Lift and Shift, Don t Lift and Pray: Pragmatic Cloud Migration Strategies

Similar documents
PRAGMATIC SECURITY AUTOMATION FOR CLOUD

CSV-W14 - BUILDING AND ADOPTING A CLOUD-NATIVE SECURITY PROGRAM

Cloud security 2.0: Joko nyt pilveen voi luottaa?

Aspirin as a Service: Using the Cloud to Cure Security Headaches

Pragmatic Cloud Security

Best Practices for Cloud Security at Scale. Phil Rodrigues Security Solutions Architect Amazon Web Services, ANZ

Managing and Auditing Organizational Migration to the Cloud TELASA SECURITY

Getting Started with AWS Security

Power Up/Level Up: Supercharging Your Security Program for Cloud and DevOps. Rich

Security: Michael South Americas Regional Leader, Public Sector Security & Compliance Business Acceleration

AWS Well Architected Framework

Architecting Microsoft Azure Solutions (proposed exam 535)

Look Who s Hiring! AWS Solution Architect AWS Cloud TAM

AWS Reference Design Document

Migrating Enterprise Applications to the Cloud Session 672. Leighton L. Nelson

THE IMPACT OF HYBRID AND MULTI CLOUDS TO CYBERSECURITY PRIORITIES

The Pathway to the Cloud Using Azure SQL Managed Instance

CLOUD SECURITY CRASH COURSE

Adopting Modern Practices for Improved Cloud Security. Cox Automotive - Enterprise Risk & Security

Mapping traditional security technologies to AWS Dave Walker Specialised Solutions Architect Security and Compliance Amazon Web Services UK Ltd

Simple Security for Startups. Mark Bate, AWS Solutions Architect

Minfy MS Workloads Use Case

Title: Planning AWS Platform Security Assessment?

Minfy MS Workloads Use Case

CLOUD WORKLOAD SECURITY

Microsoft Security Management

Docker Universal Control Plane Deploy and Manage On-Premises, Your Dockerized Distributed Applications

HCX SERVER PRODUCT BRIEF & TECHNICAL FEATURES SUMMARY

AZURE CLOUD SECURITY GUIDE: 6 BEST PRACTICES. To Secure Azure and Hybrid Cloud Environments

Security Camp 2016 Cloud Security. August 18, 2016

Architecting for Greater Security in AWS

SIEMLESS THREAT DETECTION FOR AWS

Are You Sure Your AWS Cloud Is Secure? Alan Williamson Solution Architect at TriNimbus

Launching a Highly-regulated Startup in the Cloud

Azure DevOps. Randy Pagels Intelligent Cloud Technical Specialist Great Lakes Region

How to master hybrid IT. Get the speed and agility you want, with the visibility and control you need

Access Governance in a Cloudy Environment. Nabeel Nizar VP Worldwide Solutions

Cloud is the 'Only' Way Forward in Information Security. Leveraging Scale to Make the Unknown Known, in Dev, Sec & Ops.

SECURITY-AS-A-SERVICE BUILT FOR AWS

Security & Compliance in the AWS Cloud. Vijay Rangarajan Senior Cloud Architect, ASEAN Amazon Web

Exploring Cloud Security, Operational Visibility & Elastic Datacenters. Kiran Mohandas Consulting Engineer

Security & Compliance in the AWS Cloud. Amazon Web Services

Securing Microservices Containerized Security in AWS

Tidal Forces: The Changes Ripping Apart Security as We Know It

OFFICE 365 GOVERNANCE: Top FAQ s & Best Practices. Internal Audit, Risk, Business & Technology Consulting

Deploying and Operating Cloud Native.NET apps

NEXT GENERATION CLOUD SECURITY

Securing Amazon Web Services (AWS) EC2 Instances with Dome9. A Whitepaper by Dome9 Security, Ltd.

