WHITE PAPER: Cybera ONE® Secure SD-WAN as a Service


The Cybera ONE® Secure SD-WAN (Software-Defined Wide Area Network) as a Service offers customers predictable costs for securely scaling the number of remote locations as their business grows. Inserting Cybera’s cloud-based, Secure SD-WAN as a Service into customer remote networks eliminates the need for customers to purchase additional SD-WAN controllers, firewalls, and other networking and computing devices to securely connect remote locations.

These remote locations also benefit from reliable and trusted network and application security. Application security can be applied to many distinct types of applications with each application enjoying performance and security predictability.

Thanks to Cybera ONE’s zero-touch provisioning, customers can easily accelerate secure application deployment to remote locations without having to hire or send in full- or part-time IT, network, and security experts. If help is ever needed, Cybera’s SD-WAN as a Service includes these technical skills via subject matter experts available on a 24×7×365 basis. Overall, Cybera customers enjoy Total Cost of Ownership (TCO) savings of up to 90% when compared to hiring in-house expertise, and when compared to other vendor solutions offering comparable SD-WAN capabilities.

CYBERA ONE SD-WAN VS. TRADITIONAL NETWORKING

Cybera ONE is a private, cloud-based subscription service solution that marries two key functions, providing customers with peace of mind when it comes to securing the networks, applications and data that encompass their distributed network of remote business locations.

1. The SCA-325 Edge Platform provides a highly secure connection between a customer’s remote location and Cybera’s private SD-WAN cloud.
2. Cybera’s private SD-WAN cloud securely connects customer applications to pre-identified destinations for processing payments and connecting mission critical applications.

Together, these two Cybera ONE functions provide industry leading security for the distributed enterprise, based upon the strong foundation of end-to-end network segmentation and business-appropriate security levels on an application-specific basis.

As the “Traditional Networking vs. Cybera SD-WAN” diagram illustrates, applications deployed at the network edge (remote locations) in the “traditional networking” environment are largely independent of the network in the sense that the network is unaware of the application. Securing the network does not necessarily guarantee that the applications traversing the network are isolated from other applications or secured between their end points, e.g. between the Point of Sale (POS) system at the remote location and the payment processing center located across the WAN.

Traditional network security methods rarely encompass full, discrete isolation of applications to avoid commingling of data. Network security is not entirely application-specific even though SSL/TLS (Secure Sockets Layer/Transport Layer Security) is most likely employed to establish an encrypted link between a web server and a browser. Professional security experts will agree that SSL/TLS is simply not enough, especially when multiple applications such as payment systems, mission critical applications, and guest apps are sharing the same WAN link connecting the remote location.

In contrast, Cybera’s encryption and segmentation capabilities complement traditional methods (e.g. SSL and TLS) for securing the network and minimizing risk, and provide much more than encrypted end-to-end transport. With network segmentation, Cybera ONE creates an independent, virtual application network (vAN) for every application. The Cybera Service Insertion Framework then applies virtual security and performance functions for each vAN, enabling each application to have its own customized set of policies and network functions.

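Figure: Traditional Networking vs. Cybera SD-WAN. Panels: “Traditional Networking: App Experience is the Customer’s Burden” (customer site, wide area network, data center) and “Cybera SD-WAN: App Experience is the Provider’s Burden” (customer site, wide area network with segmentation, data center).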


INSERTING CYBERA ONE INTO A CUSTOMER NETWORK AND ENABLING APPS

Simple Installation Inserts Cybera ONE into a Customer Network

Adopting the Cybera ONE architecture does not add to the workload and staffing costs of customer organizations responsible for IT, Networking, and Security. There are no costly and complex multi-box solutions to install, configure, and manage, and no expensive truck rolls are required for the customer-installable SCA-325 Edge Platform.

From a customer’s perspective, enabling the Cybera ONE service involves two simple steps. Any employee staffing a customer’s remote location can easily follow the do-it-yourself, plug-and-play instructions for installing the single box, multi-function SCA-325 Edge Platform. Installation and automatic configuration typically take only 15-30 minutes.

Figure: Simple Two-Step Cybera ONE Installation. Step 1: Connect Power & Internet. Step 2: Connect LAN Devices & Test Apps.

Figure: Cybera ONE replaces costly multi-box solutions (Multi-box Solution vs. Cybera ONE®).


Enabling a Diverse Set of Applications with High Availability

Once installation is complete, the customer can run authorized applications via the SCA-325 Edge Platform. At a bare minimum, a Cybera customer’s SD-WAN service will typically include a PCI DSS-compliant network segment that transports payment data from the remote site Point of Sale (POS) system to Cybera’s Private Cloud. The data is then routed via a secure, encrypted connection to a customer-selected payment processor. No other application will share this network segment, which is allocated to isolate payment data from all other applications and data.

Beyond the advantage of PCI DSS compliant network security, network segmentation provides another layer of protection that professional security experts confirm is an absolute requirement for elevating network security. Isolating POS payment transactions via network segmentation simplifies PCI DSS compliance audits because compliance only applies to that network segment.

A key reason customers choose Cybera ONE is that it allows them to securely deploy many diverse applications at their remote locations rather than just payment apps. Cybera’s application-centric approach supports a wide variety of applications including loyalty apps, branded (corporate) and non-branded (franchisee) apps, mobile POS, private and guest Wi-Fi, kiosks, beacon apps, IoT and many more.

Figure: Cybera ONE Secure Application-Centric SD-WAN as a Service. Diagram labels: One-time Shipment of Cybera Appliance; “Zero Touch” Deployment; Cybera SCA-325 Remote Gateway Appliance; Branch or Site; Authorize / Authenticate; Orchestrate Apps & Services; Orchestrate the Network (APP 1 through APP n); SmartView. Support for a Highly Diverse Set of Apps: Payment Card Apps, Loyalty Apps, Branded (Corporate Apps), Non-branded (Franchisee Apps), IoT Apps, Guest Wi-Fi and More.


In addition to providing industry-leading security, Cybera ONE addresses the critical importance of network availability. Unpredictable and insecure network availability puts customer business at risk. Network downtime not only impacts payment sales, but also exposes the customer to fraud if “offline” payment card transactions are used.

As an example, too many retailers using satellite broadband communications as their primary WAN interface have experienced millions of dollars in fraudulent card payments by “tinfoil bandits.” These are criminals who climb on a retailer’s roof and cover the satellite dish feed horn with aluminum foil to disable the POS system network connection which forces payment cards to be processed in offline mode. The far-reaching scale of this fraudulent scheme led to the FBI issuing a warning to retailers using satellite broadband communications to watch out for fraudsters armed with aluminum foil climbing on their roofs.

It’s important to note that businesses confronted with offline payment card fraud are not limited to those using satellite as their primary broadband connection. Any business with a primary broadband connection (e.g. DSL, Cable, Fiber) that lacks network failover protection and permits processing payment cards in offline mode risks exposing itself to fraudulent transactions.

Prior to choosing Cybera, some security- and fraud-conscious customers paid a premium to connect remote sites using costly and complicated MPLS circuits. These customers were more than happy to replace their expensive MPLS connections with higher bandwidth, commodity broadband circuits like DSL, Cable, and Fiber while ensuring application availability via Cybera’s 3G/4G LTE wireless failover protection. Cybera customers realize TCO savings of up to 90% when comparing the cost of MPLS circuits and IT labor required to support them.


CYBERA ONE ARCHITECTURE

Three layers comprise the Cybera ONE architecture.

1. Cybera Security Overlay
2. Cybera Software Defined Data Center
3. Cybera Service Insertion Framework

These three layers interoperate to create a seamless and secure software-defined cloud fabric for defining operational and technical workflow relating to applications authorized to operate in the customer’s network. Application workflow begins by identifying the end-user application and how it is used. Then the Cybera platform applies virtualized network functions and automation based on operational characteristics unique to the application and customer requirements.

For example, a Point of Sale (POS) payment application will have virtualized advanced network security functions and resiliency rules applied based on the sensitivity and business criticality of the data traversing the application. A video surveillance application would likely follow data processing and automation workflow rules in support of the application’s bandwidth and storage requirements.

Figure: Cybera ONE Secure Architecture. Diagram labels: Cybera Security Overlay (Internet, MPLS, 3G-4G/LTE); Software-Defined Data Center (Spine, Leaf; Physical, Virtual, Container); Service Insertion Framework (Application Gateways; Public Cloud, Private Cloud, SaaS); Smart Edge Gateways; Cloud Connect Gateway; Remote Cloud; Customer’s Remote Data Center; On-Premises Location; Medical Facility; Retail; Wireless Backup; Distributed Enterprise Small Branch; Distributed Enterprise Large Branch.


Layer 1—Cybera Security Overlay

Installing Cybera’s SCA-325 Edge Platform at the remote location of a distributed enterprise customer creates a connection to Cybera’s private cloud to orchestrate a multi-layered security overlay onto any type of broadband connection including DSL, Cable, Fiber, 3G/4G LTE Wireless and other available IP-based broadband services.

Customers can choose to preserve and leverage existing broadband connectivity investments where it makes sense. Or, they can choose to invest in low cost, high bandwidth commodity broadband connections using Cybera’s 3G/4G LTE capabilities for wireless failover protection as backup.

Layer 2—Software-Defined Data Center

Cybera’s ISCA certified secure multi-function network edge platforms provide a single box solution for connecting remote locations at the edge of the network to the private cloud, software-defined data centers. The Edge Platforms support multiple virtual Application Network (vAN) instances enabling rapid deployment of new applications with no additional capital expenditure. A secure fabric overlay tunnels segmented application data traffic originating from the Edge Platforms to public and private clouds, enterprise data centers, and other Cybera Edge Platforms either directly or through the SCA-Cloud Connect Gateway.

Cybera Edge Platforms combine a broad range of security and other essential networking functions inside a single box solution. This eliminates the cost, complexity, and multiple points of failure related to deploying, integrating, and managing disparate solutions from multiple vendors at remote locations.

Figure: Cybera SCA-325 Edge Platform


Dynamic Path Selection (DPS) enables high availability and resiliency for customer applications. DPS ensures continuous application availability by enabling the Cybera Edge Platform and Cybera’s Private Cloud to distribute network traffic based on network state without human intervention. If a vAN link between a customer’s remote location and the application server goes down, then the vAN is automatically switched to the next best link. Additionally, if an upstream connection experiences a degraded or unavailable path, the Cybera Private Cloud will automatically re-route the customer application traffic through a more optimal connection and path.

In other words, the vAN traffic can be re-routed dynamically to an alternate data center inside Cybera’s distributed, fully redundant private cloud. The switchover is achieved via the dynamic routing protocol and proprietary monitoring and automation algorithms. Examples of network states (status) triggering DPS routing switchover include both when a link goes down as well as when the health of the link, as determined by vAN policy, degrades.

Layer 3—Service Insertion Framework

Architecture Layer-3 of the Cybera ONE architecture represents a true multi-tenant, always available service insertion framework overlaying the fully redundant, software-defined data centers (Architecture Layer-2). The service insertion network is designed as an agile and resilient service delivery infrastructure to provide secure, end-to-end segmentation on an application-specific basis. It connects customer and customer-authorized third-party applications and services, by tenant, via the Cybera Edge Platforms to send and receive application data between customer remote locations and customer-authorized internal and external endpoints.

The key SD-WAN service-enabling components operating within the services insertion framework include, but are not limited to, the software defined network (SDN)-based universal policy controller (UPC), an application gateway, and virtualized network functions (vNFs) including IPsec/TLS virtual private network gateways, intrusion prevention and detection systems, and firewall protection consisting of the local, Cybera Edge Platform-based firewall and the Cybera ONE cloud-based next generation firewall. Centralized policy enforcement eliminates device-specific manual configuration and accelerates application deployment to remote locations by simplifying deployment of multiple, differing applications securely on the same network, regardless of where the applications reside.

Together, these three architecture layers amplify Cybera’s application-centric approach for providing industry leading security delivered as a fully managed, SD-WAN as a Service offering. Cybera ONE protects customer assets by instantiating and chaining together a set of virtualized security functions. For example, a customer's payment application may require data leak prevention, anti-malware, web security, and behavioral analytics functions, whereas this customer's loyalty application will likely require a different set of security functions.

Cybera ONE determines which virtualized security functions to chain together based on the application metadata that describes unique characteristics and policies associated with the application. The service insertion framework allows Cybera to easily integrate 3rd-party, best-of-breed security solutions into its cloud or to connect to a 3rd-party vendor's cloud security solution.

CUSTOMER SUPPORT AND TOOLS

Cybera’s Solutions Management Center (SMC)

Cybera offers world class customer service support via its Solutions Management Center (SMC). The SMC operates 24×7×365 to ensure the operational efficacy of its network solutions, and all staff is located at the company’s corporate headquarters in Franklin, TN. Cybera does not outsource this function to third parties or overseas vendors.

The SMC orchestrates the operations and monitoring of all security features comprising the Cybera ONE Secure SD-WAN as a Service to fully protect the customers’ networks and their brands. Together, Cybera’s secure SD-WAN service and SMC team of security and network specialists provide 24×7×365 monitoring, alert notification, hardware & software troubleshooting, diagnostics, and issue resolution.

Cybera’s SMC, which has specific escalation criteria to resolve issues as quickly and effectively as possible, is structured as follows:

• Command Center – Level 1 Diagnostic Support & Level 2 Troubleshooting
• Technical Assistance Center – Level 3 Troubleshooting
• Customer Engineering – Level 4 Troubleshooting
• Air Traffic Controller (ATC) and Shift Lead – Provides traffic control and resource assignment during the support process

SmartView Customer Management Portal

Cybera’s customer management portal, SmartView, allows access for customer-appointed representatives to review the performance of the Cybera ONE Secure SD-WAN as a Service across their entire enterprise. There is no need for the customer to administer applications, Cybera Edge Platforms, the network, or security because Cybera’s SMC team provides 24×7×365 monitoring and troubleshooting for both network and security events.


SmartView provides a customer-centric view into the distributed network of remote locations connected to Cybera’s private cloud by the Cybera Edge Platforms. This view includes a network map of the remote sites with weather overlays and color indications of site status.

Users can easily drill down to site-level data to view the status of trouble tickets automatically opened in response to an incident. SmartView notification profiles alert users when security and network events are triggered, including when a disruption to the primary WAN link at a remote location causes a failover to 4G LTE wireless backup. Clicking on the trouble ticket number directs the user to the trouble ticket, which shows its current status.

Aggregated and site-specific views and status are available across the following categories:

• Service Orders
• Operational State
• Security reporting
• Log Management and Archiving
• Customer Care Tickets

In addition to offering user insight into orders, tickets, and events, SmartView’s Site Manager also monitors services such as:

• Bandwidth utilization on the primary WAN interface
• Network Connections
• Wireless IDS (Intrusion Detection System) for Access Points, Clients, and Sensors

Figure: SmartView Bandwidth Utilization Screen


DISTINCT ADVANTAGES OF CYBERA ONE SD-WAN AS A SERVICE

Scalability at a Predictable Cost

Customers adding new locations enjoy virtually unlimited scalability with a predictable cost for adding Cybera Edge Platforms.

Virtualization

Dedicated logical networks are created between application enablers and application gateways.

Network Segmentation

Physical and logical network separation isolate applications to enhance enterprise security.

Equipment Consolidation

Cybera aggregates routing, managed switching, advanced firewalls, Wi-Fi access, and WAN diversity management functions into a single Edge Platform device to eliminate cost, complexity, and multiple points of failure.

Cloud Services Integration

Cybera’s Edge Platform provides a dedicated secure private network connection between remote sites and Cybera’s fully redundant, multi-tenant Private Cloud.

Platform Extensibility

Cybera’s Edge Platforms support multiple virtual Application Networking (vAN) instances allowing rapid deployment of additional applications with no additional capital expenditure.

SDN-based Universal Policy Controller (UPC)

Centralized policy enforcement eliminates manual device-specific configuration and simplifies secure deployment of multiple, diverse applications on the same network, regardless of where the applications reside.

PCI DSS Compliance Scope Reduction

End-to-end network segmentation on an application-specific basis narrows the scope for payment network card data environments (CDE) by reducing the number of network elements and the intermingling of application traffic.

Network Transparency

Cybera vANs are facilitated without the need for public IP addressing to provide end-to-end network transparency to the public Internet.

Conflict and Problem Reduction

Cybera vANs reduce routing conflicts common in traditional site-to-site networks, by completely segregating network addressing. vANs also reduce the proliferation of network problems caused by a single application issue affecting other applications on the network.

Cybera invites the reader to reach out to learn more about how the benefits of Cybera’s cloud-based, Secure SD-WAN as a Service can apply to your business. Please visit www.cybera.com or contact us at [email protected].

CALL 1-866-4CYBERA

[email protected]

VISIT www.cybera.com

Cybera Inc.
9009 Carothers Parkway, Suite C5
Franklin, TN 37067

WP-0004-1016-01

© 2016 Cybera, Inc. All rights reserved.

Cybera® and Cybera ONE® are registered trademarks of Cybera