SlideShare une entreprise Scribd logo

Building and Adopting a Cloud-Native Security Program

Priyanka Aash
Priyanka Aash

The document discusses building a cloud-native security program. It recommends embracing principles like automation, immutability, and isolation. It covers securing applications, infrastructure, and operations in the cloud. For applications, it recommends secure design and deployment through DevOps practices. For infrastructure, it suggests starting with architecture, using infrastructure as code, and implementing immutable and baseline shared services. It also provides tips for monitoring, alerting, assessment, and automating security management in the cloud.

Technologie
1  sur  38
Télécharger pour lire hors ligne
SESSION ID: #RSAC CSV-W14 - BUILDING AND ADOPTING A CLOUD-NATIVE SECURITY PROGRAM VP of Product/Analyst /Securosis @rmogull Bill Burns Chief Trust Officer, VP Business Transformation @x509v3 Rich Mogull
#RSAC Our Plan 2 Show you how to build your program from scratch And bridge existing capabilities Highlight fundamental differences of cloud Show you what’s real We’ve done this… all of it. None of this is theory From architecture and strategy to key controls areas
#RSAC STRATEGY
#RSAC Cloud Native == NOT.Legacy 4 You build it from scratch OR Redesign without compromise
#RSAC Building the cloud-native mindset 5 Cloud is: Abstracted Ephemeral Developer Driven Automated You should: Embrace Failure Kill the Past Volatile Massively Scalable Think Like a Developer Embrace Automation Isolate by Default Ephemeral
#RSAC Know the Lines, Use Them for Advantage 6 Risk & Compliance Declare and understand the shared responsibilities model What you are responsible for, what the provider is responsible for. Critical cloud provider security capabilities You interact via APIs, not projects Use the model to change attack surface Physical Infrastructure Virtualization/ Abstraction Application and PaaS Services Management Plan/Metastructure Host/Server Security Network, IAM, and Metastructure Configuration Security Data and Application Security ProviderConsumer Your customers and competitors are already getting comfortable with this
#RSAC Critical cloud provider security capabilities 7 ‣ API/admin activity logging ‣ Elasticity and autoscaling ‣ APIs for all security features ‣ Granular entitlements ‣ Good SAML support ‣ Multiple accounts/subscriptions/projects per customer ‣ Software defined networking
#RSAC Cloud Native Security Program Principles 8 APIs Automation Immutability & Isolation
#RSAC APPLICATION SECURITY App security before infrastructure
#RSAC Cloud Application Security Process 10 Secure architecture and design Secure deployment/DevOps External security controls Secure Operations
#RSAC Even infrastructure security starts with application design 11 Fit the infrastructure to the application Leverage architecture for security Automate deployment and management with DevOps Required for immutable, cloud disaster recovery, and portability anyway Good design can eliminate common traditional security issues Network attack paths, patch management
#RSAC Secure Application Development/ Deployment (Example) 12 Source Code GitCloudformation Templates Jenkins Functional Tests Chef Recipes NonFunctional Tests Test Prod Unit/regression tests Functional tests SAST DAST VA/Network/Infrastructure
#RSAC Architecture + DevOps is cloud security 13 ‣ Architecture allows you to leverage the shared responsibilities model to reduce your security management surface and push them onto a cloud provider that has stronger economic incentives to avoid incidents. ‣ You are paying for it anyway, might as well take advantage. ‣ DevOps provides a consistency and control impossible with manual application deployments. ‣ Security can easily embed and automate into the same toolchains as development and operations. ‣ Security can steal DevOps techniques to improve security operations.
#RSAC INFRASTRUCTURE Building your cloud infrastructure security
#RSAC Start with Architecture 15 Architecture == security; it’s a primary control not something to eval after the fact Intrinsically tied to applications: These are general principles and cross-project design patterns. Segregate with Accounts/Subscriptions/Projects first, virtual networks second Minimize blast radius Leverage immutable infrastructure Cut off network attack paths Wipe out classes of traditional security issues Accou nt Virtual Network Subn et Security Group Virtual Network Subn et Security Group Accou nt Virtual Network Subn et Security Group Virtual Network Subn et Security Group Accou nt Virtual Network Subn et Security Group Virtual Network Subn et Security Group Boom
#RSAC Own the Management Plane, Own the Cloud 16 Baseline shared services / management plane Use to enforce guardrails - let the cloud move fast but detect and respond quickly to things that stray too far Make this “more secure approach” the “easier approach” to adopt. Enforce as the pathway in / out. Secure the root account Manage Non- Root Users Enable Monitoring/Auditi ng Deploy Infrastructure, workloads
#RSAC Define infrastructure in code 17 Full Stack (Networks/IAM/etc) Servers (Instances) Containers
#RSAC Infrastructure As Code - Master Image Bakery 18 Packer configuration Git Jenkins Security Tests Test Ops/Server Engineering Requirements InfoSec Requirements Master Image Replace, Don’t Patch
#RSAC Immutable Infrastructure 19 Template A: Template B:
#RSAC Immutable Infrastructure 20 Template B:
#RSAC Baseline Shared Services 21 IAM Federated Identity Broker ABAC Security Access Multiple authorities Identity Provider Relying Party Federated Trust (e.g. SAML) ‣ Directory server holding identities ‣ Authenticates users ‣ Provides required attributes ‣ Maps identities and attributes to internal model ‣ Authorization ‣ Session management AuthN AuthZ
#RSAC Baseline Shared Services 22 Centralize But allow local access Leverage cloud events for real time alerts Use to trigger guardrails Cascade and filter to manage costs Monitoring/Alerting
#RSAC Example: Data Analytics Pattern 23 Attack surface? Network attack paths?
#RSAC Cloud Network Security 25 Fit to the app Insulate with load balancers, ASG, PaaS Architect with native security group and route patterns Supplement gaps Automate + guardrails
#RSAC Cloud Workload Security 26 Function as a Service (Lambda) Instances/VMs Containers Security Focus: Code and config Trad or Immutable Code + Hardening
#RSAC Workload Security Wins 27 Availability - embrace chaos engineering & immutability Abolish fragile points in the architecture; design auto-scale groups for all critical services Immutable and micro services Serverless and FaaS
#RSAC Instance (and container) security issues 28 Vulnerability and Patch Management Logs and Security Tools Other ‣ Limitations on scanning due to provider terms of service ‣ Or use a cloud-compatible host agent ‣ Can scan in deployment pipelines with immutable ‣ Patching on running instances only really used with standard/traditional instances ‣ Weakest security option ‣ Can’t rely on scans reflecting the actual system if they are IP based ‣ Logs can’t rely on hostnames or IP addresses ‣ More on logging later, but you need to build a cloud-native architecture ‣ Security tools also can’t rely on normal addresses due to the high rate of change in cloud ‣ Also they need to be lightweight since processors == cash ‣ Ideally deployable with CI/CD ‣ Need to auto-self-configure and connect to management systems ‣ EPP/AV often not needed ‣ Images can expose data if they aren’t created properly ‣ This is really easy to mess up ‣ Snapshots are ideal for data exfiltration ‣ Encryption knocks down this problem ‣ Encryption options generally built into the cloud platform, don’t need external tools ‣ Instances can access metadata on themselves which can be used for attacks if not properly managed
#RSAC Cloud Encryption 29 Encryption is the default. Focus on key management.
#RSAC Cloud encryption 30 Encryption is easy … key management is Hard Do NOT do this yourself or roll your own Focus on BYOK for integrated encryption Cloud HSMs and KSMs - your cloud keys can be more secure than in most data centers
#RSAC Encryption: App-Layer 31 For regulated data, app-level encryption is your friend Integrate with IAM and automation Know the lines where data is potentially exposed and if it matters Cloud HSMs and KSMs - your cloud keys can be more secure than in most data centers Key Management Service HSM/Other Workload StorageOption A: KMS encrypts the data Option B: App encrypts with KMS key Option C: KMS integrated with CSP Storage
#RSAC SECURITY OPERATIONS Monitoring/alerting, incident response, assessment, management
#RSAC Alerting tips 33 If your cloud provider offers a security threat service… use it! They see things you can’t, such as failed API calls In-cloud event-based alerts are fastest But also need to be configured and managed in each cloud deployment Use automation to build/support Feed alerts to central feed, or alert off a central feed We discussed earlier
#RSAC Alerting++ 34 Change a security group Event Recorded to CloudTrail Passed to CloudWatch Log Stream Triggers an CloudWatch Event Lambda Function analyzes and reverses AND/OR Notification
#RSAC Assessment 35 Cloud Configuration Instances/Cont ainers Application • Some providers have built-in tools • Third-party • Manual assessments for context • With immutable assess in the pipeline • Prefer agent over network based • Push most testing to CI/CD • Full web testing may require permission • Choose pen testers with cloud experience
#RSAC Incident Response 36
#RSAC Automate security management 37 Infrastructure templating should include security This is how you handle new account provisioning Use the hierarchical controls of your cloud provider Set a security role to gain account access Use automation for cross-account and multi-cloud management Guardrails Workflows Orchestrations (integrating 3rd party tools to operations)
#RSAC Automate security management 38
#RSAC Adopting and adapting to cloud security 39 First 30 days Find your cloud controller - Take owner to lunch; pain points Get a read-only account. Get comfortable with APIs for cloud inventory, drift detection, attack surface changes, image configs. Within 2 months Create a master image bakery Get good at pushing new images on demand, work with app teams to rely on your images for push Within 3 months Create guardrails to detect and alert on cloud config drift/violations Automate remediation for simple failure cases, more complex checks over time

Recommandé

Office 365 Security: Top Priorities for 30 Days, 90 Days and Beyond
Office 365 Security: Top Priorities for 30 Days, 90 Days and BeyondOffice 365 Security: Top Priorities for 30 Days, 90 Days and Beyond
Office 365 Security: Top Priorities for 30 Days, 90 Days and Beyond
Priyanka Aash
 
