Upload
cloudpassage
View
501
Download
0
Tags:
Embed Size (px)
Citation preview
Comprehensive Cloud Security Requires an Automated Approach
Andras Cser, VP and Principal AnalystForrester Research
Carson Sweet, CEO and Co-founder
CloudPassage
November 12, 2013
Cloud Security: Automation and Centralization Matters
Andras Cser, VP and Principal Analyst
November 12, 2013
© 2013 Forrester Research, Inc. Reproduction Prohibited 3
Agenda
›Why is Cloud Security Important
›Challenges with Cloud Security
›Forrester’s Recommendations
© 2013 Forrester Research, Inc. Reproduction Prohibited 4
Agenda
›Why is Cloud Security Important
›Challenges with Cloud Security
›Recommendations
© 2013 Forrester Research, Inc. Reproduction Prohibited 5
Source: Forrsights Developer Survey, Q1 2013
“Which of the following cloud-based services have you employed on a regular basis?"
Other
Don't know
Nonrelational database
BPM
Mobile back end
Content delivery network
Application-level caching
Integration (e.g., Dell Boomi, IBM Cast Iron)
Message queuing
Content management
Messaging
Social (e.g., Salesforce Chatter)
Development tools/IDE (e.g. Cloud9, Cloud Foundry)
Relational database (e.g. SQL Azure)
Storage
Compute (e.g., Amazon EC2, Microsoft Azure VM Role)
2%
3%
14%
16%
18%
21%
23%
23%
26%
31%
33%
33%
37%
42%
49%
50%
Base = 175 software developers from companies with 1,000 or more employees
Cloud-based Services Employed Regularly
© 2013 Forrester Research, Inc. Reproduction Prohibited 6
Source: Forrester Software Survey, Q4 2012
“Which of the following initiatives are likely to be your IT organization's top project and organizational priorities over the next 12 months?”
Increase our use of software-as-a-service (cloud applications)
Base: 1,176 North American and European IT decision-makers at firms with 1,000 or more employees
Don't know
Not on our agenda
Low priority
Critical or High priority
1%
15%
35%
48%
© 2013 Forrester Research, Inc. Reproduction Prohibited 7
Why Cloud Security is like a two component glue, a unique blend:
A: The Cloud is not just a new delivery platform
B: Cloud Security is NOT just continuing security and extending it to the cloud
© 2013 Forrester Research, Inc. Reproduction Prohibited 8
Cloud Pulls the CISO in Many Directions
CISO and Security
Organization Changes, aka
Uneven Handshake
2. LOB procures
cloud services
1. Cloud Offers
Irresistible Benefits
5. Security Struggles to
Reduce Cloud Security Risks
4. Data Center Is Loosely Coupled
3. CISO Can’t Say No All the Time
© 2013 Forrester Research, Inc. Reproduction Prohibited 9
Cloud Security Means a Lot of Things to a Lot of People
› What interfaces our company has to have to work well with our Cloud Providers? (Security To the Cloud)
› How can a Cloud Provider (like Amazon Web Services or SalesForce.com) prove to us that they are secure? (Security In the Cloud)
› How can our company make its internal (and in some cases, Cloud Provider) security better? (Security From the Cloud)
› What are the organizational implications of Cloud and Cloud Security to our IT security organization?
Cloud Security Prepositions
© 2013 Forrester Research, Inc. Reproduction Prohibited 11
Agenda
›Why is Cloud Security Important
›Challenges with Cloud Security
›Recommendations
© 2013 Forrester Research, Inc. Reproduction Prohibited 12
General Challenges with Cloud Security› Ease of Use for End Users (you can’t control end users)
• Cloud security should not require users to change behaviors or tools
› Inconsistent Control (you don’t own everything)
• The only thing you can count on is guest VM ownership
› Elasticity (not all servers are steady-state)
• Cloudbursting, stale servers, dynamic provisioning
› Scalability (highly variable server counts)
• May have one dev server or 1,000 production web servers
› Portability (same controls work anywhere)
• Nobody wants multiple tools or IaaS provider lock-in
© 2013 Forrester Research, Inc. Reproduction Prohibited 13
Challenges with Cloud Security› Data protection
› Workload separation and multi tenancy
› Information Rights Management
› SaaS providers don’t help much with security related concerns
› Network Security
› Identity and Access Management (IAM) and Privileged Identity Management (PIM)
› Business Continuity and Disaster Recovery (BCDR)
› Log Management (SIEM)
© 2013 Forrester Research, Inc. Reproduction Prohibited 14
Cloud Does NOT Shift the Responsibility of Data Protection
› “When data is transferred to a cloud, the responsibility for protecting and securing the data typically remains with the collector or custodian of that data.”
