CLOUD WORKLOAD SECURITY

Similar documents
HALO IN ACTION COMPLIANCE DON T LET LEGACY SECURITY TOOLS HOLD UP PCI COMPLIANCE IN THE CLOUD. Automated PCI compliance anytime, anywhere.

McAfee Public Cloud Server Security Suite

Security as Code: The Time is Now. Dave Shackleford Founder, Voodoo Security Sr. Instructor, SANS

Automating Security Practices for the DevOps Revolution

Qualys Cloud Platform

AWS Reference Design Document

CyberPosture Intelligence for Your Hybrid Infrastructure

Closing the Hybrid Cloud Security Gap with Cavirin

Qualys Cloud Platform

Christopher Covert. Principal Product Manager Enterprise Solutions Group. Copyright 2016 Symantec Endpoint Protection Cloud

Cloud is the 'Only' Way Forward in Information Security. Leveraging Scale to Make the Unknown Known, in Dev, Sec & Ops.

SIEMLESS THREAT DETECTION FOR AWS

The threat landscape is constantly

Vulnerability Management

How Security Policy Orchestration Extends to Hybrid Cloud Platforms

DevOps Tooling from AWS

AZURE CLOUD SECURITY GUIDE: 6 BEST PRACTICES. To Secure Azure and Hybrid Cloud Environments

Securing the Software-Defined Data Center

Borderless security engineered for your elastic hybrid cloud. Kaspersky Hybrid Cloud Security. #truecybersecurity

DevOps and Continuous Delivery USE CASE

DEVOPSIFYING NETWORK SECURITY. An AlgoSec Technical Whitepaper

THE IMPACT OF HYBRID AND MULTI CLOUDS TO CYBERSECURITY PRIORITIES

Unify DevOps and SecOps: Security Without Friction

CSV-W14 - BUILDING AND ADOPTING A CLOUD-NATIVE SECURITY PROGRAM

SYMANTEC DATA CENTER SECURITY

AUTOMATE THE DEPLOYMENT OF SECURE DEVELOPER VPCs

Tripwire State of Cyber Hygiene Report

Azure DevOps. Randy Pagels Intelligent Cloud Technical Specialist Great Lakes Region

Securing Your Amazon Web Services Virtual Networks

Patching and Updating your VM SUSE Manager. Donald Vosburg, Sales Engineer, SUSE

Best Practices in Securing a Multicloud World

Getting Started with AWS Security

DATA SHEET AlienVault USM Anywhere Powerful Threat Detection and Incident Response for All Your Critical Infrastructure

Privilege Security & Next-Generation Technology. Morey J. Haber Chief Technology Officer

BUILDING SECURITY INTO YOUR DATA CENTER MODERNIZATION STRATEGY

Exam C Foundations of IBM Cloud Reference Architecture V5

HARNESSING THE HYBRID CLOUD TO DRIVE GREATER BUSINESS AGILITY

Managing and Auditing Organizational Migration to the Cloud TELASA SECURITY

Orchestrating the Continuous Delivery Process

Hybrid Cloud Management: Transforming hybrid cloud delivery

Hackproof Your Cloud Responding to 2016 Threats

DEFINING SECURITY FOR TODAY S CLOUD ENVIRONMENTS. Security Without Compromise

YOUR APPLICATION S JOURNEY TO THE CLOUD. What s the best way to get cloud native capabilities for your existing applications?

Security Camp 2016 Cloud Security. August 18, 2016

SOLUTION BRIEF ASSESSING DECEPTION TECHNOLOGY FOR A PROACTIVE DEFENSE

Securing Your Microsoft Azure Virtual Networks

Securing Dynamic Data Centers. Muhammad Wajahat Rajab, Pre-Sales Consultant Trend Micro, Pakistan &

A10 HARMONY CONTROLLER

Popular SIEM vs aisiem

The Why, What, and How of Cisco Tetration

Securing Amazon Web Services (AWS) EC2 Instances with Dome9. A Whitepaper by Dome9 Security, Ltd.

