ntxissacsc3 - critical criteria for (cloud) workload security by steve armendariz


@NTXISSA #NTXISSACSC3

Critical Criteria For (Cloud) Workload Security

Steve Armendariz

Enterprise Sales Director

CloudPassage

October 3, 2015


Does anyone remember when server security was EASY?

NTX ISSA Cyber Security Conference – October 2-3, 2015


Times have changed…!


Classic Data Center Architecture


Act 1 - Tenets of Traditional Server Security

• Servers in a trusted network

• Segmentation for added protection

• Anti-malware (virus) for all servers, added security capability for critical servers

• Security had time to plan, test & deploy for each new application

• Provisioned with plentiful overhead

Servers viewed as “investments”


Act 2 - Server Virtualization – A New Dawn

• Economic benefit to adoption

• Combatting data center sprawl

• Physical servers more powerful

• Pressure applied on Security to be:

• Faster

• More efficient

• More accurate

• Traditional tools proved adequate


Virtualization Impacts Traditional Security

• Servers in a trusted network

• Segmentation for added protection (shared hardware = segmentation challenges)

• Anti-malware (virus) for all servers, added security products for critical servers (difficult given VM density, overhead impact and licensing)

• Security had time to test & deploy for each new application (policies and images became more powerful)

• Provision with plentiful overhead (at odds with VM density)


Act 3 - Server Workloads - The Next Wave

• Utility Computing

• Cloud servers or “cloud server workloads” in the data center, public cloud, private cloud or any combination

• These server workloads are:

• On-demand, Elastic and Agile

• Cloned, Orchestrated and Automated

• Often short-lived

• Can be “containers” (i.e. Docker)

• Possibly never patched

• Part of an overall movement of deploying and updating faster (DevOps)


Data Center Architecture Changes

[Diagram: Internet, data center and public cloud, with on-server security tiered by instance criticality]

• Non-critical server instances: anti-malware

• Semi-critical server instances: anti-malware, vulnerability scan

• Critical server instances: anti-malware, vulnerability scan, configuration monitoring, HIPS/HIDS, FIM

• Some semi-critical server instances in the public cloud: anti-malware, vulnerability scan


Server Workloads Break Security

• Servers in a trusted network (Cloud viewed as non-trusted)

• Segmentation for added protection (shared hardware = segmentation challenges)

• Anti-malware (virus) for all servers, added security products for critical servers (difficult given VM density, overhead impact and licensing)

• Security had time to test & deploy for each new application (Security must move faster often with little lead time)

• Provision with plentiful overhead (at odds with VM density)


Servers viewed as “application building blocks”


Cloud VPC = Bringing The Trusted Network Back?

• Public Cloud servers only accessible from inside the data center’s trusted network

• Positioned by many cloud providers to resolve “Tenet #1”

• “Servers in a trusted network…”

• Issues

• Can be cost prohibitive

• May impact performance

• Does not mitigate security issues


Are Data Center Networks Really Secure?


Workload Security – The New Tenets

• Embrace the “Workload as an Application Building Block” philosophy

• Take advantage of automation and orchestration

• Small footprints matter

• Minimize staff overhead

• Total visibility

• Limit server communication

• Integrate versus manage stand-alone

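One concrete way to apply the “Limit server communication” tenet, as an added example that is not part of the original deck and not CloudPassage code: each workload role declares the only inbound flows it accepts, and that allow-list is validated and rendered into a default-deny host firewall (iptables INPUT chain). The policy layout, the role names, the CIDRs and the INTERNET_OK_PORTS set are assumptions made up for this illustration.

```python
"""Render a default-deny host firewall from a per-role east-west allow-list.

Added example, not from the CloudPassage deck. The policy layout, the role
names, the CIDRs and INTERNET_OK_PORTS are assumptions for illustration.
"""
import ipaddress

# Constructed sample policy: each role lists the only inbound flows it accepts.
POLICY = {
    "web": [
        {"src": "0.0.0.0/0", "proto": "tcp", "port": 443},
        {"src": "10.0.1.0/24", "proto": "tcp", "port": 22},  # assumed bastion subnet
    ],
    "db": [
        {"src": "10.0.2.0/24", "proto": "tcp", "port": 5432},  # assumed web tier
        {"src": "10.0.1.0/24", "proto": "tcp", "port": 22},
    ],
}

# Only these ports may face the whole internet; any other world-open rule is
# treated as a policy error rather than silently rendered.
INTERNET_OK_PORTS = {80, 443}


def validate(role, rules):
    """Return a list of policy violations; an empty list means the policy is sound."""
    problems = []
    for r in rules:
        try:
            net = ipaddress.ip_network(r["src"], strict=False)
        except ValueError:
            problems.append(f"{role}: bad source {r['src']}")
            continue
        if r["proto"] not in ("tcp", "udp"):
            problems.append(f"{role}: unsupported proto {r['proto']}")
        if not 1 <= int(r["port"]) <= 65535:
            problems.append(f"{role}: bad port {r['port']}")
        # East-west rules must be scoped to a subnet; a world-open rule is
        # only acceptable on the explicitly listed public ports.
        if net.prefixlen == 0 and r["port"] not in INTERNET_OK_PORTS:
            problems.append(f"{role}: port {r['port']} open to {r['src']}")
    return problems


def render_rules(role, rules):
    """Return the iptables commands for an INPUT chain that accepts only `rules`."""
    problems = validate(role, rules)
    if problems:
        raise ValueError("; ".join(problems))
    cmds = [
        "iptables -F INPUT",
        "iptables -A INPUT -i lo -j ACCEPT",
        # Keep existing sessions (including the one applying this) alive.
        "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for r in rules:
        cmds.append(
            f"iptables -A INPUT -s {r['src']} -p {r['proto']} --dport {r['port']} "
            "-m conntrack --ctstate NEW -j ACCEPT"
        )
    # Log what falls through, then flip the default policy to DROP last so the
    # allow rules are already in place when the deny takes effect.
    cmds.append(f'iptables -A INPUT -j LOG --log-prefix "{role}-drop: "')
    cmds.append("iptables -P INPUT DROP")
    return cmds


if __name__ == "__main__":
    for role, rules in POLICY.items():
        print(f"# role: {role}")
        print("\n".join(render_rules(role, rules)))
```

The ordering is deliberate: the ESTABLISHED,RELATED rule and the allow rules go in before the policy flips to DROP, so applying the ruleset over SSH does not cut off the session doing it. A rule that would open a non-web port to 0.0.0.0/0 is rejected at validation time instead of being rendered, which is the check that keeps “East-West” traffic scoped to named subnets.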

The Basics Still Apply

• Use server (host) firewalls

• Reduce attack surface

• Manage East-West traffic

• Require multi-factor authentication for server logins

• Monitor configurations for “drift”

• Discover & address vulnerabilities

• Monitor system file integrity

• Monitor security logs

Radical thought: dump anti-malware (if you can)
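The “Monitor configurations for drift” and “Monitor system file integrity” basics above amount to the same loop: take a baseline, re-measure, and report what differs. The following is an added example that is not part of the original deck and not CloudPassage Halo code; it builds a throwaway file tree, baselines it with SHA-256 plus mode and size, simulates tampering, and reports added, removed and changed files together with sshd settings that have drifted from an expected hardening. The paths, the sample files and the EXPECTED_SSHD values are constructed for this illustration.

```python
"""Baseline-and-compare file integrity and config drift checks.

Added example, not from the deck or from CloudPassage Halo. The paths, the
sample files and EXPECTED_SSHD are constructed for illustration.
"""
import hashlib
import os
import stat
import tempfile


def snapshot(root):
    """Map each regular file under root to (sha256, mode, size)."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, sockets, device nodes
            h = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            rel = os.path.relpath(path, root)
            result[rel] = (h.hexdigest(), stat.S_IMODE(st.st_mode), st.st_size)
    return result


def diff_snapshots(baseline, current):
    """Return {'added': [...], 'removed': [...], 'changed': [...]} (sorted paths)."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return {"added": added, "removed": removed, "changed": changed}


def parse_kv(text):
    """Parse 'Key value' lines in sshd_config style, dropping comments."""
    cfg = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition(" ")
            cfg[key.lower()] = value.strip().lower()
    return cfg


# Assumed hardening baseline for sshd; the drift check reports any deviation.
EXPECTED_SSHD = {"passwordauthentication": "no", "permitrootlogin": "no"}


def config_drift(text, expected):
    """Return {key: actual_value} for every expected key that does not match."""
    cfg = parse_kv(text)
    return {k: cfg.get(k, "<missing>") for k, v in expected.items() if cfg.get(k) != v}


def demo():
    """Build a constructed tree, baseline it, tamper with it, and report the drift."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.makedirs(etc)
        sshd = os.path.join(etc, "sshd_config")
        with open(sshd, "w") as fh:
            fh.write("PasswordAuthentication no\nPermitRootLogin no\n")
        with open(os.path.join(root, "app.bin"), "wb") as fh:
            fh.write(b"\x7fELF original")
        baseline = snapshot(root)

        # Simulated tampering: config weakened, binary swapped for one of the
        # same size (size alone would miss it), and a new file dropped in.
        with open(sshd, "w") as fh:
            fh.write("PasswordAuthentication yes  # changed by hand\nPermitRootLogin no\n")
        with open(os.path.join(root, "app.bin"), "wb") as fh:
            fh.write(b"\x7fELF trojaned")
        with open(os.path.join(root, "backdoor.sh"), "w") as fh:
            fh.write("#!/bin/sh\n")

        report = diff_snapshots(baseline, snapshot(root))
        with open(sshd) as fh:
            report["config_drift"] = config_drift(fh.read(), EXPECTED_SSHD)
        return report


if __name__ == "__main__":
    print(demo())
```

On a real workload the baseline would be taken from the gold image at instantiation and stored off-host, so that an attacker who can alter files cannot also alter the record they are compared against; the comparison itself is what the deck’s FIM and configuration-monitoring layers automate.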


Approaches to Workload Security

• Do it manually with multiple security tools

• Too time consuming

• Many consoles, difficult integration

• Use orchestration tools with multiple security tools

• Many consoles, difficult integration

• Set of security tools can consume more resources than what they’re protecting

• Use CloudPassage® Halo®


CloudPassage Halo: Instant Layered Security for Every Server Workload

• One tool providing 8 layers of visibility & enforcement

• Using less compute resources than a single-layer point product

• Highly automated; “set and forget” security

• Add to gold images, protects servers at instantiation


CloudPassage Halo

• A Security Orchestration Framework

• Integrated and layered security

• Automated into your workflow

• Visibility

• See vulnerabilities, configuration errors, file integrity, access – no matter where the workload is

• Apply controls – even quarantine workloads

• Compliance

• Drive automation to audits

• Continuous vs. point-in-time


CloudPassage Halo Architecture


Questions


The Collin College Engineering Department

Collin College Student Chapter of the North Texas ISSA

North Texas ISSA (Information Systems Security Association)


Thank you