Valtix Solution Overview
Valtix is on a mission to enable organizations with security at the speed of the cloud. The first multi-cloud network security platform delivered as a service, Valtix was built to combine robust security with cloud-first simplicity and on-demand scale. Powered by a cloud-native architecture that is 10x faster, Valtix provides an innovative approach to cloud network security called Dynamic Multi-Cloud Policy™, which links continuous visibility with advanced security controls. The result: security that is more effective, adaptable to change, and aligned to cloud agility requirements. With Valtix, organizations don’t have to compromise in the cloud. They can meet critical security and compliance requirements without inhibiting the speed of the business.
This documentation has been prepared for practitioners who have a basic understanding of public cloud networking and security concepts, and participate in various functional teams, including:
- Cloud Network Security Operations (NetSecOps)
- Development Operations (DevOps and DevSecOps)
- Security Operation Centers (SOCs)
- Cloud Centers of Excellence (CCoEs)
Valtix follows a principle common to public clouds and software-defined networking (SDN): the control plane is decoupled from the data plane. This translates into two solution components - the Valtix Controller and the Valtix Gateway.
Valtix Controller - a highly reliable and scalable centralized Controller that provides the management and control plane. It runs as Software-as-a-Service (SaaS) and is fully managed and maintained by Valtix. Customers access the Valtix Controller through a web portal, or they may use the Valtix provider for Terraform to integrate security into their DevOps/DevSecOps processes.
Valtix Gateway - an auto-scaling fleet of Valtix software deployed as Platform-as-a-Service (PaaS) into the customer's public cloud account(s) by the Valtix Controller. It provides advanced, inline security protections to defend against external attacks, prevent egress data exfiltration and prevent the lateral movement of attacks. Valtix Gateways include TLS decryption, Intrusion Detection and Prevention (IDS/IPS), Web Application Firewall (WAF), antivirus filtering, Data Loss Prevention (DLP) and FQDN/URL filtering capabilities.
To get started, you will need login credentials to your Valtix Controller (also known as the SaaS web portal) from your Account Executive or Channel Partner. Once you obtain access to the Controller, you can follow this documentation to secure your cloud applications and workloads. Here is a brief overview of the steps:
Onboarding your Cloud Accounts
To protect your public cloud accounts, you provide the Valtix Controller with IAM/authentication credentials for those accounts. You can use cloud-specific onboarding methods, for example an AWS CloudFormation Template (CFT) or an Azure Active Directory (AAD) application, to grant the relevant permissions.
Once the accounts are onboarded, Valtix starts a discovery process that continuously, and in near real-time, maintains an inventory of your cloud assets (instances, load balancers, VPCs, asset tags, etc.). This is crucial to ensure that security policies adapt dynamically to a changing cloud environment. You also gain better visibility into how your cloud assets are configured; for example, how many public IPs are in use, or, using pre-configured rules, which security groups are open outbound.
Using the discovered information, you can see where your workloads and applications are running and deploy Valtix Gateways in the relevant VPCs/VNets. You can deploy Valtix Gateways to protect individual VPCs or VNets, or create hub-and-spoke architectures in which a single set of Valtix Gateways protects multiple spoke VPCs. For example, you can build an architecture using a Valtix Service VPC, deploy an AWS Transit Gateway, and secure multiple application VPCs. Valtix Gateways can be deployed in Ingress mode (traffic from the Internet), Egress mode (traffic to the Internet), and East-West mode (traffic between VPCs/VNets).
Using the discovered asset information, customers can create dynamic security policies that defend their applications. These policies offer a simple way to express granular rules. For example, an Egress policy can say: allow all instances tagged as "pci" and "production" to access github.com/myOrgRepo, while instances tagged "dev" can access anywhere on GitHub (github.com/*). Because the policies are written against tags rather than addresses, they use the near real-time discovery information to produce consistent, multi-cloud policies that work across cloud providers - AWS, Azure and GCP.
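To make the tag-driven egress policy above concrete, here is an added toy model of how such a policy is evaluated against a discovered inventory; it is illustrative code, not Valtix's own engine or API, and the rule/inventory schema, the `Inventory` and `EgressRule` classes and the sample instance ids and tag values are all constructed for this example.

```python
"""Toy model of tag-driven (dynamic) egress policy evaluation; not Valtix code."""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase


@dataclass
class EgressRule:
    # Every key/value in match_tags must be present on the instance for the rule to apply.
    match_tags: dict
    # Destination FQDN/URL pattern: "*" is a wildcard, anything else must match exactly.
    url_pattern: str
    action: str = "allow"


@dataclass
class Inventory:
    # Stand-in for the continuously discovered asset inventory: instance id -> tags.
    instances: dict = field(default_factory=dict)

    def tag(self, instance_id, **tags):
        # Simulates a discovery update: a new instance appears or its tags change.
        self.instances.setdefault(instance_id, {}).update(tags)


def selector_matches(rule, tags):
    return all(tags.get(k) == v for k, v in rule.match_tags.items())


def evaluate_egress(inventory, rules, instance_id, url):
    """Default deny: the first rule whose tag selector and URL pattern both match decides."""
    tags = inventory.instances.get(instance_id, {})
    for rule in rules:
        if selector_matches(rule, tags) and fnmatchcase(url, rule.url_pattern):
            return rule.action
    return "deny"


def build_sample():
    # Constructed sample: the two rules described in the text plus two discovered instances.
    rules = [
        EgressRule({"pci": "true", "env": "production"}, "github.com/myOrgRepo"),
        EgressRule({"env": "dev"}, "github.com/*"),
    ]
    inv = Inventory()
    inv.tag("i-0prod", pci="true", env="production")
    inv.tag("i-0dev", env="dev")
    return inv, rules


if __name__ == "__main__":
    inv, rules = build_sample()
    print(evaluate_egress(inv, rules, "i-0prod", "github.com/myOrgRepo"))  # allow
    print(evaluate_egress(inv, rules, "i-0prod", "github.com/otherRepo"))  # deny
    inv.tag("i-0new", env="dev")  # newly discovered instance is covered with no rule change
    print(evaluate_egress(inv, rules, "i-0new", "github.com/anything"))  # allow
```

The point to notice is that a new or re-tagged instance changes its effective policy without any rule being edited, which is what tying policy to discovered tags rather than to IP addresses buys you.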
For more information about Cloud Network Security solutions Valtix can deliver, please see our solutions page: