Best Practices for Securing the Hybrid Cloud


  • Best Practices for Securing Hybrid Clouds

    Doug Cahill, Enterprise Strategy Group; Carric Dooley, Intel Security

  • Speakers

    Doug Cahill, Senior Analyst, Enterprise Strategy Group

    Carric Dooley, VP of Foundstone Services, Intel Security

  • 2016 by The Enterprise Strategy Group, Inc.

    Too many security presentations start like this

  • Today is about

    Why hybrid cloud security is an

  • Because security doesn't have to look like this.

  • Topics

    The Readiness Gap

    Defining Hybrid

    What's Different

    Best Practices

    Solution Requirements

  • Gradients of the Cloud Adoption Journey

    Cloud Native: Friends don't let friends build data centers

    Cloud First: When in doubt, to the cloud! The new normal.

    Cloud Washed: Do you want cloud with that?

    Cloud Neva!: Regulated, and perhaps oblivious to Shadow IT use

  • Strong Adoption of Public Cloud Services

  • But Security Readiness Lags Behind Adoption

    Survey question: How would you compare the security (i.e., policies, processes, technologies and skills) associated with your organization's on-premises IT infrastructure and

    On-premises security is much more mature than public cloud-based infrastructure/application security: 42%

    On-premises security is somewhat more mature than public cloud-based infrastructure/application security

    On-premises security is about the same as public cloud-based infrastructure/application security

    Public cloud-based infrastructure/application security is somewhat more mature than on-premises security

    Public cloud-based infrastructure/application security is much more mature than on-premises security

  • So Work is Required

    Survey question: In your opinion, how much work will it take to develop an appropriate security model that aligns with your organization's future plans for cloud computing?

    A significant amount of work: 49%

    A moderate amount of work: 49%

    A small amount of work: 2%

    Don't know: 1%

  • Which is Why Some Feel This Way

  • Defining Hybrid

  • Many Definitions of Hybrid Clouds

    Oft cited to be:

    Workloads in more than one location

    Backing up to the cloud

    Cloud First: new apps in the cloud

    Cross-cloud data and application tier location arbitration

    Automated and orchestrated use of on-demand resources

    Database tier on-premises, web app tier in the cloud (CDN)

  • The Heterogeneous Public Cloud Dimension of Hybrid

    Multi-CSP strategy for pricing leverage

    Azure: the Pepsi to AWS's Coke position

    Anyone remember Dr Pepper?

    vCloud Air for DRaaS (disaster recovery as a service)

  • The Private Cloud Dimension of Hybrid

    Perception: Virtualization = private cloud

    But actually:

    Agile software development methodology

    DevOps (continuous) delivery methodology

    Service-oriented resource procurement

    API-driven, software-defined everything

  • OK, but

    What's different about securing hybrid clouds?

  • Customers and CSPs Share Responsibility

    The CSP secures the underlying infrastructure (facilities, hardware, hypervisor); the customer remains responsible for everything that runs on it: OS, applications, data, identities and configuration.

  • The Network Perimeter is Shifting

    Workloads communicate north-south across hybrid clouds as well as east-west.

    Workloads can be internally and externally facing.

    Customers do not have access to the physical egress point.

    Workloads create their own perimeter.

  • Cloud Environments are Highly Dynamic, API-Driven

    Methodologies:

    Highly iterative Agile software development

    DevOps for continuous dev, test, delivery, monitoring... and security

    Technologies:

    Scripts call APIs to automate the infrastructure lifecycle

    Temporal, due to elasticity and auto-scaling up and down

    Immutable infrastructure for cutover deployments

  • Spotlight: Pets v. Cattle of Immutable Infrastructure

    Pets: cute names; fed tasty treats; treated as a member of the family; servers get similar care and feeding

    Cattle: assigned a #; bred for harvest; get sick, get shot; blue-green deployments (instances are replaced, not repaired)

  • Gain Visibility via Continuous Monitoring

    Inventory Everything:

    Workloads, VPCs, devices, cloud accounts, etc., physical and virtual

    Instance sprawl = the developer version of Shadow IT

    Collectively represents the attack surface area

    Monitor Continuously:

    System activity, netflow, API usage

    AWS CloudTrail, Azure Operational Insights for API and service usage

    On-board agent for system activity

    Record and retain activity for trust and compliance
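The inventory and API-usage points above, worked as an added example (this is not code from the ESG/Intel Security deck). It replays CloudTrail-style records into an instance inventory and flags the "instance sprawl" case: running instances that break a tagging standard or were launched by someone other than the deployment pipeline. The records are constructed to approximate the shape of AWS CloudTrail events for RunInstances, CreateTags and TerminateInstances; the required tag keys (Env/App/Geo), the account number, the instance IDs and the trusted launcher ARN are all assumptions for the example.

```python
"""Inventory workloads from CloudTrail-style API records and flag instance sprawl.

Added example, not code from the ESG/Intel Security deck. Record shape
approximates AWS CloudTrail; tag standard and trusted launcher are assumed.
"""
import json

# Assumed tagging standard: every running instance must carry these keys.
REQUIRED_TAGS = {"Env", "App", "Geo"}
# Assumed: only the deployment pipeline role is expected to launch instances.
TRUSTED_LAUNCHERS = {"arn:aws:sts::123456789012:assumed-role/deploy-pipeline/build-42"}

# Constructed sample records (fictional account, instance IDs and addresses).
SAMPLE_EVENTS_JSON = """[
  {"eventTime": "2016-05-01T10:00:00Z", "eventName": "RunInstances",
   "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/deploy-pipeline/build-42"},
   "sourceIPAddress": "10.0.5.20",
   "requestParameters": {"tagSpecificationSet": {"items": [{"resourceType": "instance",
     "tags": [{"key": "Env", "value": "Prod"}, {"key": "App", "value": "WebApache"},
              {"key": "Geo", "value": "East"}]}]}},
   "responseElements": {"instancesSet": {"items": [{"instanceId": "i-0aaa0001"},
                                                    {"instanceId": "i-0aaa0002"}]}}},
  {"eventTime": "2016-05-01T11:30:00Z", "eventName": "RunInstances",
   "userIdentity": {"arn": "arn:aws:iam::123456789012:user/dev-alice"},
   "sourceIPAddress": "203.0.113.7",
   "requestParameters": {},
   "responseElements": {"instancesSet": {"items": [{"instanceId": "i-0bbb0003"}]}}},
  {"eventTime": "2016-05-01T11:35:00Z", "eventName": "CreateTags",
   "userIdentity": {"arn": "arn:aws:iam::123456789012:user/dev-alice"},
   "sourceIPAddress": "203.0.113.7",
   "requestParameters": {"resourcesSet": {"items": [{"resourceId": "i-0bbb0003"}]},
                         "tagSet": {"items": [{"key": "Env", "value": "Dev"}]}}},
  {"eventTime": "2016-05-01T12:00:00Z", "eventName": "TerminateInstances",
   "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/deploy-pipeline/build-42"},
   "sourceIPAddress": "10.0.5.20",
   "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-0aaa0002"}]}}}
]"""


def _instance_tags(request):
    """Tags applied at launch via tagSpecificationSet entries of type 'instance'."""
    tags = {}
    for spec in request.get("tagSpecificationSet", {}).get("items", []):
        if spec.get("resourceType") == "instance":
            for t in spec.get("tags", []):
                tags[t["key"]] = t["value"]
    return tags


def build_inventory(events):
    """Replay API records in time order into an instance_id -> state inventory."""
    inventory = {}
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        name, req = ev["eventName"], ev.get("requestParameters") or {}
        if name == "RunInstances":
            tags = _instance_tags(req)
            for item in ev["responseElements"]["instancesSet"]["items"]:
                inventory[item["instanceId"]] = {
                    "tags": dict(tags),
                    "launched_by": ev["userIdentity"]["arn"],
                    "source_ip": ev["sourceIPAddress"],
                    "running": True,
                }
        elif name == "CreateTags":   # tags added after launch still count
            new = {t["key"]: t["value"] for t in req.get("tagSet", {}).get("items", [])}
            for res in req.get("resourcesSet", {}).get("items", []):
                if res["resourceId"] in inventory:
                    inventory[res["resourceId"]]["tags"].update(new)
        elif name == "TerminateInstances":
            for item in req.get("instancesSet", {}).get("items", []):
                if item["instanceId"] in inventory:
                    inventory[item["instanceId"]]["running"] = False
    return inventory


def find_sprawl(inventory):
    """Running instances that violate the tag standard or were launched outside the pipeline."""
    findings = []
    for iid, rec in sorted(inventory.items()):
        if not rec["running"]:
            continue
        missing = sorted(REQUIRED_TAGS - set(rec["tags"]))
        if missing:
            findings.append((iid, "missing required tags: " + ", ".join(missing)))
        if rec["launched_by"] not in TRUSTED_LAUNCHERS:
            findings.append((iid, f"launched outside the pipeline by {rec['launched_by']} "
                                  f"from {rec['source_ip']}"))
    return findings


def audit(events_json=SAMPLE_EVENTS_JSON):
    """Parse a CloudTrail-style record array and return (inventory, findings)."""
    inventory = build_inventory(json.loads(events_json))
    return inventory, find_sprawl(inventory)


if __name__ == "__main__":
    inv, findings = audit()
    print(f"{sum(r['running'] for r in inv.values())} running of {len(inv)} instances seen")
    for iid, reason in findings:
        print(f"{iid}: {reason}")
```

The terminated instance drops out of the findings but stays in the inventory, which is the "record and retain" point: the API trail is the only durable record of a transient instance once it is gone. In practice the untagged, hand-launched instance is the one that never received a security policy, which is what the tag-based policy assignment later in the deck is meant to prevent.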

  • Employ a Workload-Centric Security Model

    Spotlight: Anomaly Detection in Auto Scaling Groups

    Premise: There should be no intra-group drift from a trusted configuration (every member is launched from the same template)

    Approach: Monitor the integrity of trusted configs for anomalous changes

    Anomalies of Interest:

    New processes and child processes

    File system changes

    Logins beyond ID: time, location, frequency

    Netflow to/from remote IPs

    Correlation of processes and netflow
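The premise above turned into detection logic, as an added example (not code from the ESG/Intel Security deck). Because every member of an auto-scaling group comes from the same template, the group itself can serve as the trusted baseline: anything present on one member but absent from the majority is drift. The code compares per-instance snapshots of processes, monitored file digests, logins and outbound flows, and correlates a novel flow with the novel process that owns it. The snapshots are constructed, the digests are placeholders, and the host-side collectors that would produce such snapshots are assumed.

```python
"""Detect configuration drift inside an auto-scaling group by peer comparison.

Added example, not code from the ESG/Intel Security deck. Snapshots below are
constructed; a real deployment would collect them with an on-board agent.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass
class Snapshot:
    instance_id: str
    processes: frozenset   # (parent_name, process_name)
    file_hashes: dict      # path -> digest of a monitored file (placeholder values)
    logins: frozenset      # (user, source_ip)
    flows: frozenset       # (process_name, remote_ip, remote_port)


# Constructed group of four web instances; i-0004 has been tampered with.
_GOLD_PROCS = frozenset({("init", "sshd"), ("init", "httpd"), ("httpd", "httpd")})
_GOLD_FILES = {"/etc/passwd": "f3a1", "/var/www/html/index.php": "9c2e"}
_GOLD_LOGINS = frozenset({("deploy", "10.0.1.5")})
_GOLD_FLOWS = frozenset({("httpd", "10.0.2.10", 3306)})

SAMPLE_GROUP = [
    Snapshot("i-0001", _GOLD_PROCS, dict(_GOLD_FILES), _GOLD_LOGINS, _GOLD_FLOWS),
    Snapshot("i-0002", _GOLD_PROCS, dict(_GOLD_FILES), _GOLD_LOGINS, _GOLD_FLOWS),
    Snapshot("i-0003", _GOLD_PROCS, dict(_GOLD_FILES), _GOLD_LOGINS, _GOLD_FLOWS),
    Snapshot(
        "i-0004",
        _GOLD_PROCS | {("httpd", "sh"), ("sh", "nc")},                # web server spawned a shell
        {"/etc/passwd": "f3a1", "/var/www/html/index.php": "d00d"},   # index.php was modified
        _GOLD_LOGINS | {("ec2-user", "198.51.100.9")},                # login from an unknown IP
        _GOLD_FLOWS | {("nc", "198.51.100.9", 4444)},                 # outbound connection from nc
    ),
]


def group_baseline(snapshots, quorum=0.5):
    """Items present on more than `quorum` of the group form the baseline."""
    need = int(len(snapshots) * quorum) + 1      # strictly more than the quorum fraction

    def majority(items):
        return {k for k, n in Counter(items).items() if n >= need}

    per_path = defaultdict(Counter)
    for s in snapshots:
        for path, digest in s.file_hashes.items():
            per_path[path][digest] += 1
    file_hashes = {}
    for path, counts in per_path.items():
        digest, n = counts.most_common(1)[0]
        if n >= need:                            # no majority digest -> no baseline for that path
            file_hashes[path] = digest
    return {
        "processes": majority(p for s in snapshots for p in s.processes),
        "logins": majority(l for s in snapshots for l in s.logins),
        "flows": majority(f for s in snapshots for f in s.flows),
        "file_hashes": file_hashes,
    }


def find_drift(snapshots, quorum=0.5):
    """Map instance_id -> [(category, detail)] for members that deviate from the baseline."""
    base = group_baseline(snapshots, quorum)
    report = {}
    for s in snapshots:
        findings = []
        new_procs = s.processes - base["processes"]
        for parent, name in sorted(new_procs):
            findings.append(("process", f"{name} spawned by {parent}"))
        for path, digest in sorted(s.file_hashes.items()):
            if path in base["file_hashes"] and base["file_hashes"][path] != digest:
                findings.append(("file", f"{path} differs from the group baseline"))
        for user, ip in sorted(s.logins - base["logins"]):
            findings.append(("login", f"{user} from {ip}"))
        new_names = {name for _, name in new_procs}
        for proc, ip, port in sorted(s.flows - base["flows"]):
            link = "by a process that is itself new" if proc in new_names else "by a baseline process"
            findings.append(("netflow", f"{proc} -> {ip}:{port} {link}"))
        if findings:
            report[s.instance_id] = findings
    return report


if __name__ == "__main__":
    for iid, findings in find_drift(SAMPLE_GROUP).items():
        for category, detail in findings:
            print(f"{iid} {category}: {detail}")
```

Two caveats the quorum parameter makes visible: a group of one has no peers (with four members `need` is 3, with one member it is 1, so nothing is ever flagged), and an attacker who compromises a majority of the group moves the baseline with them. Peer comparison should therefore be backed by digests taken from the launch template or golden image, so the "trusted configuration" is anchored outside the group.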

  • Embrace Automation via SecDevOps

    In Test/QA:

    Vulnerability scanning of the entire stack

    Ensure the stack is current (patched) before deployment to prod

    In Prod:

    Policy assignment at the time of instance instantiation

    By tag, and thus by template, for consistency, e.g. Env:Prod App:WebApache Geo:East

    Host firewalls, integrity monitoring, anomaly detection

    Virtual patching via exploit behavioral analysis

  • Map Controls to Assets

    Workload Type          Controls
    Automation Servers     Multi-Factor Authentication; Default Deny Application Control
    Jump / Bastion Hosts   Netflow monitoring; IDS/IPS rules; Default Deny Application Control
    Auto-Scaling Groups    System integrity monitoring; Anomaly detection
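Tag-driven policy assignment from the SecDevOps slide, combined with the workload-to-controls table above, as an added example (not code from the ESG/Intel Security deck). A policy is a selector over tags; an instance receives the union of the controls of every policy its tags match, and an instance that matches nothing but the baseline is reported as unclassified rather than silently left with minimal protection. The control names follow the deck's table, but the selector keys (Env, App, Role, ASG), the allowed Env vocabulary and the sample fleet are assumptions for the example.

```python
"""Assign security policy from instance tags at instantiation time.

Added example, not code from the ESG/Intel Security deck. Control names mirror
the deck's table; selector tag keys and the sample fleet are assumed.
"""

# A selector maps a tag key to an exact value, a set of allowed values, or "*"
# meaning "any value, but the tag must be present".
POLICIES = [
    {"name": "baseline", "match": {},
     "controls": {"host-firewall", "integrity-monitoring"}},
    {"name": "prod-web", "match": {"Env": "Prod", "App": {"WebApache", "WebNginx"}},
     "controls": {"anomaly-detection", "virtual-patching"}},
    {"name": "automation-server", "match": {"Role": "Automation"},
     "controls": {"mfa", "default-deny-app-control"}},
    {"name": "bastion", "match": {"Role": "Bastion"},
     "controls": {"netflow-monitoring", "ids-ips", "default-deny-app-control"}},
    {"name": "asg-member", "match": {"ASG": "*"},
     "controls": {"system-integrity-monitoring", "anomaly-detection"}},
]
ALLOWED_ENV = {"Prod", "Test", "QA", "Dev"}   # assumed vocabulary for the Env tag

# Constructed fleet; i-mystery is a hand-launched instance with a mistyped Env tag.
SAMPLE_FLEET = {
    "i-web01": {"Env": "Prod", "App": "WebApache", "Geo": "East", "ASG": "web-east"},
    "i-jump01": {"Env": "Prod", "App": "Jump", "Geo": "East", "Role": "Bastion"},
    "i-jenk01": {"Env": "Prod", "App": "Jenkins", "Geo": "West", "Role": "Automation"},
    "i-mystery": {"Env": "prod", "Name": "alice-test"},
}


def selector_matches(selector, tags):
    """True when every key in the selector is present with an allowed value."""
    for key, want in selector.items():
        if key not in tags:
            return False
        if want == "*":
            continue
        allowed = want if isinstance(want, (set, frozenset)) else {want}
        if tags[key] not in allowed:        # tag values are case-sensitive: "prod" != "Prod"
            return False
    return True


def assign_policy(tags, policies=POLICIES):
    """Return (matched policy names, sorted union of their controls, problems)."""
    problems = []
    if tags.get("Env") not in ALLOWED_ENV:
        problems.append(f"Env tag {tags.get('Env')!r} is not one of {sorted(ALLOWED_ENV)}")
    matched = [p for p in policies if selector_matches(p["match"], tags)]
    names = [p["name"] for p in matched]
    controls = set().union(*(p["controls"] for p in matched))
    if names == ["baseline"]:
        problems.append("only the baseline policy applies; instance is unclassified")
    return names, sorted(controls), problems


def audit_fleet(fleet, policies=POLICIES):
    """Evaluate every instance in a {instance_id: tags} fleet."""
    return {iid: assign_policy(tags, policies) for iid, tags in fleet.items()}


if __name__ == "__main__":
    for iid, (names, controls, problems) in audit_fleet(SAMPLE_FLEET).items():
        print(f"{iid}: policies={names} controls={controls}")
        for p in problems:
            print(f"  problem: {p}")
```

Run the same function from the launch hook (a user-data script or a lifecycle hook calling the management API) so the controls are applied the moment the instance exists, which is the "policy assignment at the time of instance instantiation" point. The mistyped `Env: prod` case shows why the vocabulary check matters: a selector that silently fails to match leaves a production instance with only baseline controls, so unclassified instances should be treated as findings, not ignored.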

  • Extend Trust Across Hybrid Clouds

    Objective: Cross-cloud security consistency

    Replicate policy by workload profile

    Cross-pollinate DevSecOps to on-prem

    Centralized visibility of inter-workload traffic

  • Cloud Security is a Team Sport

    Survey question: Groups directly involved in cloud security (evaluating, purchasing, and operating)

    Security team: 63%

    Data center team: 61%

    Networking team: 56%

    Application development team: 44%

    DevOps team: 32%

  • The Must Haves of a Hybrid Cloud Security Solution

    Supports tags for automated policy assignment

    Operates in auto-scaling groups, i.e. on transient instances

    Flexible delivery models, including native SaaS

    APIs for integrations and instrumentation (script & extract)

    Linux support is not an afterthought

    Metered, utility-based pricing model

  • Cloud: exactly the same, but different

  • Similarities

    Big data glut

    Access control becomes even more vital

    Monitoring a must

    Understanding of architecture also a must

    Need for automation to scale

    Critical asset identification

    Baseline normal

    Secure design and architecture still crucial

    Data protection program


  • Differences

    No hardware (firmware attacks are the CSP's problem, not yours)

    No patching in place (immutable instances are replaced, not patched)

    Limited configuration management

    Shifting perimeter (zero trust)

    Digital forensics (no physical access to disks or memory; rely on volume snapshots, logs and API records)

    Quality Assurance might reflect production (same templates, same exposure)

    Double-edged sword (centralized access is convenient and a single point of compromise; remember SSO?)

  • Unsure/Depends

    Assessment: does it represent more risk?

    Threats and vulnerabilities: corruption, denial of access, exfiltration

  • Questions?

    For more information, please visit www.intelsecurity.com/hybridcloudsecurity

    Doug Cahill, doug.cahill@esg-global.com

    Foundstone Cloud Assessment Services: www.foundstone.com, foundstone@intel.com, @Foundstone

    Follow ESG: http://www.twitter.com/esg-global, http://www.facebook.com/ESGglobal, https://www.linkedin.com/groups?gid=1295607, http://www.youtube.com/user/ESGglobal