Best Practices For Workload Security: Securing Servers in Modern Datacenter and Cloud

Sami Laine, Principal Technologist, CloudPassage
Aaron McKeown, Lead Security Architect, Xero

Upload: cloudpassage

Post on 09-Jan-2017



Transformation of Enterprise IT Delivery

Enables business agility, speed and efficiency

Private Cloud, SDDC | IT-as-a-Service | Public, Hybrid & Multicloud

Holger Schulze, Cloud Security Spotlight Report / April 2016

Transformation of Enterprise IT Delivery

Traditional IT Delivery (Data Center):

• Data center & perimeter orientation
• Total ownership, visibility & control
• Applications on dedicated hardware
• Hardware security appliances
• Everything “behind the firewall”
• Low rate of change

Agile IT Delivery (Data Center, SDDC or Private Cloud; Public, Hybrid or Multi-Cloud):

• Cloud orientation degrades perimeters
• Shared responsibility, less visibility & control
• Virtual, abstracted, transient workloads
• Workloads widely distributed
• Large, flat, shared networks
• High rate of change

Transformation of Enterprise IT Delivery

Performance data source: Geekbench (Primate Labs)

AWS EC2 c4.large: score 3,911, 36 nodes
Azure Standard A3: score 3,594, 39 nodes
Dell PowerEdge R930: score 141,129, 1 node

38x more environments to secure
38x more data points to monitor
38x more attackable surface area
38x more hours of effort

Assuming one update per day vs. one update per week, add 5x effort due to change risk management

Transformation of Enterprise IT Delivery

How long do your most transient workloads live? Weeks / Minutes / Hours

Transformation of Application Delivery

Figure: release timeline, January to December, across the phases analysis and design, coding and implementation, quality testing, staging and release. Traditional delivery produces one release (R1) in the year; agile delivery produces twelve (R1 to R12).

Modern Architecture and App Delivery Breaks Security

Diversity, Scale, Rate of change, Orchestration

Figure: Data Center, SDDC or Private Cloud vs. Public, Hybrid or Multi-Cloud; 36 nodes vs. 1 node.

Holger Schulze, Cloud Security Spotlight Report / April 2016

Traditional Security Is The Square Wheel

• Perimeter & network centric
• Hardware appliance oriented
• Heavy agent footprints
• Built for static IP addressing
• Not designed for automation
• Lacks comprehensive APIs


Agile IT delivery requires a new, agile security approach.

Re-align Security Delivery To IT Delivery

Agile IT Delivery:

• On-demand, self-service
• Automated, rapid expansion
• Measured or metered service
• Ubiquitous, convenient access
• Resource pooled grid
• Highly scalable
• Design-pattern based

Agile Security Delivery:

• On-demand, Security-as-a-Service
• Automated, rapid expansion
• Measured or metered service
• Ubiquitous, convenient access
• Resource pooled grid
• Highly scalable
• Design-pattern based

Traditional Security vs. Agile Security

Where Is Your Greatest Security Risk?

Stack layers, top to bottom:

User Administration
Application Code & Data
Application Framework
VM Guest OS
Virtualization Stack
Compute/Storage HW
Network Infrastructure
Physical Environment

Customer responsibility vs. provider responsibility, compared for Data Center, Colo and IaaS.

Risk ratings shown on the slide (one per layer): VERY LOW, VERY LOW, VERY LOW, VERY LOW, HIGH, HIGH, MEDIUM-HIGH, MEDIUM

Workload Security Priority (Gartner / March 2016), ordered from foundational to less critical:

Operations hygiene: no arbitrary code, admin privilege management, change management, no email or web client, log management, access control
Software vulnerability & configuration security management
Network segmentation and traffic visibility
Integrity monitoring & management
Application control / whitelisting
Exploit prevention / memory protection
Data-at-rest encryption
Behavioral detection
Vulnerability shielding
Deception
AV

Securing Servers in Modern Datacenter and Cloud

1. Workload centric

2. Policy driven

3. Automated and integrated with toolchains

4. Attack surface reduction focus

5. Context-aware and works anywhere

6. Security platforms with deep APIs

Figure: servers and containers in public clouds and in data centers & private clouds, integrated with infrastructure orchestration and SOC & GRC systems.

Aaron McKeown, Lead Security Architect

Cloud security at Xero

Beautiful cloud-based accounting software. Connecting people with the right numbers anytime, anywhere, on any device.

1,450+ staff globally
$474m raised in capital
$202m subscription revenue FY16
23m+ businesses have interacted on the Xero platform
$1tr incoming and outgoing transactions in past 12 months
450m incoming and outgoing transactions in past 12 months
All figures shown are in NZD

Figure: subscriber growth 2009 to 2016; 700,000+ subscribers globally

Public cloud migration

Improving data protection

Eliminating scheduled downtime

Maintaining and improving security

Support the next wave of growth

Reducing our cost to serve

Key challenges

Skills are scarce

Regional representation and recommendations

Application architecture has to change

Automation is key

Need to focus on visibility

Third party commercial models need to change

Key principles

Repeatable and automated build and management of security systems

Accelerated pace of security innovation

On-demand security infrastructure that works at any scale

Security as a service

VPN connectivity
Host Based Security
Web Application Security and Delivery
Shared Key Management Services
Security Operations and Consulting Services
Secure Bastion Access
Proxy Services

• Secure AWS with: password + MFA or access key + MFA
• Secure ALL systems with MFA
• Enable MFA enhanced features
• Use multiple MFA systems

Configuration Drift Management

• CloudTrail, Config and the AWS Console provide a lot of great information

• Can be hard to find the needle in the haystack…

• Use Netflix Security Monkey to provide a “Single Pane of Glass”
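The MFA and configuration drift slides above both come down to checks you can run over CloudTrail records. As an added example (not from the deck, and not Xero's or Security Monkey's code), the pass below flags successful console logins where MFAUsed is not Yes, and flags security-group and IAM changes as drift, marking ingress rules opened to 0.0.0.0/0 or ::/0. Event names and field paths are CloudTrail's own; the sample records, user names and group id are constructed.

```python
# Constructed sample CloudTrail records (not real log data); only the fields the
# checks read are populated, using CloudTrail's own field names.
SAMPLE_EVENTS = [
    {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "additionalEventData": {"MFAUsed": "Yes"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventName": "AuthorizeSecurityGroupIngress", "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": {"groupId": "sg-0000example", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
]

# API calls that change network exposure or IAM state; any of these made outside
# the approved deployment pipeline is configuration drift worth a ticket.
DRIFT_EVENTS = {"AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
                "RevokeSecurityGroupIngress", "CreateSecurityGroup",
                "PutUserPolicy", "AttachUserPolicy", "CreateAccessKey"}


def _user(ev):
    return ev.get("userIdentity", {}).get("userName", "<unknown>")


def logins_without_mfa(events):
    """Return user names of successful console logins that did not use MFA."""
    return [_user(ev) for ev in events
            if ev.get("eventName") == "ConsoleLogin"
            and ev.get("responseElements", {}).get("ConsoleLogin") == "Success"
            and ev.get("additionalEventData", {}).get("MFAUsed") != "Yes"]


def drift_findings(events):
    """Return (eventName, userName, opens_to_world) for each drift-class call."""
    findings = []
    for ev in events:
        name = ev.get("eventName")
        if name not in DRIFT_EVENTS:
            continue
        perms = ev.get("requestParameters", {}).get("ipPermissions", {}).get("items", [])
        cidrs = [r.get("cidrIp") for p in perms for r in p.get("ipRanges", {}).get("items", [])]
        cidrs += [r.get("cidrIpv6") for p in perms for r in p.get("ipv6Ranges", {}).get("items", [])]
        # 0.0.0.0/0 or ::/0 on an ingress rule exposes the port to the whole internet
        findings.append((name, _user(ev), any(c in ("0.0.0.0/0", "::/0") for c in cidrs)))
    return findings
```

On the sample data this reports bob as the login without MFA and his AuthorizeSecurityGroupIngress call as world-open drift; feed it the Records array of a real CloudTrail log file to run it on live data.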

Host Security Automation

• Monitor, Detect and Defend at the Host level
• Elasticity and Automation are key
• Integrate, visibility is important
• Use “Defence in Depth” model, protect every layer
• Use an agile approach from deployment through to operations

Key learnings

Measure and Test, Monitor Everything

Welcome to the cloud - "Where's my span port?"

Security by Design - What's that?

Communication is Key - Who are your spokespeople?

Final takeaways

Repeatable and automated build and management of security systems

Accelerated pace of security innovation

On-demand security infrastructure that works at any scale

Beautiful accounting software

www.xero.com