Using Aruba Dynamic Segmentation will help keep the Boogeyman away

One reality terrifying most business owners is the thought of someone compromising their network and their data. Companies spend gratuitous amounts of money and time to protect themselves from cyber threats. They configure edge firewalls and multi-factor authentication mechanisms to protect their most sensitive data in the cloud. The thing that is often left untouched and overlooked is the set of data ports that are physically accessible to the public.

If the business operates in a public or shared office space, the risk of intrusion from an unprotected or unmanaged port is astounding. Aruba Networks has developed a technology that extends the same role-based firewall policies applied to the enterprise wireless network to the wired ports. By enforcing the same role-based policies, administrators can simplify deployment and management while staying consistent across the network.

Is this a new threat?

In truth, the threat has always existed. The difference is that now, more than ever, IoT devices require a hard-wired connection to function. This is because many of them do not support the same security and encryption standards we enforce on the wireless network. Some devices simply require the low-voltage power supplied by the switch port to function. These devices include security cameras, lighting controllers, intelligent HVAC devices and some printers or scanners.

Another common scenario is when a wired port is needed for a special event. The port is configured for one purpose and then forgotten about. From then on, anyone who plugs into that port has whatever access it was originally configured for. The reality is that these devices and circumstances are not going away any time soon. The best way to protect the network and the switch ports is to secure and isolate the clients and devices from your sensitive networks and services.

What have engineers and administrators done about this attack vector?

From a management perspective, port security has always been the bane of network engineers and administrators. It has never been very practical or scalable to deploy. One must define clear attributes to distinguish each device from another. Then, you tell the switch port to change the network the device is connected to, or simply to block the port altogether.

Often the unique attributes used to distinguish these devices are easy to counterfeit. Deploying the configuration on only the public-facing ports takes planning and insight, and this often falls through the cracks after the initial deployment. Furthermore, these settings must be deployed on every switch in the environment that may be reached from a public-facing port. Aruba’s Dynamic Segmentation takes a different approach. It unifies policy enforcement and delivers the same seamless experience that people have come to expect of wireless connectivity.

How does it work?

The technology leverages many of the same security and profiling mechanisms that exist in the Aruba wireless world and applies them to the switch port, adding a scalable security solution without the complexity of deploying another costly security product. It works by treating an Aruba network switch like an access point. The switch tunnels the switch port traffic to the Aruba mobility controllers, which profile the connected devices in the same manner they would a wireless client.

If the device passes certain authentication criteria, then it is granted the same access as if it were on the wireless network. If the device has certain attributes but does not pass specific authentication criteria, then it is treated differently. It will be assigned the same role and given the same privileges as it would on the wireless network. By isolating these devices or unknown users, we can better protect the environment at large while not limiting the connectivity some users may need.

What else can Aruba Dynamic Segmentation do?

By tunneling the traffic to the mobility controllers, Dynamic Segmentation provides greater visibility of the traffic from IoT devices and guest users on your network. You can enforce a captive portal with email registration for guest users. This adds some accountability for a visiting contractor or guest speaker.

If an employee brings in a consumer device from home and plugs it in, you can distinguish what the device is, where it is plugged in and what it is communicating with. The most valuable use case for this technology lies in the constant struggle of BYOD and onboarding of employee devices. If an employee chooses to use their own computing device and company policy allows it, you can check the security posture of the device before granting it access to any resources on your network. Ideally those users would have a policy enforced that allows them to reach only the least sensitive resources and the internet.

Why should network/security engineers and administrators be excited about Dynamic Segmentation?

Unlike traditional port security, which normally relies on 802.1X and RADIUS authentication to authorize access on a single VLAN, Dynamic Segmentation does not require unique network segments to be defined to physically separate users. Aruba uses the term VLAN sprawl to describe the never-ending creation of new VLANs and subnets to create new layer 2 boundaries to physically segment user and device traffic.

With this solution, all the unknown devices and users can reside on the same network segment. Because the traffic is tunneled, all of it is subject to deep packet inspection, stateful firewall policies and layer 7 application visibility, including web content filtering. Most IT professionals wouldn’t believe that their wireless controllers are capable firewalls. Where Aruba is concerned, they would be wrong.

What Aruba components are necessary to make it all work?

If you are already an Aruba wireless customer, you may already have what it takes to start leveraging this technology today. Listed below are the solution ingredients, taken directly from the Aruba Solution Overview.

  • Aruba wireless access points
  • Aruba network switches
    • Models 2930F/M, 3810M, 5400zl2
  • Aruba Gateways or Mobility Controllers
    • Running AOS 8.1 or later
  • Aruba ClearPass Policy Manager with profiling

Overall, the solution will simplify your efforts at securing the network edge and unify security into one manageable platform. Why spend time configuring and deploying a solution that you would have to duplicate with the wireless infrastructure? Save yourself from that spooky nightmare.

To learn more, contact your local Zunesis sales representative.


Additional Resources

Dynamic Segmentation Solution Brief

Aruba Learning Video

Technical Whitepaper

Data Protection

As we get closer to Halloween, I’m sure most IT professionals have a few things that spook them. One of them is ransomware and securing their data. In fact, it has been reported that a new organization will fall victim to ransomware every 14 seconds in 2019 and every 11 seconds in 2021. There will be an estimated $6 trillion in damages to business by 2021.

As we move to more IoT devices, studies have found that it takes just 5 minutes to hack into an IoT device.

I could share more stats, but I’m sure you get the point that security of an organization’s data is a big concern now and will be going forward.

So, what can organizations do to help prepare for an attack and save their data? First, let’s talk about what intelligent data protection is and why you need it.

Why Intelligent Data Protection

In today’s digital world, protecting data is becoming more complex every day. More formats, more sources, more access points and a longer shelf life for data are just a few of the factors driving this complexity. Data always needs to be available. Many organizations cannot afford to be off-line.

Intelligent Data Protection is a comprehensive approach to data protection and copy data management that focuses on how the business protects and uses its data (now and in the future).

An organization needs to find the right solution, one that integrates data protection and copy data management technologies into an automated data protection platform.

Benefits to Intelligent Data Protection:

  • Eliminates complexity
  • Automatically moves data without manual intervention
  • Enforces optimal backup policy per data store
  • Puts your backup to work
  • Protects more data, faster and at a lower cost
  • Leverages predictive analytics
  • Ensures data recoverability
  • Minimizes cost and maximizes investment
  • Aligns cost with usage
  • Flexible deployment options

 

Things to Consider When Looking for an Intelligent Data Protection Solution

  • Self-managing platform: automates data protection infrastructure management
  • Delivers on backup and recovery needs: delivers the Recovery Time Objective (RTO) and Recovery Point Objective (RPO) you need on a per-application basis
  • Cloud-scale infrastructure: manages data growth with scale-out capability and intelligent deduplication
  • Threat mitigation
  • Optimizes use of backup copies
  • Optimizes cloud investment
  • Secures cloud backup and recovery
  • Choice of deployment models and pricing
  • Support for a hybrid environment

3-2-1 Backup Rule

What may sound like something you would learn on Sesame Street is the 3-2-1 backup rule. (Imagine the Count counting backups. One backup, two backups, three backups. Ha! Ha! Ha!) The United States Computer Emergency Readiness Team (US-CERT) highly recommends this practice.

This is a common approach to keeping your data safe in almost any failure scenario. The goal is to maximize application uptime and data availability.

[Image: 3-2-1 backup rule]

The rule is:

  • Keep at least 3 copies of your data
  • Store 2 backup copies on different storage media
  • Have one of them located offsite

How HPE and Veeam Can Help

When looking for an intelligent data protection solution, Veeam and HPE’s industry-leading solutions are fully equipped for businesses of all sizes to combat malicious attacks and protect their data. It is a fully integrated solution composed of existing technology. It enables organizations to rapidly recover from ransomware attacks. It is both flexible and affordable. Another benefit is that it can be quickly deployed into production.

HPE StoreOnce Catalyst

The HPE StoreOnce purpose-built appliance and HPE StoreOnce Catalyst benefit organizations by offering space-efficient backup, deduplication, data lifecycle management and information assurance. The most important benefit of this solution is its ability to isolate data from unintended tampering.

StoreOnce Catalyst does not prevent the rest of the enterprise from being compromised by malware. It does protect the mission-critical data stored on it from being either targeted or affected. Ransomware cannot encrypt what it does not see. The Catalyst store does not use standard operating system command instructions for its operations, so malware cannot become active while inside.

The best backup solution is useless if ransomware can access your backup repositories. StoreOnce Catalyst provides protection for backup repositories: the repository is only visible through the Catalyst API.

Backup Applications: Veeam

Several software vendors have integrated StoreOnce Catalyst technology into their data protection applications. One solution to consider is Veeam Backup and Replication. Veeam has several solutions and applications that can assist with your data protection strategy.

The Veeam Mount Server makes it possible to immediately mount backed-up virtual machine files for instant VM recovery and unparalleled RTO efficiency when combined with StoreOnce Catalyst. VMs recovered in this way are mounted read-only by default. This further protects the environment should any malicious software remain within the backup data.

Veeam also offers a testing environment where you can test for and remove ransomware quickly before restoring VMs to production. This is done with Veeam Data Labs and Veeam SureBackup.

Ask Zunesis about other capabilities that Veeam has to help assess, monitor and more for your data backup needs.

Conclusion

Simply backing up data by making copies is not enough anymore. If an operating system can see your data, so can ransomware. Ransomware cannot infect what it cannot see.

By following industry best practices and leveraging the right tools, you can prepare for and avoid potential data loss and downtime from ransomware attacks. Contact Zunesis today for an assessment of your storage and backup plans.

Additional Resources:

Protecting Data from Ransomware with HPE StoreOnce Catalyst

Protect your data from malicious ransomware threats

Veeam Backup and Replication


REST for the Weary – RESTful APIs

As the expression goes, “no rest for the weary.” A lot of us in the IT industry can relate to that statement. We often need to work long hours with heavy workloads.

Why is it then, at least in my observation, that many systems and network engineers still have not jumped on the automation train? We’re so busy being busy that we don’t take the time to save time. Some of us still think RESTful APIs are something that only “devs” use. Luckily for our sanity, many of us are picking up this much-needed skill.

If you haven’t played with RESTful APIs yet and are in IT operations, I highly encourage you to check out RESTful APIs and get some lab time. By sharing some personal experience, I’d like to argue that there really can be “REST for the weary.” (Pun intended.)

A slightly better way

I remember the time before RESTful APIs were something that more vendors supported. I had to write Expect scripts in Linux to do my automation. Really, this was just screen scraping terminal output and brute-forcing automation. It was messy at best, especially when trying to automate devices that weren’t made for automation.

This wasn’t a whole lot of fun, but it was worth the pain involved since it still saved mountains of time. There was quite a bit of pain with some vendors. They needed weird keystroke combinations before they would allow CLI access, even after SSH’ing in. Implementing “CTRL+Y” through an SSH session via script was way more of a headache than you’d think it should be.

Complaining aside, spending time writing Expect scripts was certainly MUCH easier than doing things manually. As an example, in a large environment I previously worked in, my co-workers spent time manually SSH’ing to literally hundreds of switch stacks. They had to run some commands and capture the output to save.

I was asked on a regular basis by management to get MAC address/switchport/dot1x info and other data which could be queried for historical data in a database. This was in preparation for a forklift upgrade of the network. The use case was to get a history of devices, interface information and all other relevant historical data. Pulling MACs from the cores via uplinks wouldn’t give the necessary detail.

This wasn’t an option. We had to go to the switches as the source of truth. The idea was also to compare the data with other sources (the IP-PBX system was one example) in preparation for the upgrade. They wanted to make sure network cut-overs went unnoticed by end users, aside from the downtime to swap equipment of course. I spent quite a bit of time writing and tuning Expect scripts, but still much less than doing things the old-fashioned way.

The actual better way

Fast forward to my next job managing literally thousands of server nodes in a high-uptime environment. I started getting asked to do things like update BIOS settings ON EVERY SERVER. To make things worse, as software engineering changed their code, they’d ask me to change BIOS settings multiple times. There was no way I was going to iLO into every one of those servers, reboot, wait, press F9 to access system utilities, select BIOS/Platform Configuration (RBSU)… etc. Thankfully, I didn’t have to draw a line in the sand and explain that I was unwilling to do this.

After some research, I learned that HPE makes a RESTful API available on their Gen9 and Gen10 servers. Lucky for me, we were using Gen9 servers at the time.

Managing BIOS settings isn’t the only thing you can do, by the way. You could probably integrate this into your monitoring system, if it allows it, to deal with non-responsive devices, as an example. We’ve all seen servers where the lights are on but nobody is home. They seem dead, but respond to pings… intermittently and with high latency. You could use your monitoring system to poll services and metrics like CPU and RAM utilization, then reboot the server via the iLO RESTful API if it is really locked up. No more waiting for a human to notice alerts, escalate if needed, then reboot the server manually.

One Interface for Integrated Control

HPE Integrated Lights Out (iLO) server management provides intelligent remote control automation through scripting or an API. Gain even more capabilities that go beyond scripting by leveraging one API to manage the complete lifecycle of HPE Gen9 and Gen10 servers: the iLO RESTful API.

A single API interface integrates server management components and full compute power. Use it with HPE iLO 4 and iLO 5 to perform remote server provisioning, configuration, inventory and monitoring to industry standards through Redfish API conformance.

This was a game changer. I was able to prepare some standard JSON files with standardized BIOS settings, then write a script utilizing HPE’s RESTful API to push the settings described in the JSON file to every server (or a subset of servers for testing) with ease.

Some settings still required a reboot to take effect. This was easily handled by scheduled reboots during a maintenance window. I also didn’t need to patch together a solution to script iLO changes with the software equivalent of duct tape and bubble gum, but instead utilized a RESTful API. Something that would have taken FOREVER was accomplished with ease using something very well documented by HPE.
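Here is that workflow in code, as an added example that is not from the original post or from HPE: it logs in to each iLO’s Redfish interface with a session token, writes the pending BIOS attributes from a standard settings file, optionally requests a reboot, and deletes the session when done. It assumes the standard Redfish resources (/redfish/v1/SessionService/Sessions, /redfish/v1/Systems/1/Bios/Settings and the ComputerSystem.Reset action); the attribute names, hostnames and CA bundle path are constructed placeholders.

```python
"""Push one standardized set of BIOS attributes to a batch of HPE iLO servers over
the Redfish RESTful API and optionally request a reboot so they take effect.
Added example, not code from the original post or from HPE. Assumes the standard
Redfish session, Bios/Settings and ComputerSystem.Reset resources; attribute
names and hostnames are constructed samples."""
import json
import ssl
import urllib.error, urllib.request
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample of the "standard JSON file" the post describes.
BIOS_SETTINGS = {"Attributes": {"BootMode": "Uefi", "WorkloadProfile": "Custom"}}
# A transport takes (method, url, headers, body) and returns (status, lower-cased
# response headers, body); injecting it keeps the logic testable offline.
Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], Tuple[int, Dict[str, str], bytes]]


def https_transport(cafile: str) -> Transport:
    """urllib transport that verifies the iLO certificate against cafile; put the
    iLO's self-signed or internal CA cert there instead of disabling verification."""
    ctx = ssl.create_default_context(cafile=cafile)

    def send(method, url, headers, body):
        req = urllib.request.Request(url, data=body, method=method, headers=headers)
        try:
            with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
                return resp.status, {k.lower(): v for k, v in resp.headers.items()}, resp.read()
        except urllib.error.HTTPError as err:  # 4xx/5xx: report the status, don't raise
            return err.code, {k.lower(): v for k, v in err.headers.items()}, err.read()
    return send


class IloRedfish:
    """Minimal Redfish client: session login, pending-BIOS write, reset, logout."""
    def __init__(self, host: str, transport: Transport):
        self.base = f"https://{host}"
        self.send = transport
        self.token: Optional[str] = None
        self.session_path: Optional[str] = None

    def _call(self, method: str, path: str, body=None):
        headers = {"Content-Type": "application/json", "Accept": "application/json"}
        if self.token:
            headers["X-Auth-Token"] = self.token
        data = json.dumps(body).encode() if body is not None else None
        status, hdrs, raw = self.send(method, self.base + path, headers, data)
        if status >= 400:
            raise RuntimeError(f"{method} {path} -> HTTP {status}: {raw[:200]!r}")
        return hdrs, raw

    def login(self, user: str, password: str) -> None:
        # Credentials are sent once; every later call carries the session token.
        hdrs, _ = self._call("POST", "/redfish/v1/SessionService/Sessions",
                             {"UserName": user, "Password": password})
        self.token, self.session_path = hdrs.get("x-auth-token"), hdrs.get("location")
        if not self.token:
            raise RuntimeError("login returned no X-Auth-Token")

    def set_bios(self, attributes: Dict[str, str]) -> None:
        # Writes go to the pending Bios/Settings resource and apply on the next boot.
        self._call("PATCH", "/redfish/v1/Systems/1/Bios/Settings", {"Attributes": attributes})

    def reset(self, reset_type: str = "ForceRestart") -> None:
        self._call("POST", "/redfish/v1/Systems/1/Actions/ComputerSystem.Reset", {"ResetType": reset_type})

    def logout(self) -> None:
        # Delete the session so no live token is left behind on the iLO.
        if self.session_path:
            try:
                self._call("DELETE", self.session_path.replace(self.base, "", 1))
            except RuntimeError:
                pass
            self.token = self.session_path = None


def push_settings(hosts: List[str], settings: dict, user: str, password: str,
                  transport: Transport, reboot: bool = False) -> Dict[str, str]:
    """Apply settings to each host; returns {host: "ok" or "error: <reason>"}."""
    results = {}
    for host in hosts:
        ilo = IloRedfish(host, transport)
        try:
            ilo.login(user, password)
            ilo.set_bios(settings["Attributes"])
            if reboot:
                ilo.reset()
            results[host] = "ok"
        except Exception as exc:  # one failing iLO must not abort the batch
            results[host] = f"error: {exc}"
        finally:
            ilo.logout()
    return results
```

Point it at a test subset first, as the post suggests, and read each server’s Bios/Settings resource for the attribute names it actually accepts.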

 

 

 

Give it a try!

Ready to give RESTful APIs a chance on your HPE servers and Aruba networking? Check out these resources:

HPE iLO REST API
GitHub Aruba

Not using RESTful API capable servers or networking? The seasoned professionals at Zunesis can assess your environment and recommend an appropriate refresh path utilizing the latest Aruba networking equipment and Gen10 HPE servers.

2020 IT Budget Forecast

Spiceworks recently released their 2020 Spiceworks State of IT Report. They surveyed more than 1,000 technology buyers in companies across North America and Europe. The study focused on how organizations will be spending their technology budgets next year.

According to their report, replacing outdated infrastructure will be the biggest IT spend next year. Most businesses are anticipating top-line revenue growth. As revenue grows, IT budgets typically increase as well.

What will be the key areas of focus in organizations’ 2020 IT Budget Forecast?

[Image: IT Budget 2020 Spiceworks]

Other key findings include:

  1. IT BUDGET GROWTH: IT budgets rise as businesses replace outdated technology. 44% of businesses plan to increase tech spend in 2020, up from 38% in 2019.
  2. BUDGET DRIVERS: One in four enterprises (1,000+ employees) are increasing 2020 IT spend due to a recent security incident.
  3. EMERGING TECH TRENDS: Business adoption of AI-powered technologies is expected to triple by 2021, while adoption of edge computing is expected to double. Large enterprises are adopting emerging technologies 5 times faster than small businesses.
  4. FUTURE TECH IN THE WORKPLACE: Two-thirds of large enterprises (5,000+ employees) plan to deploy 5G technology by 2021.

88% of businesses expect IT budgets to either grow or stay steady over the next 12 months. Compared to 2019, we’re seeing more upward acceleration.

44% of businesses plan to grow IT budgets in 2020. This is an increase from 38% in 2019. Organizations that expect IT budget growth next year anticipate an 18% increase on average. Only 8% of companies expect IT budgets to decline in 2020.

Key Categories for IT Spend

These categories represent more than half of the total IT spend in businesses today.

  1. Security: 7% of total IT budget spend. Pain points include identifying the right solution for their needs and comparing multiple solutions.
  2. Collaboration and Communication: 6% of total IT spend. Pain points include finding the right solution and quantifying the business problem that is trying to be solved.
  3. End-User Hardware: 22% of total IT budget spend.
  4. Server Technology: 9% of total IT budget spend. Pain points include identifying the right solution and seeing if the purchase will require other system upgrades.
  5. Networking: 4% of total IT budget spend.
  6. Storage and Backup: 10% of total IT budget spend.

Top 5 IT Challenges Expected in 2020

Businesses are looking for technology vendors and service providers to be an additional tool in their arsenal. They need additional help to navigate all the pain points out there.

These challenges include:

  1. Keeping IT infrastructure up to date
  2. Balancing IT tasks and improvement projects
  3. Upgrading outdated software
  4. Following security best practices
  5. Convincing business leaders to prioritize IT

Small businesses need more guidance than large enterprises when it comes to security best practices and maintaining disaster recovery policies, whereas enterprises will need more help with implementing new tech into their environment.

Future Tech

As for new tech adoption, there are a few categories that are expected to be adopted by 2021. Enterprises with 5,000+ employees will be the ones adopting these tech solutions first.

  1. AI Technology
  2. Hyperconverged Infrastructure
  3. Edge Computing
  4. 5G Technology
  5. Serverless Computing
  6. Blockchain Technology

In Conclusion

To summarize, the results show a healthy global economy. Aging technology in the workplace and more sophisticated security threats have IT spending up year-over-year.

We at Zunesis are prepared to assist you with your 2020 technology initiatives. From assessments to support and more, schedule a meeting with Zunesis to discuss how we can help you reach your technology goals.
