Best Practices for Securing Hybrid Clouds

Doug Cahill, Enterprise Strategy Group
Carric Dooley, Intel Security




Speakers

Doug Cahill, Senior Analyst, Enterprise Strategy Group

Carric Dooley, VP of Foundstone Services, Intel Security



© 2016 by The Enterprise Strategy Group, Inc.

Too many security presentations start like this


Today is about

Why hybrid cloud security is an…


Because security doesn't have to look like this.


Topics

• The Readiness Gap

• Defining Hybrid

• What’s Different

• Best Practices

• Solution Requirements


Gradients of the Cloud Adoption Journey

Cloud Native – “Friends don’t let friends build data centers”

Cloud First – When in doubt, to the cloud! The new normal.

Cloud Washed – Do you want cloud with that?

Cloud Neva! – Regulated, perhaps obtuse to Shadow IT use


Strong Adoption of Public Cloud Services


But Security Readiness Lags Behind Adoption

Survey question: How would you compare the security (i.e., policies, processes, technologies and skills) associated with your organization’s on-premises IT infrastructure and …

• On-premises security is much more mature than public cloud-based infrastructure/application security: 42%
• On-premises security is somewhat more mature than public cloud-based infrastructure/application security: …
• On-premises security is about the same as public cloud-based infrastructure/application …
• Public cloud-based infrastructure/application security is somewhat more …
• Public cloud-based infrastructure/application security is much more mature than on-premises …


So Work is Required

Survey question: In your opinion, how much work will it take to develop an appropriate security model that aligns with your organization’s future plans for cloud computing?

• A significant amount of work: 49%
• A moderate amount of work: 49%
• A small amount of work: 2%
• Don’t know: 1%


Which is Why Some Feel This Way


Defining Hybrid


Many Definitions of Hybrid Clouds

Oft cited to be:
• Workloads in more than one location
• Backing up to the cloud
• Cloud First -- New apps in the cloud

Cross-cloud data and application tier location arbitration:
• Automated and orchestrated use of on-demand resources
• Database tier on-premises, web app tier in the cloud (CDN)


The Heterogeneous Public Cloud Dimension of Hybrid

• Multi-CSP strategy for pricing leverage

• Azure the Pepsi to AWS’s Coke position

Anyone remember Dr. Pepper?

• vCloud Air for DRaaS


The Private Cloud Dimension of Hybrid

Perception: Virtualization = private cloud

But Actually…
• Agile software development methodology
• DevOps (continuous) delivery methodology
• Service oriented resource procurement
• API-driven, software defined everything


OK, but …

What’s different about securing hybrid clouds?


Customers and CSPs Share Responsibility


The Network Perimeter is Shifting

Workloads communicate north-south across hybrid clouds as well as east-west.

Workloads can be internally and externally facing.

Customers do have access to the physical egress point.

Workloads create their own perimeter.


Cloud Environments are Highly Dynamic, API-Driven

Methodologies

• Highly iterative Agile software development

• DevOps for continuous dev, test, delivery, monitoring….and security

Technologies
• Scripts call APIs to automate infrastructure lifecycle
• Temporal due to elasticity and auto-scaling up and down
• Immutable infrastructure for cutover deployments


Spotlight: Pets v. Cattle of Immutable Infrastructure

Pets:
• Cute names
• Fed tasty treats
• Treated as member of the family
• Servers get similar care and feeding

Cattle:
• Assigned a #
• Bred for harvest
• Get sick, get shot
• Blue green deployments


Gain Visibility via Continuous Monitoring

Inventory Everything
• Workloads, VPCs, devices, cloud accounts, etc. - physical and virtual
• Instance sprawl = developer version of Shadow IT
• Collectively represents the attack surface area

Monitor Continuously
• System activity, netflow, API usage
• AWS CloudTrail, Azure Operational Insights for API and service usage
• On-board agent for system activity
• Record and retain activity for trust and compliance


Employ a Workload Centric Security Model

Spotlight: Anomaly Detection in Auto Scaling Groups

Premise: There should be no intra-group drift from a trusted configuration

Approach: Monitor the integrity of trusted configs for anomalous changes

Anomalies of Interest:

• New process and child processes

• File system changes

• Logins beyond ID - time, location, frequency

• Netflow to/from remote IPs

• Correlation of processes and netflow
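The premise above (no intra-group drift from a trusted configuration) as working detection logic, added here as an example rather than code from the deck or from any Intel Security product. BASELINE, Observation, detect_drift and scan_group are constructed names, and the baseline values, sample instances, hashes and IP are constructed data; it covers the anomaly kinds listed on the slide except login frequency.

```python
"""Intra-group drift detection for an auto-scaling group (added example)."""
from dataclasses import dataclass

# Trusted configuration shared by every instance launched from the same template
# (constructed values); any deviation from it within the group is an anomaly.
BASELINE = {
    "processes": {"systemd", "sshd", "httpd", "cloud-agent"},
    "files": {"/etc/httpd/httpd.conf": "a1b2", "/etc/ssh/sshd_config": "c3d4"},
    "login_geos": {"US-East"},    # where operators normally connect from
    "login_hours": range(8, 19),  # 08:00-18:59
}

@dataclass
class Observation:
    instance_id: str
    processes: set  # running process names
    files: dict     # path -> content hash
    logins: list    # (user, geo, hour_of_day)
    flows: list     # (process, remote_ip)

def detect_drift(obs, baseline=BASELINE):
    """Return (instance_id, anomaly_kind, detail) tuples for one instance."""
    found = []
    for proc in sorted(obs.processes - baseline["processes"]):
        found.append((obs.instance_id, "new_process", proc))
    for path, digest in sorted(obs.files.items()):
        if baseline["files"].get(path) != digest:
            found.append((obs.instance_id, "file_change", path))
    for user, geo, hour in obs.logins:
        if geo not in baseline["login_geos"] or hour not in baseline["login_hours"]:
            found.append((obs.instance_id, "login_anomaly", f"{user}@{geo}:{hour:02d}h"))
    # Correlating netflow with a process that is not in the baseline is the
    # highest-signal case: an unexpected binary that is also talking to a remote IP.
    for proc, ip in obs.flows:
        if proc not in baseline["processes"]:
            found.append((obs.instance_id, "unknown_process_netflow", f"{proc}->{ip}"))
    return found

def scan_group(observations, baseline=BASELINE):
    """Scan every member of the group; a clean group returns an empty list."""
    return [f for obs in observations for f in detect_drift(obs, baseline)]

SAMPLE_GROUP = [  # constructed: one healthy member and one that has drifted
    Observation("i-0aaa", {"systemd", "sshd", "httpd", "cloud-agent"},
                {"/etc/httpd/httpd.conf": "a1b2", "/etc/ssh/sshd_config": "c3d4"},
                [("deploy", "US-East", 10)], []),
    Observation("i-0bbb", {"systemd", "sshd", "httpd", "cloud-agent", "tmpsvc"},
                {"/etc/httpd/httpd.conf": "a1b2", "/etc/ssh/sshd_config": "ffff"},
                [("deploy", "EU-West", 3)], [("tmpsvc", "203.0.113.9")]),
]
```

Running scan_group(SAMPLE_GROUP) reports nothing for i-0aaa and four findings for i-0bbb, the last of which ties the unexpected process to its outbound flow.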


Embrace Automation via SecDevOps

In Test/QA: Vulnerability scanning of entire stack
• Assure currency pre-deployment to prod

In Prod: Policy assignment at time of instance instantiation
• By tag, and thus templates, for consistency, e.g. Env:Prod App:WebApache Geo:East
• Host firewalls, integrity monitoring, anomaly detection
• Virtual patching via exploit behavioral analysis
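Tag-driven policy assignment at instantiation, using the slide's Env:Prod App:WebApache Geo:East tags, as an added example that is not code from the deck or from any vendor product. POLICIES, parse_tags, assign_policies and on_instance_launch are constructed names, the control strings are constructed labels, and quarantining a workload that no template claims is this example's own assumption.

```python
"""Tag-driven policy assignment at instance launch (added example)."""

# Policy templates keyed by tag selectors (constructed). A template applies when
# every selector tag matches; several templates can stack on one instance.
POLICIES = [
    {"name": "prod-baseline", "match": {"Env": "Prod"},
     "controls": ["integrity-monitoring", "anomaly-detection"]},
    {"name": "web-apache", "match": {"App": "WebApache"},
     "controls": ["host-firewall:allow-in tcp/80,tcp/443; deny-in all",
                  "virtual-patching:apache-exploit-behaviors"]},
    {"name": "east-logging", "match": {"Geo": "East"},
     "controls": ["log-forwarding:east-collector"]},
    {"name": "dev-baseline", "match": {"Env": "Dev"},
     "controls": ["integrity-monitoring"]},
]

def parse_tags(tag_string):
    """'Env:Prod App:WebApache Geo:East' -> {'Env': 'Prod', 'App': 'WebApache', ...}."""
    tags = {}
    for token in tag_string.split():
        key, sep, value = token.partition(":")
        if not (sep and key and value):
            raise ValueError(f"malformed tag {token!r}")
        tags[key] = value
    return tags

def assign_policies(tags, policies=POLICIES):
    """Return (matched policy names, merged control list without duplicates)."""
    matched, controls = [], []
    for pol in policies:
        if all(tags.get(k) == v for k, v in pol["match"].items()):
            matched.append(pol["name"])
            for control in pol["controls"]:
                if control not in controls:
                    controls.append(control)
    return matched, controls

def on_instance_launch(instance_id, tag_string):
    """Hook run when an instance is instantiated; returns the applied policy set."""
    tags = parse_tags(tag_string)
    matched, controls = assign_policies(tags)
    if not matched:
        # Assumption of this example: a workload no template claims is quarantined
        # rather than left running with no controls at all.
        controls = ["quarantine:deny-all-egress"]
    return {"instance": instance_id, "tags": tags, "policies": matched,
            "controls": controls}
```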


Map Controls to Assets

Workload Type / Controls

Automation Servers
• Multi-Factor Authentication
• Default Deny Application Control

Jump / Bastion Hosts
• Netflow monitoring – IDS/IPS rules
• Default Deny Application Control

Auto-Scaling Groups
• System integrity monitoring
• Anomaly detection


Extend Trust Across Hybrid Clouds

Objective: Cross-cloud security consistency

• Replicate policy by workload profile

• Cross pollinate DevSecOps to on-prem

• Centralized visibility of inter-workload traffic


Cloud Security is a Team Sport

Chart: groups directly involved in cloud security (evaluating, purchasing, and operating). Groups shown: DevOps team, application development team, networking team, data center…, security team. Bar values on the chart: 32%, 44%, 56%, 61%, 63%.


The Must Haves of a Hybrid Cloud Security Solution

Supports tags for automated policy assignment

Operates in auto-scaling groups – i.e. transient instances

Flexible delivery models, including native SaaS

APIs for integrations and instrumentation (script & extract)

Linux support not an afterthought

Metered, utility-based pricing model


Cloud … exactly the same, but different



Similarities

Big data glut

Access control! Becomes even more vital

Monitoring a must

Understanding of architecture also a must

Need for automation to scale

Critical asset identification

Baseline normal

Secure design and architecture still crucial

Data protection program


Differences

No hardware (firmware attacks not your problem)

No patching

Limited configuration management

Shifting perimeter (zero trust)

Digital forensics

Quality Assurance, might reflect production!!

Double-edged sword (remember SSO?)


Unsure/Depends

• Assessment

• Does it represent more risk?

• Threats and vulnerabilities

• Corruption, deny access, exfiltration


Questions?


For more information, please visit www.intelsecurity.com/hybridcloudsecurity

Doug Cahill, [email protected]

Foundstone Cloud Assessment [email protected]@Foundstone

http://www.twitter.com/esg-global

http://www.facebook.com/ESGglobal

https://www.linkedin.com/groups?gid=1295607&trk=myg_ugrp_ovr

http://www.youtube.com/user/ESGglobal

FOLLOW ESG
