Security as a Service in a Financial Institution: Reality or Chimera?
Session ID: ASD-F01
#RSAC

Iñigo Merchán, Security Architect, BBVA (@achemerchan)
Javier Losa, Cybersecurity Product Engineering, Innovation 4 Security – BBVA Group (@sealth)
i4s – Our security product leverage

i4s is a BBVA Group Company that creates cybersecurity products to support the Digital Transformation.
We promote innovation and teamwork.
Our teams are small to avoid fragmentation.
We are flexible and agile.
We provide solutions to needs not covered by the market.
Banks must adapt to the new landscape

We are living a digital revolution that affects society as a whole (transportation, healthcare, entertainment, etc.), and Financial Services are not an exception. Banks are part of the digital revolution now because clients expect them to be.
New ecosystem, new rules

Huge changes for the industry: new customer needs, new industry players, new technologies.

Key success factors:
1. Deliver & adapt fast
2. Client & customer satisfaction
3. Better performance
4. Lower costs

Source: Versionone
The new way of working
In order to meet the new paradigm, we need a different approach for security and the Digital Transformation (cloud, agile & full automation):
20+ Scrum teams
Public, Private and Hybrid Clouds
Security as a core for Knowledge Banking
SecDevOps is part of our culture now
SDx (Software Defined Everything)
How security in waterfall is addressed

Waterfall phases: Requirements, Design, Development, Verification, Maintenance.
Security activities layered onto those phases: Security Requirements, Risk Assessment, Code Review, Penetration Testing, Security Vulnerabilities.
Datacenter vs. Cloud

Traditional IT Datacenter   | Public/Hybrid/Private Cloud
----------------------------|----------------------------
Siloed infrastructure       | Converged infrastructure
Little automation           | Full automation
Legacy IT                   | Resource pooling
Rigid                       | Agile & flexible
High maintenance            | Low maintenance
Separate teams              | Cloud operation team
Hierarchical approvals      | Self service
"Hand-made"                 | Automated & repeatable
Long time to deploy         | Automated deployments

Source: Wikipedia; MVM
How Chimera was born…

Mar 2013: Innovation 4 Security is born to leverage the security knowledge of its professionals in order to support the Digital Transformation.
Mar 2014: « Agile Security Model » is designed as a process to be more agile in the SDLC (Software Development Life Cycle).
Jun 2014: « Cloud Security Foundation » is defined as a group of basic security services needed to protect the IaaS.
Sep 2014: Chimera is born as an i4s platform: from SDLC security, to deployment of security architectures, to use of security products in production.
Jun 2015: First services in production, focusing on automatically deploying reverse proxies and Technical Verification services, and on hardening instances.
SECaaS (Security as a Service)

[Diagram: the SECaaS flow. A New Project enters the Agile Board and then goes through Deploy / Provisioning, backed by a Security API and a set of additional security services.]

Agile Board:
    BDD Security User Stories
    Security Product Owner
    Model Driven Security Patterns
    IGL Automatic Code Review
Deploy / Provisioning:
    Deploy
    Provisioning
Security API
Additional Security Services:
    Hardening Service
    Technical Verification Service
    AuthN and AuthZ Service
    Cloud Security Set Up Service
    Encryption Service
Platform Management: Security Team
Agile Board – Security Patterns

Model Driven Security: build security patterns to automatically apply security to new projects.

[Diagram: example application laid out across zones. Zones: User Environment, Internet, BBVA Bastion, BBVA DC, Outsourced Private Cloud (with its own Bastion). Components: Hello World, SPP, Transactions repository, PoS Data, ELARA Services. Legend: Customer, Secured data, Plain data, Secure channel, Plain channel, Transport Data, Bastion, Unknown Management, Outsourced Management.]
Agile Board – Security Patterns

[Diagram: the same zones (User environment, Internet, BBVA Bastion, BBVA DC, Outsourced Private Cloud with Bastion), components (Hello World, SPP, Transactions Repository, PoS Data, ELARA Services) and legend as on the previous slide, now with FW, REV. PROXY, a POLICY REPO and a LOG SERVER placed across the zones.]

Source: Roberto Ortiz (BBVA). A methodology to build secure information systems based on patterns
Agile Board – Security with BDD

Behaviour Driven Development: automate security acceptance tests and establish a common set of user stories depending on the project and its architecture.

Source: Wakaleo
Agile Board – IGL

[Diagram: IGL pipeline. Code Repository (software, infrastructure and security) → Build and Unit Testing → Code Review Engine → Penetration Testing → Deployment & Configuration → Dev / Prod Environment. Gates along the pipeline: Recipe Syntax OK, Security Tests Pass (including BDD), Verify.]
Deploy & Provisioning: IaaC

[Diagram: a Cloud Orchestration/Management Platform in front of a hybrid cloud made up of a public cloud and a private cloud.]
Deploy & Provisioning: CMT

[Diagram: Configuration Management Tools (agnostic) reach a new server from IaaS; Access & Audit is shown alongside.]
Cloud Security Foundations

Technical security checking: Do the deployed services comply with the defined policies and regulations?
Hardening services: security configuration and basic security components installation.
Security events collection & analytics (Logs, IDS, integrity checks).
Network & traffic filtering: L7 sanity, IP reputation, network AV, etc.
Identity assurance: IAM (PEP, PDP, PIP, PAP…?).
Crypto as a Service: Secret vaulting, tokenization API, etc.
“Agile” self service: IGL, SDLC, Risk Management, BDD Security.
- INSERT ANY SECURITY SERVICE HERE -
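As an added example (not code from the talk or from i4s) of how the "BDD Security User Stories" from the Agile Board slide and the Technical Verification / Hardening services listed here can meet in practice: a minimal Python runner that executes a Gherkin-style hardening story against a collected sshd_config, so the same user story that the team agreed on can act as the deployment gate. The step patterns, the sample story and the sample config are all constructed for this example.

```python
import re
# Constructed sample sshd_config from a freshly provisioned instance (not from the talk).
SAMPLE_SSHD_CONFIG = """# hypothetical instance config
X11Forwarding no
PermitRootLogin no
PasswordAuthentication yes
PasswordAuthentication no
"""
# Constructed BDD security user story (Gherkin style) for the hardening service.
SAMPLE_SCENARIO = """Scenario: SSH hardening on a new instance
  Given the sshd configuration of the deployed instance
  Then "PermitRootLogin" must be "no"
  And "PasswordAuthentication" must be "no"
  And "X11Forwarding" must be "no"
"""

def parse_sshd_config(text):
    """Effective keyword map; sshd honours the first occurrence of a keyword."""
    config = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")      # whitespace-separated "Key Value"
            config.setdefault(key, value.strip())    # later duplicates are ignored
    return config

def step_given_config(ctx):                 # "Given ..." step: parse the collected config
    ctx["config"] = parse_sshd_config(ctx["raw"])
    return True
def step_must_equal(ctx, key, expected):    # "Then/And ... must be ..." step
    return ctx.get("config", {}).get(key) == expected

# Step definitions: regex over a story line -> handler(ctx, *groups) -> bool
STEPS = [
    (re.compile(r"^Given the sshd configuration of the deployed instance$"), step_given_config),
    (re.compile(r'^(?:Then|And) "(\w+)" must be "([^"]*)"$'), step_must_equal),
]

def run_scenario(scenario, raw_config):
    """Run each step in order; returns [(step_text, passed)]. An unmatched step
    fails, so a typo in a user story can never silently pass the gate."""
    ctx, results = {"raw": raw_config}, []
    for line in scenario.splitlines()[1:]:  # skip the "Scenario:" title line
        line = line.strip()
        hit = next(((h, p.match(line)) for p, h in STEPS if p.match(line)), None)
        results.append((line, hit[0](ctx, *hit[1].groups()) if hit else False))
    return results

def scenario_passes(scenario, raw_config):  # deployment gate: every step must pass
    return all(ok for _, ok in run_scenario(scenario, raw_config))
```

With the sample config the story fails on PasswordAuthentication, because sshd takes the first occurrence ("yes") and ignores the later "no"; a verification service that did not model that rule would report the instance as hardened when it is not.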
Cloud Security Foundations

[Diagram: a chart placing security solutions by MARKET ADOPTION (from New Security Solutions to Mass Market) and STRATEGIC RELEVANCE (from Commodity to Strategic), with AV, BigData and AuthN as example positions. Security Solution = BUY / OSS / BUILD.]
Takeaways – Apply

To secure the cloud, use the same technology the cloud is built upon (agile and DevOps are here to stay!), so embrace SecDevOps…the sooner, the better.
Start thinking about your security patterns, you will need them to support massive deployments and achieve SECaaS (Security as a Service).
Identify points of security interaction within your business processes and automate them.
Don’t be afraid of Open Source Software: it can be helpful in many ways…but don’t forget internal security development can have its use cases.
Digital Trust needs to be your long term value, use it as your compass.