Enterprises today cannot get by without a clear strategy for cloud security. Whether the organization’s adoption of cloud environments (private, public or hybrid) is driven by business strategy or by unsanctioned employee use, CISOs and their security teams need to be prepared for this inevitable infrastructure shift.
Attend and learn how to build a cloud security strategy that makes your CISO successful. Join Rich Mogull, lead analyst at Securosis, and Nick Piagentini, Solution Architect at CloudPassage as they discuss the following topics:
-Cloud is Different, But Not the Way You Think
-Adapting Security for Cloud Computing Principles
-Getting Started: Practical Applications
-CISO Cloud Security Checklist
3. Multitenancy Isn’t the Issue
• We have always secured shared infrastructure.
• We have always trusted our data to others.
• Our existing processes and controls will still work.
• It is the abstraction and automation of cloud that really impact security.
5. Automation
[Diagram: VMs on hypervisors grouped into a compute pool and a storage pool, each with its own management and orchestration layer; a compute controller and a storage/volume controller reached from the outside world over a management network, using APIs.]
Cloud computing resources change in minutes and seconds.
Scans, static settings, and caches can’t keep up.
6. DevOps, SecOps, and Cloud
• DevOps is an operational framework.
• It is a natural outcome of cloud computing, not some weird over-hyped trend.
• Traditional silos condense, then operate with higher agility (and, ideally, resiliency).
• Security is the most resistant to change (for good reasons), because it still relies on a manual operational model.
8. Adapting Security for the Cloud
• Don’t rely on boxes and wires.
• Be as elastic and agile as the cloud.
• Rely more on policy-based automation.
• Understand and adjust for cloud characteristics (e.g. security groups vs. firewalls).
• Integrate with DevOps.
http://the4faces.com/2011/09/29/stages-of-evolution/
9. Control the Management Plane
• Harden web and API servers.
• Leverage cloud IAM.
• Compartment with IAM.
• Audit, log, and alert.
• Use a management plane proxy.
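The "audit, log, and alert" point is the one most teams leave vague, so here is an added example (not code from the deck, Securosis or CloudPassage) of what an alert rule over management-plane activity looks like. The events are constructed and follow the shape of AWS CloudTrail records (eventName, eventSource, userIdentity, sourceIPAddress); the allowed source ranges, the list of sensitive API calls and the account ID are assumptions chosen for illustration.

```python
"""Alert on risky management-plane (cloud API) activity.

Added example, not from the Securosis/CloudPassage deck. The events below are
constructed for illustration and follow the shape of AWS CloudTrail records;
the allowed source ranges and sensitive-call list are assumptions.
"""
import ipaddress
from typing import Iterable

# Where management-plane calls are allowed to originate (assumed: a corporate
# egress range plus the address of a management plane proxy / bastion).
ALLOWED_SOURCES = [ipaddress.ip_network("203.0.113.0/24"),
                   ipaddress.ip_network("198.51.100.10/32")]

# Calls that change who can do what, or that weaken logging. Always review.
SENSITIVE_EVENTS = {
    "iam.amazonaws.com": {"CreateUser", "AttachUserPolicy", "PutUserPolicy",
                          "CreateAccessKey", "UpdateAssumeRolePolicy"},
    "cloudtrail.amazonaws.com": {"StopLogging", "DeleteTrail", "UpdateTrail"},
    "ec2.amazonaws.com": {"AuthorizeSecurityGroupIngress"},
}


def mfa_used(event: dict) -> bool:
    """CloudTrail records MFA as the string 'true' under sessionContext."""
    attrs = event.get("userIdentity", {}).get("sessionContext", {}).get("attributes", {})
    return attrs.get("mfaAuthenticated") == "true"


def from_allowed_source(event: dict) -> bool:
    """True if the call came from an allowed network (or from an AWS service)."""
    src = event.get("sourceIPAddress", "")
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        # Calls made by AWS services on your behalf carry a service name here,
        # not an IP address; treat them as allowed rather than failing.
        return True
    return any(ip in net for net in ALLOWED_SOURCES)


def analyze(events: Iterable[dict]) -> list[str]:
    """Return one alert string per finding, in event order."""
    alerts = []
    for ev in events:
        ident = ev.get("userIdentity", {})
        who = ident.get("userName") or ident.get("arn", "?")
        name, source = ev.get("eventName"), ev.get("eventSource")
        if ident.get("type") == "Root":
            # The root identity should never be used for day-to-day work.
            alerts.append(f"ROOT_USED {name} by root from {ev.get('sourceIPAddress')}")
        if name in SENSITIVE_EVENTS.get(source, ()):
            if not mfa_used(ev):
                alerts.append(f"SENSITIVE_NO_MFA {name} by {who}")
            if not from_allowed_source(ev):
                alerts.append(f"SENSITIVE_BAD_SOURCE {name} by {who} from {ev.get('sourceIPAddress')}")
    return alerts


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {"eventTime": "2014-03-01T10:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}}},
    {"eventTime": "2014-03-01T10:05:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}}},
    {"eventTime": "2014-03-01T11:00:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "192.0.2.55",
     "userIdentity": {"type": "IAMUser", "userName": "bob",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}}},
    {"eventTime": "2014-03-01T11:30:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"}},
]

if __name__ == "__main__":
    for line in analyze(SAMPLE_EVENTS):
        print(line)
```

The source check is where the "management plane proxy" bullet pays off: once every human call is forced through the proxy, any sensitive call from another address is worth an alert on its own.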
10. Automate Host Security
• Embed agents in images and at launch.
• Integrate with configuration management.
• Dynamically configure agents.
• Prefer lightweight and agile agents.
• Host tools should support REST APIs.
13. Adapt Network Security
• Design a good security group baseline.
• Augment with host firewall that coordinates with cloud.
• Push more security into the host.
• Prefer virtual network security appliances that support cloud APIs.
• Take advantage of cloud APIs.
• Security policies must follow instances.
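"Design a good security group baseline" is easier to enforce if the baseline is code that runs against every group before it goes live. The following is an added example, not code from the deck or from CloudPassage: the groups are constructed and mirror the shape of EC2 describe-security-groups output (IpPermissions with IpProtocol, FromPort, ToPort, IpRanges and UserIdGroupPairs), and the baseline rules, the bastion group id and the 100-port threshold are assumptions about a reasonable policy.

```python
"""Check security groups against a baseline before they are used.

Added example, not from the deck. Group definitions are constructed and follow
the shape of EC2 describe-security-groups output; the rules are assumptions.
"""

ANYWHERE = "0.0.0.0/0"
ADMIN_PORTS = {22, 3389}          # SSH and RDP: never open to the world
BASTION_SG = "sg-bastion"         # assumed id of the jump-host group allowed in
WIDE_RANGE = 100                  # assumed: more than this many ports to anywhere is a finding


def check_group(group: dict) -> list[str]:
    """Return baseline violations for one security group, in rule order."""
    findings = []
    gid = group["GroupId"]
    for perm in group.get("IpPermissions", []):
        cidrs = {r["CidrIp"] for r in perm.get("IpRanges", [])}
        src_groups = {g["GroupId"] for g in perm.get("UserIdGroupPairs", [])}
        if perm.get("IpProtocol") == "-1":
            # "All traffic" has no port range; only acceptable group-to-group.
            if cidrs:
                findings.append(f"{gid}: all traffic open to {sorted(cidrs)}")
            continue
        lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
        if ANYWHERE in cidrs and hi - lo + 1 > WIDE_RANGE:
            findings.append(f"{gid}: ports {lo}-{hi} open to {ANYWHERE}")
        for port in sorted(ADMIN_PORTS):
            if not (lo <= port <= hi):
                continue
            if ANYWHERE in cidrs:
                findings.append(f"{gid}: admin port {port} open to {ANYWHERE}")
            elif cidrs or src_groups - {BASTION_SG}:
                # Admin access is allowed only from the bastion group, so any
                # CIDR source or any other group is a deviation from baseline.
                findings.append(f"{gid}: admin port {port} allowed from "
                                f"{sorted(cidrs | src_groups)}, not only {BASTION_SG}")
    return findings


def check_all(groups: list[dict]) -> list[str]:
    """Run the baseline over every group; an empty list means compliant."""
    findings = []
    for g in groups:
        findings.extend(check_group(g))
    return findings


def _tcp(lo: int, hi: int, cidrs=(), groups=()) -> dict:
    """Build one permission entry in describe-security-groups shape."""
    return {"IpProtocol": "tcp", "FromPort": lo, "ToPort": hi,
            "IpRanges": [{"CidrIp": c} for c in cidrs],
            "UserIdGroupPairs": [{"GroupId": g} for g in groups]}


# Constructed sample groups (not captured from a real account).
SAMPLE_GROUPS = [
    {"GroupId": "sg-web", "IpPermissions": [
        _tcp(80, 80, cidrs=[ANYWHERE]),
        _tcp(443, 443, cidrs=[ANYWHERE]),
        _tcp(22, 22, groups=[BASTION_SG])]},
    {"GroupId": "sg-legacy", "IpPermissions": [
        _tcp(22, 22, cidrs=[ANYWHERE]),
        _tcp(8000, 9000, cidrs=[ANYWHERE])]},
    {"GroupId": "sg-dev", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": ANYWHERE}], "UserIdGroupPairs": []}]},
]

if __name__ == "__main__":
    for f in check_all(SAMPLE_GROUPS):
        print(f)
```

Because the rules are keyed on group ids rather than instance addresses, the policy follows an instance into whichever group it launches with, which is the "security policies must follow instances" point above.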
14. Leverage the Cloud
• Immutable servers
• Stateless security
• Security automation
• Software Defined Security
16. Embedding and Validating Security Agents
Embedding: Build in | Inject | Config push
Validating: Tie to running services | Tie to cloud platform
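Slide 10 says to embed agents at launch and slide 16 says to validate them by tying them to the cloud platform; the check that connects the two is a reconciliation of the cloud's own instance list against the agents that have actually reported in. Here is an added example of that check, not code from the deck or from CloudPassage's Halo. Both inventories are constructed: the instance records mimic what a cloud API returns (InstanceId, State, LaunchTime) and the check-ins mimic what an agent console would report; the grace and staleness thresholds are assumptions.

```python
"""Validate security-agent coverage against the cloud platform's inventory.

Added example, not from the deck. Both inventories are constructed; the
instance list mimics a cloud API's output and the check-ins mimic an agent
console's output. Time thresholds are assumptions.
"""
from datetime import datetime, timedelta, timezone

LAUNCH_GRACE = timedelta(minutes=10)   # time an injected agent gets to register
CHECKIN_STALE = timedelta(minutes=15)  # an agent silent longer than this is suspect


def _ts(s: str) -> datetime:
    """Parse the ISO-8601 UTC timestamps used in both inventories."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def reconcile(instances: list[dict], checkins: list[dict], now: datetime) -> dict[str, list[str]]:
    """Compare running instances with agent check-ins.

    Returns three sorted lists keyed 'missing' (running instance, no agent
    after the grace period), 'stale' (agent present but silent too long) and
    'orphaned' (agent reporting for an instance the cloud says is not running).
    """
    running = {i["InstanceId"]: i for i in instances if i["State"] == "running"}
    last_seen = {c["instance_id"]: _ts(c["last_checkin"]) for c in checkins}
    report = {"missing": [], "stale": [], "orphaned": []}
    for iid, inst in running.items():
        if iid not in last_seen:
            # Cloud resources change in minutes, so allow a short window for
            # the agent embedded at launch to come up before alerting.
            if now - _ts(inst["LaunchTime"]) > LAUNCH_GRACE:
                report["missing"].append(iid)
        elif now - last_seen[iid] > CHECKIN_STALE:
            report["stale"].append(iid)
    for iid in last_seen:
        if iid not in running:
            # Either a terminated host whose agent record should be retired,
            # or a host the cloud inventory does not know about at all.
            report["orphaned"].append(iid)
    return {k: sorted(v) for k, v in report.items()}


# Constructed sample data (not from a real environment).
SAMPLE_NOW = datetime(2014, 3, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_INSTANCES = [
    {"InstanceId": "i-web1", "State": "running", "LaunchTime": "2014-03-01T11:00:00Z"},
    {"InstanceId": "i-web2", "State": "running", "LaunchTime": "2014-03-01T11:57:00Z"},
    {"InstanceId": "i-db1", "State": "running", "LaunchTime": "2014-03-01T09:00:00Z"},
    {"InstanceId": "i-app1", "State": "running", "LaunchTime": "2014-03-01T10:00:00Z"},
    {"InstanceId": "i-old1", "State": "terminated", "LaunchTime": "2014-02-28T08:00:00Z"},
]
SAMPLE_CHECKINS = [
    {"instance_id": "i-web1", "last_checkin": "2014-03-01T11:58:00Z"},
    {"instance_id": "i-app1", "last_checkin": "2014-03-01T11:30:00Z"},
    {"instance_id": "i-old1", "last_checkin": "2014-03-01T11:59:00Z"},
]

if __name__ == "__main__":
    for kind, ids in reconcile(SAMPLE_INSTANCES, SAMPLE_CHECKINS, SAMPLE_NOW).items():
        print(kind, ids)
```

Run on a schedule, this replaces the periodic scan that slide 5 says cannot keep up: the cloud API is the source of truth for what exists, and the agent console is the source of truth for what is protected, so the difference is the exposure.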
20. What your CISO needs to know
Nicholai Piagentini
Sr. Solutions Architect
21. First an allegorical example
• Large enterprise, traditional physical datacenter, traditional security.
• Growth by acquisitions introduces a widely disparate set of new environments to secure.
• Most acquisitions are in the cloud already and did not consider security as critical as the parent company did.
• Security had to find a solution that fit all of it.
22. Key points for this example
• Cannot rely on boxes and wires
– Multiple clouds, multiple physical datacenters.
– Host-based security is the only option that scales.
• Elastic and agile security
– New acquisitions on the horizon, no real end in sight.
– Baking security into the stack makes this easy.
• Policy-based automation
– Server groups can link like servers across deployments.
23. How Halo helped
• Halo is a security automation platform.
• The Halo agent is deployed onto the individual virtual hosts.
• Policy is defined on our cloud-based Security Analytics Engine.
• Does not rely on any specific hypervisor.
• Policy follows the image wherever it goes.