ASD-F01 – Security as a Service in a Financial Institution: Reality or Chimera?

RSA Conference session ASD-F01. Speakers: Iñigo Merchán, Security Architect, BBVA (@achemerchan), and Javier Losa, Cybersecurity Product Engineering, Innovation 4 Security – BBVA Group (@sealth).

Posted on 05-Oct-2018

TRANSCRIPT

Slide 1: Security as a Service in a Financial Institution: Reality or Chimera? (ASD-F01). Iñigo Merchán, Security Architect, BBVA (@achemerchan); Javier Losa, Cybersecurity Product Engineering, Innovation 4 Security – BBVA Group (@sealth).

Slide 2: Our use case

Slide 3: i4s – Our security product leverage

i4s is a BBVA Group company that creates cybersecurity products to support the Digital Transformation.

- We promote innovation and teamwork
- Our teams are small to avoid fragmentation
- We are flexible and agile
- We provide solutions to needs not covered by the market

Slide 4: Banks must adapt to the new landscape

We are living through a digital revolution that affects society as a whole (transportation, healthcare, entertainment, etc.), and Financial Services are not an exception. Banks are part of the digital revolution now because clients expect them to be.

Slide 5: New ecosystem, new rules

Huge changes for the industry: new customer needs, new industry players, new technologies.

Key success factors:
1. Deliver & adapt fast
2. Client & customer satisfaction
3. Better performance
4. Lower costs

Source: Versionone

Slide 6: The new way of working

In order to meet the new paradigm, we need a different approach for security and the Digital Transformation (cloud, agile & full automation):

- 20+ Scrum teams
- Public, Private and Hybrid Clouds
- Security as a core for Knowledge Banking
- SecDevOps is part of our culture now
- SDx (Software Defined Everything)

Slide 7: How security in waterfall is addressed

Figure: the waterfall phases (Requirements, Design, Development, Verification, Maintenance) with the security activities placed along them: Security Requirements, Risk Assessment, Code Review, Penetration Testing, Security Vulnerabilities.

Slide 8: How to address Security in Agile?

Source: RightScale

Slide 9: Datacenter vs. Cloud

Traditional IT Datacenter      | Public/Hybrid/Private Cloud
Siloed infrastructure          | Converged infrastructure
Little automation              | Full automation
Legacy IT                      | Resource pooling
Rigid                          | Agile & Flexible
High maintenance               | Low maintenance
Separate teams                 | Cloud Operation team
Hierarchical approvals         | Self Service
"Hand-made"                    | Automated & Repeatable
Long time to deploy            | Automated deployments

Source: Wikipedia; Source: MVM

Slide 10: Security as a Service process (Chimera platform)

Slide 11: How Chimera was born…

Mar 2013: Innovation 4 Security is born to leverage the security knowledge of its professionals in order to support the Digital Transformation.

Mar 2014: the « Agile Security Model » is designed as a process to be more agile in the SDLC (Software Development Life Cycle).

Jun 2014: « Cloud Security Foundation » is defined as a group of basic security services needed to protect the IaaS.

Sep 2014: Chimera is born as an i4s platform: from SDLC security, to deployment of security architectures, to use of security products in production.

Jun 2015: first services in production, focusing on automatically deploying reverse proxies and Technical Verification services, and on hardening instances.

Slide 12: SECaaS (Security as a Service)

Figure: the SECaaS flow for a New Project. Agile Board: Security Product Owner, Model Driven Security Patterns, BDD Security User Stories, IGL Automatic Code Review. Deploy / Provisioning: Deploy, Provisioning. Security API and Additional Security Services: Hardening Service, Technical Verification Service, AuthN and AuthZ Service, Cloud Security Set Up Service, Encryption Service. Platform Management: Security Team.

Slide 13: Agile Board – Security Patterns

Model Driven Security: build security patterns to automatically apply security to new projects.

Figure: example architecture (the "Hello World" project with SPP, Transactions repository, PoS Data and ELARA Services) drawn across the zones User environment, Internet, Bastion, Outsourced Private Cloud, BBVA Bastion and BBVA DC. Legend: Customer, Secured data, Plain data, Secure channel, Plain channel, Transport Data, Unknown Management, Outsourced Management.

Slide 14: Agile Board – Security Patterns

Figure: the same "Hello World" architecture (zones User environment, Internet, Bastion, Outsourced Private Cloud, BBVA Bastion, BBVA DC; legend as on slide 13) after the pattern is applied: a chain of firewalls and reverse proxies (FW / REV. PROXY) between the zones, a policy repository (POLICY REPO) and log servers (LOG SERVER).

Source: Roberto Ortiz (BBVA). A methodology to build secure information systems based on patterns
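A toy illustration of the model-driven idea behind slides 13 and 14, added here and not taken from the talk or from i4s: an architecture is described as components in zones plus channels, and a few pattern rules derive the security components (log servers, encryption, FW / reverse proxy, secure channels) that must be added. The zone names and the plain/secured legend come from the slide; the rules, the trust split and the `Component`/`Channel`/`apply_patterns` names are assumptions.

```python
# Added example (not BBVA's or i4s's code): toy model-driven security check.
# Rules and the trusted/untrusted split are assumptions made for illustration.
from dataclasses import dataclass
TRUSTED = {"BBVA DC"}  # assumption: only the bank's own datacenter is trusted
UNTRUSTED = {"Internet", "User environment", "Outsourced Private Cloud"}

@dataclass
class Component:
    name: str
    zone: str
    data: str = "none"  # "plain" or "secured" (slide legend)

@dataclass
class Channel:
    src: str
    dst: str
    kind: str = "plain"  # "plain" or "secure" (slide legend)

def apply_patterns(components, channels):
    """Return the security components the patterns require, one string each."""
    by_name = {c.name: c for c in components}
    required = []
    for c in components:
        # Every component ships its events to a log server (LOG SERVER on slide 14).
        required.append(f"LOG SERVER for {c.name} in {c.zone}")
        # Plain data at rest outside the trusted zone must be secured (Encryption Service).
        if c.data == "plain" and c.zone not in TRUSTED:
            required.append(f"ENCRYPTION for {c.name} data in {c.zone}")
    for ch in channels:
        a, b = by_name[ch.src], by_name[ch.dst]
        crosses = a.zone != b.zone
        if crosses:
            # A zone boundary is crossed through the FW / REV. PROXY chain of slide 14.
            required.append(f"FW + REV. PROXY between {a.zone} and {b.zone} for {ch.src}->{ch.dst}")
        if ch.kind == "plain" and (crosses or a.zone in UNTRUSTED):
            # A plain channel that leaves its zone or lives in an untrusted one becomes secure.
            required.append(f"SECURE CHANNEL for {ch.src}->{ch.dst}")
    return required

# Constructed architecture modelled loosely on the slide's "Hello World" project.
HELLO_WORLD = [
    Component("Customer", "User environment"),
    Component("Hello World", "Outsourced Private Cloud", data="plain"),
    Component("Transactions repository", "BBVA DC", data="secured"),
]
HELLO_WORLD_CHANNELS = [
    Channel("Customer", "Hello World"),
    Channel("Hello World", "Transactions repository"),
]
```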

Slide 15: Agile Board – Security with BDD

Behaviour Driven Development: automate security acceptance tests and establish a common set of user stories depending on the project and its architecture.

Source: Wakaleo

Slide 16: Agile Board – Security with BDD

Example

Source: BDD Security - Continuum
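The kind of security user story slides 15 and 16 refer to, as an added example that is not from the talk or from the BDD-Security project: Given/Then sentences are bound to step functions and run against a constructed HTTP response, so the same stories can gate every project. The step wording, the `run_scenario`/`run_feature` names and the sample response are assumptions.

```python
# Added example, not from the slide or the BDD-Security project: security user
# stories in Given/Then form run against a constructed HTTP response, so the
# same stories can gate any project's pipeline. Step wording is an assumption.
import re

RESPONSE = {  # constructed response to a request for the application's login page
    "url": "https://app.example.test/login",
    "headers": {
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
        "Set-Cookie": "session=abc123; Path=/; HttpOnly",  # Secure flag missing
    },
}
STEPS = {}  # compiled step sentence -> function(ctx, *captures) -> bool

def step(pattern):
    def wrap(fn):  # register a step definition under its Gherkin sentence (a regex)
        STEPS[re.compile(pattern)] = fn
        return fn
    return wrap

@step(r"the application is served over HTTPS")
def _https(ctx):
    return ctx["response"]["url"].startswith("https://")
@step(r"the response carries the header (\S+)")
def _header(ctx, name):
    return name in ctx["response"]["headers"]
@step(r"every cookie is flagged (\w+)")
def _cookie_flag(ctx, flag):
    parts = ctx["response"]["headers"].get("Set-Cookie", "").split(";")
    return flag.lower() in [p.strip().lower() for p in parts]

def run_scenario(title, lines, ctx):
    """Run one scenario; return (title, passed, first failing step or None)."""
    for line in lines:
        text = re.sub(r"^(Given|When|Then|And) ", "", line)
        hits = [(fn, p.fullmatch(text)) for p, fn in STEPS.items() if p.fullmatch(text)]
        if not hits:
            raise KeyError(f"no step definition for: {line}")
        fn, match = hits[0]
        if not fn(ctx, *match.groups()):
            return (title, False, line)
    return (title, True, None)

FEATURE = {  # common security user stories shared by projects (constructed)
    "Transport security": ["Given the application is served over HTTPS",
                           "Then the response carries the header Strict-Transport-Security"],
    "Session cookie protection": ["Then every cookie is flagged HttpOnly",
                                  "And every cookie is flagged Secure"],
}

def run_feature(feature=FEATURE, response=RESPONSE):
    return [run_scenario(t, lines, {"response": response}) for t, lines in feature.items()]
```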

Slide 17: Agile Board – IGL

Figure: the IGL pipeline. Code Repository (software, infrastructure and security) -> Build and Unit Testing -> Code Review Engine -> Penetration Testing -> Deployment & Configuration -> Dev / Prod Environment. Gates shown along the way: Recipe Syntax OK, Verify, Security Tests Pass (including BDD).

Slide 18: Deploy & Provisioning: IaaC

Figure: hybrid cloud, with a Cloud Orchestration/Management Platform in front of the public cloud and the private cloud.

Slide 19: Deploy & Provisioning: CMT

Figure: Configuration Management Tools (agnostic) reach a new server obtained from the IaaS; Access & Audit.

Slide 20: Deploy & Provisioning

RSA Conference Dummy Project 1
RSA Conference Dummy Project 2

Slide 21: Cloud Security Foundations

- Technical security checking: do the deployed services comply with the defined policies and regulations?
- Hardening services: security configuration and basic security components installation.
- Security events collection & analytics (logs, IDS, integrity checks).
- Network & traffic filtering: L7 sanity, IP reputation, network AV, etc.
- Identity assurance: IAM (PEP, PDP, PIP, PAP…?).
- Crypto as a Service: secret vaulting, tokenization API, etc.
- "Agile" self service: IGL, SDLC, Risk Management, BDD Security.
- INSERT ANY SECURITY SERVICE HERE -
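What "technical security checking" of a hardened instance can look like, as an added example that is not i4s's Technical Verification Service: a constructed sshd_config is parsed and compared against a policy baseline, and every deviation is reported with the value found. The baseline values and the `parse_sshd_config`/`check_policy` names are assumptions.

```python
# Added example (not i4s's Technical Verification Service): a minimal policy
# compliance check of the kind slide 21 calls "technical security checking".
# A constructed sshd_config is parsed and compared against an assumed baseline.
SSHD_CONFIG = """\
# constructed sample, not taken from a real host
Port 22
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding no
MaxAuthTries 6
"""  # note: no Ciphers line, so sshd would fall back to its defaults

# Policy baseline (assumption): directive -> (expected value, comparison).
POLICY = {
    "PermitRootLogin": ("no", "eq"),
    "PasswordAuthentication": ("no", "eq"),
    "X11Forwarding": ("no", "eq"),
    "MaxAuthTries": (4, "le"),
    "Ciphers": (None, "present"),  # an explicit cipher list must be set
}

def parse_sshd_config(text):
    """Return {directive: value}; the first occurrence wins, as in sshd."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        conf.setdefault(parts[0], parts[1].strip() if len(parts) > 1 else "")
    return conf

def check_policy(conf, policy=POLICY):
    """Return (directive, value found, expected) for every violated rule."""
    findings = []
    for key, (expected, op) in policy.items():
        found = conf.get(key)
        if op == "present":
            ok = found is not None
        elif found is None:
            ok = False  # missing directive: the sshd default may be weaker than policy
        elif op == "eq":
            ok = found.lower() == expected
        else:  # "le": numeric upper bound
            ok = found.isdigit() and int(found) <= expected
        if not ok:
            findings.append((key, found, expected if expected is not None else "set"))
    return findings
```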

Slide 22: Cloud Security Foundations

Figure: a positioning of security solutions by market adoption (from new security solutions to mass market) and strategic relevance (from commodity to strategic), used to decide between BUY, OSS and BUILD; examples placed on it: AV, BigData, AuthN.

Slide 23: Takeaways - Apply

- To secure the cloud, use the same technology the cloud is built upon (agile and DevOps are here to stay!), so embrace SecDevOps…the sooner, the better.
- Start thinking about your security patterns: you will need them to support massive deployments and achieve SECaaS (Security as a Service).
- Identify the points of security interaction within your business processes and automate them.
- Don’t be afraid of Open Source Software: it can be helpful in many ways…but don’t forget that internal security development has its use cases too.
- Digital Trust needs to be your long-term value; use it as your compass.