2018 Cisco and/or its affiliates. All rights reserved.

The New Normal. Unique Challenges When Monitoring Hybrid Cloud Environments

Build an open hybrid cloud and paint it red and blue

SOLUTION BRIEF RSA NETWITNESS EVOLVED SIEM

Modelos de Negócio na Era das Clouds. André Rodrigues, Cloud Systems Engineer

Completing your AWS Cloud SECURING YOUR AMAZON WEB SERVICES ENVIRONMENT

Privileged Account Security: A Balanced Approach to Securing Unix Environments

CREATING A CLOUD STRONGHOLD: Strategies and Methods to Manage and Secure Your Cloud

Adopting Modern Practices for Improved Cloud Security. Cox Automotive - Enterprise Risk & Security

Cisco CloudCenter Use Case Summary

8 Must Have. Features for Risk-Based Vulnerability Management and More

WITH ACTIVEWATCH EXPERT BACKED, DETECTION AND THREAT RESPONSE BENEFITS HOW THREAT MANAGER WORKS SOLUTION OVERVIEW:

Development. Architecture QA. Operations

STATE OF MODERN APPLICATIONS IN THE CLOUD

PCI DSS Compliance. White Paper Parallels Remote Application Server

CyberArk Privileged Threat Analytics

Day One Success for DevSecOps and Automation on Azure

Supporting the Cloud Transformation of Agencies across the Public Sector

RED HAT CLOUDFORMS. Chris Saunders Cloud Solutions

CASE STUDY Application Migration and optimization on AWS

Deploy Symantec Cloud Workload Protection for Storage

Zero Trust with Okta: A Modern Approach to Secure Access from Anywhere. How Okta enables a Zero Trust solution for our customers

Powerful Insights with Every Click. FixStream. Agentless Infrastructure Auto-Discovery for Modern IT Operations

Datacenter Security: Protection Beyond OS LifeCycle

Cisco Cloud Application Centric Infrastructure

Paper. Delivering Strong Security in a Hyperconverged Data Center Environment

McAfee epolicy Orchestrator

VMWARE PIVOTAL CONTAINER SERVICE

COMPLIANCE AUTOMATION BRIDGING THE GAP BETWEEN DEVELOPMENT AND INFORMATION SECURITY

Protecting Against Modern Attacks. Protection Against Modern Attack Vectors

TRUSTED IT: REDEFINE SOCIAL, MOBILE & CLOUD INFRASTRUCTURE. John McDonald

Eyes Everywhere: Monitoring Today's Borderless Landscape

Five Essential Capabilities for Airtight Cloud Security

A Risk Management Platform

Microsoft Security Management

Deep Security Integration with Sumo Logic

The Evolution of Data Center Security, Risk and Compliance

Overcoming the Challenges of Automating Security in a DevOps Environment

7 Steps to Complete Privileged Account Management. September 5, 2017 Fabricio Simao Country Manager

Everything visible. Everything secure.

Architecting Microsoft Azure Solutions (proposed exam 535)

Digital Renewable Ecosystem on Predix Platform from GE Renewable Energy

Carbon Black PCI Compliance Mapping Checklist

ForeScout ControlFabric TM Architecture

Agile CI/CD with Jenkins and/at ZeroStack. Kiran Bondalapati CTO, Co-Founder & Jenkins Admin ZeroStack, Inc. (

SUSE s vision for agile software development and deployment in the Software Defined Datacenter

IBM Cloud Security for the Cloud. Amr Ismail Security Solutions Sales Leader Middle East & Pakistan

21ST century enterprise. HCL Technologies Presents. Roadmap for Data Center Transformation

Symantec Endpoint Protection Family Feature Comparison

Transcription:

SOLUTION OVERVIEW CLOUD WORKLOAD SECURITY Bottom line: If you re in IT today, you re already in the cloud.

