SD-WAN and SASE: Revolutionizing Cybersecurity

As the world has gone digital, more and more organizations are undergoing digital transformations to become digital enterprises. Digital transformation goes beyond business evolution—it prioritizes technology and harnesses innovation to drive business outcomes, deliver a better customer experience, and protect their most valuable assets. Here are 3 simple concepts to consider with Zero Trust.

The next generation of digital transformation will revolutionize how businesses operate, communicate, and secure their networks. And two crucial tenets that will drive digital transformation are Software-Defined Wide Area Network (SD-WAN) and Secure Access Service Edge (SASE) architectures. They can help you become a robust digital enterprise.

What is SD-WAN?

SD-WAN technology lets enterprises use any transport service combination—like MPLS, broadband, and LTE—to connect branch offices, data centers, and cloud applications securely. It simplifies network management, reduces costs, and improves application performance.

SD-WAN also provides network resources orchestration and centralized control. It can dynamically route traffic based on business policies and network conditions to reduce ‘traffic jams’ in the network.

What is SASE?

SASE is a cloud-native architecture that combines network security and access control into a single platform. It brings multiple security functions—firewall, web filtering, intrusion prevention, and zero-trust access—into a single service to provide secure access to cloud applications and data from anywhere, on any device. And it’s all secure.

The Cybersecurity Dream Duo

In 2019, Gartner proposed the SASE architecture as a converged SD-WAN and cybersecurity model to address security vulnerabilities introduced by SD-WAN. Since then, SASE has become the standard framework for bringing together security and networking, using:

  • SD-WAN
  • Secure web gateway (SWG)
  • Next-generation firewalls (NGFW)
  • Zero-trust network access (ZTNA)
  • Cloud security
  • Security orchestration and automation (SOAR) 

When they work together, SD-WAN and SASE allow organizations to create a secure digital enterprise. SD-WAN provides a flexible and resilient network optimized for cloud-based applications; SASE delivers secure access and protection against advanced threats.

These two technologies provide an agile, scalable, and secure solution essential for businesses to remain competitive in today’s digital economy. Here’s how:

  1. Improved application performance. SD-WAN lets enterprises prioritize critical applications and optimize their performance, resulting in a better user experience and increased productivity.
  2. Enhanced security. SASE offers advanced security features such as zero-trust access, web filtering, and malware protection—all are critical for securing the network against cyber threats.
  3. Reduced costs. SD-WAN can reduce network costs by leveraging less expensive transport services, while SASE eliminates the need for multiple security products, reducing overall security costs.
  4. Simplified network management. SD-WAN and SASE provide centralized management and orchestration of network resources, simplifying network management and reducing administrative overhead.

Why you should replace your WAN with SD-WAN

Historically, enterprise WAN was built using dedicated circuits like MPLS, which are expensive and rigid. But with the rise of cloud computing and the growing need for distributed applications, traditional WAN architectures simply aren’t cutting it anymore. 

SD-WAN, however, solves traditional WAN shortcomings. It allows businesses to build a more flexible, cost-effective WAN that you can optimize for cloud-based applications. There are many benefits‌:

  1. Improved application performance. SD-WAN helps businesses prioritize critical applications and route traffic over the most appropriate transport service based on real-time network conditions. This ensures optimal application performance, resulting in a better user experience and increased productivity.
  2. Increased flexibility. SD-WAN lets businesses leverage multiple transport services, including broadband and LTE, to build a more flexible and resilient network. The result? Reduced costs, increased availability, and a more scalable and adaptable network infrastructure.
  3. Simplified network management. SD-WAN provides a centralized management platform that allows businesses to easily configure and manage their network resources. It simplifies network management and reduces administrative overhead.
  4. Enhanced security. SD-WAN offers a range of security features, such as VPN encryption, next-generation firewalls, and intrusion detection and prevention systems. These layers of security create a more secure network infrastructure that better protects against cyber threats.

SD-WAN is essential for businesses requiring a more flexible and cost-effective WAN infrastructure optimized for cloud-based applications. It has a lot of benefits, including improved application performance and flexibility, simplified network management, and enhanced security. SD-WAN is a non-negotiable for digital enterprises.

