Dissolving the Perimeter and Extending Security to the Cloud Edge
16 May 2017
• Audio is streamed over your computer
• Dial in numbers and codes are on the left
To receive your CPE credit:
1. Complete 3 checkpoints
- or -
2. Watch the recorded version from the beginning to the very end
• Don’t forget to take the survey!
Use the Papers tab to find the following:
• PDF Copy of today’s presentation
• CPE job aid
• Have a question for the speaker? Access the Q&A tab
• Technical issues? Access the Help tab
• Questions or suggestions? Visit https://support.isaca.org
Michael Schneider, CISSP, CCSK, Product Management Lead, Web Protection Solutions, McAfee
Thomas Bryant, Technical Director, McAfee
AGENDA
• The legacy approach
• Y2K and beyond
• Changes through cloud adoption
• Cloud as a security advantage
• Conclusion
The legacy approach

The early days of ‘cloud’ security
Software-based ’security’
• SQUID
• IPChains/IPTables
• AV scanners on systems
• Regular-expression based blocks, e.g. *s?x*
No real data/content protection
• Cloud was not a problem
• Static security, as data was static
• Data stored and processed mostly inside the local network
• Floppies as the ‘transfer’ medium
Y2K and beyond

Cloud adoption rises
• Data moved to remote locations
• Co-locations
• Needs additional defenses and protections
• Web becomes a business vehicle
• 1st integrated security products – so-called CSM or SCM gateways
• CSM = Content Security Management
• SCM = Secure Content Management
• Integrates a managed URL filter with AV and other security filters
The rise of the appliances
• Software-based technology found to be problematic due to not being able to combine the strength of hardware with optimized software
• First firewall and web gateway appliances
• Hardware-assisted SSL scanning as standard to secure the “unreadable”
Source: Practical Internet Security, John R. Vacca, Springer Science & Business Media, 10.01.2007, ISBN 0387298444, 9780387298443, page 450
Into the cloud
• Cloud computing enables cost savings to companies
• Outsourced databases
• Outsourced applications and services
• Salesforce CRM as pioneer
• Amazon EC2
• Google G Suite
• Microsoft Office 365
• Countless others…
• Shift in security mandated
• The perimeter is pushed into the cloud
Changes through cloud adoption

Drivers for cloud adoption
Lower TCO
• Removes the cost of hardware appliances
• No more resources used maintaining hardware
• Removes the entire process of patching and upgrading software – you are always on the latest version
Global access
• Globally distributed datacenter locations
• Local web content per country
• Able to connect safely anywhere
Higher performance
• High availability with elastic capacity
• Immediate failover to the closest, fastest point of presence
• Peering with internet exchanges can outperform a direct connection
Impact on Web Security
URL filtering is not enough anymore
• Must control cloud applications in a more granular way
• Application functionality can be used in web access and security policy
• Web Application Control is born
New questions
• How to protect data in an app that I have limited control over?
• How to secure data in motion in conjunction with DLP technology?
• How to safely store data in remote locations without owning the service?
• How do I secure web and cloud activity outside of the network perimeter?
The dilemma
[Chart: difficulty to protect plotted against distance from origin]
Today’s major cloud risks
• Threat protection: URL filtering and AV aren’t enough
• Cloud data at risk: visibility into app use and data is limited
• Protection everywhere: what about devices off-network?
Cloud as a security advantage

Moving security to the cloud edge
Gateways as a service
• Cloud-delivered internet access and security solutions
• Used standalone or together with appliances as a hybrid
CASB / gateway / endpoint integration
• CASB controls access to cloud apps
• Enforces policies via API connection to cloud apps
• Applies security features to data at rest, such as encryption and DLP
• Full data lifecycle is covered when connected to endpoint and web gateway
Policy enforcement points
• Data in motion over proxy
• Data at rest over API
• Data in use at endpoint
Common management
• CASB and cloud-delivered gateway live on the same platform = same management and reporting
• SOC integration
Applying security as a cloud platform
[Diagram: cloud management framework, endpoint base, and critical partners, applications and services (amongst others)]
Visibility and control are critical
Challenge: little visibility into risk and threat sources
Desired outcome: quickly identify risks and respond to threats
Understanding data exfiltration
• Who wants the data? 57% external actors, 43% internal actors
• How are thieves getting data out? 60% electronic means, 40% physical means
• Where is data being taken from? 2/3 of breaches occur on traditional networks, 1/3 occur in cloud infrastructures
Focusing on data protection
Endpoint data protection
• PCs
• Macs
• Mobile devices
• Removable media
Network data protection
• File shares
• Databases
• Enforcement at egress points (web & email gateways)
Web protection
• Visibility into shadow IT
• Enforce cloud application control
• SSL decryption
• Anti-malware
Cloud data protection
• Data stored in cloud-based applications
• Discover and remediate data in cloud storage
• Scan data uploaded to and downloaded from the cloud
Addressing compliance
Challenge: keeping up with regulatory compliance and enabling privacy
Desired outcome: help meet compliance needs, pass audits with ease, and filter when appropriate
Utilizing knowledge of endpoint status
Each user (George, Tom, Dave, Cindy, Ben) is trying to get an encrypted file from their corporate cloud application. Outcomes shown:
• Able to decrypt and store locally because AV is running.
• No access, because no, or nonstandard, AV is running.
• Able to decrypt and store locally because drive encryption is running.
• Able to decrypt and store locally because endpoint DLP is running.
• Gateway + CASB + Sandbox: able to decrypt and store locally because the gateway is inspecting the content and checking policies dynamically as it downloads.
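The decision this slide describes, written out as a small posture-aware policy evaluator. This is an added illustration, not code from the presentation or from McAfee: the Posture fields, the approved-AV list, the evaluate/evaluate_all names and the attribute values given to the five users are all assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed list of AV products the organisation accepts; anything else counts
# as "nonstandard" in the slide's sense. Product names are constructed.
APPROVED_AV = {"vendor-a-endpoint", "vendor-b-av"}

@dataclass(frozen=True)
class Posture:
    """Endpoint status as reported to the policy point (fields assumed)."""
    user: str
    av_product: Optional[str] = None      # None means no AV reported at all
    drive_encryption: bool = False
    endpoint_dlp: bool = False
    via_inspecting_gateway: bool = False  # gateway + CASB + sandbox in the path

@dataclass(frozen=True)
class Decision:
    allow: bool   # may the client decrypt and store the file locally?
    reason: str

def evaluate(p: Posture) -> Decision:
    """First matching rule wins; a user with no qualifying control is denied."""
    if p.via_inspecting_gateway:
        return Decision(True, "gateway inspecting content and checking policy dynamically")
    if p.av_product in APPROVED_AV:
        return Decision(True, f"approved AV running ({p.av_product})")
    if p.drive_encryption:
        return Decision(True, "drive encryption running")
    if p.endpoint_dlp:
        return Decision(True, "endpoint DLP running")
    if p.av_product is None:
        return Decision(False, "no AV running")
    return Decision(False, f"nonstandard AV ({p.av_product}) and no other control")

# Constructed posture reports using the slide's five user names; the
# attribute values are assumptions for illustration, not data from the deck.
SAMPLE_POSTURES = [
    Posture("George", av_product="vendor-a-endpoint"),
    Posture("Tom", av_product="homegrown-av"),
    Posture("Dave", av_product="homegrown-av", drive_encryption=True),
    Posture("Cindy", endpoint_dlp=True),
    Posture("Ben", via_inspecting_gateway=True),
]

def evaluate_all(postures=SAMPLE_POSTURES) -> dict:
    """Map each user name to the Decision the policy point would return."""
    return {p.user: evaluate(p) for p in postures}
```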
Anchoring at the endpoint
[Diagram: proxy software on the endpoint, used both on-network and off-network]
Inefficient extended edge
• Main office: appliance (VM/HW)
• Remote office: appliance (VM/HW)
• Remote office: MPLS circuit
• Mobile user: VPN tunnel
• MPLS/VPN backhaul: all traffic
Cost-efficient cloud edge
• Main office: appliance (VM/HW) or cloud
• Remote office: appliance (VM/HW) or cloud
• Remote office: MPLS + cloud
• Mobile user: VPN + cloud
• MPLS/VPN backhaul: internal traffic only
Transition through hybrid cloud
[Diagram: a globally distributed, multi-tenant, SLA-driven security cloud (threat defense | visibility | data protection) providing central visibility, understanding, and control; on-prem defense inside the corporate boundary; remote device defense for end users and endpoints]
Takeaways
• Basic traffic inspection isn’t enough – cloud has evolved requirements beyond URL filtering
• Threat, data, and ubiquitous protection are core to evolving with cloud
• Use a security cloud to your advantage
• Protect your data in the cloud, and everywhere else
• Manage security efficiently
• Extend protection to off-network users
• Gain network cost-efficiencies
• Transition is likely best handled through a hybrid rollout
• Start your security cloud build-out with secure web gateway technology as a foundation

Learn more
• Visit https://www.mcafee.com/us/products/web-gateway-cloud-service.aspx for more information on McAfee Web Gateway Cloud Service and complementary cloud-delivered security solutions

Questions?
THIS TRAINING CONTENT (“CONTENT”) IS PROVIDED TO YOU WITHOUT WARRANTY, “AS IS” AND “WITH ALL FAULTS.” ISACA MAKES NO REPRESENTATIONS OR WARRANTIES EXPRESS OR IMPLIED, INCLUDING THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR PERFORMANCE, AND NON-INFRINGEMENT, ALL OF WHICH ARE HEREBY EXPRESSLY DISCLAIMED. YOU ASSUME THE ENTIRE RISK FOR USE OF THE CONTENT AND ACKNOWLEDGE THAT: ISACA HAS DESIGNED THE CONTENT PRIMARILY AS AN EDUCATIONAL RESOURCE FOR IT PROFESSIONALS AND THEREFORE THE CONTENT SHOULD NOT BE DEEMED EITHER TO SET FORTH ALL APPROPRIATE PROCEDURES, TESTS, OR CONTROLS OR TO SUGGEST THAT OTHER PROCEDURES, TESTS, OR CONTROLS THAT ARE NOT INCLUDED MAY NOT BE APPROPRIATE; ISACA DOES NOT CLAIM THAT USE OF THE CONTENT WILL ASSURE A SUCCESSFUL OUTCOME AND YOU ARE RESPONSIBLE FOR APPLYING PROFESSIONAL JUDGMENT TO THE SPECIFIC CIRCUMSTANCES PRESENTED TO DETERMINING THE APPROPRIATE PROCEDURES, TESTS, OR CONTROLS.
Copyright © 2017 by the Information Systems Audit and Control Association, Inc. (ISACA). All rights reserved. This webinar may not be used, copied, reproduced, modified, distributed, displayed, stored in a retrieval system, or transmitted in any form by any means (electronic, mechanical, photocopying, recording or otherwise).
THANK YOU FOR ATTENDING THIS WEBINAR
For more information, visit www.ISACA.org