routers, storage devices, and other physical equipment. Add on the other crucial pieces of the modern network architecture, and it’s easy to make a full time job of researching, comparing, and selecting the right cloud and SaaS security products. Here’s a list that barely scratches the surface of different types of security products to choose from:

  • Firewalls & next-gen firewalls (NGFWs)
  • Security information and event management (SIEM) systems
  • Identify and access management (IAM) products
  • Pen testers
  • Data analytics
  • Intrusion prevention and detection systems (IDPS)
  • Endpoint protection apps
  • Database security solutions
  • Ransomware/malware detection and removal
  • Authentication and single sign-on

 

Too many vendors

All of these products have to originate from somewhere, which brings us to the next challenge: there are too many cybersecurity vendors to choose from. This isn’t necessarily a bad thing, since competition creates better products, but it does complicate the cybersecurity professional’s journey to achieving holistic protection.

At RSA Conference 2022, for example, there were 450 security exhibitors present, 70 of which were funded well enough to afford the cost of a booth. During the show, many discussed that in the previous 18 months there were 1,800 new cybersecurity vendors that received funding to be installed in networks. The TL;DR — this multi-vendor ecosystem will persist (and probably grow even more), and so will the challenge of achieving holistic security.

Of course everyone wants the best of the best, which might draw your attention to staples like Cisco, Fortinet, and Palo Alto Networks. But because the modern hybrid infrastructure is so diverse, there now exist so many niche products available from thousands of vendors. In fact, CyberDB compiled a database that includes more than 3,500 security companies from the United States alone.

Here’s a graphic that puts into perspective just a fraction of the available vendors:

so many security vendors

 

Too many gaps

The third and most important challenge stems from the first two above: there are just too many security gaps to address. Part of this problem is due to the diversity of hybrid infrastructure. But once you’re able to identify the gaps, you’ll find that addressing these will more often than not create even more gaps.

That’s because there’s no single vendor or suite of products that provides holistic cybersecurity. You deploy a variety of products but inevitably run into interoperability issues, which only perpetuates more vulnerabilities as you add more solutions to address these gaps.

What you end up with is a plethora of solutions that are secure themselves, but that don’t provide protection for your infrastructure as a whole.

 

Why recovery is key to modern cybersecurity

According to a Sophos survey, 66% of surveyed organizations suffered ransomware attacks in 2022. And when attacks happened, 70% of organizations needed more than two weeks to recover. Ransomware is the modern disaster, which makes minimizing recovery times an essential part of modern cybersecurity.

Recall the Fortinet 7.0 CVE from 2022. Customers upgrading to the then latest release of FortiOS suddenly found themselves vulnerable to an authentication bypass, where attackers could gain admin access using certain HTTP/S requests. This typical scenario leaves IT teams waiting for a solution while their business remains vulnerable. What’s needed is the ability to recover quickly and automatically, whether from an active attack or an at-risk configuration.

 

Get the blueprint for fast recovery times

Big Tech companies have spent years building this capability into their infrastructure. At ZPE Systems, we’ve directly collaborated with these companies and have created best practices based on these proven architectures. This Network Automation Blueprint details the components and practical steps to take, from automating IT/OT production infrastructure, to implementing an effective design for orchestration and automation environments.

The blueprint is your template to achieving fast recovery times and reducing your risk of attack. Download the blueprint now.

 

Watch the blueprint recover a failed upgrade

Watch this tech demo from Tech Field Day 26, where Rene Neumann shows how the blueprint helps you recover a failed device upgrade in minutes.