THE IMPACT OF HYBRID AND MULTI CLOUDS TO CYBERSECURITY PRIORITIES

SESSION ID: STR-R14
Doug Cahill, Group Director and Senior Analyst, Enterprise Strategy Group (@dougcahill)

WHO IS THIS GUY?

Topics
- The Composition of Hybrid Clouds
- Spotlight: Container Security Considerations
- Defining the Lack of Cloud Visibility
- Retooling for Multi-Dimensional Hybrid Clouds
- Spotlight: Automating Security via Integration with the CI/CD Pipeline
- Applying Best Practices
- Summary

THE COMPOSITION OF HYBRID CLOUDS

What is hybrid, anyway?

THE MANY DEFINITIONS OF A HYBRID CLOUD
- Primary historical use case: public cloud as a storage target for backup and archiving
- More accurately: cross-cloud orchestration
  - By app tier, e.g. DB tier on-premises, web app tier in the cloud
  - Burst mode for scale, portability for best fit and price
- For this discussion: simply the combination of an on-premises + cloud footprint

Multi-Cloud Adoption

Workloads are Shifting to Public Clouds
Survey question: Of all the production workloads used by your organization, approximately what percentage is run on public cloud infrastructure services (i.e., IaaS and/or PaaS) today? How do you expect this to change, if at all, over the next 24 months? (Percent of respondents, N=450)
Chart: two series, percent of production workloads run on public cloud infrastructure services today vs. 24 months from now, bucketed as less than 10% of workloads, 10% to 20%, 21% to 30%, 31% to 40%, 41% to 50%, more than 50%, and don't know.

The Heterogeneous Mix of Workload Types
Percent of production workloads run on each server type:

  Server type          Today    24 months from now
  Bare metal servers   35%      26%
  Virtual machines     46%      41%
  Containers           19%      33%

HYBRID CLOUDS ARE MULTI-DIMENSIONAL: 2+ multi-clouds x heterogeneous server types
2017 by The Enterprise Strategy Group, Inc.

SPOTLIGHT: CONTAINER SECURITY CONSIDERATIONS

Containers are coming, en masse!

App Containers Are Moving Into Production
Response options:
- Yes, we have already deployed an extensive number of containerized production applications
- Yes, we have already deployed a few containerized production applications
- No, but we are testing it and plan to start deploying to production in the next 12 months
- No, but we intend to start testing it in our lab in the next 12 months
- No, and we have no plans to
- Don't know
Callouts: 56% already in production; +24% in the next 12 months.

Legacy and New Apps are Being Containerized
- We use/will use containers for new applications only: 23%
- We use/will use containers for new applications and some pre-existing legacy applications: 73%
- We use/will use containers for pre-existing legacy applications only: 4%

Application Container Portability Makes Them Location Agnostic
- Our container-based applications are/will be deployed in a combination of public cloud platforms and private data centers: 52%
- The remaining respondents split 27% / 21% between deployment in a public cloud environment only and deployment in an on-premises data center or colocation facility managed by our organization only

Container Security Concerns = VM Sprawl Redux

Container Security Pre-Production Requirements
- Establish trusted images via registry-resident image scanning
  - Eliminate known software vulnerabilities
  - Bonus: contextual, based on risk (known exploit, criticality of the app and data)
  - Harden configurations against CIS benchmarks
  - Remediate, rinse and repeat
- Secrets management: separate until runtime
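The slide above describes a registry-side gate: scan, weigh findings by context, check hardening, and refuse images that carry secrets. The following is an added example of such a gate written for this page; it is not code from the presentation or from any scanner product. The report layout, the field names, the EXAMPLE-* finding identifiers, the threshold and the sample image are assumptions constructed for the illustration; map them to your scanner's output and your CIS Docker Benchmark results when adapting it.

```python
"""Pre-production image gate: scan results -> promote to trusted registry or block.

Added example; not the presentation's or any vendor's code. Report shape,
field names, EXAMPLE-* identifiers and sample data are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Base severity ranks. Contextual risk multiplies these by the criticality of
# the app/data (1 = low, 3 = high) and doubles when a public exploit is known.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Environment keys that suggest a credential was baked into the image layers
# instead of being injected at runtime ("separate until runtime").
SECRET_HINTS = ("PASSWORD", "SECRET", "TOKEN", "API_KEY", "PRIVATE_KEY")


@dataclass
class Finding:
    identifier: str               # vulnerability id (constructed EXAMPLE-* below)
    severity: str                 # low / medium / high / critical
    fixed_version: Optional[str]  # None when upstream has no fix yet
    exploit_known: bool = False


@dataclass
class ImageReport:
    image: str
    findings: List[Finding] = field(default_factory=list)
    env: Dict[str, str] = field(default_factory=dict)       # ENV baked into the image config
    cis_failures: List[str] = field(default_factory=list)   # failed hardening checks


def risk_score(finding: Finding, app_criticality: int) -> int:
    """Contextual score: severity x criticality, doubled for a known exploit."""
    score = SEVERITY_RANK[finding.severity] * app_criticality
    return score * 2 if finding.exploit_known else score


def baked_in_secrets(env: Dict[str, str]) -> List[str]:
    """Keys whose name looks like a credential and whose value is non-empty."""
    return sorted(k for k, v in env.items()
                  if v and any(hint in k.upper() for hint in SECRET_HINTS))


def evaluate(report: ImageReport, app_criticality: int, threshold: int = 6) -> dict:
    """Decide whether the image may be promoted to the trusted registry.

    A finding at or above `threshold` blocks; the reason says whether a fix
    exists (remediate, rebuild, rescan) or a risk acceptance is needed.
    Baked-in secrets and failed hardening checks always block.
    """
    reasons = []
    for f in report.findings:
        score = risk_score(f, app_criticality)
        if score < threshold:
            continue
        if f.fixed_version:
            reasons.append(f"{f.identifier}: risk {score}, fix available in {f.fixed_version}")
        else:
            reasons.append(f"{f.identifier}: risk {score}, no fix yet (needs risk acceptance)")
    secrets = baked_in_secrets(report.env)
    reasons.extend(f"secret baked into image env: {k}" for k in secrets)
    reasons.extend(f"hardening check failed: {c}" for c in report.cis_failures)
    return {"image": report.image, "trusted": not reasons,
            "reasons": reasons, "baked_in_secrets": secrets}


def sample_report() -> ImageReport:
    """Constructed scan result for a hypothetical image (not real data)."""
    return ImageReport(
        image="registry.example.internal/payments/api:1.4.2",
        findings=[
            Finding("EXAMPLE-0001", "high", fixed_version="2.4.1", exploit_known=True),
            Finding("EXAMPLE-0002", "low", fixed_version=None),
        ],
        env={"APP_ENV": "prod", "DB_PASSWORD": "hunter2"},
        cis_failures=["container runs as root (no USER instruction)"],
    )


if __name__ == "__main__":
    verdict = evaluate(sample_report(), app_criticality=3)
    print("trusted" if verdict["trusted"] else "BLOCKED")
    for reason in verdict["reasons"]:
        print(" -", reason)
```

The same high-severity finding blocks a criticality-3 image but passes on a criticality-1 image with no known exploit, which is the "contextual based on risk" point of the slide: the gate is a policy over scan output, not a raw severity filter. Wire `evaluate` into the registry promotion step of the CI/CD pipeline rather than into the build, so the decision is taken on the exact artifact that would ship.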

Container Security Runtime Requirements
- Continuous monitoring
  - Inventory, including discovery of untrusted/unsigned containers
  - Topology mapping to view and verify relationships
  - East-west inter-container traffic
  - Auditing of access requests, system activity, and Docker API calls
  - Integrity monitoring
  - Baselining of normal behavior
- Threat prevention
  - Detection and prevention of anomalous activity
  - Integrity and application control to prevent drift
  - Intrusion detection and prevention
  - Access controls, including segmentation
  - Anti-malware detection and prevention

Container Security - Implementation Considerations
- CI/CD tool integration to enable automation (build-ship-run tools)
- Consider the pros and cons of host agent vs. privileged container vs. sensor
- Registry aware, public and private
- Heterogeneous server workload type support

DEFINING THE LACK OF CLOUD VISIBILITY

Where s the network tap?

Top Hybrid Cloud Security Challenges (percent of respondents)
- Maintaining strong and consistent security across our own data center and multiple public cloud: 25%
- Employees signing up for cloud applications without the approval and governance of our IT: 23%
- Keeping up with the rapid pace of change via DevOps automation makes it a challenge to: 20%
- Meeting prescribed best practices for the configuration of cloud-resident workloads and the use: 19%
- Our DevOps and application owners do not want to involve our security team in their cloud: 19%
- Inability for existing network security controls to provide visibility into cloud: 18%
- Lack of skills needed to align strong security with our hybrid cloud strategy: 18%
- Satisfying our security team that our public cloud infrastructure is secure: 18%
- Some of our business units are doing application development and deployment on public cloud: 17%
- My organization's existing security tools do not support cloud native conventions such as on-: 16%
- Aligning regulatory compliance requirements with my organization's cloud strategy: 16%
- Lack of visibility into the network related activity of our cloud-based workloads: 14%
- Inability to automate the application of security controls due to the lack of integration with: 13%
- We have not experienced any challenges: 6%

Top Areas for Improving Visibility Into Cloud-Resident Workloads (percent of respondents)
- Identifying software vulnerabilities: 30%
- Identifying workload configurations that are out of compliance: 30%
- An audit trail of all system level activity: 27%
- Alerts on the detection of anomalous system-level workload activity: 26%
- An audit trail of privileged user account activity: 26%
- An audit trail of the use of IaaS APIs: 24%
- The existence of any external facing server workloads which do not: 21%
- Inter-workload communication: 19%
- The communication between workloads and an externally facing: 18%
- Alerts on the anomalous use of cloud APIs: 18%

WHICH IS WHY SOME FEEL THIS WAY

RETOOLING FOR MULTI-DIMENSIONAL HYBRID CLOUDS


Highest Priorities for Hybrid Cloud Security (percent of respondents)
- Build a cloud security strategy that can be used across heterogeneous public and private clouds: 30%
- Implement a workload segmentation model to limit the lateral movement of an attack, i.e., segment test/dev from production workloads, segment regulated from non-regulated workloads, etc.: 28%
- Integrate security controls with cloud and/or container orchestration tools: 27%
- Work with other teams to align security requirements with cloud provisioning and management automation: 24%
- Create a self-service catalogue so that workloads can be classified and then assigned to different public and private cloud options based upon their sensitivity: 23%
- Explore and recommend new security technologies that are specifically designed for cloud computing: 22%
- Determine ways to accelerate security tasks to keep pace with cloud provisioning and DevOps: 20%
- Learn about the security controls, monitoring capabilities, and APIs associated with each cloud service provider offering: 20%
- Figure out how we can extend our current security technologies to protect/monitor cloud workloads: 20%
- Create new policies specifically for cloud workloads and containers: 20%

Retooling Across Skills and Processes (percent of respondents)
- General knowledge of cybersecurity threats that pose a risk to hybrid cloud infrastructure: 33%
- Lack of familiarity with the continuous integration and continuous delivery processes and orchestration tools of a DevOps methodology: 31%
- Working relationship between the IT Operations, DevOps, and cybersecurity teams: 31%
- Understanding the specifics of how our cloud service provider and our organization share responsibility for securing our cloud-resident assets: 28%
- We don't have an adequately sized staff to meet our cloud security needs: 20%
- We don't have the right level of cloud security skills: 19%
- None of the above: 6%

The Rise of the Cloud Security Architect
Response options:
- Yes, and this position(s) has been in place for a year or more
- Yes, and this position(s) has been in place for less than one year
- Yes, and this position(s) was recently established
- No, but we are actively hiring for this position
- We have had difficulty filling this position
- No, but we plan to establish this type of position(s) within the next 12 to 24 months
- No, but we are interested in establishing this type of position(s) sometime in the future
- No, and we have no plans or interest in doing so in the future
- Don't know

AUTOMATING SECURITY VIA INTEGRATION WITH THE CI/CD PIPELINE

Strong Interest in Security + DevOps Use Cases
Response options:
- Extensively: automating security via DevOps was one of the main reasons we adopted DevOps
- Somewhat: we plan to incorporate some level of security in our DevOps process
- We are evaluating security use cases that leverage our DevOps processes
- We do not want to slow down our DevOps processes with security
- We have not yet discussed how security fits with our DevOps plans
- Don't know

Drivers Behind DevSecOps Adoption
1. TIGHT INTEGRATION: allows us to improve our security posture by making sure cybersecurity controls and processes are tightly integrated at every stage of our continuous integration and continuous delivery (CI/CD) tool chain
2. COMPLIANCE: allows us to assure we meet and maintain compliance with applicable industry regulations
3. COLLABORATION: fosters a high level of collaboration between our development, infrastructure management, application owners, and cybersecurity stakeholders
4. OPERATIONAL EFFICIENCY: improves our operational efficiency by automating the deployment of cybersecurity controls
5. PROACTIVE APPROACH: makes us think about security proactively and as an immutable attribute of how we manage our infrastructure

DevSecOps and Cloud SecOps Use Cases Span Environments (each selected by 34% to 46% of respondents)
- Identifying workload configuration vulnerabilities before deployment to production
- Applying controls which can detect anomalous activity
- Applying preventative controls
- Identifying software vulnerabilities before deployment to production
- Identifying workload configurations that are out of compliance with a regulation before deployment to production
- Applying controls which capture system activity for incident response and forensics
- Applying inter-workload communication access controls

APPLYING BEST PRACTICES

Separate Environments and Duties
- By environment
  - Segment Dev, Test, and Production environments
  - Further segment by compute and storage
  - Tiny bubbles to reduce blast radius
- By role, with least privilege and MFA
  - APIs, not user accounts, to interact with services
  - A least privilege model protects against credential harvesting
  - MFA for commits, builds, and deploys

Gain Visibility via Discovery, Assessments, and Monitoring
- Inventory the attack surface area
  - Instance and container sprawl = the developer manifestation of Shadow IT
  - On-premises and cloud-resident workloads
  - For all accounts, all clouds
- Assess configurations
  - The obvious: externally facing workloads not routing via a bastion host
  - Workload configs against CIS benchmarks
  - Use of pre-hardened images
- Monitor the environment
  - Enable auditing services for API and service usage; augment with an on-board agent
  - Host network flow traffic for east-west and in/outbound threat detection
  - DVR activity for "trust, but verify" compliance and IR investigations

Employ Anomaly Detection for Auto Scaling Groups
- Premise: there should be no intra-group drift
- Anomalies of interest:
  - New processes and child processes
  - File system changes
  - Logins beyond ID: time, location, frequency
  - Netflow to/from remote IPs (i.e. not via the jumphost)
  - User access behaviors
  - Inter-entity deviations
- Rules by role to automate and reduce alert storms
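The premise of the slide above is that every member of an auto scaling group was launched from the same image, so the group is its own baseline and a single instance that deviates from its peers is the anomaly. The following is an added example of that inter-entity comparison written for this page, not code from the presentation or from any product. It assumes an on-host agent has already normalised per-instance telemetry into the dict shape shown (running process names, SSH logins with source address, remote flow peers); the jumphost subnet, instance names and all sample records are constructed.

```python
"""Intra-group drift detection for an auto scaling group.

Added example; not the presentation's code. Telemetry layout, jumphost
subnet and sample records are constructed assumptions.
"""
from collections import Counter
from ipaddress import ip_address, ip_network
from typing import Dict, List, Set

JUMPHOST_NET = ip_network("10.0.0.0/28")   # assumed bastion subnet (constructed)


def group_baseline(group: Dict[str, dict], key: str, min_fraction: float = 0.5) -> Set[str]:
    """Values under `key` reported by at least `min_fraction` of the group's instances.

    The majority of the group defines "normal"; lowering min_fraction for
    noisy roles is one way to tune alert volume per role.
    """
    counts = Counter(v for inst in group.values() for v in inst[key])
    needed = len(group) * min_fraction
    return {v for v, c in counts.items() if c >= needed}


def detect(group: Dict[str, dict]) -> List[dict]:
    """Return one alert per inter-entity deviation found in the group."""
    alerts = []
    proc_base = group_baseline(group, "processes")
    peer_base = group_baseline(group, "remote_peers")
    for iid, t in group.items():
        # New process that the instance's peers are not running
        for proc in sorted(set(t["processes"]) - proc_base):
            alerts.append({"instance": iid, "type": "process_drift", "detail": proc})
        # Logins beyond identity: an SSH session that did not come through the jumphost
        for user, src in t["ssh_logins"]:
            if ip_address(src) not in JUMPHOST_NET:
                alerts.append({"instance": iid, "type": "ssh_not_via_jumphost",
                               "detail": f"{user} from {src}"})
        # Netflow peers that only this instance talks to
        for peer in sorted(set(t["remote_peers"]) - peer_base):
            alerts.append({"instance": iid, "type": "flow_outlier", "detail": peer})
    return alerts


def sample_group() -> Dict[str, dict]:
    """Constructed telemetry for a four-instance web tier (not real data)."""
    common = ["nginx", "app-server", "telemetry-agent"]
    peers = ["10.0.2.10", "10.0.1.20"]            # database and cache tiers
    via_jumphost = [("deploy", "10.0.0.5")]
    return {
        "web-1": {"processes": common, "ssh_logins": via_jumphost, "remote_peers": peers},
        "web-2": {"processes": common,
                  "ssh_logins": via_jumphost + [("deploy", "203.0.113.7")],
                  "remote_peers": peers},
        "web-3": {"processes": common + ["xmrig"], "ssh_logins": via_jumphost,
                  "remote_peers": peers + ["198.51.100.9"]},
        "web-4": {"processes": common, "ssh_logins": [], "remote_peers": peers},
    }


if __name__ == "__main__":
    for alert in detect(sample_group()):
        print(f"{alert['instance']:6} {alert['type']:22} {alert['detail']}")
```

Three alerts come out of the constructed group: a process on web-3 that no peer runs, a login on web-2 from outside the jumphost subnet, and a remote peer only web-3 talks to. Because the comparison is against the group rather than a hand-written allowlist, the same logic works unchanged when the group scales up or is replaced by a new image; the per-role tuning the slide calls for lives in `min_fraction` and in which telemetry keys you compare for each role.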

Automate Across All Environments (DevSecOps + Cloud SecOps)
- In Dev: SDLC integrated
  - Static code analysis
  - Software composition analysis
- In Test: reduce the attack surface, because production is immutable
  - Eliminate software vulnerabilities
  - Assess and harden configs of services and workloads
- In Prod: policy via tool chain integration
  - By tag, and thus templates, for consistency
  - Host firewalls, integrity monitoring, IDS/IPS, anomaly detection

Unify for Consistency Across the Dimensions
- Replicate policy by workload profile/tag
- CI/CD automation on-prem and in the cloud
- Centralized visibility of inter-workload traffic
- Cloud-delivered with a single console lowers operational cost
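The "Separate Environments and Duties", "Gain Visibility", "Automate Across All Environments" and "Unify for Consistency" slides above all reduce to policies keyed on workload tags and evaluated identically wherever the workload runs. The following is an added example of such an assessment written for this page; it is not code from the presentation or from any product. It assumes your discovery tooling has normalised on-premises and cloud workloads into the dict shape shown; the tag names (env, tier, owner, role), the "sg:<group>" notation for group-to-group ingress, the bastion subnet, the per-tier required controls and the sample workloads are all constructed for the illustration.

```python
"""Tag-driven policy checks over a mixed on-premises + cloud inventory.

Added example; not the presentation's code. Inventory shape, tag names,
"sg:<group>" source notation, bastion subnet and sample workloads are
constructed assumptions.
"""
from ipaddress import ip_network
from typing import Dict, List, Tuple

REQUIRED_TAGS = ("env", "tier", "owner")      # untagged = sprawl nobody owns
ADMIN_PORTS = {22, 3389}
BASTION_GROUPS = {"bastion"}
BASTION_CIDRS = [ip_network("10.0.0.0/28")]   # assumed bastion subnet (constructed)

# Controls a workload profile (tier tag) must run; the same set is required
# on-prem and in every cloud so policy is replicated by tag, not by location.
PROFILE_CONTROLS = {
    "web": {"host-firewall", "ids", "integrity-monitor"},
    "db": {"host-firewall", "integrity-monitor", "anomaly-detect"},
}

Finding = Tuple[str, str]   # (rule, detail)


def source_env(src: str, group_env: Dict[str, str]) -> str:
    """Environment an ingress source belongs to; CIDR sources count as 'external'."""
    if src.startswith("sg:"):
        return group_env.get(src[3:], "unknown")
    return "external"


def via_bastion(src: str) -> bool:
    """True when the source is the bastion group or lies inside a bastion subnet."""
    if src.startswith("sg:"):
        return src[3:] in BASTION_GROUPS
    return any(ip_network(src).subnet_of(net) for net in BASTION_CIDRS)


def check_workload(w: dict, group_env: Dict[str, str]) -> List[Finding]:
    findings: List[Finding] = []
    tags = w.get("tags", {})
    findings.extend(("untagged", f"missing tag {t}") for t in REQUIRED_TAGS if t not in tags)
    env, tier, role = tags.get("env"), tags.get("tier"), tags.get("role")
    for rule in w.get("ingress", []):
        src, port = rule["source"], rule["port"]
        src_env = source_env(src, group_env)
        # Segmentation: production must not accept traffic from dev/test groups
        if env == "prod" and src_env not in ("prod", "external"):
            findings.append(("segmentation", f"port {port} open to {src} ({src_env})"))
        # Admin access must route via the bastion unless this workload is the bastion
        if port in ADMIN_PORTS and role != "bastion" and not via_bastion(src):
            findings.append(("admin_not_via_bastion", f"port {port} open to {src}"))
    # Required controls by profile, identical regardless of where the workload runs
    missing = PROFILE_CONTROLS.get(tier, set()) - set(w.get("controls", []))
    findings.extend(("missing_control", c) for c in sorted(missing))
    return findings


def assess(inventory: List[dict]) -> Dict[str, List[Finding]]:
    group_env = {w["group"]: w.get("tags", {}).get("env", "unknown") for w in inventory}
    return {w["id"]: check_workload(w, group_env) for w in inventory}


def sample_inventory() -> List[dict]:
    """Constructed workloads spanning a public cloud and an on-prem data center."""
    return [
        {"id": "web-prod-1", "location": "aws", "group": "web-prod",
         "tags": {"env": "prod", "tier": "web", "owner": "payments"},
         "ingress": [{"port": 443, "source": "0.0.0.0/0"}, {"port": 22, "source": "sg:bastion"}],
         "controls": ["host-firewall", "ids", "integrity-monitor"]},
        {"id": "db-prod-1", "location": "on-prem", "group": "db-prod",
         "tags": {"env": "prod", "tier": "db", "owner": "payments"},
         "ingress": [{"port": 5432, "source": "sg:web-prod"}, {"port": 5432, "source": "sg:web-dev"}],
         "controls": ["host-firewall"]},
        {"id": "web-dev-3", "location": "aws", "group": "web-dev",
         "tags": {"env": "dev", "tier": "web"},
         "ingress": [{"port": 22, "source": "0.0.0.0/0"}],
         "controls": ["host-firewall", "ids", "integrity-monitor"]},
        {"id": "bastion-1", "location": "aws", "group": "bastion",
         "tags": {"env": "prod", "tier": "bastion", "owner": "secops", "role": "bastion"},
         "ingress": [{"port": 22, "source": "198.51.100.0/24"}],   # assumed corporate range
         "controls": ["host-firewall", "integrity-monitor"]},
    ]


if __name__ == "__main__":
    for wid, findings in assess(sample_inventory()).items():
        print(wid, "OK" if not findings else "")
        for rule, detail in findings:
            print(f"   {rule}: {detail}")
```

On the constructed inventory the on-premises database is flagged for accepting traffic from the dev web tier (the test/dev-to-production segmentation the slide calls out) and for missing two of the controls its profile requires, the dev web instance is flagged for SSH open to the Internet rather than via the bastion and for having no owner tag, and the production web tier and the bastion pass. Running the same function over cloud and on-prem records is what makes the policy consistent across the dimensions; feeding it from the CI/CD pipeline before a template is applied moves the check upstream.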

Seek Purpose-Built Solutions
- Supports automated policy assignment by tag
- Operates in auto scaling groups and on transient instances
- Linux support not an afterthought
- Supports heterogeneous server workload types
- Serverless security on the roadmap
- Cloud delivered for cloud scale
- APIs for integrations and instrumentation
- Metered, utility-based pricing model

Appreciate this is a Team Sport
Groups directly involved in hybrid cloud security policies (evaluating, purchasing, and operating):
- Security team: 56%
- Networking team: 41%
- Data center infrastructure/operations team: 40%
- DevOps team: 35%
- Regulatory compliance team: 33%
- Application development team: 29%
- Line-of-business/application owner: 24%
- Legal team: 19%

SUMMARY

You may ask yourself: How did I get here?
2018 by The Enterprise Strategy Group, Inc.

Summary
- Multi-dimensionality drives complexity, clouds visibility
- Siloed approaches should be an interim step
- Environment specifics need to be understood en route to a unified approach
- CI/CD integration is an opportunity to both automate for efficiencies and move security upstream/left
- Immutable production environments require introducing security earlier
- I had the best pictures at RSA Conference 2018