Whitepaper: NetFoundry Zero Trust and NIST
How NetFoundry Implements True Zero Trust Networks
NetFoundry is the leader in zero trust Network-as-a-Service (NaaS). This paper provides an overview of the principles, key tenets, and fundamental assertions of zero trust as defined by the National Institute of Standards and Technology (NIST) Special Publication 800-207. It also details how NetFoundry is architected with a cloud-native zero trust approach in alignment with the principles laid out by NIST, and how the NetFoundry Platform implements true zero trust across Users, Devices, Applications, and Networks.
OUR ABSTRACTION IS YOUR SALVATION

The fourth industrial revolution, digital transformation, is bringing multi-cloud change at a speed, scale, and force unlike anything we’ve experienced before. It has already begun to affect every aspect of the human experience. The rate of change is so rapid that many companies are struggling to understand how to respond. Firms around the globe are completely retooling their organizational structures, operating models, business processes, technology, skills, and cultures to effectively respond to a new reality of constant transformation.

Agility in the face of this new, ever-changing reality is so fundamental to success that younger tech-centric firms are often outpacing their larger, established counterparts. Age-old monolithic banks are struggling to respond to change as fast as they can to compete with cloud and mobile-first disruptors like Square and Stripe, whose business models are almost entirely digital. Finance isn’t the only industry that’s digitally transforming. Disruptors such as Tesla are changing the automotive industry and transforming the way consumers expect to interact with it in their wake. As established businesses evolve to try to keep up, the agility these firms need to survive requires business service architectures focused on modularization. As a result, applications and services are moving to highly distributed, multi-cloud, interdependent microservices and APIs.

To truly evolve and survive, all aspects of a business, from customer engagement to fulfillment and everything in between, must embrace transformation as a constant, driving paradigm shifts in systems and process integration, and deeply influencing strategic decision-making at its core.
In this whitepaper, we will investigate the demands that digital transformation is placing on modern businesses, discuss steps being taken to address those demands, and propose a solution to the greatest roadblock in successfully navigating constant digital change: agile interconnectivity.

IT’S ABOUT THE MULTI-CLOUD DIGITAL TRANSFORMATION JOURNEY

With the immersion of everyday life in internet connectivity, customers typically interact with a company through multiple channels, often making buying decisions based on the perception of simple, seamless usability of channel interaction. If this interaction becomes painful, the customer will often move on to other companies that offer a better experience. In many instances, the better customer experience influences buying decisions more strongly than the actual product or service being purchased.

While adaptable customer experiences and their underpinning processes are important, business functions must then be enabled in such a way that they too can be modularized and used in multiple places. In today’s world, this is done by implementing isolated, independent microservices. For example, if a customer purchases insurance, one step may require the customer to digitally sign their acceptance. If such a function is presented as a module, it can be reused in multiple places across many different customer engagement experiences. As digital transformation accelerates, the library of such reusable service modules will continue to grow. As the environment changes, business functions will be updated to meet the new requirements of the ecosystem.
If at some point e-signatures are replaced by palm scans, updating a single module to meet that need ensures automatic propagation across all places that function is used. This adaptability enables fast and efficient change.

A CASCADING EFFECT

Ideally, the modularity that the organization applies to its business services should be extended into the infrastructure that supports them, allowing for more cost-effective change and efficient scalability. Although integration between these systems is key, isolating technology in terms of the business services it provides makes it possible to swap certain modules of technology gradually instead of completely revamping the infrastructure. As a result, cloud virtualization and infrastructure-as-a-service (IaaS) have become the rule, rather than the exception. Making changes and adjustments in these environments is simple, inexpensive, and immediate.

With constant change in applications and infrastructure, network agility is paramount, but networks such as MPLS and the equipment that drives them have remained largely unchanged. While SD-WANs and similar multi-cloud technologies have introduced some abstraction into site-to-site connectivity, they are often location, hardware, and service-provider specific. The modularity that makes thriving in a world of digital transformation possible requires a paradigm shift, where network edges are no longer defined by physical locations, but by applications. In application-specific networking, application endpoints define the edges and application contexts programmatically define the networks.

NetFoundry makes it possible to spin up highly secure, performant, application-specific networks at scale using web-based orchestration tools and APIs. These “AppWANs” abstract the network in the same way that containers and virtual machines abstract applications from underlying compute infrastructure.
Moreover, because digital transformation is a gradual process, NetFoundry’s technology and orchestration tools give businesses the ability to meet the needs of the digitally transformed application environment, while interworking with existing networks and systems to continue to serve current needs. As business services are modularized in a transformation cycle, AppWANs can be spun up, segmented, and adjusted in minutes to secure and connect them to the appropriate context within the company ecosystem or over the Internet.

THE APPWAN SHALL SET YOU FREE

Overlay networking is a method of using software to create layers of network abstraction that can be used to run multiple separate, discrete virtualized network layers on top of a physical network, providing new applications or security benefits. NetFoundry AppWANs are software-defined, encrypted overlays, created using our console, command-line interface, or APIs, that define how endpoints are permitted to access services (such as applications) across the Internet and/or existing private networks such as MPLS, and that dynamically adjust to meet performance requirements. One major benefit of AppWANs is that, since they are abstracted above network infrastructure, they are completely service-provider agnostic.

HOW DO APPWANS WORK?

First, an administrator uses NetFoundry’s web-based orchestration console and/or APIs to design and instantly deploy AppWANs. An AppWAN is created when an endpoint or group of endpoints (which can be any combination of virtual gateways, virtual machines, IoT devices, smartphones, laptops, etc.) is assigned permission to access a set of services (applications). The console and APIs enable the administrator to enforce their policies without needing to manage the infrastructure itself.

Each AppWAN is managed by a virtual NetFoundry controller, enabling the administrator to benefit from NetFoundry’s overlay fabric without needing to manage the underlying network.
These controllers interact with business and application systems such as IAM, IoT identity, and cloud policies to enable each AppWAN to be programmatically controlled by the application contexts and needs.

NetFoundry’s global network fabric and endpoint software enable secure, reliable networking from anywhere to anywhere. The endpoint software connects to the fabric from any Internet connection, extending each AppWAN to the application edge. The software routes each session to the NetFoundry network fabric, and adaptively manages Quality of Experience (QoE) during each session.

Our orchestration tools, overlay fabric, and endpoint designations are integration-first, designed to integrate inside applications and platforms to provide businesses with full stack solutions, which enable developers to control the network inside their apps.

PURPOSE BUILT FOR DIGITAL TRANSFORMATION

NetFoundry’s AppWANs replace the need for private circuits, proprietary hardware, and telco solutions, so developers can integrate secure, performant multi-cloud networks in software, and use any WAN technology or Internet connection for traversal.
We designed our technology to meet four key sets of requirements, providing a new networking paradigm purpose-built to enable digital transformation.

Programmable, On-Demand, & Made For Platform Integrations
• Untether networking from the engineering of the underlying networks, enabling virtual networks to be programmed to be fit for purpose
• Enable app-specific virtual network overlays to be driven by the identities, contexts and needs of each app and set of IAM policies
• Enable apps and network orchestration to communicate via APIs, eventually incorporating user and AI inputs
• Enable app connections to be on-demand and elastic, such that provisioning app connections is as simple and powerful as spinning up a virtual machine in the cloud
• Enable ecosystem partners to integrate the previously disparate silos of apps, network, and security, creating platforms which deliver full stack solutions

Internet-First
• Provide Internet-connected endpoints and applications with the security, performance, and reliability they require, independent of the networks they traverse
• Enable the use of any Internet Service Provider (ISP) or mix of ISPs to connect to NetFoundry’s overlay fabric and reliably deliver application connectivity across the Internet

Secure & Performant By Design
• The Internet’s permissive architecture is powerful, but it is also a security vulnerability. NetFoundry enables secure, isolated, private AppWAN overlays across the Internet, without requiring security infrastructure such as VPNs.
• Traditional security infrastructure often compromises performance. Thus, businesses often move performance-sensitive applications such as voice and video outside of VPNs. NetFoundry builds both security and performance into the architecture, as it is not acceptable to compromise either in a digitally transformed world.

Manageable In A DevOps Paradigm, Rather Than A Traditional Network Ops Model
• Networking needs to be an agile, fit-for-purpose innovation enabler, which integrates with DevOps automation, continuous integration, and quality assurance frameworks
• NetFoundry’s web-based orchestration console and APIs enable administrators to orchestrate AppWANs without requiring specialized network engineering skills or tools

SECURE BY DESIGN

Each multi-cloud AppWAN is fortified by a military-grade, five-layered security architecture which isolates and protects data flows, resulting in a private, dark network, microsegmented by application. In an ecosystem defined by AppWANs, security and compliance needs are defined by application, rather than the combination of application, network, and security infrastructure. This eliminates potential vulnerabilities introduced by separate policies.

Security Layer 1: Authenticate-Before-Connect

By design, AppWANs authenticate endpoints before the endpoints are given network access. This authenticate-before-connect security paradigm is becoming a best practice, with advocates including the Cloud Security Alliance (“Software Defined Perimeter”), the US Defense Information Systems Agency (“black cloud”), and Google (“BeyondCorp”).

Security Layer 2: Least Privilege Access (LPA)

Each authenticated endpoint is only given the access it needs, as defined by the security policies of the business. LPA enables application-level, centralized (one IAM policy across apps and network) micro-segmentation.
For example, an IoT device may be diverted to a honeypot network depending on its identity or location.

Security Layer 3: Dark Network

Protected endpoints open an outbound connection to the NetFoundry overlay fabric, which “listens” for authorized data. AppWANs deny any packets which have not been authorized, making the network dark. Even if a device inside the network is vulnerable, AppWANs mask the deficiency by rejecting externally originated attempts before they can reach the vulnerable device.

Security Layer 4: Data-In-Motion Protection

AppWANs use strong encryption, on demand. NetFoundry partnered with Dispersive Technologies to incorporate Dispersive session splitting technology, which is currently used for the transmission of US power grid data, and which fragments each individual data session into multiple, individually encrypted data flows. Our web-based orchestration console and APIs enable administrators to centrally manage encryption and session splitting on an application-by-application basis.

Security Layer 5: Move the Attack Surface Away From the Business

NetFoundry manages infrastructure at data centers around the world, including data transit nodes, proxies, session border controllers, and security infrastructure. These data centers move the attack surface to the highly resilient and protected NetFoundry overlay fabric, and away from business networks, assets, and data.

PERFORMANT BY DESIGN

Traditional networking solutions such as MPLS and SD-WAN lose control of data once it is routed to a destination which is not front-ended by WAN CPE, thus relying on best-effort Internet over those routes. Conversely, NetFoundry’s overlay fabric optimizes data across the Internet, assuring quality of experience (QoE) with a quad-layered architecture.

QoE Layer 1: Supplementing BGP-Based Routing

BGP, the dominant inter-AS routing protocol, is tolerant of latency and packet loss until they result in “outage” conditions, and ISP routing is often built to optimize costs over performance. AppWAN endpoints work on top of BGP to adaptively route across the best performing paths on NetFoundry’s global overlay fabric (multiple tier-one Internet backbones).

QoE Layer 2: Proxying TCP

TCP, the protocol underlying most Internet data, suffers from well-documented problems which constrain performance, particularly when there is material latency or packet loss. NetFoundry overcomes this issue by proxying TCP, substituting a performant method over UDP with reliable delivery mechanisms, dramatically outperforming traditional single-path VPNs in terms of throughput and latency.

QoE Layer 3: Hybrid WAN Local Access

NetFoundry’s optimizations for BGP and TCP significantly improve “middle mile” performance. However, AppWANs optimize the local access segment as well. Each endpoint can aggregate multiple networks, such as wired and wireless, into a single overlay according to application policies, improving performance, throughput, and cost. In addition to providing better access network resiliency, this multiplies route diversity, enabling the AppWAN to utilize more paths to meet the QoE requirements of the application.

QoE Layer 4: Direct Routing

Since AppWANs are network agnostic, provide embedded security, and do not require custom CPE, businesses can directly connect any endpoint or site to its destination. The latency added by the “trombone” routing above is one of the major causes of QoE problems to SaaS and IaaS services.
Although SD-WAN could theoretically route directly via Nashville in our example, the policy will most often steer data to the MPLS network, because the SD-WAN cannot control security or performance once it hands the data off to the Nashville ISP. NetFoundry’s embedded, Internet-native security and performance optimization enables the business to route isolated AppWANs directly from Nashville.

REAL CHALLENGES, ELEGANT SOLUTIONS

Extend SD-WANs & MPLS to Multi-cloud & SaaS

Velocloud announced that their SD-WANs used NetFoundry to meet Proen’s Office 365 needs. The Velo CPE routed the data via AppWAN to improve Office 365 performance. Proen continued to use Velocloud for their site-to-site SD-WAN needs, but could now secure and optimize apps such as SaaS and B2C with NetFoundry.

SD-WAN and MPLS CPE can’t be provisioned at all SaaS, cloud, IoT, mobility, B2B, and B2C sites, so the on-site CPE is forced to hand the data off to the local ISP, traversing best-effort Internet. Using AppWANs, that data can be secured and performance optimized, just like the site-to-site SD-WAN or MPLS data, without the need for private telco circuits and hardware.

Industrial IoT (IIoT) Solution Stacks

Patients use Integron-delivered healthcare IoT solutions, such as networked dialysis machines, over residential Internet connections.
NetFoundry’s AppWANs enable these B2C apps to be delivered reliably and securely to healthcare and pharmaceutical organizations, regardless of what home network the patient is using.

Micron leverages NetFoundry’s platform to provide identity-secured networking for cases such as connected car, and Neustar is leveraging AppWANs to provide identity-secured networking.

Secure, Business-to-Business Extranet

cleverDome, a leading financial consortium, uses NetFoundry to enable their members to participate in a secure, encrypted extranet without the high cost and unwieldiness of private telco circuits.

NetFoundry’s AppWANs enable extranets and supply chains with superior security by only granting access to specific apps, rather than forcing the exposure of entire networks, and by enabling administrators to control access by web console, IAM integrations, and APIs.

SaaS Performance & Security Optimization

IBM and NetFoundry showcased how IBM Watson customers can securely and reliably connect contact centers and enterprises to Watson cognitive services using existing Internet connections, rather than provisioning telco circuits to IBM Watson data centers.
SaaS providers can use AppWANs to offer “platinum” tiers of increased security and performance.

Multi-Cloud Applications

Alliance Technology Group harnesses NetFoundry AppWANs to meet their banking customers’ needs for secure connectivity without requiring telco circuits and custom hardware.

Businesses can use NetFoundry to optimize internal private apps and to migrate apps to the cloud without causing security or performance problems, while optimizing public cloud services.

CONCLUSION

As the fourth industrial revolution affects every aspect of the human experience and drives cycles of change, all aspects of a business, from customer engagement to fulfillment and everything in between, must embrace transformation as a constant, driving paradigm shifts in systems and process integration, and deeply influencing strategic decision-making at its core. To enable the agility required to meet these needs, businesses are turning to highly distributed, multi-cloud, interdependent microservices and APIs, which demand agility in network connectivity.

NetFoundry leads the next generation of software-defined networking, purpose-built to meet the needs of a digitally transformed application landscape which cannot be fulfilled by the separate-from-apps, hub-and-spoke, private-circuit and hardware-reliant architectures of MPLS and SD-WAN.

With the distribution and software speeds of a digitally transformed world, WAN hardware no longer defines all network edges. Application endpoints are the new edges, and their contexts need to programmatically define the networking which connects them. AppWANs are built using NetFoundry’s orchestration console or APIs to connect apps, rather than connecting WAN sites. Since digital transformation is enacted in phases, AppWANs supplement existing networks, rather than requiring rip-and-replace migrations.

You cannot control every network in a digitally transformed world, so NetFoundry ensures QoE and security mechanisms are agnostic of the underlying network. NetFoundry’s QoE and security are purpose-built to optimize Internet segments, and to interoperate with applications and ecosystem partners to be a part of a full stack solution. NetFoundry’s orchestration tools, global private overlay fabric, and AppWANs are uniquely capable of providing businesses with the networking paradigm required to meet the needs of the digitally transformed application landscape.
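As an added illustration that is not part of this whitepaper and not NetFoundry's code, the following Python model sketches the access decision described under "How do AppWANs work?" and Security Layers 1 to 3: an AppWAN is a set of endpoints granted a set of services, an endpoint must present a valid identity before it gets any network access, it reaches only the services its AppWAN lists, and every other request is dropped without a reply. The endpoint names, service names, HMAC credential scheme and the honeypot diversion rule are all constructed for the example.

```python
"""Toy model of the AppWAN access decision; constructed illustration, not NetFoundry's code."""
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed enrollment secret standing in for the real credential store.
ENROLLMENT_KEY = b"constructed-demo-key"


@dataclass(frozen=True)
class Endpoint:
    name: str       # identity presented to the fabric
    location: str   # context the policy may act on, e.g. "corp" or "unknown"


@dataclass
class AppWAN:
    """Endpoints granted access to a set of services (applications)."""
    name: str
    endpoints: frozenset
    services: frozenset
    # Layer 2 example from the text: divert by context (here location) to a honeypot.
    divert_by_location: dict = field(default_factory=dict)


def issue_credential(endpoint: Endpoint) -> str:
    """Constructed enrollment step: an HMAC over the endpoint identity."""
    return hmac.new(ENROLLMENT_KEY, endpoint.name.encode(), hashlib.sha256).hexdigest()


class Fabric:
    """Overlay fabric that listens only for authorized sessions."""
    def __init__(self, appwans):
        self.appwans = list(appwans)
        self.audit = []  # (decision, endpoint, service, reason)

    def session(self, endpoint: Endpoint, credential: str, service: str):
        """Return the service the session reaches, or None if it is dropped."""
        # Layer 1, authenticate-before-connect: no valid identity, no access.
        if not hmac.compare_digest(issue_credential(endpoint), credential):
            self.audit.append(("drop", endpoint.name, service, "unauthenticated"))
            return None
        # Layer 2, least privilege: only services of an AppWAN listing this endpoint exist to it.
        for wan in self.appwans:
            if endpoint.name in wan.endpoints and service in wan.services:
                target = wan.divert_by_location.get(endpoint.location, service)
                self.audit.append(("allow", endpoint.name, target, wan.name))
                return target
        # Layer 3, dark network: unauthorized requests are dropped without reply.
        self.audit.append(("drop", endpoint.name, service, "not permitted"))
        return None


def demo():
    """Constructed scenario: an ERP AppWAN and an IoT telemetry AppWAN."""
    laptop = Endpoint("alice-laptop", "corp")
    sensor = Endpoint("sensor-17", "unknown")
    fabric = Fabric([
        AppWAN("erp-wan", frozenset({"alice-laptop"}), frozenset({"erp"})),
        AppWAN("iot-wan", frozenset({"sensor-17"}), frozenset({"telemetry"}),
               divert_by_location={"unknown": "honeypot"}),
    ])
    return {
        "laptop_erp": fabric.session(laptop, issue_credential(laptop), "erp"),
        "laptop_telemetry": fabric.session(laptop, issue_credential(laptop), "telemetry"),
        "sensor_telemetry": fabric.session(sensor, issue_credential(sensor), "telemetry"),
        "forged_credential": fabric.session(laptop, "not-a-valid-credential", "erp"),
    }, fabric.audit
```

The audit list shows the property the paper calls a dark network: the laptop's request for a service outside its AppWAN and the forged credential both end as silent drops, while the sensor reaching in from an unknown location is steered to the honeypot instead of the real telemetry service.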