enforza Solution Overview
enforza is on a mission to help SMEs and cost- and resource-conscious organisations secure their multi-cloud environments with streamlined, cost-effective security solutions. As the first multi-cloud network security platform designed specifically for this audience, enforza combines robust, open-source-based security with ease of deployment and management.
Powered by a cloud-native architecture, enforza delivers a highly secure, feature-optimised solution that focuses only on the essential needs. Unlike feature-heavy alternatives, enforza is streamlined to meet critical security and compliance requirements, reducing complexity and maximising the agility to operate at cloud speed.
enforza Architecture
enforza employs a modern, cloud-native approach by decoupling the control plane from the data plane, resulting in two primary components: the enforza Controller and the enforza Gateway.
enforza Controller: A highly reliable, scalable, centralised control platform provided as Software-as-a-Service (SaaS) and fully managed by enforza. It provides the control plane, where all security policies are defined and managed. Customers access the enforza Controller through a secure web portal, or through automation (the API, or a cloud provider's native automation tooling) to integrate security into DevOps/DevSecOps processes.
enforza Gateway: The enforza Gateway provides advanced security controls to defend against external threats, prevent data exfiltration, and detect malicious activity within the cloud. Key features include stateful firewalling, NAT gateway, FQDN/URL filtering, Intrusion Prevention/Detection, with detailed logging and analytics on demand.
Getting Started
To begin using enforza, you can choose from various deployment methods, from manual installation of gateways to an AWS CloudFormation template that builds a pre-made landing zone.
1. Install Agent: The first step in deploying enforza security is to install the enforza agent on your cloud instances or on-premise devices; it converts a vanilla Linux instance into a secured enforza Gateway. The agent is lightweight and designed for minimal impact on system performance. Installation packages are available for a variety of platforms, including AWS, Azure, GCP, and on-premise environments. Installation is a single command and takes less than 30 seconds.
2. Claim Device: After the agent installation, simply claim the device in the enforza Controller; the claim step is presented once the agent is installed. This securely registers the enforza Gateway with the controller so that it becomes part of your managed inventory. The controller assigns unique identifiers and ensures that the device is properly authenticated. For all control-plane communications, the enforza Gateway always initiates the session (outbound, across the internet) to the enforza Controller in the cloud; the controller does not connect inbound to the gateway.
3. Push Policy: Once your enforza Gateway(s) are claimed, you can define and push security policies through the enforza Controller. These policies are dynamic and adapt to the continuously evolving cloud environment, ensuring consistent security across all managed assets. Policies can be defined for ingress, egress, and lateral (East-West) traffic, and tailored to specific workloads or cloud environments.
Depending on the license level, you will be able to push the same policy to many enforza Gateways, across many clouds, simultaneously to ensure a consistent perimeter security policy.
Securing East-West, Egress, and Ingress Traffic
In a multi-cloud environment, securing traffic is essential to protect against both internal and external threats. enforza provides comprehensive protection for:
Egress traffic (outbound): Controls outbound connections to prevent unauthorised data exfiltration, using stateful firewalling, FQDN/URL filtering and IPS/IDS.
Ingress traffic (inbound): Ensures only legitimate traffic enters your cloud environment, with built-in defences such as the stateful firewall and IDS/IPS.
East-West traffic (internal): Monitors communication between resources within the same VPC/VNET or across subnets, preventing lateral movement of threats. This protection is optional and can be enabled and adjusted as your security needs evolve.