Security for Cloud Networking

New digital transformation initiatives driven by IoT, cybersecurity, cloud native applications, hybrid cloud, and service delivery are driving IT organizations everywhere to reinvent their architectures. The new framework is blurring the known trust perimeters currently defined by InfoSec. Protecting distributed assets on-prem and in the cloud from cyber attacks, as well as conforming to new regulations, requires a fresh approach to security: a Zero Trust Framework built on an open, software defined framework across the network, compute and security domains. In addition to the enforcement framework, real time visibility into workflows, detecting threats within the trusted zones and acting on them is essential to the new approach.

Patterned on the NIST guidance framework, Arista’s zero trust security is based on three guiding pillars and principles:

  1. Network-based multi domain segmentation
  2. Situational awareness and broad visibility for all network resources
  3. AI-Driven Network Detection and Response

These pillars provide IT security operations with a breadth of solutions, from software-driven control and observability to detection and response, that encompasses:

  • Multi-Domain Macro-Segmentation Services: The Arista Multi-Domain Segmentation for Zero Trust solution provides a suite of capabilities for integrating security policy with the network through an open and consistent segmentation approach across domains, from campus to data center to cloud.
  • High Performance Secure Connectivity: The Arista R series portfolio delivers cost effective and high performance bulk data encryption at scale for today’s cloud datacenters and interconnect providers.
  • Cognitive Management Plane: Leveraging complete and real time network state data, the CloudVision® analytics engine can help administrators automate the provisioning of security policy and the auditing of operational compliance.
  • Pervasive, organization-wide visibility & multi-tenant monitoring: DANZ Monitoring Fabric (DMF) enables IT operators to pervasively monitor all user, device/IoT and application traffic (north-south and east-west) by gaining complete visibility into physical, virtual and container environments.
  • Advanced Network Detection and Response (NDR): Awake Security is the only advanced network detection and response (NDR) solution that delivers answers, not alerts. By combining artificial intelligence with human expertise, Awake autonomously hunts for both insider and external attacker behaviors, while providing triage, digital forensics and incident response across the new network—campus, data center, Internet of Things (IoT) / operational technology (OT) and cloud networks.


Securing the Places-In-the-Cloud

Multi-Domain MSS® delivers a comprehensive segmentation solution for enterprise-wide use cases; it is open and standards based, with best-of-breed partner integrations and well defined APIs. It comprises three services: MSS Firewall, which provides security service insertion and allows flexible placement of firewall policy across DMZ edge, data center and campus networks; MSS Host, a data center focused solution in which security policies are extended from the virtualized host to bare-metal workloads; and MSS-Group, a new network segmentation service for controlling authorized network communication between groups.

Arista Zone Segmentation Security (ZSS) is a key security feature of the CloudEOS™ Router. ZSS simplifies access control by leveraging stateful inspection mechanisms and logical zone groupings. The feature is cloud-agnostic, working consistently across any cloud network including Amazon Web Services, Microsoft Azure and Google Cloud Platform.

Arista’s Cognitive Management Plane (CMP) delivers the cognitive controls needed to secure PICs (Places In the Cloud). Powered by Arista CloudVision, an enterprise can implement network-based segmentation, anomaly and audit controls, and zone segmentation in the cloud, as well as a modern approach to telemetry & analytics with real time state streaming from EOS, giving customers an unprecedented level of visibility into their network operations.

For security monitoring and traffic analysis, Arista has pioneered the integration of DANZ for out-of-band monitoring of any cloud workflow. DANZ allows the datacenter security team to cost effectively scan for vulnerabilities while watching for signs of attack at up to 100 Gbps per link, and it is widely used in sensitive cloud computing environments today.

DANZ Monitoring Fabric (DMF), powered by software defined networking (SDN) controls and leveraging cloud principles, delivers a new class of Network Packet Brokers (NPBs) for pervasive hybrid-cloud visibility. DMF provides packet recording intelligence, deep hop-by-hop visibility, predictive analytics and scale-out packet capture — integrated through a single dashboard — enabling simplified network performance monitoring (NPM) and SecMon workflows with real-time and historical context for on-premises data centers, enterprise campus/branch and 4G/5G mobile networks.

The Awake AI-Driven Security Platform is built on a foundation of deep network analysis from Awake Sensors that span data center, perimeter, core, IoT and operational technology networks as well as cloud workload networks and SaaS applications. The platform deeply analyzes billions of network communications to autonomously discover, profile and classify every device, user and application across any network. Using a multi-dimensional ensemble machine learning approach, it then models complex adversarial behaviors and detects threats by connecting the dots across entities, time, protocols and attack stages; this Adversarial Modeling™ capability is what allows Awake to uncover even the most complex attacker tactics, techniques, and procedures (TTPs). Awake’s Ava is the world’s first privacy-aware security expert system that can perform autonomous threat hunting and incident triage.