SECURITY AND COMPLIANCE IN THE CLOUD

RightScale Webinar: Security and Compliance in the Cloud


Page 1: RightScale Webinar: Security and Compliance in the Cloud

SECURITY AND COMPLIANCE IN THE CLOUD

Page 2: Your Panel Today

• Bart Falzarano, Director of Security & Compliance, RightScale
• Roberto Monge, Cloud Solutions Engineer, RightScale
• Steve Kochenderfer (Q&A), Sales Development Representative, RightScale

Please use the “Questions” window to ask questions at any time

Page 3: Agenda

• Data Breaches/Security Threats
• Evaluating Security of IaaS Providers
• Addressing Security Gaps with Vanilla/Out-of-the-Box Cloud Infrastructure
• Live Demo of the RightScale Approach
• Q & A

Page 5: Most Threats Are Not Cloud Specific

• Data Breaches: misconfigurations/improper design
• Data Loss: cloud provider suffers data loss or customer loses encryption keys
• Account Hijacking: phishing, cross-site scripting (XSS) bugs
• Secret keys sniffed on the network or stored on laptops/desktops
• Denial of Service: DoS & DDoS attacks
• Malicious Insiders
• Abuse of Cloud Services: use an array of servers to stage DDoS, crack encryption keys, distribute malware

Page 6: Evaluating the Security of IaaS Cloud Providers

Cloud Provider | PCI DSS | HIPAA | SSAE16 SOC1 | SOC2 | SOC3 | ISO 27001 | CSA | FedRAMP | Additional certifications, notes, and references
Amazon AWS | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ITAR, FIPS 140-2, DIACAP, FISMA (Amazon AWS GovCloud (US) environment). FedRAMP issued for both AWS GovCloud (US) and AWS US East/West regions. For complete scope reference: http://aws.amazon.com/compliance/
Microsoft Windows Azure | - | ✔ | ✔ | ✔ | - | ✔ | ✔ | ✔ | CSA CCM audit completed as part of their SOC2 assessment. For complete scope reference: http://www.windowsazure.com/en-us/support/trust-center/compliance/
Rackspace | ✔ | - | ✔ | ✔ | ✔ | ✔ | - | - | Safe Harbor Certified – EU Directive 95/46/EC on the protection of personal data. SOC2: Security and Availability only. For complete scope reference: http://www.rackspace.com/about/whyrackspace/
Google Compute Engine | - | ✔ | ✔ | ✔ | ✔ | ✔ | - | - | Data is encrypted on local ephemeral disk and persistent disk. All data written to disk in Compute Engine is encrypted at rest using the AES-128-CBC algorithm. For complete scope reference: https://cloud.google.com/products/compute-engine/

Page 7: Public Clouds Expand Security Capabilities

Network Security
• Secure access with SSL
• VPC and ingress/egress firewalls
• Private subnets w/VPC & IPSEC VPN
• Dedicated connections (Direct Connect)
• Separate Regions (GovCloud)

Data Security
• Advanced Encryption Standard (AES) 256, a secure symmetric-key encryption standard using 256-bit encryption keys
• AWS: HSM to manage keys
• Google: Encrypts data at rest
• Role-Based Access Control & MFA

Process Security
• Strong physical security controls
• Self-service provisioning and automation to avoid human errors
• Deep security expertise at cloud providers
• Support for customer penetration testing
• Network monitoring and protection

Page 8: Experience in the Cloud Changes Issues

Top 5 Challenges Change with Cloud Maturity

Place | Cloud Beginners | Cloud Focused
#1 | Security (31%) | Compliance (18%)
#2 | Compliance (30%) | Cost (17%)
#3 | Managing multiple cloud services (28%) | Performance (15%)
#4 | Integration to internal systems (28%) | Managing multiple cloud services (13%)
#5 | Governance/Control (26%) | Security (13%)

Source: RightScale 2014 State of the Cloud Report

Page 9: Enterprises Choosing Multi-Cloud

Enterprise Cloud Strategy, 1000+ employees:
• Hybrid cloud 48%
• Multiple public 15%
• Single public 13%
• Multiple private 11%
• Single private 9%
• No plans 4%

Multi-Cloud: 74%

Source: RightScale 2014 State of the Cloud Report

Page 10: Multi-Cloud is an Enterprise Reality

[Diagram: an application portfolio (App 1 to App N) is matched through requirements filters (Performance, Cost, Compliance, Geo-location, Security) to resource pools: Public Cloud 1, Public Cloud 2, Hosted Private (Vendors), Internal Private, Virtualized and the Existing DC.]

Page 11: Security Gaps Remain

• Cloud Management & API differences across cloud providers
• Identity & Access Management / Access Control
• Change & Configuration Management
• Network & Data Security
• Business Continuity Planning / Disaster Recovery
• Monitoring/Alerting, Incident Response and Assessment
• Audit and Compliance

Page 12: How RightScale Addresses The Gaps

• Standardize & Automate: baseline security / standardized configurations, track versions, automate patching, monitoring, alerting, etc.
• Multi-Cloud: govern many clouds with a single pane of glass
• Outage-Proof & DR: ensure applications stay up during cloud or data center outages
• Audit & Compliance: maintain a complete audit trail and comply with regulations
• Network & Data Security: manage cloud network configurations and encrypt data
• Access Control: integrate to SSO and control access to cloud credentials

Page 13: Decentralized Cloud Management

Page 14: Be Ready To Manage a Portfolio of Clouds

[Diagram: RightScale Cloud Portfolio Management (Self-Service, Cloud Analytics, Cloud Management: Manage, Govern, Optimize) spanning Your Cloud Portfolio of Public Clouds, Private Clouds and Virtualized Environments.]

Page 15: Manage Public, Private and Virtualized

Single pane of glass
o Deep integration to public and private cloud providers
o Elevates:
  • Configurations
  • APIs
  • Automation behaviors
  • Access control
  • Billing and governance
o Deploy to clouds and virtualized environment
o Move between clouds and virtualized

[Diagram: RightScale Cloud Portfolio Management connects to Public Clouds and, behind the Corporate Firewall, to On-premises Private Clouds and VMware® vSphere® (vCenter Server™, ESXi) through the RightScale Cloud Appliance for vSphere; egress-only option.]

Page 16: Control Enterprise Access

Robust Governance
• API or GUI account provisioning
• Temporary users
• SSO integration
• SAML or OpenID
• Role based access control
• Hierarchical organization of accounts
• Limit access to cloud credentials
• Cloud resources isolated per account

Page 17: From Rogue to Policy-Based Cloud Usage

Enforce Policies
o Pre-defined stacks to meet corporate standards
o Configured to your security requirements
o Define which clouds can be used
o Control user options and choices
o Control costs through quotas

Page 18: Standardize with ServerTemplates

Enforce standards
o Automate provisioning and configuration across clouds
o Version-controlled
o Follow standards for versions, patches and configuration
o Leverage a variety of scripting languages

http://www.rightscale.com/blog/cloud-management-best-practices/rightscale-servertemplates-explained

Page 19: Enforce Security Configuration Baselines with ServerTemplates

Enforce standards
o Modular building block approach to managing and securing server configurations
o Automate baseline security settings / system hardening configurations
o Version-controlled / Anti-tamper
o Perform system and security configuration audits

Page 20: Repeatability and Consistency

RightScale Solution
• Scalable campaigns on tight deadlines
• Clone-able, customizable environments
• Deliver SLAs during huge traffic spikes
• Control infrastructure costs for clients

Increase Investment Flexibility / Reduce Risk / Improve IT Efficiency

Page 21: Keep Tabs on All Cloud Resources in One Place

Monitor, Alert, Automate
o Application, cluster and server-level monitoring
o 80 built-in server, volume, database, and application monitors
o Assign alerts to any metric
o Customize escalations
o Trigger automated scaling, operational scripts, and notifications
o Create self-healing servers and deployments

Page 22: Gain Visibility with Audit Trails

Ensure compliance
o See who changed what and when
o Provide audit logs and reports to satisfy regulators
o Available via API to integrate with other systems

Page 23: Maintain a Pulse on your Cloud Costs

Intimately Understand your Cloud Spend
o Quickly identify & diagnose spikes in activity
o Visibility by project & user
o Planning and forecasting
o Budgets and cost controls
o Allocations
o Chargeback and showback
o Optimize spend

Page 24: Secure Cloud with Network Manager

[Diagram: Network Manager object hierarchy: Clouds, Networks, Instances, Subnets, IP Address Bindings, Security Groups, Network ACLs, Routing Tables, IP Addresses.]

Abstract Network Security
o Manage network configuration across clouds
  • VPCs
  • Subnets
  • Security groups
  • Network gateways
o Maintain ability to leverage cloud-specific features
o Control permissions and audit changes to network configuration
o API and UI access

Page 25: View Network Security in Context

Visualize Security
o Visualize and audit network configuration parameters
o Understand which deployments and security groups have which ports open to which IP addresses
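One way to produce the "which ports are open to which addresses" view this slide describes, as an added example that is not RightScale's code: it flattens security-group rules given in the shape of an AWS EC2 DescribeSecurityGroups response (the sample groups, ids and addresses are constructed) and flags rules reachable from any address, with all-traffic rules and admin ports ranked highest.

```python
import ipaddress

# Constructed sample in the shape of an AWS EC2 DescribeSecurityGroups
# response; the group ids and addresses are made up.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0a1b2c", "GroupName": "web",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "203.0.113.0/24"}]},
     ]},
    {"GroupId": "sg-0d3e4f", "GroupName": "db",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
          "IpRanges": [{"CidrIp": "10.0.1.0/24"}]},
         {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
     ]},
]

def exposures(groups):
    """Flatten every rule to (group, protocol, from_port, to_port, cidr)."""
    rows = []
    for g in groups:
        for perm in g.get("IpPermissions", []):
            proto = perm["IpProtocol"]
            # "-1" means all protocols on all ports; AWS omits the port fields.
            lo, hi = (None, None) if proto == "-1" else (perm["FromPort"], perm["ToPort"])
            for r in perm.get("IpRanges", []):
                rows.append((g["GroupName"], proto, lo, hi, r["CidrIp"]))
    return rows

def world_exposed(groups, admin_ports=(22, 3389)):
    """Rules reachable from any address (a /0 CIDR), tagged with a severity:
    all-traffic rules are critical, admin ports are high, the rest info."""
    findings = []
    for name, proto, lo, hi, cidr in exposures(groups):
        if ipaddress.ip_network(cidr).prefixlen != 0:
            continue  # scoped to a specific range, not world-open
        if proto == "-1":
            severity = "critical"
        elif any(lo <= p <= hi for p in admin_ports):
            severity = "high"
        else:
            severity = "info"
        findings.append((name, proto, lo, hi, cidr, severity))
    return findings

for finding in world_exposed(SAMPLE_GROUPS):
    print("%s %s %s-%s open to %s [%s]" % finding)
```

Feeding the real DescribeSecurityGroups output of each account through the same functions gives the per-deployment open-port view without any cloud-specific UI.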

Page 26: Protect Confidential Information

RightScale Solution
• Protect PII
• Deliver visibility & governance
• Optimize lifecycle automation

“RightScale gives us visibility. It helped us develop trust with security, finance, development and management.” - John Fitch

Accelerate Application Delivery / Reduce Risk

Page 27: Data Residency with a Global Cloud Platform

Page 28: Outage-Proof with Independent Control Plane

[Diagram: the RightScale Primary replicates to a RightScale Backup with failover between them; Users A, B and C reach the RightScale UI and RightScale API over secure authentication and communication; the globally hosted, scalable, resilient SaaS platform controls Your Cloud Applications running in Your Public Cloud A, Your Public Cloud B and Your Private Cloud.]

Page 29: DEMO

Page 30: Security Development Life Cycle

Security Lifecycle: Assess/Design → Set Policies & Controls / Implement → Monitor & Enforce / Sustain → Measure / Evaluate

Page 31: RightScale Certifications

o U.S.-EU Safe Harbor Framework
o U.S.-Swiss Safe Harbor Framework
o SSAE16 SOC1 Type II & SOC2 Type II (in process)

Page 32: Next Steps and Q&A

• Talk to us today about your requirements: +1 888-989-1856
• Learn more – request more info:
  • RightScale Security White Paper
  • ServerTemplates and HSM configuration brief
• Try RightScale Today: www.rightscale.com/free-trial