Secure VFX in the Cloud. Microsoft Azure

SOLUTION OVERVIEW THE ARUBA MOBILE FIRST ARCHITECTURE

IBM Cloud Security for the Cloud. Amr Ismail Security Solutions Sales Leader Middle East & Pakistan

Amazon Web Services. Block 402, 4 th Floor, Saptagiri Towers, Above Pantaloons, Begumpet Main Road, Hyderabad Telangana India

Alexandre Menezes Cloud Solution Architect

Cloud Security Strategy - Adapt to Changes with Security Automation -

Cloud Computing /AWS Course Content

Securing Your Cloud Introduction Presentation

Hackproof Your Cloud Responding to 2016 Threats

INTRODUCING CISCO SECURITY FOR AWS

Simple Tweaks to be Relevant in a Cloud World

Let s say that hosting a cloudbased application is like car ownership

Feature Comparison Summary

Minfy-Vara Migration Use Case

Migrating Enterprise BI to Azure

Best Practices for Securing Your AWS Cloud Network

Development. Architecture QA. Operations

DATA SHEET AlienVault USM Anywhere Powerful Threat Detection and Incident Response for All Your Critical Infrastructure

DevOps Anti-Patterns. Have the Ops team deal with it. Time to fire the Ops team! Let s hire a DevOps unit! COPYRIGHT 2019 MANICODE SECURITY

Dell EMC Cloud Data Protection Disaster Recovery as a Service. Efri Nattel-Shay, Director, Product Management Saar Cohen, DE, CTO

Security Readiness Assessment

Connect and Transform Your Digital Business with IBM

Why Microsoft Azure is the right choice for your Public Cloud, a Consultants view by Simon Conyard

PROTECT WORKLOADS IN THE HYBRID CLOUD

LINUX, WINDOWS(MCSE),

ArcGIS in the Cloud. Andrew Sakowicz & Alec Walker

Cybersecurity Roadmap: Global Healthcare Security Architecture

The New Normal. Unique Challenges When Monitoring Hybrid Cloud Environments

Minfy-SREI Migration Use Case

Minfy-SREI Migration Use Case

DevSecOps Why Aren t You Doing It? Brian Liceaga, CISSP 1

OptiSol FinTech Platforms

VMware Cloud on AWS. A Closer Look. Frank Denneman Senior Staff Architect Cloud Platform BU

AWS 101. Patrick Pierson, IonChannel

Benefits of Extending your Datacenters with Amazon Web Services

Document Sub Title. Yotpo. Technical Overview 07/18/ Yotpo

Pasiruoškite ateičiai: modernus duomenų centras. Laurynas Dovydaitis Microsoft Azure MVP

Windows Server The operating system

IT Security Training MS-500: Microsoft 365 Security Administration. Upcoming Dates. Course Description. Course Outline $2,

DevOps Course Content

WHITEPAPER. Embracing Containers & Microservices for future-proof application modernization

Cloud Technologies. for Enterprise

Introduction to Cloud Computing

Getting started with AWS security

5 Steps to Government IT Modernization

The Data Explosion. A Guide to Oracle s Data-Management Cloud Services

IAM Recommended Practices

Agenda. This Session: Azure Networking Basics, On-prem connectivity options DEMO Create VNET/Gateway Cost-estimation for VNET/Gateways

SaaS. Public Cloud. Co-located SaaS Containers. Cloud

SignalFx Platform: Security and Compliance MARZENA FULLER. Chief Security Officer

Government IT Modernization and the Adoption of Hybrid Cloud

WEBSCALE CONVERGED APPLICATION DELIVERY PLATFORM

Transcription:

SESSION ID: STR-T08 Lift and Shift, Don t Lift and Pray: Pragmatic Cloud Migration Strategies Rich Mogull Analyst/CEO Securosis VP of Product DisruptOps rmogull@securosis.com

Reality Bites There is relentless pressure to move to cloud Nearly all published best practices are designed for clean builds, not migrations Some of the best practices for migrations are really cloud antipatterns, but are pushed to make it look easy/fast 2

A Gilded Age of Lift and Shift The migration of all or some of an existing application stack(s) from an on-premise deployment to a public cloud provider. This does not include migration to a remote datacenter The application architecture itself is irrelevant (new/old/anything counts) 3

