www.cloudsec.com | #cloudsec Security in a Hybrid Cloud world Luke de Merindol | Principal Consultant Macquarie Cloud Services



Security in a Hybrid Cloud world

1. The Data explosion

2. Hybrid Cloud is here to stay

• Challenges with Hybrid cloud

• Workload Placement considerations

3. Security via the supply chain

• Risks and breaches

• A case study

4. Security for Hybrid Cloud

• Network, Hosts, Control, Visibility

• Opportunities for Hybrid Cloud


1. The digital explosion

Explosions of connected devices

• We have just surpassed the milestone of 51% of the world's population being connected to the internet. There are almost 10 billion mobile devices on the planet and we now average 3.6 hours of screen time per day.

• Instagram with 1 billion users is now an e-commerce platform.

• Use cases like IoT, Analytics & BI are exploding data requirements.

Explosion of Data

• The world will have surpassed 180ZB in the next 5 years. This is 200,000 Data Centres!

Future Requirements

• Powerful and flexible infrastructure: both structured and unstructured

• Software defined everything: fast deployment, security, workload portability, automation

• Hybrid Cloud: most businesses choose Public AND Private


2. Hybrid Cloud is here to stay

• More than 60% of APAC businesses describe their cloud strategy as Hybrid.

Year | Dedicated | VMs | Containers | Cloud Native | SaaS
2019 | 20% | 50% | 2% | 1% | 27%
2022 | 10% | 55% | 5% | 2% | 38%


Security challenges with Hybrid Cloud


Develop a workload placement Pachinko!

[Flowchart: workload placement decision flow in three steps, leading to hybrid cloud options]

Step 1: Application Profile Security Risk Assessment

Start, then a Yes/No check on each of:

• Data classification

• Privacy concerns

• Identity management

• Need for compliance

• Mission critical

• What else?

Followed by: Compensating controls?

Step 2: Application Profile Technical Assessment (Add total and divide by 5)

Each item is scored from 0 to 10:

• Legacy Dependency

• App Migration Strategy

• User Experience defined

• Network connectivity performance

• People and Support (skillset)

Step 3: Cost Assessment

• Cost of transition understood

• Expected OPEX savings modeled

• Vendor comparison modeled

• Usage charges understood

• Depreciation considered

• SLA Rebates considered

• App charging model (pay to use) considered and aligned with costs

• Savings confirmed (Yes / No)

Outcomes:

• Not a cloud candidate

• Value in private cloud or SaaS, determine must have requirements

• Limited value in cloud, defer migration

• Definite cloud value, define deployment plan

Score bands: 0 - 3.3, 3.4 - 7.5, 7.6 - 10

Hybrid Cloud Options

• Colocation options

• Dedicated infrastructure

• Hosted Private Cloud

• IaaS or SaaS

• Public cloud


Candidates for Private Cloud or On-prem

Items that:

• Are “always on”, i.e. base IT workloads

• Have high performance (for UX) requirements.

• Are legacy workloads, not suited to public cloud rearchitecture.

• Need Jurisdictional or “Sovereignty” certainty.

• Have Vendor S/W licences that are “misaligned” to Cloud.

• Are “chatty” in terms of networking.

• Need budget predictability.


3. Security and the supply chain

Businesses are all connected

• “Focus on your core business”

• Outsourcing provides specialised expertise, nimbleness and experience

Therefore risk permeates the supply chain

• The Landmark White breach 2019: brand damage upstream

• The Target (US) breach 2014: breach via a Supplier.

• Wipro / Avanade / CapGemini breach 2019: the growing use of Service Management tools


Compliance

• Highly regulated – APRA, ASIC, Banking industry, Categorised as a ‘Material Supplier’

• Annual ISG audits, reviews and certifications, Coordinated BCP testing, Penetration testing

• Data privacy and Breach reporting regulations

Security

• Encryption of data in transit & rest

• Physical firewalls with IPS and Dual factor authentication, Host based anti malware and IDS

• 100% up time SLG

MSA Information Security requirements


4. Defence in Depth for Hybrid Cloud

[Figure: Visibility, Control, Secure Networks, Secure Hosts]


Hybrid products and services

Challenges = Opportunity

• Private Cloud → Public Cloud DR and Backup solutions

• Applications architected across Public and Private Cloud

• Common security solutions across Public and Private Cloud, e.g. Host security, WAF, Firewalls etc.

• Standardisation of OS provisioning, patching and management across Hybrid Cloud platforms

• Identity management solutions.

• SIEM and SOC.

• Migration and Consulting services


Host based Security for Hybrid Cloud

• One comprehensive set of security controls across physical, virtual, and hybrid environments in LAUNCH™ and Microsoft Azure;

• Containers or VMs; Managed or Self-Managed

Assists in meeting:

• 7 of 12 PCI DSS 3.2 requirements

• 10 of 10 SANS critical security controls

• 6 of 10 of the OWASP Top 10


Takeaway: We all have a role to play

1. Vendors, like many who are here today, provide the deep technical expertise and specialised protection for different areas and use cases.

2. As an IaaS/Cloud Provider, we can orchestrate a range of vendor and partner products into a Defence in Depth strategy to match customers' compliance requirements. As a Data Centre provider we can provide a physically secure environment to host customer data.

3. The MSPs provide the skilled security personnel who can provide the eyes on glass to sort out the wheat from the chaff when it comes to log reviews and correlation, Incident response, Pen Testing, consulting and often training.

4. And lastly the role of the customer business: to allocate budget, set IT and Security policy, and understand their compliance responsibilities through the supply chain.

THANK YOU

Luke de Merindol | Macquarie Cloud Services