THE IMPACT OF HYBRID AND MULTI CLOUDS TO CYBERSECURITY PRIORITIES

Transcription

1 SESSION ID: STR-R14 THE IMPACT OF HYBRID AND MULTI CLOUDS TO CYBERSECURITY PRIORITIES Doug Cahill Group Director and Senior Analyst Enterprise Strategy

2 WHO IS THIS GUY?

3 Topics The Composition of Hybrid Clouds Spotlight: Container Security Considerations Defining the Lack of Cloud Visibility Retooling for Multi-Dimensional Hybrid Clouds Spotlight: Automating Security via Integration with the CI/CD Pipeline Applying Best Practices Summary 3

4 THE COMPOSITION OF HYBRID CLOUDS

5 What is hybrid, anyway?

6 THE MANY DEFINITIONS OF A HYBRID CLOUD Primary Historical Use Case: Public cloud as a storage target for backup and archiving More Accurately: Cross-cloud Orchestration By app tier e.g. DB tier on-premise, web app tier in the cloud Burst-mode for scale, portability for best fit and price --> For this Discussion: Simply the combination of an on-premises + cloud footprint 6

7 Multi-Cloud Adoption 7

8 Workloads are Shifting to Public Clouds Of all the production workloads used by your organization, approximately what percentage is run on public cloud infrastructure services (i.e., IaaS and/or PaaS) today? How do you expect this to change if at all over the next 24 months? (Percent of respondents, N=450) Percent of production workloads run on public cloud infrastructure services today Percent of production workloads run on public cloud infrastructure services 24 months from now 25% 26% 24% 24% 16% 5% 15% 16% 10% 16% 15% 5% 1% 2% Less than 10% of workloads 10% to 20% of workloads 21% to 30% of workloads 31% to 40% of workloads 41% to 50% of workloads More than 50% of workloads Don t know 8

9 The Heterogeneous Mix of Workload Types 100% 90% 80% 70% 60% 50% 40% 30% 20% 10% 0% Bare metal servers, 35% Virtual machines, 46% Containers, 19% Percent of Percent production of production workloads workloads run on each run server on each type server today type TODAY 9 Bare metal servers, 26% Virtual machines, 41% Containers, 33% Percent of Percent production of production workloads workloads run on each server type run 24 on months each server from type now 24 MONTHS FROM NOW

10 HYBRID CLOUDS ARE MULTI-DIMENSIONAL X 2+ MULTI-CLOUDS + = HETEROGENOUS SERVER TYPES 2017 by The Enterprise Strategy Group, Inc.

11 SPOTLIGHT: CONTAINER SECURITY CONSIDERATIONS

12 Containers are coming, en masse!

13 App Containers Are Moving Into Production Yes, we have already deployed an extensive number of containerized production applications 16% 4%1% 13% Yes, we have already deployed a few containerized production applications No, but we are testing it and plan to start deploying to production in the next 12 months No, but we intend to start testing it in our lab in the next 12 months No, and we have no plans to 24% 42% Don t know 56% already in production +24% in next 12 months 13

14 Legacy and New Apps are Being Containerized 4% 23% We use/will use containers for new applications only We use/will use containers for new applications and some pre-existing legacy applications We use/will use containers for pre-existing legacy applications only 73% 14

15 Application Container Portability Make Them Location Agnostic 27% 21% Our container-based applications are/will be deployed in a public cloud environment only Our container-based applications are/will be deployed in an on-premises data center or colocation facility managed by our organization only 52% Our container-based applications are/will be deployed in a combination of public cloud platforms and private data centers 15

16 Container Security Concerns = VM Sprawl Redux 16

17 Container Security Pre-Production Requirements Establish Trusted Images via Registry-resident Image Scanning Eliminate known software vulnerabilities Bonus: Contextual based on risk -- known exploit, criticality of the app and data Harden configurations against CIS benchmarks Remediate, rinse and repeat Secrets Management: Separate until runtime 17

18 Container Security Runtime Requirements Continuous Monitoring Inventory including discovery of untrusted/unsigned containers Topology mapping to view and verify relationships East-west inter-container traffic Auditing of access requests, system activity, and Docker API calls Integrity monitoring Baselining of normal behavior Threat Prevention Detection and prevention of anomalous activity Integrity and applications control to prevent drift Intrusion detection and prevention Access controls including segmentation Anti-malware detection and prevention 18

