End-to-end security as a solution provider competitive advantage

Businesses leverage many solution providers to gather and analyze data related to our operations, security, app performance and system health (e.g. Splunk, Dynatrace, Informatica, Datadog, etc.).

Unfortunately, the collection of this data has become increasingly expensive, insecure and complex.  So we end up in a catch-22 type situation: we need to collect the data to run our businesses, but collecting the data hurts our businesses.

The good news is the solution providers can now break free of the catch-22 – solution providers can leverage new Security as Code solutions to provide the needed end-to-end simplicity, security and agility.  Security as code is no longer solely leveraged by cloud native or innovative startup solution providers.  For example, the NetFoundry security as code platform is used by the world’s largest companies such as Microsoft (Zero Trust, Azure Private MEC) and Oracle (Autonomous database, Kubernetes APIs).

Security as Code ushers in a new art of the possible

Leading solution providers in areas like monitoring, instrumentation, APM, SIEM, observability, security and operations management (e.g. Splunk, Dynatrace, Informatica, Datadog, etc.) can now feature stronger security and better agility (for both the provider and their customers):

#1: As a differentiated selling point of their existing services, relative to less secure alternatives.

#2: To expand their addressable market to the most security and compliance sensitive verticals.

#3: To offer higher value (and higher priced) solutions (both because the solutions result in better agility, automation and security for end customers, and because some of the budget which used to go to telcos and infrastructure for bolted-on security can now go to the solution provider for built-in security).

#4: To shorten sales cycles (local loops take weeks to months to provision, and MPLS cloud connections cost at least $1000 per Gbps in competitive locations and far more in other locations).*

Leading solution providers have leveraged the security of their solutions in this revenue-producing manner in the past, but couldn’t control end-to-end security, and were subject to the inherent vulnerabilities of the bolted-on infrastructure.  Now, with built-in (Security as Code), solution providers can control end-to-end security, as code, introducing a new art of the possible on the revenue side.

* Note: #4 has always been important for cases in which business don’t have pre-existing private cloud connections with available capacity, but is now becoming even more important as businesses move to cloud native and multicloud architecture.  Businesses are eliminating private DCs and WAN architectures, so businesses increasingly demand the direct private cloud connections which are enabled by Security as Code platforms.

Security as Code is an important source of cost savings

Built-in also helps solution providers (e.g. Splunk, Dynatrace, Informatica, Datadog, etc.) on the cost side:

  • Their connections are currently at risk of being hijacked – turning them into a Solarwinds or Vaseya type victim.
  • Even if the solution provider is not the next victim, bolted-on infrastructure like VPNs and firewall configs are notorious sources of trouble tickets and customer dissatisfaction.  So, even if fortunate enough to avoid the catastrophic costs of being part of a breach, the operational and support costs are considerable.

Both of these factors are being multiplied as businesses and applications become even more distributed, multicloud and cloud native.  It is making priorities like eliminating VPNs and closing vulnerabilities move from the nice to have list to the must have list.

Bolted-on wasn’t designed for distributed, dynamic app topologies

Our current bolted-on architectures were based on a much more centralized and static app topology:

Problem #1 leaps off the page: open inbound firewall ports.  In more centralized and static architectures, we tried to compensate for the inherent insecurity of open ports by bolting on VPN, MPLS, IPS/IDS, ACLs, more monitoring systems, etc.  And that leads to problem #2 – those bolted-on solutions are:

  • Targets of cyberattackers (especially VPNs and open firewall ports)
  • Are prohibitively complex and expensive at modern levels of app distribution
  • Block our automation and agility goals.

Problem #1 and problem #2 are multiplied because there are many more VPNs and open firewall ports than shown in the simplified diagram above:

  • Multiple connections from the WAN to collection points.
  • There is often a layer between initial collection and ultimate datastores.
  • Multiple systems – e.g. APM systems, SIEM, ops systems.

We can try to ‘patch’ the problem, e.g. add more bolted-on solutions, and that is often necessary.  But the only sustainable (architecturally and economically) solution is to change our approach – to move to a framework which is designed to solve the challenges of our modern distributed, dynamic architectures.

Built-in replaces bolted-on: security goes everywhere your apps go, as software

Build-in architectures are optimized for modern, distributed application topologies, meeting our automation and agility goals (DevOps, SecOps, NetOps), while providing the strongest security via software instead of infrastructure.

Here’s how the NetFoundry Security as Code implementation closes inbound firewall ports and eliminates VPN/MPLS:

This architecture:

#1: Closes the inbound firewall ports.  This secure by design architecture both drastically improves security and removes the need to invest in adding bolted-on solutions like complex firewall rules and ACLs, IPS/IDS, VPN, etc.

#2: Improves automation and agility.  Everything you see in the diagram above is cloud orchestrated code, managed by your DevOps tools, APIs or web console.  You can literally spin it up in minutes!

#3: Enables flexibility.  NetFoundry open sourced the underlying software (Ziti).  Or you can choose to NetFoundry’s turnkey, consumption-based SaaS (free forever for up to 10 endpoints).

#4: Enables simple scale and extensibility.  Adding a new datastore, site or cloud takes minutes.  Use high bandwidth, low cost Internet ports rather than low bandwidth, high cost MPLS ports.  Control it all from the cloud, as code.

How do solution providers implement Security as Code?

When solution providers (or MSSPs / MSPs) are hosting the solution, and leveraging NetFoundry SaaS, they have two main options:

Similarly, there are many deployment options within both the SaaS and open source models, including:

  • Agentless (embedded in the application, as code, rather than a complex/insecure DNS redirect)
  • ZDBC driver (a Zero Trust wrapper around the existing JDBC drivers; again resulting in an agentless type approach for cases in which JDBC is used)
  • App-specific agents (VM, container, Win, Mac, Linux, Android, iOS).  One key here is that the agents enforce policy, e.g. they can send web apps to a SWG or Internet gateway, while optimizing the specific application of the solution provider.
  • Cloud-specific agents (available in every cloud marketplace).

Useful links

Most of us in the security, tech and networking worlds are cynics, and for good reason.  Meanwhile, the marketeers have flocked to use and abuse the Zero Trust terms.  So here are links to enable you to quickly filter through the noise and judge for yourself if you want to learn a bit more before diving into the SaaS or open source:

Watch a DevOps SRE leverage NetFoundry to do simple, Zero Trust data collection in 10 minutes (video)

Download a whitepaper to get into the nitty gritty details, and read through some customer case studies.

See how NetFoundry’s Zero Trust aligns with NIST Special Publication 800-207

Schedule a briefing or demo with a product expert

Discuss On: