@NTXISSA #NTXISSACSC3
Critical Criteria For (Cloud) Workload Security
Steve Armendariz
Enterprise Sales Director
CloudPassage
October 3, 2015
Does anyone remember when server security was EASY?
NTX ISSA Cyber Security Conference – October 2-3, 2015 2
Times have changed…!
Classic Data Center Architecture
Act 1 - Tenets of Traditional Server Security
• Servers in a trusted network
• Segmentation for added protection
• Anti-malware (virus) for all servers, added security capability for critical servers
• Security had time to plan, test & deploy for each new application
• Provisioned with plentiful overhead
Servers viewed as “investments”
Act 2 - Server Virtualization – A New Dawn
• Economic benefit to adoption
• Combatting data center sprawl
• Physical servers more powerful
• Pressure applied on Security to be:
  • Faster
  • More efficient
  • More accurate
• Traditional tools proved adequate
Virtualization Impacts Traditional Security
• Servers in a trusted network
• Segmentation for added protection (shared hardware = segmentation challenges)
• Anti-malware (virus) for all servers, added security products for critical servers (difficult given VM density, overhead impact and licensing)
• Security had time to test & deploy for each new application (policies and images became more powerful)
• Provision with plentiful overhead (at odds with VM density)
Act 3 - Server Workloads - The Next Wave
• Utility Computing
• Cloud servers, or “cloud server workloads”, in the data center, public cloud, private cloud or any combination
• These server workloads are:
  • On-demand, elastic and agile
  • Cloned, orchestrated and automated
  • Often short-lived
  • Can be “containers” (i.e. Docker)
  • Possibly never patched
  • Part of an overall movement of deploying and updating faster (DevOps)
Data Center Architecture Changes
[Diagram: data center and public cloud connected via the Internet, with on-server security layered by instance criticality]
• Non-critical server instances: Anti-Malware
• Semi-critical server instances: Anti-Malware, Vulnerability Scan
• Critical server instances: Anti-Malware, Vulnerability Scan, Config. Monitor, HIPS/HIDS, FIM
• Public cloud (some semi-critical server instances): Anti-Malware, Vulnerability Scan
Server Workloads Break Security
• Servers in a trusted network (Cloud viewed as non-trusted)
• Segmentation for added protection (shared hardware = segmentation challenges)
• Anti-malware (virus) for all servers, added security products for critical servers (difficult given VM density, overhead impact and licensing)
• Security had time to test & deploy for each new application (Security must move faster often with little lead time)
• Provision with plentiful overhead (at odds with VM density)
Servers viewed as “application building blocks”
Cloud VPC = Bringing The Trusted Network Back?
• Public Cloud servers only accessible from inside the data center’s trusted network
• Positioned by many cloud providers to resolve “Tenet #1”
  • “Servers in a trusted network…”
• Issues
  • Can be cost prohibitive
  • May impact performance
  • Does not mitigate security issues
Are Data Center Networks Really Secure?
Workload Security – The New Tenets
• Embrace the “Workload as an Application Building Block” philosophy
• Take advantage of automation and orchestration
• Small footprints matter
• Minimize staff overhead
• Total visibility
• Limit server communication
• Integrate versus manage stand-alone
The Basics Still Apply
• Use server (host) firewalls
• Reduce attack surface
• Manage East-West traffic
• Require multi-factor authentication for server logins
• Monitor configurations for “drift”
• Discover & address vulnerabilities
• Monitor system file integrity
• Monitor security logs
Radical Thought!!!!
Dump anti-malware (if you can)
Approaches to Workload Security
• Do it manually with multiple security tools
  • Too time consuming
  • Many consoles, difficult integration
• Use orchestration tools with multiple security tools
  • Many consoles, difficult integration
  • Set of security tools can consume more resources than what they’re protecting
• Use CloudPassage® Halo®
CloudPassage Halo: Instant Layered Security for Every Server Workload
• One tool providing 8 layers of visibility & enforcement
• Using less compute resources than a single-layer point product
• Highly automated; “set and forget” security
• Add to gold images, protects servers at instantiation
CloudPassage Halo
• A Security Orchestration Framework
  • Integrated and layered security
  • Automated into your workflow
• Visibility
  • See vulnerabilities, configuration errors, file integrity, access – no matter where the workload is
  • Apply controls – even quarantine workloads
• Compliance
  • Drive automation to audits
  • Continuous vs. point-in-time
CloudPassage Halo Architecture
Questions
The Collin College Engineering Department
Collin College Student Chapter of the North Texas ISSA
North Texas ISSA (Information Systems Security Association)
Thank you