Valtix Cloud Security Service provides a born-in-the-cloud approach to securing your workloads in public clouds. As a security-as-a-service (SaaS), Valtix gives you the ability to discover your cloud assets, deploy Valtix Gateways and defend them with dynamic security policies that match elastic cloud environments on AWS, Azure and Google Cloud. Valtix is built on the principle of automating everything we can, so you can focus on what can’t be automated.
This guide is written for practitioners who have a good understanding of networking and security concepts in public clouds:
- Cloud operations teams
- DevSecOps teams
- Security teams
Valtix follows a principle common to public clouds and software-defined networking (SDN): a centralized management plane separated from a distributed data plane. It consists of two components:
Valtix Controller - a highly reliable and scalable centralized Controller that provides the management plane. This runs as the main SaaS. Customers can log in to the web portal for the Valtix Controller, or use the Valtix provider for Terraform to bake security into their DevOps processes. Customers interact almost exclusively with the Controller for all activities.
Valtix Gateway - an auto-scaling fleet of Valtix software that customers deploy from the Valtix Controller into their own public cloud accounts. This provides all the inline protections that defend against attacks, prevent exfiltration and stop lateral movement. Valtix Gateway includes functionality for TLS decryption, IDS/IPS, Antivirus, Data Loss Prevention (DLP), Web Application Firewall (WAF), and URL Filtering.
To get started you will need login credentials for your Valtix Controller (also known as the SaaS portal), which you obtain from your sales representative or channel partner. Once you have access to the Controller, you can follow this documentation to secure your workloads. Here is a brief overview of the steps:
Onboarding your Cloud Accounts
To protect your public cloud accounts, you’ll provide IAM/authentication credentials for those cloud accounts to the Valtix Controller. You can use cloud-specific methods for onboarding, for example an AWS CloudFormation Template (CFT) or an Azure Active Directory (AAD) application, to grant the relevant permissions.
Once the accounts are onboarded, Valtix starts a discovery process that continuously, and in near real-time, maintains an inventory of your cloud assets (instances, load balancers, VPCs, asset tags, etc.). This is crucial to ensure that security policies adapt dynamically to a changing cloud environment. You also get better visibility into how your cloud assets are configured; for example, how many public IPs are in use, or you can use pre-configured rules to find open outbound security groups.
Using the discovered information, you can see where your workloads and applications are running and deploy Valtix Gateways in the relevant VPCs/VNets. You can deploy Valtix Gateways to protect individual VPCs or VNets, or create hub-and-spoke architectures that allow a single set of Valtix Gateways to protect multiple spoke VPCs. For example, you can build an architecture using a Valtix Service VPC, deploy an AWS Transit Gateway and secure multiple application VPCs. Valtix Gateways can be deployed in Ingress mode (traffic from the Internet), Egress mode (traffic to the Internet), and East-West mode (traffic between VPCs/VNets).
Using the discovered asset information, customers can create dynamic security policies that defend their applications. These policies give you a simple way to express granular controls. For example, an Egress policy can say: allow all instances tagged as “pci” and “production” to access github.com/myOrgRepo, while instances tagged “dev” can access anywhere on GitHub (github.com/*). Because these policies use the near real-time discovery information, they remain consistent across cloud providers - AWS, Azure and GCP - and apply automatically to new or re-tagged assets without rewriting rules.
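The tag-based egress policy described above, modelled as an added example. This is illustrative code written for this page, not Valtix's policy format or software; the rule and instance structures, the "host/path" pattern syntax and the default-deny behaviour are assumptions, and the instance tags stand in for what asset discovery would report.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from urllib.parse import urlsplit


@dataclass(frozen=True)
class EgressRule:
    required_tags: frozenset  # instance must carry ALL of these tags
    destinations: tuple       # allowed "host/path" patterns; "*" is a wildcard


@dataclass(frozen=True)
class Instance:
    name: str
    tags: frozenset           # tags as reported by asset discovery (constructed)


# Constructed policy mirroring the two rules described in the text above.
POLICY = (
    EgressRule(frozenset({"pci", "production"}), ("github.com/myOrgRepo",)),
    EgressRule(frozenset({"dev"}), ("github.com/*",)),
)


def _target(url: str) -> str:
    """Normalise a URL to 'host/path': lower-cased host, no port or query."""
    parts = urlsplit(url if "://" in url else "https://" + url)
    return (parts.hostname or "").lower() + parts.path


def destination_allowed(pattern: str, url: str) -> bool:
    """Glob patterns match with fnmatch; plain patterns also cover sub-paths."""
    target = _target(url)
    if "*" in pattern:
        return fnmatchcase(target, pattern)
    return target == pattern or target.startswith(pattern.rstrip("/") + "/")


def evaluate(instance: Instance, url: str, policy=POLICY) -> tuple:
    """Return (allowed, matching_rule_index); default-deny if nothing matches."""
    for idx, rule in enumerate(policy):
        if rule.required_tags <= instance.tags and any(
            destination_allowed(p, url) for p in rule.destinations
        ):
            return True, idx
    return False, None
```

Because matching is done on the instance's current tags at evaluation time, an instance that gains or loses a tag changes which rule applies without any edit to the policy itself.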
For more information about Cloud Network Security solutions Valtix can deliver, please see our solutions page: