Security in cloud and hybrid systems is a big challenge. Assets must be secured in an environment whose contents and behavior you do not control, and which you share with other organizations, some of which might be your competitors. Additionally, there are adversaries who either live in the cloud, know how to compromise cloud-based systems, or both.
This year we address these challenges with two vendors, each of which takes a somewhat different approach. Securing these environments is more difficult than perimeter defense because the perimeter, if it exists at all, is very porous. What is needed is a security approach that has evolved in the cloud and is as comfortable in a virtualized environment as it is in the physical world. In other words, for this group the entire concept of the perimeter has changed significantly.
Our vendors this year were born and bred in virtual environments. More important, each has a distinctive way of viewing the cloud. However, just understanding the cloud is not enough. Modern data centers combine hardware-defined and software-defined infrastructure, and the two need to interact seamlessly. That means the security applied must be transparent across the two physically different environments. Added to the challenge is that a data center physically located at the organization may itself be hybrid, part virtual and part physical. The virtual part has unique requirements, such as protecting the hypervisor.
All of these disparities define an entirely new breed of enterprise security. That is what this group, and our three winners, are focused upon. The one aspect that seems to be universal is that all of the included environments should show up on the same console. We looked at several of these over the past couple of years and, whether or not we considered them innovators to the extent that they fit here, each product pulled together the data available in whatever environment it was looking at and displayed them in a single console. Moreover, the analytics they apply are applied equally across all monitored environments.
Guardicore Centra Security Platform
Last year we introduced this innovator by telling you that it “… was founded with the vision that security for the data center needs to not only be able to keep up with the rate of constant change, but also be able to close the gap between traditional security technology and a sophisticated threat actor's ingenuity.” This year GuardiCore is taking this notion to the next level by moving to the next generation of data center security technology: micro-segmentation, which divides the environment into workload-level zones with policy enforced between them. The technique provides better detection because it first provides better visibility: traffic between segments that a flat network would never inspect is now seen and evaluated.
GuardiCore places an agent on each workload. The agent enforces the policies it holds locally and reports what it sees, so the entire network, physical and virtual, appears in a single view and policies can be enforced consistently across the enterprise. This converged platform lets the customer deploy one platform across the enterprise, and because enforcement happens at the workload rather than at a choke point, it scales to very large enterprise networks.
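The following is an added illustration of the agent-on-the-workload model just described; it is constructed for this article and is not GuardiCore's agent, policy language or console. The workload inventory, label names, policy rules and sample flows are all assumptions made up for the example. A central, label-based policy is compiled into a per-workload allow-list, an agent on each workload enforces it with default deny, and every verdict is reported back to one shared log so the whole flow map, including blocked lateral movement, is visible in one place.

```python
"""Toy micro-segmentation: one central, label-based policy set is compiled into
a host-local allow-list for each workload, an agent on that workload enforces
it, and every verdict is reported back so one console sees the whole flow map.
Constructed example for this article; not GuardiCore's agent or policy language."""
from collections import Counter

# Constructed inventory: workload IP -> labels. Policy is written against
# labels, so it survives a workload moving between physical and virtual hosts.
WORKLOADS = {
    "10.0.1.10": {"app": "shop", "tier": "web", "env": "prod"},
    "10.0.1.11": {"app": "shop", "tier": "web", "env": "prod"},
    "10.0.2.20": {"app": "shop", "tier": "api", "env": "prod"},
    "10.0.3.30": {"app": "shop", "tier": "db",  "env": "prod"},
    "10.0.9.90": {"app": "shop", "tier": "db",  "env": "dev"},
}

# Central policy: (source selector, destination selector, allowed ports).
# Anything not matched is denied; default-deny is what makes the segments real.
POLICIES = [
    ({"tier": "web", "env": "prod"}, {"tier": "api", "env": "prod"}, {8443}),
    ({"tier": "api", "env": "prod"}, {"tier": "db",  "env": "prod"}, {5432}),
]


def matches(selector, labels):
    """A selector matches when every label it names has that value."""
    return all(labels.get(k) == v for k, v in selector.items())


def compile_for(dst_ip):
    """Compile the central policy into the allow-list one agent needs:
    the (source IP, port) pairs permitted to reach this workload."""
    mine = WORKLOADS[dst_ip]
    allow = set()
    for src_sel, dst_sel, ports in POLICIES:
        if matches(dst_sel, mine):
            for ip, labels in WORKLOADS.items():
                if matches(src_sel, labels):
                    allow.update((ip, port) for port in ports)
    return allow


class Agent:
    """Host-local enforcement point for one workload."""

    def __init__(self, ip, reports):
        self.ip = ip
        self.allow = compile_for(ip)
        self.reports = reports          # shared log -> the single console view

    def inbound(self, src_ip, port):
        verdict = "allow" if (src_ip, port) in self.allow else "deny"
        self.reports.append((src_ip, self.ip, port, verdict))
        return verdict


def run(flows):
    """Deploy an agent on every workload and push each constructed flow
    through the destination's agent. Returns the shared report log."""
    reports = []
    agents = {ip: Agent(ip, reports) for ip in WORKLOADS}
    for src, dst, port in flows:
        agents[dst].inbound(src, port)
    return reports


def flow_map(reports):
    """Console view: every (src, dst, port, verdict) tuple seen, with counts.
    Denied entries are where lateral movement becomes visible."""
    return Counter(reports)


FLOWS = [  # constructed sample traffic
    ("10.0.1.10", "10.0.2.20", 8443),   # web -> api: permitted by policy
    ("10.0.1.10", "10.0.3.30", 5432),   # web -> db directly: lateral move
    ("10.0.2.20", "10.0.3.30", 5432),   # api -> prod db: permitted by policy
    ("10.0.2.20", "10.0.9.90", 5432),   # prod api -> dev db: env mismatch
    ("10.0.3.30", "10.0.1.11", 22),     # db -> web over ssh: not in policy
]

if __name__ == "__main__":
    for entry, count in sorted(flow_map(run(FLOWS)).items()):
        print(count, *entry)
```

The point of compiling centrally and enforcing locally is that the agent on a workload never needs the full inventory or the full policy at decision time, only its own allow-list, which is what keeps the approach workable on very large networks; the shared report log is what gives the console its single view.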
GuardiCore is driven by the rapid development of the industry itself as well as the growing sophistication of the adversary. They told us last year that their mantra was that there are no simple problems, so there are no simple solutions. Marketing should be a challenge in a newly emerging market space, but in this case the company sees competition as a good thing in that it helps educate the customer base. Clearly this attitude is working: the company is globalizing its market and is up to around 100 employees. There is staying power here. The technology is solid, the attitude is in the right place, and the market, and the adversary, are moving at a speed that requires real effort to keep pace.
But they are keeping pace and, by our reckoning, pulling ahead. We attribute that, at least in part, to solid adherence to a customer-driven roadmap, which they follow, if not exactly slavishly, with a weather eye on what the market tells them it needs. We certainly expect to see them here next year for another innovator award.
This is a neat piece of innovation. The technology was developed at a large university as a research project by two professors and a PhD student. It uses formal verification, the same technique used to verify program code, which the researchers adapted into what they call “network verification.” After they built their first network verification system, they founded the company and, as far as we can tell, never looked back. They created their own algorithms to account for changes (the network is a dynamic beast, always changing). They treat the network as a program. While this is all very good, and works quite well, it is a bit challenging to explain to customers who likely are not familiar with formal methods for code and system verification.
What is interesting about this innovation is that the innovators do not monitor traffic or behavior on the network. They monitor for changes. Their position is that current technology catches problems only after they become evident, for example after a breach. These folks try to be predictive, hence the name, by building a model of the network using formal verification. The result is a rigorous model that treats the network as a state machine: each configuration change moves it to a new state. By applying state changes to the model and observing how it reacts, they can predict what would happen to the real network before the change is made.
They take the policies against which the network should be configured and verify the model against those policies whenever the network state changes. This checks both the policies and the behavior of the network against the policies; in other words, are the policies good and, if so, is the network configured in accordance with them? This is referred to as intent-based networking: is the network behaving as it is intended to?
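As an added illustration of the model-not-traffic approach described in the last two paragraphs, the following is a small network verification written for this article; it is not the vendor's engine and uses none of their algorithms. The topology, forwarding tables, deny entries and intent statements are all constructed assumptions. The network state is data, reachability is computed from that data rather than observed on the wire, every intent statement is re-checked when the state changes, and a proposed change is judged on a copy of the model before it reaches the real network. The example also shows two failure modes the text does not spell out: a removed deny entry that silently exposes a segment, and a route change that creates a forwarding loop.

```python
"""Toy network verification: forwarding and filtering state is modelled as
data, reachability is derived from the model rather than from observed
traffic, and every intent statement is re-checked whenever the state changes.
Constructed example for this article; not the vendor's engine or algorithms."""
from copy import deepcopy

# Constructed model: where each segment attaches, per-device forwarding tables
# (destination segment -> next-hop device) and per-device deny entries.
STATE = {
    "attach": {"internet": "edge", "web": "sw1", "db": "sw2"},
    "fib": {
        "edge": {"web": "fw", "db": "fw"},
        "fw":   {"web": "sw1", "db": "sw2", "internet": "edge"},
        "sw1":  {"db": "fw", "internet": "fw"},
        "sw2":  {"web": "fw", "internet": "fw"},
    },
    "acl": {"fw": {("internet", "db")}},    # fw drops internet -> db
}

# Intent: the operator's statement of what the network should do.
POLICIES = [
    ("internet", "web", True),    # public web tier must be reachable
    ("internet", "db", False),    # database tier must never be reachable
    ("web", "db", True),          # web tier must reach the database
]


def reachable(state, src, dst):
    """Walk the modelled path hop by hop. Returns (outcome, path) where
    outcome is 'delivered', 'filtered', 'no-route' or 'loop'."""
    path = [state["attach"][src]]
    seen = set(path)
    while True:
        dev = path[-1]
        if (src, dst) in state["acl"].get(dev, set()):
            return "filtered", path
        if state["attach"][dst] == dev:
            return "delivered", path
        nxt = state["fib"].get(dev, {}).get(dst)
        if nxt is None:
            return "no-route", path
        if nxt in seen:                  # the model, not a packet, finds the loop
            return "loop", path + [nxt]
        seen.add(nxt)
        path.append(nxt)


def verify(state, policies):
    """Check every intent statement against the model; return the violations
    as (src, dst, outcome, path) so an operator can see why each one failed."""
    violations = []
    for src, dst, want in policies:
        outcome, path = reachable(state, src, dst)
        if (outcome == "delivered") != want:
            violations.append((src, dst, outcome, path))
    return violations


def apply_change(state, mutate):
    """Apply a proposed configuration change to a copy of the model and
    re-verify, so the change is judged before it touches the real network."""
    proposed = deepcopy(state)
    mutate(proposed)
    return proposed, verify(proposed, POLICIES)


def drop_fw_acl(state):
    """Proposed change 1: someone 'cleans up' the firewall deny entry."""
    state["acl"]["fw"].discard(("internet", "db"))


def misroute_db(state):
    """Proposed change 2: a route update points fw's db traffic back at sw1."""
    state["fib"]["fw"]["db"] = "sw1"


if __name__ == "__main__":
    print("baseline:", verify(STATE, POLICIES))
    for change in (drop_fw_acl, misroute_db):
        _, violations = apply_change(STATE, change)
        print(change.__name__ + ":", violations)
```

Nothing here inspects a packet: both violations are found purely from the state, which is the distinction the text draws between watching for changes and watching traffic. A real engine reasons over address ranges and all packet headers at once rather than named segments, but the shape is the same: model, intent, and a re-check on every change.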
Their early funding came from DoD and NSF along with some venture money. They are quite new, as are the techniques they use, having been founded in 2016. The system is a hybrid: a virtual server called a collector sits on-premises, and the verification engine runs either on-prem or in the cloud as SaaS.