Back to Blog

Why Your NetFlow is Safe in the Cloud

Alex Henthorn-Iwane

Network Engineering
Cloud_safe-500w

Summary

Among Kentik Detect’s unique features is the fact that it’s a high-performance network visibility solution that’s available as a SaaS. Naturally, data security in the cloud can be an initial concern for many customers, but most end up opting for SaaS deployment. In this post we look at some of the top factors to consider in making that decision, and why most customers conclude that there’s no risk to taking advantage of Kentik Detect as a SaaS.


Five Reasons the Kentik Detect SaaS is Secure

Cloud_safe-500w.png

We spend a lot of time in this blog talking about the key capabilities that make Kentik Detect unique in the world of network management. We ingest flow records — augmented with goodies like BGP and GeoIP — at massive scale (currently a hundred billion daily). Data is available for querying in under three seconds from receipt. We respond to ad hoc queries across billions of rows in under two seconds (95th-percentile). And we retain network data unsummarized for 90 days (longer by arrangement). Enabled by a scale-out big data architecture that’s purpose-built for network operations, these capabilities are critical for effective visibility. But our architecture also makes possible another unique and valuable attribute of our product, which is that Kentik Detect is a SaaS.

Being a SaaS offers huge benefits to our customers, but it’s not a characteristic that every prospect initially finds attractive. (Full disclosure: we also offer Kentik Detect deployed on premises or on a private cloud.) In fact, depending on the type of organization, we often hear concern from the network operations team about whether the security team will let them export NetFlow to the cloud. In this post we’ll look at why so many of our customers who start with a “no NetFlow in cloud” stance ultimately realize how safe — and cost-effective — it is to use us as a SaaS.

We spend a lot of time in this blog talking about the key capabilities that make Kentik Detect unique in the world of network management. We ingest flow records — augmented with goodies like BGP and GeoIP — at massive scale (currently a hundred billion daily). Data is available for querying in under three seconds from receipt. We respond to ad hoc queries across billions of rows in under two seconds (95th-percentile). And we retain network data unsummarized for 90 days (longer by arrangement). Enabled by a scale-out big data architecture that’s purpose-built for network operations, these capabilities are critical for effective visibility. But our architecture also makes possible another unique and valuable attribute of our product, which is that Kentik Detect is a SaaS.

Being a SaaS offers huge benefits to our customers, but it’s not a characteristic that every prospect initially finds attractive. (Full disclosure: we also offer Kentik Detect deployed on premises or on a private cloud.) In fact, depending on the type of organization, we often hear concern from the network operations team about whether the security team will let them export NetFlow to the cloud. In this post we’ll look at why so many of our customers who start with a “no NetFlow in cloud” stance ultimately realize how safe — and cost-effective — it is to use us as a SaaS.

1. NetFlow data is only metadata.

NetFlow is derived only from packet headers, and is made up only of metadata about the packets that make up your traffic (in that sense it’s analogous to the call detail records retained by your telephony providers). There’s no way to determine from NetFlow the actual content of the packets themselves, which might include proprietary data or be subject to PII, PCI, or HIPAA restrictions. Further, if the flow data is being produced by Internet edge devices, all of the packet headers from which that data is derived have already traversed the public Internet in the clear.

2. NetFlow is less sensitive than your other data in the cloud.

Like most businesses these days, your organization probably already makes use of SaaS tools such as Salesforce, Office365, Google Apps, Slack, GitHub, Box, Dropbox, Evernote, Marketo, or Eloqua. If so, the information you’re already putting into the cloud is far more private and sensitive than anything in NetFlow. Sending NetFlow to the cloud effectively adds zero additional risk.

3. BGP peering tables are already publicly visible.

If you’re using BGP to peer with service providers, then you’re already sharing all of your routes with the Internet. There are many publicly available looking-glasses and route-view sites that can show the BGP routes you are advertising and to whom they are being advertised. Peering with Kentik is safer than the peering you’re already doing for Internet traffic delivery, and it allows our data engine to combine your NetFlow records with time-correlated BGP data, creating a unified datastore that enhances your ability to extract operational, security, and business insights.

4. Kentik accepts NetFlow via encrypted transit or PNI.

Kentik offers an easy-to-deploy agent that will encrypt NetFlow at your local premises and put it in a secure tunnel to Kentik Detect. And if you have connectivity into Equinix, you have another and even more private way to get us your NetFlow, which is via a Private Network Interconnect to our Equinix colocation site.

5. NetFlow can be stored securely and privately.

The Kentik Data Engine (KDE) was built from the ground up to keep each customer’s data completely separate, with no path that can be used to jump the fence. We also utilize many security safeguards such as regular vulnerability assessments, two-factor authentication, and automated source code security analyses. For more information on Kentik’s information security management program, check out the Kentik Security article in our Knowledge Base.

SaaS as a Safe Solution

Based on the points above, it’s easy to see why the vast majority of our customers deploy on our multi-tenant SaaS infrastructure. Most of those who have initial concerns about NetFlow in the cloud are able to address the issues to the satisfaction of their security stakeholders. Of course there are some very large organizations that deploy Kentik Detect on-premises, and we also offer the option of a single-tenant cloud deployment. But it’s hard to beat the simplicity and low total cost of ownership of SaaS. Among the hundreds of customers to date that use our public SaaS you’ll find large enterprises, banking and finance companies, and government agencies. Having laid their data security concerns to rest, these customers are able to take advantage of the advanced capabilities mentioned at the start of this post.

So now it’s your turn. If you’re ready for big data-powered network traffic intelligence, why wait? Learn more by digging into our product, seeing what our customers think, or reading our white paper about the Kentik Data Engine. Better yet, dive right in by requesting a demo or starting a free trial today.

Explore more from Kentik

View in Prod
We use cookies to deliver our services.
By using our website, you agree to the use of cookies as described in our Privacy Policy.