
Press Release:

OPAQ Customer Nyhart Receives 2019 CSO50 Award for Security-as-a-Service Deployment

Employee Benefits Firm Replaced Hardware and Software with Cloud-Delivered Network Security to Achieve Superior Protection, Performance and ROI


OPAQ, the network security cloud company, today announced that customer Nyhart, a privately held employee benefits and actuary service company, has been recognized with a prestigious 2019 CSO50 Award from IDG’s CSO for its managed security project. Nyhart was selected for replacing its hardware and software security infrastructure with the OPAQ security-as-a-service platform to achieve Fortune-100 grade protection from threats, higher network performance and lower IT operating and management costs.

The annual CSO50 awards recognize a select group of organizations for security projects that have demonstrated outstanding business value and thought leadership. Nyhart will be honored at a special awards dinner on April 10 during the CSO50 Conference + Awards at the Talking Stick Resort in Scottsdale, Arizona. A full list of the CSO50 Award honorees is posted online at: https://bit.ly/2za5PCv.

“Following a series of acquisitions, we recognized the need for more advanced protection against cyber threats than we were able to implement and manage with our in-house resources, so we set out to find an alternative,” said Dave Sherman, CIO of Nyhart. “The OPAQ Cloud has allowed us to replace a complex set of individual products with a single cloud service. As an added benefit, our locations are now connected over OPAQ’s high-speed, encrypted SD-WAN instead of much slower and more expensive MPLS links.”

Nyhart is headquartered in Indianapolis with offices in Chicago, Atlanta, San Diego, Houston, Denver, Kansas City and St. Louis. The company had been growing rapidly, both organically and through acquisitions, and its small IT department was stretched very thin supporting eight offices, with more planned domestically and internationally. A sprawling patchwork of networks, devices, applications and mobile users had become too complex to manage and protect. Nyhart eliminated an array of hardware and software products with OPAQ’s fully automated and orchestrated cloud platform.

“Like most midsize enterprises, Nyhart has limited security resources and expertise,” said Kenneth Ammon, Chief Strategy Officer of OPAQ. “The OPAQ Cloud enables Nyhart to consume Fortune-100 grade protection as a utility so they can invest in growing their business.”

The OPAQ Cloud protects Nyhart with best-of-breed security that includes fully integrated next-generation firewall, endpoint protection, web application firewall and Cloud SIEM capabilities. OPAQ’s fully encrypted SD-WAN also eliminates trade-offs between protection and performance across all of Nyhart’s distributed locations since more than half of the company’s traffic never touches the Internet.

“This year’s class of CSO50 award winners raise the bar on security innovation,” said Amy Bennett, executive editor, CSO. “While delivering business value and demonstrating thought leadership are the metrics on which they are measured, the greater value is in the peer-to-peer sharing of ideas across a range of industries, across company sizes, for-profit and not-for-profit, public and private. The magic really happens on the stage at the CSO50 conference when these projects are brought to life in presentations and panel discussions. It is an honor to give them the recognition they deserve.”


About the CSO50 Awards
The CSO50 Awards recognize 50 organizations for security projects and initiatives that demonstrate outstanding business value and thought leadership. The CSO50 Awards are scored according to a uniform set of criteria by a panel of judges that includes security leaders and industry experts. The 2019 awards will be presented at the CSO50 Conference + Awards, April 8-10, 2019, at the Talking Stick Resort, Scottsdale, Arizona.

About CSO
CSO is the premier content and community resource for security decision-makers leading “business risk management” efforts within their organization. For more than a decade, CSO’s award-winning web site (CSOonline.com), executive conferences, strategic marketing services and research have equipped security decision-makers to mitigate both IT and corporate/physical risk for their organizations and provided opportunities for security vendors looking to reach this audience. To assist CSOs in educating their organizations’ employees on corporate and personal security practices, CSO also produces the quarterly newsletter Security Smart. CSO is published by IDG Communications, Inc. Company information is available at www.idg.com.

Press Release:

OPAQ CTO Tom Cross Named an Industry Leader of the Year by SC Media

IT Security Researcher, Entrepreneur and Advocate Recognized for his Contributions with 2018 Reboot Leadership Award


OPAQ, the network security cloud company, today announced that its CTO Tom Cross has been recognized as a Reboot Leadership Award 2018 recipient by SC Media, publishers of SC Magazine, in the C-Suite category. The annual awards honor executive and professional leaders for their unique, inventive and inspiring contributions that improve security, shape the industry, provide thought leadership, and otherwise have a positive impact on cybersecurity.


Tom is profiled in SC Magazine at: https://www.scmagazine.com/c-suite–tom-cross/article/790181/


“It’s an honor to be recognized by SC Media alongside so many great computer security professionals,” said Tom Cross, CTO of OPAQ. “We are constantly seeing the development of new attack techniques and new threats, yet millions of users are able to rely on the Internet every day because of the efforts of talented people throughout this industry, who work hard to confront these challenges.”


Tom Cross is currently CTO of OPAQ, which enables service providers to make Fortune 100-grade security accessible to midsize enterprises via the cloud over a fully encrypted SD-WAN. As CTO of Drawbridge Networks, he led the technical team that invented dynamic endpoint micro-segmentation security technology. He was previously Director of Security Research at Lancope and Manager of IBM Internet Security Systems X-Force Advanced Research team. Tom co-founded Industrial Memetics, which developed an early social networking platform called MemeStreams. He also co-founded EFGA (Electronic Frontiers Georgia).

Press Release:

OPAQ Joins Palo Alto Networks MSSP Specialization Partner Program

OPAQ Cloud Platform Makes It Possible for Midsize Companies to Access Palo Alto Networks Next-Generation Firewall-as-a-Service Capabilities from Service Providers

OPAQ, the network security cloud company, today announced it has joined Palo Alto Networks® MSSP Partner Program to enable managed services providers (MSPs) and managed security services providers (MSSPs) to deliver Palo Alto Networks enterprise-grade security as a cloud service to midsize companies.

“The partnership with OPAQ provides our NextWave partners a platform to provide managed security services to midsized companies. As more businesses make the shift to providing managed services, OPAQ provides partners the ability to deliver enterprise-grade security in a cost-efficient, scalable model,” said Nigel Williams, VP Global MSSP Channels for Palo Alto Networks.

According to 451 Research, “OPAQ’s cloud-based network-security-as-a-service platform simplifies traditional approaches to providing security services, delivering a robust set of security capabilities that help reduce complexity and minimize costs.”

As part of the agreement, OPAQ has selected Palo Alto Networks as the exclusive provider of next-generation firewall technology for the OPAQ cloud platform. OPAQ has deployed Palo Alto Networks appliances in its data centers across the US, and will scale up capacity to support growing demand among MSPs and MSSPs and their midsize enterprise customers.

“This alliance enables our channel partners to seamlessly deploy advanced firewall security protection through OPAQ’s fully automated and orchestrated cloud platform,” said Ken Ammon, Chief Strategy Officer for OPAQ. “Palo Alto Networks is a foundational partner for us, as their technology is an integral part of the security stack in the OPAQ Cloud.”

OPAQ’s enterprise-grade security is delivered through a per-user subscription model that tightly integrates a fully encrypted SD-WAN and best-of-breed security capabilities powered by Palo Alto Networks and other trusted security technologies, as well as OPAQ’s own patented technologies. It enables service providers to deliver robust protection, centrally monitor and manage customer networks, enforce policies, and generate customizable reports for security and compliance through a single interface. Midsize enterprise clients using OPAQ’s security-as-a-service have decreased costs by more than 40 percent and accelerated deployment time by 91 percent.

Together, OPAQ & Palo Alto Networks are raising the bar for small and medium-sized businesses

Small and medium-sized businesses face a unique set of challenges protecting their networks from attack. Beyond the constraints of budget and the availability of talented people, many of the best security tools and technologies are designed with large enterprises in mind. They are often architected for large-footprint deployments and packaged in a way that places them out of reach for smaller organizations. This makes small and medium-sized businesses a particularly attractive target for computer criminals, who know they can get access to valuable information in environments that may be struggling to implement effective controls and countermeasures.

Through our partnership, OPAQ and Palo Alto Networks are working hard to address these challenges. We’re proud to have been invited to participate as a Platinum Sponsor of Palo Alto Networks’ 2019 Sales Kickoff event this month in Toronto. We’ll be there exhibiting solutions that we think will change the game in a major way.

Enabling a Network of Service Providers

A keystone of our strategy is to engage with security service providers. Small and medium-sized businesses need trusted advisors who understand their business and can help them mature their security programs in the right way. We recognize the essential role that service providers play, and our mission is to enable them with tools that have the right fit for their customers. This is why OPAQ announced in January of this year a pivot to a 100% channel-based sales model.

Every technology that we build at OPAQ has been designed from the ground up to meet the needs of service providers. A few examples: our unique policy management interface, which makes it easy to set customer security policies across multiple control technologies from a single place; our zero-trust endpoint technology, which provides visibility and control deep within client networks without having to go on-site; and our reporting engine, which is specifically designed to enable service providers to illustrate the value of the work they’re performing on behalf of their clients, and to facilitate conversations with clients about specific gaps in their security programs.

The Firewall-as-a-Service Model

The way to make network security technologies more accessible while achieving economies of scale is to provide them from the cloud as a service. Clients who are serious about security should accept no substitutes in terms of the protection capabilities they are deploying. We start with best-of-breed next-generation firewalls from Palo Alto Networks. The intrusion prevention capabilities, threat intelligence, and WildFire 0-day malware and exploit analysis engines that are built into the Palo Alto Networks platform are second to none.

We deploy Palo Alto Networks firewalls in OPAQ’s high performance cloud infrastructure at multiple points of presence throughout the world, and allocate fractions to serve each individual customer. The service can scale down to handle small offices with a handful of employees, it can scale up to facilities with thousands of end-users, and it can grow elastically as each client’s needs change. New customer networks can be rapidly connected with a hardware edge device or virtual appliance from OPAQ, in a variety of standalone as well as high availability configurations. The result is that service providers can quickly deploy security capabilities that their customers know and trust, which are scaled to fit demand.

Zero-Trust Software Defined Network Segmentation

Security professionals increasingly realize that we need to operate networks on a Zero-Trust footing to contain sophisticated threats. Moving network security devices from the edge into the cloud provides flexibility and economies of scale, but it is also important to segment internal networks properly to prevent the propagation of malware within them, and service providers need the ability to do this remotely.

This is where OPAQ’s groundbreaking endpoint segmentation software comes into play. OPAQ’s software dynamically controls the firewall policy on each endpoint in real time, providing service providers with full visibility into east/west traffic within client networks and the ability to control that traffic. Incident responders can use this capability to quickly investigate security incidents on the internal network and take action to remotely quarantine infected hosts. OPAQ’s policy management interface also allows granular internal policies to be defined, based on user and host identities as well as IP address ranges, which are automatically synchronized by the OPAQ platform between endpoint and network firewalls.

OPAQ and Palo Alto Networks are Raising the Bar

OPAQ’s Zero-Trust endpoint technology and Palo Alto Networks’ Next-Generation Firewalls work in concert through the OPAQ platform to enable security service providers to deliver an unprecedented level of protection to their small and medium-sized clients. These advanced security capabilities were previously inaccessible in a cost effective manner, but now they can be deployed rapidly at a scale that is right-sized for these clients, with a platform that is elastic enough to grow with them.

What is a Next-Gen Host-Based Firewall and why would anybody care?

Host-Based Firewalls are a simple technology that is generally used to prevent unwanted inbound traffic by port number. They don’t play a significant role in most enterprise security programs because it’s too much work to manage policies for each individual host. Instead, organizations prefer to enforce policies with network firewall devices that can protect large numbers of hosts from a single location.

New technologies have recently started to change this by providing a way to manage large numbers of individual endpoint firewall policies from a central system. We call these solutions Next-Generation Host-Based Firewalls, although the term Micro-Segmentation is also sometimes applied to this space. There are two primary trends that are driving this change:

Cloud Adoption: Workload mobility combined with the absence of traditional network architecture in cloud environments has meant that in some cases, firewall policies have to be managed on an individual endpoint basis, and there need to be tools that facilitate this.

Sophisticated Targeted Attacks: These days the initial point of infection for an attacker within a network is just a foothold that is used to spread internally in search of vital information to steal or encrypt with ransomware. This fact has driven organizations to pursue a Zero Trust approach to network security, where hosts inside the perimeter are not considered inherently more trustworthy than hosts outside the perimeter. The ultimate Zero Trust model means that every host is capable of defending itself, and tools are needed to orchestrate that defense.

As various Next-Generation Host-Based Firewall solutions have come on the market, the market has begun to define itself around a few key features or characteristics that all of these products share:

Central Policy Management: Obviously a “table stakes” requirement for these solutions is the ability to create a policy for a large number of individual endpoints from a central policy management tool. These policies are managed in one place, but enforced in many places — by each individual endpoint system.

Network Visualization: Crafting a security policy for large numbers of endpoints can be challenging. Next-Generation Host-Based Firewalls typically collect logs of network traffic from each endpoint and can provide the user with the ability to see and explore their network and its interrelationships. This can be a powerful tool for investigating security incidents as well as building policies that can contain them.

Abstract Policy Making: Traditional Firewalls enforce policy based on IPs, ports, and protocols. This can be inadequate for dealing with the complex set of interactions that occur on an internal network where workloads and workstations can move around. Typically, Next-Generation Host-Based Firewalls allow policies to be defined based on the identity of a user or of a workload or application, regardless of what system, IP or port is involved. This makes policy definition much simpler by allowing the user to express rules in human terms.

In our view there are three main architectural approaches to building Next-Generation Host-Based Firewalls. In describing these architectures, we use the words “active” and “passive” to refer to the role that the central policy management system takes in making case-by-case enforcement decisions.

Passive: A Passive Next-Generation Host-Based Firewall system is capable of pushing traditional, static firewall policies out to endpoints, but the central policy management system takes no direct role in policy enforcement. When new connections are made or received by each endpoint, the endpoint evaluates them against the policy it has been given and chooses whether to allow or block them.

This architecture has the advantage of imposing minimal latency at connection establishment and being resilient against temporary loss of connectivity between endpoints and the central policy manager.

Active: Instead of pushing static policies out to endpoints, an Active Next-Generation Host-Based Firewall makes enforcement decisions at a central controller. When each new connection is made or received by each endpoint, the endpoint contacts the controller and the controller decides whether or not the endpoint should allow or block, on a case-by-case basis. In this sense the controller is playing an active role in making enforcement decisions.

This architecture has the advantage of being able to adapt policy enforcement decisions immediately to changing circumstances on the network, such as when a host moves to a different network segment, or when a decision has been made to quarantine a compromised host. This adaptability is necessary to enable micro-segmentation in traditional office environments where rapid changes are commonplace. While there is some cost associated with this architecture, the latency and availability impacts are comparable to those imposed by the use of DNS servers.

Hybrid: A hybrid solution combines the best of both architectural approaches, allowing for dynamic policies to be enforced in real time by a central controller, with static backups in place that can make rapid decisions when the controller cannot be reached.
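As an added example (not OPAQ’s code, and not a description of how its product is implemented), the following Python model puts the three architectures above and the identity-based “abstract policy” feature side by side: a central controller decides each new connection from user/workload identities, and the endpoint agent either enforces a static IP-based snapshot (passive), asks the controller every time (active), or asks the controller and falls back to the snapshot when it is unreachable (hybrid). Hosts, addresses, identities and rules are constructed for illustration.

```python
from collections import namedtuple
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# A new connection as seen by the endpoint: source, destination, destination port.
Flow = namedtuple("Flow", "src_ip dst_ip dst_port")


@dataclass
class StaticRule:
    """Traditional rule (network/port) pushed to the endpoint in advance."""
    src: str
    dst: str
    dst_port: int
    action: str  # "allow" or "block"

    def matches(self, f: Flow) -> bool:
        return (ip_address(f.src_ip) in ip_network(self.src)
                and ip_address(f.dst_ip) in ip_network(self.dst)
                and f.dst_port == self.dst_port)


@dataclass
class IdentityRule:
    """Abstract rule in human terms: which identity may reach which workload, on which port."""
    src_identity: str
    dst_identity: str
    dst_port: int
    action: str


class Controller:
    """Central policy manager: decides each new connection case by case (active mode)."""
    def __init__(self, rules, identity_map):
        self.rules = rules
        self.identity_map = dict(identity_map)  # ip -> user/workload identity
        self.quarantined = set()
        self.reachable = True

    def move_host(self, identity, new_ip):
        # Host moved to another segment: rebind its identity to the new address.
        self.identity_map = {ip: who for ip, who in self.identity_map.items() if who != identity}
        self.identity_map[new_ip] = identity

    def decide(self, f: Flow) -> str:
        if not self.reachable:
            raise ConnectionError("controller unreachable")
        src, dst = self.identity_map.get(f.src_ip), self.identity_map.get(f.dst_ip)
        if src in self.quarantined or dst in self.quarantined:
            return "block"  # responder isolated this host; takes effect on its next connection
        for r in self.rules:
            if (r.src_identity, r.dst_identity, r.dst_port) == (src, dst, f.dst_port):
                return r.action
        return "block"  # zero trust: no matching rule means no access


class EndpointAgent:
    """Host-based firewall in passive (static only), active (controller only) or hybrid mode."""
    def __init__(self, controller, static_rules, mode):
        self.controller, self.static_rules, self.mode = controller, static_rules, mode

    def _static(self, f: Flow) -> str:
        return next((r.action for r in self.static_rules if r.matches(f)), "block")

    def evaluate(self, f: Flow) -> tuple:
        """Return (action, who decided) for a new connection on this endpoint."""
        if self.mode == "passive":
            return self._static(f), "static"
        try:
            return self.controller.decide(f), "controller"
        except ConnectionError:
            if self.mode == "active":
                return "block", "fail-closed"  # no controller, no decision
            return self._static(f), "static-backup"


def run_scenario() -> dict:
    """Constructed walk-through of the three architectures; returns every decision made."""
    identities = {"10.0.1.20": "alice-laptop", "10.0.2.5": "payroll-app"}
    ctl = Controller([IdentityRule("alice-laptop", "payroll-app", 443, "allow")], identities)
    # Static snapshot of the same policy, compiled to IP addresses when it was pushed.
    static = [StaticRule("10.0.1.20/32", "10.0.2.5/32", 443, "allow")]
    passive, active, hybrid = (EndpointAgent(ctl, static, m) for m in ("passive", "active", "hybrid"))
    out = {"baseline": hybrid.evaluate(Flow("10.0.1.20", "10.0.2.5", 443))}
    # The laptop moves to a new segment: the identity rule still applies, the static snapshot is stale.
    ctl.move_host("alice-laptop", "10.0.3.7")
    moved = Flow("10.0.3.7", "10.0.2.5", 443)
    out["moved_active"] = active.evaluate(moved)
    out["moved_passive"] = passive.evaluate(moved)
    # Incident responders quarantine the laptop; the controller blocks its next attempt.
    ctl.quarantined.add("alice-laptop")
    out["quarantined"] = active.evaluate(moved)
    # Controller link goes down: active fails closed, hybrid falls back to the static rules.
    ctl.reachable = False
    old = Flow("10.0.1.20", "10.0.2.5", 443)
    out["outage_active"] = active.evaluate(old)
    out["outage_hybrid"] = hybrid.evaluate(old)  # caveat: the backup predates the quarantine
    return out
```

The last step shows the trade-off the text alludes to: the static backup keeps the hybrid endpoint working through an outage, but it cannot know about a quarantine decided after it was pushed, so backup policies need to be refreshed whenever the controller changes its mind.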

The OPAQ Cloud delivers Active & Hybrid Next-Generation Host-Based Firewalls. We believe that these technologies play a key role in securing the hybrid networks of today, especially as workloads move to the cloud and networks de-perimeterize. They enable enterprises to pursue a true Zero Trust approach to network security — where hosts on the internal network are not inherently trusted. The Zero Trust model is a prerequisite for defense against sophisticated threat actors, and a step toward totally new kinds of enterprise network architectures where perimeter defenses are no longer required.

Gartner Hype Cycles: Why You Should Believe this Hype

Can there be any more security buzz flying around in the market today? With an estimated 1,600 security vendors each espousing their own rhetoric as to why you just can’t survive unless you have their latest doohickey, it’s no wonder that executives are confused about what’s a smart security investment.

Industry analysts are doing what they can to help executives navigate the complexities of the security market. The sheer number of security categories, sub-categories, and sub-sub-categories is simply astounding, and can further complicate things. And just when you think you have a handle on the latest security trends and you’re confident you know exactly what it is you need, a new threat, new trend, or new technology emerges and makes you re-think everything yet again.

451 Research keeps a close eye on the security market, producing a variety of insightful research including Impact Reports, which feature different companies and independent perspectives on the strengths, weaknesses, opportunities, and threats (SWOT) of those companies. In fact, you can see an Impact Report on OPAQ here.

Gartner also produces a variety of research reports. Some of the most popular reports are the Gartner Hype Cycles, which can be useful as visual guides in helping executives assess different types of security technologies. Two Gartner Hype Cycles that were released earlier this month were the Hype Cycle for Threat-Facing Technologies and Hype Cycle for Enterprise Networking and Communications (these reports are accessible only to Gartner subscribers). The former Hype Cycle features security technologies that aim to “prevent and protect IT systems and applications from attack, enabling fast and effective response.” The latter Hype Cycle features technologies that can help executives to “evolve their networks to support functional and strategic business requirements” and “support digital business initiatives and new business models while also providing flexible, resilient, and scalable connectivity.”

As different as these two Hype Cycles are, there is a common thread – Firewall-as-a-Service is a category represented in both, which features the need for tight integration of networking and security, as well as for automation and orchestration. It’s the first time that Firewall-as-a-Service (FWaaS) is represented in the Hype Cycle for Enterprise Networking and Communications. In both Hype Cycles, it’s defined as “a multifunction security gateway delivered as a cloud-based service or hybrid solution. The promise of FWaaS is to provide simpler and more flexible architecture by leveraging centralized policy management, multiple enterprise firewall features and traffic tunneling to partially or fully move security inspections to a cloud infrastructure.”

With a benefit rating of “High,” the business impact of FWaaS “offers a significantly different architecture for branches or even single-site organizations. It also offers greater visibility through centralized policy, increased flexibility and potentially reduced cost by using a fully or partially hosted security workload.” OPAQ is referenced in both Gartner Hype Cycles as a sample vendor providing FWaaS, with serious enterprise-grade Next-Generation Firewall protection powered by Palo Alto Networks.

The as-a-service business model in security is not going away – it’s more than hype; it’s a mainstay. Integrating networking and security into a single cloud service that is simple to deploy and maintain eliminates cost, complexity, and much of the feature-focused security noise that plagues executives pondering smart security investments.

Why Gartner Named OPAQ a 2018 Cool Vendor

On June 1, after an in-depth evaluation, leading technology research firm Gartner named OPAQ one of only three Cool Vendors in Security for Midsize Enterprises (MSE) for 2018.

According to the report, “These vendors offer a compelling combination of innovation and midsize enterprise suitability. Midsize enterprise IT leaders responsible for security and risk management should familiarize themselves with these impactful approaches to improving security posture with finite resources.”

What makes a hot company a cool vendor? Gartner’s definition of a Cool Vendor is a small company offering a technology or service that is:

Innovative — Enables users to do things they couldn’t do before

Impactful — Has or will have a business impact, not just technology for its own sake

Intriguing — Has caught Gartner’s interest during the past six months

Gartner analysts stated: “Security-as-a-service vendor OPAQ is cool because it can provide MSE IT leaders with a caliber of managed network visibility and control — at a predictable operating expenditure price — that is typically out of their reach. MSEs that lack staff expertise to manage and monitor multiple network security appliances and consoles can benefit from the OPAQ Cloud.”

Gartner released the Cool Vendors report just prior to the start of its 2018 Security and Risk Management Summit. Several of us from OPAQ attended the event, which drew an increasingly large audience of midsize enterprises who value Gartner’s insights on the technology landscape and emerging trends.

We were delighted to see OPAQ referenced in analyst sessions and in presentations. Moreover, we were excited to hear that OPAQ was being discussed by executive attendees with analysts during their one-on-one analyst meetings.

There is no doubt that the security-as-a-service solution OPAQ delivers will be a mainstay in a market that is embracing simplified, cost-effective enterprise-grade security from the cloud.

We’re extremely proud of this recognition from one of the most highly respected analyst firms.

Why FourV and OPAQ Joined Forces

I’m pleased to be writing this post as a member of OPAQ Networks, following the announcement today that FourV Systems has become part of the OPAQ family. Our two companies share a common focus — empowering MSPs and MSSPs with security automation to help them gain greater visibility and control while substantially simplifying the management of their customers’ network and security architecture.

FourV’s patented GreySpark solution provides continuous security metrics, compliance monitoring and reporting. And the OPAQ security-as-a-service platform integrates comprehensive enterprise-grade security capabilities with a private software-defined network backbone. Together, we’re delivering the single most effective and efficient tool that MSPs and MSSPs can use to:

  • Identify what security controls should be prioritized;
  • Manage and enforce best-of-breed network security controls; and
  • Demonstrate and communicate the value of security services to technical and non-technical decision makers

Beyond this natural technology “fit”, several other factors convinced FourV’s management that we could achieve goals more quickly as part of OPAQ.

OPAQ’s platform is built to address a market that we at FourV also believe is both underserved and critically important: the midsize enterprise. These companies often struggle to apply the personnel and financial resources needed to acquire, deploy, and manage the type of security infrastructure required to properly fend off today’s advanced threats. OPAQ’s cloud platform levels the playing field, packaging their best-of-breed security platform in a way that is accessible for midsize enterprises while also making it simple for service providers to manage.

OPAQ’s leadership team and support teams are also extremely experienced in our space. Glenn Hazard and Ken Ammon certainly ‘get it’ when it comes to the intersection of business and technology needs of service providers and the midsize enterprises they support.

The FourV solution serves as a complementary addition to the OPAQ cloud platform. An assessment of security operations performance and compliance maturity is often the first step MSPs and MSSPs need to take with their clients in order to provide trusted recommendations to reduce risk and exposure. We could not be happier that we are now a part of an organization whose platform enables those MSPs and MSSPs to meet the needs of their clients by giving them the ability to instantly deploy and manage enterprise-grade security.

Want to learn more? See how simple it is to get started with OPAQ.

Drawing a New Map of Enterprise Networking

Earlier this year I got to hear Tim O’Reilly speak at Grand Central Tech as part of their Authors @ GCT lecture series. Mr. O’Reilly is out promoting his new book, “WTF? What’s the Future and Why It’s Up To Us.” One of the themes of his book is the process of innovation – how we go about creating technologies that completely change the way that we think, work, and live.

O’Reilly writes about drawing visual maps of the different elements within a company’s business plan, in order to understand how they interrelate with each other, a process that he learned about from a strategic consulting firm called BEAM. He then proceeds to draw such a map for an on-demand transportation company like Uber or Lyft.

There was a particular way that on-demand transportation worked a decade ago – you called a cab company, and a dispatcher announced your location on a radio network, and hopefully one of the cab drivers agreed to pick you up. Over time a particular set of technologies have become available, including the Internet, smart phones, and dispatching algorithms, that have enabled a completely different way of organizing this process. However, the new map for on-demand transportation didn’t draw itself – it was the job of innovators to realize that an opportunity existed to connect each of these ingredients in a new way, and to persuade the public that this new way is, in fact, a better way.

Of course, this got me thinking about what we’re doing at OPAQ Networks. IT organizations have been building enterprise networks in the same way ever since we started connecting businesses to the Internet in the early 1990s. I usually credit Steven Bellovin and William Cheswick for drawing the original maps of this territory in their book “Firewalls and Internet Security.” This model is often called the “perimeter security model” – “We’ve got a bunch of sensitive computer systems here in our corporate headquarters, so we connected all of our satellite offices into that headquarters and we’ve built a stack of security solutions there to protect everything.”

Over time that model has started to show signs of strain. The sensitive systems that used to collect at headquarters are gone – they’ve moved into the cloud. However, the security stack is still there, and all kinds of traffic are still getting backhauled through headquarters for the sole purpose of sending them through the stack. Despite this approach, attackers are successfully getting inside by infecting end-user workstations. Once their malware is running on the other side of the firewall, they have free rein over the internal network and can get right to the data they want to steal.

At OPAQ Networks we are building a new map for this territory. First, we’re moving the security stack into the cloud, where the sensitive assets now live. This solves the backhaul problem, because satellite offices and remote VPN users can connect to cloud assets through our network instead of backhauling through a corporate headquarters. OPAQ has a nationwide network of points of presence and more than 200 peering relationships with major service providers that enable us to get traffic to its destination as efficiently and reliably as possible. Most small and medium-sized enterprises don’t have the means to build this kind of infrastructure for themselves.

Second, we’re introducing software-defined network segmentation, a technology that gives enterprises fine-grained visibility and control over their internal networks. Using this tool, it’s possible to granularly segment internal networks so that end users only have access to the resources that they need, without having to reconfigure VLANs or wrestle with NAC solutions. Our partners’ midsize customers are able to adopt a better security posture, so that a single endpoint compromise does not imperil their entire business.

We are entering a time when the traditional way of building enterprise networks is being disrupted, and other maps are being drawn. Google’s BeyondCorp is one such map, along with the idea of Zero Trust Networks that was eloquently detailed in a recent O’Reilly publication. These approaches suggest doing away with the VPN and the perimeter security stack entirely, placing internal applications directly on the Internet and connecting users to them through authenticating proxy servers that check the user’s identity and the state of the device before granting access.

While I believe the BeyondCorp approach has merit, and there is a great deal that we can learn from it, it’s also very difficult for small and medium sized businesses to adopt. The traditional security stack delivered from the cloud has value, particularly for businesses where consistent patch and configuration management can be a challenge. The VPN has value, because it draws a clear line between the organization’s assets and the outside world. The problem is that these assets are often hosted in the wrong place today, and better segmentation is needed behind them.

This is what we’re doing at OPAQ Networks – we’re drawing a new map for the practice of enterprise networking in the cloud computing era. By leveraging network security-as-a-service, software-defined network segmentation, and a modern, global network infrastructure, we’re enabling our customers to build networks that are more efficient, reliable, and secure than they have ever been before.

Simplified Microsegmentation — From the Cloud

It is time to change the way that organizations approach network segmentation. In the past few years we have seen a mounting collection of threats target the wide open nature of most organizations’ internal computer networks. Although security pros have been harping on this for some time, most networks remain crunchy on the outside and chewy in the middle – once attackers get past the perimeter, they often have access to anything and everything inside the organization.

We’ve seen repeated threats exploit this exposure recently. We’ve seen incidents where entire organizations are crippled by ransomware spreading internally within their networks. We’ve seen the return of internet worms with WannaCry and NotPetya. We’ve seen more automated attacks that pivot from an initial point of compromise within a Windows network all the way to Domain Admin access. In fact, experts are predicting significant increases in the volume of these attacks because of developments in attack automation.

Almost every organization needs to improve the segmentation of its internal network to cut down on these threats. What is preventing organizations from taking action?

Traditional Network Segmentation is Complex and Difficult to Manage

Unfortunately, the traditional approach to implementing network segmentation poses significant challenges. Configuring and managing internal firewalls and VLANs is both labor intensive and relatively inflexible. Network architecture is usually driven by the need to provide connectivity rather than security. Organizing machines with different security requirements onto separate VLANs is complex, and as soon as the work is done, users demand changes. Deploying multi-factor authentication for internal applications and services can also be a daunting project, because each application must be integrated separately.

It’s no wonder organizations — particularly midsize enterprises — continue to struggle with implementing a smart, sustainable network segmentation strategy. What are midsize enterprises — and the service providers supporting them — supposed to do?

Zero Trust Software-Defined Network Segmentation from the Cloud

The term “microsegmentation” has recently become a buzzword in the IT world. The solutions that carry that label provide a manageable way to lock down east/west traffic policies for data center and cloud workloads. However, many of the threats we’re seeing – ransomware, worms, and lateral movement through Windows domains – target end user workstations instead. What organizations need is an easy-to-deploy, software-defined microsegmentation capability that is flexible enough to cover the entire enterprise network, endpoints included.

Since the acquisition of Drawbridge Networks in May 2017, we have embarked on integrating unique intellectual property into the OPAQ Cloud that allows users to manage software-defined microsegmentation for the entire enterprise, from a single pane of glass. The OPAQ PathProtect™ capability dramatically simplifies network segmentation, enhances network visibility and control, and enforces policy locally at each device, whether it’s a cloud workload or an employee laptop.

OPAQ PathProtect™ works by connecting software agents running on endpoints with a central controller hosted in the OPAQ Cloud. This architecture provides visibility and control from the cloud into every network interaction happening on every endpoint. This capability gives you the power to investigate incidents, protect against insider and external attacks, and prevent certain devices, such as compromised endpoints, from talking to other workstations on the network. Because policy is enforced by the agent on each device, a host that has no agent is only ever constrained by the agents on the hosts it tries to reach, which is why rolling the agent out across the fleet matters as much as writing the policy.

Microsegmentation with OPAQ PathProtect™ can be used to define granular access segments for users that operate independently of the network’s hardware and physical topology. It can also be updated easily when business needs change. Segments can be defined based on user identity, group membership and job function, and they follow users as their laptops move throughout the network, since the decision is keyed on who is logged in rather than on the address the device currently holds. OPAQ PathProtect™ can be used to enforce multi-factor authentication for access to any resource or service on the network, without any need to integrate with individual applications. This is possible because the central controller oversees all communication within the network and can authenticate users before allowing traffic to flow.

These capabilities allow organizations to adopt a security posture that is more aligned with Zero Trust security principles, in which users only have access to the specific applications required by their job function. Cutting down on unnecessary access closes the avenues that malware and network attackers use to spread laterally within an organization.

Microsegmentation for Endpoints, Not Just Data Centers

OPAQ PathProtect™ is a microsegmentation solution that can protect the whole network, including workstations, servers, datacenters, and cloud workloads, supporting the following capabilities and use cases:

  • Network Visibility provides detailed topological views of the interactions between hosts on the internal network. It is possible to drill down into different timeframes, hosts, users, process names, ports, and protocols for complete insight into network activity.
  • Network Access Control (NAC) assigns which resources, hosts and users can access services on the network. For example, unmanaged hosts can be prevented from accessing sensitive servers, and are identified and cataloged as soon as they send traffic.
  • Multi-Factor Authentication (MFA) integration enables step-up authentication to tighten security for VPN access and within the internal network.
  • Granular Segmentation, which is completely independent of the physical network architecture and network addressing, can be used to segment specific devices, applications, and data, and keeps track of hosts as they move around the network.
  • Quarantine allows organizations to quickly isolate infected hosts from sensitive resources at the touch of a button.
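As an added illustration that is not OPAQ’s code and does not use the PathProtect API, the Python below implements the core of the policy model the preceding paragraphs and the list above describe: rules keyed on directory group rather than address, default deny, step-up MFA for a gated service, cataloging of hosts with no agent, and a quarantine list fed by a fan-out check over the controller’s own log of attempted connections. The class and field names, the sample rules, the host names and every flow record are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


# Constructed data model (not PathProtect's): one record per connection attempt,
# as an endpoint agent might report it to a central controller.
@dataclass(frozen=True)
class Flow:
    src_host: str        # managed-device name reported by the agent
    src_ip: str          # current address; deliberately NOT consulted by policy
    user: str
    groups: frozenset    # directory group membership of the logged-in user
    dst_host: str
    dst_port: int
    mfa_verified: bool = False


@dataclass(frozen=True)
class Rule:
    """Members of `group` may reach dst_host:dst_port; no addresses involved."""
    group: str
    dst_host: str
    dst_port: int
    require_mfa: bool = False


class Controller:
    """Toy central policy point: default deny, identity-keyed allow rules,
    unmanaged-host cataloging, a quarantine list and a log of every attempt."""

    def __init__(self, rules, managed_hosts):
        self.rules = list(rules)
        self.managed = set(managed_hosts)
        self.quarantined = set()
        self.unmanaged_seen = {}   # host -> last source IP, for the inventory view
        self.log = []              # (flow, verdict) for allowed and denied attempts

    def quarantine(self, host):
        self.quarantined.add(host)

    def decide(self, flow):
        verdict = self._evaluate(flow)
        self.log.append((flow, verdict))
        return verdict

    def _evaluate(self, flow):
        if flow.src_host in self.quarantined:
            return "deny:quarantined"
        if flow.src_host not in self.managed:
            self.unmanaged_seen[flow.src_host] = flow.src_ip
            return "deny:unmanaged"
        for r in self.rules:
            if (r.group in flow.groups and r.dst_host == flow.dst_host
                    and r.dst_port == flow.dst_port):
                return "step-up-mfa" if r.require_mfa and not flow.mfa_verified else "allow"
        return "deny:default"


def smb_fanout(log, workstations, threshold=5, port=445):
    """Workstations that tried to reach >= threshold other workstations on `port`.
    Denied attempts count too: a worm sweeping for peers shows up in the log
    even though policy already blocks workstation-to-workstation SMB."""
    peers = defaultdict(set)
    for flow, _verdict in log:
        if (flow.src_host in workstations and flow.dst_host in workstations
                and flow.dst_port == port):
            peers[flow.src_host].add(flow.dst_host)
    return {h: len(p) for h, p in peers.items() if len(p) >= threshold}


def demo():
    """Run constructed sample traffic through the controller; returns the verdicts."""
    rules = [
        Rule("finance", "payroll-db", 5432),
        Rule("finance", "hr-portal", 443, require_mfa=True),
        Rule("engineering", "git-server", 22),
    ]
    laptops = {f"laptop-{i:02d}" for i in range(1, 9)}
    ctl = Controller(rules, laptops)
    fin, eng = frozenset({"finance"}), frozenset({"engineering"})
    r = {}
    # Same user and laptop at two addresses (HQ, then a branch): same decision.
    r["alice_hq"] = ctl.decide(Flow("laptop-01", "10.1.1.5", "alice", fin, "payroll-db", 5432))
    r["alice_branch"] = ctl.decide(Flow("laptop-01", "10.2.2.9", "alice", fin, "payroll-db", 5432))
    # No engineering rule for payroll: default deny.
    r["bob_payroll"] = ctl.decide(Flow("laptop-02", "10.1.1.6", "bob", eng, "payroll-db", 5432))
    # MFA-gated service: step-up first, then allowed once the user has verified.
    r["alice_hr_nomfa"] = ctl.decide(Flow("laptop-01", "10.1.1.5", "alice", fin, "hr-portal", 443))
    r["alice_hr_mfa"] = ctl.decide(Flow("laptop-01", "10.1.1.5", "alice", fin, "hr-portal", 443, True))
    # A host with no agent is denied and cataloged with the address it used.
    r["printer"] = ctl.decide(Flow("printer-07", "10.1.1.200", "", frozenset(), "payroll-db", 5432))
    # laptop-03 sweeps five peers on 445: every attempt is denied but still logged.
    for i in range(4, 9):
        ctl.decide(Flow("laptop-03", "10.1.1.7", "carol", eng, f"laptop-{i:02d}", 445))
    r["suspects"] = smb_fanout(ctl.log, laptops)
    for host in r["suspects"]:
        ctl.quarantine(host)
    # Once quarantined, even carol's normally permitted flow is cut off.
    r["carol_git"] = ctl.decide(Flow("laptop-03", "10.1.1.7", "carol", eng, "git-server", 22))
    r["unmanaged"] = dict(ctl.unmanaged_seen)
    return r


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two design points carry over to any real deployment of this model. The rule table never mentions an IP address, so the same laptop gets the same verdict at headquarters and at a branch office, and re-addressing a site does not touch policy. And the controller logs denied attempts as well as allowed ones; that is what lets the fan-out check spot a host sweeping its neighbours on port 445 before anything succeeds, so the quarantine decision can be made on evidence rather than after the damage.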

To find out more, view the press announcement, sign up for our upcoming webcast and schedule a demo to see how simple microsegmentation can be from the cloud.