As technology becomes an increasingly important element of business success, the adoption of highly elastic, highly scalable, and highly performant application stacks is no longer a choice it s a necessity. The majority of new applications built for today s enterprises are typically developed and deployed on public clouds such as Amazon Web Services (AWS) and Microsoft Azure. These apps are predominantly new web apps or analytics apps designed for direct-to-customer interactions, big data analytics, or for rapidly opening new lines of business/new ways to market IoT, mobile, etc. And if you re not there yet you will be For many enterprises, the cloud is a more aspirational goal. Rather than starting fresh with new apps, they are focused on migrating existing apps from their on-prem data center (could be virtualized infrastructure, colo or any dedicated infrastructure) or from a shared service environment to the public cloud. This has significant cost savings benefits in terms of facilities, personnel, and energy not to mention the convenience of adding new resources on-demand. These cloud-native, modern applications have some foundational characteristics: Unlike your legacy apps, these applications are assembled from stateless microservices packaged in ephemeral virtual machines or containers and a combination of data, messaging and/or notification services The application is deployed through an automated CI/CD pipeline. They utilize infrastructure automation and orchestration tools to speed deployment without manual intervention - think Infrastructure-as-code/automated everything. Unlike your legacy apps which were released once in few months these modern applications change several times a week if not daily. The application is often hosted on modern but shared infrastructure like public clouds. KEY SECURITY & COMPLIANCE CHALLENGES The attack surface has expanded Until now, the standard approach for protecting an enterprise s most prominent applications has been to host them in a siloed (virtualized) infrastructure with network perimeter security around it. This is a flawed approach even when applied to relatively static and predictable private data center environments. In the public cloud this approach is suicidal. In a shared infrastructure, besides securing your perimeter, you have to secure each host, cloud resource for your application. Security can t keep up Unlike legacy apps, a cloud-hosted application is designed for higher rates of change. The application scales up and down automatically based on load; new features and functionality is delivered weekly if not daily; and the app itself is typically deployed automatically. A manual security approach that is bolted on at the end of the deployment cycle, while appropriate for legacy apps in data center, will not be able to keep up with modern applications running on modern infrastructure or the DevOps teams charged with their creation, care, and feeding. - 2 -

Compliance is even more complex The combination of a new and expanded attack surface, the change rate inherent in the application development, deployment, and environment, and the lack of a dedicated and parameterized infrastructure causes new compliance challenges that you will have to adapt to. Define policies for hardened and secure configurations and ensure your applications are compliant with these policies. Leverage CIS benchmarks (industry standard or your own internally developed rules). Access control: Lock down access control privileges for your application systems. Follow the principle of least privilege. Discourage root or sudo access for any personnel. MFA is highly recommended THE 4 KEY STEPS FOR MASTERING THESE CHALLENGES There are 4 key steps for properly securing your cloud workloads without sacrificing speed, flexibility, or overall manageability. 1. Secure the core Go from a perimeter-security-and-soft-core approach to a harden-the-core approach: Secure your applications by hardening every single node of your application. Broadly speaking, the attack surface of an application is largely composed of its data and the commands in and out as well as the code that actually processes the data and its associated commands. Here are some practical guidelines for reducing the attack surface for your applications: Vulnerability scanning: Make sure your application nodes are free of known vulnerabilities. More than 80% of cyberattacks can be prevented by good cybersecurity hygiene and the first step towards that is keeping your servers free from any critical vulnerabilities. Secure configuration: Poorly configured applications or operating system controls allow attackers to take control of your system and propagate to other systems and environments. 2. Continuously monitor for IoCs and policy violations It s no longer appropriate to set policies, controls, and checks and then move on. In the cloud, you must continuously monitor your systems, since vulnerabilities can be introduced and exploited within seconds with potentially disastrous results. In the public cloud you now must continuously scan for: New vulnerabilities announced since your servers were initially deployed. Critical vulnerabilities that are still not patched Configuration policy violations File system integrity violations Monitor load balancer logs, applications logs, database transaction logs, network flow logs for any unwanted or non-compliant activity Unauthorized access to root level accounts 3. Shift left Move your control implementation and security audits to be as early as possible in your development/deployment cycles. In a public cloud infrastructure it takes minutes if not seconds for a poorly secured server to become compromised. Therefore, it is definitely best practice for your application nodes to be secured prior to deployment in production environments. You wouldn t - 3 - - 3 -

