Sam Herath - Six Critical Criteria for Cloud Workload Security
TRANSCRIPT
1 | © 2015 CloudPassage Confidential
Six Critical Criteria for Cloud Workload Security
Sam Herath, Cloud Security Evangelist
Our Worldview
• Who is CloudPassage and who do we protect
  ◦ Cloud infrastructure security and compliance
  ◦ About 100 large enterprises including a number of Fortune 500s
• Enterprise IT delivery is undergoing massive transformation
  ◦ Cloud-oriented, on-demand IT will be the norm, driven by business demands
  ◦ Application business owners want speed, agility, efficiency
• Big challenges remain
  ◦ SDDC, hybrid cloud, agile development drive new mode of IT operation
  ◦ Existing applications don’t magically migrate to the new model
  ◦ Deeply centralized functions (like security & compliance) are the most challenged
Cloud Breaks Security
Sorry About That :(
Traditional DC Hosting Model
[Figure: Traditional DC hosting model, with Applications A through E each hosted separately]
Traditional DC Hosting Model
[Figure: web servers and databases for Application A, fronted by a web app appliance, crypto gateway, network firewall and network IDS/IPS]
Private Cloud Hosting Model
[Figure: private cloud hosting model, with instances of Applications A through E spread across shared infrastructure]
Public Cloud Hosting Model
[Figure: public cloud hosting model alongside the DC]
Cloud Workload Security must…
1. …be right at the workload
2. …cover a broad set of controls
3. …be automated and orchestrate with DevOps
4. …work everywhere
5. …scale vertically and horizontally
6. …deal with the reality of business and IT!
1. Security At The Workload
• “Cause that’s where the compute is.”
• Workload is a layer of abstraction (answers “What”, not “How”)
• Not reliant on specific network, perimeter, hypervisor, security appliances
• Policy driven
• Logically grouped
• Applied automatically
• Portable, scalable, transparent, universal
1. Security At The Workload
[Figure: IaaS stack, top to bottom: User Administration, Application Code, Application Stack, VM Guest OS (customer controlled); Virtualization Stack, Compute/Storage HW, Network Infrastructure, Physical Environment (provider controlled)]
2. Cover Broad Set of Controls
• Operational Automation
• Compromise Management
• Vulnerability Management
• Data Protection
• Visibility & Awareness
• Strong Access Controls
2. Cover Broad Set Of Controls
• Software Vulnerability Assessment
• Configuration Security Monitoring
• Traffic Discovery
• Firewall Management and Orchestration
• Server Account Management
• Multi-factor Authentication
• Intrusion Detection
• File Integrity Monitoring
• …
3. Automated and Orchestrated
[Figure: twelve-month release timeline (January to December, releases R1 to R12) with overlapping phases: analysis and design, coding and implementation, quality testing, staging and release]
• Core security policies already implemented, regardless of environment
• Security unit-testing cases required, or code is rejected (yes, really)
• Code & infrastructure policies ensured using DevOps-style automation
• Staging smoke tests include automated pen-testing, vulnerability assessment, policy validation, security baselines (against gold master)
• All of this feeds into SIEM and GRC tools via API
[Figure: the same release timeline, annotated with where each of these checks runs]
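As an added illustration of the pipeline checks above (policy validation and security baselines against a gold master, with findings fed to SIEM and GRC tools) and of the configuration security monitoring and file integrity monitoring controls listed under criterion 2, here is a Python example. It is not CloudPassage's code and does not model their product; the gold-master file contents, setting names, package names, severities and the "web-01" workload id are all constructed for the example, and a real agent would read those values from the host rather than from inline constants.

```python
import hashlib
import json
from typing import Dict, List


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed gold-master file contents (sample text standing in for real system files).
GOLD_FILES: Dict[str, bytes] = {
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
    "/etc/sudoers": b"root ALL=(ALL) ALL\n",
}

# The gold master is the approved image: file hashes (file integrity), hardened
# settings (configuration security) and packages every workload must carry.
# All values here are constructed for the example.
GOLD_MASTER = {
    "file_hashes": {p: sha256_hex(c) for p, c in GOLD_FILES.items()},
    "settings": {
        "sshd.PermitRootLogin": "no",
        "sshd.PasswordAuthentication": "no",
        "kernel.randomize_va_space": "2",
    },
    "required_packages": ["openssh-server", "auditd"],
}

# Severity per finding type (an assumption for this example, not a standard).
SEVERITY = {"file_missing": "high", "file_modified": "high",
            "setting_drift": "high", "package_missing": "medium"}


def snapshot(files: Dict[str, bytes], settings: Dict[str, str], packages: List[str]) -> dict:
    """Record the observed state of one workload in the same shape as the gold master.
    A real agent would read the files, sysctl values and package database on the host."""
    return {
        "file_hashes": {p: sha256_hex(c) for p, c in files.items()},
        "settings": dict(settings),
        "installed_packages": list(packages),
    }


def validate(observed: dict, gold: dict = GOLD_MASTER) -> List[dict]:
    """Compare a snapshot with the gold master; every deviation becomes one finding."""
    findings: List[dict] = []

    def add(kind: str, item: str, expected, actual) -> None:
        findings.append({"kind": kind, "item": item, "expected": expected,
                         "actual": actual, "severity": SEVERITY[kind]})

    for path, want in gold["file_hashes"].items():
        got = observed["file_hashes"].get(path)
        if got is None:
            add("file_missing", path, want, None)
        elif got != want:
            add("file_modified", path, want, got)
    for key, want in gold["settings"].items():
        got = observed["settings"].get(key)
        if got != want:
            add("setting_drift", key, want, got)
    for pkg in gold["required_packages"]:
        if pkg not in observed["installed_packages"]:
            add("package_missing", pkg, "installed", "absent")
    return findings


def release_gate(findings: List[dict]) -> bool:
    """Staging smoke test: the release passes only when no high-severity finding remains."""
    return not any(f["severity"] == "high" for f in findings)


def to_siem_events(findings: List[dict], workload_id: str) -> List[str]:
    """Serialise findings as newline-delimited JSON, one event per deviation, in a form
    that can be posted to a SIEM/GRC ingestion API (the transport is outside this example)."""
    return [json.dumps({"workload": workload_id, "source": "baseline-check", **f},
                       sort_keys=True) for f in findings]


def drifted_workload() -> dict:
    """Constructed workload that has drifted from the gold master in three ways."""
    files = dict(GOLD_FILES)
    files["/etc/ssh/sshd_config"] = b"PermitRootLogin yes\nPasswordAuthentication no\n"
    settings = {"sshd.PermitRootLogin": "yes", "sshd.PasswordAuthentication": "no",
                "kernel.randomize_va_space": "2"}
    return snapshot(files, settings, ["openssh-server"])  # auditd is not installed


def clean_workload() -> dict:
    """Constructed workload that matches the gold master exactly."""
    return snapshot(GOLD_FILES, GOLD_MASTER["settings"], GOLD_MASTER["required_packages"])


if __name__ == "__main__":
    results = validate(drifted_workload())
    for event in to_siem_events(results, "web-01"):
        print(event)
    print("release gate:", "PASS" if release_gate(results) else "FAIL")
```

Running it against the drifted workload yields three findings (a modified sshd_config, a drifted PermitRootLogin setting, and the missing auditd package), so the release gate fails; the clean workload yields none and passes. The same snapshot-and-compare step works for a physical server, a VM or a container because it checks the workload itself rather than anything about the network or hypervisor around it.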
4. Work Everywhere
[Figure: the same IaaS stack (User Administration, Application Code, Application Stack and VM Guest OS customer controlled; Virtualization Stack, Compute/Storage HW, Network Infrastructure and Physical Environment provider controlled) shown across IaaS, a second IaaS provider (IaaS 2), colo and the DC]
5. Scale Vertically and Horizontally
• Is 200MB of RAM a lot? 10MB? Times how many different tools?
• Is 100 systems a lot? 1,000? 60,000?
• One Big Factory → Servers, Instances, Microservices & Containers
6. Deal with Reality of IT
[Figure: the application portfolio from legacy to modern: the last legacy project and core business applications (“business as usual”), high-risk migrations, low-risk migrations, any new application, greenfield applications, innovation and experiments]
[Figure: traditional data center, bare metal and basic virtualization estates]
[Figure: UCS Director]
Cloud Workload Security must…
1. …be right at the workload
2. …cover a broad set of controls
3. …be automated and orchestrate with DevOps
4. …work everywhere
5. …scale vertically and horizontally
6. …deal with the reality of business and IT!
[Figure: UCS Director]
From Chaos…
… To Control
Security Automation and Orchestration
www.cloudpassage.com