Resources - NetFoundry
https://netfoundry.io/resources/
Identity-First™ Networking. Feed last updated Wed, 01 Apr 2026 19:54:54 +0000.

Zero Trust API Security: Securing B2B APIs with NetFoundry
https://netfoundry.io/resources/zero-trust-api-security-securing-b2b-apis-with-netfoundry/
Sat, 15 Nov 2025 13:30:46 +0000 | NetFoundry White Papers

Executive Summary

In today’s interconnected digital world, Application Programming Interfaces (APIs) play a crucial role in enabling data exchange and service integration across organizations. As their usage expands, APIs are increasingly becoming targets for cyberattacks, especially when they are publicly exposed. Traditional security solutions like firewalls and VPNs struggle to effectively secure APIs, leaving companies vulnerable to breaches that can result in costly data losses and compliance issues.

NetFoundry’s Zero Trust API solution addresses these challenges by removing APIs from public internet exposure. This innovative approach leverages a software-based overlay network, embedding zero trust principles without relying on traditional security models. This white paper explores the nature of API vulnerabilities, the limitations of current solutions, and how NetFoundry’s solution enables centralized, secure, and high-performance API connectivity. By eliminating the need for VPNs, firewalls, and manual security management, businesses can better protect their API traffic and streamline their security infrastructure.

Secure API Connections

Protect your APIs with NetFoundry’s Zero Trust solution, eliminating public exposure and securing data exchanges across networks.

API Security Evolution

Stay ahead of API threats with NetFoundry’s Zero Trust solution—securing your APIs beyond traditional methods for seamless and safe digital transformation.

Why We Need Zero Trust API Security

B2B VPNs have served as the backbone of secure access for MSPs. Yet, as digital demands grow, VPNs present challenges that impede their ability to support the modern security needs of MSPs:

Security Vulnerabilities

VPNs operate on perimeter-based models, often granting broad network access. This allows lateral movement, increasing exposure to cyber threats. NetFoundry’s AppNets revolutionize this by eliminating the network connection entirely—attackers can’t exploit what they can’t reach.

Operational Complexity

Configuring VPNs across multiple clients requires managing IP allow lists, firewall rules, and individual VPN connections. AppNets replace these with outbound-only, zero-trust microsegmentation, significantly reducing administrative burden by simplifying connectivity across environments.

Performance Bottlenecks

VPNs use point-to-point connections that can become bottlenecks, impacting performance and user experience. AppNets, by contrast, provide a full-mesh overlay network with end-to-end control, minimizing latency and maintaining high-performance connectivity, even under heavy loads.

Compliance and Audit Limitations

Regulatory demands like GDPR and HIPAA require granular access control and audit trails. B2B VPNs fall short here, as they lack session-specific controls. AppNets provide session-level permissions and detailed logging, enhancing MSPs’ ability to maintain compliance.

Problem Statement

Modern APIs are particularly vulnerable due to a combination of factors:

  1. Public Exposure: APIs are often publicly accessible, making them easy targets for attacks. Traditional security methods leave open doors that attackers can exploit, such as exposed IPs or endpoints.
  2. Unique Configurations: APIs are often customized, creating unique “snowflake” configurations that require specific protections. This uniqueness makes it challenging to apply a one-size-fits-all security approach, increasing the likelihood of vulnerabilities.
  3. Rapid Updates: APIs evolve quickly, and development teams constantly push new updates to maintain functionality or add features. This rapid pace makes it difficult for security teams to keep up, often resulting in unpatched vulnerabilities.
  4. Operational Complexity: Traditional security measures for APIs require extensive patching, monitoring, and configuration management. This complexity drains IT resources and increases the risk of human error.

Real-world examples reveal the impact of API vulnerabilities (see the OWASP Top 10 API Security Risks). In recent years, several high-profile breaches have exposed sensitive data through poorly secured APIs, resulting in significant financial and reputational damage (8 Significant Recent API Breaches). These incidents underscore the need for a new approach to API security.

API Vulnerabilities

Protect your APIs from exposure, complexity, and rapid updates. NetFoundry’s Zero Trust solution offers adaptive security for today’s evolving API challenges.

Zero Trust Protection

Secure your B2B APIs with NetFoundry’s Zero Trust solution—private overlay network, Ziti architecture, and mTLS encryption keep your data hidden and safe.

Solution Overview

NetFoundry’s Zero Trust API solution is purpose-built to secure B2B APIs by removing their exposure to the internet entirely. Rather than relying on VPNs, firewalls, or other traditional security tools, NetFoundry’s solution leverages a software-based overlay network to create private, secure connectivity. This Zero Trust approach ensures that only authorized and authenticated endpoints can access APIs, shielding them from potential attackers.

Key Components:

  • Dedicated Software-Based Overlay Network: NetFoundry’s overlay network privatizes API traffic without the need for a traditional private network, hiding APIs from the public internet.
  • Embedded Ziti Architecture: The Ziti framework, embedded in NetFoundry’s solution, enables zero trust by allowing only pre-authorized entities to access APIs. Ziti prevents unauthorized access and hides API endpoints from potential attackers.
  • End-to-End Encryption: All API data is encrypted in transit, ensuring that sensitive information remains secure from interception or tampering. NetFoundry employs end-to-end encryption using mutual TLS (mTLS) to secure data transmitted across its network. This ensures that data is encrypted at the source, securely transmitted, and decrypted only at the destination, maintaining confidentiality and integrity throughout the communication process. 
  • Centralized Control and Compliance: NetFoundry’s management interface, NetFoundry Console, provides administrators with centralized control, making it easier to enforce compliance, manage access, and monitor API activity.

Technical Details

Dedicated Overlay Network

At the heart of NetFoundry’s Zero Trust API solution is a software-based overlay network. This network operates independently of the public internet, meaning that APIs are not visible or accessible to unauthorized users. The overlay network routes traffic directly from authenticated endpoints to the API, ensuring secure data exchange.

Ziti Architecture

Ziti is the open-source OpenZiti framework, which integrates zero trust security directly into the connectivity layer. By embedding Ziti in NetFoundry’s solution, APIs become invisible to the internet: access is granted only to identities authenticated through the network, effectively “darkening” the API from potential attackers.

End-to-End Encryption

Every packet of data within the overlay network is encrypted, so an attacker who can observe or inject traffic on the underlying network cannot read or alter it. This encryption is applied automatically, requiring minimal configuration.

Granular Access Control

The centralized control interface enables administrators to define access policies at a granular level, allowing only specific users or applications to access certain APIs. This reduces the attack surface and enforces compliance with regulatory standards.

Invisible API Security

NetFoundry’s overlay network with Ziti integration makes APIs invisible to attackers. Ensure secure, encrypted, and controlled access with Zero Trust protection.

Benefits and Advantages

Improved Security

By removing APIs from public exposure, NetFoundry dramatically reduces the likelihood of an API being targeted in an attack.

Scalability

The software-based nature of the overlay network allows organizations to scale API access as needed without the limitations of physical infrastructure.

Reduced Complexity

This solution eliminates the need for VPNs, firewalls, and other complex configurations. With centralized management, IT teams can control API access without extensive configuration or monitoring.

Cost Efficiency

Lower operational complexity translates into reduced costs for organizations, as fewer resources are required to maintain API security.

Compared to traditional VPN or firewall solutions, NetFoundry’s Zero Trust API approach delivers more robust security and operational simplicity, making it ideal for modern business environments.

Easy Deployment

Deploy NetFoundry’s Zero Trust API solution seamlessly—minimal hardware, quick integration, and full support for smooth, secure implementation.

Implementation Considerations

To deploy NetFoundry’s Zero Trust API solution, businesses should be aware of the following:

  • System Prerequisites: Compatible with most network and application environments, the overlay network can be deployed quickly, requiring minimal hardware.
  • Integration Steps: The solution integrates seamlessly with existing APIs, allowing businesses to implement Zero Trust without extensive reconfiguration.
  • Challenges and Mitigations: While Zero Trust may be a new approach for some teams, NetFoundry provides resources and support for quick adoption and training.

Zero Trust API Security

The rapid adoption of APIs in various industries underscores the need for robust API security that traditional methods cannot provide. NetFoundry’s Zero Trust API solution offers a transformative approach by removing APIs from internet exposure, privatizing access through an overlay network, and embedding zero trust principles. By protecting APIs without compromising performance, NetFoundry empowers businesses to operate securely, efficiently, and in compliance with industry standards. Organizations ready to enhance their API security should consider exploring NetFoundry’s solution for a scalable, cost-effective path to zero trust.

Transform API Security

Upgrade to NetFoundry’s Zero Trust solution—secure APIs without internet exposure or performance trade-offs, ensuring compliance and efficiency at scale.

FAQs

  1. Can NetFoundry’s Zero Trust API solution work alongside existing security protocols? Yes, it can complement existing protocols, offering an additional layer of security without requiring changes to current configurations or changes to the underlay network.
  2. What is required to scale the network as API demand grows? NetFoundry’s solution is inherently scalable due to its software-defined nature, allowing businesses to expand API access without costly hardware upgrades. The NetFoundry Cloud offers an Internet-overlay network using over 150 Points of Presence around the world.
  3. How does NetFoundry’s solution support compliance requirements?
    NetFoundry’s centralized control allows businesses to enforce granular access policies, making it easier to meet regulatory standards and audit requirements.
  4. What impact does the Zero Trust API solution have on performance?
    NetFoundry’s solution is designed for low latency and high performance, ensuring secure connections without compromising speed or user experience.
  5. What type of encryption does NetFoundry use? NetFoundry employs end-to-end encryption using mutual TLS (mTLS) to secure data transmitted across its network. This ensures that data is encrypted at the source, securely transmitted, and decrypted only at the destination, maintaining confidentiality and integrity throughout the communication process.
  6. How does NetFoundry’s solution differ from traditional VPNs? NetFoundry’s solution privatizes API traffic through an overlay network, eliminating the need for VPNs, which can introduce vulnerabilities and complexity.

KEO Replaces VPNs with NetFoundry’s Zero Trust Network
https://netfoundry.io/resources/keo-replaces-vpns-with-netfoundrys-zero-trust-network/
Fri, 14 Nov 2025 18:10:43 +0000 | NetFoundry Case Studies

KEO

KEO International Consultants, a global leader in architecture, engineering, and project management, has been at the forefront of delivering iconic projects for over 57 years. Ranked among the top international firms by ENR and World Architecture, KEO’s mission is to drive innovation and create remarkable experiences.

To support its global operations and diverse workforce, KEO recognized the need to overhaul its network infrastructure and find a VPN replacement, ensuring seamless connectivity across project sites, branch offices, and remote locations. 

KEO International Consultants transformed its network by partnering with NetFoundry to replace outdated MPLS and VPN technology, achieving over 50% cost savings and a 60% improvement in operational efficiency. This cloud-native, Zero Trust model enhances connectivity and security for KEO’s global workforce, supporting its innovation and digital transformation initiatives.

Case Study Highlights

Cost Reduction

Reduced network costs by over 50% with zero trust connectivity.

Global VPN Replacement

Enabled global workforce support with secure, agile cloud-native networking.

Rapid Deployment

Deployed secure networks in minutes, boosting operational efficiency by 60%.

Scaling Challenges Ahead

KEO needed a secure, cost-effective solution to replace inefficient MPLS circuits.

Obstacle

KEO faced numerous challenges in maintaining and scaling its global network. The reliance on MPLS private circuits and VPNs for secure access proved expensive, inefficient, and unable to support the organization’s growing connectivity needs. The existing VPN technology lacked modern security features and could not provide the robust, agile connectivity required to support their workforce efficiently. As KEO expanded its cloud presence through Azure in Europe, they needed a solution that could securely connect employees across branches, project sites, and remote locations, while reducing costs and improving performance. The firm planned to decommission their outdated MPLS circuits, but the lack of a scalable, secure alternative presented a significant hurdle. KEO also needed a VPN replacement that would be less of a burden to manage and maintain for all its customers, third parties, vendors, and partners.

Opportunity

KEO partnered with NetFoundry to leverage NetFoundry Cloud, its Zero Trust Network-as-a-Service (NaaS) platform. The solution provided a software-defined, cloud-native alternative to traditional networking models, allowing KEO to implement secure, micro-segmented connections from endpoints, branches, and cloud environments like Azure. The private secure network segments called AppNets were the perfect replacement for VPNs. The benefits of NetFoundry’s platform included:

  • Agility: Enabled secure and reliable connectivity, resulting in a 60% improvement in operational efficiency.
  • Software-Defined Networking: Eliminated the need for physical circuits and complex hardware, simplifying management and deployment.
  • NaaS Model: A fully managed, operational expense model with all infrastructure maintained by NetFoundry.
  • Cost Savings: Achieved more than a 50% reduction in costs compared to traditional MPLS circuits.
  • Simplification: Unified a single, global, zero trust and SASE (Secure Access Service Edge) environment.
  • Future-Proof Flexibility: A scalable solution that adapts to any use case and supports additional cloud and digital transformation initiatives.

Agile Secure Connectivity

NetFoundry’s AppNets deliver cost-effective, scalable, and software-defined networking.

“NetFoundry presented us with the opportunity to reset the old clichés and to disrupt long-standing operating models, creating a far more agile workforce and work itself. By collaborating with NetFoundry we are changing the game and building a highly agile digital organization to deliver unmatched innovation to our clients.”

Rapid Network Deployment

KEO swiftly builds secure, global networks, enhancing efficiency and operational flexibility.

Outcome

With the NetFoundry Cloud platform and AppNets, KEO transformed its global network into a fully programmable, cloud-native fabric. The firm can now deploy secure networks in minutes, allowing them to scale quickly and efficiently. By adopting NetFoundry’s NaaS model, KEO eliminated the need for dedicated IT resources to manage hardware and instead shifted their focus to delivering value to clients.

As a result, KEO achieved the following:

  • Reduced network costs by over 50% while maintaining high throughput performance.
  • Deployed secure networks rapidly, minimizing setup time from weeks to mere minutes.
  • Supported a globally dispersed workforce and implemented “Work from Anywhere” initiatives seamlessly.
  • Leveraged zero trust architecture and AppNets to provide military-grade security and secure web access, enhancing protection against cyber threats.
  • Improved operational efficiency by approximately 60% through simplified network management.
  • Reduced the risk of security breaches and vulnerabilities with a robust, end-to-end zero trust solution.

KEO’s network transformation exemplifies the power of cloud-native orchestration, allowing the company to manage zero trust, high-performance networks across the globe efficiently and securely.

VPN Replacement with NetFoundry AppNets

KEO International Consultants successfully transformed its networking infrastructure with NetFoundry’s Zero Trust NaaS platform. By replacing outdated MPLS circuits and VPN technology, KEO achieved significant cost savings, improved network performance, and enabled secure, agile connectivity for its global workforce. The collaboration between KEO and NetFoundry laid the foundation for further cloud-first initiatives and digital transformation, enhancing KEO’s ability to deliver innovative solutions to its clients.

Secure Connectivity Redefined

KEO replaces MPLS and VPN, achieving cost savings and enhanced performance.

Demo: Business-to-Business Connectivity
https://netfoundry.io/resources/demo-popup/
Mon, 18 Aug 2025 15:20:33 +0000

Ready to end the costly, risky VPN mess? Watch our demo to see just how powerful yet easy it is to upgrade to Identity-First Networking from NetFoundry.

About NetFoundry

Networking was once a barrier to app innovation and automation with dependencies on after-the-fact security and performance engineering. NetFoundry is shifting the paradigm in cybersecurity by embedding zero trust networking and security as code. Our NetFoundry Cloud solution embeds zero trust as software into apps, APIs, IoT devices, and other valuable assets rendering critical infrastructure invisible to the internet – and unreachable by potential attackers. It is the world’s first programmable, cloud native, zero trust network with near-unlimited scale, concurrency, and performance. NetFoundry Cloud represents a new art of the impossible by enabling developers, network engineers, DevOps, and cloud teams to programmatically control private, zero trust, high performance networking. NetFoundry Cloud is built on NetFoundry’s Ziti platform which is part of the OpenZiti project, the world’s most used and widely integrated open source networking platform.

Transitioning from B2B VPNs to AppNets – The Modern MSP Approach to Secure Access
https://netfoundry.io/resources/transitioning-from-b2b-vpns-to-appnets-the-modern-msp-approach-to-secure-access/
Thu, 14 Nov 2024 02:19:21 +0000 | NetFoundry White Papers

Introduction: The State of the Managed Services Industry

As digital transformation reshapes industries, managed service providers (MSPs) are increasingly tasked with securing access across diverse customer environments. With the rapid adoption of cloud and hybrid infrastructures, MSPs face the challenge of protecting client data while managing a variety of IT resources, from on-premises systems to multi-cloud setups. Traditionally, MSPs have relied on B2B VPNs (Business-to-Business Virtual Private Networks) as the go-to solution for secure remote access. However, the cybersecurity landscape demands a more advanced approach—one that supports zero-trust principles, increases scalability, and reduces operational complexity.

With NetFoundry’s AppNets, MSPs can transition from traditional B2B VPNs to a modern, session-specific zero trust connectivity model. AppNets eliminate network connections, removing traditional attack pathways and embedding security directly into each session. This white paper explores how AppNets provide a robust alternative to B2B VPNs for MSPs managing complex, multi-network environments.

Secure Access Revolution

Discover how NetFoundry’s AppNets empower MSPs to embrace zero-trust connectivity, enhancing data protection while simplifying multi-cloud and hybrid IT management.

VPNs: The Limits

Explore how traditional B2B VPNs struggle to meet the evolving security demands of MSPs.

Challenges with B2B VPNs in Managed Services

B2B VPNs have served as the backbone of secure access for MSPs. Yet, as digital demands grow, VPNs present challenges that impede their ability to support the modern security needs of MSPs:

  • Security Vulnerabilities: VPNs operate on perimeter-based models, often granting broad network access. This allows lateral movement, increasing exposure to cyber threats. NetFoundry’s AppNets revolutionize this by eliminating the network connection entirely—attackers can’t exploit what they can’t reach.
  • Operational Complexity: Configuring VPNs across multiple clients requires managing IP allow lists, firewall rules, and individual VPN connections. AppNets replace these with outbound-only, zero-trust microsegmentation, significantly reducing administrative burden by simplifying connectivity across environments.
  • Performance Bottlenecks: VPNs use point-to-point connections that can become bottlenecks, impacting performance and user experience. AppNets, by contrast, provide a full-mesh overlay network with end-to-end control, minimizing latency and maintaining high-performance connectivity, even under heavy loads.
  • Compliance and Audit Limitations: Regulatory demands like GDPR and HIPAA require granular access control and audit trails. B2B VPNs fall short here, as they lack session-specific controls. AppNets provide session-level permissions and detailed logging, enhancing MSPs’ ability to maintain compliance.

What NetFoundry’s AppNets Offer

NetFoundry’s AppNets offer an advanced, zero-trust approach to secure connectivity that eliminates network connections, enabling MSPs to provide secure, reliable access in multi-cloud and on-premises client environments. An AppNet is a software-defined segment of a NetFoundry overlay network dedicated to a specific application with access defined by a unique set of Identities, Services, and Policies. In the zero trust realm, this is called microsegmentation. AppNets fundamentally rethink network security by connecting specific sessions, not networks, effectively shielding client assets. 

Zero Trust Microsegmentation

AppNets use identity-based, session-specific access, ensuring only authorized users or devices can connect. This zero-trust microsegmentation drastically reduces the attack surface by eliminating inbound network ports.
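The access model just described, and the “Granular Access Control” section of the API white paper earlier on this page, can be made concrete with a small evaluator. The following is an added example, not NetFoundry or OpenZiti code. It models OpenZiti’s service-policy selectors (“#role” matches a role attribute, “@name” a specific entity, “#all” everything, with an AnyOf or AllOf semantic) over a constructed sample AppNet; every identity, service and policy name in it is hypothetical.

```python
"""Toy evaluator for OpenZiti-style service policies: identities, services and
policies joined by role attributes. Added example; not NetFoundry or OpenZiti code.
All entity and policy names below are constructed sample data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Identity:
    name: str
    roles: frozenset


@dataclass(frozen=True)
class Service:
    name: str
    roles: frozenset


@dataclass(frozen=True)
class ServicePolicy:
    name: str
    type: str             # "Dial" (client side) or "Bind" (hosting side)
    identity_roles: tuple  # selectors such as "#partner-acme", "@orders-host", "#all"
    service_roles: tuple
    semantic: str = "AnyOf"  # "AnyOf": any selector may match; "AllOf": all must


def _selected(name, roles, selectors, semantic):
    """Does an entity with this name and role set satisfy the selector list?"""
    if "#all" in selectors:
        return True
    hits = []
    for sel in selectors:
        if sel.startswith("@"):
            hits.append(sel[1:] == name)
        elif sel.startswith("#"):
            hits.append(sel[1:] in roles)
        else:
            raise ValueError(f"unknown selector {sel!r}")
    return all(hits) if semantic == "AllOf" else any(hits)


def matching_policies(identity, service, policies, action):
    """Names of policies of the given type that join this identity to this service."""
    return [p.name for p in policies
            if p.type == action
            and _selected(identity.name, identity.roles, p.identity_roles, p.semantic)
            and _selected(service.name, service.roles, p.service_roles, p.semantic)]


def can_dial(identity, service, policies):
    """Access exists only if at least one Dial policy names both sides."""
    return bool(matching_policies(identity, service, policies, "Dial"))


def reachability(identities, services, policies):
    """Per identity, the services it may dial: the whole surface a stolen
    credential buys, which is what a lateral-movement review wants to see."""
    return {i.name: sorted(s.name for s in services if can_dial(i, s, policies))
            for i in identities}


# Constructed sample AppNet: two partner API clients, two staff laptops,
# the identity that hosts the APIs, and two B2B APIs.
IDENTITIES = [
    Identity("acme-batch", frozenset({"api-clients", "partner-acme"})),
    Identity("beta-batch", frozenset({"api-clients", "partner-beta"})),
    Identity("laptop-bob", frozenset({"staff"})),
    Identity("laptop-ops", frozenset({"staff", "oncall"})),
    Identity("orders-host", frozenset({"api-hosts"})),
]
SERVICES = [
    Service("orders-api", frozenset({"b2b-api", "acme-only"})),
    Service("inventory-api", frozenset({"b2b-api"})),
]
POLICIES = [
    ServicePolicy("acme-orders", "Dial", ("#partner-acme",), ("#acme-only",)),
    ServicePolicy("partners-inventory", "Dial", ("#api-clients",), ("@inventory-api",)),
    ServicePolicy("oncall-staff", "Dial", ("#staff", "#oncall"), ("#b2b-api",), "AllOf"),
    ServicePolicy("api-hosting", "Bind", ("#api-hosts",), ("#b2b-api",)),
]

if __name__ == "__main__":
    for ident, reachable in reachability(IDENTITIES, SERVICES, POLICIES).items():
        print(f"{ident:12} -> {reachable}")
```

A stolen beta-batch credential buys inventory-api and nothing else: there is no shared network to pivot across, only the policies that name that identity, and laptop-bob reaches nothing because the AllOf policy requires both the staff and oncall attributes. The real controller additionally requires edge-router policies and a Bind policy on the hosting identity before a service can be dialed at all; the toy leaves those out.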

Software-Defined Connectivity

AppNets require no hardware dependencies, making them scalable and easily manageable as software. This software-only model lets MSPs deploy secure networking without physical infrastructure, cutting costs and simplifying operations.

One-Way Network Architecture

AppNet endpoints initiate outbound-only connections, so no inbound port is ever opened on the protected host. The connection direction is one-way, like a data diode, while application data still flows in both directions over that outbound session; services stay reachable to authorized sessions without being exposed to the network.
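To show what “outbound-only” and “no inbound ports” mean on the wire (this section, and the “Dedicated Overlay Network” description in the API white paper earlier on this page), here is an added example that is not NetFoundry code: a loopback relay stands in for a fabric edge router, the protected API host dials out to it and never listens, and the one client session is delivered back over that outbound socket. The 4-byte length framing, loopback addresses and request format are assumptions of the toy.

```python
"""Outbound-only ("dark") API hosting, as a runnable toy. The protected API host
never calls listen(); it dials OUT to a relay (a stand-in for a fabric edge
router) and serves the session the relay hands back over that same socket.
Added example modelled on the architecture described in the text; not NetFoundry
code. Framing, loopback addresses and the request format are assumptions."""
import socket
import struct


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed")
        buf += chunk
    return buf


def send_frame(sock, payload):
    """Length-prefixed message so the relay forwards whole requests."""
    sock.sendall(struct.pack("!I", len(payload)) + payload)


def recv_frame(sock):
    (n,) = struct.unpack("!I", _recv_exact(sock, 4))
    return _recv_exact(sock, n)


def handle_api_request(request):
    """The protected B2B API. It only ever sees traffic the relay delivers."""
    if request == b"GET /orders":
        return b'200 [{"id":1}]'
    return b"404"


def run_session():
    """One client request, relayed to an API host that has no listening socket."""
    # 1. The relay (edge-router stand-in) is the only thing that listens.
    relay = socket.socket()
    relay.bind(("127.0.0.1", 0))
    relay.listen(2)
    relay_addr = relay.getsockname()

    # 2. The API host dials out. Nothing on the host is bound or listening.
    api_out = socket.create_connection(relay_addr)
    api_side, _ = relay.accept()

    # 3. The client dials the relay (not the host) and sends its request.
    client = socket.create_connection(relay_addr)
    client_side, _ = relay.accept()
    send_frame(client, b"GET /orders")

    # 4. The relay forwards the request down the host's existing outbound socket.
    send_frame(api_side, recv_frame(client_side))

    # 5. The host reads the delivered request from its own outbound socket and answers.
    send_frame(api_out, handle_api_request(recv_frame(api_out)))

    # 6. The relay forwards the answer back to the client.
    send_frame(client_side, recv_frame(api_side))
    reply = recv_frame(client)

    for s in (client, client_side, api_out, api_side, relay):
        s.close()
    return reply


def probe_api_host_directly():
    """What a scanner sees when it targets the API host: nothing is listening.
    Pick a free loopback port (the host's "address") and try to connect to it."""
    tmp = socket.socket()
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    try:
        socket.create_connection(("127.0.0.1", port), timeout=1).close()
        return "open"
    except ConnectionRefusedError:
        return "refused"


if __name__ == "__main__":
    print("via relay:", run_session())
    print("direct   :", probe_api_host_directly())
```

The point is step 2: the host firewall can deny all inbound traffic and the API is still served, because the only socket the host owns is one it opened outbound. In the product the relay is the fabric and that outbound session is the identity-authenticated, mTLS-protected connection the text describes; the toy has no authentication and one hard-coded session.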

Programmable and Flexible

With APIs and SDKs, AppNets fit seamlessly into DevOps and CI/CD workflows, giving MSPs the flexibility to customize connectivity and meet unique client requirements.

How NetFoundry Works

Identity-First Connectivity™ with a secure Overlay Network and End-to-End Encryption

NetFoundry's Fabric Overlay securely connects clients like apps and devices to your environment.

MSP Advantage Unlocked

Discover how NetFoundry’s AppNets outpace B2B VPNs with enhanced security, streamlined operations, and unmatched scalability.

Why MSPs Should Replace Traditional B2B VPNs with AppNets

For MSPs, NetFoundry’s AppNets provide a clear advantage over B2B VPNs in terms of security, efficiency, and scalability:

  • Eliminated Security Risks: Unlike VPNs, which grant broad network access, AppNets use session-specific connectivity. This prevents lateral movement and protects sensitive data, even if credentials are compromised. By removing traditional network connections, AppNets address the root cause of many cyberattacks.
  • Reduced Operational Complexity and Cost: With AppNets, MSPs avoid complex configurations associated with VPNs. AppNets are easy to manage via software, reducing overhead and freeing resources. By replacing hardware and bolted-on security measures with secure, software-defined connectivity, MSPs improve efficiency and lower costs.
  • Improved Performance and Scalability: Built for high-performance applications, AppNets provide dedicated overlay networks that can adapt to multi-cloud and on-premises environments. With a full-mesh, self-healing design, AppNets ensure optimal data routing, performance, and availability.
  • Flexibility and Rapid Deployment: AppNets are versatile, supporting a variety of endpoints—IoT devices, servers, OT systems, firewalls, and more. They can be spun up in minutes and managed centrally, providing MSPs with the agility to quickly address client needs without network dependencies.

How AppNets Work – Design Principles

NetFoundry’s AppNets are built on three core principles that address MSPs’ needs for simplicity, security, and reliability:

  • Simplicity: AppNets are designed to be easy for authorized users to access and simple for administrators to manage. Users range from people to OT devices, and AppNets integrate seamlessly into diverse IT ecosystems.
  • Security by Design: AppNets eliminate network connections, embedding security into each session rather than trying to secure the network perimeter. This approach supports granular controls and ensures only authorized sessions gain access.
  • Reliability and Performance: AppNets operate on NetFoundry’s zero-trust overlay mesh, providing end-to-end encryption, self-healing capabilities, and optimal routing. This network control enables AppNets to deliver high-performance connectivity while minimizing latency.

Core Principles Empowered

NetFoundry’s AppNets prioritize simplicity, security, and reliability.

AppNets Are Reliable, Resilient, and Performant

AppNets provide a dedicated overlay network that connects authorized sessions directly, bypassing the limitations of B2B VPNs. This architecture offers several advantages for MSPs:

Self-Healing

The NetFoundry Fabric dynamically routes data through optimal paths, leveraging the world’s best tier-one backbones for high-speed, resilient connectivity.

Comprehensive Visibility and Control

By combining SD-WAN and ZTNA principles, AppNets give MSPs deep visibility into application- and network-level telemetry. This holistic view improves diagnostics, monitoring, and compliance tracking.

Identity-First Overlay Networks

NetFoundry's Identity-First Connectivity securely connects Suppliers with your environment.

Centrally Manage All Your Client Networks

NetFoundry empowers MSPs to centrally manage all client networks and AppNets seamlessly through the NetFoundry Console. This unified interface allows MSPs to control connectivity, enforce security policies, and monitor network performance across diverse client environments from a single, centralized platform. With real-time visibility and detailed telemetry, MSPs can proactively manage network configurations, ensure compliance, and instantly scale secure connections without needing complex VPN configurations or hardware. The console’s intuitive design and automation capabilities streamline operations, enabling MSPs to deliver secure, zero-trust connectivity efficiently and flexibly for each client’s unique needs.

The NetFoundry Console is a comprehensive management and orchestration platform designed to simplify the deployment and administration of secure, high-performance overlay networks. Key features include:

  • Network Configuration: Set up and manage NetFoundry networks, including the creation and oversight of endpoints, edge routers, and AppNets.
  • Identity Management: Administer identities and access policies to enforce zero-trust security principles, encompassing the creation of identities, role assignments, and multi-factor authentication (MFA) configurations.
  • Service Policies: Define and manage service policies that dictate how services are accessed within the network, ensuring secure and controlled connectivity.
  • Monitoring and Visibility: Monitor network performance and health through real-time metrics and status updates, providing insights into network activity and facilitating issue troubleshooting.
  • Automated Deployment: Rapidly deploy secure, application-specific networks (AppNets) across cloud environments using pre-built integrations with platforms like AWS, Azure, and Google Cloud.
  • Customization and Branding: Tailor the console with organizational branding, including vanity URLs and logos, to maintain a consistent brand identity within the management interface.
  • Security and Compliance: Implement zero-trust principles with features like identity-based microsegmentation, end-to-end encryption, and continuous authentication to enhance security and compliance.
  • Integration with DevOps Tools: Support integration with DevOps tools such as Jenkins, Ansible, Terraform, and CloudFormation, enabling automated deployment and management of network resources within CI/CD pipelines.

Centralized Network Control

Empower your MSP operations with the NetFoundry Console—a unified platform for managing AppNets and client networks.

Elevate Your Network

Transition from outdated B2B VPNs to NetFoundry’s AppNets for a secure, efficient, and high-performance networking solution.

Conclusion: Embracing a New Standard for MSP Security and Connectivity

For MSPs managing complex client environments, traditional B2B VPNs struggle to meet today’s security, performance, and compliance demands. NetFoundry’s AppNets offer a future-proof alternative, replacing network connections with session-specific connectivity that reduces the attack surface and improves operational efficiency. AppNets enable MSPs to deliver secure, flexible, and high-performance connectivity, positioning them to lead in a perimeterless future where secure, resilient data flow is paramount.

By adopting AppNets, MSPs can elevate their security posture, simplify management, and deliver a seamless client experience, paving the way for a new era of secure, software-defined networking.

Zero Trust for IoT: The Essential Strategy for Securing Industrial, Consumer, and Smart Technologies
https://netfoundry.io/resources/zero-trust-for-iot-the-essential-strategy-for-securing-industrial-consumer-and-smart-technologies/
Tue, 12 Nov 2024 13:22:01 +0000
NetFoundry White Papers



Zero Trust IoT

The Internet of Things (IoT) has transformed both industrial and consumer landscapes by enabling interconnected devices to communicate and share data seamlessly. However, as IoT connectivity expands, so do the security risks, highlighting the limitations of traditional perimeter-based security models in protecting dynamic, distributed IoT environments. Adopting a Zero Trust for IoT security framework is essential for safeguarding IoT networks and maximizing the potential of IoT-driven solutions.

Understanding Zero Trust in IoT

Zero Trust is a security paradigm that operates on the principle of “never trust, always verify.” In IoT, this approach requires every device, user, and network component to be authenticated and authorized before access is granted. By restricting network access to only verified entities, Zero Trust reduces the risk of unauthorized access, data breaches, and unintended interference, making it an ideal framework for securing IoT ecosystems.

Securing IoT with Zero Trust

Protect IoT networks with Zero Trust—authenticate every device, user, and connection for safe, reliable, and breach-resistant IoT environments.

Zero Trust IoT Applications

Enhance IoT security across industries with Zero Trust—protect smart factories, critical infrastructure, healthcare, and even smart homes by restricting access to verified devices only.

Use Cases

Industrial

Implementing Zero Trust in IoT is particularly beneficial in industrial settings. For example:

  • Smart Manufacturing: In a factory equipped with IoT sensors and machinery, NetFoundry’s Zero Trust solution ensures that only authorized devices and users can access critical systems, preventing unauthorized interventions that could disrupt operations.
  • Remote Monitoring: Industrial equipment often requires remote monitoring and maintenance. Zero Trust enables secure remote access without relying on traditional VPNs, which can be complex and less secure.
  • Energy and Utilities Management: Zero Trust secures IoT devices within power grids and water systems, preventing unauthorized access and service disruptions, protecting critical infrastructure, and ensuring safe delivery of essential resources like electricity, water, and gas.
  • Warehouse and Distribution with Robotics: In automated warehouses, Zero Trust secures IoT-connected robots and RFID scanners, restricting access to authorized systems. This prevents disruptions, protects inventory data, and ensures safe, uninterrupted operation, optimizing inventory management, picking, and packing processes in distribution centers.

Non-industrial

Zero Trust isn’t just for industrial environments. Many consumer-oriented IoT products, from smart homes to connected vehicles, also benefit from Zero Trust security, addressing unique security and privacy needs.

  • Smart Homes: Home automation devices like smart speakers, security systems, and appliances provide convenience but also expose households to vulnerabilities. A Zero Trust approach for smart homes ensures that only authorized users and devices can access critical functions, like unlocking doors or accessing cameras, safeguarding personal privacy and security.
  • Connected Vehicles: IoT in automotive technology enables features such as remote diagnostics, over-the-air updates, and autonomous driving functions. However, this connectivity poses risks if vehicle systems are compromised. Zero Trust limits vehicle access to authenticated systems and users, ensuring that critical functions like braking or steering cannot be manipulated by unauthorized parties.
  • Smart Cities: IoT is essential for managing urban infrastructure such as traffic lights, water distribution, and energy grids. By implementing Zero Trust, cities can protect these critical assets from tampering, ensuring that services remain reliable and safe, and minimizing the impact of cyber threats on public safety.
  • Healthcare Devices: From wearable fitness trackers to remote health monitoring systems, IoT is prevalent in healthcare. By adopting Zero Trust for these devices, healthcare providers can maintain patient privacy, prevent unauthorized data access, and ensure that devices operate securely, especially in sensitive environments like hospitals.

Challenges in IoT Security

IoT devices often lack robust security features, making them vulnerable to various threats. Common challenges include:

  • Device Vulnerabilities: Many IoT devices are designed with minimal security considerations, leading to exploitable weaknesses.
  • Unsecured Networks: IoT devices frequently operate over unsecured networks, exposing data to interception and tampering.
  • Lack of Centralized Control: The decentralized nature of IoT makes it difficult to implement consistent security policies across all devices.

Overcome IoT Security Gaps

Address device vulnerabilities, unsecured networks, and decentralized control with NetFoundry’s Zero Trust solution for comprehensive IoT protection.

NetFoundry’s Zero Trust Solution for IoT

Identity-Based Access

Each IoT device is assigned a unique identity, ensuring that only authenticated devices can communicate within the network.


Secure Communication Channels

Data transmitted between devices and applications is encrypted end-to-end, protecting it from interception and tampering.


Centralized Management

Administrators can define and enforce security policies across all IoT devices from a single platform, simplifying management and ensuring consistency.

IoT-Driven Manufacturing

Gain a competitive edge with IoT and Zero Trust security—enhance product value, customer experience, compliance, and operational efficiency in manufacturing.

IoT as a Competitive Advantage for Manufacturers

For manufacturers, embracing IoT is more than a technological upgrade—it’s a pathway to gaining a competitive edge. By integrating IoT capabilities with Zero Trust security, manufacturers can boost productivity, enhance operational efficiency, and deliver higher-value products with built-in security.

  • Enhanced Product Value: Connected devices provide added value through features like predictive maintenance, remote diagnostics, and performance optimization. By embedding secure connectivity from the outset, manufacturers offer products that not only operate efficiently but also reassure customers with resilient, safe solutions.
  • Improved Customer Experience: With secure IoT devices, manufacturers can deliver seamless remote support and updates, resulting in better customer satisfaction and reduced downtime. A Zero Trust IoT approach guarantees that these services remain reliable and free from tampering or unauthorized access.
  • Streamlined Compliance and Reduced Liability: Manufacturers producing IoT-enabled equipment must comply with industry regulations, including data protection and safety standards. Zero Trust frameworks provide an easy route to regulatory compliance by enforcing consistent security policies and reducing the risk of breaches, thus lowering liability and enhancing brand trust.
  • Optimized Operational Efficiency: Securely interconnected machinery and sensors can optimize production lines and supply chains through real-time data sharing and analysis. By protecting these connections with Zero Trust, manufacturers ensure that critical systems remain resilient, tamper-proof, and constantly operational, even under potential cyber threats.

Technical Implementation

NetFoundry’s Zero Trust framework integrates seamlessly with existing IoT infrastructures. The implementation involves:

  • Embedding Security: NetFoundry’s solution can be embedded directly into IoT devices or applications, providing inherent security without the need for additional hardware.
  • Microsegmentation: The network is divided into smaller segments, each with its own security policies, limiting the potential impact of a compromised device.
  • Continuous Monitoring: The system continuously monitors device behavior and network traffic, allowing for real-time detection and response to anomalies.

Seamless IoT Security

Embed NetFoundry’s Zero Trust—integrate security, microsegmentation, and continuous monitoring for resilient and protected IoT infrastructures.

Zero Trust IoT Advantages

Achieve robust security, compliance, and scalability—protect IoT networks with enhanced visibility, breach containment, and trusted IT infrastructure.

Benefits of Zero Trust for IoT

Adopting a Zero Trust approach in IoT environments offers several advantages:

  • Enhanced Security: By verifying every access request, Zero Trust minimizes the attack surface and reduces the risk of both external attacks and insider threats.
  • Improved Compliance: Zero Trust helps organizations meet stringent regulatory requirements for data protection by implementing strict access controls and data security measures.
  • Reduced Data Breach Impact: By segmenting the network and applying least-privilege access controls, Zero Trust limits how much damage a potential breach can cause, as attackers can’t easily move laterally across the network.
  • Greater Visibility and Control: Continuous monitoring and logging of all network and user activities enhance visibility into network traffic and user behavior, enabling more effective detection and response to anomalies.
  • Scalability and Flexibility: Zero Trust architectures are adaptable to varying network environments, including cloud and hybrid systems, making them suitable for modern, dynamic IT ecosystems.
  • Increased Trust in IT Environment: With robust security measures in place, stakeholders can have greater confidence in the IT environment’s ability to protect sensitive data and systems.

Conclusion

As IoT becomes integral to modern life across industrial and consumer landscapes, protecting these networks becomes increasingly critical. NetFoundry’s Zero Trust solution provides a robust framework to protect IoT environments from evolving cyber threats, ensuring secure, reliable, and efficient operations. Embracing Zero Trust is not just a security measure but a strategic imperative for organizations and manufacturers aiming to leverage the full potential of IoT.

Zero Trust for IoT

Secure and maximize IoT potential with NetFoundry’s Zero Trust solution—protect against evolving threats for reliable and efficient operations across all environments.

Streamlined DevOps with Zero Trust: Boost Speed and Simplify with NetFoundry
https://netfoundry.io/resources/streamlined-devops-with-zero-trust-boost-speed-and-simplify-with-netfoundry/
Tue, 12 Nov 2024 00:08:48 +0000
NetFoundry White Papers



Introduction

In today’s rapidly evolving digital landscape, DevOps teams face mounting challenges to balance speed, agility, and security. Traditional network security methods fall short when applied to modern multi-cloud and Kubernetes environments, creating vulnerabilities that can compromise operations. NetFoundry offers a cutting-edge zero trust DevOps solution tailored to address these challenges, empowering DevOps teams to enhance security and efficiency.


Description of the Problem

DevOps practices have transformed software development, but they also introduce unique security concerns:

  • Complex Security Requirements: Traditional, IP-based security models and VPNs expand the attack surface and increase vulnerabilities in dynamic, multi-cloud environments. The reliance on network perimeter defenses creates blind spots that can be exploited by attackers.
  • Tooling Vulnerabilities: CI/CD pipelines, monitoring tools, ETL processes, and data warehouses can be potential entry points for attackers, often exposed by misconfigurations. These tools, integral to DevOps workflows, are often not designed with built-in security, making them susceptible to breaches.
  • Access Management Issues: Granting developers broad access to production environments risks exposing sensitive data and critical systems to potential threats. Traditional methods for managing permissions can be cumbersome, leading to overly permissive access or delays in operations.
  • Multi-Cloud Complexity: Managing security across diverse cloud platforms and services complicates standardization and consistency, increasing the risk of configuration errors.

Empower DevOps Security

NetFoundry’s zero trust solution integrates seamlessly into DevOps workflows, providing identity-based access, eliminating network vulnerabilities, and empowering teams to deploy faster—without compromising security.

DevOps Security Gaps

NetFoundry offers a zero trust approach that eliminates open ports, reduces attack surfaces, and enhances scalability, agility, and security.

Traditional DevOps Security Challenges

Before diving into NetFoundry’s solutions, it’s important to understand why traditional DevOps security tools fall short:

  • VPNs (Virtual Private Networks): While VPNs create secure tunnels between networks, they expose entire private networks, require open ports, and introduce latency. This not only expands the attack surface but also complicates scaling and increases configuration management overhead.
  • VPC Peering and Private Networking: VPC (Virtual Private Cloud) peering enables communication within specific regions but involves manual configuration, lacks scalability, and requires extensive IP address planning. This limits agility and adds significant administrative burden.
  • Direct Connect and ExpressRoute: While offering dedicated connections, these services are costly, rely on physical infrastructure, and still adhere to traditional IP-based security models, limiting flexibility and responsiveness.
  • Mesh Networking Solutions: While these can simplify multi-cluster connectivity, they introduce additional layers of complexity and may not inherently provide zero trust security, leaving potential gaps in the security model.

Specific Use Cases and NetFoundry Solutions

Continuous Integration and Continuous Deployment (CI/CD)

    • Challenge: Automated CI/CD processes can expose critical systems, increasing the risk of unauthorized access through code repositories, build servers, and deployment tools.
    • NetFoundry Solution: Integrates zero trust security into CI/CD pipelines, ensuring that only verified identities can access each stage. This prevents unauthorized interactions and maintains the integrity of the deployment process. By enforcing identity-based access controls, DevOps teams can manage who and what interacts with their CI/CD systems without relying on traditional perimeter security.
    • Advantages: Enhanced protection for source code, deployment automation, and data integrity without slowing down the development cycle.

Monitoring Systems

    • Challenge: Monitoring platforms have broad access to production environments to ensure uptime and performance. If not properly secured, they become attractive targets for attackers.
    • NetFoundry Solution: Provides identity-based access that eliminates exposed IPs and ports, ensuring that only authorized components can interact with monitoring systems. This prevents unauthorized access and secures telemetry data, protecting the integrity of performance and incident management.
    • Advantages: Reduces the risk of compromised monitoring tools leading to full-scale breaches, while maintaining visibility and control over system health.

Extract, Transform, Load (ETL) Processes

    • Challenge: ETL jobs are often designed to handle business-critical data and must interact with various data sources. Misconfigurations or exposed connections can lead to data leaks.
    • NetFoundry Solution: Uses zero trust connectivity to secure ETL processes by eliminating exposed ports and ensuring only authenticated identities can interact with data sources. The system’s identity-based security framework ensures that data interactions remain protected and confidential.
    • Advantages: Maintains data privacy and integrity, protecting sensitive information during data aggregation and processing.

Data Warehouses

    • Challenge: Central repositories of business data are high-value targets for attackers, as unauthorized access can result in substantial data breaches and operational disruption.
    • NetFoundry Solution: Enforces strict access policies that only permit authenticated users and services to interact with data warehouses. The zero trust model ensures that data warehouses are protected from unauthorized extraction and interactions, maintaining compliance with data protection regulations.
    • Advantages: Reduces the risk of breaches, enhances data governance, and ensures continuous protection against insider and external threats.

Configuration Management

    • Challenge: Tools for configuration management have the power to modify, scale, or disable infrastructure, making them high-risk if not secured properly.
    • NetFoundry Solution: By applying zero trust principles, NetFoundry secures these tools by allowing only verified identities to interact with them. Centralized policy-based access controls enable DevOps teams to manage permissions effectively and adapt them as necessary.
    • Advantages: Prevents unauthorized configuration changes that could lead to operational disruptions or vulnerabilities.

Developer Access Management

    • Challenge: Developers need access to production environments for troubleshooting, but broad permissions can expose critical systems to potential human errors or malicious intent.
    • NetFoundry Solution: Implements least-privilege access policies that grant developers only the permissions they need for their tasks. This is managed through centralized policy enforcement, making it easier to adjust access based on project needs or security updates.
    • Advantages: Balances the need for developer agility with robust security, ensuring production systems remain secure while supporting rapid incident response.

Zero Trust DevOps Security

NetFoundry’s zero trust framework secures every stage of DevOps—protecting CI/CD, monitoring, ETL, data warehouses, configuration management, and developer access.

Advantages of Using NetFoundry Zero Trust for DevOps Operations

Enhanced Security Posture

Minimizes attack surfaces by making resources invisible, leveraging identity-based, encrypted connections to reduce the risk of exposure.

Operational Efficiency

Integrates seamlessly with CI/CD and Kubernetes workflows, reducing setup and maintenance time by automating connectivity processes.

Cost Savings 

Reduces dependency on VPNs, firewall configurations, and complex networking solutions, cutting infrastructure and operational expenses.

Scalability

Facilitates secure expansion across multi-cloud and hybrid environments without the limitations of traditional networking models.

Improved Compliance

Policy-driven controls support adherence to industry standards, ensuring sensitive data is protected and compliance requirements are met.

Faster Time-to-Market

Streamlines secure connectivity for rapid deployment without network reconfiguration delays, enhancing overall productivity.

Better Collaboration

Provides developers and teams with secure, direct access to resources and production environments without compromising security or agility.

Future-Proof Security

As DevOps practices and technologies evolve, NetFoundry’s zero trust architecture adapts to support new tools and processes without significant restructuring.

Empower DevOps with Zero Trust

NetFoundry delivers a zero trust networking solution tailored for DevOps, enhancing security in CI/CD pipelines, Kubernetes, and essential tools.

Zero Trust DevOps from NetFoundry

NetFoundry’s zero trust networking solution empowers DevOps teams to achieve secure, scalable, and efficient operations. By embedding security into CI/CD pipelines, Kubernetes clusters, and critical DevOps tools, NetFoundry ensures robust protection without sacrificing agility. DevOps teams can confidently innovate and deploy high-performance systems, knowing that their operations are safeguarded by a future-ready security model.

NetFoundry Cloud: Simplifying Zero Trust Networking Deployments
https://netfoundry.io/resources/netfoundry-cloud-simplifying-zero-trust-networking-deployments/
Sat, 09 Nov 2024 14:26:34 +0000
NetFoundry, Developers of OpenZiti White Paper



NetFoundry Cloud is a comprehensive, enterprise-grade Network-as-a-Service (NaaS) solution designed for seamless deployment, configuration, and management of zero trust overlay networks powered by the NetFoundry Ziti platform and architecture. Widely adopted by the open source OpenZiti community, NetFoundry Cloud supports development, prototyping, and production deployment of OpenZiti solutions, even in highly secure and mission-critical environments.

Harnessing the global innovation of OpenZiti, NetFoundry Cloud provides a robust NaaS designed for IT and OT applications with stringent security demands. As a fully managed service, NetFoundry handles all hosting, updates, maintenance, and security, allowing organizations to deploy secure, high-performance overlay networks instantly across the programmable NetFoundry Fabric—without the need for additional infrastructure or hardware.

This resilient, scalable service significantly reduces the cost, time, and complexity of implementing zero trust internet overlays, enabling businesses to focus on their core objectives while benefiting from enhanced security, streamlined scalability, optimized performance, and complete network visibility.

Instant Secure Networks

Unlock secure, high-performance connectivity with NetFoundry Cloud, the enterprise-grade NaaS solution that deploys zero trust overlay networks effortlessly.

NetFoundry vs DIY

Forget the complexities of DIY: NetFoundry Cloud simplifies deployment, management, and compliance with zero trust principles and global reach, while cutting costs and reducing risk.

NetFoundry Cloud Advantages

NetFoundry Cloud drastically simplifies secure networking compared to traditional private self-managed networks. Companies must carefully consider the challenges of building and operating their own infrastructure and networks given the complexity of today’s hyper-connected world and constant exposure to security risks. Here are some advantages of using NetFoundry Cloud over traditional DIY (Do It Yourself) in-house approaches:


Ease of Deployment

DIY: Requires significant time and expertise to manually configure and deploy network components across multiple cloud environments.


Multi-Tenant and OEM/White label

NetFoundry Cloud: The NetFoundry platform is designed to be OEMed and embedded in physical and software products. It is geared toward MSPs, software companies, and smart connected product manufacturers who want to build zero trust connectivity into the products and services they deliver to clients. This includes a multi-tenant platform with a multi-account structure and RBAC; per-customer PKI with the ability to integrate individual customer identity providers and third-party tools seamlessly; extensive logging and auditing; centralized consumption, reporting, and billing; high automation and APIs; and the ability to white label and brand the product with flexible pricing to fit your commercial go-to-market strategy.

DIY: Requires custom solutions for multi-tenancy, RBAC, PKI/integrations, logging, billing, APIs, and white labeling.


Cost Efficiency

NetFoundry Cloud: Reduces costs with a managed service model, eliminating the need for extensive in-house resources and ongoing maintenance. NetFoundry provisions, configures, manages, and upgrades the infrastructure, including OS, Ziti software installations, and NetFoundry-hosted controllers and routers.

DIY: High initial setup costs and ongoing expenses for infrastructure, maintenance, and skilled personnel.


Scalability

NetFoundry Cloud: Seamlessly scales with automatic resource adjustments based on demand, ensuring optimal performance and cost-efficiency. It supports over 150 million fabric sessions weekly.

DIY: Manual scaling is complex and resource-intensive, requiring careful planning and execution.


High Availability

NetFoundry Cloud: Built-in redundancy, load balancing, and multi-region replication ensure high availability and reliability, with daily backups and disaster recovery (DR) across sites for high SLAs.

DIY: Ensuring high availability requires significant expertise and resources to implement and maintain redundancy and failover mechanisms.


Security

NetFoundry Cloud: Comprehensive security services including IAM, encryption, DDoS protection, and zero trust principles are built-in and managed. Production and development systems run in ‘dark networks’ with no inbound ports, and administrative access is ephemeral, granted under JIT/JEA (just-in-time, just-enough-access) policy.

DIY: Implementing and maintaining robust security measures requires extensive knowledge and continuous effort.


Global Reach

NetFoundry Cloud: Utilizes a global network of data centers for low-latency routing and edge computing, enhancing performance and user experience. Controllers and edge routers can be deployed in several cloud providers’ data centers or self-hosted. Networks can also be geographically constrained and deployed locally for sovereignty.

DIY: Establishing a global presence requires significant investment in infrastructure and expertise in managing distributed networks.


Simplified Management, Visibility, and Analytics

NetFoundry Cloud: Centralized management of multi-tenant zero trust networks via a web console and APIs, with built-in telemetry, monitoring, patching, upgrades, and detailed dashboards for connection health checks, network flows, path latency, and more. Each network is dedicated to the customer and isolated from other customer networks.

DIY: Requires custom solutions for management, monitoring, and maintaining visibility across the network.


Expert Support and Proactive Monitoring

NetFoundry Cloud: Access to NetFoundry’s team of experts ensures your network runs smoothly and efficiently. NetFoundry provides 24/7 support, including technical engineering and pre-sales assistance, along with systems and tooling built to monitor networks and act on alerts.

DIY: Requires in-house expertise to troubleshoot and resolve issues, adding to operational complexity.


Self-Healing Network

NetFoundry Cloud: Configures the network to properly utilize OpenZiti self-healing capabilities, providing the least latency paths within the fabric for your traffic based on “smart routing”.

DIY: Setting up and operating a self-healing network properly requires advanced knowledge, expertise, and experience.


Accelerated Software Updates

NetFoundry Cloud: Customers can request and receive priority paths for feature requests, sometimes delivered within days, providing rapid software fixes and enhancements. This access to NetFoundry’s product and engineering teams accelerates development and ensures critical capabilities are available when needed.

DIY: Requires internal development resources to create and implement new features, which can be time-consuming and costly.


Compliance and Integration

NetFoundry Cloud: SOC2 Type 2 certified, with a legal framework and SLAs in place. Offers pre-built integrations with leading IdP/CAs, IAM, directories, SIEM/SOC/SOAR, EDR, SSO, and more, simplifying compliance and integration.

DIY: Achieving and maintaining compliance and integrating with various enterprise systems requires significant effort and expertise.


Liability Protection

NetFoundry Cloud: The EU Cyber Resilience Act (CRA) and Product Liability Directive (PLD) are two cornerstone regulations addressing the security, safety, and accountability of digital products. NetFoundry’s zero trust platform helps companies meet them by embedding secure, scalable networking into digital products at design time, reducing exploitable exposure and supporting compliance.

DIY: Without zero trust designed in, companies must bolt on software to comply. This leads to complex security management, higher operational costs, and increased risks.

NetFoundry Cloud Feature Summary

Ease of Deployment
  NetFoundry Cloud: Quick with orchestration tools.
  Unique capabilities: NetFoundry Console and orchestration platform.
Cost Efficiency
  NetFoundry Cloud: Lower costs, managed service.
  Unique capabilities: Rapid provisioning; volume purchasing power of public cloud compute; economies of scale.
Scalability
  NetFoundry Cloud: Automatic scaling.
  Unique capabilities: Proven, tuned, optimized NetFoundry Fabric.
High Availability
  NetFoundry Cloud: Built-in redundancy and DR.
  Unique capabilities: Over 140 POPs available.
Security
  NetFoundry Cloud: Comprehensive, managed security.
  Unique capabilities: Configured with no open inbound ports; services including IAM, encryption, DDoS protection.
Global Reach
  NetFoundry Cloud: Global data centers, low latency.
  Unique capabilities: Over 140 POPs available.
Management and Analytics
  NetFoundry Cloud: Centralized with built-in tools.
  Unique capabilities: NetFoundry Console and telemetry; automated monitoring and alerts.
Support and Monitoring
  NetFoundry Cloud: 24/7 expert support.
  Unique capabilities: Experienced team.
Self-Healing Network
  NetFoundry Cloud: Utilizes self-healing capabilities.
  Unique capabilities: Optimized setup of Ziti self-healing features.
Software Updates
  NetFoundry Cloud: Rapid updates and fixes.
  Unique capabilities: Automated processes.
Compliance and Integration
  NetFoundry Cloud: SOC2 certified, pre-built integrations.
  Unique capabilities: Hardened and compliant environments.
Liability Protection
  NetFoundry Cloud: Secure by design, ideal for CRA and PLD compliance.
  Unique capabilities: Zero trust connectivity that can be embedded and designed into products.

Navigating EU Regulations

The EU has introduced the Cyber Resilience Act (CRA) and Product Liability Directive (PLD) to ensure digital product security, accountability, and safety. These regulations highlight secure product standards and hold companies accountable for harm due to security flaws, making compliance essential for regulatory adherence and customer trust.

 

Overview of the Cyber Resilience Act (CRA)

The CRA mandates that connected devices meet cybersecurity standards, covering design, lifecycle maintenance, and post-market updates. It applies to IoT devices and software applications, requiring regular testing and documentation. CRA also introduces penalties for non-compliance, pushing manufacturers to uphold strict security measures.


Overview of the Product Liability Directive (PLD)

The PLD holds companies liable for defects, expanding this to include cybersecurity flaws. It eases the burden of proof for consumers and extends liability across the supply chain, covering new types of damages like data loss. Non-compliance with PLD can lead to financial penalties for manufacturers.


How the CRA and PLD Work Together

CRA proactively requires cybersecurity integration from design, while PLD reactively addresses liability when security flaws cause harm. Together, they enforce cybersecurity as part of product safety, offer consumers protection, and incentivize compliance.


How NetFoundry Supports Compliance

NetFoundry’s zero-trust solution helps meet CRA and PLD requirements by embedding security into network operations. Key benefits include:

  • Zero Trust Security: Replaces inbound network exposure with authenticated, outbound-only overlay connections, reducing the attack surface.
  • Microsegmentation: Independently authorizes each session, protecting against lateral movement.
  • Logging and Monitoring: Provides real-time telemetry to support compliance audits.
  • Flexible Deployment: Operates across multi-cloud, hybrid, and on-premises environments.

EU Cyber Compliance

Designed for the Cyber Resilience Act (CRA) and Product Liability Directive (PLD), NetFoundry embeds advanced security into your digital products, reducing vulnerabilities and ensuring accountability.

Real-World Success Stories

Discover how industry leaders leverage NetFoundry’s zero trust solutions to enhance security, scalability, and rapid deployment.

Case Studies

  1. Leading Cybersecurity Software Provider (White Label): Within 90 days, this provider launched a white-labeled zero trust solution for their clients using NetFoundry. Instead of building, managing, and scaling their own infrastructure, they leveraged NetFoundry’s APIs, reducing time and complexity for rapid deployment at scale.
  2. Global Cybersecurity OEM: During a proof-of-concept (PoC) with a major U.S. financial client, this OEM needed NetFoundry to support a specific proxy. NetFoundry quickly developed the solution, enabling a successful PoC and deal closure, demonstrating agile, client-focused support.
  3. Marposs: Marposs used NetFoundry Cloud to develop and launch a secure, next-generation product for OT and mission critical environments. Within days, they had a working prototype, and in under a year, the full solution was deployed, transforming secure deployment in critical infrastructure.
  4. TZ Smart Lockers: TZ implemented NetFoundry to secure its smart locker systems used by global logistics providers. Using zero trust principles, they achieved seamless, scalable, secure connectivity across facilities, allowing real-time access and improved security management for distributed systems.
  5. NetFoundry’s Internal Scaling: As NetFoundry grew, manual patching became impractical. While we were building a patching solution on SaltStack, that product suffered a severe CVE, and several large vendors’ patching systems (including Cisco’s) were publicly compromised as a result. Unwilling to expose customer systems to that class of risk, we rebuilt our patching system on Ziti itself, so that the management plane has no reachable inbound port and that attack vector no longer exists.

Summary

NetFoundry Cloud is an enterprise-grade turnkey NaaS solution that eliminates the complexities and costs associated with building and maintaining Ziti-based overlay networks in mission-critical, highly secure environments. The solution includes comprehensive support, advanced features, and seamless integration to ensure your cloud environment is protected, efficient, and future-ready. This managed service approach provides your business with speed, agility, and cost efficiency, allowing you to focus on your core business objectives while enjoying enhanced security, scalability, performance, and visibility.

Secure NaaS Solution

With a fully managed service approach, NetFoundry Cloud delivers agility, scalability, and cost savings—enabling you to focus on business growth while ensuring robust security and seamless performance.

NetFoundry Cloud vs Do-It-Yourself Comparison

Ease of Deployment
  NetFoundry Cloud: Quick deployment with orchestration software and APIs; automation tools or YAML/JSON.
  DIY: Requires significant time and expertise for manual configuration and deployment.
Cost Efficiency
  NetFoundry Cloud: Managed service model reduces costs by eliminating in-house resources and maintenance.
  DIY: High setup costs and ongoing expenses for infrastructure and skilled personnel.
Scalability
  NetFoundry Cloud: Automatic resource adjustments for optimal performance and cost-efficiency; supports high volume.
  DIY: Manual scaling is complex and resource-intensive.
High Availability
  NetFoundry Cloud: Built-in redundancy, load balancing, multi-region replication, daily backups, and disaster recovery.
  DIY: Requires significant expertise and resources for redundancy and failover.
Security
  NetFoundry Cloud: Comprehensive security services including IAM, encryption, DDoS protection, and zero trust principles.
  DIY: Requires extensive knowledge and continuous effort for robust security measures.
Global Reach
  NetFoundry Cloud: Global network of data centers for low-latency routing and edge computing; local deployment for sovereignty.
  DIY: Significant investment and expertise needed for managing distributed networks.
Simplified Management and Analytics
  NetFoundry Cloud: Centralized management with built-in telemetry, monitoring, patching, upgrades, and detailed dashboards.
  DIY: Requires custom solutions for management and monitoring.
Expert Support and Monitoring
  NetFoundry Cloud: 24/7 expert support, proactive network monitoring, and alert response.
  DIY: In-house expertise needed for troubleshooting and resolving issues.
Self-Healing Network
  NetFoundry Cloud: Utilizes OpenZiti self-healing capabilities for optimal traffic routing.
  DIY: Advanced knowledge and experience needed for setup and operation.
Compliance and Integration
  NetFoundry Cloud: SOC2 Type 2 certified with pre-built integrations for compliance and enterprise systems.
  DIY: Significant effort required for achieving compliance and integration.
Accelerated Software Updates
  NetFoundry Cloud: Priority feature updates and rapid software fixes provided by NetFoundry.
  DIY: Internal development resources needed for new features, which can be time-consuming and costly.

Solution Guide: Securing AWS Zero Trust Access to S3 Buckets with Python, VPC, and Ziti SDK
https://netfoundry.io/resources/solution-guide-securing-aws-zero-trust-access-to-s3-buckets-with-python-vpc-and-ziti-sdk/
Fri, 18 Oct 2024 13:49:04 +0000
NetFoundry White Papers

NetFoundry AWS Zero Trust

NetFoundry AWS Zero Trust offers private, zero trust networking to S3 buckets for apps, devices, and users

In this NetFoundry solution guide, learn how to access your S3 buckets securely using VPC interface endpoints, the Boto3 S3 client, and NetFoundry’s Ziti SDK. The guide walks through integrating NetFoundry’s secure cloud network with your AWS environment for both performance and security, and shows how zero trust connectivity keeps a private bucket reachable only by authenticated, authorized identities.

The solution uses NetFoundry Cloud, which makes it easy to spin up highly secure, performant edge-, app- or device-to-cloud networks for workloads in AWS. These private overlays on the internet give apps, devices and users zero trust access to S3 buckets and objects.

With NetFoundry, you can extend zero trust connections to S3 buckets and objects that are not public, following least privilege access and microsegmentation principles. NetFoundry’s smart fabric provides optimal-latency routes for your apps, so you can build secure, performant connectivity in minutes with cloud-native tools and without a Direct Connect circuit.

This guide shows how to use NetFoundry to reach a private Amazon S3 bucket from a Python log-pusher program that uses the Boto3 S3 client. The private overlay is built from a NetFoundry edge router in AWS and the Ziti Python SDK imported into the log pusher; the same approach works for any Python application, and SDKs for other languages are available. The guide also shows how to reach the bucket and its objects from a laptop running the Ziti Desktop Edge client.

Secure Cloud Access

Discover how to implement private, zero trust networking for Amazon S3 buckets using NetFoundry’s AWS solution.

This guide provides step-by-step instructions for integrating VPC endpoints and the Boto3 S3 client, ensuring secure access and protection for cloud environments.

Getting Started Guide

Kick off your NetFoundry journey with a free trial account! Ensure you have a network set up with at least one public router and follow our guides to meet firewall policy requirements for secure outbound access.

AWS Zero Trust: Getting Started

What you need to get started:

Solution Architecture:

[Figure: Solution architecture]

Setting up S3 bucket, VPC interface endpoint and policies in AWS

A. S3 Bucket:

You can follow the steps outlined in the following document to create a S3 bucket.

https://docs.aws.amazon.com/AmazonS3/latest/userguide/creating-bucket.html

Create the bucket with Block Public Access enabled, so that the bucket is private and reachable only through the policies configured below.

[Figure: Block Public Access settings]

B. Interface VPC  endpoint:

[Figure: Interface VPC endpoint]

An interface VPC endpoint is represented by one or more elastic network interfaces (ENIs) with private IP addresses drawn from subnets in your VPC. The endpoint’s DNS name and these private addresses are what the NetFoundry service will be configured to intercept.

[Figure: Interface VPC endpoint subnets]

You can attach an endpoint policy to the VPC endpoint to control which S3 resources can be reached through it. The policy in the screenshot below is the default full-access policy (any principal, any S3 resource) and is used here for the demo; in production, scope it to the ARNs of the buckets the endpoint is meant to serve.

[Figure: Endpoint policy]

C. S3 Bucket Policy:

Once the VPC endpoint and S3 bucket are provisioned, the next step is the S3 bucket policy. Bucket policies control which services or users can reach the objects in a bucket. For this demo, the bucket policy restricts access to a single VPC endpoint: the policy below allows requests arriving through the endpoint “vpce-0db2ff4e77e2622ba” to perform actions on the S3 bucket “sdktestingwithboto3” and its objects, using the aws:SourceVpce condition key. Note that an Allow statement alone does not make the endpoint the only path: a principal in the same account whose IAM policy already grants S3 permissions is still allowed unless something explicitly denies it. To enforce “only through the endpoint”, pair the Allow with a Deny statement conditioned on StringNotEquals aws:SourceVpce.

[Figure: Bucket policy]
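The distinction matters enough to check mechanically. The following Python is an added example written for this page, not code from the guide or from the boto-demo repository: a deliberately small evaluator for the subset of the policy grammar these bucket policies use (Effect, Action, Resource, and StringEquals/StringNotEquals on aws:SourceVpce), run over the guide's Allow-only pattern and over a hardened version that adds an explicit Deny. The bucket name and endpoint ID are the guide's; the second endpoint ID and the object key are constructed, and the same-account IAM shortcut (an IAM Allow is enough unless explicitly denied) is the one simplification of AWS evaluation it makes.

```python
"""Same-account S3 access decision for the two bucket-policy patterns discussed above.

Added, deliberately small evaluator: it understands only Effect, Action, Resource and
String(Not)Equals conditions on aws:SourceVpce, which is all these policies use.
It is not the AWS policy engine.
"""
import fnmatch

BUCKET = "sdktestingwithboto3"          # bucket name from the guide
VPCE = "vpce-0db2ff4e77e2622ba"         # endpoint ID from the guide
BUCKET_ARN = f"arn:aws:s3:::{BUCKET}"
OBJECTS_ARN = f"{BUCKET_ARN}/*"

# Pattern 1 (as described in the guide): Allow when the request arrived via the endpoint.
ALLOW_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowViaVpce",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
        "Resource": [BUCKET_ARN, OBJECTS_ARN],
        "Condition": {"StringEquals": {"aws:SourceVpce": VPCE}},
    }],
}

# Pattern 2 (hardened): the same Allow plus an explicit Deny for any other path.
DENY_OTHERS_POLICY = {
    "Version": "2012-10-17",
    "Statement": ALLOW_ONLY_POLICY["Statement"] + [{
        "Sid": "DenyUnlessVpce",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": [BUCKET_ARN, OBJECTS_ARN],
        "Condition": {"StringNotEquals": {"aws:SourceVpce": VPCE}},
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_matches(condition, ctx):
    """aws:SourceVpce is absent (None) when the request did not traverse a VPC endpoint.
    Per AWS semantics a missing key makes StringEquals false and StringNotEquals true."""
    for operator, pairs in condition.items():
        if operator not in ("StringEquals", "StringNotEquals"):
            raise ValueError(f"unsupported condition operator: {operator}")
        for key, wanted in pairs.items():
            present = ctx.get(key) in _as_list(wanted)
            if operator == "StringEquals" and not present:
                return False
            if operator == "StringNotEquals" and present:
                return False
    return True


def _statement_applies(stmt, action, resource, ctx):
    return (
        any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
        and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
        and _condition_matches(stmt.get("Condition", {}), ctx)
    )


def evaluate(bucket_policy, action, resource, ctx, iam_allows):
    """Decision for a principal in the bucket's own account.

    AWS logic for that case: an explicit Deny anywhere wins; otherwise an Allow from either
    the bucket policy or the principal's IAM identity policy (iam_allows) is sufficient.
    Cross-account access needs an Allow on both sides; that case is not modelled here.
    """
    matched = [s for s in bucket_policy["Statement"] if _statement_applies(s, action, resource, ctx)]
    if any(s["Effect"] == "Deny" for s in matched):
        return "DENY"
    if iam_allows or any(s["Effect"] == "Allow" for s in matched):
        return "ALLOW"
    return "DENY"


def compare_patterns(action="s3:GetObject", key="logs/app.log"):
    """Decision matrix for both policies across request origins and IAM posture."""
    resource = f"{BUCKET_ARN}/{key}"                       # constructed object key
    origins = {
        "via-vpce": {"aws:SourceVpce": VPCE},
        "other-vpce": {"aws:SourceVpce": "vpce-0000000000000000a"},  # constructed ID
        "public-internet": {},
    }
    return {
        name: {
            (origin, iam): evaluate(policy, action, resource, ctx, iam)
            for origin, ctx in origins.items()
            for iam in (False, True)
        }
        for name, policy in (("allow-only", ALLOW_ONLY_POLICY), ("deny-others", DENY_OTHERS_POLICY))
    }


if __name__ == "__main__":
    for name, matrix in compare_patterns().items():
        print(name)
        for (origin, iam), decision in matrix.items():
            print(f"  {origin:16s} iam_allows={iam!s:5s} -> {decision}")
```

The row to look at is public-internet with iam_allows=True: the Allow-only policy lets that request through, the Deny pattern blocks it, and the Deny pattern also blocks a request from a different endpoint ID.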

Setting Up S3 Access

Securely set up your S3 bucket by creating it as private, configuring an interface VPC endpoint, and applying a bucket policy that restricts access to authorized services only.

Deploying NetFoundry Edge Router

Set up the NetFoundry edge router as your WAN gateway within the same VPC as your interface VPC endpoint, ensuring secure access to your S3 bucket.

Spin up a NetFoundry edge router in AWS

The NetFoundry edge router is the WAN gateway in the VPC: it lets Ziti identities reach the S3 bucket via the VPC endpoint over the private zero trust overlay. Here the router runs on an EC2 instance; it can also be deployed as a container.

Follow the instructions to spin up the NetFoundry edge router in AWS from the AWS Marketplace. The router must be launched in the same VPC as the interface VPC endpoint, or in a VPC that has reachability to it.

The router should show as registered and online once provisioned successfully.

[Figure: Spin up the edge router]

Create your identity, service and service policy

  • You can access the S3 bucket either from NetFoundry endpoint software on your laptop or from the Ziti Python SDK embedded in the application that needs the bucket.
    • Create one identity for access from the Ziti Python SDK and one for the Ziti Desktop Edge.
    • Create a service for reaching the bucket through the interface VPC endpoint. The following URL is the private, endpoint-specific address the Boto3 S3 client in the Python program uses:

https://sdktestingwithboto3.vpce-0db2ff4e77e2622ba-uf7ato7f.s3.ap-southeast-1.vpce.amazonaws.com

  • From the laptop running ziti desktop edge, the following URL is used to access the object netfoundry.jpg

https://sdktestingwithboto3.s3.ap-southeast-1.amazonaws.com/netfoundry.jpg 

[Figure: Creating the identity, service and service policy]

The service is configured with a wildcard domain name covering the DNS names of the interface VPC endpoint, together with the private IP address attached to the endpoint’s ENI.

The hosting identity is the edge router provisioned in AWS from the Marketplace.

Port 443 is the only port allowed, since access to the bucket through the interface VPC endpoint is over HTTPS.

[Figure: Edit service details]

Create a service policy to allow the identities for devices or the router identity deployed in your factory or site to access the S3 bucket over the highly secure NetFoundry cloud network.

The service policy that allows identities to access the S3 bucket has been created as shown below:

[Figure: Create the service policy]

Accessing S3 with NetFoundry

Access your S3 bucket securely using the NetFoundry Ziti SDK or the Ziti Desktop Edge.

Secure S3 Access

Easily access AWS S3 private buckets using Python with the Ziti SDK. Download the demo program to generate log files and upload them securely over the NetFoundry Cloud network. Start by enrolling your identity and running the provided commands.

Accessing S3 bucket and objects using a Boto3 client + Ziti Python SDK over the NetFoundry Cloud

Download the demo Python program, which imports AWS’s boto3 and the Ziti SDK to reach the private bucket over Ziti. The program generates log files and uploads them to the S3 bucket, creating a folder (object prefix) and uploading the log files into it over the NetFoundry Cloud network.

https://github.com/openziti-test-kitchen/boto-demo/tree/main

Run the program with the following command (run export ZITI_LOG=4 first to see verbose SDK logs):

python boto-demo-main/s3z/s3z.py \
  --ziti-identity-file "/d/S3/identityname.json" \
  --bucket-name "sdktestingwithboto3" \
  --bucket-endpoint "https://bucket.vpce-0db2ff4e77e2622ba-uf7ato7f.s3.ap-southeast-1.vpce.amazonaws.com" \
  --push-log-dir "logs" \
  --object-prefix "foldername"

identityname.json is the JSON file of the identity registered with the NetFoundry network. To enroll the JWT obtained from the console and produce that JSON:

python -m openziti enroll --jwt identityname.jwt --identity identityname.json

https://github.com/openziti/ziti-sdk-py/blob/main/sample/README.md#get-and-enroll-an-identity

--bucket-name is the name of your S3 bucket.

--bucket-endpoint is the bucket-access DNS name of the S3 interface VPC endpoint (the bucket.vpce-… name shown above); boto3 combines it with the bucket name when building each request.

--object-prefix is the name of the folder to create in S3.
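The demo program wires these parameters together. What follows is an added example of the same flow, written for this page and not taken from the boto-demo repository. The file selection and key naming live in plain functions that run anywhere; the endpoint URL is checked so the program refuses to talk to a public S3 hostname (the design only works if the bucket is reached through the endpoint); and only run() touches the network, calling openziti.load() and openziti.monkeypatch() as documented in the ziti-sdk-py sample README so that the sockets boto3 opens to the endpoint hostname are carried over the Ziti service. The identity path, bucket and endpoint are the guide's; the hostname pattern and the log file contents are constructed assumptions.

```python
"""Log pusher: upload local log files to a private S3 bucket through an interface
VPC endpoint, with the S3 traffic carried over a Ziti overlay (added example)."""
import argparse
import re
from pathlib import Path
from urllib.parse import urlparse

# Interface-endpoint hostnames look like bucket.vpce-<id>-<suffix>.s3.<region>.vpce.amazonaws.com,
# optionally prefixed by the bucket name. This pattern is an assumption of the example.
VPCE_HOST = re.compile(
    r"^(?:[a-z0-9.-]+\.)?bucket\.vpce-[0-9a-f]+-[a-z0-9]+\.s3\.[a-z0-9-]+\.vpce\.amazonaws\.com$"
)


def is_private_endpoint(endpoint_url: str) -> bool:
    """True only for an https URL whose host is an S3 interface VPC endpoint."""
    u = urlparse(endpoint_url)
    return u.scheme == "https" and u.hostname is not None and bool(VPCE_HOST.match(u.hostname))


def collect_logs(log_dir, suffix=".log"):
    """Log files directly under log_dir, sorted so uploads are deterministic."""
    return sorted(p for p in Path(log_dir).iterdir() if p.is_file() and p.suffix == suffix)


def object_key(prefix: str, path) -> str:
    """<prefix>/<filename>; the S3 console shows the prefix as a folder."""
    return f"{prefix.strip('/')}/{Path(path).name}"


def push_logs(put_object, bucket, prefix, log_dir):
    """Upload every log via put_object(bucket, key, body); returns the keys written."""
    keys = []
    for path in collect_logs(log_dir):
        key = object_key(prefix, path)
        put_object(bucket, key, path.read_bytes())
        keys.append(key)
    return keys


def run(identity_file, bucket, endpoint_url, log_dir, prefix):
    """Real upload: boto3 sockets to the endpoint hostname are carried over Ziti."""
    if not is_private_endpoint(endpoint_url):
        raise SystemExit(f"refusing to use non-VPCE endpoint {endpoint_url}")
    import boto3     # imported here so the helpers above stay importable without AWS/Ziti libs
    import openziti  # ziti-sdk-py
    openziti.load(identity_file)       # enrolled identity JSON (see the enroll step above)
    with openziti.monkeypatch():       # sockets opened inside this block go over Ziti
        s3 = boto3.client("s3", endpoint_url=endpoint_url)
        return push_logs(
            lambda b, k, body: s3.put_object(Bucket=b, Key=k, Body=body),
            bucket, prefix, log_dir,
        )


if __name__ == "__main__":
    ap = argparse.ArgumentParser()
    ap.add_argument("--ziti-identity-file", required=True)
    ap.add_argument("--bucket-name", required=True)
    ap.add_argument("--bucket-endpoint", required=True)
    ap.add_argument("--push-log-dir", default="logs")
    ap.add_argument("--object-prefix", default="logs")
    a = ap.parse_args()
    for k in run(a.ziti_identity_file, a.bucket_name, a.bucket_endpoint, a.push_log_dir, a.object_prefix):
        print("uploaded", k)
```

The command-line flags mirror the demo program's, so the invocation above works unchanged. Keeping the upload loop separate from the network setup is what makes the endpoint check and key naming testable without an identity or AWS credentials.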

Once you execute the Python program, you will see output like the following:

[Figure: Python program output]

The folder is created in your S3 bucket:

[Figure: S3 bucket listing]

And the log files are uploaded into the folder:

[Figure: Uploaded log files]

Accessing S3 bucket and objects using a Ziti desktop edge over the NetFoundry Cloud

Install the desktop edge based on the OS of your device: https://netfoundry.io/downloads/ 

You’ll find the installation instructions for the endpoints in the respective sections.

Register your identity to the network from your endpoint software. 

With the required service policy in place, you should see the S3 service listed on your endpoint.

[Figure: S3 service listed on the endpoint]

Access the S3 object from your device over the NetFoundry network:

[Figure: Accessing the S3 object]

Unlock S3 Connectivity

Install the desktop edge for your OS and gain seamless access to S3 objects via the NetFoundry network. Register your identity and follow the instructions to begin.

AWS Zero Trust Security

Adopt AWS Zero Trust to enhance your cloud security, prevent unauthorized access, and protect your applications and data in a complex digital landscape.

Conclusion: The Power of AWS Zero Trust

Incorporating AWS Zero Trust principles into your cloud infrastructure ensures that your systems are protected by advanced, modern security measures. By embedding zero trust connectivity, organizations can prevent unauthorized access and reduce the risk of security breaches, all while maintaining seamless operations. AWS Zero Trust empowers businesses to secure their applications, data, and users in an increasingly complex digital landscape.

NetFoundry and Zero Trust Outcomes in ISA/IEC 62443
https://netfoundry.io/resources/netfoundry-and-zero-trust-outcomes-in-isa-iec-62443/
Sat, 12 Oct 2024 19:36:23 +0000
NetFoundry White Papers

Introduction to ISA/IEC 62443 Standards

ISAGCA has published a paper titled Zero Trust Outcomes Using ISA/IEC 62443 Standards. The paper examines the intersection of IEC 62443 and Zero Trust principles, and the benefits, for each of the roles defined in the standard, of adopting Zero Trust concepts to strengthen ISA/IEC 62443-based security practices. In particular, it identifies direct overlap between Zero Trust and the requirements of the IEC 62443 specification. NetFoundry can satisfy those requirements at the network level as part of an overall security design, and this paper explains how.

NetFoundry Cloud, powered by NetFoundry’s Ziti architecture and the OpenZiti open source project, is a software-defined networking solution designed to provide secure connectivity and enable Zero Trust architectures, with full network operations capabilities. It is well suited to the OT/ICS space because, unlike many solutions, it does not assume a human user-to-application use case, although it serves that need too.

The solution’s network-layer focus lets it run in far more resource-constrained environments and cover a broad set of use cases, many of them industrial. It is also built with availability in mind, which is critical where safety comes first; it can run in air-gapped networks; and it can carry L2 and real-time traffic, all of which matter in OT environments that must comply with 62443 and other regulations.

Zero Trust Framework

Explore how NetFoundry enhances IEC 62443 security through Zero Trust principles and architecture.

Secure OT Framework

Integrating NetFoundry’s Zero Trust with IEC 62443 standards for enhanced security.

ISA/IEC 62443 Overview

Exploring the integration of NetFoundry’s Zero Trust principles within ISA/IEC 62443 security standards.

Protect Surface, Network Flow / Zones, Conduits

The ISA/IEC 62443 concept of a zone is a grouping of one or more nodes that share a set of security requirements. Zero Trust refers to these as segments (network segments) that can be protected as a unit to enforce those requirements. As the number of hosts or applications in a segment approaches one, they are called microsegments. A microsegmented network limits the attack paths that allow lateral movement within an environment.

NetFoundry has made its Ziti platform available as open source in the OpenZiti project. The OpenZiti software and the SDKs used to embed it into applications allow many forms of segmentation, including application-specific microsegmentation, or ‘AppNets’. There are three general architectures for deploying Ziti technology. They are not mutually exclusive: all three can be deployed within the same network, even overlapping, depending on the requirements of the situation. You can read more here.

  • ZTNA – Zero Trust Network Access: A common term in Zero Trust discussions, ZTNA deployments use the Ziti network for most of the path, with the first and/or last “mile” outside the Ziti network itself. This is also commonly called a gateway model. While the least secure of the three, it offers simplicity and handles situations where an on-host or embedded deployment is not an option because of the nature of the connected devices. This model relies on external security configuration, simple access control lists, to prevent access to any resource other than via the authorized Ziti network components; in other words, the external WAN is treated with zero trust.
  • ZTHA – Zero Trust Host Access: A more microsegmented approach, ZTHA provides a secure path from or to the host compute node. In many cases the software cannot be built with Ziti technology because it is owned by a third party or is no longer under active development. Host-based access controls similar to network ACLs can prevent any unauthorized access to the node while allowing the secured Ziti network connectivity. Blocking all inbound communications while allowing outbound gives the functionality and is simple to manage. In environments with higher security requirements, the controls can explicitly allow only the Ziti network components outbound; this brings additional operational requirements and should be decided based on the risk analysis. This model extends zero trust principles to the external WAN as well as the internal LAN.
  • ZTAA – Zero Trust Application Access: The most microsegmented deployment model is ZTAA. The software development kits (SDKs) provided by the OpenZiti project let the secure connectivity be built into the applications themselves. It can be the application’s sole network connectivity option, ensuring it always initializes into a secure network state, or a configurable option, as the Caddy project offers with its configurable Ziti interface. This model ensures the app has no listening ports on any underlay network (WAN, LAN, or host OS), so there is nothing for port scans, unsolicited inbound connections, or other conventional network attacks to reach.

 

Whether the zone is a subnet/VLAN behind a ZTNA gateway, a host, or an application, the connections between that zone and any other meet the requirements of a secured conduit per IEC 62443. Each connection is individually encrypted and routed, and only authenticated and authorized identities can dial the circuits (channels) within the conduit. Because the entire path between identities is encrypted, it passes over the existing physical network infrastructure as a virtual conduit from the initiating zone to the target zone.

Microsegmentation Strategies

Integrating ISA/IEC 62443 zones and NetFoundry’s Zero Trust for enhanced security solutions.

Trusted Authentication Framework

OpenZiti utilizes X.509 certificates for secure device authentication and identity management.

Strong Identity

OpenZiti uses X.509 certificates as the root of trust for authentication. The certificate is either cryptographically signed by the Network Controller (see the five-part blog series on ‘Bootstrapping Trust’) or imported into the network instance for use cases involving external certificate authorities, such as certificates installed when the device is manufactured. It can be protected in a number of ways. By default it lives in the file system, where the file permissions can be restricted as tightly as needed, provided the Ziti application can still read it for the necessary operations. For higher-security applications, Ziti supports PKCS#11 interfaces, so the certificate material and all operations on it can stay inside a hardware security module or similar device. The certificate only authenticates the device; by itself it grants nothing. The device must also have a configured identity in the network, and that identity can be modified or removed at any time.

A standardized, cryptographically secured authenticator meets the highest strength level for identities, and how that authenticator is protected is an implementation choice driven by the requirements of the environment. The identity only grants network access to the services configured for it; it does not grant any access within the applications that those services front. Keeping the identity’s key sovereign to the endpoint also ensures that no one else can decrypt or inspect the data plane, even when the data plane is hosted by a third party.

Secure Comms

As noted previously, all communications across the Ziti network are encrypted, and in fact double encrypted on the wire: the circuit is encrypted end to end, and the channels or links that carry it are independently encrypted as well. Protecting the local physical connection with device- or host-based controls is a design point of the overall system, since Ziti does not natively provide protection at that point. Those decisions also determine whether the device allows any non-Ziti access at all, and should be taken into consideration. Appropriate to the risk level, Ziti can give low-friction access to and from devices while maintaining the necessary security, allowing only authenticated and authorized persons or processes to send or receive data. OpenZiti’s encryption is built for extensibility, which allows ‘crypto agility’ (for example, a move to post-quantum cryptography), an increasingly important topic in the OT and critical infrastructure covered by 62443. Note also that Ziti encrypts and routes each AppNet separately.

Enhanced Encryption Standards

Ziti employs double encryption for secure communications, ensuring robust protection across devices.

Dynamic Access Control

Ziti leverages policies for secure connectivity, enabling real-time management and monitoring.

Data Flow Policy

Ziti uses policy to allow connectivity between identities and services. A single service can be allowed to be hosted by a single identity and accessed by a single other identity, even in a large network. Attribute tags allow groups of identities to access groups of services, or to host services, via an addressing system. Built-in tools such as the policy advisor verify accessibility taking all applied policies into account, and the APIs can be used to extract the same information for auditing or other external purposes.

Because Ziti is API- and event-driven, the configuration can be updated dynamically. It is straightforward to tie access to business and other rule sets in real time.

Beyond managing these policies, Ziti provides detailed event and metric data for auditing connectivity, an important capability in forensics and incident response as well as in behavioral analysis and other monitoring. Every access by an identity to a service is emitted as an event, and the data volume transferred is emitted every minute (by default; configurable). Feeding these records into a UEBA or similar system allows immediate action to terminate connectivity. Removing authorization to a service terminates current connections and prevents new ones, and the change takes effect within seconds.

So Ziti not only creates and enforces appropriate data flow policies, it also enables monitoring and an appropriate response to anomalous behavior or changed business rules, with real-time effect.
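To make the tagging scheme concrete, here is an added Python example, written for this page and not OpenZiti's own policy advisor, though it mirrors that tool's question (who can dial and who can bind each service) on a constructed OT-style network. Identities and services carry role attributes; service policies select them with #attribute, @name and #all selectors combined with AnyOf or AllOf semantics, as in OpenZiti. The identity and service names are invented, and treating an explicit @name as an unconditional match under either semantic is this example's simplification.

```python
"""Added example: a miniature 'policy advisor' over OpenZiti-style service policies.

Selector syntax and AllOf/AnyOf semantics follow OpenZiti; the network below is
constructed for illustration and is not a real deployment.
"""
from dataclasses import dataclass, field


@dataclass
class Entity:
    """An identity or a service: a name plus role attributes (tags)."""
    name: str
    attributes: set = field(default_factory=set)


@dataclass
class ServicePolicy:
    name: str
    type: str                # "Dial" (may connect) or "Bind" (may host)
    identity_roles: list     # selectors: "#attr", "@name", "#all"
    service_roles: list
    semantic: str = "AnyOf"  # "AnyOf": any listed attribute; "AllOf": every listed attribute


def selected(roles, entity, semantic):
    """Does this role list select the entity?

    '#all' selects everything and '@name' selects by name (treated here as unconditional
    inclusion). '#attr' selectors are combined with AnyOf or AllOf over the attributes.
    """
    for r in roles:
        if not (r.startswith("#") or r.startswith("@")):
            raise ValueError(f"bad selector {r!r}")
    if "#all" in roles or f"@{entity.name}" in roles:
        return True
    attrs = [r[1:] for r in roles if r.startswith("#")]
    if not attrs:
        return False
    hits = [a in entity.attributes for a in attrs]
    return all(hits) if semantic == "AllOf" else any(hits)


def policy_matches(policy, identity, service):
    return (selected(policy.identity_roles, identity, policy.semantic)
            and selected(policy.service_roles, service, policy.semantic))


def advise(identities, services, policies):
    """For each service: which identities may dial it and which may bind (host) it."""
    report = {}
    for svc in services:
        dial = {i.name for i in identities for p in policies
                if p.type == "Dial" and policy_matches(p, i, svc)}
        bind = {i.name for i in identities for p in policies
                if p.type == "Bind" and policy_matches(p, i, svc)}
        report[svc.name] = {"dial": sorted(dial), "bind": sorted(bind)}
    return report


def gaps(report):
    """Services nobody can reach or nobody hosts: a misconfiguration, or a service to retire."""
    out = []
    for name, who in report.items():
        if not who["dial"]:
            out.append((name, "no identity can dial"))
        if not who["bind"]:
            out.append((name, "no identity can bind"))
    return out


def build_sample_network():
    """Constructed OT-flavoured network (not a real deployment)."""
    identities = [
        Entity("plc-line1", {"plc", "zone-cell1"}),
        Entity("plc-line2", {"plc", "zone-cell2"}),
        Entity("hmi-01", {"hmi", "zone-cell1"}),
        Entity("eng-laptop", {"engineer"}),
        Entity("edge-router-dc", {"router"}),
    ]
    services = [
        Entity("historian-tcp", {"scada"}),
        Entity("plc-ssh", {"admin"}),
        Entity("legacy-modbus", {"modbus"}),   # deliberately left without any policy
    ]
    policies = [
        # AllOf: only identities that are BOTH a PLC AND in cell 1 may reach the historian.
        ServicePolicy("cell1-plc-to-historian", "Dial", ["#plc", "#zone-cell1"], ["#scada"], "AllOf"),
        ServicePolicy("dc-router-hosts-scada", "Bind", ["#router"], ["#scada"]),
        ServicePolicy("engineers-ssh", "Dial", ["#engineer"], ["#admin"]),
        ServicePolicy("plcs-host-ssh", "Bind", ["#plc"], ["#admin"]),
    ]
    return identities, services, policies


if __name__ == "__main__":
    ids, svcs, pols = build_sample_network()
    report = advise(ids, svcs, pols)
    for svc, who in report.items():
        print(f"{svc}: dial={who['dial']} bind={who['bind']}")
    for svc, problem in gaps(report):
        print(f"WARNING {svc}: {problem}")
```

The point of the AllOf policy is least connectivity: the same two selectors under AnyOf would also admit the cell-2 PLC and the HMI, which is exactly the kind of widening the advisor makes visible before it reaches production. The gaps() report is the other half of the audit: a service with no dialers or no hosts is either misconfigured or no longer needed.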

Least Privilege Access

Least privilege generally concerns privileges granted within an application. Ziti does not act above the network data plane, so it does not affect those permissions directly. However, the specificity of its network connections enhances a least-privilege model by controlling who can reach the application at all. Depending on the complete design, drawing on many of the concepts above, even individuals with physical access to a network port can be blocked from reaching the information or device without proper authentication and authorization. Individual network services on the same device can also be managed separately, for example allowing access to a UI for the appropriate personnel while restricting the SSH port to administrators only.

While OpenZiti does not itself provide application-level least-privilege features in the most common usage, it can certainly enforce least connectivity as part of the overall strategy.

Enhanced Least Privilege

Ziti supports least privilege by controlling network access, enhancing application security strategies.

Continuous Monitoring Solutions

OpenZiti enables ongoing authentication and behavioral analysis for enhanced security oversight.

Continuous Monitoring

Depending on definition, there are two current forms of continuous monitoring: continuous authentication, which verifies that the user's session remains allowable under the rule sets, and behavioral analysis.

Using the authentication policies defined in OpenZiti, the simplest form of continuous authentication is MFA via one-time tokens (many other posture checks are supported, with more in development). Posture checks can be configured to re-prompt on a timer and/or on events such as a laptop waking from sleep or being unlocked, ensuring that the authenticated user is still in control of the device before access to any service is allowed.

As noted in the Data Flow Policy section above, OpenZiti can be configured to output a wide range of information. These events and metrics describe the operation of the network in general as well as highly specific details of its usage. Every connection (circuit) within the network is logged at creation and deletion, recording the initiating identity, the service, the hosting identity, and the path taken through the network. Every circuit is authorized by a session created when the identity attaches to the network, and that session is also logged at creation and deletion; its record contains the Network Controller's view of the IP address the device attached from, the time of the event, and so on. Even in a ZTNA deployment model, where an Edge Router acts as a gateway to a non-Ziti portion of the network (initiating or terminating), the socket information (IP:PORT) is collected and reported in the events, allowing translated addresses or non-Ziti clients to be correlated with other systems during auditing or forensic investigations.

All changes made to the network model, services, identities, policies, and entities are also emitted as events, allowing the monitoring of changes made to the network in real time or as an audit function.
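The two monitoring uses described above (per-identity usage metrics feeding a UEBA that revokes access, and circuit events correlated with session records for forensics) are shown together in this added Python example, which is not OpenZiti code. The event lines are constructed for the example and use simplified, assumed field names (`namespace`, `event_type`, `session_id`, `circuit_id`, `remote_addr`, `bytes`); the real controller events carry more fields under different names, so the parser would need adapting to a live feed.

```python
"""Ingest constructed Ziti-style events: correlate circuits to sessions for
audit, and flag identities whose transfer volume is anomalous.

Added example for this article, not OpenZiti code. The JSON shape is a
simplification written for this example; field names are assumptions.
"""
import json
from collections import defaultdict

# Constructed sample stream: two sessions, two circuits, per-minute usage metrics.
SAMPLE_EVENTS = """
{"namespace":"edge.sessions","event_type":"created","session_id":"s-1","identity":"hmi-ops-03","remote_addr":"203.0.113.7:51522","ts":"2024-10-01T08:00:00Z"}
{"namespace":"edge.sessions","event_type":"created","session_id":"s-2","identity":"vendor-bob","remote_addr":"198.51.100.9:40011","ts":"2024-10-01T08:00:05Z"}
{"namespace":"fabric.circuits","event_type":"created","circuit_id":"c-1","session_id":"s-1","identity":"hmi-ops-03","service":"plc-modbus","host":"plc-gw-01","path":["r-edge-1","r-plant-a"],"ts":"2024-10-01T08:00:10Z"}
{"namespace":"fabric.circuits","event_type":"created","circuit_id":"c-2","session_id":"s-2","identity":"vendor-bob","service":"plc-modbus","host":"plc-gw-01","path":["r-edge-2","r-plant-a"],"ts":"2024-10-01T08:00:12Z"}
{"namespace":"fabric.usage","identity":"hmi-ops-03","service":"plc-modbus","bytes":18200,"ts":"2024-10-01T08:01:00Z"}
{"namespace":"fabric.usage","identity":"vendor-bob","service":"plc-modbus","bytes":21000,"ts":"2024-10-01T08:01:00Z"}
{"namespace":"fabric.usage","identity":"hmi-ops-03","service":"plc-modbus","bytes":17900,"ts":"2024-10-01T08:02:00Z"}
{"namespace":"fabric.usage","identity":"vendor-bob","service":"plc-modbus","bytes":9600000,"ts":"2024-10-01T08:02:00Z"}
{"namespace":"fabric.circuits","event_type":"deleted","circuit_id":"c-1","session_id":"s-1","identity":"hmi-ops-03","service":"plc-modbus","host":"plc-gw-01","ts":"2024-10-01T08:03:00Z"}
"""


def parse_events(text):
    """One JSON object per line; blank lines are ignored."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def correlate_circuits(events):
    """Join each circuit to the session that authorized it, so the audit record
    carries the controller-observed source address as well as the fabric path."""
    sessions = {e["session_id"]: e for e in events
                if e["namespace"] == "edge.sessions" and e["event_type"] == "created"}
    records = {}
    for e in events:
        if e["namespace"] != "fabric.circuits":
            continue
        rec = records.setdefault(e["circuit_id"], {
            "identity": e["identity"], "service": e["service"], "host": e["host"],
            "remote_addr": sessions.get(e["session_id"], {}).get("remote_addr"),
            "path": e.get("path"), "opened": None, "closed": None})
        rec["opened" if e["event_type"] == "created" else "closed"] = e["ts"]
    return records


def flag_volume_anomalies(events, baseline_bytes_per_min, factor=10):
    """Flag (identity, service) pairs whose peak per-minute transfer exceeds
    factor x baseline. Returns the actions a UEBA would hand back to the
    management API: revoke the identity's dial access to that service."""
    peak = defaultdict(int)
    for e in events:
        if e["namespace"] == "fabric.usage":
            key = (e["identity"], e["service"])
            peak[key] = max(peak[key], e["bytes"])
    return [{"action": "revoke-dial", "identity": i, "service": s, "peak_bytes_per_min": b}
            for (i, s), b in sorted(peak.items()) if b > factor * baseline_bytes_per_min]


def demo():
    events = parse_events(SAMPLE_EVENTS)
    return correlate_circuits(events), flag_volume_anomalies(events, baseline_bytes_per_min=20000)


if __name__ == "__main__":
    records, actions = demo()
    for cid, rec in records.items():
        print(cid, rec)
    for act in actions:
        print(act)
```

`correlate_circuits()` joins each circuit to the session that authorized it, so the audit record carries the controller-observed source address alongside the service, hosting identity and path. `flag_volume_anomalies()` compares each identity's peak per-minute transfer against a baseline and returns the revocation actions a UEBA would hand back to the management API; in the sample, the vendor identity moving 9.6 MB in a minute against a 20 KB baseline is the one flagged, while the HMI's steady traffic is not.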

The post NetFoundry and Zero Trust Outcomes in ISA/IEC 62443 appeared first on NetFoundry.

NetFoundry Zero Trust for OT and IIoT

Source: https://netfoundry.io/resources/netfoundry-zero-trust-for-ot-and-iot-secure-simple-and-flexible/ (NetFoundry, published Sun, 06 Oct 2024)

Protecting sensitive data and implementing access controls is complex. In terms of compliance, OT sectors must meet stringent regulations (e.g., NERC CIP, HIPAA, IEC 62443) and undergo regular audits, requiring costly and time-consuming certification processes to align with standards. Here’s a detailed look at the challenges that must be considered:

Highlight

Overcome OT and IIoT security and compliance challenges with robust Zero Trust solutions

Deploying products and solutions in Operational Technology (OT) environments involves significant security and compliance challenges. On the security side, integrating IT and OT systems increases the attack surface, exposing them to advanced threats such as APTs and ransomware.

Security Concerns

Increased Attack Surface
  • Interconnected Networks: Integrating IT and OT systems increases the attack surface, providing more entry points for cyber attackers.
  • Sophisticated Threats: OT environments are targets for advanced persistent threats (APTs) and ransomware attacks, which can cause significant disruption and damage.

Data Security
  • Sensitive Information: OT systems often handle critical and sensitive data. Ensuring the confidentiality, integrity, and availability of this data is challenging.
  • Access Control: Implementing stringent access controls to prevent unauthorized access while allowing legitimate users to perform their tasks is complex.

Compliance Challenges

Regulatory Requirements

  • Industry Regulations: OT environments, particularly in sectors like energy, healthcare, and manufacturing, are subject to stringent regulatory standards such as NERC CIP, HIPAA, and IEC 62443.
  • Compliance Audits: Regular compliance audits require detailed documentation and evidence of adherence to security standards.

Certification and Standards

  • Certification Processes: Deploying new solutions often necessitates rigorous testing and certification to meet industry-specific standards, which can be time-consuming and costly.
  • Standards Alignment: Ensuring new technologies align with existing compliance standards without introducing vulnerabilities or gaps.

 

Concerns About Deploying Third-Party Solutions

Common challenges for 3rd party access to OT environments:
  • Cyberattack vulnerabilities
  • Integration challenges
  • Loss of control
  • Data privacy risks
  • Operational disruption

Trust and Control
  • Vendor Trust: Companies may be hesitant to trust third-party vendors with access to critical OT systems due to concerns about the vendor’s security practices and the potential for introducing vulnerabilities.
  • Loss of Control: Integrating third-party solutions can lead to a perceived or actual loss of control over security and operational processes.

Integration Risks
  • Compatibility Issues: Ensuring third-party solutions are compatible with existing OT infrastructure can be challenging, risking operational disruptions.
  • Complex Integration: The integration process can introduce security risks if not managed carefully.

Data Privacy and Ownership

  • Data Exposure: Deploying third-party solutions might require sharing sensitive operational data, raising concerns about data privacy and ownership.
  • Data Breach Risks: There is a heightened risk of data breaches if the third-party solution is compromised.

Operational Disruption

  • Downtime: The deployment and integration of third-party solutions can cause downtime, which is often unacceptable in critical OT environments.
  • Performance Impact: Third-party solutions may affect the performance of existing systems, leading to operational inefficiencies.

 

NetFoundry Zero Trust

Simple, Secure Networking for Smart Connected Products and Solutions

NetFoundry’s zero trust platform and solutions enhance security, simplify management, and provide flexible, low-cost connectivity for OT, IIoT, and edge environments. Our platform supports self-hosted open-source options and managed SaaS solutions, ensuring seamless integration and robust protection against modern cyber threats.


Connect to Anything

Managing and securing IIoT devices is complex and often requires VPNs or bastions, which can be cumbersome and vulnerable to various cyber threats. NetFoundry simplifies this by offering a seamless, secure solution that eliminates these dependencies. With NetFoundry, you can:

  • Eliminate the need for VPNs or bastions.
  • Gain robust security against ransomware, data exfiltration, DDoS, and botnets.
  • Deploy as either self-hosted software or managed SaaS.

Traditional IIoT management often involves high latency and complex configurations. NetFoundry provides a straightforward, low-latency solution that supports various devices and setups, ensuring smooth operations.

  • Local-like Access: With native SSH and RDP support, you can experience low latency, smooth console sessions, and snappy database queries.
  • Unified Solution: Ziti endpoints extend your overlay anywhere and become your single solution for IIoT management and networking, including agentless setups, Nvidia Jetson, Raspberry Pi, OpenWRT, servers, and clouds.
  • Enhanced Security: Close all inbound firewall ports, eliminating dependencies on static public IPs and port forwarding. All sessions are authenticated in the background via X.509 certificates, removing the need for VPNs and bastions.

Minimize Risk Using Advanced Authentication and Encryption

Ensuring robust security in IIoT environments can be challenging due to diverse threats. NetFoundry integrates advanced security measures to protect IIoT networks comprehensively.

  • X.509 Certificate Authentication: Built-in authentication to a private IIoT network overlay with botnet and DDoS protection.
  • Minimized Attack Surface: No open inbound firewall ports and microsegmentation to protect against data exfiltration.
  • Advanced Security Protocols: mutual TLS (mTLS), encryption, and least privileged access as part of zero-trust networking.

Minimize Latency and Improve Reliability

IIoT deployments often suffer from high latency due to inefficient routing. NetFoundry optimizes connectivity by routing sessions directly, improving performance and reducing costs.

  • Direct Routing: Route each session directly from the device to its destination, eliminating VPN backhaul and reducing cloud egress costs.
  • Optimized Connectivity: a full mesh with multipoint networking that provides dynamic routing across multiple tier-one networks for the best connections.
  • Network Flexibility: Use any network with the best latency, bandwidth, and throughput securely, even WiFi.

Leverage Software Defined Overlay Networks for Flexibility

Deploying and managing IIoT solutions across varied environments requires flexibility. NetFoundry offers a software-only solution that can adapt to any network or device, ensuring seamless integration.

  • Software-Only Solution: Cloud orchestrated with open source and SaaS options, including managed IIoT network overlays.
  • Versatile Endpoints: Zero trust endpoints for any app (SDK-embedded), device, edge, or cloud.
  • Broad Network Compatibility: Use public cellular (eliminate private APN) and WiFi, enabling third parties to connect IIoT devices to their networks securely.

Lower Your Connectivity and Security Costs

Implementing secure IIoT solutions can be expensive and time-consuming. NetFoundry reduces costs and accelerates deployment with a streamlined, software-only approach.

  • Cost-Effective: Software-only solution eliminates the need for extra security and networking hardware, VPNs, and bastions.
  • Rapid Deployment: Deploy in minutes across any set of edges and clouds.
  • Efficient Use of Public Networks: Use public cellular and WiFi to reduce costs and accelerate deployments, allowing customers and partners to securely enable IIoT devices on their networks.

Conclusion

NetFoundry’s zero trust solutions for OT, IIoT, and edge environments provide a robust, flexible, and cost-effective way to manage and secure your devices and networks. Embrace our platform to enhance security, simplify operations, and achieve rapid, low-cost deployments across diverse network environments.

LiveView Technologies Case Study

Source: https://netfoundry.io/resources/the-lvt-and-netfoundry-partnership/ (NetFoundry White Papers, published Sat, 05 Oct 2024)

Distributed Video Surveillance Made Simple and Secure

LiveView Technologies (LVT) provides on-demand, rapidly deployed surveillance to some of the largest companies in the world. Energy, law enforcement, DOTs, retail and construction rely on LVT's leading security technology and surveillance solutions. LVT's success resulted in a large, distributed network which became very expensive and difficult to manage using legacy networking. LVT partnered with NetFoundry to transform the networking from a rapidly growing cost center into a competitive advantage, including strengthening data security for LVT, LVT customers and the LVT ecosystem.

We are committed to making the world a safer place, and we are just as committed to protecting our clients’ data and information. Partnering with NetFoundry isn’t just a way to accomplish this, but the best way.

Case Study Highlights

Transformative Security & Cost Efficiency

LVT partnered with NetFoundry to enhance data security through zero trust network overlays while significantly reducing cellular and cloud egress costs, turning networking into a competitive advantage.

Streamlined Operations & Innovation

The shift to a software-only architecture improved operational efficiency by centralizing controls and telemetry, enabling LVT to drive innovation in analytics, AI, and seamless partner integrations.

LVT's Network Management Obstacles

LVT struggled with security risks from private mobile APNs and VPNs, high egress costs from data backhauling, and operational complexity due to decentralized controls. Those challenges hindered automation and innovation, limiting effective customer data protection.

Obstacle

LVT had significant challenges with multiplying locations and networks for their surveillance cameras that are distributed globally, leveraging multiple cellular carriers, local networks (for example, a retailer’s local network) and increasingly private 5G. 

The data is distributed across cameras, LVT sites, customers and partners. With the rise of edge compute and edge AI, the workloads are becoming even more distributed.

Finally, there is a management network – including monitoring, upgrades, remote management, APIs, telemetry and operations. As LVT is highly automated, this is a very dynamic network.

 

Challenges with large, distributed, dynamic networks

LVT’s growth and commitment to protecting their customers’ data presented several challenges:

Security vulnerabilities

The private mobile APN and local networks do not provide the zero-trust posture which LVT demanded for its customers. The VPNs from the private APN providers to the LVT sites were even worse.

Significant cellular and cloud egress costs

All data had to be backhauled to LVT sites. LVT distributed data from there, resulting in high cloud egress costs. Meanwhile, cellular costs were rising as choices like Wi-Fi were often not secure or reliable enough.

Velocity and operational obstacles

The lack of centralized telemetry, controls, identities and policies compromised many LVT automation initiatives. Dependencies on firewalls and ACLs, VPNs, hardware and IP addresses added operational overhead and complexity. Adding to the complexity was the need for bespoke solutions for different needs, e.g. needing to manage different solutions for inbound (e.g. secure remote access) and outbound data needs, as well as differences between different edges and clouds.

Lack of innovation

LVT innovation was one reason behind their success. Newer initiatives to leverage edge compute, integrate with partners, and use local networks including private 5G and Wi-Fi were made infeasible by dependencies on legacy networking, including the need to backhaul all data. Even using multiple clouds was problematic due to the VPN backhaul from the mobile carrier APNs.

Business Benefits of the NetFoundry-based Solution

Innovation

By replacing legacy networking and security with a pure software, network independent solution, LVT continues to shape the future of surveillance.

Cost savings

Eliminating the upfront costs and OpEx of cloud egress, private APNs, VPNs and hardware dependent solutions enabled LVT to invest more in building world class products.

Quality improvement

Despite multiple last mile bandwidth providers, LVT gained centralized telemetry, controls, identities and policies. This ultimately enabled high quality services and better customer visibility.

Strong security

LVT has always been proactive in protecting customer data, so LVT seized the opportunity to upgrade to a zero implicit trust architecture which exceeded guidelines from NIST and CISA, and meant LVT was continuing to be the leader.

Solution & Outcome

Optimizing large, distributed, dynamic networks

LVT partnered with NetFoundry to solve each of the challenges described on the previous page. It also enabled LVT to move to a software-only, network-independent architecture to get the future-proofed extensibility and flexibility LVT wanted to ensure they could continue to shape the future of surveillance:

Security

NetFoundry's software-only, zero trust network overlays meant underlay networks no longer mattered. Private APNs and VPNs could be eliminated; Wi-Fi, public APN and private 5G could be used. LVT, customer and partner networks could receive LVT data without any network exposure: rather than host perimeter security devices or poke holes in their firewalls, they open outbound-only sessions to the private LVT network overlay. Their firewall rules are literally deny-all inbound!

Cost savings

Cellular and cloud egress costs were massively reduced. Some data can go directly from cameras and edge sites to destinations, without first backhauling to LVT sites, and then incurring cloud egress costs. The most cost-efficient local bandwidth could be used for each site. Unreliable (but cheap or free) networks could be used for operations like software upgrades because the NetFoundry software enables different networks to be used for different purposes.

Operations excellence

Gaining centralized, network-independent telemetry, controls, identities and policies fueled LVT's quality control and automation initiatives. Velocity skyrocketed due to the elimination of dependencies on firewalls, ACLs, VPNs, hardware and IP addresses. The NetFoundry solution secured both inbound and outbound traffic, and abstracted away differences in edges, networks, clouds and customer environments such that LVT simply manages centralized identities and policies.

Accelerated innovation

LVT unblocked initiatives in quality, analytics, AI and functionality. LVT was now able to leverage any network, edge compute and cloud. LVT was able to integrate with partners and APIs without any network engineering or security risks. The replacement of hardware, infrastructure and IP-address dependent solutions with NetFoundry’s 100% software solution meant that the entire LVT stack became one software system, with corresponding extensibility and flexibility.

A New Era in Surveillance Technology

LVT partnered with NetFoundry to create a software-only, network-independent architecture, enhancing security and cutting costs. This transformation improved operational efficiency and enabled greater innovation in quality and analytics, simplifying collaboration with partners.

About NetFoundry

Networking was once a barrier to app innovation and automation, with dependencies on after-the-fact security and performance engineering. NetFoundry is shifting the paradigm in cybersecurity by embedding zero trust networking and security as code. Our NetFoundry Cloud solution embeds zero trust as software into apps, APIs, IoT devices, and other valuable assets, rendering critical infrastructure invisible to the internet and unreachable by potential attackers. It is the world's first programmable, cloud native, zero trust network with near-unlimited scale, concurrency, and performance. NetFoundry Cloud represents a new art of the impossible by enabling developers, network engineers, DevOps, and cloud teams to programmatically control private, zero trust, high performance networking. NetFoundry Cloud is built on NetFoundry's Ziti platform, which is part of the OpenZiti project, the world's most used and widely integrated open source networking platform.

Unified Namespace and Secure Connectivity: Transforming Industrial Data Management

Source: https://netfoundry.io/resources/unified-namespace-and-secure-connectivity-transforming-industrial-data-management/ (NetFoundry White Papers, published Sat, 28 Sep 2024)

What Is A Unified Namespace

Unified Namespace, or UNS, is a concept born primarily of the ANSI/ISA-95 standard's Equipment Hierarchy Model and extended well beyond it to encompass the entire enterprise. The purpose of UNS is to provide a unified approach to the collection and distribution of the current state of industrial and manufacturing environments in an event-driven system. To do this, information is collected from points throughout the environment: control systems, shipping systems, ordering, personnel, and so on. This information is sent via broker agents to other subscribing systems, including other brokers, unifying the data set across the enterprise in near real time. Having this single architecture for information collection and distribution empowers decision making and planning in ways that have not been realized before, and simplifies operations and the response to events.

Secure UNS Connectivity

Unified Namespace combined with zero trust connectivity can be the transformative solution you are looking for to integrate your industrial data.

Unified Namespace (UNS) requires secure, agile connectivity like NetFoundry’s Ziti for success because it enables seamless, real-time data flow across diverse and often geographically dispersed industrial environments while ensuring data security, integrity, and compliance with standards like IEC 62443.

Streamlined UNS Deployment

Leverage NetFoundry for secure, agile connectivity in evolving Unified Namespace implementations.

Using an Overlay Network To Integrate Disparate Data

As the purpose of a UNS implementation is to collect information from, and distribute information to, disparate sources, an overlay network can assist in the evolution toward a full UNS system. Protocols such as Sparkplug B and OPC UA have been created and evolved to provide a common format for delivering information; however, the transport of this data must still meet the needs and capabilities of the sources and the facilities.

We propose the use of the NetFoundry Platform (also available as a service via NetFoundry Cloud) as a solution for UNS deployment and evolution, in a manner that meets the requirements of IEC 62443 and other standards, enabling the secure and rapid deployment of data sources and sinks and their connections to the brokers regardless of the underlying network architecture. The agility, flexibility, high availability, and completeness of operations make NetFoundry and Ziti an easy choice for UNS and other industrial connectivity needs.

Why Do We Need UNS?

UNS provides several benefits when implemented that can make enterprises more efficient in their business while simplifying operations and the supporting processes. With a consistent approach, organizations can use their own data to make better decisions, normalize the data access methods for dependent systems, scale up to meet demand, and streamline workflows. A properly designed and implemented UNS system will also offer easier security policy enforcement and compliance, and reduce integration costs. These benefits have been realized in non-industrial spaces for years, and while there are fundamental differences between the information systems of IT and OT, the benefits are attainable while maintaining the security and availability required of OT environments.

Transformative Benefits of UNS

Unlock efficiency and scalability with Unified Namespace, enhancing operations and security compliance.

 

Bridging Enterprise and Industrial Data

UNS simplifies integration across layers, enhancing security and agility in industrial networking.

Network Friction In Implementing UNS

UNS combines enterprise and industrial data. While this has always been true, networking in manufacturing and industry has often been based on the Purdue model, with strict controls per layer of the model to protect the safety and availability of the system. This makes integrating devices at the edge of the process difficult, because of the complexity of separating each layer. However, the Purdue model is an information architecture, not a networking model, and standards such as IEC 62443 provide guidance that allows communication to flow directly, or via appropriate brokers for systems not capable of using the protocols, wherever those systems exist within the network, connecting zones via conduits. Of course, the communications of these systems must maintain the safety and security of the system as a whole. They also need to be agile, to scale, and to provide all the functions needed for efficient and resilient operation.

The ISAGCA has written a recent paper on the application of IEC 62443 to cloud-based systems, "IIoT System Implementation and Certification Based on ISA/IEC 62443 Standards". While UNS does not require cloud assets, the paper is a good example of the appropriate way to analyze risk for these types of systems, and some UNS client applications or enterprise-level brokers may well exist in the cloud. The paper and accompanying webinar cover the various types of processes and their risk analysis in depth, with recommendations for implementation as well as future work for various working groups. The figure below, taken from the paper, shows the data usage models they investigated as part of the study.

Securing UNS with IEC 62443 Compliance via Virtual Conduits

The findings of the study identified those functions that, if placed in the cloud, would fall under the scope of IEC 62443 requirements. As one can see, the simple sending of data to a cloud based system for reasons outside the process being monitored, or to analyze and present data to a human operator who acts independently of the system are considered out of scope for the security requirements of the standard. When any information is sent from the cloud based system to the actual process, the cloud zones are in scope.

UNS, as a data collection and distribution model, is similar, and generally outside the scope of the existing standards. That said, the implementation of UNS must meet the overall security requirements of the environment it is in, and this will have large portions covered by the standard’s requirements. There is also a high likelihood that the UNS may become part of a larger solution in the examples to the right. While it would be up to the risk assessment to scope the components in or out, it makes sense to treat them as if they fall under the standard from the beginning.

Communications from the information sources to a UNS broker should be as direct as the technical constraints allow. This simplifies implementation and operation and improves timeliness. Plant networks, however, should also be architected as zones interconnected by conduits, as IEC 62443 describes, which often makes it difficult to ensure that these communications are properly secured. IEC 62443 also specifies virtual conduits: connections that travel over the various physical network segments, directly connecting two zones that are otherwise largely separated, provided they are not accessible to systems in the zones they pass through. Virtual conduits are the key to ensuring compliance with standards such as IEC 62443, maintaining real security within the network, and realizing the benefits of UNS and other data-driven initiatives, simultaneously.
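To make the UNS mechanics from the opening section and the zone/conduit model above concrete, here is an added Python example (not NetFoundry or OpenZiti code) of a minimal in-process UNS broker. It validates ISA-95 style topic paths, matches MQTT-style `+` and `#` subscriptions, retains the current value per topic, and refuses any publish or delivery that would cross between zones without an explicit conduit. Zone names, clients, topics and conduits are constructed for the example.

```python
"""Minimal Unified Namespace broker with ISA-95 topics and zone/conduit enforcement.

Added example for this article, not NetFoundry or OpenZiti code. It assumes an
ISA-95 style topic path (enterprise/site/area/line/cell/tag), MQTT-style '+'
and '#' wildcards for subscriptions, and models IEC 62443 zones and conduits
as an explicit, directional allow-list of (from_zone, to_zone) pairs that the
broker checks on every publish and every subscription. All data is constructed.
"""
from collections import defaultdict


class ConduitViolation(Exception):
    """Raised when a flow would cross zones with no conduit defined for it."""


def validate_topic(topic, min_levels=3):
    """ISA-95 path: at least enterprise/site/area, no empty levels, no wildcards."""
    levels = topic.split("/")
    if len(levels) < min_levels or any(level == "" for level in levels):
        raise ValueError(f"topic {topic!r} is not an ISA-95 path")
    if any(level in ("+", "#") for level in levels):
        raise ValueError("wildcards are only valid in subscriptions")
    return levels


def topic_matches(pattern, topic):
    """MQTT semantics: '+' matches exactly one level, '#' matches the remaining tail."""
    p, t = pattern.split("/"), topic.split("/")
    for i, seg in enumerate(p):
        if seg == "#":
            return True
        if i >= len(t) or (seg != "+" and seg != t[i]):
            return False
    return len(p) == len(t)


class UNSBroker:
    def __init__(self, zone, conduits):
        self.zone = zone
        self.conduits = set(conduits)       # allowed (from_zone, to_zone), directional
        self.state = {}                     # retained current value per topic: the namespace
        self.subs = defaultdict(list)       # client -> [patterns]
        self.clients = {}                   # client -> zone
        self.delivered = defaultdict(list)  # client -> [(topic, value)], for inspection

    def _check_conduit(self, src, dst, what):
        if src != dst and (src, dst) not in self.conduits:
            raise ConduitViolation(f"{what}: no conduit {src} -> {dst}")

    def register(self, client, zone):
        self.clients[client] = zone

    def subscribe(self, client, pattern):
        # Deliveries will flow broker zone -> subscriber zone; refuse up front if no conduit.
        self._check_conduit(self.zone, self.clients[client], f"subscribe {client}")
        self.subs[client].append(pattern)

    def publish(self, client, topic, value):
        validate_topic(topic)
        # Publishes flow publisher zone -> broker zone.
        self._check_conduit(self.clients[client], self.zone, f"publish {client}")
        self.state[topic] = value
        for sub, patterns in self.subs.items():
            if any(topic_matches(p, topic) for p in patterns):
                self.delivered[sub].append((topic, value))


def demo():
    """Plant-floor PLC publishes into a site-level broker; MES and a cloud
    analytics client subscribe; the cloud client is refused when it tries to
    write a setpoint back toward the process."""
    broker = UNSBroker("L3-site", conduits=[("L1-cell", "L3-site"), ("L3-site", "cloud")])
    broker.register("plc-line1", "L1-cell")
    broker.register("mes", "L3-site")
    broker.register("cloud-analytics", "cloud")
    broker.subscribe("mes", "acme/plant1/packaging/+/+/state")
    broker.subscribe("cloud-analytics", "acme/plant1/#")
    broker.publish("plc-line1", "acme/plant1/packaging/line1/filler/state", "RUNNING")
    broker.publish("plc-line1", "acme/plant1/packaging/line1/filler/temperature", 71.5)
    blocked = None
    try:
        broker.publish("cloud-analytics", "acme/plant1/packaging/line1/filler/setpoint", 65.0)
    except ConduitViolation as exc:
        blocked = str(exc)
    return broker, blocked


if __name__ == "__main__":
    b, why = demo()
    print("namespace:", b.state)
    print("blocked:", why)
```

The conduit allow-list is directional: `("L3-site", "cloud")` lets the cloud analytics client subscribe to plant data, but there is no `("cloud", "L3-site")` entry, so its attempt to publish a setpoint back toward the process is refused before the value reaches the namespace. That is the same boundary the ISAGCA analysis draws: data flowing out to the cloud for independent analysis stays out of scope, while anything sent from the cloud back to the process brings that zone into scope and must be deliberately permitted.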

Ensuring Compliance with IEC 62443

UNS integrates seamlessly with cloud and industrial systems while maintaining robust security standards.

Evolving OT Security Models

Increased focus on data integrity and confidentiality is vital for safeguarding industrial systems.

Why Do We Need To Secure UNS?

The OT security model places a lower inherent value on the integrity and confidentiality of data than the IT model does, favoring safety first and availability second. This is well understood and reasonable given the requirements and purposes of the two fields. However, in today's cyber environment it is important to note that a loss of integrity or confidentiality can itself cause safety and availability issues.

Examples of data integrity attacks have been seen in the wild, and research is being done to understand the potential ramifications. As seen in the IT world, one can only expect the attacks to become more sophisticated, and more disruptive over time. Within the critical infrastructure subset of ICS, it is important to note that nation state actors are directly involved in the development and deployment of cyber weapons; the risks associated with these actors are very significant. Manufacturing systems not deemed critical infrastructure may also be targeted, either as collateral damage, or as a weapon of economic terrorism.

Stuxnet: The Complex Malware That Exploited Industrial Control Systems

Perhaps the best known attack against industrial control systems, in this case targeting uranium enrichment, Stuxnet was a very complex malware program. Like other malware, it took many steps to mask itself and to propagate. However, its main function was to conduct a man-in-the-middle attack, intercepting sensor signals and preventing the safety systems from shutting the process down, leading to the physical destruction of the equipment controlled by the infected systems.
 

For its targets, Stuxnet contains, among other things, code for a man-in-the-middle attack that fakes industrial process control sensor signals so an infected system does not shut down due to detected abnormal behavior. Such complexity is very unusual for malware. The worm consists of a layered attack against three different systems:

  1. The Windows operating system,
  2. Siemens PCS 7, WinCC and STEP7 industrial software applications that run on Windows and
  3. One or more Siemens S7 PLCs.

 

Source: Wikipedia

Lessons from Stuxnet

Stuxnet’s sophisticated man-in-the-middle attack highlights vulnerabilities in industrial control systems.

OT Malware in Warfare

FrostyGoop exemplifies the growing threat of malware targeting critical infrastructure in conflict.

FrostyGoop: Russia-Linked OT Malware Disrupts Critical Infrastructure in Ukraine

OT malware is also being used as a weapon of indirect warfare and terrorism. The Russia-Ukraine conflict has produced many examples over the last several years of attacks on power grids; the case below is notable for disrupting building heating controls during winter.

Industrial cybersecurity firm Dragos on Tuesday revealed a newly discovered sample of Russia-linked malware that it believes was used in a cyberattack in late January to target a heating utility in Lviv, Ukraine, disabling service to 600 buildings for around 48 hours. The attack, in which the malware altered temperature readings to trick control systems into cooling the hot water running through buildings’ pipes, marks the first confirmed case in which hackers have directly sabotaged a heating utility.

The malware, which Dragos is calling FrostyGoop, represents one of less than 10 specimens of code ever discovered in the wild that’s designed to interact directly with industrial control-system software with the aim of having physical effects. It’s also the first malware ever discovered that attempts to carry out those effects by sending commands via Modbus, a commonly used and relatively insecure protocol designed for communicating with industrial technology.

Source:  Wired.com
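The FrostyGoop case turns on a property of Modbus that the quote above mentions only in passing: the protocol carries no authentication, so any host that can reach a device on TCP/502 can issue write commands, and a write that changes a setpoint looks exactly like a legitimate one on the wire. One compensating control on the underlay is to alert on any Modbus write function code that comes from a host other than the known HMI/SCADA writers. The following Python is an added example written for this page, not code from Dragos, NetFoundry or the FrostyGoop analysis; the frames, IP addresses and allowlist are constructed, and the function-code names follow the Modbus application protocol specification.

```python
"""Flag Modbus/TCP write requests from hosts not authorised to write.

Added example for this page (not Dragos or NetFoundry code).  Frames,
addresses and the allowlist below are constructed for the example.
"""
import struct
from dataclasses import dataclass

# Modbus function codes that change process state (writes)
WRITE_FUNCTIONS = {
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
    0x16: "Mask Write Register",
    0x17: "Read/Write Multiple Registers",
}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    data: bytes


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse one Modbus/TCP ADU: 7-byte MBAP header followed by the PDU."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header + function code")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError(f"unexpected protocol id {pid} (Modbus is 0)")
    # the length field counts everything after itself: unit id + PDU
    if length != len(frame) - 6:
        raise ValueError(f"length field {length} != {len(frame) - 6} bytes present")
    return ModbusRequest(tid, unit, frame[7], frame[8:])


def describe_write(req: ModbusRequest) -> str:
    """Decode the target of a write so the alert says what was changed."""
    if req.function == 0x06 and len(req.data) >= 4:
        addr, value = struct.unpack(">HH", req.data[:4])
        return f"register {addr} <- {value}"
    if req.function == 0x05 and len(req.data) >= 4:
        addr, value = struct.unpack(">HH", req.data[:4])
        return f"coil {addr} <- {'ON' if value == 0xFF00 else 'OFF'}"
    if req.function in (0x0F, 0x10) and len(req.data) >= 4:
        start, qty = struct.unpack(">HH", req.data[:4])
        return f"{qty} item(s) from {start}"
    return "write"


def detect_unauthorised_writes(events, allowed_writers):
    """events: iterable of (src_ip, frame_bytes).  Returns alert strings."""
    alerts = []
    for src, frame in events:
        try:
            req = parse_modbus_tcp(frame)
        except ValueError as exc:
            alerts.append(f"{src}: malformed Modbus/TCP frame ({exc})")
            continue
        if req.function in WRITE_FUNCTIONS and src not in allowed_writers:
            alerts.append(
                f"{src}: {WRITE_FUNCTIONS[req.function]} to unit {req.unit_id}: "
                f"{describe_write(req)}"
            )
    return alerts


# Constructed sample traffic, as if captured on the OT segment
SAMPLE_EVENTS = [
    ("10.0.0.5", bytes.fromhex("0001 0000 0006 01 03 0000 000a")),   # HMI reads 10 registers
    ("10.0.0.99", bytes.fromhex("0002 0000 0006 01 06 0010 0000")),  # unknown host writes reg 16 := 0
    ("10.0.0.5", bytes.fromhex("0003 0000 000b 01 10 0010 0002 04 0041 0042")),  # HMI writes 2 regs
    ("10.0.0.99", bytes.fromhex("0004 0001 0006 01 03 0000 0001")),  # bad protocol id
]
ALLOWED_WRITERS = {"10.0.0.5"}

if __name__ == "__main__":
    for line in detect_unauthorised_writes(SAMPLE_EVENTS, ALLOWED_WRITERS):
        print(line)
```

In a real deployment the frames would come from a capture or IDS tap on the OT segment rather than an inline list, and the allowlist would be generated from the asset inventory. The check is deliberately simple: it cannot tell a malicious setpoint from a benign one, which is exactly why the rest of this page argues for removing reachability (an unauthorized host should never be able to open TCP/502 to the device at all) rather than relying on inspection alone.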

False Data Injection: A Critical Threat to Smart Cities and Industrial Control Systems

A group of Turkish researchers published a paper on false data injection, considering industrial control systems and the growing movement of smart cities.

ICS are one of the most critical components used in smart grid and smart city infrastructures. The vulnerabilities of the ICS and infrastructure architectures built on them affect the entire system. There are several attack methods that can be done through these vulnerabilities, but the FDI attack is one of the most damaging. Because with FDI (False Data Injection) attacks, it is possible to change the data in a controlled way and to change the firmware codes. When the impact of the FDI attack on the system is evaluated, it will take a long time especially to bring the system back to its current working state and great damage may occur. In addition, with this attack, it is possible to obtain data by manipulating the data in a controlled manner. For this reason, it is critical to take countermeasures by revealing the procedures of the FDI attack.

Source: ScienceDirect.com

 

Threats of False Data Injection

FDI attacks can manipulate critical ICS data, posing severe risks to smart city infrastructures.

Risks Beyond Nation States

A young hacker’s tram manipulation highlights vulnerabilities in urban transport systems and oversight.

Lodz, Poland Tram Hack: Another Real-World Example of Cyber Vulnerabilities

Lastly, lest we get the impression that these risks, whether theoretical or realized, come only from nation state actors: in 2008 a 14-year-old Polish boy built a device (a modified infrared remote control that operated the track switches) that allowed him to “play” with the city’s trams like a model train set.

“He treated it like any other schoolboy might treat a giant train set, but it was lucky nobody was killed. Four trams were derailed, and others had to make emergency stops that left passengers hurt. He clearly did not think about the consequences of his actions,” Micor added.

Source: theRegister.com

Securing Connected Industrial Systems: The Critical Role of Risk Management

As industrial systems become more and more connected, these risks will continue to increase. The potential ramifications of all cyberattacks must be taken into account in proper risk management programs. While the priority on safety is paramount, one must understand the threat landscape of how safety may be compromised, which may be in ways that are not commonly considered in the OT space.

Industrial systems continue to evolve into more data-driven architectures. It is critical that we learn from the mistakes of the IT events of the last decades; true security by design should be implemented at every step. As UNS is a major step forward in the collection and dissemination of data across entire enterprises, special care must be taken to ensure the security of the system as a whole.

Navigating Cyber Risks in Connected Systems

As industrial systems evolve, robust risk management and security by design are essential.

Ziti: Simplifying Secure Connectivity

NetFoundry’s Ziti offers a lightweight, open-source solution for seamless industrial and enterprise networking.

How NetFoundry’s Ziti Platform Can Enable UNS and Beyond

Ziti, the core architecture and technology of NetFoundry, is a software-defined and software-implemented secure network. It operates at the communication layer, offering security and simplicity while retaining the features and functionality of a production-class network. The functions can be embedded directly into software via software development kits (SDKs) in many languages; the C SDK is built to be lightweight and suitable for resource-constrained environments. The software is open source and fully available for integration into products and solutions, which allows vendors and operators to use it as a primary communication method, or as an available option, without licensing costs.

The challenge of networking across both industrial and enterprise systems is real: the security requirements of the two can be very different, and implementing common systems is difficult. Ziti, however, makes it possible to deploy UNS data senders and brokers wherever they are needed without that complexity. From the underlay’s perspective, Ziti endpoints use outbound-only connectivity, even when they host services that other endpoints initiate connections towards. The identity’s configuration provides the Network Controller address, which lets the endpoint attach to the network instance. Once authenticated and authorized, the endpoint receives additional configuration and connects to Edge Routers as appropriate.

Dynamic, Policy-Driven Connectivity: Simplifying Network Operations with Ziti for UNS and Beyond

From an underlay networking perspective, this allows firewalls, access control lists and similar systems to simply block all inbound traffic to the device and allow outbound only. This simplifies network configuration, because the system as a whole no longer has to record and permit each individual connection, with the rule updates for every device addition or change and the audits and other ongoing work that network operations would otherwise carry. Instead, the Ziti network instance allows or disallows connectivity by policy, dynamically: a policy change that permits or revokes connections between identities and services is applied within seconds, either to allow new connections or to disallow them and break those already established. Connectivity can be viewed or audited from a single central location across the entire enterprise, using built-in tools.
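To make the policy behaviour described above concrete, the following Python models the service-policy vocabulary OpenZiti uses (identity and service role attributes, "#attr", "@name" and "#all" selectors, AnyOf/AllOf semantics, and separate Dial and Bind policy types) and shows an authorization decision flipping when a policy is added and then removed. It is an added example for this page, not OpenZiti’s own controller code, and every identity, service and attribute name in it is constructed. It also illustrates the “authenticate before connect” property the case studies later on this page state: an identity that no policy grants a service never learns that the service exists.

```python
"""Model of OpenZiti-style, attribute-driven service policies.

Added example for this page; not OpenZiti controller code, talks to no
controller.  Identity, service and attribute names are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Entity:
    """An identity or a service: a name plus a set of role attributes."""
    name: str
    attributes: frozenset = frozenset()


@dataclass
class ServicePolicy:
    name: str
    kind: str               # "Dial" (client side) or "Bind" (host side)
    identity_roles: list    # selectors: "#attr", "@name", "#all"
    service_roles: list
    semantic: str = "AnyOf"  # or "AllOf": every selector must match


def role_matches(roles, entity: Entity, semantic: str) -> bool:
    """'#all' matches everything, '@name' one entity, '#attr' an attribute."""
    if "#all" in roles:
        return True
    hits = []
    for role in roles:
        if role.startswith("@"):
            hits.append(role[1:] == entity.name)
        elif role.startswith("#"):
            hits.append(role[1:] in entity.attributes)
        else:
            raise ValueError(f"bad role selector {role!r}")
    return all(hits) if semantic == "AllOf" else any(hits)


class PolicyStore:
    """Controller-side view of which identity may Dial or Bind which service."""

    def __init__(self):
        self.policies = {}

    def add(self, policy: ServicePolicy):
        self.policies[policy.name] = policy

    def remove(self, name: str):
        self.policies.pop(name, None)

    def permitted(self, identity: Entity, service: Entity, kind: str) -> bool:
        return any(
            p.kind == kind
            and role_matches(p.identity_roles, identity, p.semantic)
            and role_matches(p.service_roles, service, p.semantic)
            for p in self.policies.values()
        )

    def visible_services(self, identity: Entity, services) -> set:
        """All an identity ever learns about: services some policy grants it."""
        return {s.name for s in services
                if self.permitted(identity, s, "Dial")
                or self.permitted(identity, s, "Bind")}


# Constructed plant: a UNS broker hosted on the OT side plus an HMI web service
PLC_GATEWAY = Entity("plc-gateway-01", frozenset({"uns-publisher", "plant-a"}))
ANALYTICS = Entity("analytics-vm", frozenset({"uns-consumer", "it"}))
CONTRACTOR = Entity("contractor-laptop", frozenset({"remote"}))
BROKER_HOST = Entity("uns-broker-host", frozenset({"uns-broker"}))
UNS_BROKER = Entity("uns.mqtt", frozenset({"uns"}))
HMI_WEB = Entity("hmi.web", frozenset({"plant-a"}))
SERVICES = [UNS_BROKER, HMI_WEB]


def build_store() -> PolicyStore:
    store = PolicyStore()
    # the broker host may Bind (host) the broker service
    store.add(ServicePolicy("uns-hosts", "Bind", ["#uns-broker"], ["#uns"]))
    # publishers and consumers may Dial it (AnyOf: either attribute suffices)
    store.add(ServicePolicy("uns-clients", "Dial",
                            ["#uns-publisher", "#uns-consumer"], ["#uns"]))
    # AllOf: only identities that are BOTH plant-a AND publishers reach the HMI
    store.add(ServicePolicy("hmi-ops", "Dial",
                            ["#plant-a", "#uns-publisher"], ["#plant-a"], "AllOf"))
    return store


def jit_access_scenario():
    """Grant the contractor the broker just in time, then revoke it."""
    store = build_store()
    before = {
        "plc_dials_broker": store.permitted(PLC_GATEWAY, UNS_BROKER, "Dial"),
        "host_binds_broker": store.permitted(BROKER_HOST, UNS_BROKER, "Bind"),
        "contractor_dials_broker": store.permitted(CONTRACTOR, UNS_BROKER, "Dial"),
        "contractor_sees": store.visible_services(CONTRACTOR, SERVICES),
        "plc_dials_hmi": store.permitted(PLC_GATEWAY, HMI_WEB, "Dial"),
        "analytics_dials_hmi": store.permitted(ANALYTICS, HMI_WEB, "Dial"),
    }
    store.add(ServicePolicy("jit-contractor", "Dial",
                            ["@contractor-laptop"], ["@uns.mqtt"]))
    during = store.permitted(CONTRACTOR, UNS_BROKER, "Dial")
    store.remove("jit-contractor")   # a live fabric also tears down the session
    after = store.permitted(CONTRACTOR, UNS_BROKER, "Dial")
    return before, during, after


if __name__ == "__main__":
    print(jit_access_scenario())
```

In a live OpenZiti network the equivalent of `store.add` is `ziti edge create service-policy ...` against the controller, and removing a Dial policy does more than change the answer `permitted()` returns: the controller also terminates sessions that are no longer authorized, which is the “break current connections” behaviour described above. Note that the contractor’s visible service set is empty before the JIT policy exists; that, rather than a rejected connection attempt, is what keeps an unauthorized endpoint unaware of the service.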

The same connectivity can be applied to systems within the enterprise network that need to connect to the UNS to publish or extract data. Prebuilt software is available for all major operating systems, or the SDKs can be used to embed. Other deployment models to utilize Edge Routers or tunnelers as gateways are also available, and all models can coexist, depending on need.

Once a Ziti network exists, it is a general connectivity resource; UNS is just one use case. Remote access and other uses are easily deployed with the same models, and the availability of APIs to integrate with existing software provides flexibility far beyond legacy networks, enabling models such as just-in-time (JIT) access integrated with existing processes.

Dynamic Secure Networking with Ziti

Ziti streamlines outbound-only connectivity, enhancing security and simplifying network management across systems.

Implementing UNS in Industry 4.0: Simplifying Secure Data Integration with Ziti

UNS is an evolution tied to the Industry 4.0 movement. It enables businesses with manufacturing and other industrial processes to collect and distribute data so they can monitor and manage the state of the business more effectively, increasing efficiency, reducing costs and enabling higher profitability. As an information system, UNS can be difficult to implement fully in OT environments because of the more stringent safety and availability requirements there. Ziti enables organizations to implement UNS simply and efficiently, regardless of network configuration or node types, and to be secure by design, protecting the business and meeting the requirements of relevant standards such as ISA/IEC 62443.

The post Unified Namespace and Secure Connectivity: Transforming Industrial Data Management appeared first on NetFoundry.

Top 5 U.S. MilGov Contractor Private 5G Case Study https://netfoundry.io/resources/top-5-u-s-milgov-contractor-private-5g-case-study/ Fri, 27 Sep 2024 01:22:18 +0000

Military Group Deploys Zero Trust Connectivity On Any Device, Any OS, Anywhere

How a Leading Contractor Embedded Secure Zero Trust Communication in Military Field Devices

Military groups needed secure communication between 5G handsets, reconnaissance drones, and databases, requiring session-level microsegmentation with specific session permissions.

 

Top 5 U.S. MilGov Contractor
Private 5G.MIL™ Communications

5G.MIL is a secure, 5G-enabled “network of networks” integrating military and commercial telecommunication infrastructures. It supports seamless, resilient communication across air, land, sea, space, and cyber domains, enhancing interoperability between 5G, NextG, and DoD networks for effective military operations.

Obstacle

The primary obstacle for the military contractor was ensuring the secure and efficient transmission of highly sensitive mapping data captured by drones over a private 5G network, overcoming the challenges traditional VPN solutions posed in deployment, management, scalability and access control granularity.

Opportunity

The opportunity lay in leveraging the Zero Trust architecture of NetFoundry’s Ziti platform to provide secure, application-layer communications with fine-grained access control, integrating seamlessly with the private 5G network to protect data transmissions between drones, virtualized databases and the mobile devices used by ground troops.

Outcome

The integration of NetFoundry’s Ziti networking into the military contractor’s project ensured secure, real-time communication within the private 5G network, protecting sensitive mapping data from drones and enabling ground troops to efficiently access and interact with this information, thereby enhancing operational effectiveness and mission success.

Securing Drone Data

The primary obstacle faced by the military contractor was ensuring the secure and efficient transmission of highly sensitive mapping data captured by drones. This data needed to be transmitted over a private 5G wireless network to a cluster of virtualized databases. The challenges included:

  • Traditional VPN Limitations:
    • Cumbersome to deploy, manage, and scale.
    • Insufficient granularity in access control.
  • Dynamic and Mobile Nature of Ground Troops:
    • Required a secure yet flexible means of accessing and interacting with data in real-time using mobile devices.
  • Existing Security Measures:
    • Inadequate to address the high stakes of potential data breaches, compromising mission success and troop safety.

This created an urgent need for a more robust, scalable, and fine-grained access control solution.

Applying Zero Trust

NetFoundry and the Ziti Platform presented a compelling solution to these challenges due to its Zero Trust architecture and open-source nature:

  • Application Layer Security:
    • Provides end-to-end encryption.
    • Ensures only authenticated and authorized entities can access the data.
  • Fine-Grained Access Control:
    • Each ground troop can access only the data necessary for their specific role and mission.
  • Flexibility and Scalability:
    • Seamlessly integrates with the private 5G wireless network.
    • Facilitates secure communication between drones, virtualized databases, and mobile devices.
  • Protection Against Interception:
    • Ensures data transmitted and received is protected against unauthorized access.
    • Maintains confidentiality and integrity of mission-critical information.

 

Mission Accomplished

The integration of the NetFoundry Ziti Platform into the military contractor’s project was a decisive success, ensuring secure communications across the private 5G wireless network:

  • Zero Trust Architecture:
    • Secured all communications from drones to ground troops’ mobile devices.
    • Real-time encryption and authentication prevented unauthorized access and data breaches.
  • Enhanced Operational Effectiveness:
    • Enabled ground troops to securely and efficiently retrieve and interact with up-to-date mapping data.
    • Improved situational awareness and operational effectiveness.
  • Demonstrated Feasibility:
    • Showcased the feasibility and effectiveness of using drones and private 5G technology for secure battlefield intelligence.
  • Validated Technology:
    • Positioned the military contractor as a leader in innovative and secure communication solutions for defense applications.

Lives depend on this solution.

Solution Overview: Embedded Zero Trust Communication in Military Field Devices

Achieve Secure 5G with NetFoundry

Session-Level Microsegmentation for Military Applications

Learn how Ziti enabled secure, session-specific communication for military applications, ensuring robust security and operational efficiency.

The post Top 5 U.S. MilGov Contractor Private 5G Case Study appeared first on NetFoundry.

VPN Alternative: Tata Sons’ Shift to NetFoundry’s Zero Trust AppNets https://netfoundry.io/resources/vpn-alternative-tata-sons-shift-to-netfoundrys-zero-trust-appnets/ Wed, 25 Sep 2024 18:03:26 +0000

VPN Alternative: Tata Sons’ Shift to NetFoundry’s Zero Trust AppNets

Tata Sons is the principal investment holding company and promoter of Tata companies, India’s only value-based corporation – a visionary, a pioneer, a leader, since 1868. Tata group is a global enterprise comprising 13 companies across ten verticals. The group operates in 100 countries across six continents. 66% of the equity share capital of Tata Sons is held by philanthropic trusts, which support education, health, livelihood generation, and art and culture.

We wanted a VPN alternative to have an easy-to-use, seamless and secure solution for our users to connect to apps hosted across clouds from anywhere.

Case Study Highlights

Software-only, Zero Trust NetFoundry Cloud replaces multiple point solutions

The NetFoundry Cloud has enabled Tata Sons to replace SSL VPNs, jump hosts, MPLS VPNs and SD-WANs with a single Zero Trust overlay network and application-specific AppNets, without any hardware. NetFoundry Cloud is a Network as a Service offering of the NetFoundry Ziti Platform, hosted and managed by NetFoundry experts.

Global, Secure Network with Distributed Users and Applications

Tata Sons employees, along with other users, seamlessly access applications hosted across private and public clouds, as well as hosted data centers, from any location. Leveraging a zero trust network overlay, they achieve the highest levels of security, control, and visibility, with full adherence to zero trust principles. Whether on Windows or Mac devices, users assigned to NetFoundry AppNets are granted least-privilege, microsegmented network access to specific resources, ensuring secure connectivity to essential systems from any location.

Tata Sons needed a VPN alternative to improve its security across distributed environments. It required a zero trust architecture and transitioned from VPNs to NetFoundry AppNets.

Challenge

Overcoming security concerns and optimizing network design

Tata Sons wanted to improve its IT security posture, moving away from vulnerable VPN technology and the multiple point solutions that hampered performance. The goal was a VPN alternative that provided seamless, secure access to apps for users in the office or anywhere, with consistent application performance. Tata Sons had deployed SSL VPN for remote access, and IPsec or MPLS VPN and point-to-point links to connect offices and remote employees to apps hosted in its private DC, Azure public cloud and a hosted DC. With the advent of zero trust architecture and software-defined networks, Tata Sons wanted to explore alternatives that would meet its security, performance, agility and visibility goals and be ready for future growth.

VPN alternative and network for the future: Distributed apps and users with complete visibility and control

Tata Sons had moved apps to Azure and a hosted cloud provider, while some apps remained at the private DC. Employees access apps from branch locations or anywhere, and the clouds themselves (Azure, the private DC and the hosted cloud) also needed to be connected to each other. With COVID-19 changing the future of work, Tata Sons wanted to provide a seamless and productive experience to users wherever they were located. The new solution had to support users connecting from a variety of devices, including personal (BYOD) laptops and desktop PCs as well as corporate-supplied laptops. The existing internet connections and infrastructure at offices, private data centers and hosted clouds had to be reused, while remote users could connect over any available home internet service. The old approach would not be secure enough; Tata Sons needed a VPN alternative.

With NetFoundry Cloud implementation, Tata Sons experienced the following gains:

  • 3 solutions replaced by NetFoundry Cloud: SSL VPNs for remote users, MPLS VPN for branches, DC and cloud, and SD-WAN
  • 99.999% uptime in the last 4 years
  • 70% reduced cost compared to point solutions

NetFoundry Cloud Zero Trust Architecture

Inherent Features By Design

1. Secure-by-default private zero trust fabric overlay renders all apps and resources invisible to the Internet, with no listening or open firewall ports or IPs

2. Routers deployed in HA with automated load sharing of traffic ensure the highest availability at Azure Cloud and the private DC

3. Communication is outbound only, requiring no listening IPs or ports and no firewall holes. Service binding via reverse communication is only permitted by AppNet association

4. Least-privileged, microsegmented app connections for users and admins to access each application hosted across multiple clouds / DCs

5. Exceeds the guidelines provided by NIST for zero trust architecture. Implemented with mutual TLS (mTLS), ChaCha20-Poly1305 encryption and bi-directional X.509 certificate-based identity and authentication

6. Authenticate before connect: if a registered endpoint is not permitted to access a resource, it will never communicate to, or have awareness of, the provider of the resource unless provisioned to it

Solution

Achieving critical security across the organization with AppNets, a VPN alternative

The integration of NetFoundry Cloud into Tata Sons’ infrastructure and apps allowed the company to immediately remove its complex dependencies on VPNs, mitigate the issues with multiple point solutions, and gain deep insight into metrics such as application and endpoint utilization and dial logs. With little to no friction, users and apps were migrated from the existing setup to the NetFoundry Cloud platform. The ability to embed zero trust networking for use cases such as (1) remote access for employees to distributed apps, (2) connectivity from branches to distributed apps, and (3) hybrid cloud connectivity between the data center and public cloud gave the company strong security and optimal performance.

The Tata Sons IT security architecture now exceeds the NIST framework on zero trust architectures at the network layer. NetFoundry Cloud authorizes each end-to-end encrypted session for least-privileged access, creating a microsegmented network for each user group that prevents lateral movement between AppNets (microsegmented networks). Unlike the former VPN setup, which exposed listening services to the public internet, NetFoundry’s solution closes all inbound ports at the customer edge; apps and endpoints are dark to the internet. This alone keeps most internet-originated attacks at bay.

Simple, efficient and performant 

NetFoundry Cloud eliminated Tata Sons’ complex and expensive “bolted-on” infrastructure and reduced the wait times to onboard apps and users. The smart routing fabric provides the lowest-latency path over the Internet between any two communicating endpoints, and the network can be extended anywhere in the world on demand. The routers are deployed with high availability at Azure cloud and the hosted cloud; the NetFoundry Cloud HA routers load-share traffic by default, so resources are used optimally while providing redundancy.

Operational simplifications and consistently high uptime

Tata Sons has been using the NetFoundry Cloud platform for 4 years, since 2020, with a proven track record of > 99.999% uptime. A user-friendly UI for admins and the use of attributes for identities and services in service policies have greatly simplified operations for the IT team. User-group and role-level controls with specific microsegmented AppNets (service policies) and least-privilege access give the security team the controls required by audit and compliance regimes based on globally recognized security standards. NetFoundry Cloud metrics provide deep insight to the Tata Sons IT team. With the NetFoundry Cloud zero trust mesh network available across all DC, branch, user device and cloud / hosted cloud locations, Tata Sons has the complete reach of a military-grade zero trust network that can scale on demand, expand globally and be made available at any new edge or cloud. NetFoundry Cloud has made Tata Sons’ network security “future ready”.

 

“We made the right choice by selecting NetFoundry. The platform is user-friendly, allowing our users with swift connections to accomplish tasks. Also, the solution works well with least overheads, enabling our users to connect seamlessly even with low bandwidth networks.”

Royen Fernandes, Tata Sons IT

Tata Sons achieved enhanced security by replacing VPNs with NetFoundry’s zero trust platform and AppNets, enabling seamless management and performance.

About NetFoundry

Networking was once a barrier to app innovation and automation with dependencies on after-the-fact security and performance engineering. NetFoundry is shifting the paradigm in cybersecurity by embedding zero trust networking and security as code. Our NetFoundry Cloud solution embeds zero trust as software into apps, APIs, IoT devices, and other valuable assets rendering critical infrastructure invisible to the internet – and unreachable by potential attackers. It is the world’s first programmable, cloud native, zero trust network with near unlimited scale concurrency, and performance. NetFoundry Cloud represents a new art of the impossible by enabling developers, network engineers, DevOps, and cloud teams to programmatically control private, zero trust, high performance networking. NetFoundry Cloud is built on NetFoundry’s Ziti platform which is part of the OpenZiti project, the world’s most used and widely integrated open source networking platform.

The post VPN Alternative: Tata Sons’ Shift to NetFoundry’s Zero Trust AppNets appeared first on NetFoundry.

Revolutionizing iPaaS Security – Digibee’s Zero Trust Implementation https://netfoundry.io/resources/revolutionizing-ipaas-security-digibees-zero-trust-implementation/ Fri, 20 Sep 2024 15:56:13 +0000

Revolutionizing iPaaS Security – Digibee’s Zero Trust Implementation

Digibee

Digibee iPaaS enables software engineers to build and maintain even the most complex data and systems integrations with unprecedented speed and simplicity. It serves some of the world’s largest banks, and is the preferred iPaaS solution for 250-plus businesses, including Assai, B3, Barkley, Bauducco, GoPro, Oobe, and Payless. Digibee has embedded NetFoundry’s zero trust connectivity into its solutions for iPaaS security.

Integrating NetFoundry Cloud into our platform helps us obtain a competitive advantage in our ability to digitally transform our customers' business with a faster time to market, a future-proofed IT infrastructure, the strongest security, and a reduced investment in operational costs.

Case Study Highlights

Accelerate innovation with faster deployments

Integrations between the iPaaS and customer infrastructure are days to weeks faster, because they no longer depend on nailing up VPNs, managing IP address overlap problems, or deploying bastion hosts.

Provide customers with the strongest API security

APIs are unreachable from the Internet, only accessible from Digibee’s private NetFoundry Cloud zero trust overlay, while also making the APIs just as simple to consume. 

Better customer results without security tradeoffs

Customers no longer need to open up inbound ports, VPNs or bastions in order to consume Digibee services. Digibee uses the NetFoundry Cloud platform for all networking, including APIs and remote management.

Streamlining Enterprise Integrations by Overcoming Security and Scalability Challenges

Digibee re-engineered its integration architecture to eliminate complex VPN dependencies and security vulnerabilities, enabling scalable, cost-effective connections between their infrastructure and customer pipelines while supporting exponential growth and operational agility.

Challenge

Overcoming Operational Complexities and Security Concerns

Digibee’s integration architecture is designed to enable enterprise integrations of any scale and size, unlocking organizational agility and supporting exponential growth. The platform offered a built-in API gateway, protected by cloud provider security features against attacks such as DDoS. In this model, Digibee relied on a bespoke solution of point-to-point, device-centric tunnels and a trust model with coarse-grained access controls, resulting in a highly manual and configuration-heavy architecture.

Because of the attack surface created by the open ports VPNs require, Digibee’s leadership and technology teams began exploring alternatives that would mitigate IP overlap issues and reduce management time, simplifying the connection between their infrastructure and their customers’ pipelines. The existing architecture simply had too many limitations to scale faster, safer or more cost-effectively. Since different customers used the same internal, overlapping IP ranges, site-to-site VPNs made it hard to grow the customer base easily, and multiple providers further complicated VPN management and increased the cost of doing business.

Removing these interdependencies required the company to build a more robust infrastructure as its existing architecture was operationally burdensome to administer and difficult to scale. Customers scrutinized the security threat of open inbound ports required to access local interfaces and shift data to the Digibee platform in real-time. As a result, costs continued to rise due to ongoing operations and management of multiple types of customer endpoints, leaving Digibee struggling to optimize for performance and cost.

When integrating NetFoundry Cloud into its iPaaS architecture, Digibee experienced the following gains:

  • 22% increase in customer revenue
  • 18% reduction in infrastructure costs
  • 15% expansion of global footprint
  • 32% decrease in maintenance hours

NetFoundry "Zero Trust Designed-In" Architecture

Inherent strengths

1 - Secure by Default

Secure by default private, zero trust fabric overlay renders all APIs and customer-side assets invisible to the internet, closing all open inbound firewall ports

2 - Embedded Zero Trust

SDKs enhance the ability to build zero trust access directly into apps or any edge instantly extending anywhere, instead of a host device or gateway

3 - Closed Inbound Ports

Communication is outbound only, so overlapping customer IP ranges are not a problem and no port-forwarding or firewall holes are needed. Service binding via reverse communication is only permitted by AppNet association

4 - Least Privileged Access

Least-privileged, micro-segmented app connections for data collection from APIs and admin access to networks for each individual customer session

5 - mTLS and X.509

Exceeds US federal government zero trust mandates with mutual TLS (mTLS), encryption and bi-directional X.509 certificate-based identity and authentication

6 - Authentication Required

Authenticate before connect: If a registered endpoint is not permitted to access a resource, it will never communicate to, or have awareness of, the provider of the resource unless provisioned to it

Solution

Achieving critical security at scale using AppNets

The integration of NetFoundry Cloud into Digibee’s infrastructure and customer pipeline allowed the company to immediately remove its complex dependencies on VPNs, mitigate issues with overlapping IPs, and scale the onboarding of new clients and workloads with little to no friction. Reliant upon secure and efficient customer data transport, the ability to embed zero trust networking as code enabled the company to achieve strong protection and security.

The iPaaS platform now exceeds US Federal government zero trust mandates with mutual TLS, X.509 identities, and a private DNS. CloudZiti authorizes each end-to-end encrypted session for least privileged access – creating micro-segmented networks for each individual customer session. Unlike the former complexities of VPNs, which exposed the vulnerabilities of the public-facing edge, NetFoundry Cloud allowed Digibee to take edges off the internet and make them available only to authorized endpoints, without VPN clients or overlapping, whitelisted static IP addresses – and to do it with code and control it all from the cloud.

Digibee’s new cutting-edge zero-trust networking architecture enabled secure L3 access to IP:PORT/PROTO or internal DNS names through AppNets. AppNets are essentially NetFoundry’s implementation of zero trust microsegmentation and include the identities, services and policies configured for each NetFoundry AppNet. This allowed endpoints to exist in multiple environments, and with the help of SDKs, zero trust access could be seamlessly integrated into the iPaaS application with performant RDP and SSH. AppNets offered outbound-only communication and service binding via reverse communication. Endpoints had to authenticate before connecting, and administrators could effortlessly provision access to new services and distribute them to other endpoints. Users could safely access high-performing services like live video with this private network’s added security and performance.
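To make the "Zero Trust Designed-In" principles above and the AppNet description concrete, here is an added toy model (constructed for this page, not NetFoundry or OpenZiti code) of an AppNet as identities, services and policies: an endpoint only becomes aware of services a policy grants it, a dial is authorized before any provider is named, and only policy-bound endpoints may host a service. The "#attribute" / "@name" role syntax is assumed and loosely follows OpenZiti's; the tenant names, addresses and policies are constructed sample data.

```python
# Constructed model of the AppNet authorization described above (not NetFoundry or OpenZiti code).
# An AppNet holds identities, services and policies; "#attr" / "@name" roles loosely follow OpenZiti.
from dataclasses import dataclass

@dataclass(frozen=True)
class Identity:
    name: str
    attrs: frozenset            # role attributes, e.g. {"#customer-acme"}

@dataclass(frozen=True)
class Service:
    name: str
    attrs: frozenset
    intercept: str              # IP:PORT/PROTO or DNS name the client dials
@dataclass(frozen=True)
class Policy:
    kind: str                   # "Dial" (may connect) or "Bind" (may host)
    identity_roles: frozenset
    service_roles: frozenset

def _matches(roles, name, attrs):  # wildcard, explicit @name, or shared #attribute
    return "#all" in roles or f"@{name}" in roles or bool(roles & attrs)

class AppNet:
    def __init__(self, identities, services, policies):
        self.identities = {i.name: i for i in identities}
        self.services = {s.name: s for s in services}
        self.policies = list(policies)

    def permitted(self, identity, service, kind):
        """True only if some policy of `kind` associates this identity with this service."""
        ident, svc = self.identities[identity], self.services[service]
        return any(p.kind == kind
                   and _matches(p.identity_roles, ident.name, ident.attrs)
                   and _matches(p.service_roles, svc.name, svc.attrs)
                   for p in self.policies)

    def visible_services(self, identity):
        """Awareness is policy-gated: an endpoint only learns of services it may dial or bind."""
        return sorted(s for s in self.services
                      if self.permitted(identity, s, "Dial") or self.permitted(identity, s, "Bind"))

    def dial(self, identity, service):
        """Authenticate before connect: refuse unregistered/unauthorized endpoints before naming
        any provider; a permitted dial returns the intercept and the policy-bound host endpoints."""
        if identity not in self.identities:
            raise PermissionError(f"{identity}: not a registered endpoint")
        if service not in self.services or not self.permitted(identity, service, "Dial"):
            raise PermissionError(f"{identity}: no Dial policy for {service}")
        hosts = [i for i in self.identities if self.permitted(i, service, "Bind")]
        return self.services[service].intercept, hosts

NET = AppNet(  # constructed sample: two tenants with their own pipeline endpoints; only acme has a host bound
    identities=[Identity("acme-pipeline", frozenset({"#customer-acme"})),
                Identity("acme-erp-host", frozenset({"#customer-acme"})),
                Identity("beta-pipeline", frozenset({"#customer-beta"}))],
    services=[Service("acme-erp-api", frozenset({"#acme-svc"}), "erp.acme.internal:443/tcp"),
              Service("beta-crm-api", frozenset({"#beta-svc"}), "10.20.0.5:8443/tcp")],
    policies=[Policy("Dial", frozenset({"#customer-acme"}), frozenset({"#acme-svc"})),
              Policy("Bind", frozenset({"@acme-erp-host"}), frozenset({"#acme-svc"})),
              Policy("Dial", frozenset({"#customer-beta"}), frozenset({"#beta-svc"}))])
```

In this model beta-pipeline neither sees nor can dial acme's API, which is the per-customer micro-segmentation the text describes; a permitted dial with no bound host returns an empty host list, the state of a service whose provider has not yet been provisioned.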

NetFoundry Cloud eliminated Digibee’s complex and expensive “bolted-on” infrastructure and processes that its public-facing endpoints traditionally required. The same platform secured remote management of the company’s infrastructure, secured connections to its CI/CD and ops management and monitoring solutions, and secured networking between its servers and backend data stores, with certificate-based security applied at the network layers (not just at the user level).

Transforming Security and Scalability with NetFoundry’s AppNets

By integrating NetFoundry Cloud and AppNets, Digibee eliminated VPN dependencies, enhanced zero trust security, and seamlessly scaled customer onboarding and data transport, achieving secure, efficient connectivity across diverse environments with automated, code-driven management.

We have significantly reduced our VPN complexity and mitigated issues related to NAT and FTP with overlapping IPs, which has enabled us to onboard new clients and workloads with as little friction as possible. NetFoundry has allowed us to scale faster, safer, and more cost-effectively, while NetFoundry Cloud's zero trust overlay mesh network provides secure provisioning, management, and networking into our solutions as pure software.

Streamlining Operations and Enhancing Security with NetFoundry Cloud

NetFoundry Cloud empowered Digibee to embed secure, cloud-native networking into its platform, simplifying customer onboarding, reducing dependencies on traditional infrastructure, and enabling agile, automated management with improved performance and reduced support costs.

Operational simplifications, automation, and maintenance

NetFoundry Cloud enabled Digibee to embed secure provisioning, management, and networking into its platform as pure software, and its cloud-native integration with every major cloud allowed the company to build and run scalable applications. This greatly reduced the time to onboard new customers and deploy workloads, while improving and simplifying the security posture of the enterprise.

The new architecture eliminated VPN and private mobile APN backhaul and the dependencies on static IPs or port forwarding. It also enabled simple remote provisioning and management for authenticated administrators, using any network, even third party WiFi. Now with private app-specific networking, Digibee can limit bespoke IT systems and extend zero trust security across many use cases to be future-ready and solve new security challenges over time. 

The cloud orchestrated software improved app performance and productivity of the company, increasing agility and automation, and decreasing support costs. NetFoundry Cloud’s Smart Routing capabilities also ensured Digibee could automatically minimize latency as endpoints and routers dynamically choose the best path available on the private, zero trust fabric. The complete, integrated solution simplified customer deployments for the company and significantly reduced maintenance and support hours.

About NetFoundry

Networking once limited application innovation and automation, with security and performance improvements often added as an afterthought. NetFoundry is transforming cybersecurity by embedding zero trust networking directly into code. Our NetFoundry Cloud solution integrates zero trust networking as software within apps, APIs, IoT devices, and critical infrastructure—rendering these assets invisible and unreachable to attackers.

As the world’s first programmable, cloud-native, zero trust network, NetFoundry Cloud delivers unmatched scale, concurrency, and performance. It empowers developers, network engineers, DevOps, and cloud teams to programmatically manage private, high-performance, zero trust networking with ease.

Built on the NetFoundry Platform and the Ziti architecture, our solution is available as open-source via the OpenZiti project, the world’s most widely integrated and trusted open-source networking platform. With NetFoundry, secure, zero trust networking is no longer an afterthought—it’s engineered directly into the core of digital infrastructure.

TZ Deploys NetFoundry Cloud To Remotely Manage Its Smart Locker Systems
https://netfoundry.io/resources/tz-deploys-netfoundry-cloud-to-remotely-manage-its-smart-locker-systems/
Wed, 18 Sep 2024 15:45:19 +0000
NetFoundry White Papers

TZ develops end-to-end integrated smart connected locker solutions that enable companies to manage secure access, streamline workflows, and utilize transactional data for enhanced productivity. Offering value-added services such as remote management capabilities, TZ allows businesses to manage, monitor and control their connected lockers from anywhere, improving efficiency and reducing operational overhead. As a leader in intelligent locker design, TZ supports agile workplaces with solutions for employee storage, package delivery, asset management, and tracking. Their notable clients include Bank of America, Apple, Microsoft, Adidas, and Schneider Electric.

Our customers don't even need to open a single inbound firewall port in order for TZ to remotely manage our software which is deployed on their networks. This greatly strengthens security for our customers, and streamlines their operations. For example, InfoSec reviews, which historically can take weeks, became single-meeting events.

Case Study Highlights

Zero trust third party customer access

Private, zero trust IoT fabric renders all smart locker systems and server side assets invisible to the internet, eliminating open inbound ports.

Operational excellence and satisfaction

Automated provisioning, remote management, and service delivery processes improve customer deployment speed and uptime.

Extensive and scalable outcomes

Leveraging a global, zero trust IoT overlay network ensures uniform deployments across customers, regardless of hardware, networks, geographies or clouds.

Revolutionizing Locker Management with Integrated Software Solutions

TZ’s fully integrated platform enhances Smart Locker systems with real-time monitoring, remote management, and seamless third-party integration, addressing security and operational challenges in IoT device management and streamlining data capture across distributed networks.

Challenge

Delivering a Fully Integrated Software Platform for Lockers

TZ made the strategic decision to reposition its Smart Locker management systems to leverage growing market demand for information management systems that capture and integrate data at important exchange points in geographically distributed networks where items are deposited or collected by people. “Our new solutions positioning more clearly reflects customer demand drivers, wider market growth potential, adjacent market opportunities, and core business capabilities,” TZ Limited CEO, John Wilson, said.

TZ’s software infrastructure is a fully integrated and flexible platform that starts at the localized client application at the locker bank for workflow implementation and synchronizes with an enterprise-level centralized server for remote system reporting, live locker unit monitoring, and integration with third-party systems. It offers sophisticated features such as remote locker bank control and management, real-time granular transactional reporting, locker reservation, smartphone app operation, and integration with third-party back-end systems for streamlined operation.

Companies remotely managing IoT devices typically face problems with on-premise deployments because traditional security measures such as VPNs, static IP addresses, and port forwarding result in costly engineering truck rolls to update software. With this type of infrastructure, customers scrutinize the security threats of the open inbound ports required to access the on-premise IoT devices. Ultimately, costs continue to rise due to the ongoing operations and management of multiple types of customer endpoints and infrastructure.

When integrating NetFoundry Cloud into their IoT architecture, NetFoundry customers on average experience the following gains:

25% increase in customer revenue

33% expansion of global footprint

50% reduction in deployment costs

85% reduction in customer downtime

Traditional Insecure IoT Architecture

Inherent Vulnerabilities:

Any software deployed on customer networks requires open inbound firewall ports, permitted IP addresses, VPNs or bastions

InfoSec reviews are long and unpredictable. Often these reviews would mandate that additional software be bolted-on to compensate for the vulnerabilities

Static IP addresses and port forwarding are required for identification and routing, adding further complexity and security concerns for customers

TZ's Zero Trust Architecture With NetFoundry Cloud

Inherent Strengths:

A secure-by-default, private IoT fabric (software-defined network) renders all lockers and server assets invisible to the internet, closing all open inbound firewall ports

Embeds zero trust into any app or any edge, instantly extending anywhere and leveraging prebuilt solutions – connect “anything to anything”

Removes the need for split tunneling, static IP addresses, and port forwarding for each kiosk, eliminating the vulnerability of changes to the store network

Enables least privileged, micro-segmented app connections for data collection from IoT smart locking devices and admin access to network devices across all customers

Exceeds federal government zero trust mandates with mutual TLS (mTLS), encryption, and bi-directional X.509 certificate-based identity and authentication

Solution

Achieving critical security with less complexity and cost

Switching to NetFoundry Cloud further enabled TZ to increase its infrastructure security, deliverability, and scalability with less complexity. Ingesting and transferring customer data from smart locking devices across a private, zero trust IoT fabric eliminated open inbound ports with a secure by default solution. TZ now has a far simpler and faster operating model when scaling from tens of thousands of devices.

Most traditional IoT models carry an operational burden in deploying and maintaining customer solutions, with dependencies on IP addresses, port forwarding, and split tunneling for each device. TZ engineers can now connect directly to kiosks independent of a connection to Azure, facilitating remote maintenance and the pre- and post-provisioning of kiosks.

The full-mesh, self-healing, global NetFoundry Fabric is more reliable and resilient than VPN tunnels, supporting more than 300 global cloud regions compared to OpenVPN’s 35, and enables simple and scalable remote management of TZ’s global admins and heavily distributed lockers. Where RDP and SSH over VPNs across long internet links can be painful and slow for remote admins, the NetFoundry Cloud fabric optimizes latency and reliability of these sessions. 

Automation, accelerated deployments, and reduction in downtime also improved the company’s time to revenue. 


Improving performance and product delivery experiences

NetFoundry Cloud improved TZ’s business speed and agility to respond to changing market dynamics, while enabling new innovation across operations and customer offerings. Its multi-cloud native technology and automation provides TZ with the simplicity and scalability to grow its business anywhere in the world regardless of customer volumes, geographies and use cases. 

With multi-cloud native, embedded zero trust security, TZ can now easily extend into any cloud with centralized orchestration via API or web console, giving unparalleled visibility and control. NetFoundry Cloud’s private DNS and mesh network offers near real-time intelligent routing across clouds, so there are no single points of failure as the real-time performance of the internet is a constant factor in dynamic route selection. This battle tested performance allows TZ to automate and scale solution deployments across the globe with significantly reduced TCO, network response times, and business risk, supporting growth well beyond hundreds of thousands of kiosks and lockers. 

Smart routing, and closer proximity to infrastructure and customers through the constantly growing coverage and reach of cloud service providers, also improved QoE. This created new addressable markets, as TZ is now able to meet country-specific regulations such as data privacy requirements, and it became a unique selling point in the company’s value proposition and customer acquisition strategy.

Achieving Scalable Security and Performance with NetFoundry Cloud

NetFoundry Cloud enhances TZ’s infrastructure security, scalability, and operational efficiency by eliminating traditional IoT complexities, enabling seamless global expansion with reduced costs, improved performance, and faster time to revenue across thousands of smart devices and kiosks.

Leveraging NetFoundry Cloud as a trusted partner to facilitate secure customer operations will further innovate the scalable adaptability of our core software modules to address our customer use case opportunities.

Enabling Secure IoT Data Management and Business Expansion with NetFoundry Cloud

NetFoundry Cloud empowers TZ Limited to securely manage IoT data across customers, reduce operational risks, and seamlessly transition to new revenue models and service offerings, supporting their evolution from hardware manufacturer to logistics software provider.

Streamlining remote management and operations with customer expansion

Securely ingesting and transferring data from IoT devices across all customers is a priority for TZ Limited. NetFoundry Cloud will enable innovative outcome delivery at the highest level of quality while substantially reducing the risks and costs associated with meeting or exceeding these secure outcome expectations. According to Wilson, “NetFoundry Cloud has been a main enabler in our shift from a smart locker hardware manufacturer to a supplier of logistics software solutions.”

NetFoundry Cloud will also make it easier for TZ to deploy new revenue models and service offerings without building additional security and networking infrastructure.

About NetFoundry

Networking was once a barrier to app innovation and automation, with dependencies on after-the-fact security and performance engineering. NetFoundry is shifting the paradigm in cybersecurity by embedding zero trust networking and security as code. Our NetFoundry Cloud solution embeds zero trust as software into apps, APIs, IoT devices, and other valuable assets, rendering critical infrastructure invisible to the internet – and unreachable by potential attackers. It is the world’s first programmable, cloud-native, zero trust network with near-unlimited scale, concurrency, and performance. NetFoundry Cloud represents a new art of the impossible by enabling developers, network engineers, DevOps, and cloud teams to programmatically control private, zero trust, high-performance networking. NetFoundry Cloud is built on NetFoundry’s Ziti platform, which is part of the OpenZiti project, the world’s most used and widely integrated open source networking platform.
