best practices for workload security: securing servers in modern data center and cloud
TRANSCRIPT
Best Practices for Workload Security: Securing Servers in Modern Datacenter and Cloud
Sami Laine, Principal Technologist, CloudPassage
Aaron McKeown, Lead Security Architect, Xero
Transformation of Enterprise IT Delivery
Enables business agility, speed and efficiency
Progression from Traditional IT Delivery to Agile IT Delivery:
Data Center -> Data Center, SDDC or Private Cloud -> IT-as-a-Service -> Public, Hybrid or Multi-Cloud
Transformation of Enterprise IT Delivery

Traditional IT Delivery (Data Center):
• Data center & perimeter orientation
• Total ownership, visibility & control
• Applications on dedicated hardware
• Hardware security appliances
• Everything "behind the firewall"
• Low rate of change

Agile IT Delivery (SDDC, Private, Public, Hybrid or Multi-Cloud):
• Cloud orientation degrades perimeters
• Shared responsibility, less visibility & control
• Virtual, abstracted, transient workloads
• Workloads widely distributed
• Large, flat, shared networks
• High rate of change
Performance data source: Geekbench (Primate Labs)

System                  Geekbench score   Nodes needed to match the R930
AWS EC2 c4.large        3,911             36
Azure Standard A3       3,594             39
Dell PowerEdge R930     141,129           1
Transformation of Enterprise IT Delivery
Replacing one Dell PowerEdge R930 node with 36 AWS EC2 c4.large or 39 Azure Standard A3 nodes means roughly:
• 38x more environments to secure
• 38x more data points to monitor
• 38x more attackable surface area
• 38x more hours of effort
Assuming one update per day vs. one update per week, add 5x effort due to change risk management.
Transformation of Enterprise IT Delivery
How long do your most transient workloads live? Weeks, hours, or minutes?

Transformation of Application Delivery
[Figure: two release timelines over one calendar year (J F M A M J J A S O N D). Traditional delivery runs analysis and design, coding and implementation, quality testing, and staging and release once in sequence and ships a single release, R1. Agile delivery cycles through the same phases continuously and ships twelve releases, R1 through R12, roughly one per month.]
Modern Architecture and App Delivery Breaks Security
Diversity, scale, rate of change, orchestration: data center, SDDC or private cloud alongside public, hybrid or multi-cloud, and 36 nodes where there used to be 1.
Traditional Security Is The Square Wheel
• Perimeter & network centric
• Hardware appliance oriented
• Heavy agent footprints
• Built for static IP addressing
• Not designed for automation
• Lacks comprehensive APIs
©2016 CloudPassage Confidential
Agile IT delivery requires a new, agile security approach.

Re-align Security Delivery To IT Delivery

Agile IT Delivery:
• On-demand, self-service
• Automated, rapid expansion
• Measured or metered service
• Ubiquitous, convenient access
• Resource pooled grid
• Highly scalable
• Design-pattern based

Agile Security Delivery:
• On-demand, Security-as-a-Service
• Automated, rapid expansion
• Measured or metered service
• Ubiquitous, convenient access
• Resource pooled grid
• Highly scalable
• Design-pattern based
Where Is Your Greatest Security Risk?

Stack layers, top to bottom, with the risk rating shown on the slide:
User Administration ........ MEDIUM
Application Code & Data .... MEDIUM-HIGH
Application Framework ...... HIGH
VM Guest OS ................ HIGH
Virtualization Stack ....... VERY LOW
Compute/Storage HW ......... VERY LOW
Network Infrastructure ..... VERY LOW
Physical Environment ....... VERY LOW

The slide charts each layer as customer responsibility or provider responsibility across three models: Data Center, Colo and IaaS. Moving from Data Center to Colo to IaaS hands the lower layers to the provider, but the VM guest OS and everything above it (the layers rated HIGH and above) remain the customer's responsibility in all three.
Workload Security Priority (Gartner, March 2016)

Controls ordered from FOUNDATIONAL (bottom of the hierarchy) to LESS CRITICAL (top):
1. Operations hygiene: no arbitrary code, admin privilege management, change management, no email or web client on the server, log management, access control
2. Software vulnerability & configuration security management
3. Network segmentation and traffic visibility
4. Integrity monitoring & management
5. Application control / whitelisting
6. Exploit prevention / memory protection
7. Data-at-rest encryption
8. Behavioral detection
9. Vulnerability shielding
10. Deception
11. AV
Securing Servers in Modern Datacenter and Cloud
1. Workload centric
2. Policy driven
3. Automated and integrated with toolchains
4. Attack surface reduction focus
5. Context-aware and works anywhere
6. Security platforms with deep APIs

[Figure: one security platform covering servers and containers in public clouds and in data centers & private clouds, integrated with infrastructure orchestration on one side and SOC & GRC systems on the other.]
Xero: Beautiful cloud-based accounting software. Connecting people with the right numbers anytime, anywhere, on any device.
• 1,450+ staff globally
• $474m raised in capital
• $202m subscription revenue FY16
• 23m+ businesses have interacted on the Xero platform
• $1tr in incoming and outgoing transactions in the past 12 months
• 450m incoming and outgoing transactions in the past 12 months
All figures shown are in NZD.
Public cloud migration
• Improving data protection
• Eliminating scheduled downtime
• Maintaining and improving security
• Support the next wave of growth
• Reducing our cost to serve

Key challenges
• Skills are scarce
• Regional representation and recommendations
• Application architecture has to change
• Automation is key
• Need to focus on visibility
• Third party commercial models need to change

Key principles
• Repeatable and automated build and management of security systems
• Accelerated pace of security innovation
• On-demand security infrastructure that works at any scale

Security as a service
[Figure: the security service catalogue, made up of VPN connectivity, host based security, web application security and delivery, shared key management services, security operations and consulting services, secure bastion access, and proxy services.]
Multi-Factor Authentication
• Secure AWS with password + MFA or access key + MFA
• Secure ALL systems with MFA
• Enable MFA enhanced features
• Use multiple MFA systems
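The first bullet, "password + MFA or access key + MFA", hides a detail that bites when you enforce it with an IAM policy. The block below is an added example and is not from the slides, CloudPassage or Xero: a small Python model of IAM policy evaluation, limited to Allow/Deny effects, Action/NotAction matching and the Bool and BoolIfExists condition operators, applied to the AWS-documented pattern of denying everything except the MFA bootstrap actions when aws:MultiFactorAuthPresent is not true. The policy and the request contexts are constructed; AWS's real evaluation engine is not involved. What it shows is the caveat a practitioner needs: a request signed with long-term access keys and no MFA carries no aws:MultiFactorAuthPresent key at all, so a plain Bool condition never matches and the Deny never fires; BoolIfExists treats the missing key as a match and closes the gap.

```python
"""Model of IAM evaluation for an MFA-enforcing policy (added example).

Implements only the subset needed here: Allow/Deny effects, Action/NotAction
matching, and the Bool / BoolIfExists condition operators. Resources,
principals, SCPs and wildcard patterns other than "*" are deliberately absent.
"""

# Actions a user must still be able to call without MFA to enrol a device and
# obtain an MFA-backed session. Follows the AWS-documented "manage your own
# MFA device" pattern; the list is trimmed to what the example needs.
MFA_BOOTSTRAP_ACTIONS = [
    "iam:CreateVirtualMFADevice",
    "iam:EnableMFADevice",
    "iam:ListMFADevices",
    "iam:ListVirtualMFADevices",
    "sts:GetSessionToken",
]


def mfa_policy(operator: str) -> dict:
    """Allow everything, then deny all but MFA bootstrap when MFA is not
    present. `operator` is "Bool" (the weak form) or "BoolIfExists"."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "AllowAll", "Effect": "Allow", "Action": "*", "Resource": "*"},
            {
                "Sid": "DenyWithoutMFA",
                "Effect": "Deny",
                "NotAction": MFA_BOOTSTRAP_ACTIONS,
                "Resource": "*",
                "Condition": {operator: {"aws:MultiFactorAuthPresent": "false"}},
            },
        ],
    }


# Constructed request contexts; only the key the condition looks at is modelled.
# The third case is the important one: long-term access keys without MFA put
# no aws:MultiFactorAuthPresent key into the request context at all.
PASSWORD_WITH_MFA = {"aws:MultiFactorAuthPresent": "true"}
PASSWORD_NO_MFA = {"aws:MultiFactorAuthPresent": "false"}
ACCESS_KEY_NO_MFA = {}
ACCESS_KEY_MFA_SESSION = {"aws:MultiFactorAuthPresent": "true"}  # temp creds via GetSessionToken + MFA


def _action_matches(stmt: dict, action: str) -> bool:
    if "Action" in stmt:
        acts = stmt["Action"]
        acts = [acts] if isinstance(acts, str) else acts
        return any(a == "*" or a == action for a in acts)
    not_acts = stmt["NotAction"]
    not_acts = [not_acts] if isinstance(not_acts, str) else not_acts
    return action not in not_acts


def _condition_matches(cond: dict, ctx: dict) -> bool:
    """True when every (operator, key, value) in the condition block is satisfied."""
    for operator, pairs in cond.items():
        for key, want in pairs.items():
            if key not in ctx:
                if operator == "BoolIfExists":
                    continue        # absent key satisfies an ...IfExists operator
                return False        # absent key fails a plain Bool test
            if str(ctx[key]).lower() != str(want).lower():
                return False
    return True


def evaluate(policy: dict, action: str, ctx: dict) -> str:
    """Return "Allow" or "Deny": implicit deny by default, Allow if any Allow
    statement matches, and any matching explicit Deny overrides everything."""
    decision = "Deny"
    for stmt in policy["Statement"]:
        if not _action_matches(stmt, action):
            continue
        if not _condition_matches(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def compare_operators(action: str = "ec2:TerminateInstances") -> dict:
    """Decision for each constructed request context under both policy variants."""
    contexts = {
        "password+mfa": PASSWORD_WITH_MFA,
        "password,no mfa": PASSWORD_NO_MFA,
        "access key,no mfa": ACCESS_KEY_NO_MFA,
        "access key+mfa session": ACCESS_KEY_MFA_SESSION,
    }
    return {
        op: {name: evaluate(mfa_policy(op), action, ctx) for name, ctx in contexts.items()}
        for op in ("Bool", "BoolIfExists")
    }


if __name__ == "__main__":
    for op, results in compare_operators().items():
        print(op, results)
```

Under the Bool variant the access-key-without-MFA request is allowed to terminate instances; under BoolIfExists it is denied, while sts:GetSessionToken stays allowed so the user can still obtain an MFA-backed session and carry on.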
Configuration Drift Management
• CloudTrail, Config and the AWS Console provide a lot of great information
• It can be hard to find the needle in the haystack...
• Use Netflix Security Monkey to provide a "Single Pane of Glass"
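Finding the needle means writing down what a dangerous change looks like and running that over the trail. The block below is an added example and is not from the slides, Xero or Security Monkey: three detection rules applied to a handful of constructed records shaped like CloudTrail events. The event names and the requestParameters nesting follow CloudTrail's layout for these API calls; the account ID, ARNs, group ID and timestamps are invented. It flags a security group opened to the world, CloudTrail logging being stopped, and an IAM user being given AdministratorAccess, and ignores the read-only noise.

```python
"""Drift rules over CloudTrail-shaped records (added example; constructed data)."""

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}

# Constructed records. Field names and nesting follow CloudTrail's layout for
# these API calls; identifiers, ARNs and times are invented.
SAMPLE_TRAIL = [
    {
        "eventTime": "2016-08-01T10:00:00Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "AuthorizeSecurityGroupIngress",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
        "requestParameters": {
            "groupId": "sg-0a1b2c3d",
            "ipPermissions": {"items": [
                {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                 "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}},
            ]},
        },
    },
    {   # same group, but ingress from an internal range: benign
        "eventTime": "2016-08-01T10:05:00Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "AuthorizeSecurityGroupIngress",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
        "requestParameters": {
            "groupId": "sg-0a1b2c3d",
            "ipPermissions": {"items": [
                {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
                 "ipRanges": {"items": [{"cidrIp": "10.0.0.0/8"}]}},
            ]},
        },
    },
    {
        "eventTime": "2016-08-01T11:00:00Z",
        "eventSource": "cloudtrail.amazonaws.com",
        "eventName": "StopLogging",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob"},
        "requestParameters": {"name": "arn:aws:cloudtrail:us-east-1:123456789012:trail/main"},
    },
    {
        "eventTime": "2016-08-01T11:02:00Z",
        "eventSource": "iam.amazonaws.com",
        "eventName": "AttachUserPolicy",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob"},
        "requestParameters": {"userName": "bob",
                              "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"},
    },
    {   # read-only call: noise
        "eventTime": "2016-08-01T11:03:00Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "DescribeInstances",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob"},
        "requestParameters": {},
    },
]


def world_open_ingress(params: dict) -> list:
    """Return (protocol, fromPort, toPort, cidr) for every rule open to 0.0.0.0/0 or ::/0."""
    hits = []
    for perm in params.get("ipPermissions", {}).get("items", []):
        ranges = (perm.get("ipRanges", {}).get("items", [])
                  + perm.get("ipv6Ranges", {}).get("items", []))
        for r in ranges:
            cidr = r.get("cidrIp") or r.get("cidrIpv6")
            if cidr in WORLD_CIDRS:
                hits.append((perm.get("ipProtocol"), perm.get("fromPort"), perm.get("toPort"), cidr))
    return hits


def find_drift(records: list) -> list:
    """Apply the rules to each record and return a list of finding dicts."""
    findings = []
    for rec in records:
        name = rec.get("eventName")
        params = rec.get("requestParameters") or {}
        actor = rec.get("userIdentity", {}).get("arn")
        time = rec.get("eventTime")
        if name == "AuthorizeSecurityGroupIngress":
            for proto, lo, hi, cidr in world_open_ingress(params):
                findings.append({"rule": "sg-world-open", "actor": actor, "time": time,
                                 "detail": f"{params.get('groupId')} {proto}/{lo}-{hi} from {cidr}"})
        elif name in ("StopLogging", "DeleteTrail", "UpdateTrail"):
            findings.append({"rule": "cloudtrail-tampering", "actor": actor, "time": time,
                             "detail": f"{name} on {params.get('name')}"})
        elif name in ("AttachUserPolicy", "AttachRolePolicy", "AttachGroupPolicy"):
            arn = params.get("policyArn", "")
            target = params.get("userName") or params.get("roleName") or params.get("groupName")
            if arn.endswith("policy/AdministratorAccess"):
                findings.append({"rule": "admin-policy-attached", "actor": actor, "time": time,
                                 "detail": f"{name} {arn} -> {target}"})
    return findings


if __name__ == "__main__":
    for f in find_drift(SAMPLE_TRAIL):
        print(f["time"], f["rule"], f["actor"], f["detail"])
```

CloudTrail records the change as it happens; AWS Config and Security Monkey see the resulting state, so a rule like sg-world-open is worth running in both places: the trail tells you who did it and when, the state view catches groups that were already open before logging began.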
Host Security Automation
• Monitor, detect and defend at the host level
• Elasticity and automation are key
• Integrate; visibility is important
• Use a "Defence in Depth" model: protect every layer
• Use an agile approach from deployment through to operations
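Integrity monitoring is one of the foundational controls in the Gartner hierarchy earlier in the deck and is the kind of host-level "monitor and detect" this slide calls for. The block below is an added example and is not from the slides, CloudPassage or Xero: a minimal file integrity monitor in Python that baselines a directory tree (SHA-256, size and permission bits per regular file) and diffs a later snapshot against it, reporting added, removed and modified paths. The demo builds a throwaway tree in a temporary directory and tampers with it, so every path and file content is constructed. One caveat for real use: the baseline has to live somewhere the host cannot rewrite, or be produced from the golden image by the build pipeline, otherwise an attacker who owns the host simply re-baselines.

```python
"""Minimal file integrity monitor (added example; constructed sample tree)."""
import hashlib
import os
import stat
import tempfile


def _sha256(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> dict:
    """Map each regular file ('/'-separated relative path) to (sha256, size, mode bits)."""
    entries = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()                      # deterministic traversal order
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue                     # skip symlinks, sockets, devices
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            entries[rel] = (_sha256(full), st.st_size, stat.S_IMODE(st.st_mode))
    return entries


def diff(baseline: dict, current: dict) -> dict:
    """Classify paths as added, removed or modified (content, size or mode)."""
    both = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in both if baseline[p] != current[p]),
    }


def _write(path: str, text: str, mode: int = 0o644) -> None:
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)
    os.chmod(path, mode)


def demo() -> dict:
    """Baseline a constructed tree, tamper with it, and return the diff."""
    with tempfile.TemporaryDirectory() as root:
        _write(os.path.join(root, "etc", "ssh", "sshd_config"), "PermitRootLogin no\n")
        _write(os.path.join(root, "etc", "hosts"), "127.0.0.1 localhost\n")
        _write(os.path.join(root, "usr", "bin", "app"), "#!/bin/sh\necho app\n", 0o755)
        baseline = snapshot(root)

        # Simulated tampering: sshd config weakened, cron persistence added,
        # hosts made world-writable (mode-only change), app binary removed.
        _write(os.path.join(root, "etc", "ssh", "sshd_config"), "PermitRootLogin yes\n")
        _write(os.path.join(root, "etc", "cron.d", "persist"), "* * * * * root /tmp/x\n")
        os.chmod(os.path.join(root, "etc", "hosts"), 0o666)
        os.remove(os.path.join(root, "usr", "bin", "app"))

        return diff(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

On an elastic fleet the baseline comes from the image the instances were launched from, not from the running instance, and the diff is shipped off-host with the rest of the logs so the evidence survives the instance being terminated.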
Key learnings
• Measure and test; monitor everything
• Welcome to the cloud: "Where's my span port?"
• Security by design: what's that?
• Communication is key: who are your spokespeople?
Final takeaways
• Repeatable and automated build and management of security systems
• Accelerated pace of security innovation
• On-demand security infrastructure that works at any scale