deploy your application without completing your functional, integration, and user acceptance testing (UAT). Add security and compliance assessment to you test matrix early and prevent huge problems later. 4. Automate Everything Especially Security Business and development teams are both moving fast. They have automated deployments for the full application stack, including the underlying infrastructure. The build and testing of these applications have also been automated. In this automated world, security testing, implementation, and monitoring, have to all be automated. In the absence of security automation, businesses have to face a trade off between security vs time to market. Which is really not a trade off at all when you consider the risk and damage to a business s reputation and customer trust that a security breach can cause. HALO: MASTERING THE 3 CHALLENGES AUTOMATICALLY Halo is the industry-leading solution for cloud workload security. It not only offers the most comprehensive set of automated security and compliance monitoring capabilities, but also enables them from a highly automated, scalable, and mature cloud-scale platform. 1. Halo assesses your workload attack surface Halo automatically identifies vulnerable packages in both your Linux and Windows servers. Halo enables you to define and monitor your configuration hardening standards. Halo comes with several policy templates that you can clone and customize to your specific organization s needs. Leverage our out of the box integration with industry leading configuration management tools for automated remediation of policy violations. Halo manages and monitors your local access controls on each server. 2. Halo detects policy violations and undesirable activities Halo employs a continuous monitoring model and will detect any configuration drift or changes in your workload attack surface. Halo also includes a comprehensive set of host based intrusion detection capabilities, watching as well as alerting on several critical aspects of your server workloads including: File system integrity Investigating and auditing various log file for security-related events of interest. Privileged access auditing and monitoring Network traffic flow monitoring 3. Halo automates security Halo s security automation capabilities allow you to: Automate security assessment as part of infrastructure provisioning. A thin micro-agent inserted into a gold image or deployed in servers using a client s existing deployment processes will deliver a comprehensive assessment in less than 90 seconds. - 4 -

Automate security workflows and implement a closed-loop security model. Halo comes with full REST APIs, which can be used to integrate security events and alerts into your existing SIEM or orchestration workflows. Halo implements a continuous monitoring model and automatically resolves issues that have been successfully remediated. Now application owners do not have to chose between speed and security. They can have both. WHAT S UNIQUE ABOUT HALO S SOLUTION? Comprehensive security capabilities while many vendors claim to provide a full stack of security monitoring and alerting tools, only Halo delivers fully integrated functionality across the development and deployment stack. Rather than purchasing and integrating multiple modules Halo delivers single agent/single console visibility to the critical security functionality that enables you detect, protect, and remediate threats and vulnerabilities to your cloud infrastructure at speed and at scale. Infrastructure agnostic Halo supports the full cloud application stack. This is critical as today s modern cloud applications are assembled from multiple services orchestrated and managed by multiple services running in a multiplicity of environments. Halo delivers visibility across all levels of the stack. More importantly Halo is the only cloud security solution in the market that can be used both for virtualized - 5 -

and container/microservices environments. As containers become an increasingly popular way to develop, package, and deploy apps, proper security hygiene is as critical for those environments as it is for virtualized ones. While many vendors can claim to support different public cloud vendors such as AWS or Azure, only Halo can deliver visibility and control across the entire cloud application stack including containers and microservices. Halo was built for DevSecOps. Halo offers one of the industry s most complete REST API enabling enterprise security, IT, and DevOps teams to seamlessly integrate security into their DevOps processes, CI/CD toolchains, and infrastructure automation solutions. Halo also features a Python SDK that acts as a wrapper to the REST API. It handles authentication, pagination and decreased snowflakes by promoting reusable code. The API itself is fully bi-directional. It can use data from Halo to integrate with third-party products (e.g. open a ticket in Jira or ServiceNow, export data to common SIEMs or create an Ansible playbook to remediate vulnerable packages). Halo is also used by DevOps teams to automate configuration security monitoring scans in their build pipeline. Finally, the API can pull data into Halo such as security policies, e.g. a file integrity or configuration security policy. ABOUT CLOUDPASSAGE Founded in 2011, CloudPassage was the first company to obtain a U.S. patent for universal cloud infrastructure security and has continued to innovate cloud security automation and compliance monitoring for application development and deployment. CloudPassage Halo is an award-winning workload security automation platform, delivered as a service, that provides universal visibility and continuous protection for data centers, private/public clouds and containers. Halo deploys in minutes and scales effortlessly. The platform integrates with automation and orchestration tools such as Puppet and Chef, as well as CI/CD tools such as Jenkins. Today, CloudPassage Halo secures the infrastructure of leading global finance, insurance, media, ecommerce, high-tech service providers, transportation and hospitality companies. www.cloudpassage.com 800.215.7404 2017 CloudPassage. All rights reserved. CloudPassage and Halo are registered trademarks of CloudPassage, Inc. SO_DevOps_10312017-6 -

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback