Cloud Security trends, practical tips and lessons learned. Implementing holistic security controls to protect business data, Trends that will affect data security, and advice to security startups and companies evaluating them.
Practical Cloud Security Lessons Learned from the Bleeding Edge
Bill Burns | Executive-In-Residence | Scale Venture Partners | [email protected] | @x509v3
Background
• Production hybrid cloud security at scale
  o Deployed distributed, hybrid cloud WAF
  o Co-developed CloudHSM for IaaS HW root of trust
• Corporate IT “all-cloud” security strategy
  o Cloud-first, mobile-first infrastructure model
  o Mix of public cloud, best-of-breed SaaS
  o This is the future of corporate IT services
• RSAC Program Committee, Startup Technical Advisory Boards, ISSA CISO Forum & Career Lifecycle
• Netflix, AOL, Netscape, Accenture Research
Topics
• Cloud: Why now? What’s changed?
• Forcing functions and new perimeters
• Cloud Security Controls: What’s new?
• Third-Party Risks: InfoSec and The Business
• Herding Data: Getting Started
• Security startups
Forcing Functions on IT Security
• Cloud Services
• Network Access Ubiquity
• Mobility, Consumerization / BYOD
• Work/Life Integration
• Business Risk
• Agile / DevOps
Cloud Forcing Function - Mobility
Source: Mary Meeker, KPCB
Cloud Forcing Function - Consumerization
• 58% / 42% of Americans now own a smartphone / tablet (1)
• By 2017: 50% of employers will require employees to BYOD for work purposes (2)
(1) Pew Research, Jan 2014
(2) Gartner, May 2013
Forcing Function - Network Access
• Network connectivity & seamless roaming
  o 802.11ac – wireless networking now “just works”
    § Faster than typical wired ports, easier to provision
  o Mobile 4G LTE is “fast enough”
    § Faster than home ISPs
    § 2018: 25% of corporate data will flow directly mobile-cloud (3)
• Blending work/life integration
  o Aruba’s “#GenMobile” initiative
  o Starbucks wants to be your life’s “3rd Place”
(3) Gartner, Nov 2013
Old: Perimeter Firewalls
• Castle and Moat defense
• Provisioning was serialized, expensive
• Place people, data behind datacenter firewalls
• “Behind firewalls” = Trusted
New Perimeters: Follow the Data
• Controls evolving to be more:
  o Proximal - Controls are close to the application/data
  o Mobile - Move with the infrastructure/application
  o Resilient - Emphasize recovery, response
  o Holistic - Technical, legal, and business-level input
  o Coordinated - Reliant on communications, automation
  o Tiered - Nothing new here
What’s Your Cloud Comfort Level?
• Cloud Adoption / Maturity:
  o Naysayers: you can’t do that (but can’t articulate why)
  o Pathfinders: here’s how to do it, lessons learned
  o Optimizers: here’s how to do it well, what not to do
• Cloud is inevitable. Learn how to manage it.
  o Example: “We have 10 years of legacy work to deal with, we don’t have time to look at our cloud usage!”
• It’s about the business
  o Board-level discussion on results, competition, risk
Cloud Security: New(ish) tech controls
• Goal: Track movement of, and access to, data
  o DRM/DLP-like controls, applied closer to the data
  o Encrypt data; separation of duties (SoD) for encryption keys
  o Even though the data is not in your datacenter
• Goal: Restrict access to data, applications
  o Forward and reverse proxy servers
  o Old: port/protocol-based network, subnets, host firewalls
  o New: tags, labels, data and host classification/sensitivity
  o Log management, anomaly detection
  o IAM - risk-based authentication, SSO (for free)
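The “Old: subnets and host firewalls” versus “New: labels, classification, risk-based authentication” contrast, as an added example that is not from the talk: a castle-and-moat rule beside a data-centric rule, with a structured audit record for the log-management goal. The classification names, the Principal/Resource fields and the function names are assumptions constructed for this illustration.

```python
# Added example, not from the talk: a "follow the data" access decision that keys on
# data classification, auth strength and device posture instead of network location.
# Classification levels, field names and helper names are constructed for illustration.
from dataclasses import dataclass

SENSITIVITY = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}

@dataclass(frozen=True)
class Principal:
    user: str
    clearance: str        # highest classification the user is cleared for
    mfa: bool             # strong authentication completed in this session
    device_managed: bool  # corporate-managed device (BYOD => False)
    network: str          # "corp", "vpn" or "internet": a signal, not a trust anchor

@dataclass(frozen=True)
class Resource:
    name: str
    classification: str   # label travels with the data, not with the subnet

def old_perimeter_decide(p: Principal, r: Resource) -> str:
    """Castle-and-moat rule from the 'Old' slide: inside the firewall = trusted."""
    return "allow" if p.network == "corp" else "deny"

def follow_the_data_decide(p: Principal, r: Resource) -> tuple:
    """Proximal control: the label on the data drives the decision everywhere."""
    need, have = SENSITIVITY[r.classification], SENSITIVITY[p.clearance]
    if have < need:
        return ("deny", "clearance below data classification")
    if need >= SENSITIVITY["confidential"] and not p.mfa:
        return ("step-up", "risk-based auth: MFA required for confidential data")
    if need >= SENSITIVITY["restricted"] and not p.device_managed:
        return ("deny", "restricted data only from managed devices")
    return ("allow", "clearance, auth strength and device posture satisfied")

def audit_record(p: Principal, r: Resource) -> dict:
    """One structured event per decision, the raw material for anomaly detection."""
    decision, reason = follow_the_data_decide(p, r)
    return {"user": p.user, "resource": r.name, "label": r.classification,
            "network": p.network, "mfa": p.mfa, "decision": decision, "reason": reason}

if __name__ == "__main__":
    hr_db = Resource("hr-payroll", "restricted")
    on_site = Principal("contractor", "restricted", mfa=False, device_managed=False, network="corp")
    print(old_perimeter_decide(on_site, hr_db))    # allow: only location was checked
    print(follow_the_data_decide(on_site, hr_db))  # step-up: the label demands MFA
```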
Risks: InfoSec and The Business
Q: Who owns the risk in a new business endeavor?
• The business does
• InfoSec’s role:
  o Be a trusted advisor to the business
  o Anticipate security risk/controls changes and needs
  o Communicate technical risks in business terms
  o Propose options, help the business take smart risks
  o Implement guardrails based on risk, sensitivity
  o Measure risk, manage remediation/response
• Measure of success: Repeat business for your team!
Risks: InfoSec and The Business
• Legal, business perspectives
• Managing the risk – legal levers
  o Risk-based: level of scrutiny based on data sensitivity
  o Add boilerplate language in your contracts, MSAs, etc.
  o Strive to require partners to have security fundamentals in place: operational security basics, secure development, security incident notification, etc.
  o Right to audit, assess => partner with your partners
Risks: InfoSec and The Business
• Managing the risk – technical levers
  o Trust but verify their controls. It’s your data!
  o Do an initial assessment, plus ongoing automated tests
  o Partner with your partners on results you find
  o Things to watch out for …
Risks: InfoSec and The Business
• Proving data security, good security hygiene
  o Service providers should be more secure than SMBs
    § Laser-focused, homogeneous environment, etc.
  o Doesn’t scale: every customer pentesting their provider
    § Open item: which standard should we trust?
• Which controls are most relevant, important for your data?
  o Encryption, incident response, audit, SoD, …
  o Prioritize those during negotiations, evaluations
Lessons learned: Getting Started
• Start simple
  o Move least-risky workflows first
  o Orchestrate, automate security controls
  o Stage patches like other bugs and new features
  o Datacenter-to-cloud connectivity, WAN-like latency
  o Wholesale migration vs. re-architecting apps
• Migration phase
  o Running “hybrid”, “dual stack” or “riding roman”
  o Migrate workflows systematically
  o Inter-service dependencies
Lessons learned: Getting Started
• Infrastructure Services
  o Plan: pick 1-3 security metrics you’d like to improve in your cloud, compare them to legacy infrastructure
    § Days to patch vulns, avg host uptime, fw ACLs used
  o Do: start simple, fail fast on “uninteresting” workflows and transactions; test response protocols
  o Improve: start codifying security policies, patches, automating provisioning and inventory controls
    § Good security starts with solid operational hygiene
  o Repeat: review lessons learned often, make small course corrections.
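The “Plan” step names three metrics to track for the cloud fleet against legacy infrastructure. As an added example that is not from the talk, here is how those metrics can be computed side by side from inventory data; the ticket, host and ACL-counter records are constructed, and the function names are assumptions. Open vulnerability tickets are aged up to the reporting date so that slow-to-close findings are not hidden.

```python
# Added example, not from the talk: the three "Plan" metrics (days to patch vulns,
# average host uptime, firewall ACLs actually used) for a cloud fleet and the legacy
# fleet it is measured against. All records below are constructed sample data.
from datetime import date
from statistics import mean

AS_OF = date(2014, 3, 31)  # reporting date for the scorecard

# Constructed vulnerability tickets: (env, host, found, fixed or None if still open)
VULNS = [
    ("cloud",  "web-1",  date(2014, 3, 1),  date(2014, 3, 3)),
    ("cloud",  "web-2",  date(2014, 3, 1),  date(2014, 3, 2)),
    ("cloud",  "api-1",  date(2014, 3, 5),  None),
    ("legacy", "erp-1",  date(2014, 2, 10), date(2014, 3, 20)),
    ("legacy", "file-1", date(2014, 2, 12), date(2014, 3, 1)),
]
# Constructed host records: (env, host, uptime_days); long uptime often means an unpatched kernel
HOSTS = [("cloud", "web-1", 4), ("cloud", "web-2", 6), ("cloud", "api-1", 11),
         ("legacy", "erp-1", 410), ("legacy", "file-1", 295)]
# Constructed firewall ACL hit counters: (env, rule, hits in the reporting period)
ACLS = [("cloud", "allow-443", 9000), ("cloud", "allow-22-bastion", 40),
        ("cloud", "allow-3306-app", 1200), ("legacy", "allow-443", 7000),
        ("legacy", "allow-21", 0), ("legacy", "allow-23", 0),
        ("legacy", "allow-1433", 800), ("legacy", "allow-any-dmz", 0)]

def days_to_patch(env: str, as_of: date = AS_OF) -> dict:
    """Mean/max days a finding stayed open; open tickets count their age up to as_of."""
    ages = [((fixed or as_of) - found).days for e, _, found, fixed in VULNS if e == env]
    return {"mean": round(mean(ages), 1), "max": max(ages),
            "open": sum(1 for e, _, _, f in VULNS if e == env and f is None)}

def avg_host_uptime(env: str) -> float:
    return mean(u for e, _, u in HOSTS if e == env)

def acl_utilisation(env: str) -> dict:
    """Rules that saw no traffic are candidates for removal (smaller attack surface)."""
    rules = [(r, h) for e, r, h in ACLS if e == env]
    return {"rules": len(rules), "used": sum(1 for _, h in rules if h > 0),
            "unused": sorted(r for r, h in rules if h == 0)}

def scorecard(as_of: date = AS_OF) -> dict:
    """Cloud-vs-legacy comparison the 'Plan' step asks for."""
    return {env: {"days_to_patch": days_to_patch(env, as_of),
                  "avg_uptime_days": round(avg_host_uptime(env), 1),
                  "acls": acl_utilisation(env)} for env in ("cloud", "legacy")}

if __name__ == "__main__":
    for env, metrics in scorecard().items():
        print(env, metrics)
```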
Lessons learned: Getting Started
• Corporate Services & “Shadow IT”
  o Baseline: get visibility into your cloud services
    § You’re using more than you realize
    § Meet and share with IT, legal, other stakeholders
    § Facts lead to business-level conversations
  o Log: start collecting/mining SaaS access, audit logs
  o Protect and Observe:
    § Deploy SAML, 2FA, integrate with your directory
    § Evaluate cloud service brokers, features
Evaluating Security Startups
• Investors:
  o Management team domain expertise, background
  o Competitive advantages
  o Market readiness, fit
  o Product fit
• Customers:
  o Support fit, scalability
  o Roadmap fit, ability to execute against it
  o Risk fit, operational hygiene / best practices
Guidance for Security Startups
• Be 10x better - provide superior customer value
  o Look for disruptive technologies, approaches
  o What else does the solution require?
  o What can I turn off?
• Think API first
  o Defenders & DevOps: the future is automation, interoperability, integration
  o No cheating: build your GUI on your API
• Model, measure, provide insights
  o A/B testing, modeling allows safe experimentation
  o Provide insights of current risk state
  o Manage my cloud risk better than my legacy infrastructure
  o A good deployment strategy starts with a great migration strategy
Thank you