Cloud Security Alliance, Guidance v3.0X
© 2013 Forrester Research, Inc. Reproduction Prohibited 15
Agenda
›Why is Cloud Security Important
›Challenges with Cloud Security
›Protecting Data In the Cloud
›Recommendations
How do we avoid this?
When it comes to responsibilities…
Who’s Responsible for IaaS Security?
Physical Facilities
Hypervisor
Compute & Storage
Shared Network
Virtual Machine
Data
App Code
App Framework
Operating System
Cu
sto
mer R
esp
on
sib
ilityP
rovid
er
Resp
on
sib
ility
“…the customer should assume responsibility and management of, but not limited to, the guest operating system and associated application software...”
“it is possible for customers to enhance security and/or meet more stringent compliance requirements with the addition of host based firewalls, host based intrusion detection/prevention, encryption and key management.”
Amazon Web Services: Overview of Security Processes
AWS Shared Responsibility Model
Typical questions and
requirements:
• How can you source security
services from MSSPs?
• How can you protect security
and data at our cloud
providers?
• In general: How do we
integrate on existing on-
premise security with the
MSSPs security products?
Think Security From the Cloud
© 2013 Forrester Research, Inc. Reproduction Prohibited 19
Do your homework…› Get as much detail around security from your SaaS
provider as you can
› Set clear boundaries for security responsibilities between you and your IaaS/PaaS provider
› Data protection, data protection, data protection
› Don’t build your own tools
› Apply comprehensive approach to cloud security
› Centralize and scale security policy management for your cloud
› Automate your security (you can’t manually configure thousands of servers)
© 2013 Forrester Research, Inc. Reproduction Prohibited 20
Security automation for virtualized & cloud environments
Problem: Infrastructure Security Is Behind
› Infrastructure more distributed and dynamic than ever
› Current security models neither dynamic nor distributed
› Perimeters, appliances, hardware reliance, stable configurations, change control, endpoint security solutions… all marginalized to worthless in new models
› Without infrastructure security, all other security measures are weak (castle on sand, not bedrock)
Security teams can’t assure security or compliance, being dragged behind business
The Old Model: everything behind firewall, low rate of change, very few infrastructure stacks
The New Model: multiple stacks, broadly distributed, legacy approaches fail
Security Buyer Challenges
› Achieving compliance in cloud environments• PCI, HIPAA, ISO 27002, SOC2, SANS Top 20, NIST
› Disparate systems & high rate of change• “Dynamic” is core to cloud, new mode of operation
• Security orchestration & automation underserved needs
› Existing products don’t work well (if at all)• Technically designed for a different time
• Do not match up to dynamic cloud operational models
Why Do Existing Solutions Fail?
Network &hardware
dependencies
Lack of metered-usage licensing
Cannot handle elasticity or wide
distribution
Cannot operate across cloud
models
How we built high-scale security & compliance
automation
Objective: Consolidate & Automate Controls
Halo Security Automation Platform
Automation Needs To Work Anywhere
Automation Must Extend Current Tools
Security Automation Outcomes
› Massive reduction in security ops overhead
• Automated control deployment & orchestration
• Consolidation of otherwise disparate functions
• Single point of security & compliance management
› Security and compliance consistency
• Security & compliance that’s truly built-in
• Eliminates opportunities for human error
• Deploy once, certify many (complex compliance)
› Enables safe use of cloud models
• Security teams have confidence in controls
• Cloud projects don’t require manual intervention
Automating security enables saying “yes” to cloud, improves security, and
makes complex compliance achievable.
Key Takeaway:
Questions?