19 Container Security - Implementation Considerations CI/CD tool integration to enable automation (build-ship-run tools) Consider pros and cons of host vs. privileged container vs. sensor Registry aware public and private Heterogeneous server workload type support 19

20 DEFINING THE LACK OF CLOUD VISIBILITY

21 Where s the network tap?

22 Top Hybrid Cloud Security Challenges Maintaining strong and consistent security across our own data center and multiple public cloud Employees signing up for cloud applications without the approval and governance of our IT Keeping up with the rapid pace of change via DevOps automation makes it a challenge to Meeting prescribed best practices for the configuration of cloud-resident workloads and the use Our DevOps and application owners do not want to involve our security team in their cloud Inability for existing network security controls to provide visibility into cloud Lack of skills needed to align strong security with our hybrid cloud strategy Satisfying our security team that our public cloud infrastructure is secure Some of our business units are doing application development and deployment on public cloud My organization s existing security tools do not support cloud native conventions such as on- Aligning regulatory compliance requirements with my organization s cloud strategy Lack of visibility into the network related activity of our cloud-based workloads Inability to automate the application of security controls due to the lack of integration with We have not experienced any challenges 22 6% 25% 23% 20% 19% 19% 18% 18% 18% 17% 16% 16% 14% 13%

23 Top Areas for Improving Visibility Into Cloud-Resident Workloads Identifying software vulnerabilities Identifying workload configurations that are out of compliance An audit trail of all system level activity Alerts on the detection of anomalous system-level workload activity An audit trail of privileged user account activity An audit trail of the use of IaaS APIs The existence of any external facing server workloads which do not Inter-workload communication The communication between workloads and an externally facing Alerts on the anomalous use of cloud APIs 30% 30% 27% 26% 26% 24% 21% 19% 18% 18% 23

24 WHICH IS WHY SOME FEEL THIS WAY

25 RETOOLING FOR MULTI-DIMENSIONAL HYBRID CLOUDS

26 2017 by The Enterprise Strategy Group, Inc.

27 Highest Priorities for Hybrid Cloud Security Build a cloud security strategy that can be used across heterogeneous public and private clouds Implement a workload segmentation model to limit the lateral movement of an attack, i.e., segment test/dev from production workloads, segment regulated from non-regulated workloads, etc. Integrate security controls with cloud and/or container orchestration tools Work with other teams to align security requirements with cloud provisioning and management automation Create a self-service catalogue so that workloads can be classified and then assigned to different public and private cloud options based upon their sensitivity Explore and recommend new security technologies that are specifically designed for cloud computing Determine ways to accelerate security tasks to keep pace with cloud provisioning and DevOps Learn about the security controls, monitoring capabilities, and APIs associated with each cloud service provider offering Figure out how we can extend our current security technologies to protect/monitor cloud workloads Create new policies specifically for cloud workloads and containers 30% 28% 27% 24% 23% 22% 20% 20% 20% 20% 27

28 Retooling Across Skills and Processes General knowledge of cybersecurity threats that pose a risk to hybrid cloud infrastructure Lack of familiarity with the continuous integration and continuous delivery processes and orchestration tools of a DevOps methodology Working relationship between the IT Operations, DevOps, and cybersecurity teams Understanding the specifics of how our cloud service provider and our organization share responsibility for securing our cloud-resident assets 33% 31% 31% 28% We don t have an adequately sized staff to meet our cloud security needs We don t have the right level of cloud security skills 20% 19% None of the above 6% 28

29 The Rise of the Cloud Security Architect Yes, and this position(s) has been in place for a year or more 7% 4% 3% 1% 25% Yes, and this position(s) has been in place for less than one year Yes, and this position(s) was recently established 6% No, but we are actively hiring for this position 12% We have had difficulty filling this position 24% 18% No, but we plan to establish this type of position(s) within the next 12 to 24 months No, but we are interested in establishing this type of position(s) sometime in the future No, and we have no plans or interest in doing so in the future Don t know 29

30 AUTOMATING SECURITY VIA INTEGRATION WITH THE CI/CD PIPELINE

31

32 Strong Interest in Security + DevOps Use Cases 18% 6%1% 15% Extensively Automating security via DevOps was one of the main reasons we adopted DevOps Somewhat We plan to incorporate some level of security in of DevOps process 19% We are evaluating security use cases that leverage our DevOps processes We do not want to slow down our DevOps processes with security 41% We have not yet discussed how security fits with our DevOps plans Don t know 32

33 Drivers Behind DevSecOps Adoption 1. TIGHT INTEGRATION Allows us to improve our security posture by making sure cybersecurity controls and processes are tightly integrated at every stage of our continuous integration and continuous delivery (CI/CD) tool chain 2. COMPLIANCE Allows us to assure we meet and maintain compliance with applicable industry regulations 3. COLLABORATION Fosters a high level of collaboration between our development, infrastructure management, application owners, and cybersecurity stakeholders 4. OPERATIONAL EFFICIENCY Improves our operational efficiency by automating the deployment of cybersecurity controls 5. PROACTIVE APPROACH Makes us think about security proactively and as an immutable attribute of how we manage our infrastructure 33

34 DevSecOps and Cloud SecOps Use Cases Span Environments Identifying workload configuration vulnerabilities before deployment to production Applying controls which can detect anomalous activity 44% 46% Applying preventative controls 44% Identifying software vulnerabilities before deployment to production Identifying workload configurations that are out of compliance with a regulation before deployment to production Applying controls which capture system activity for incident response and forensics 39% 42% 41% Applying inter-workload communication access controls 34% 34

35 APPLYING BEST PRACTICES

36

37 Separate Environments and Duties By Environment Segment Dev, Test, and Production environments Further segment by compute and storage Tiny bubbles to reduce blast radius By Role with Least Privilege, MFA APIs, not user accounts to interact with services Least privilege model protects against credential harvesting MFA for commits, builds, and deploys

38 Gain Visibility via Discovery, Assessments, and Monitoring Inventory the attack surface area Instance and container sprawl = developer manifestation of Shadow IT On-premises and cloud resident workloads For all accounts, all clouds Assess Configurations The obvious: Externally facing workloads not routing via a bastion host Workload configs against CIS benchmarks Use of pre-hardened images Monitor the environment Enable auditing services for API and service usage; augment with on-board agent Host network flow traffic for east-west, in/outbound threat detection DVR activity for trust, but verify compliance and IR investigations

39 Employ Anomaly Detection for Auto Scaling Groups Premise: There should be no intra-group drift Anomalies of interest: New process and child processes File system changes Logins beyond ID - time, location, frequency Netflow to/from remote IPs (i.e. not via jumphost) User access behaviors Inter-entity deviations Rules by role to automate and reduce alerts storms

40 Automate Across All Environments (DevSecOps + Cloud SecOps) In Dev: SDLC integrated Static code analysis Composition analysis In Test: Reduce attack surface Because production is immutable Eliminate software vulnerabilities Assess and harden configs of services and workloads In Prod: Policy via tool chain integration By tag, and thus templates, for consistency Host firewalls, integrity monitoring, IDS/IPS, anomaly detection

41 Unify for Consistency Across the Dimensions Replicate policy by workload profile/tag CI/CD automation on-prem and in the cloud Centralized visibility of inter-workload traffic Cloud-delivered and single console lowers operational cost

42 Seek Purpose-Built Solutions Supports automated policy assignment by tag Operates in auto-scaling groups, transient instances Linux support not an after thought Support heterogeneous server workload types Server less security on the roadmap Cloud delivered for cloud scale APIs for integrations and instrumentation Metered utility-based pricing model

43

44 Appreciate this is a Team Sport Groups directly involved in hybrid cloud security policies (Evaluating, Purchasing, and Operating) Security team Networking team Data center infrastructure/operations team DevOps team Regulatory compliance team Application development team Line-of-business/application owner Legal team 41% 40% 35% 33% 29% 24% 19% 56%

45 SUMMARY

46 You may ask yourself How did I get here? 2018 by The Enterprise Strategy Group, Inc.

47 Summary Multi-dimensionality drives complexity, clouds visibility Siloed approaches should be an interim step Environment specifics need to be understood en route to a unified approach CI/CD integration is an opportunity to both automate for efficiencies and move security upstream/left Immutable production environments requires introducing security earlier I had the best pictures at RSA Conference

48