Moving 400 Engineers to AWS: Our Journey to Secure Adoption (SEC306-S) - AWS re:Invent 2018
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Moving 400 Engineers to AWS: Our Journey to Secure Adoption
Fleming Shi
SVP, Technology
Barracuda Networks
SEC306-3
Where will your applications be in a few years?
Apps are on the move
[Diagram: apps moving from On Premises (HQ), through Hybrid (HQ with Public Cloud & SaaS), to Public Cloud “All-in”]
Technology evolution at Barracuda
2004 – 2008
• Application-layer security appliances
• Hardened hardware appliances
• Unified platform
• IDC unit volume leader for purpose-built security appliance company
2009 – 2010
Breaking Deployment Barriers
• Added VM offerings for our appliance products
• Supporting all major Hypervisors
• Continue to win more awards
Network Layer Security Appliances
• Added Barracuda Next Generation Firewall
Storage and Data Protection
2011 – 2013
Added SaaS Offerings
• Remove the need to rack & stack, continue to simplify IT
• Email Security Service
• Web Security Service
• Mobile Device Management Service
• Centralized Management for dispersed IT organizations
• Barracuda Cloud Control
Mobile Security
Public Cloud Integrations
• AWS
2014 – Now
Adoption of Microservices
• Architectural Transformation
• Microservices with “API-First”
• Containerize for Portability
• Continuous Integration and Deployment
• We need to build FASTER!
DevOps Mentality – Need for Speed
The days of building software and tossing it over the wall to the Ops team are long gone.
Operational efficiency is achieved by continuously:
build | integrate | deploy | protect | monitor | remediate
DevOps Mentality – SLA
High Availability & Geographically Distributed
Zero-Trust which leads to “Rehydration” of Workloads
Data Center
Need contracts in the continents where customers reside
Peering provider and upstream hiccups
Remote hands
Physical security
Just one more thing, “EPO (Emergency Power Off)” Button
Time Needed: Months
Rack Space Allocation
We have a cage and a network drop, now what?
Need racks and plan for expansion
Time Needed: Weeks
Power Consumption
Rack density depends on the hardware
Need to leave half of the racks empty unless you change your hypervisor hardware
Time Needed: Weeks
Hypervisor Agility
…6 months later…
We got everything running, awesome right? Wait…
Need more IO performance and space
Time to shuffle some guest VMs
Expansion takes time and planning…
Time Needed: Months
Breaking Point
We actually ran out of cables
Question: Is this ever going to end?
Unfortunate answer I can anticipate: Probably not
Time Needed: Weeks
Security & Compliance Posture
A series of questions
• Where is everything and how are they related?
• Who has access to what?
• How do you handle incidents?
• What about data privacy issues?
Building fast has consequences…
Low visibility on developer activity
How are we asset-tracking for each application?
Is there a concept of Dev, Staging then Production?
Why are we getting Abuse Reports?
Abuse Reports
Productivity is way up for projects, but we start to see security incidents. Yes, I got 3 in a 30-day span… embarrassed.
Conclusion: We need to watch over the builders via Management and Control Plane natively in the platform.
“Governance with CIS Benchmark and provide auto-remediation”
Application Security
Workloads are easy to spin up, but flows in/out of your applications still need protection.
Conclusion: We need application layer protection at the data plane.
“Secure Data in Transit”
Security for Data at Rest
Today, applications are built with UIs, APIs, Databases and Object Storage.
How do I guarantee the data from my application in Amazon Simple Storage Service (Amazon S3) buckets is clean?
Conclusion: We need to protect the Amazon S3 buckets from misconfiguration and malware.
“Secure Data at Rest with Barracuda ATP, Amazon Macie”
Hybrid Cloud
I needed a strong mesh of service regions to support our customers. What if we rely on AWS as the backbone? I can benefit from its SLA.
Conclusion: Let’s build our Transit VPC using Barracuda Cloud Gen FWs.
“AWS and Barracuda Better Together”
“dev:sec:ops” vs. Information Security
• Software engineer vs. Risk professional
• Cloud expertise, no security vs. ‘Cloud challenged’, sec pros
• API only interface vs. GUI with centralized management
• Open source tools vs. Established ISVs
• Hard to reach vs. Well established Marketing channel
• Self-consumption of products (marketplace) open PO vs. POs through established channel
• Metered-billing vs. Licenses
Different models
2 personas
Builders vs. IT Professionals
There is a natural friction between building fast and staying secure… what can Barracuda do here?
Barracuda is ready to do this with our security expertise in data plane and working with the native controls on AWS.
Demo
Demonstrate how Barracuda identifies threats, from “Data at Rest” to protecting the application itself.
Demonstrate how “continuous monitoring” helps the Build Fast motion and prevents disasters.
Embrace Native Controls
AWS is now providing more in-depth capabilities for security professionals.
Conclusion: Barracuda can integrate and deploy AWS native controls and services wherever possible.
Amazon GuardDuty
Macie
Be prescriptive with advanced security controls
At the time of policy creation, we can identify the right solution for enforcement. Only use what you need at the right place.
Conclusion: Security controls beyond what the platform provides are readily available; we just need to orchestrate them through APIs and remove deployment complexities.
From management plane to data plane
OWASP top 10 for web applications
Advanced Threat Protection for Amazon S3
IPS/IDS in flows
Do you want to build fast and stay secure?
Check out Barracuda’s booth #2029
Thank you!
- Fleming Shi