A Conversation with Roberto Sato

By Sherry Wei
Founder and CTO, Aviatrix
June 16, 2018

This is my second conversation with cloud architects.

Meet Roberto Sato, EVP of Technologies at Global Electronic Technology, a privately held credit card processing service company.

Roberto is a dream customer: he is collaborative, patient and meticulous. Roberto is a VP, yet he is hands-on, knowledgeable and personally involved in evaluating new technologies.

Sherry: Tell us what you were looking for.

Roberto: Our primary motive was security. We are in the payment industry and we must be PCI compliant. We were about to launch a new product in AWS, and our external security assessor informed us of the limitations of the IP-address-based security groups in AWS for egress control, which were not sufficient as we need URL-based policies. We needed to find a solution.

I read a blog on AWS that referred to 3 companies: Aviatrix, Sophos and Fortinet. I started with the latter two as I was already familiar with what they do. Fortinet requires an AWS Lambda script that is managed by the customer, which would be risky for the new mission-critical product. Sophos deployment is quite complex, requiring a queen node, worker nodes, etc., and their Linux kernel version was older too.

So finally, I tried Aviatrix. Within 30 minutes I was able to bring up the Aviatrix Controller and test the user VPN and Egress FQDN features. It was very simple to use.

Sherry: That’s great. Do you not use an IDS/IPS appliance?

Roberto: We do use AlienVault as an IDS service; they monitor servers for threats and events.

Sherry: Then why do you still need egress control policy?

Roberto: Egress control policy is a separate PCI measure. The purpose of this one is to control the outgoing and incoming traffic. For example, a hacker could get into a server and figure out a way to decrypt the payment data. However, the hacker would not be able to send the data to a place he desires, as the outgoing traffic is only open to a specific whitelist.

Sherry: I see, thanks for the explanation. How did you decide on Aviatrix?

Roberto: I decided to go with Aviatrix because it is the easiest and most straightforward egress security solution in the marketplace; the support team is amazing, and having great companies such as Netflix as your customer made me feel very comfortable.

Sherry: That’s right. Netflix was one of our earliest customers; our user VPN solution was initially developed in collaboration with the Netflix team.

What feedback do you have for us on the product?

Roberto: There are services in our infrastructure that use non-HTTP/HTTPS protocols (for example, Sysdig runs on TCP port 6666), and these services need to be URL-whitelisted too. But the Aviatrix FQDN filter only works for HTTP/HTTPS traffic, so we had to whitelist the IP addresses. Luckily for us, most of these services run on AWS, so we used your L4 stateful firewall to whitelist all AWS-published public IP addresses, taking advantage of the almost unlimited number of rules it allows us to write, which would have been very difficult to accomplish by just using AWS Security Groups.

Sherry: Thank you. Since it is implemented in software, you can write as many rules as you like. And I have good news for you: in our next release, 3.4, we will be adding support for URL filtering for non-HTTP/HTTPS TCP/UDP traffic.

Roberto: That’s awesome. Do we have to change our current implementation?

Sherry: No, it’s an expansion of the existing feature; you do not need to remove what you have built.

Since you have moved a significant amount of workloads to the cloud, did you have to reduce your workforce?

Roberto: No, we didn’t have to. We are retraining our server guys for the cloud. Instead of staring at the logs all day, they now learn to write scripts and use DevOps tools. You still need people to manage the infrastructure after all.

Sherry: Glad to hear that. I bet they are having fun doing it.

What is your next step with Aviatrix then?

Roberto: We have finished our performance tests and we have found that there is no degradation after adding the FQDN filter. We have deployed Aviatrix Controllers and Gateways in our production environment and now we are planning to expand to more AWS regions.

Sherry: Let us know how that goes. Last question, if you were to tell a colleague about Aviatrix, what would you say?

Roberto: I would say: Aviatrix is really making networking painless and easier. Today every company needs to focus on what really matters, how to deliver value to your customers, and it needs to be faster every time. With Aviatrix, you don’t need to spend days or weeks setting up a VPN and egress security solution; you are just a couple of clicks away from it, which saves you time and allows you to keep working for your customers.

Sherry: Thank you so much for your time!
