8 Elements of Multi-Cloud Security

Page 1: 8 Elements of Multi-Cloud Security

8 ELEMENTS OF MULTI-CLOUD SECURITY

Page 2: 8 Elements of Multi-Cloud Security

Panelists

o Bart Falzarano, Director, Security and Compliance, RightScale
o Ryan Geyer, Cloud Solutions Architect, RightScale

Page 3: 8 Elements of Multi-Cloud Security

POLLING QUESTIONS

Page 4: 8 Elements of Multi-Cloud Security

Agenda

o The State of Multi-Cloud Security
o How to Think About Multi-Cloud Security
o 8 Elements
  • Visibility
  • Identity and Access Control
  • Workload Security
  • Data Security
  • Network Security
  • Business Continuity/Disaster Recovery
  • Audit
  • Compliance

Page 5: 8 Elements of Multi-Cloud Security

82% of Enterprises Want Multi-Cloud

Enterprise cloud strategy (1000+ employees):
• Hybrid cloud 55%
• Multiple private 14%
• Multiple public 13%
• Single public 10%
• Single private 5%
• No plans 3%

Multi-cloud (hybrid + multiple private + multiple public) = 82%

Source: RightScale 2015 State of the Cloud Report

Page 6: 8 Elements of Multi-Cloud Security

Security Remains #1 Challenge

Chart: Cloud Challenges 2015 vs. 2014, % of respondents reporting these as significant challenges (values between 17% and 28%) for Performance, Governance/control, Managing costs, Managing multiple cloud services, Compliance, Lack of resources/expertise, and Security.

Source: RightScale 2015 State of the Cloud Report

Page 7: 8 Elements of Multi-Cloud Security

Decentralized Cloud Management


Page 8: 8 Elements of Multi-Cloud Security

Security Features Vary by Cloud

Security Feature               AWS     Azure   Google
IAM                            ✔       ✔       ✔
Encryption in DBaaS            ✔       ✔       ✔
Key Management as a Service    ✔       ✔               (AWS and Azure, per the Key Management slide)
Hardware Key Management        ✔                       (AWS, per the Key Management slide)
Security Assessment            offered by two of the three providers
Configuration Governance       offered by two of the three providers
Audit Trails                   ✔       ✔       ✔

Page 9: 8 Elements of Multi-Cloud Security

Plan for a Cloud Security Ecosystem

Cloud Security Ecosystem: Cloud Provider, Enterprise, RightScale, 3rd Party Vendors

• CMDB
• SIEM / Logging / Auditing
• IdP
• Configuration Management
• Orchestration Workflows
• Web Application Firewalls
• File-Integrity Monitoring
• Continuous Integration
• Source Code Repositories

Page 10: 8 Elements of Multi-Cloud Security

Shared Responsibility for Cloud Security

Options abound
o RightScale provides visibility, governance, auditing across clouds
o Cloud providers offer cloud-specific security options
o 3rd party vendors offer multi-cloud options
o Ability for segregation of duties: encryption provider vs cloud storage provider

Capability                                      Who?
Encrypt data in transit                         Vendor, Enterprise
Encrypt data at rest                            Vendor, Cloud, Enterprise
Secure communications                           RightScale, Cloud, Enterprise, Vendor
Systems configuration / network segmentation    Cloud, Enterprise, RightScale
Integrate with IAM                              RightScale, Cloud, Enterprise, Vendors
Privileged identity management                  RightScale, Cloud, Enterprise
Backup/replicate data                           RightScale, Cloud, Enterprise, Vendor
Coordinate BC & DR                              RightScale, Cloud, Enterprise, Vendor
Log cloud activity                              RightScale, Cloud, Enterprise, Vendor

Page 11: 8 Elements of Multi-Cloud Security

#1: VISIBILITY

Page 12: 8 Elements of Multi-Cloud Security

You Can’t Control What You Can’t See

Visibility
• Can you see all your cloud accounts and instances?
• Connect to all your clouds
• Gain visibility to all your accounts

Diagram: Many Accounts Across Clouds (AWS, Azure, Google, CloudStack, OpenStack, vSphere), each cloud holding several separate accounts

Page 13: 8 Elements of Multi-Cloud Security

RightScale: Multi-Cloud Visibility

Single pane of glass across AWS, Azure, Google, CloudStack, OpenStack, vSphere
• Multi-cloud access
  • Public clouds
  • Private clouds
  • Virtualized
• Control access
• Standardize configuration
• Patch and update
• Audit trails

Page 14: 8 Elements of Multi-Cloud Security

#2: IAM

Page 15: 8 Elements of Multi-Cloud Security

Considerations for IAM in Cloud

• Mostly the same
  • Govern and enforce user access
  • Configure role management
  • Context-based access control
  • Enable audit reporting
  • 3rd party identity providers
  • SSO: SAML, MFA, OAuth, ADFS
• But…
  • How do you handle multiple clouds and accounts?
  • So how do you control cloud credentials?

“Should this person (user) who performs this job function and therefore has these roles assigned (role) be allowed to access this type of data as it applies to this particular account (context)?”

Page 16: 8 Elements of Multi-Cloud Security

Multi-Cloud IAM

Current state
• CSPs follow proprietary schemes to support user provisioning and lifecycle management of user profiles
• IAM integrations are accomplished through grafts and tie-ins

• What’s the state of IAM for different cloud providers?
  • Not all have IAM services for all features.
• How do you manage multiple clouds?
  • Centralize control through your CMP
  • Limit the users that can go directly to cloud accounts
  • AD agents/connectors
  • Okta, Ping Identity, OneLogin
  • Enterprise directory services
  • Active Directory Federation Services (ADFS) / SAML integration

Page 17: 8 Elements of Multi-Cloud Security

Integrating IAM

Challenges
• Difficult to implement, manage, and support
• Difficult to scale and/or extend to other CSPs
• No direct coupling between AD and AWS IAM

Diagram (steps 1–7): Your Environment (AD, ADFS, SQL) authenticates the user and posts a SAML assertion to AWS STS. AD group memberships AWS-Production and AWS-DEV map to the IAM roles ADFS-Production and ADFS-DEV; a user object attribute lists the AWS account IDs the user may reach (123456789012, 111122223333). Accounts 123456789012 and 111122223333 each define the roles ADFS-Production and ADFS-DEV; accounts 777788889999 and 444455556666 define only ADFS-DEV.
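The following Python is an added example, not RightScale's or AWS's code, showing the mapping the diagram relies on: AD group membership picks the IAM role name, the user's account-ID attribute decides which accounts the SAML Role claims may name, and the resulting claim is turned into the RoleArn/PrincipalArn pair that STS AssumeRoleWithSAML expects. The group-to-role table, the SAML provider name "ADFS", the reuse of the diagram's account IDs and the base64 assertion string are all assumptions made for the example.

```python
"""Added example: map AD groups plus a per-user account attribute to the AWS IAM
roles an ADFS claim rule emits, then derive AssumeRoleWithSAML arguments.
Not RightScale or AWS code; all names and IDs are illustrative."""
from typing import Dict, List, Tuple

# Assumed AD group -> IAM role name mapping, mirroring the diagram above.
GROUP_TO_ROLE = {
    "AWS-Production": "ADFS-Production",
    "AWS-DEV": "ADFS-DEV",
}
# Assumed name of the IAM SAML identity provider created in every account.
SAML_PROVIDER_NAME = "ADFS"
ROLE_ATTRIBUTE = "https://aws.amazon.com/SAML/Attributes/Role"


def role_claims(ad_groups: List[str], account_ids: List[str]) -> List[str]:
    """Values for the SAML Role attribute, one per (account, mapped group).

    Each value is '<role ARN>,<SAML provider ARN>'. The account number comes only
    from the user's own attribute, so group membership alone never grants a role
    in an account that was not assigned to that user (the 'context' in the IAM
    question above).
    """
    claims = []
    for account in account_ids:
        for group in ad_groups:
            role = GROUP_TO_ROLE.get(group)
            if role is None:
                continue  # groups with no AWS mapping (e.g. Domain Users) are ignored
            claims.append(
                f"arn:aws:iam::{account}:role/{role},"
                f"arn:aws:iam::{account}:saml-provider/{SAML_PROVIDER_NAME}"
            )
    return claims


def parse_role_claim(value: str) -> Tuple[str, str]:
    """Split one Role attribute value into (RoleArn, PrincipalArn).

    Malformed values are rejected rather than guessed at: a truncated or forged
    claim must not silently resolve to some other role or account.
    """
    parts = [p.strip() for p in value.split(",")]
    if len(parts) != 2 or not all(p.startswith("arn:aws:iam::") for p in parts):
        raise ValueError(f"malformed Role claim: {value!r}")
    role_arn, provider_arn = parts
    if role_arn.split(":")[4] != provider_arn.split(":")[4]:
        raise ValueError("role ARN and provider ARN belong to different accounts")
    if ":role/" not in role_arn or ":saml-provider/" not in provider_arn:
        raise ValueError("claim is not a <role>,<saml-provider> pair")
    return role_arn, provider_arn


def assume_role_args(value: str, saml_assertion_b64: str,
                     duration: int = 3600) -> Dict[str, object]:
    """Keyword arguments for boto3's sts.assume_role_with_saml(**args).

    The call itself is not made here so the example runs offline; the assertion
    is the base64 SAML response the browser posted to the AWS sign-in endpoint.
    """
    role_arn, provider_arn = parse_role_claim(value)
    return {
        "RoleArn": role_arn,
        "PrincipalArn": provider_arn,
        "SAMLAssertion": saml_assertion_b64,
        "DurationSeconds": duration,
    }


if __name__ == "__main__":
    # Constructed user: in both AWS groups, assigned two of the four accounts.
    claims = role_claims(["AWS-Production", "AWS-DEV", "Domain Users"],
                         ["123456789012", "111122223333"])
    for c in claims:
        print(ROLE_ATTRIBUTE, "=", c)
    print(assume_role_args(claims[1], "PHNhbWxwOlJlc3BvbnNlLi4uPg=="))
```

The point of keying the account on a per-user attribute rather than on the group is the "context" half of the IAM question: a developer in AWS-DEV gets ADFS-DEV only in the accounts an administrator assigned to that user, and a user with no account attribute gets no Role claims at all, even if they sit in every AWS group.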

Page 18: 8 Elements of Multi-Cloud Security

RightScale Multi-Cloud Access Controls

What you get:
• Aggregate accounts across clouds
• Hierarchical organization of accounts
• Security and access controls
• SSO integration

Diagram: Users A–E authenticate to RightScale Access Control with passwords or SSO; an Enterprise Account groups Account 1 and Account 2, each holding several Cloud Accounts, and RightScale authenticates to the clouds with the cloud credentials.

Page 19: 8 Elements of Multi-Cloud Security

#3: WORKLOAD SECURITY

Page 20: 8 Elements of Multi-Cloud Security

Workload Security: From Rogue to Policy-Based

Enforce policies
• Catalog of templates that meet corporate standards
• Configured to your security requirements
• Define which clouds can be used
• Control user options and choices
• Orchestrate and automate deployment and operations

Catalog: basic instances; stacks for dev or prod applications

Page 21: 8 Elements of Multi-Cloud Security

Standardize Server Configurations

Standardization
• Automate provisioning and configuration
• Version-controlled
• Follow standards for versions, patches and configuration
• Leverage a variety of scripting languages
• Modular and auditable
• Define security configuration baselines

Diagram: Multi-Cloud Image + Configuration Scripts + Containers, deployed to AWS, Azure, Google, CloudStack, OpenStack, vSphere

Page 22: 8 Elements of Multi-Cloud Security

Standardize System Configurations

Diagram: DNS → Load Balancers → App Servers → Master DB, replicating to Slave DB

Configure a system: Cloud Application Template (CAT)
Configure a server:
• ServerTemplates (portable)
• Docker container (portable)
• AMI
• CloudFormation
• VM template

Page 23: 8 Elements of Multi-Cloud Security

Patch and Update

Increase IT efficiency
o Bring your own configuration management
o Clone existing architectures
o Updates and patches
o Monitor and alert
o Auto-scale up and down

Page 24: 8 Elements of Multi-Cloud Security

Key Management

• Asymmetric keys: private/public
• Key management
  • NISTIR 7966 (Security of Interactive and Automated Access Management Using Secure Shell (SSH)): http://tinyurl.com/lhtujnv
• Key storage options
  • Key Management-as-a-Service
    • AWS, Azure
    • Multi-tenant
  • Hardware Security Modules
    • On-premises
    • Cloud services (AWS)
  • RightScale
• Encryption of keys: MUST (data-encrypting keys are stored only wrapped by a key-encrypting key that stays inside the KMS or HSM)

Page 25: 8 Elements of Multi-Cloud Security

#4: DATA SECURITY

Page 26: 8 Elements of Multi-Cloud Security

Data Security

Compliance requirements
• PCI (e-commerce)
• HIPAA / PHI / 21 CFR Part 11
• NPI / PII
• FTI (IRS Publication 1075)
• MPAA

Data protection / encryption
• In transit: MUST
• At rest: MUST
• In process: DEPENDS

Considerations in the cloud
• Select the right cloud provider
• Some cloud providers encrypt by default
• Review their security documents
• Most cloud providers will sign a BAA (HIPAA business associate agreement)
• Segregate workloads

Page 27: 8 Elements of Multi-Cloud Security

Data Residency with a Global Cloud Platform

Map: public clouds (Amazon Web Services, Google Cloud Platform, IBM SoftLayer, Rackspace, Windows Azure) with locations in Singapore, Hong Kong, Japan, Taiwan, Beijing, Sydney, Melbourne, Texas, DC area, SF area, Seattle, Chicago, Oregon, Midwest, Toronto, Mexico City, São Paulo, Dublin, London, Amsterdam and W Europe; private clouds (CloudStack, OpenStack, vSphere) wherever the enterprise runs them.

Page 28: 8 Elements of Multi-Cloud Security

Data Residency: Impact of Safe Harbor

• Data privacy legislation differs around the world
• Evaluate encryption options where you manage the keys (à la Amazon Aurora), so the vendor cannot hand over readable data in response to a subpoena
• What is the CSP’s data retention period?
• In which country is the CSP headquartered?
• Which jurisdiction covers the contract between you and the CSP?

Page 29: 8 Elements of Multi-Cloud Security

#5: NETWORK SECURITY

Page 30: 8 Elements of Multi-Cloud Security

Securely Connecting to Cloud

• HTTPS / TLS
• SSL? (SSL 3.0 and earlier are deprecated; require TLS)
• IP address whitelisting
• VPN (IPsec)
• VPC (AWS)

Page 31: 8 Elements of Multi-Cloud Security

Direct Connection Options

• AWS Direct Connect
• Azure ExpressRoute
• Google Carrier Interconnect
• SoftLayer Direct Link

Diagram: at the colocation facility, the Customer Cage cross-connects to the AWS Cage (AWS Direct Connect) and to the Azure Cage (Azure ExpressRoute)

Page 32: 8 Elements of Multi-Cloud Security

Network Visibility

Comply with policies
• Quickly audit security groups
• Interactive network visualization
• Maintain security and compliance
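"Quickly audit security groups" is the check most worth automating, so here is an added example (not RightScale's network visualization or any AWS tool) that walks a payload shaped like the output of EC2 DescribeSecurityGroups and flags sensitive ports reachable from the whole Internet. The sample groups, the list of sensitive ports and the group IDs are constructed for the example; the field names follow the DescribeSecurityGroups response shape.

```python
"""Added example: find security-group ingress rules that expose sensitive ports
to the whole Internet. Runs over a constructed payload shaped like the output
of EC2 DescribeSecurityGroups; not RightScale's network visualization."""
from typing import Dict, Iterable, List

# Ports a practitioner does not expect reachable from 0.0.0.0/0 (assumed list).
SENSITIVE_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql", 5432: "postgres", 6379: "redis"}
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}


def _port_range(perm: Dict) -> range:
    """Ports a permission covers. IpProtocol '-1' is 'all traffic' and carries no
    FromPort/ToPort; treating it as every port is the edge case that a naive
    check on FromPort == 22 misses."""
    if perm.get("IpProtocol") == "-1":
        return range(0, 65536)
    return range(perm["FromPort"], perm["ToPort"] + 1)


def _world_cidrs(perm: Dict) -> List[str]:
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return [c for c in cidrs if c in WORLD_CIDRS]


def find_exposed_rules(groups: Iterable[Dict],
                       sensitive: Dict[int, str] = SENSITIVE_PORTS) -> List[Dict]:
    """One finding per (group, sensitive port) reachable from a world CIDR."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            world = _world_cidrs(perm)
            if not world:
                continue  # only reachable from specific CIDRs or other groups
            ports = _port_range(perm)  # range membership is O(1)
            for port in sorted(p for p in sensitive if p in ports):
                findings.append({
                    "group": sg["GroupId"],
                    "name": sg.get("GroupName", ""),
                    "port": port,
                    "service": sensitive[port],
                    "cidrs": world,
                })
    return findings


def report(findings: List[Dict]) -> List[str]:
    """Human-readable lines, one per finding, for a ticket or a SIEM alert."""
    return [f'{f["group"]} ({f["name"]}): {f["service"]}/{f["port"]} open to '
            f'{", ".join(f["cidrs"])}' for f in findings]


# Constructed sample: a web tier done right, a database open to the world,
# and a legacy group that allows all traffic from anywhere.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0a1b2c3d", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
    ]},
    {"GroupId": "sg-0deadbee", "GroupName": "db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
    {"GroupId": "sg-0badc0de", "GroupName": "legacy", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]},
]

if __name__ == "__main__":
    for line in report(find_exposed_rules(SAMPLE_GROUPS)):
        print(line)
```

Against the sample this reports one finding for the database group and five for the legacy group; the web group's HTTPS rule is world-open but not on the sensitive list, and its SSH rule is limited to RFC 1918 space. Feeding real output from `aws ec2 describe-security-groups` (the `SecurityGroups` list) into `find_exposed_rules` needs no changes; each cloud would get its own small loader producing the same finding shape.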

Page 33: 8 Elements of Multi-Cloud Security

#6: BUSINESS CONTINUITY & DISASTER RECOVERY

Page 34: 8 Elements of Multi-Cloud Security

SLAs by Cloud

SLA term                          AWS                    Azure                  Google                            SoftLayer
Uptime SLA                        99.95%                 99.95%                 99.95%                            100%
Max SLA credit on monthly bill    30%                    25%                    50%                               5% per 30 minutes of downtime
Downtime calculation              Any minutes downtime   Any minutes downtime   5+ consecutive minutes downtime   30+ consecutive minutes downtime

Page 35: 8 Elements of Multi-Cloud Security

Implement DR Architectures for your Apps

Architect for SLAs
• HA/DR reference architectures
• Cross-region and cross-cloud
• Auto-scale to meet demand
• Hybrid cloudbursting
• Monitor and automate failover
• Hot, warm, and cold DR scenarios

Diagram: DNS in front of a PRIMARY site (Load Balancers → App Servers → Master DB with a local Slave DB) and a WARM DR site (Load Balancers → App Servers → Slave DB), the Master DB replicating to both slaves

Page 36: 8 Elements of Multi-Cloud Security

Outage-Proof with Independent Control Plane

Ensure availability
o Separate management plane from cloud and cloud applications
o RightScale platform is fully redundant
o Automate failover processes for hot, warm or cold DR

Page 37: 8 Elements of Multi-Cloud Security

#7: AUDIT

Page 38: 8 Elements of Multi-Cloud Security

What Audit Tools by Provider?

o AWS CloudTrail
o Azure Diagnostics
o Google Cloud Logging (beta)
o SoftLayer Audit Trails

Page 39: 8 Elements of Multi-Cloud Security

Multi-Cloud Logging and Audit Trails

Approach:
• Feed audit trails from individual clouds to SIEM
• Feed audit trails from CMP to SIEM

Diagram: each Cloud sends its audit trail to the SIEM directly, and the Cloud Management Platform, which sits in front of all the clouds, sends its own audit trail to the SIEM as well
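Feeding several clouds into one SIEM only pays off if the records share a schema, so that "who changed what and when" is one query rather than one per provider. The Python below is an added example, not RightScale's or any provider's code: it normalizes a CloudTrail record and an Azure Activity Log entry into one event type, emits JSON lines for a SIEM collector, and runs a single cross-cloud rule for firewall-rule changes. The records are constructed (invented IDs, RFC 5737 test addresses); their field names follow the shape of CloudTrail and Activity Log JSON, and the set of network-changing operations is an assumption chosen for the example.

```python
"""Added example: normalize audit records from two clouds into one schema before
shipping them to a SIEM, then run a single cross-cloud rule over the result.
The records are constructed; their field names follow the shape of AWS CloudTrail
and Azure Activity Log JSON, but no real account, user or IP appears."""
import json
from dataclasses import asdict, dataclass
from typing import Dict, List


@dataclass
class AuditEvent:
    time: str        # ISO 8601 UTC timestamp, as emitted by the provider
    cloud: str       # "aws" or "azure"
    account: str     # AWS account ID or Azure subscription ID
    actor: str       # who: IAM ARN, user name or Azure caller
    action: str      # what: provider-native operation name
    target: str      # on what: resource ID when the record carries one
    source_ip: str   # from where
    raw_id: str      # provider event ID, to pivot back to the original record


def from_cloudtrail(rec: Dict) -> AuditEvent:
    ident = rec.get("userIdentity") or {}
    actor = ident.get("arn") or ident.get("userName") or ident.get("type", "unknown")
    params = rec.get("requestParameters") or {}      # null for read-only calls
    target = params.get("groupId") or params.get("instanceId") or ""
    return AuditEvent(rec["eventTime"], "aws", rec.get("recipientAccountId", ""),
                      actor, f'{rec["eventSource"]}:{rec["eventName"]}',
                      target, rec.get("sourceIPAddress", ""), rec.get("eventID", ""))


def from_azure_activity(rec: Dict) -> AuditEvent:
    op = rec.get("operationName") or {}
    http = rec.get("httpRequest") or {}
    return AuditEvent(rec["eventTimestamp"], "azure", rec.get("subscriptionId", ""),
                      rec.get("caller", "unknown"), op.get("value", ""),
                      rec.get("resourceId", ""), http.get("clientIpAddress", ""),
                      rec.get("eventDataId", ""))


# Operations that change network exposure, whichever cloud they come from (assumed set).
NETWORK_CHANGE_ACTIONS = {
    "ec2.amazonaws.com:AuthorizeSecurityGroupIngress",
    "ec2.amazonaws.com:RevokeSecurityGroupIngress",
    "Microsoft.Network/networkSecurityGroups/securityRules/write",
}


def network_changes(events: List[AuditEvent]) -> List[AuditEvent]:
    """'Who changed what, where and when' for firewall rules, as one rule over the
    common schema instead of one per provider log format."""
    return sorted((e for e in events if e.action in NETWORK_CHANGE_ACTIONS),
                  key=lambda e: e.time)


def to_siem_lines(events: List[AuditEvent]) -> List[str]:
    """One JSON object per line, the form most SIEM collectors ingest."""
    return [json.dumps(asdict(e), sort_keys=True) for e in events]


# Constructed records (invented IDs, RFC 5737 test addresses).
CLOUDTRAIL_RECORDS = [
    {"eventID": "ct-0001", "eventTime": "2015-06-03T14:02:11Z",
     "eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress",
     "recipientAccountId": "123456789012", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/ADFS-DEV/jdoe"},
     "requestParameters": {"groupId": "sg-0a1b2c3d"}},
    {"eventID": "ct-0002", "eventTime": "2015-06-03T14:05:40Z",
     "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "recipientAccountId": "123456789012", "sourceIPAddress": "10.1.2.3",
     "userIdentity": {"type": "IAMUser", "userName": "monitor"},
     "requestParameters": None},
]
AZURE_RECORDS = [
    {"eventDataId": "az-0001", "eventTimestamp": "2015-06-03T13:58:02Z",
     "subscriptionId": "00000000-0000-0000-0000-000000000001", "caller": "jdoe@example.com",
     "operationName": {"value": "Microsoft.Network/networkSecurityGroups/securityRules/write"},
     "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000001/resourceGroups/rg-dev"
                   "/providers/Microsoft.Network/networkSecurityGroups/nsg-dev/securityRules/allow-rdp",
     "httpRequest": {"clientIpAddress": "203.0.113.10"}},
]


def load_all() -> List[AuditEvent]:
    return ([from_cloudtrail(r) for r in CLOUDTRAIL_RECORDS] +
            [from_azure_activity(r) for r in AZURE_RECORDS])


if __name__ == "__main__":
    for line in to_siem_lines(network_changes(load_all())):
        print(line)
```

Keeping the provider's own operation name in `action` and the provider event ID in `raw_id` matters for the regulator conversation on the next slide: the normalized line answers the question, and the raw record is still reachable for evidence. Note that the same person (jdoe, from the same source address) shows up under two different actor spellings; mapping both back to the enterprise identity from the IdP is the next step a SIEM correlation rule would take.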

Page 40: 8 Elements of Multi-Cloud Security

Gain Visibility with Audit Trails

Ensure compliance
o See who changed what and when
o Provide audit logs and reports to satisfy regulators
o Available via API to integrate with other systems

Page 41: 8 Elements of Multi-Cloud Security

#8: COMPLIANCE

Page 42: 8 Elements of Multi-Cloud Security

Cloud Provider Certifications Matrix

Certifications compared across AWS, Azure, Google and SoftLayer:
• PCI DSS
• HIPAA
• SSAE16 SOC1 (Type II)
• SSAE16 SOC2 (Type II)
• SSAE16 SOC3 (Type II)
• ISO 27001
• ISO 27017
• ISO 27018
• CSA
• FedRAMP (in process for one provider)
• FISMA