SESSION ID: CSV-F01
Hardening the Cloud: Assuring Agile Security in High-Growth Environments
(Moving from span ports to virtual appliances)
Aaron McKeown, Lead Security Architect, Xero

Fast or Secure
Fast & Secure
Beautiful cloud-based accounting software
Connecting people with the right numbers anytime, anywhere, on any device
1,450+ staff globally
$474m raised in capital
$202m subscription revenue FY16
$1tr incoming and outgoing transactions in past 12 mths
450m incoming and outgoing transactions in past 12 mths
All figures shown are in NZD

862,000+ Subscribers globally (subscriber growth chart, 2009 to 2016)
Public Cloud Migration
Supporting the next wave of growth
Reducing our cost to serve
Improving data protection
Eliminating scheduled downtime
Maintaining and improving security

Key Challenges
Skills are scarce
Automation is key
Regional representation and recommendations
Need to focus on visibility
Application architecture has to change
Third-party commercial models need to change
Challenge #1: Skills are scarce
Make an initial investment in education
Join industry groups and forums
Selective engagement of contractors
Promotion of industry-wide cyber skills

Challenge #2: Regional representation and recommendations
Build a strong relationship with AWS
Reach out to your contacts
Look at alternatives
Build a communication path to remote organizations

Challenge #3: Application architecture has to change
Work in cross-functional teams
Deliver in short, frequent cycles
Communicate quickly and effectively
Build and deliver security as a service

Challenge #4: Automation is key
Make automation a core principle
Start with basic use of CloudFormation
Use a code repository
Build a Continuous Integration (CI) and Continuous Delivery (CD) system

Challenge #5: Need to focus on visibility
CloudTrail is enabled by default for all accounts
Track configuration drift
Get the development teams invested
Extended into a virtual team

Challenge #6: Third-party commercial models need to change
Do what we advise others to do: use the cloud
Work with our technology partners and vendors
Move from perpetual licenses to core-based licenses
Address commercial and legal issues first
Key Principles
Repeatable, automated build and management of security systems
Accelerated pace of security innovation
On-demand security infrastructure that works at any scale

Key Learnings
Security by design - what's that?
Communication is key
Measure & test, monitor everything
Welcome to the cloud - Where's my span port?

Key Learnings: Security by design - what's that?
Build security into every layer
Treat your infrastructure as code
Iterate, iterate, iterate
Build security into the product lifecycle

Key Learnings: Communication is key
Make everyone a spokesperson
Evangelize and sell your service
Communicate success (as well as failure)
Documentation is critical

Key Learnings: Measure & test, monitor everything
How do you know what normal looks like?
Continually track configuration drift
Do a gap analysis
Perform internal and external testing

Key Learnings: Welcome to the cloud - Where's my span port?
Change your way of thinking
Expand your scope of responsibility
It is a shared journey for all
Use cross-functional teams
The New Paradigm of Shared Responsibility
Xero + Partner: Applications & Content, Ecosystem
Xero (Security IN the Cloud): Network, Identity & Access, Inventory, Security Control & Config, Data Encryption
AWS (Security OF the Cloud): Foundation Services (Compute, Storage, Database, Networking); Global Infrastructure (Availability Zones, Regions, Edge Locations)

Security as a Service
VPN connectivity
Host Based Security
Proxy Services
Security Operations and Consulting Services
Web Application Security and Delivery
Shared Key Management Services
Secure Bastion Access

Multi-Factor Authentication
The decision to utilize MFA was a core component of security design
User awareness was initially an issue
Some users refused to utilize the system
Multiple MFA systems already in place
Enable the MFA enhanced features

Configuration Drift Management
Finding the needle in an automated and freedom-to-deploy haystack
Used Netflix Security Monkey to track, monitor, and action key AWS resource changes
Watchers configured across all AWS accounts
Started as an internal Cloud Security tool
Adoption was driven by the product teams
Risk and compliance utilization for best practice review
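The drift tracking this slide (and Challenge #5) describes, as an added Python example that is not Xero's or Security Monkey's code: it diffs a baseline snapshot of security-group ingress rules across accounts against the current state and triages each change. The two snapshots are constructed inline; a real watcher would pull them per account from the AWS API.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    """One security-group ingress rule, as a watcher would snapshot it."""
    account: str
    group: str
    proto: str
    port: int
    cidr: str

# Constructed baseline: the rules the last approved deployment produced.
BASELINE = {
    Rule("prod", "sg-web", "tcp", 443, "0.0.0.0/0"),
    Rule("prod", "sg-web", "tcp", 22, "10.0.0.0/8"),
    Rule("dev", "sg-api", "tcp", 8080, "10.0.0.0/8"),
}
# Constructed current state: two groups were changed by hand since then.
CURRENT = {
    Rule("prod", "sg-web", "tcp", 443, "0.0.0.0/0"),
    Rule("prod", "sg-web", "tcp", 22, "0.0.0.0/0"),    # SSH now open to the internet
    Rule("dev", "sg-api", "tcp", 8080, "10.0.0.0/8"),
    Rule("dev", "sg-api", "tcp", 3306, "10.0.0.0/8"),  # new database port
}

def diff_rules(baseline, current):
    """Return (added, removed): the drift since the baseline snapshot."""
    return current - baseline, baseline - current

def severity(rule):
    """Triage an added rule the way a security reviewer would."""
    if rule.cidr == "0.0.0.0/0" and rule.port not in (80, 443):
        return "high"    # non-web port exposed to the whole internet
    if rule.cidr == "0.0.0.0/0":
        return "medium"  # public web port: expected, but worth a look
    return "low"         # internal-only change

def drift_report(baseline, current):
    """List (account, group, change, severity, rule) for every drifted rule."""
    added, removed = diff_rules(baseline, current)
    report = [(r.account, r.group, "added", severity(r), r) for r in sorted(added, key=str)]
    report += [(r.account, r.group, "removed", "info", r) for r in sorted(removed, key=str)]
    return report

if __name__ == "__main__":
    for acct, grp, change, sev, rule in drift_report(BASELINE, CURRENT):
        print(f"[{sev:>6}] {acct}/{grp} {change}: {rule.proto}/{rule.port} from {rule.cidr}")
```

Run it on a schedule per account and the "removed" entries are as useful as the "added" ones: a vanished restrictive rule is drift too.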
Host Security Automation
Next layer of defense at the host level
Used to monitor, notify, and action instance-level configurations, vulnerabilities and integrity
Automated roll-out and integration with all hosts
Make use of the cloud
Adopt elasticity and automation
Accelerated pace of development

Apply What You Have Learned Today
WEEK 1: Activate multi-factor authentication; Enable CloudTrail; Start your first automation!
MONTH 3: Define your principles; Develop a security architecture; Start to track your configuration drift
MONTH 6: Measure, test & monitor everything; Build a culture of communication; Automate more!

Aaron McKeown, Lead Security Architect, Xero
www.xero.com
@xero