Components of SD-WAN Networks

Several components work together in an SD-WAN network to provide a flexible, resilient, and secure network infrastructure. These components include: 

  1. SD-WAN edge devices are physical or virtual devices deployed at the network edge (like branch offices or data centers). They provide a range of functions, including traffic management, application optimization, security, and monitoring.
  2. SD-WAN controllers are centralized management platforms that allow for configuration, orchestration, and control of your SD-WAN network. They let administrators manage the network, create policies, and monitor traffic flow.
  3. Transport services. SD-WAN networks can use many transport services, including broadband, LTE, and MPLS. The SD-WAN network dynamically routes traffic over the most appropriate transport service based on real-time network conditions.
  4. Cloud services. SD-WAN networks can also leverage cloud services, such as cloud-based security or application delivery, to optimize network performance and security.
  5. Security services. SD-WAN networks have a range of security features, such as VPN encryption, next-generation firewalls, and intrusion detection and prevention systems. These features help secure the network against cyber threats and protect sensitive data.
  6. Analytics and monitoring. SD-WAN networks provide real-time analytics and network traffic monitoring, enabling administrators to identify and troubleshoot issues—ensuring the network operates at peak performance.

Each component of an SD-WAN network works together to provide a more flexible, resilient, and secure network infrastructure optimized for cloud-based applications. SD-WAN can help you build a more agile and cost-effective network that adapts to changing network conditions and application requirements, providing a competitive edge.

Top SD-WAN Providers

As SD-WAN has grown in popularity, more and more companies offer it. We’ve rounded up a few of the top providers.

  1. Palo Alto Networks offers an SD-WAN solution—Prisma Access—that features NGFW, cloud access security brokers, and advanced threat protection, all integrated with SD-WAN capabilities.
  2. VMware has a popular SD-WAN solution—VMware SD-WAN—that includes a range of features, from traffic steering and optimization to security. You can deploy VMware SD-WAN on-premises or in the cloud.
  3. Aruba (Silver Peak) is a specialized SD-WAN provider that offers a range of features, including WAN optimization, dynamic path control, and application visibility and control. Silver Peak is known for its ability to optimize performance for cloud-based applications.
  4. Fortinet is a provider of cybersecurity solutions. Its SD-WAN solution, Fortinet Secure SD-WAN, includes a suite of security features like next-generation firewalls, intrusion prevention, and web filtering.
  5. Cisco is a leading provider of networking solutions. Its SD-WAN solution—Cisco SD-WAN—offers comprehensive features and functions, including security, application optimization, and policy-based routing.

These are just a few of the many companies offering SD-WAN solutions. At Lightstream, we also provide SD-WAN and managed services to ensure you have a smooth transition to SD-WAN and create a fully secure environment. 

Ready to get started? Contact us.

Want Less Noise in Your AWS Security Hub Console? We’ve Got Good News!

AWS recently changed its underlying alert creation in Security Hub. If you enabled more than one control, you’re likely getting repeats of the same alert from the different controls. With AWS’s new feature, you’ll receive one standard alert—even if it violates multiple controls.

This new feature introduces a single control ID across all standards. For example, before the new feature you would get three different alerts:

  • The CIS standard will report “CIS 2.5”
  • The PCI will report “PCI.Config.1”
  • The AWS FSBP will report “Config.1”

And if you enable de-duplication, all standards will report a single consolidated finding of “Config.1”

De-duplication isn’t automatically enabled for existing implementations, and you’ll want to consider a few things before turning on the new feature. However, any new implementations will already have it enabled by default.

Here are a few things to watch out for before enabling de-duplication:

  • If you have an existing implementation and use any automation—either custom through CloudWatch or Automated Security Response— you’ll need to change your rules to reflect the new finding sID.
  • Automated Security Response doesn’t currently support the new finding IDs. Wait until it updates.
  • If you’re integrating into an SIEM, check with your SIEM team to ensure it supports the new finding IDs.

A few other things to note:

  1. If you’re running Security Hub (centralized in an organization), you’ll update it in the centralized account. It will roll out to existing accounts automatically.
  2. Creating a new account in an organization with an existing account? It will be configured the same as the master account.

AWS’s new de-duplication feature can help if you’re struggling with the number of alerts in Security Hub by reducing them and streamlining updates.

Should Your Cybersecurity Strategy Incorporate the Zero Trust Model?

Should Your Cybersecurity Strategy Incorporate the Zero-Trust Model?

Zero-trust has taken over the security world and become a popular buzzword, but what is it? Why is it so important? This popular security framework centers on the philosophy that organizations shouldn’t automatically trust users or devices—not even those inside the network perimeter.

Instead, zero-trust demands organizations verify the identity and trustworthiness of every user and every device before granting access to sensitive resources. As the say goes, “Never trust, always verify.”

Traditional Firewall Security Limitations

When companies based their security on the firewall approach to protecting the network perimeter, only trusted users and devices could access the network. While it worked well for a time, it had plenty of limitations. Zero-trust minimizes those limitations to create an even more secure network and cloud environment.

Let’s explore a few firewall security limitations.

1. Making assumptions of trustworthiness

The firewall approach assumed that all users and devices within the network perimeter were trustworthy. It was (and still is) a dangerous assumption because it leaves organizations vulnerable to attacks from malicious insiders who gained access to the network.

2. Assuming the perimeter’s secure

Firewalls relied on the network perimeter being secure—always. The problem with this assumption is that it doesn’t account for attackers who could still gain access through other means, like using stolen credentials or exploiting software and network infrastructure vulnerabilities.

Why Organizations Have Shifted to Zero-Trust

Making the above assumptions puts companies at risk, making the firewall approach to security an inadequate solution in today’s complex and interconnected world. The result? A new security strategy: zero-trust.

Zero-trust emphasizes the verification of both the identity and trustworthiness of every user and device. Then, and only then, can they access sensitive assets or resources.

The Zero-Trust Approach

Zero-trust’s security framework is built on the “never trust, always verify” philosophy, which means:

  • Continual monitoring of all users, devices, and applications
  • Activity, identity, and device verification before granting network access

This approach eliminates reliance on perimeter-based security measures, instead focusing on securing access to data and resources within the network.

Zero-trust also emphasizes the importance of authentication and access controls, including using multiple factors of authentication:

  • Passwords
  • Biometrics
  • Token-based authentication

These measures ensure that only authorized users gain access to resources.

Another tenet of zero-trust is constant monitoring (through tools like network and endpoint security) of both user and device activity, which can alert security teams the second these tools detect suspicious activity.

But you’ll also want to regularly test and update security controls, constantly checking for unknown vulnerabilities. Security assessments that use both internal and external expertise and resources can help protect your organization against unknown or future threats.

Zero-trust is crucial for protecting your enterprise organization. By implementing this security strategy, you can arm yourself against the increasingly sophisticated and persistent threats your face in today’s digital world.

Are You Ready to Implement Zero-Trust?

If you’re ready to up-level your security, Lightstream can help. We strongly believe zero-trust is essential to any security strategy that aims to protect your data, network, and organization—which is why we offer a full suite of zero-trust solutions:

  • Readiness assessments
  • Consulting
  • Managed services

We often act as extensions of our clients’ security teams, helping protect you 24/7. And we use a zero-trust framework to do so.

Adopting the zero-trust approach can drastically reduce the risk of data breaches and other security threats. It can also help protect your reputation and ensure your data and resources remain secure.

So, if you want to learn more or are ready to implement it, contact us today.

5 Reasons The Pentagon Implemented Zero Trust (And Why You Should Too)

3 Simple Concepts to Consider with Zero Trust

Never trust, always verify

According to the World Economic Forum, zero trust is the way forward—and the US government agrees. “The zero trust model has been widely recognized as an effective approach to prevent data breaches,” which is why the Department of Defense is working to advance toward zero trust architectures. The Pentagon recently announced its intention to implement an enterprise-wide zero-trust framework by 2027, which comprises over 100 activities and pillars, including users, devices, data, networks, workloads, visibility, and orchestration.

Pentagon Chief Information Officer (CIO) John Sherman explained the decision to move toward a zero-trust implementation:

It doesn’t represent a defeat, it doesn’t mean that we’re not strong cyber defenders. But it recognizes that we live in a very sophisticated threat environment. We’ve got to defend differently. We can’t just defend at the perimeter.

The Pentagon is committed to transitioning network defenses to a zero-trust architecture in just a few short years for several reasons:

  • Attackers are becoming more sophisticated and using advanced methods to steal sensitive data, attack the supply chain, and more

  • The threat environment is ever-evolving and we need to adapt to ensure we build products to operate securely

  • To establish baseline security standards

  • An increased ability to detect malicious cyber activity

It’s a proactive approach to ensuring data security in the cloud and beyond. Zero-trust is good enough for the Department of Defense—and it’s good enough for you too. Let’s explore why.


Want to Learn More About Zero-Trust?

Whether you’re ahead of the game and have already started on your zero-trust journey or are looking for a provider to help you implement the zero-trust framework, Lightstream can help. We’re experts in all things cloud security and partner with zero-trust specialists to strategize, build, and implement zero-trust architectures. 

We’re happy to answer any questions you have, but if you’re just getting started, review our articles on zero-trust:

  1. The 5-Step Model to Implementing Zero Trust
  2. 3 Simple Concepts to Consider with Zero Trust

Ready to get started? Contact us today for a consultation.

Secure Access Service Edge and Zero-Trust: The Ultimate Security Solution

Secure Access Service Edge and Zero-Trust: The Ultimate Security Solution

With more businesses going hybrid or fully remote and data breaches on the rise, organizations are scrambling to ensure data and application security at every level. As security has become even more paramount, more and more organizations are implementing a zero-trust security model, which has slowly become the standard for cloud security.

But savvy organizations are also deploying more advanced security principles, including secure access service edges (SASE). And despite occasionally being incorrectly positioned as either/or solutions, zero-trust is actually a foundational part of a SASE architecture.

Let’s explore how this dynamic duo works together to create even more secure networks and cloud environments.

What is SASE?

Gartner coined the term SASE just a few short years ago, in 2019, to explain an emerging cybersecurity principle, which integrates security into the network architecture to deliver consistent and secure access, no matter where users, applications, or data are.

It brings together wide area networking (WAN) and network security services, including cloud access security broker (CASB), zero-trust, secure web gateway (SWG), and firewall as a service (FWaaS) into a single, cloud-delivered service model.

What is Zero-Trust?

While zero-trust and SASE are newer philosophies, zero-trust is a bit more established. Forrester Research first coined the term in 2010 to sum up the principle of least privilege (POLP) to network access.

Zero-trust is a strategy based on the idea of “never trust, always verify” that requires continual authentication and verification before granting access to your network, data, and applications. A few tenets include:

  • Implementing a POLP strategy and strict access control
  • Ensuring secure access to resources from anywhere
  • Inspecting and logging all traffic

How do SASE and Zero-Trust Work Together?

When you think of SASE and zero-trust, think of them as parts of the same security vision. They both work to protect your data, applications, and assets in the cloud using dynamic perimeters and user verification.

SASE deploys security via the cloud, whereas zero-trust uses the POLP principle to ensure security. But instead of working separately, zero-trust is part of the SASE framework. SASE is what establishes and enables zero-trust network access (ZTNA).

SASE combines network and network security components in a single cloud-based service—one such component is ZTNA. Without ZTNA, there’s no point in deploying SASE. But once you implement ZTNA and build it into your SASE architecture, you can consistently enforce your security policies throughout your entire network, providing much stronger network security.

Together, SASE and ZTNA allow for the decentralized network distributed teams need while providing high levels of security. Users get the access they need—from any location or device—and organizations get the security they need to protect assets and data.

Ready for SASE and Zero-Trust?

Whether you’re looking to ramp up your security efforts or have implemented parts of your SASE architecture but need help rolling everything out, Lightstream is here to help. Our team of experts has decades of experience with cloud security and partner with industry leaders to deploy zero-trust and SASE solutions.

If you’re ready to get started or have questions, reach out to Lightstream.

The 5-Step Model to Implementing Zero Trust

The 5-Step Model to Implementing Zero Trust

As data breaches and cyberattacks have become commonplace, organizations are finding themselves doing more and more to defend themselves and improve their network and cloud security. One such effort includes developing and deploying a zero trust strategy, which, at its core, follows the “never trust, always verify” principle. Implementing a zero trust strategy and architecture can prevent cybersecurity attacks, including data breaches.

Zero trust is an augmentation of your existing architecture, making it simple to deploy, regardless of your technology. Implementing zero trust takes an iterative approach that allows you to learn and reflect before adding any improvements to new iterations—all of which help build a more resilient and secure environment, made up of people,  processes, and systems..

Ready to get started? Follow the 5-step method outlined below to deploy a zero trust network within your organization.

Step 1: Define the Protect Surface

As attack surfaces continue to expand, it’s no longer feasible to work endlessly to reduce them. It’s hard to define or defend against, which is why zero trust focuses on a protect surface instead. Identify the data, applications, assets, and services (DAAS) elements you want to protect and encompass them in your protect surface. Each protect surface contains a single DAAS element, and every zero trust environment has multiple protect surfaces.

Your DAAS elements help define the sensitive resources that should go into individual protect surfaces. This includes:

  1. Data. The sensitive data that can wreak havoc if it’s misused or exfiltrated. Examples include payment card information (PCI), protected health information (PHI), personally identifiable information (PII), and intellectual property (IP).
  2. Applications. The off-the-shelf or custom software applications that interact with sensitive data or control critical assets and business processes.
  3. Assets. Often, these include information technology (IT), operational technology (OT), or internet of things (IoT) devices such as point of sale terminals, SCADA controls, manufacturing systems, and networked medical devices.
  4. Services. Sensitive services that are exceptionally fragile. Examples include DNS, DHCP, ActiveDirectory®, and NTP.

Step 2: Map the Transaction Flows


Mapping the transaction flows to and from the protect surface shows how various DAAS components interact with other resources on your network, helping you determine where to place the proper controls and how to protect data. How traffic moves across the network, specific to the data in the protect surface, determines the design.

As you map your transaction flows, ask yourself:

  1. Can I do this on my own?
  2. Do I have the capabilities and technologies to extract the flow of information from my environment?
  3. Do I have the technology in place that can do data discovery or flow identification?

Next, identify users’ density and privileges, applications, and services and map the transaction flows between your protect surfaces to document which traffic or transaction flows are active between the protect surfaces.

Step 3: Build a Zero Trust Architecture

Because zero trust frameworks are decoupled from technology, they can be completely customized—they are built around protect surfaces. The next step is to define and build a zero trust architecture, including associated security measures. Start with a next-generation firewall that acts as a segmentation gateway, creating a micro-perimeter around your protect surface.

According to Palo Alto Networks, you can enforce additional layers (all the way to Layer 7) of inspection and access control for anyone or anything trying to access the resources defined within your protect surface.

Step 4: Create a Zero Trust Policy

The next step in implementing your zero trust strategy is to create a zero trust policy. You need to instantiate zero trust as a Layer 7 policy statement, which requires Layer 7 controls. Use the Kipling Method of zero trust policy writing to determine who and what can access your protect surface.

The Kipling Method answers the who, what, when, where, why, and how questions, allowing you to define:

  1. Who should be allowed to access a resource?
  2. What application is used to access a resource within the protect surface?
  3. When is the asserted identity allowed to access a resource?
  4. Where is the resource located?
  5. Why is the user allowed to access the resource within the protect surface?
  6. How can a user get access and through which application?

Step 5: Monitor and Maintain the Network

The final step of the 5-step methodology is to monitor and maintain the network. It involves inspecting and logging all traffic, including through Layer 7. The telemetry this process provides doesn’t just help prevent data breaches and other significant cybersecurity events, but also provides valuable security improvement insights. Each protect surface becomes more robust and better protected over time.

Remember, zero trust takes an iterative approach, so inspecting and logging all traffic will provide insights that can help you improve your network, iteration over iteration.

Implement, Learn, and Repeat

After you’ve worked your way through this methodology, you can expand and iterate to fully move your DAAS elements from your existing network to a zero trust architecture that can better protect your data. Use this approach and the Kipling Method to get started and take your learnings from each iteration to improve. And if you need help getting started or maintaining your zero trust strategy and architecture, we’re here to help. Contact us today to get started.

3 Simple Concepts to Consider with Zero Trust

3 Simple Concepts to Consider with Zero Trust

Every Zero Trust strategy follows this simple principle: never trust, always verify. Building a Zero Trust architecture prevents cybersecurity attacks and data breaches using protect surfaces. Organizations build many of these protect surfaces around their most valuable data, assets, applications, and services (DAAS), significantly reducing the overall attack surface to better protect their businesses.

These 3 Simple Concepts to Consider with Zero Trust  have remained the same since John Kindervag coined the term “zero trust” in 2010. They are:

  1. Trust
  2. Access control
  3. Logging and inspection

Let’s first explore the concept of trust.

Concept 1: Trust

The “never trust, always verify” concept centers on Kindervag’s claim that removing trust from a network makes it natural to ensure secure access to all DAAS elements, regardless of who creates traffic or where it comes from. Eliminating trust means assuming that all traffic is a threat until it has been verified that it is authorized, inspected, and secured. Kindervag suggests starting with the protect surfaces that need protection and working your way outward.

Concept 2: Access Control

The second concept, access control, should help determine who needs access to a specific resource to do their job. Many organizations give too many users access to sensitive data instead of implementing the Principle of Least Privilege. This principle states that a user should only be granted access to those privileges necessary to complete a task. If they don’t need access, they shouldn’t be given access.

In a Zero Trust architecture, a user asserts their identity and will then be granted access to a particular resource based on that assertion. They’re restricted to the resources they need to perform their job only. Kindervag suggests using the Kipling Method to create easily understandable access policies.

Concept 3: Logging and Inspection

The third concept dives into the “always verify” part of zero trust. Instead of inherently trusting users to do the right thing, you must verify they are doing the right thing. You can do this by logging and inspecting all traffic coming to and from protect surfaces for malicious content and unauthorized activity (through Layer 7).

Instead of taking a reactive approach, logging and inspection in a Zero Trust environment is proactive, acting as a foundation for real-time protection and ensuring you deploy all your protect surface policies correctly.

Ready to Deploy Zero Trust?

Are you ready to implement a Zero Trust environment in your organization? We work with partners like On2It to walk through these three concepts, the Kipling Method, and implementation to ensure your business is as secure as possible. So, if you’re ready to move to a Zero Trust architecture, contact us today to get started.

Cut Data Transfer Costs With CloudFront & Lightstream

Cut Data Transfer Costs With CloudFront & Lightstream

With a global pandemic, record-high inflation, and the Great Resignation all contributing to economic uncertainty, many businesses have put hiring freezes in place, laid off hundreds of staff, and delayed projects indefinitely. Everyone is trying to manage costs and cut where possible.  One solution is to cut data transfer costs with CloudFront & Lightstream.

And while many organizations are already using a Content Delivery Network (CDN) to manage data transfer costs and provide customers with a seamless experience. But did you know you could save up to 85 percent more each month by working with an AWS partner?

Why Lightstream?

As an AWS partner, we’re not only knowledgeable about all things AWS, but we also keep up-to-date on best practices and are well-versed in optimizing AWS services for our clients. We help them find solutions that save money, provide the most security, and allow them to innovate faster than ever before. We also pass significant savings onto our clients–up to 85 percent, to be exact–with volume purchasing.

So, before you lay off members of your IT team or bring projects to a halt, consider working with Lightstream and potentially save tens of thousands every month.

Why AWS CloudFront? 

Consumers expect lightning-fast websites, quick downloads, and seamless video streaming–they won’t wait for your site to load or for the buffering screen to go away. Delivering a great user experience quickly is paramount. Most organizations already use a global CDN like CloudFront to deliver this experience. Using a network of over 200 Points of Presence (PoP) that cache and deliver content to its users, CloudFront is a common solution for businesses looking to balance a great user experience with data cost savings.

CloudFront leverages Amazon’s resilient, fully redundant, global backbone network for superior performance and availability–all of which give the user a great experience. And by moving the content physically closer to the user, companies can save significantly on data transfer costs.

Another way businesses have become more cost-efficient is by keeping everything in-house. AWS doesn’t charge transfer fees for origin fetches from an AWS server, which helps organizations realize even more savings. Some businesses are even taking advantage of the CloudFront Security Savings Bundle, which offers up to 30 percent savings if they commit to a monthly spend commitment.

Security is another reason businesses are choosing CloudFront. Security has always been at the forefront of the cloud, so it’s not surprising that CloudFront adds an extra layer of protection. The CDN adds security features at the edge location, using application- and network-level security assets to protect data against network and transport layer DDoS attacks. By integrating CloudFront with other AWS services like Web Application Firewall (WAF), you can protect against even more complex attacks.

Calculate Your Savings

Want to see how much you could save by partnering with Lightstream for your CloudFront services? Use our cost savings calculator and then get in touch to explore a partnership to cut data transfer costs with CloudFront & Lightstream.

Cut Data Transfer Costs With CloudFront and Lightstream