Practical Cloud Security Lessons Learned from the Bleeding Edge Bill Burns | Executive-In-Residence | Scale Venture Partners | [email protected] | @x509v3

Cloud Security Summit - InfoSec World 2014


DESCRIPTION

Cloud security trends, practical tips and lessons learned: implementing holistic security controls to protect business data, trends that will affect data security, and advice to security startups and to companies evaluating them.



Page 2: Cloud Security Summit - InfoSec World 2014

Background
•  Production hybrid cloud security at scale
o  Deployed distributed, hybrid cloud WAF
o  Co-developed CloudHSM for IaaS HW root of trust
•  Corporate IT “all-cloud” security strategy
o  Cloud-first, mobile-first infrastructure model
o  Mix of public cloud, best-of-breed SaaS
o  This is the Future of corporate IT services

•  RSAC Program Committee, Startup Technical Advisory Boards, ISSA CISO Forum & Career Lifecycle

•  Netflix, AOL, Netscape, Accenture Research

Page 3: Cloud Security Summit - InfoSec World 2014

Topics
•  Cloud: Why now? What’s changed?
•  Forcing functions and new perimeters
•  Cloud Security Controls: What’s new?
•  Third-Party Risks: InfoSec and The Business
•  Herding Data: Getting Started
•  Security startups

Page 4: Cloud Security Summit - InfoSec World 2014

Forcing Functions on IT Security

Cloud Services

Network Access Ubiquity

Mobility Consumerization / BYOD

Work/Life Integration

Business Risk

Agile/ DevOps

Page 5: Cloud Security Summit - InfoSec World 2014

Cloud Forcing Function - Mobility

Source: Mary Meeker, KPCB

Page 6: Cloud Security Summit - InfoSec World 2014

Cloud Forcing Function - Consumerization
•  58% / 42% of Americans now own a smartphone / tablet (1)
•  By 2017: 50% of employers will require employees to BYOD for work purposes (2)

(1) Pew Research, Jan 2014
(2) Gartner, May 2013

Page 7: Cloud Security Summit - InfoSec World 2014

Forcing Function - Network Access
•  Network connectivity & seamless roaming
o  802.11ac – wireless networking now “just works”
§  Faster than typical wired ports, easier to provision
o  Mobile 4G LTE is “fast enough”
§  Faster than home ISPs
§  2018: 25% of corporate data will flow directly mobile-cloud (3)
•  Blending work/life integration
o  Aruba’s “#GenMobile” initiative
o  Starbucks wants to be your life’s “3rd Place”

(3) Gartner, Nov 2013

Page 8: Cloud Security Summit - InfoSec World 2014

Old: Perimeter Firewalls

•  Castle and Moat defense
•  Provisioning was serialized, expensive
•  Place people, data behind datacenter firewalls
•  “Behind firewalls” = Trusted

Page 9: Cloud Security Summit - InfoSec World 2014

New Perimeters : Follow the Data
•  Controls evolving to be more:
o  Proximal - Controls are close to the application/data
o  Mobile - Move with the infrastructure/application
o  Resilient - Emphasize recovery, response
o  Holistic - Technical, legal, and business-level input
o  Coordinated - Reliant on communications, automation
o  Tiered - Nothing new here

Page 10: Cloud Security Summit - InfoSec World 2014

What’s Your Cloud Comfort Level?
•  Cloud Adoption / Maturity:
o  Naysayers: you can’t do that (but can’t articulate why)
o  Pathfinders: here’s how to do it, lessons learned
o  Optimizers: here’s how to do it well, what not to do

Page 11: Cloud Security Summit - InfoSec World 2014

What’s Your Cloud Comfort Level?
•  Cloud Adoption/Maturity
o  Naysayers
o  Pathfinders
o  Optimizers
o  Cloud is inevitable. Learn how to manage it.
o  Example: “We have 10 years of legacy work to deal with, we don’t have time to look at our cloud usage!”
•  It’s about the business
o  Board-level discussion on results, competition, risk

Page 12: Cloud Security Summit - InfoSec World 2014

Cloud Security: New(ish) tech controls
•  Goal: Track movement, access to data
o  DRM/DLP-like controls, applied closer to the data
o  Encrypt data, SoD for encryption keys
o  Even though the data is not in your datacenter
•  Goal: Restrict access to data, applications
o  Forward and Reverse proxy servers
o  Old: Port/protocol-based network, subnets, host firewalls
o  New: Tags, labels, data and host classification/sensitivity
o  Log management, anomaly detection
o  IAM - Risk-based authentication, SSO (for free)
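The "old vs. new" contrast on this slide is easy to see in code. The following is an added example, not material from the talk: a toy policy check where a workload's classification tag and a data object's sensitivity label decide access, beside the "behind the firewall = trusted" subnet rule. The label vocabulary, hosts, addresses and the data object are all constructed for the illustration; the point it shows is that the label-based decision survives the workload moving to a new address, while the subnet rule both breaks on migration and waves through an unlabeled box that happens to sit in the trusted range.

```python
"""Label-based access decisions versus subnet-based trust.

Added illustration, not code from the talk: a toy policy check in which a
workload's classification tag and a data object's sensitivity label decide
access, contrasted with the "behind the firewall = trusted" subnet rule.
Every host, address, label and data object below is constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, Iterable

# Ordered sensitivity levels (constructed); a later entry is more sensitive.
LEVELS = ("public", "internal", "confidential", "restricted")


def level(label: str) -> int:
    """Rank of a sensitivity label; an unknown label is an error, not a pass."""
    if label not in LEVELS:
        raise ValueError(f"unknown sensitivity label: {label!r}")
    return LEVELS.index(label)


@dataclass(frozen=True)
class Host:
    name: str
    ip: str
    labels: FrozenSet[str]  # e.g. {"classification:confidential", "env:prod"}


@dataclass(frozen=True)
class DataObject:
    name: str
    sensitivity: str
    required_labels: FrozenSet[str] = frozenset()  # extra tags a host must carry


def old_subnet_rule(host: Host, trusted_cidrs: Iterable[str]) -> bool:
    """Old perimeter: allow when the host's IP sits inside a trusted subnet."""
    ip = ipaddress.ip_address(host.ip)
    return any(ip in ipaddress.ip_network(cidr) for cidr in trusted_cidrs)


def host_classification(host: Host) -> str:
    """Read the classification:<level> tag; an unlabeled host is treated as public."""
    for tag in host.labels:
        key, _, value = tag.partition(":")
        if key == "classification":
            return value
    return "public"


def new_label_rule(host: Host, obj: DataObject) -> bool:
    """New perimeter: the host must be cleared for the data's sensitivity and
    carry every label the object requires. The decision travels with the
    workload because it never looks at the address."""
    cleared = level(host_classification(host)) >= level(obj.sensitivity)
    return cleared and obj.required_labels <= host.labels


def demo() -> dict:
    """Walk one workload from the datacenter to the cloud and watch each rule."""
    trusted = ["10.0.0.0/8"]  # constructed "inside the datacenter" range
    export = DataObject("customer-export", "confidential", frozenset({"env:prod"}))
    labels = frozenset({"classification:confidential", "env:prod"})
    in_dc = Host("app-01", "10.1.2.3", labels)        # before migration
    in_cloud = Host("app-01", "172.31.5.7", labels)   # same workload, new address
    stray = Host("lab-box", "10.9.9.9", frozenset())  # unlabeled box in the trusted range
    return {
        "dc_subnet": old_subnet_rule(in_dc, trusted),
        "dc_label": new_label_rule(in_dc, export),
        "cloud_subnet": old_subnet_rule(in_cloud, trusted),
        "cloud_label": new_label_rule(in_cloud, export),
        "stray_subnet": old_subnet_rule(stray, trusted),
        "stray_label": new_label_rule(stray, export),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:13s} {'ALLOW' if allowed else 'DENY'}")
```

Treating an unlabeled host as `public` is the fail-closed choice: the inventory control the later slides ask for is what keeps that default from denying legitimate workloads.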

Page 13: Cloud Security Summit - InfoSec World 2014

Risks: InfoSec and The Business
Q: Who owns the risk in a new business endeavor?

Page 14: Cloud Security Summit - InfoSec World 2014

Risks: InfoSec and The Business
•  Who owns the risk in a new business endeavor?
•  The business does
•  InfoSec’s role:
•  Be a trusted advisor to the business
•  Anticipate security risk/controls changes and needs
•  Communicate technical risks in business terms
•  Propose options, help the business take smart risks
•  Implement guardrails based on risk, sensitivity
•  Measure risk, manage remediation/response
•  Measure of success: Repeat business for your team!

Page 15: Cloud Security Summit - InfoSec World 2014

Risks: InfoSec and The Business
•  Legal, business perspectives
•  Managing the risk – legal levers
o  Risk-based: Level of scrutiny based on data sensitivity
o  Add boilerplate language in your contracts, MSAs, etc.
o  Strive to require partners to have security fundamentals in place: operational security basics, secure development, security incident notification, etc.
o  Right to audit, assess => partner with your partners

Page 16: Cloud Security Summit - InfoSec World 2014

Risks: InfoSec and The Business
•  Managing the risk – technical levers
o  Trust but verify their controls. It’s your data!
o  Do an initial assessment, plus ongoing automated tests
o  Partner with your partners on results you find
o  Things to watch out for …

Page 17: Cloud Security Summit - InfoSec World 2014

Risks: InfoSec and The Business
•  Proving data security, good security hygiene
o  Service Providers should be more secure than SMBs
§  Laser-focused, homogeneous environment, etc.
o  Doesn’t scale: Every customer pentesting their provider
§  Open Item: Which standard should we trust?
•  Which controls are most relevant, important for your data?
o  Encryption, incident response, audit, SoD, …
o  Prioritize those during negotiations, evaluations

Page 18: Cloud Security Summit - InfoSec World 2014

Lessons learned: Getting Started
•  Start simple
o  Move least-risky workflows first
o  Orchestrate, automate security controls
o  Stage patches like other bugs and new features
o  Datacenter-to-Cloud connectivity, WAN-like latency
o  Wholesale migration vs. re-architecting apps
•  Migration phase
o  Running “hybrid”, “dual stack” or “riding roman”
o  Migrate workflows systematically
o  Inter-service dependencies

Page 19: Cloud Security Summit - InfoSec World 2014

Lessons learned: Getting Started
•  Infrastructure Services
o  Plan: Pick 1-3 security metrics you’d like to improve in your cloud, compare them to legacy infrastructure
o  Days to patch vulns, avg host uptime, fw ACLs used
o  Do: Start simple, fail fast on “uninteresting” workflows and transactions; test response protocols
o  Improve: Start codifying security policies, patches, automating provisioning and inventory controls
o  Good security starts with solid operational hygiene
o  Repeat: Review lessons learned often, make small course corrections.
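"Days to patch vulns" is the first metric the slide names, and it is only useful if cloud and legacy are measured the same way. The block below is an added example, not something from the talk: it computes that metric per environment from a constructed list of findings (environment, host, placeholder finding id, opened date, closed date or still open). Two design choices matter and are the reason for the example: an open finding is counted at its age as of the report date rather than skipped, so a backlog cannot hide behind a good median of closed items, and the p90 is a nearest-rank percentile so the number always corresponds to a real finding you can go look at. The report date and the 7-day SLA are constructed values.

```python
"""Days-to-patch metric, cloud vs. legacy infrastructure.

Added example, not from the talk: one of the metrics the slide suggests,
computed from vulnerability findings so the two environments can be
compared on the same footing. Findings, hosts, ids and dates are
constructed; open findings count as "age so far" as of the report date.
"""
import math
from datetime import date
from statistics import median
from typing import List, Optional, Tuple

REPORT_DATE = date(2014, 4, 30)   # constructed as-of date
SLA_DAYS = 7                      # constructed target: patch within a week

# (environment, host, finding id, opened, closed or None) -- all constructed
Finding = Tuple[str, str, str, date, Optional[date]]
FINDINGS: List[Finding] = [
    ("cloud",  "web-01",   "F-1",  date(2014, 4, 1),  date(2014, 4, 3)),
    ("cloud",  "web-02",   "F-2",  date(2014, 4, 2),  date(2014, 4, 5)),
    ("cloud",  "api-01",   "F-3",  date(2014, 4, 5),  date(2014, 4, 12)),
    ("cloud",  "api-02",   "F-4",  date(2014, 4, 20), None),
    ("cloud",  "db-01",    "F-5",  date(2014, 4, 10), date(2014, 4, 11)),
    ("legacy", "dc-app-1", "F-6",  date(2014, 3, 1),  date(2014, 3, 30)),
    ("legacy", "dc-app-2", "F-7",  date(2014, 3, 5),  date(2014, 3, 20)),
    ("legacy", "dc-db-1",  "F-8",  date(2014, 3, 10), None),
    ("legacy", "dc-web-1", "F-9",  date(2014, 3, 15), date(2014, 3, 21)),
    ("legacy", "dc-web-2", "F-10", date(2014, 2, 20), date(2014, 4, 1)),
]


def days_open(opened: date, closed: Optional[date], as_of: date) -> int:
    """Age of a finding: to its fix date, or to the report date if still open."""
    return ((closed or as_of) - opened).days


def percentile(values: List[int], p: float) -> int:
    """Nearest-rank percentile (p in (0, 100]); never interpolates between findings."""
    ordered = sorted(values)
    rank = max(1, math.ceil(p / 100 * len(ordered)))
    return ordered[rank - 1]


def patch_metrics(findings: List[Finding], as_of: date = REPORT_DATE,
                  sla_days: int = SLA_DAYS) -> dict:
    """Per environment: count, still-open count, median and p90 age, share fixed inside the SLA."""
    per_env: dict = {}
    for env, _host, _fid, opened, closed in findings:
        acc = per_env.setdefault(env, {"ages": [], "open": 0, "sla_met": 0})
        age = days_open(opened, closed, as_of)
        acc["ages"].append(age)
        if closed is None:
            acc["open"] += 1          # open findings never count as SLA-met
        elif age <= sla_days:
            acc["sla_met"] += 1
    report = {}
    for env, acc in per_env.items():
        n = len(acc["ages"])
        report[env] = {
            "findings": n,
            "still_open": acc["open"],
            "median_days": median(acc["ages"]),
            "p90_days": percentile(acc["ages"], 90),
            "sla_met_pct": round(100 * acc["sla_met"] / n),
        }
    return report


if __name__ == "__main__":
    for env, m in patch_metrics(FINDINGS).items():
        print(f"{env:7s} n={m['findings']} open={m['still_open']} "
              f"median={m['median_days']}d p90={m['p90_days']}d sla={m['sla_met_pct']}%")
```

Run against real scanner exports, the same function gives the before/after comparison the "Plan" step asks for; the only inputs are the two dates per finding, which every vulnerability tracker already records.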

Page 20: Cloud Security Summit - InfoSec World 2014

Lessons learned: Getting Started
•  Corporate Services & “Shadow IT”
o  Baseline: Get visibility into your cloud services
§  You’re using more than you realize
§  Meet and share with IT, legal, other stakeholders
§  Facts lead to business-level conversations
o  Log: Start collecting/mining SaaS access, audit logs
o  Protect and Observe:
§  Deploy SAML, 2FA, integrate with your directory
§  Evaluate cloud service brokers, features
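The three steps on this slide (baseline, log, protect and observe) can be driven from one pass over SaaS audit logs. The block below is an added example, not code from the talk: it reads constructed JSON-lines audit events from a few constructed services and answers the baseline questions, which services are in use and by whom, which accounts are outside the corporate directory, and which logins happened outside SSO or without a second factor. The field names (`service`, `user`, `event`, `auth`, `mfa`) are an assumed common schema; real SaaS providers each export their own, so the normalisation step would be per provider. Malformed lines are counted rather than dropped, since a log feed that silently loses records is itself a finding.

```python
"""Mining SaaS audit logs to baseline cloud usage and auth hygiene.

Added example, not from the talk: a first pass over JSON-lines audit
events from several SaaS services that answers the slide's baseline
questions (which services, which users, who logs in outside SSO or
without 2FA). The directory, services, users, schema and log lines are
constructed.
"""
import json
from collections import Counter, defaultdict
from typing import Iterable, List, Tuple

# Constructed corporate directory: anyone else is an account you did not provision.
DIRECTORY = {"alice@example.com", "bob@example.com"}

# Constructed audit events, one JSON object per line, mixed services.
LOG_LINES = """\
{"ts":"2014-04-01T08:00:00Z","service":"crm","user":"alice@example.com","event":"login","auth":"sso","mfa":true}
{"ts":"2014-04-01T08:05:00Z","service":"crm","user":"bob@example.com","event":"login","auth":"password","mfa":false}
{"ts":"2014-04-01T09:10:00Z","service":"filesharing","user":"alice@example.com","event":"download","object":"q1-forecast.xlsx"}
{"ts":"2014-04-01T09:30:00Z","service":"filesharing","user":"contractor@partner.example","event":"login","auth":"password","mfa":true}
{"ts":"2014-04-01T10:00:00Z","service":"chat","user":"bob@example.com","event":"login","auth":"sso","mfa":true}
this line is not JSON
{"ts":"2014-04-01T10:15:00Z","service":"chat","user":"alice@example.com","event":"login","auth":"sso","mfa":false}
""".splitlines()


def parse_events(lines: Iterable[str]) -> Tuple[list, int]:
    """Parse JSON lines; malformed lines are counted, not silently dropped."""
    events, malformed = [], 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            malformed += 1
    return events, malformed


def baseline(lines: Iterable[str], directory: set) -> dict:
    """Summarise usage per service and flag accounts and logins that bypass the controls."""
    events, malformed = parse_events(lines)
    services: Counter = Counter()          # event volume per service
    users_per_service = defaultdict(set)
    unknown_users = set()                  # accounts outside the directory
    password_logins: List[tuple] = []      # logins that bypassed SSO
    no_mfa_logins: List[tuple] = []        # logins without a second factor
    for e in events:
        svc, user = e.get("service", "?"), e.get("user", "").lower()
        services[svc] += 1
        users_per_service[svc].add(user)
        if user and user not in directory:
            unknown_users.add(user)
        if e.get("event") == "login":
            if e.get("auth") != "sso":
                password_logins.append((svc, user))
            if not e.get("mfa", False):   # a missing field counts as no MFA
                no_mfa_logins.append((svc, user))
    return {
        "services": dict(services),
        "users_per_service": {s: sorted(u) for s, u in users_per_service.items()},
        "unknown_users": sorted(unknown_users),
        "password_logins": password_logins,
        "no_mfa_logins": no_mfa_logins,
        "malformed_lines": malformed,
    }


if __name__ == "__main__":
    for key, value in baseline(LOG_LINES, DIRECTORY).items():
        print(f"{key}: {value}")
```

Once SAML and 2FA are enforced for a service, `password_logins` and `no_mfa_logins` for that service should drop to zero; keeping the report running afterwards is the "observe" half of the slide's last bullet.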

Page 21: Cloud Security Summit - InfoSec World 2014

Evaluating Security Startups
•  Investors:
o  Management team domain expertise, background
o  Competitive advantages
o  Market readiness, fit
o  Product fit
•  Customers:
o  Support fit, scalability
o  Roadmap fit, ability to execute against it
o  Risk fit, operational hygiene / best practices

Page 22: Cloud Security Summit - InfoSec World 2014

Guidance for Security Startups
o  Be 10x better - provide superior customer value
o  Look for disruptive technologies, approaches
o  What else does the solution require?
o  What can I turn off?
o  Think API first
o  Defenders & DevOps: The future is automation, interoperability, integration
o  No cheating: Build your GUI on your API
o  Model, measure, provide insights
o  A/B testing, modeling allows safe experimentation
o  Provide insights of current risk state
o  Manage my cloud risk better than my legacy infrastructure
o  A good deployment strategy starts with a great migration strategy

Page 23: Cloud Security Summit - InfoSec World 2014

Thank you