Why Lift and Shift? Leverage Existing Investments Pressure to Vacate Datacenters Limited Resources for New Builds 4

Perils Greater Costs Less Secure Can t optimize for cloud Little to no elasticity OpEx/manual management Little or no immutable Tied to legacy security model Often manual management (no automation) Less Reliable Fragile architectures Manual DR Can t leverage inherent cloud resiliency Less Agile Can t leverage many cloud capabilities Tied to manual processes for maintenance and 5 updates

Lift and Shift Options Rearchitect Refactor Rehost Start from scratch (or close to it) Modify what you can and improve over time Just move it 6

Lift and Shift Options Rearchitect Refactor (Lift and Pray) Start from scratch (or close to it) Modify what you can and improve over time Just move it 7

Constraints and Complexities COTS Resiliency Constraints Skills and Staffing Dependencies (e.g. databases, directory servers) Network Constraints Service Limits (Including hybrid) 8

Rearchitect Completely redesign the application stack Or cleave off part of it for a redesign Implement cloud-native from scratch (if needed) Often done in parallel with one of the other options Best in the long term, but often not an option Big Data Analytics 9

Rearchitect Serverless (mostly) Immutable Event-driven Small attack surface Cost-effective Leverages existing analytics code

Refactor Take the existing stack, change what you can, live with the rest Use a dedicated account/subscription/project Replace easy-to-swap components like load balancers Leverage autoscaling if possible, but config management if not (more to follow) You work within the existing application s constraints but go as cloud-native as possible COTS CMS/Website Frequently the most-balanced option 11

Refactor Added limited auto scaling 10X Cost Savings + Better Shimmed file system to object storage Use PaaS database Security and Much Better Segregated network Isolated account Resiliency securosis.com 12

Rehost Lift and shift in the purest sense No architectural changes Typically put into a network that replicates on-prem datacenter Security controls also lifted and shifted Most projects run into significant constraints within 2-3 years IAM and service limits the biggest culprits Results in anti patterns being used Recommended all too often Cloud providers just want the workloads as fast as possible Many consultants love the big projects 13

Lift and Pray Network materially harder to secure Security tool dependencies often expand attack surface IAM extremely difficult to constrain It s like giving everyone their own keys to the datacenter Brings all the old security problems Creates a large blast radius You will fail cloud-specific security audits Service limits will inhibit proper cloud security operations Incident Response harder and often not fully prepared before migration BCP/DR ugly and expensive 14

Lift and Pray Network materially harder to secure Security tool dependencies often expand attack surface IAM extremely difficult to constrain It s like giving everyone their own keys to the datacenter Brings all the old security problems Creates a large blast radius You will fail cloud-specific security audits Service limits will inhibit proper cloud security operations Incident Response harder and often not fully prepared before migration BCP/DR ugly and expensive 15

How to Choose Rearchitect Refactor Rehost When you have the time When you have the people and skills When you can use it to learn and rebuild your program Also a great option in parallel When you can t rearchitect right away When you have a mix of people and skills When you can balance security using isolation When you are able to iterate over time When you don t have a choice When you have a backup plan Or When you know you have a better job in <18 months when it crashes :) 16

How to securely lift and shift

The Roadmap 1. Analyze app dependencies and current security 2. Isolate/compartmentalize 3. Match infrastructure to the app 4. Implement true least privilege network 5. Lock down IAM 6. Turn on native security 7. Integrate PaaS/refactor 8. Build/integrate shared security services 9. Set guardrails 10.Codify into infrastructure as code 11.Determine your expiration date controls/tools 18

Analyze app dependencies and security COTS Databases, storage, data warehouse OS/config Network connectivity Network filtering/ids/ips/waf EPP/host security agents Logging/monitoring DR/BCP Map out app + infrastructure Metastructure (e.g. directory servers, IP addresses, DNS, key management) Privileged user access/change management/deployment pipeline (or not) Sessions and load balancers 19