Corpsec: “What Happened to Corpses A and B?”
Corpsec: “What Happened to Corpses A and B?”Corpsec: “What Happened to Corpses A and B?”
Corpsec: “What Happened to Corpses A and B?”
Priyanka Aash
 
Pragmatic Security Automation for Cloud
Pragmatic Security Automation for CloudPragmatic Security Automation for Cloud
Pragmatic Security Automation for Cloud
Priyanka Aash
 
Ephemeral DevOps: Adventures in Managing Short-Lived Systems
Ephemeral DevOps: Adventures in Managing Short-Lived SystemsEphemeral DevOps: Adventures in Managing Short-Lived Systems
Ephemeral DevOps: Adventures in Managing Short-Lived Systems
Priyanka Aash
 
Humans and Data Don’t Mix: Best Practices to Secure Your Cloud
Humans and Data Don’t Mix: Best Practices to Secure Your CloudHumans and Data Don’t Mix: Best Practices to Secure Your Cloud
Humans and Data Don’t Mix: Best Practices to Secure Your Cloud
Priyanka Aash
 
ChaoSlingr: Introducing Security-Based Chaos Testing
ChaoSlingr: Introducing Security-Based Chaos TestingChaoSlingr: Introducing Security-Based Chaos Testing
ChaoSlingr: Introducing Security-Based Chaos Testing
Priyanka Aash
 
Transfer Learning: Repurposing ML Algorithms from Different Domains to Cloud ...
Transfer Learning: Repurposing ML Algorithms from Different Domains to Cloud ...Transfer Learning: Repurposing ML Algorithms from Different Domains to Cloud ...
Transfer Learning: Repurposing ML Algorithms from Different Domains to Cloud ...
Priyanka Aash
 
FIM and System Call Auditing at Scale in a Large Container Deployment
FIM and System Call Auditing at Scale in a Large Container DeploymentFIM and System Call Auditing at Scale in a Large Container Deployment
FIM and System Call Auditing at Scale in a Large Container Deployment
Priyanka Aash
 

Recommandé

Office 365 Security: Top Priorities for 30 Days, 90 Days and Beyond
Office 365 Security: Top Priorities for 30 Days, 90 Days and BeyondOffice 365 Security: Top Priorities for 30 Days, 90 Days and Beyond
Office 365 Security: Top Priorities for 30 Days, 90 Days and Beyond
Priyanka Aash
 
Corpsec: “What Happened to Corpses A and B?”
Corpsec: “What Happened to Corpses A and B?”Corpsec: “What Happened to Corpses A and B?”
Corpsec: “What Happened to Corpses A and B?”
Priyanka Aash
 
Pragmatic Security Automation for Cloud
Pragmatic Security Automation for CloudPragmatic Security Automation for Cloud
Pragmatic Security Automation for Cloud
Priyanka Aash
 
Ephemeral DevOps: Adventures in Managing Short-Lived Systems
Ephemeral DevOps: Adventures in Managing Short-Lived SystemsEphemeral DevOps: Adventures in Managing Short-Lived Systems
Ephemeral DevOps: Adventures in Managing Short-Lived Systems
Priyanka Aash
 
Humans and Data Don’t Mix: Best Practices to Secure Your Cloud
Humans and Data Don’t Mix: Best Practices to Secure Your CloudHumans and Data Don’t Mix: Best Practices to Secure Your Cloud
Humans and Data Don’t Mix: Best Practices to Secure Your Cloud
Priyanka Aash
 
ChaoSlingr: Introducing Security-Based Chaos Testing
ChaoSlingr: Introducing Security-Based Chaos TestingChaoSlingr: Introducing Security-Based Chaos Testing
ChaoSlingr: Introducing Security-Based Chaos Testing
Priyanka Aash
 
Transfer Learning: Repurposing ML Algorithms from Different Domains to Cloud ...
Transfer Learning: Repurposing ML Algorithms from Different Domains to Cloud ...Transfer Learning: Repurposing ML Algorithms from Different Domains to Cloud ...
Transfer Learning: Repurposing ML Algorithms from Different Domains to Cloud ...
Priyanka Aash
 
FIM and System Call Auditing at Scale in a Large Container Deployment
FIM and System Call Auditing at Scale in a Large Container DeploymentFIM and System Call Auditing at Scale in a Large Container Deployment
FIM and System Call Auditing at Scale in a Large Container Deployment
Priyanka Aash
 
Red Team vs. Blue Team on AWS
Red Team vs. Blue Team on AWSRed Team vs. Blue Team on AWS
Red Team vs. Blue Team on AWS
Priyanka Aash
 
Security Program Development for the Hipster Company
Security Program Development for the Hipster CompanySecurity Program Development for the Hipster Company
Security Program Development for the Hipster Company
Priyanka Aash
 
Cloud security : Automate or die
Cloud security : Automate or dieCloud security : Automate or die
Cloud security : Automate or die
Priyanka Aash
 
Are You Ready for a Cloud Pentest?
Are You Ready for a Cloud Pentest?Are You Ready for a Cloud Pentest?
Are You Ready for a Cloud Pentest?
Teri Radichel
 
Red team-view-gaps-in-the-serverless-application-attack-surface
Red team-view-gaps-in-the-serverless-application-attack-surfaceRed team-view-gaps-in-the-serverless-application-attack-surface
Red team-view-gaps-in-the-serverless-application-attack-surface
Priyanka Aash
 
Identity-Based Security and Privacy for the Internet of Things
Identity-Based Security and Privacy for the Internet of ThingsIdentity-Based Security and Privacy for the Internet of Things
Identity-Based Security and Privacy for the Internet of Things
Priyanka Aash
 
Azure for Auditors
Azure for AuditorsAzure for Auditors
Azure for Auditors
Teri Radichel
 
Beyond the mcse red teaming active directory
Beyond the mcse red teaming active directoryBeyond the mcse red teaming active directory
Beyond the mcse red teaming active directory
Priyanka Aash
 
Lessons from a recovering runtime application self protection addict
Lessons from a recovering runtime application self protection addictLessons from a recovering runtime application self protection addict
Lessons from a recovering runtime application self protection addict
Priyanka Aash
 
Alfredo Reino - Monitoring aws and azure
Alfredo Reino - Monitoring aws and azureAlfredo Reino - Monitoring aws and azure
Alfredo Reino - Monitoring aws and azure
DevSecCon
 
Implementing DevSecOps
Implementing DevSecOpsImplementing DevSecOps
Implementing DevSecOps
Amazon Web Services
 
Become a Cloud Security Ninja
Become a Cloud Security NinjaBecome a Cloud Security Ninja
Become a Cloud Security Ninja
Amazon Web Services
 
Continuous Application Security at Scale with IAST and RASP -- Transforming D...
Continuous Application Security at Scale with IAST and RASP -- Transforming D...Continuous Application Security at Scale with IAST and RASP -- Transforming D...
Continuous Application Security at Scale with IAST and RASP -- Transforming D...
Jeff Williams
 
Practical appsec lessons learned in the age of agile and DevOps
Practical appsec lessons learned in the age of agile and DevOpsPractical appsec lessons learned in the age of agile and DevOps
Practical appsec lessons learned in the age of agile and DevOps
Priyanka Aash
 
Stephen Sadowski - Securely automating infrastructure in the cloud
Stephen Sadowski - Securely automating infrastructure in the cloudStephen Sadowski - Securely automating infrastructure in the cloud
Stephen Sadowski - Securely automating infrastructure in the cloud
DevSecCon
 
Extending Amazon GuardDuty with Cloud Insight Essentials
Extending Amazon GuardDuty with Cloud Insight Essentials Extending Amazon GuardDuty with Cloud Insight Essentials
Extending Amazon GuardDuty with Cloud Insight Essentials
Alert Logic
 
Managed Threat Detection and Response
Managed Threat Detection and ResponseManaged Threat Detection and Response
Managed Threat Detection and Response
Alert Logic
 
Extending Amazon GuardDuty with Cloud Insight Essentials
Extending Amazon GuardDuty with Cloud Insight Essentials Extending Amazon GuardDuty with Cloud Insight Essentials
Extending Amazon GuardDuty with Cloud Insight Essentials
Alert Logic
 
Maturing your organization from DevOps to DevSecOps
Maturing your organization from DevOps to DevSecOpsMaturing your organization from DevOps to DevSecOps
Maturing your organization from DevOps to DevSecOps
Amazon Web Services
 
Serverless Security: What's Left To Protect
Serverless Security: What's Left To ProtectServerless Security: What's Left To Protect
Serverless Security: What's Left To Protect
Guy Podjarny
 
Aspirin as a Service: Using the Cloud to Cure Security Headaches
Aspirin as a Service: Using the Cloud to Cure Security HeadachesAspirin as a Service: Using the Cloud to Cure Security Headaches
Aspirin as a Service: Using the Cloud to Cure Security Headaches
Priyanka Aash
 
Hardening the cloud : Assuring agile security in high-growth environments
Hardening the cloud : Assuring agile security in high-growth environmentsHardening the cloud : Assuring agile security in high-growth environments
Hardening the cloud : Assuring agile security in high-growth environments
Priyanka Aash
 

Contenu connexe

Tendances

Identity-Based Security and Privacy for the Internet of Things
Identity-Based Security and Privacy for the Internet of ThingsIdentity-Based Security and Privacy for the Internet of Things
Identity-Based Security and Privacy for the Internet of Things
Priyanka Aash
 
Continuous Application Security at Scale with IAST and RASP -- Transforming D...
Continuous Application Security at Scale with IAST and RASP -- Transforming D...Continuous Application Security at Scale with IAST and RASP -- Transforming D...
Continuous Application Security at Scale with IAST and RASP -- Transforming D...
Jeff Williams
 
Stephen Sadowski - Securely automating infrastructure in the cloud
Stephen Sadowski - Securely automating infrastructure in the cloudStephen Sadowski - Securely automating infrastructure in the cloud
Stephen Sadowski - Securely automating infrastructure in the cloud
DevSecCon
 
Serverless Security: What's Left To Protect
Serverless Security: What's Left To ProtectServerless Security: What's Left To Protect
Serverless Security: What's Left To Protect
Guy Podjarny
 

Tendances (20)

Red Team vs. Blue Team on AWS
Red Team vs. Blue Team on AWSRed Team vs. Blue Team on AWS
Red Team vs. Blue Team on AWS
 
Security Program Development for the Hipster Company
Security Program Development for the Hipster CompanySecurity Program Development for the Hipster Company
Security Program Development for the Hipster Company
 
Cloud security : Automate or die
Cloud security : Automate or dieCloud security : Automate or die
Cloud security : Automate or die
 
Are You Ready for a Cloud Pentest?
Are You Ready for a Cloud Pentest?Are You Ready for a Cloud Pentest?
Are You Ready for a Cloud Pentest?
 
Red team-view-gaps-in-the-serverless-application-attack-surface
Red team-view-gaps-in-the-serverless-application-attack-surfaceRed team-view-gaps-in-the-serverless-application-attack-surface
Red team-view-gaps-in-the-serverless-application-attack-surface
 
Identity-Based Security and Privacy for the Internet of Things
Identity-Based Security and Privacy for the Internet of ThingsIdentity-Based Security and Privacy for the Internet of Things
Identity-Based Security and Privacy for the Internet of Things
 
Azure for Auditors
Azure for AuditorsAzure for Auditors
Azure for Auditors
 
Beyond the mcse red teaming active directory
Beyond the mcse red teaming active directoryBeyond the mcse red teaming active directory
Beyond the mcse red teaming active directory
 
Lessons from a recovering runtime application self protection addict
Lessons from a recovering runtime application self protection addictLessons from a recovering runtime application self protection addict
Lessons from a recovering runtime application self protection addict
 
Alfredo Reino - Monitoring aws and azure
Alfredo Reino - Monitoring aws and azureAlfredo Reino - Monitoring aws and azure
Alfredo Reino - Monitoring aws and azure
 
Implementing DevSecOps
Implementing DevSecOpsImplementing DevSecOps
Implementing DevSecOps
 
Become a Cloud Security Ninja
Become a Cloud Security NinjaBecome a Cloud Security Ninja
Become a Cloud Security Ninja
 
Continuous Application Security at Scale with IAST and RASP -- Transforming D...
Continuous Application Security at Scale with IAST and RASP -- Transforming D...Continuous Application Security at Scale with IAST and RASP -- Transforming D...
Continuous Application Security at Scale with IAST and RASP -- Transforming D...
 
Practical appsec lessons learned in the age of agile and DevOps
Practical appsec lessons learned in the age of agile and DevOpsPractical appsec lessons learned in the age of agile and DevOps
Practical appsec lessons learned in the age of agile and DevOps
 
Stephen Sadowski - Securely automating infrastructure in the cloud
Stephen Sadowski - Securely automating infrastructure in the cloudStephen Sadowski - Securely automating infrastructure in the cloud
Stephen Sadowski - Securely automating infrastructure in the cloud
 
Extending Amazon GuardDuty with Cloud Insight Essentials
Extending Amazon GuardDuty with Cloud Insight Essentials Extending Amazon GuardDuty with Cloud Insight Essentials
Extending Amazon GuardDuty with Cloud Insight Essentials
 
Managed Threat Detection and Response
Managed Threat Detection and ResponseManaged Threat Detection and Response
Managed Threat Detection and Response
 
Extending Amazon GuardDuty with Cloud Insight Essentials
Extending Amazon GuardDuty with Cloud Insight Essentials Extending Amazon GuardDuty with Cloud Insight Essentials
Extending Amazon GuardDuty with Cloud Insight Essentials
 
Maturing your organization from DevOps to DevSecOps
Maturing your organization from DevOps to DevSecOpsMaturing your organization from DevOps to DevSecOps
Maturing your organization from DevOps to DevSecOps
 
Serverless Security: What's Left To Protect
Serverless Security: What's Left To ProtectServerless Security: What's Left To Protect
Serverless Security: What's Left To Protect
 

Similaire à Building and Adopting a Cloud-Native Security Program

Securing Your Public Cloud Infrastructure
Securing Your Public Cloud InfrastructureSecuring Your Public Cloud Infrastructure
Securing Your Public Cloud Infrastructure
Qualys
 
Detecting Malicious Cloud Account Behavior: A Look at the New Native Platform...
Detecting Malicious Cloud Account Behavior: A Look at the New Native Platform...Detecting Malicious Cloud Account Behavior: A Look at the New Native Platform...
Detecting Malicious Cloud Account Behavior: A Look at the New Native Platform...
Priyanka Aash
 
Unified Security through Armor and AWS - DEM05 - Atlanta AWS Summit
Unified Security through Armor and AWS - DEM05 - Atlanta AWS SummitUnified Security through Armor and AWS - DEM05 - Atlanta AWS Summit
Unified Security through Armor and AWS - DEM05 - Atlanta AWS Summit
Amazon Web Services
 

Similaire à Building and Adopting a Cloud-Native Security Program (20)

Aspirin as a Service: Using the Cloud to Cure Security Headaches
Aspirin as a Service: Using the Cloud to Cure Security HeadachesAspirin as a Service: Using the Cloud to Cure Security Headaches
Aspirin as a Service: Using the Cloud to Cure Security Headaches
 
Hardening the cloud : Assuring agile security in high-growth environments
Hardening the cloud : Assuring agile security in high-growth environmentsHardening the cloud : Assuring agile security in high-growth environments
Hardening the cloud : Assuring agile security in high-growth environments
 
RSA 2015 Realities of Private Cloud Security
RSA 2015 Realities of Private Cloud SecurityRSA 2015 Realities of Private Cloud Security
RSA 2015 Realities of Private Cloud Security
 
Cloud Security Essentials 2.0 at RSA
Cloud Security Essentials 2.0 at RSACloud Security Essentials 2.0 at RSA
Cloud Security Essentials 2.0 at RSA
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOps
 
Application Security from the Inside Out
Application Security from the Inside OutApplication Security from the Inside Out
Application Security from the Inside Out
 
AWS live hack: Atlassian + Snyk OSS on AWS
AWS live hack: Atlassian + Snyk OSS on AWSAWS live hack: Atlassian + Snyk OSS on AWS
AWS live hack: Atlassian + Snyk OSS on AWS
 
Automate the Provisioning of Secure Developer Environments on AWS PPT
Automate the Provisioning of Secure Developer Environments on AWS PPT Automate the Provisioning of Secure Developer Environments on AWS PPT
Automate the Provisioning of Secure Developer Environments on AWS PPT
 
CLOUD NATIVE SECURITY
CLOUD NATIVE SECURITYCLOUD NATIVE SECURITY
CLOUD NATIVE SECURITY
 
Securing Your Public Cloud Infrastructure
Securing Your Public Cloud InfrastructureSecuring Your Public Cloud Infrastructure
Securing Your Public Cloud Infrastructure
 
2020 09-30 overcoming the challenges of managing a hybrid environment - aws a...
2020 09-30 overcoming the challenges of managing a hybrid environment - aws a...2020 09-30 overcoming the challenges of managing a hybrid environment - aws a...
2020 09-30 overcoming the challenges of managing a hybrid environment - aws a...
 
Symantec Best Practices for Cloud Security: Insights from the Front Lines
Symantec Best Practices for Cloud Security: Insights from the Front LinesSymantec Best Practices for Cloud Security: Insights from the Front Lines
Symantec Best Practices for Cloud Security: Insights from the Front Lines
 
Introduction to Serverless through Architectural Patterns
Introduction to Serverless through Architectural PatternsIntroduction to Serverless through Architectural Patterns
Introduction to Serverless through Architectural Patterns
 
The Top 10 Most Common Weaknesses in Serverless Applications 2018
The Top 10 Most Common Weaknesses in Serverless Applications 2018The Top 10 Most Common Weaknesses in Serverless Applications 2018
The Top 10 Most Common Weaknesses in Serverless Applications 2018
 
Cyxtera - Operational Complexity: The Biggest Security Threat to Your AWS Env...
Cyxtera - Operational Complexity: The Biggest Security Threat to Your AWS Env...Cyxtera - Operational Complexity: The Biggest Security Threat to Your AWS Env...
Cyxtera - Operational Complexity: The Biggest Security Threat to Your AWS Env...
 
Detecting Malicious Cloud Account Behavior: A Look at the New Native Platform...
Detecting Malicious Cloud Account Behavior: A Look at the New Native Platform...Detecting Malicious Cloud Account Behavior: A Look at the New Native Platform...
Detecting Malicious Cloud Account Behavior: A Look at the New Native Platform...
 
Outpost24 webinar: cloud providers ate hosting companies' lunch, what's next?...
Outpost24 webinar: cloud providers ate hosting companies' lunch, what's next?...Outpost24 webinar: cloud providers ate hosting companies' lunch, what's next?...
Outpost24 webinar: cloud providers ate hosting companies' lunch, what's next?...
 
Unified Security through Armor and AWS - DEM05 - Atlanta AWS Summit
Unified Security through Armor and AWS - DEM05 - Atlanta AWS SummitUnified Security through Armor and AWS - DEM05 - Atlanta AWS Summit
Unified Security through Armor and AWS - DEM05 - Atlanta AWS Summit
 
Cloud Computing
Cloud ComputingCloud Computing
Cloud Computing
 
AWS live hack: Docker + Snyk Container on AWS
AWS live hack: Docker + Snyk Container on AWSAWS live hack: Docker + Snyk Container on AWS
AWS live hack: Docker + Snyk Container on AWS
 

Plus de Priyanka Aash

Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
Priyanka Aash
 

Plus de Priyanka Aash (20)

Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOs
 
Verizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfVerizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdf
 
Top 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfTop 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdf
 
Simplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfSimplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdf
 
Generative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfGenerative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdf
 
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfEVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
 
DPDP Act 2023.pdf
DPDP Act 2023.pdfDPDP Act 2023.pdf
DPDP Act 2023.pdf
 
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfCyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
 
Cyber Crisis Management.pdf
Cyber Crisis Management.pdfCyber Crisis Management.pdf
Cyber Crisis Management.pdf
 
CISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfCISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdf
 
Chennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfChennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdf
 
Cloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfCloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdf
 
Stories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldStories From The Web 3 Battlefield
Stories From The Web 3 Battlefield
 
Lessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksLessons Learned From Ransomware Attacks
Lessons Learned From Ransomware Attacks
 
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
 
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
 
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
 
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsCloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security Governance
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
 

Dernier

The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
Enterprise Knowledge
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
vu2urc
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Miguel Araújo
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 

Dernier (20)

Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 

Building and Adopting a Cloud-Native Security Program

  • 1. SESSION ID: #RSAC CSV-W14 - BUILDING AND ADOPTING A CLOUD-NATIVE SECURITY PROGRAM VP of Product/Analyst /Securosis @rmogull Bill Burns Chief Trust Officer, VP Business Transformation @x509v3 Rich Mogull
  • 2. #RSAC Our Plan 2 Show you how to build your program from scratch And bridge existing capabilities Highlight fundamental differences of cloud Show you what’s real We’ve done this… all of it. None of this is theory From architecture and strategy to key controls areas
  • 4. #RSAC Cloud Native == NOT.Legacy 4 You build it from scratch OR Redesign without compromise
  • 5. #RSAC Building the cloud-native mindset 5 Cloud is: Abstracted Ephemeral Developer Driven Automated You should: Embrace Failure Kill the Past Volatile Massively Scalable Think Like a Developer Embrace Automation Isolate by Default Ephemeral
  • 6. #RSAC Know the Lines, Use Them for Advantage 6 Risk & Compliance Declare and understand the shared responsibilities model What you are responsible for, what the provider is responsible for. Critical cloud provider security capabilities You interact via APIs, not projects Use the model to change attack surface Physical Infrastructure Virtualization/ Abstraction Application and PaaS Services Management Plan/Metastructure Host/Server Security Network, IAM, and Metastructure Configuration Security Data and Application Security ProviderConsumer Your customers and competitors are already getting comfortable with this
  • 7. #RSAC Critical cloud provider security capabilities 7 ‣ API/admin activity logging ‣ Elasticity and autoscaling ‣ APIs for all security features ‣ Granular entitlements ‣ Good SAML support ‣ Multiple accounts/subscriptions/projects per customer ‣ Software defined networking
  • 8. #RSAC Cloud Native Security Program Principles 8 APIs Automation Immutability & Isolation
  • 10. #RSAC Cloud Application Security Process 10 Secure architecture and design Secure deployment/DevOps External security controls Secure Operations
  • 11. #RSAC Even infrastructure security starts with application design 11 Fit the infrastructure to the application Leverage architecture for security Automate deployment and management with DevOps Required for immutable, cloud disaster recovery, and portability anyway Good design can eliminate common traditional security issues Network attack paths, patch management
  • 12. #RSAC Secure Application Development/ Deployment (Example) 12 Source Code GitCloudformation Templates Jenkins Functional Tests Chef Recipes NonFunctional Tests Test Prod Unit/regression tests Functional tests SAST DAST VA/Network/Infrastructure
  • 13. #RSAC Architecture + DevOps is cloud security 13 ‣ Architecture allows you to leverage the shared responsibilities model to reduce your security management surface and push them onto a cloud provider that has stronger economic incentives to avoid incidents. ‣ You are paying for it anyway, might as well take advantage. ‣ DevOps provides a consistency and control impossible with manual application deployments. ‣ Security can easily embed and automate into the same toolchains as development and operations. ‣ Security can steal DevOps techniques to improve security operations.
  • 14. #RSAC INFRASTRUCTURE Building your cloud infrastructure security
  • 15. #RSAC Start with Architecture 15 Architecture == security; it’s a primary control not something to eval after the fact Intrinsically tied to applications: These are general principles and cross-project design patterns. Segregate with Accounts/Subscriptions/Projects first, virtual networks second Minimize blast radius Leverage immutable infrastructure Cut off network attack paths Wipe out classes of traditional security issues Accou nt Virtual Network Subn et Security Group Virtual Network Subn et Security Group Accou nt Virtual Network Subn et Security Group Virtual Network Subn et Security Group Accou nt Virtual Network Subn et Security Group Virtual Network Subn et Security Group Boom
  • 16. #RSAC Own the Management Plane, Own the Cloud 16 Baseline shared services / management plane Use to enforce guardrails - let the cloud move fast but detect and respond quickly to things that stray too far Make this “more secure approach” the “easier approach” to adopt. Enforce as the pathway in / out. Secure the root account Manage Non- Root Users Enable Monitoring/Auditi ng Deploy Infrastructure, workloads
  • 17. #RSAC Define infrastructure in code 17 Full Stack (Networks/IAM/etc) Servers (Instances) Containers
  • 18. #RSAC Infrastructure As Code - Master Image Bakery 18 Packer configuration Git Jenkins Security Tests Test Ops/Server Engineering Requirements InfoSec Requirements Master Image Replace, Don’t Patch
  • 21. #RSAC Baseline Shared Services 21 IAM Federated Identity Broker ABAC Security Access Multiple authorities Identity Provider Relying Party Federated Trust (e.g. SAML) ‣ Directory server holding identities ‣ Authenticates users ‣ Provides required attributes ‣ Maps identities and attributes to internal model ‣ Authorization ‣ Session management AuthN AuthZ
  • 22. #RSAC Baseline Shared Services 22 Centralize But allow local access Leverage cloud events for real time alerts Use to trigger guardrails Cascade and filter to manage costs Monitoring/Alerting
  • 23. #RSAC Example: Data Analytics Pattern 23 Attack surface? Network attack paths?
  • 24. #RSAC Cloud Network Security 25 Fit to the app Insulate with load balancers, ASG, PaaS Architect with native security group and route patterns Supplement gaps Automate + guardrails
  • 25. #RSAC Cloud Workload Security 26 Function as a Service (Lambda) Instances/VMs Containers Security Focus: Code and config Trad or Immutable Code + Hardening
  • 26. #RSAC Workload Security Wins 27 Availability - embrace chaos engineering & immutability Abolish fragile points in the architecture; design auto-scale groups for all critical services Immutable and micro services Serverless and FaaS
  • 27. #RSAC Instance (and container) security issues 28 Vulnerability and Patch Management Logs and Security Tools Other ‣ Limitations on scanning due to provider terms of service ‣ Or use a cloud-compatible host agent ‣ Can scan in deployment pipelines with immutable ‣ Patching on running instances only really used with standard/traditional instances ‣ Weakest security option ‣ Can’t rely on scans reflecting the actual system if they are IP based ‣ Logs can’t rely on hostnames or IP addresses ‣ More on logging later, but you need to build a cloud-native architecture ‣ Security tools also can’t rely on normal addresses due to the high rate of change in cloud ‣ Also they need to be lightweight since processors == cash ‣ Ideally deployable with CI/CD ‣ Need to auto-self-configure and connect to management systems ‣ EPP/AV often not needed ‣ Images can expose data if they aren’t created properly ‣ This is really easy to mess up ‣ Snapshots are ideal for data exfiltration ‣ Encryption knocks down this problem ‣ Encryption options generally built into the cloud platform, don’t need external tools ‣ Instances can access metadata on themselves which can be used for attacks if not properly managed
  • 28. #RSAC Cloud Encryption 29 Encryption is the default. Focus on key management.
  • 29. #RSAC Cloud encryption 30 Encryption is easy … key management is Hard Do NOT do this yourself or roll your own Focus on BYOK for integrated encryption Cloud HSMs and KSMs - your cloud keys can be more secure than in most data centers
  • 30. #RSAC Encryption: App-Layer 31 For regulated data, app-level encryption is your friend Integrate with IAM and automation Know the lines where data is potentially exposed and if it matters Cloud HSMs and KSMs - your cloud keys can be more secure than in most data centers Key Management Service HSM/Other Workload StorageOption A: KMS encrypts the data Option B: App encrypts with KMS key Option C: KMS integrated with CSP Storage
  • 32. #RSAC Alerting tips 33 If your cloud provider offers a security threat service… use it! They see things you can’t, such as failed API calls In-cloud event-based alerts are fastest But also need to be configured and managed in each cloud deployment Use automation to build/support Feed alerts to central feed, or alert off a central feed We discussed earlier
  • 33. #RSAC Alerting++ 34 Change a security group Event Recorded to CloudTrail Passed to CloudWatch Log Stream Triggers an CloudWatch Event Lambda Function analyzes and reverses AND/OR Notification
  • 34. #RSAC Assessment 35 Cloud Configuration Instances/Cont ainers Application • Some providers have built-in tools • Third-party • Manual assessments for context • With immutable assess in the pipeline • Prefer agent over network based • Push most testing to CI/CD • Full web testing may require permission • Choose pen testers with cloud experience
  • 36. #RSAC Automate security management 37 Infrastructure templating should include security This is how you handle new account provisioning Use the hierarchical controls of your cloud provider Set a security role to gain account access Use automation for cross-account and multi-cloud management Guardrails Workflows Orchestrations (integrating 3rd party tools to operations)
  • 38. #RSAC Adopting and adapting to cloud security 39 First 30 days Find your cloud controller - Take owner to lunch; pain points Get a read-only account. Get comfortable with APIs for cloud inventory, drift detection, attack surface changes, image configs. Within 2 months Create a master image bakery Get good at pushing new images on demand, work with app teams to rely on your images for push Within 3 months Create guardrails to detect and alert on cloud config drift/violations Automate remediation for simple failure cases, more complex checks over time