Sam Herath - Six Critical Criteria for Cloud Workload Security

12 Apr 2016
1. Six Critical Criteria for Cloud Workload Security. Sam Herath, Cloud Security Evangelist. © 2015 CloudPassage Confidential
2. Our Worldview
   • Who CloudPassage is and who we protect
     ◦ Cloud infrastructure security and compliance
     ◦ About 100 large enterprises, including a number of Fortune 500s
   • Enterprise IT delivery is undergoing a massive transformation
     ◦ Cloud-oriented, on-demand IT will be the norm, driven by business demands
     ◦ Application business owners want speed, agility and efficiency
   • Big challenges remain
     ◦ SDDC, hybrid cloud and agile development drive a new mode of IT operation
     ◦ Existing applications don't magically migrate to the new model
     ◦ Deeply centralized functions (like security and compliance) are the most challenged
3. Cloud Breaks Security. Sorry About That :(
4. Traditional DC Hosting Model [Diagram: applications A through E, each hosted on its own dedicated infrastructure]
5. Traditional DC Hosting Model [Diagram: application A's web servers and databases sit behind a network firewall, network IDS/IPS, a web application appliance and a crypto gateway]
6. Private Cloud Hosting Model [Diagram: instances of applications A through E intermixed across shared virtualized hosts]
7–8. Public Cloud Hosting Model [Diagram: the same workloads spread across the data center and a public cloud]
9. Cloud Workload Security must…
   1. …be right at the workload
   2. …cover a broad set of controls
   3. …be automated and orchestrated with DevOps
   4. …work everywhere
   5. …scale vertically and horizontally
   6. …deal with the reality of business and IT!
10. 1. Security At The Workload
   • "'Cause that's where the compute is."
   • The workload is the layer of abstraction (it answers "what", not "how")
   • Not reliant on a specific network, perimeter, hypervisor or security appliance
   • Policy driven
   • Logically grouped
   • Applied automatically
   • Portable, scalable, transparent, universal
11. 1. Security At The Workload [Diagram: the IaaS stack, top to bottom]
   • Customer controlled: User Administration, Application Code, Application Stack, VM Guest OS
   • Provider controlled: Virtualization Stack, Compute/Storage HW, Network Infrastructure, Physical Environment
12. 2. Cover a Broad Set of Controls: Strong Access Controls, Visibility & Awareness, Data Protection, Vulnerability Management, Compromise Management, Operational Automation
13. 2. Cover a Broad Set of Controls
   • Software Vulnerability Assessment
   • Configuration Security Monitoring
   • Traffic Discovery
   • Firewall Management and Orchestration
   • Server Account Management
   • Multi-factor Authentication
   • Intrusion Detection
   • File Integrity Monitoring
   • …
14. 3. Automated and Orchestrated
15–16. 3. Automated and Orchestrated [Figure: a twelve-month release calendar, January through December, with releases R1 through R12 and the phases analysis and design, coding and implementation, quality testing, staging and release]
17. 3. Automated and Orchestrated [Figure: the same release calendar, annotated]
   • Core security policies are already implemented, regardless of environment
   • Security unit-test cases are required, or the code is rejected (yes, really)
   • Code and infrastructure policies are enforced using DevOps-style automation
   • Staging smoke tests include automated pen-testing, vulnerability assessment, policy validation and security baselines (against the gold master)
   • All of this feeds into SIEM and GRC tools via API
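The "security baselines against the gold master" check on slide 17, combining the file integrity monitoring and configuration security monitoring controls listed on slide 13, as an added example. This is not CloudPassage code: it hashes the files a gold-master image ships, records the hardening settings the policy expects, compares a running host against that baseline, and emits newline-delimited JSON findings of the kind a SIEM or GRC tool would ingest. Every file, setting, host name and severity mapping below is constructed for the demo.

```python
"""Gold-master baseline check for a cloud workload (added example, not
CloudPassage code). File contents, settings and host names are constructed."""
import hashlib
import json
from typing import Dict, List, Optional

# Constructed gold-master image: path -> bytes. Short placeholder bytes stand
# in for binary content so the example runs offline.
GOLD_FILES: Dict[str, bytes] = {
    "/etc/cron.allow": b"root\n",
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
    "/usr/bin/sudo": b"<placeholder for the sudo binary>",
}
# Constructed hardening settings; the key names are illustrative, not a schema.
GOLD_CONFIG: Dict[str, str] = {
    "sshd.PermitRootLogin": "no",
    "sshd.PasswordAuthentication": "no",
    "kernel.randomize_va_space": "2",
}
# Constructed state of a drifted host: cron.allow deleted, sshd_config edited
# to allow root login, a script dropped in /tmp, and ASLR switched off.
DRIFTED_FILES: Dict[str, bytes] = {
    "/etc/ssh/sshd_config": b"PermitRootLogin yes\nPasswordAuthentication no\n",
    "/usr/bin/sudo": b"<placeholder for the sudo binary>",
    "/tmp/.x": b"#!/bin/sh\n",
}
DRIFTED_CONFIG: Dict[str, str] = {
    "sshd.PermitRootLogin": "yes",
    "sshd.PasswordAuthentication": "no",
    "kernel.randomize_va_space": "0",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_baseline(files: Dict[str, bytes], config: Dict[str, str]) -> dict:
    """Snapshot the gold master: one hash per file plus the expected settings."""
    return {"files": {p: sha256_hex(files[p]) for p in sorted(files)},
            "config": dict(config)}


def _finding(host: str, group: str, control: str, severity: str, item: str,
             expected: Optional[str], observed: Optional[str], message: str) -> dict:
    return {"host": host, "group": group, "control": control, "severity": severity,
            "item": item, "expected": expected, "observed": observed, "message": message}


def check_workload(baseline: dict, files: Dict[str, bytes], config: Dict[str, str],
                   host: str, group: str) -> List[dict]:
    """Compare one host against the baseline. Returns an empty list when clean."""
    findings: List[dict] = []
    # File integrity: a missing or altered baseline file is rated high, a file
    # the baseline never shipped is rated medium (severity mapping is assumed).
    for path, expected in baseline["files"].items():
        if path not in files:
            findings.append(_finding(host, group, "fim", "high", path, expected,
                                     None, "baseline file missing"))
        elif sha256_hex(files[path]) != expected:
            findings.append(_finding(host, group, "fim", "high", path, expected,
                                     sha256_hex(files[path]), "baseline file modified"))
    for path in sorted(set(files) - set(baseline["files"])):
        findings.append(_finding(host, group, "fim", "medium", path, None,
                                 sha256_hex(files[path]), "file not in baseline"))
    # Configuration security monitoring: every expected setting must match.
    for key, expected in baseline["config"].items():
        observed = config.get(key)
        if observed != expected:
            findings.append(_finding(host, group, "config", "high", key, expected,
                                     observed, "setting deviates from policy"))
    return findings


def to_siem_ndjson(findings: List[dict]) -> str:
    """One JSON object per line, a shape common log collectors accept."""
    return "\n".join(json.dumps(f, sort_keys=True) for f in findings)


def run_demo() -> List[dict]:
    baseline = build_baseline(GOLD_FILES, GOLD_CONFIG)
    # The gold master checked against itself must come back clean.
    assert check_workload(baseline, GOLD_FILES, GOLD_CONFIG, "web-01", "web") == []
    return check_workload(baseline, DRIFTED_FILES, DRIFTED_CONFIG, "web-02", "web")


if __name__ == "__main__":
    print(to_siem_ndjson(run_demo()))
```

The baseline is built once from the gold master and then applied to every host in the same logical group, which is the "policy driven, logically grouped, applied automatically" model of slide 10; on a real host the two constructed dictionaries would be replaced by reading the file list and the sshd and sysctl settings from the system.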
18. 4. Work Everywhere [Diagram: the stack from slide 11 (customer controlled: User Administration, Application Code, Application Stack, VM Guest OS; provider controlled: Virtualization Stack, Compute/Storage HW, Network Infrastructure, Physical Environment) repeated across a second IaaS provider, a colo facility and the corporate DC]
19. 5. Scale Vertically and Horizontally
   • Is 200 MB of RAM a lot? 10 MB? Times how many different tools?
   • Is 100 systems a lot? 1,000? 60,000?
   • One big factory → servers, instances, microservices and containers
20. 6. Deal with the Reality of IT
21. 6. Deal with the Reality of IT [Figure: a spectrum from Modern to Legacy: experiments and innovation; greenfield applications; any new application; low-risk migrations; high-risk migrations; core business applications ("business as usual"); the last legacy project]
22. 6. Deal with the Reality of IT [Diagram: Traditional Data Center, bare metal and basic virtualization]
23–24. 6. Deal with the Reality of IT [Diagram: UCS Director]
25. Cloud Workload Security must… (recap)
   1. …be right at the workload
   2. …cover a broad set of controls
   3. …be automated and orchestrated with DevOps
   4. …work everywhere
   5. …scale vertically and horizontally
   6. …deal with the reality of business and IT!
26–27. From Chaos… To Control: Security Automation and Orchestration [Diagram: UCS Director]
28. www.cloudpassage.com