Isolate/compartmentalize Boom Security Group Security Group Security Group Security Group Security Group Security Group Subnet Subnet Subnet Subnet Subnet Subnet Virtual Network Virtual Network Virtual Network Virtual Network Virtual Network Virtual Network Account Account Account Dev Test Prod 2-3 accounts/projects/subscriptions per project/app stack 20

Transit Networks Not a panacea, use only when required 21

Match the infrastructure to the application Minimum required network Minimum required services Reduce external dependencies as much as possible Hybrid when required, not as a default 22

Real World Example Presenter s Company Logo replace or delete on master slide

Implement a least privilege network Web X X a b c When assessing lift and shift projects this is unfortunately usually the exception, not the rule 24

Lock down IAM Root Account Super-Admin EC2 Service Admin S3 Service Admin RDS Service Admin Dev App Admin After an overly-flat network this is the most common mistake I see in assessments 25

Turn on native security controls/tools Admin/API logs (CloudTrail, Audit Logs, Stackdriver) Threat intel/security center (e.g. GuardDuty, Azure Security Center) Assessment (Trusted Advisor, Azure Security Center, Cloud Security Command Center) Vulnerability assessment (Inspector) Other logs (service dependent, e.g. VPC Flow Logs, Stackdriver) DDoS/WAF Encryption Access controls Event-driven alerting etc 26

PaaS/Refactor Presenter s Company Logo replace or delete on master slide

Build Shared Security Services Logging/Monitoring/Alerting Federated IAM Incident Response Vulnerability management NOT Standard netsec (can use building blocks but should be specific to app needs) Standard host security controls See: Immutable 28

Set Guardrails Guardrails Workflows Orchestrations Continuously assess and enforce operational and security policies Streamline and accelerate IT operations and security through automated workflows Empower new capabilities through advanced orchestration of infrastructure, operations, and security Fix security group or S3 misconfigurations Incident response Automatic WAF insertion and configuration 29

Guardrails Define and set limits Can be allow or deny Find deviations Assessment or event based Find Evaluate the issue Fix/remediate Automatically or manually depending on rules Fix Eval 30

Examples If you find a public S3 bucket, restrict it to our known network addresses Unless it is approved or tagged Don t allow internal security groups with all ports and protocols open in Prod But allow in Dev Require MFA for API access for any user that needs MFA for console access Create our baseline IAM policies and roles for all new accounts Based on the environment Validate that monitoring and alerting is properly configured And fix if not Disable access keys that haven t been used in 90 days Find instances with an IAM role that allows power user or greater access via API Restrict the privileges Identify all cross-network peering from accounts we don t own Then check the security group permissions 31

Codify with infrastructure as code 32

Determine expiration date Most lift and shifted projects should not be considered permanent Refactoring is an ongoing process Rebuilding in parallel is often an excellent long term option 33

Antipatterns

Top design errors Single account Forcing the application into a standard or crowded network Using traditional security tools instead of native due to lack of trust or understanding Not planning for service limits Requiring hybrid and defaulting to transit networks. Every time. 35

Top implementation errors Flat networks Overly-open IAM Any-any rules Improper native tool configurations Treating security groups like firewalls 36

Top security program errors No cloud-specific IR No cloud-specific alerting (time delays) No guardrails Trying to fix after implementation Not monitoring the management plane Ineffective or untested DR 37

Apply Next week you should: Identify a self-constrained lift and shift project Or an existing project to update In the first three months following this presentation you should: Build your selection and strategy matrix for which pattern to use Identify at-risk projects that used antipatterns (e.g. a big cloud account with a lot of different projects inside) Within six months you should: Begin using isolated environments for all new migrations Build out shared services and operational plans to support new migrations Develop a strategy for reviewing and repairing previous at-risk projects 38

SESSION ID: STR-T08 Lift and Shift, Don t Lift and Pray: Pragmatic Cloud Migration Strategies Rich Mogull Analyst/CEO Securosis VP of Product DisruptOps rmogull@securosis.com

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback