©2024 Akamai Technologies
Securing a cloud infrastructure – and client confidence
Like many enterprise software providers, Openlink is undergoing an IT transformation from on-premise delivery and support of its products to a public cloud deployment. Its Openlink Cloud platform, the first of its kind in the industry, launched via Microsoft Azure.
“There were two main drivers for us to move to the public cloud,” explained Michael Lamberg, Vice President and Chief Information Security Officer with Openlink. “Because our software is processing intensive, clients typically build their computing environment for peak processing capacity, which carries an extremely high capital expenditure. By moving into the public cloud, we can auto-scale the application during times of peak demand, so the clients aren’t paying for capacity they’re not using.”
“Second, our clients typically maintain several Dev Test (development) environments for testing new versions of our software and client add-ons. By using the public cloud, it’s much easier for us to spin up an environment when they need it for their testing and remove it when they are done to minimize cost.”
Of course, moving to the cloud brings a host of new security concerns. Openlink becomes responsible for protecting its clients’ extremely sensitive and highly strategic data, which could be targeted by malicious actors. Since cybersecurity in the public cloud operates under a shared responsibility model (where the cloud provider offers a finite spectrum of security measures subject to rigorous auditing and certification), the cloud customer (Openlink in this case) is ultimately responsible for securing its own data and processes.
“The major cloud providers have really come a long way in the last 5 years in terms of their ability to secure large infrastructures,” said Lamberg. “They are actually doing a much better job than many organizations managing their own data centers. But everyone operates on a shared trust model. Azure may have the highest level of security certifications globally right now, but they’re not going to protect us from our own implementations.”
Openlink recognized the need to enhance Azure’s security infrastructure with third-party solutions in order to provide the customized level of risk mitigation that Openlink and its clients require. “We have to be able to prove to our clients that, not only is Azure doing what they say they’re doing, but also that we are adding a security layer on top of them, further strengthening the overall defense-in-depth controls of our clients’ cloud-hosted data and environments.”
Akamai Guardicore Segmentation
Lamberg was introduced to Akamai Guardicore Segmentation about a year prior to the Openlink Cloud launch and saw immediately how it could help augment the company’s cloud security infrastructure. Akamai Guardicore Segmentation is designed to fill a critical blind spot in multiple infrastructures, namely lateral movements of intruders that have managed to get past firewalls and intrusion prevention systems. Focusing on detecting suspicious anomalies in east-west traffic, the solution confirms and contains active breaches before they can do significant damage.
“A rude awakening moving to the public cloud is that everything you knew about networking and infrastructure might as well get thrown away,” explains Lamberg. “It no longer applies from two perspectives: one is that you no longer have control over or access to lower layers of the infrastructure stack that’s been virtualized by Azure. And the second is that the tools we used to rely on to analyze how an infrastructure operates have changed. So that’s something you have to get your head around. All of your traditional networking skills and experience are not as helpful as they used to be. It’s all new now.”
Consequently, Akamai Guardicore Segmentation has become one of Openlink’s key security technologies, according to Lamberg. “It provides assurances that we are locking down the environment properly while validating that Azure is doing its job in a very efficient and effective way.”
Enhanced visibility and diagnosis
With the move to a virtualized, cloud-based infrastructure, Openlink’s security team was challenged by the need to gain highly granular visibility into application activity. A key feature of the platform is the ability to visualize all workloads, flows, and processes within a compute environment.
“Although we’re in the public cloud, we are not multi-tenant,” Lamberg explained. “We build a single-tenant environment for each of our clients. As a result, I need to have a full understanding of what’s going on horizontally within each client’s infrastructure.”
Lamberg cites two key use cases that leverage Akamai Guardicore Segmentation. The first involves DevTest, which provides clients with a test environment that enables them to quickly and easily spin up virtual machines to test Openlink’s application in various configurations before moving into production. In the event of an anomaly, Akamai Guardicore Segmentation enables Lamberg’s team to quickly and clearly analyze the situation from a host perspective by providing visibility into all flow processes.
“It may not necessarily be a security issue,” says Lamberg. “It may be a case of a design or configuration flaw or perhaps the client accidentally loaded some malware and suddenly I’m seeing a command and control connection attempting to go out. The solution gives me the ability to immediately isolate this anomaly and view it with unprecedented clarity.”
The second use case involving Akamai Guardicore Segmentation is Openlink’s management of the clients’ supported production environment. “While our application is complex, it’s extremely deterministic,” said Lamberg. “So, I know all of the flows and processes that are supposed to be running on each of our servers supporting the client. This allows a baseline to be generated of their environment. In the event Akamai Guardicore Segmentation notes a process or flow outside of the baseline, I’m immediately alerted.”
This ability to “triage and diagnose” problems very quickly is a core benefit of Akamai Guardicore Segmentation, Lamberg points out. The appearance of an unknown process or flow, which would be exceedingly difficult, if not impossible, to isolate without a tool like Akamai Guardicore Segmentation, could simply signal a problem with the software or something far worse. “It’s highly unlikely that anyone can get into our environment, but I need assurance that we have a proactive mechanism in place to deal with that kind of situation. Akamai Guardicore Segmentation provides me with that.”
Akamai Guardicore Segmentation also caught Lamberg’s attention with its microsegmentation capabilities, which allow security operators to set security policies around individual applications and processes or groups of them. “Attacks typically occur in a lateral fashion these days,” he noted. “They get a foothold in one machine and laterally jump to others. Having appropriate controls on all your machines, and being able to monitor the interaction of those machines, is the only way you’re going to get ahead of that problem.” Should Openlink decide to implement microsegmentation in the future, Lamberg believes the platform's capabilities could put the company in a better position to do so successfully.
Partners in protection
While Openlink is benefitting from Akamai Guardicore Segmentation's technology today, Lamberg also sees value in the ongoing working relationship with the people behind the solution. “I only do business with companies that are willing to partner,” he said. “I don’t just buy commoditized products. And they have been a terrific partner. They listen to our feedback and what we need, and they have continually refined the solution based on that.”
Because public clouds are by nature dynamic, Openlink counts on Akamai Guardicore Segmentation to help ensure that the company is optimizing its environments as the cloud infrastructure evolves. “They understand that to solve problems, they’re going to have to work very closely with the cloud provider as well. The team's steady communication with Azure ensures they are staying on top of any changes that may impact how their product operates.”
As a result, the company and the solution have become integral to Openlink’s mission to safeguard its clients’ critical assets in the public cloud. “I never want to get into a situation where I call a vendor about an issue, and they tell me, ‘Well, it’s another vendor's issue, go talk to them.’ I’ve never heard that from this team. They acknowledge that shared responsibility efforts are required to safeguard our clients’ most critical assets.”
About Openlink
Openlink, an ION Investment Group company, embraces the challenges presented by a hyperconnected world, where big data and information are always evolving and always growing. In a time when companies increasingly work across borders, disciplines, sectors and processes, Openlink solutions can take in terabytes of data from all corners and correlate all of it. And more importantly, make sense of it in real time.
ION provides mission-critical trading and workflow automation software solutions to financial institutions, central banks, governments, and corporates. For more information, visit www.iongroup.com.
About Akamai
Akamai powers and protects life online. Leading companies worldwide choose Akamai to build, deliver, and secure their digital experiences — helping billions of people live, work, and play every day. With the world’s most distributed compute platform — from cloud to edge — we make it easy for customers to develop and run applications, while we keep experiences closer to users and threats farther away. Learn more about Akamai’s security, compute, and delivery solutions at akamai.com and akamai.com/blog, or follow Akamai Technologies on Twitter and LinkedIn.