Cadence Uses CloudGuard Dome9 for Robust Security Across Its Multi-cloud Environment
“When deploying a multi-cloud environment, you need to have a consistent tool that plays across all the platforms. Using the cloud-agnostic CloudGuard Dome9 service, I only need to train an individual on one set of tools and he can manage our total cloud environment very effectively.”
Sreeni Kancharla, CIO & Sr. Group Director, Cadence
Headquartered in Silicon Valley, Cadence Design Systems, Inc., founded in 1988, is a global technology company that spans 40+ countries with over 8,000 employees worldwide. Cadence supplies electronic design technology and engineering services in electronic design automation (EDA) to much of the semiconductor industry, including Fortune 100 companies. Cadence produces software, hardware and silicon structures that are used to design integrated circuits, systems on chips (SoCs) and printed circuit boards.
Cadence’s Journey to the Public Cloud
Originally, Cadence ran their own datacenters and found those to be sufficient for their computing needs. However, as the enterprise expanded, it began to outgrow the computing capacity of its on-premises systems. Cadence needed a platform with scalability and elasticity that could securely meet cloud demand. Sreeni Kancharla, Chief Information Security Officer (CISO) and Sr. Group Director for Cadence, and his team of ten engineers, including his head Cloud Architect, Koji Kuramatsu, turned to Amazon Web Services (AWS) for help. With the resource capabilities supplied by AWS at their fingertips, Cadence was able to provide the computing power necessary to respond to customers’ requirements instantaneously as needed.
Cadence started their public cloud journey in 2014. Today Cadence primarily uses AWS, via 50+ accounts. Cadence has a presence in mainly three AWS Regions worldwide, which include the USA West and East Coasts, and Europe. It makes full use of the AWS cloud functionality for production, utilizing services for compute, storage, networking, database, security, developer and management tools. Cadence’s AWS footprint covers more than 1,000 instances, 770 security groups, and 115 Amazon VPCs, with more than 4,000 different network security policies and rules, which leaves Kancharla and Kuramatsu with the challenge of securing a very dynamic cloud environment. In addition, while AWS is their primary cloud service, Azure is also represented with tens of compute and storage resources deployed in 29 security groups. They have also begun incorporating Google Cloud Platform (GCP) into their multi-cloud environment.
Cadence Tackles Cloud Challenges with New Solutions
From the get-go, Kancharla knew that migrating to the cloud would bring challenges in the realm of network security, compliance and visibility. He needed to be sure that any integrated cloud management solution would be compatible and effective across the major public cloud infrastructure-as-a-service (IaaS) providers, which included AWS, Azure, and GCP. Because they anticipated these security challenges, Cadence began using CloudGuard Dome9 as soon as they moved to the cloud.
Visibility into the cloud is vital in order to control security and minimize the infrastructure attack surface. With the highly dynamic nature of the public cloud and the effectively unlimited resources it affords its customers for scalability, the need arose to tightly monitor and track the various network configurations. According to Kancharla, “With several administrators adding to the cloud configuration, the occasional misconfiguration is inevitable. With thousands of constantly shifting rules across hundreds of security groups and VPCs, Cadence’s cloud presence is far too big and complex to be managed by humans. It’s impossible for an individual to manage it. We needed an automated tool that actually tracks all the changes.”
When a change occurred, Kancharla’s team needed to be able to peer into the system to see exactly what took place so that it could be corrected quickly. Cadence needed to automate repetitive tasks such as security group auditing, fix any misconfigurations with in-place remediation, and have built-in active protection to enforce established policies with the ability to track and revert unwanted changes consistently.
CloudGuard Dome9 Clarity for Granular Network Visualization
Cadence found their solution in CloudGuard Dome9 Clarity. As part of the CloudGuard Dome9 service, Clarity is a powerful visualization capability that provides a granular view of network topology and workflow traffic, so Kancharla’s team can easily map all subnets and drill down to view reports of all AWS EC2 instances on a single, easy-to-use dashboard. In addition, Cadence uses CloudGuard Dome9 Clarity to check the state of their AWS VPCs and their overall network exposure. This includes using CloudGuard Dome9 IP Lists for grouping and configuring permissions to specific public IPs. Using CloudGuard Dome9 Clarity, Cadence has centralized management of its network security posture and can efficiently whitelist the IPs that are seen entering and leaving their security groups, in order to define the internal and external network links.
One of Cadence’s most common uses for Clarity is to find potential vulnerabilities that would create a security alert. Clarity gives Kuramatsu a quick view of a specific subnet or route going from A to B so he can quickly identify any unauthorized changes to the network. In addition, the CloudGuard Dome9 VPC Flow Logs allow the team to quickly respond to events without the effort of a cumbersome investigation of the data logs.
Maintain Access Control While Providing User Flexibility
Enforcement of access and authorization to ports and services is vital in a complex cloud network. One of the main concerns Cadence faced was protecting their customers’ data while providing multiple users access. Cadence needed a tool that could not only monitor, but protect the movement of resources both between the segregated subnets and on and off the public cloud networks. This tool would ensure that only authorized individuals could access specific data and make changes, and would enforce only authorized changes.
At the same time as securing access, Kancharla had the added challenge of retaining flexibility. Cadence provides training sessions for their customers, which require the off-site trainer to enter the Cadence system remotely from the customer’s site. However, permitting such ad hoc temporary entry naturally puts the network at risk and makes it vulnerable to outside threats. Kancharla’s team sought a solution which would bring the capability to add access without compromising strong security controls.
Active Protection for Security Enforcement with CloudGuard Dome9
Kancharla recognized that the cloud security solution he implemented needed to offer full security orchestration, going beyond monitoring and reporting to include enforcement. Automated control over the implemented and established baseline security posture was essential. Within the CloudGuard Dome9 service, Kancharla found the control he was looking for in the always-on security enforcement of Active Protection with CloudGuard Dome9. With Active Protection, Cadence acquired the following three-pronged approach to the challenge of granting user access and providing flexibility and agility to its customers, while securing their multi-cloud environment with confidence.
CloudGuard Dome9 Dynamic Access Leases: “We use Dynamic Access Leases heavily,” says Kuramatsu. He and others on his team use CloudGuard Dome9’s Dynamic Access Leases to solve the challenge of individuals who need temporary remote access to the network. With Dynamic Access Leases, the person can get specific temporary access to only those parts of the network that he needs, for a limited time frame. The CloudGuard Dome9 tool opens up the ports automatically and closes access again at the end of the defined time frame, thus reverting to the original, defined network state and ensuring consistent protection across their clouds.
CloudGuard Dome9 Tamper Protection: Attempts to modify a security group in the multi-cloud environment are detected by Tamper Protection, which raises an alert message. Cadence’s predefined policy in CloudGuard Dome9 is always enforced, and any modification attempt will be overridden, forcing the policy to revert to its original definition. Kancharla’s team leverages this capability to make sure there are no port changes that result in configuration conflicts, especially in the case of network configuration updates.
CloudGuard Dome9 Region Lock: Since Cadence operates across three AWS regions, Kancharla and Kuramatsu rely heavily on Region Lock to enforce regulations which prohibit moving data between regions. Cadence uses Region Lock to ensure that information cannot be moved outside of the USA or Europe. Furthermore, with Region Lock, Cadence can make sure that user access is granted accordingly and employees cannot view data that they should not be seeing.
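The revert-to-baseline behaviour described for Tamper Protection and the automatic expiry of Dynamic Access Leases, modelled as an added example (not Cadence's or CloudGuard Dome9's code): a pure reconciliation pass over a security group's ingress rules. The Rule and Lease types, the rule format and all sample values are assumptions made for illustration.

```python
# Added example: the Rule/Lease types and the sample values are illustrative assumptions.
from datetime import datetime, timedelta, timezone
from typing import List, NamedTuple, Tuple


class Rule(NamedTuple):
    """One ingress rule: protocol, port, source CIDR."""
    proto: str
    port: int
    cidr: str


class Lease(NamedTuple):
    """A temporary exception to the baseline that lapses at `expires`."""
    rule: Rule
    expires: datetime


def reconcile(baseline, observed, leases, now) -> Tuple[List[Rule], List[Rule]]:
    """Return (to_revoke, to_restore) for one security group.

    Observed rules outside the baseline and not covered by an unexpired
    lease are revoked (this also closes ports whose lease has lapsed);
    baseline rules that were removed are restored.
    """
    active = {lease.rule for lease in leases if lease.expires > now}
    allowed = set(baseline) | active
    to_revoke = sorted(r for r in set(observed) if r not in allowed)
    to_restore = sorted(r for r in set(baseline) if r not in set(observed))
    return to_revoke, to_restore


# Constructed sample data (not taken from the case study).
NOW = datetime(2018, 6, 1, 12, 0, tzinfo=timezone.utc)
BASELINE = [Rule("tcp", 443, "10.0.0.0/8"), Rule("tcp", 22, "10.1.0.0/16")]
LEASES = [
    Lease(Rule("tcp", 22, "203.0.113.7/32"), NOW + timedelta(hours=2)),     # trainer, still valid
    Lease(Rule("tcp", 8080, "198.51.100.9/32"), NOW - timedelta(minutes=5)),  # already expired
]
OBSERVED = [
    Rule("tcp", 443, "10.0.0.0/8"),        # in baseline
    Rule("tcp", 22, "203.0.113.7/32"),     # covered by the active lease
    Rule("tcp", 8080, "198.51.100.9/32"),  # lease expired -> revoke
    Rule("tcp", 22, "0.0.0.0/0"),          # out-of-policy change -> revoke
]   # the baseline rule tcp/22 from 10.1.0.0/16 is absent -> restore

if __name__ == "__main__":
    print(reconcile(BASELINE, OBSERVED, LEASES, NOW))
```

Running the same pass again once the trainer's lease has lapsed adds that rule to the revoke list, which is the auto-close behaviour the lease model relies on.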
Compliance Reporting for Customers
Cadence is a large public enterprise that serves leading industry vendors. As such, customer trust is key. With the migration to the cloud, Cadence had to be able to continue to demonstrate consistency with industry standards such as ISO 27001 and other cyber security frameworks’ best practices in order to reassure their customers that their applications and data are safe.
Compliance Automation and Reporting with CloudGuard Dome9
The Compliance Engine from CloudGuard Dome9, a part of the CloudGuard Dome9 service, delivers continuous end-to-end compliance testing and reporting against industry standards using automated data aggregation and an intelligent insights generation system. Cadence turned to the Compliance Engine from CloudGuard Dome9 to generate compliance reports for AWS and Azure.
Kuramatsu notes that CloudGuard Dome9 best practices reports are “One of the best parts of the Compliance Engine from CloudGuard Dome9 and we use them quite often.” They also use CloudGuard Dome9 to validate their cloud security against the CIS AWS Foundations Benchmark, a set of security configuration best practices for protecting one’s footprint on AWS. Kuramatsu can prove how robust Cadence’s compliance truly is by producing compliance reports, and can quickly respond to Cadence management requests with well-structured and trusted information.
CloudGuard Dome9 Enables Lean, Agile, and Effective Operations
Without CloudGuard Dome9, Cadence would have to spend far more on both the salaries and the training of additional SecOps personnel. Kancharla estimates that CloudGuard Dome9 saves Cadence more than $450,000 annually by not needing to hire three additional team members, enabling his team to run lean. Kancharla states, “When deploying a multi-cloud environment, you need to have a consistent tool that plays across all the platforms. Using the cloud-agnostic CloudGuard Dome9 service, I only need to train an individual on one set of tools and he can manage our total cloud environment very effectively.”
CloudGuard Dome9 provides substantial cost savings by limiting training expenses and enabling Kancharla’s team to run leaner, which is a huge benefit as Cadence’s cloud environment continues to grow. CloudGuard Dome9 enables Cadence to remain efficient and agile, automating security and compliance management and allowing the team to focus on higher-level tasks.
Cadence is eager to continue evolving and expanding their enterprise so they can provide their customers with the latest engineering design technology within shorter turnaround times. Cadence understands that improving the ability for a customer to innovate and accelerating a customer’s time-to-market is imperative. For 2018, Cadence plans to expand its cloud support for Azure, for its customers that rely on Microsoft technologies and are looking to begin their cloud journey. Cadence will continue to use CloudGuard Dome9 to grow securely in the cloud with confidence, knowing they are providing their customers with the most comprehensive and robust security and compliance solution available today.