Sam Herath - Six Critical Criteria for Cloud Workload Security

1 | © 2015 CloudPassage Confidential

Six Critical Criteria forCloud Workload Security

Sam HerathCloud Security Evangelist


Our Worldview

• Who is CloudPassage and who do we protect◦ Cloud infrastructure security and compliance◦ About 100 large enterprises including a number of Fortune 500s

• Enterprise IT delivery is undergoing massive transformation◦ Cloud-oriented, on-demand IT will be the norm, driven by business demands◦ Application business owners want speed, agility, efficiency

• Big challenges remain◦ SDDC, hybrid cloud, agile development drive new mode of IT operation◦ Existing applications don’t magically migrate to the new model◦ Deeply centralized functions (like security & compliance) are the most challenged


Cloud Breaks Security

Sorry About That :(


Application A Application B

Application C

Application D

Application E

Traditional DCHosting Model


Web Servers

A A

A A

Databases

AA

Web App Appliance

Crypto Gateway

Network Firewall

Network IDS / IPS

Traditional DC Hosting Model


A

A A A

A A A

A

A A

A

A A

A

A A

A A

A A

B

B

B

B

C C

C

C

C

C C

D

D D

D

D

D

D D

D D

D

E

E E

E E E

E E E E

E E E

E E

E

E

E

E

E

E E

E E

Private Cloud Hosting

Model


Public Cloud Hosting

ModelDC


Public Cloud Hosting

ModelDC


Cloud Workload Security must…

1. …be right at the workload

2. …cover broad set of controls

3. …be automated and orchestrate with DevOps

4. …work everywhere

5. …scale vertically and horizontally

6. …deal with the reality of business and IT!


1. Security At The Workload

• “Cause that’s where the compute is.”

• Workload is layer of abstraction (answers to “What” and not “How”)

• Not reliant on specific network, perimeter, hypervisor, security appliances

• Policy driven

• Logically grouped

• Applied automatically

• Portable, scalable, transparent, universal


1. Security At The Workload

User Administration

Application Code

Application Stack

VM Guest OS

Virtualization Stack

Compute/Storage HW

Network Infrastructure

Physical Environment

IaaS

Customer controlled

Provider controlled


2. Cover Broad Set of Controls

Operational Automation

Compromise Management

Vulnerability Management

Data Protection

Visibility & Awareness

Strong Access Controls


2. Cover Broad Set Of Controls

• Software Vulnerability Assessment

• Configuration Security Monitoring

• Traffic Discovery

• Firewall Management and Orchestration

• Server Account Management

• Multi-factor Authentication

• Intrusion Detection

• File Integrity Monitoring

• …


3. Automated and Orchestrated


Quality testing

Staging and release

J DF M A M J J A S O N

Analysis and design

Coding and implementation

R1 R12R11R10R2 R3 R4 R5 R6 R7 R8 R9



Quality testing

Staging and release


Analysis and design

Coding and implementation

R1 R12R11R10R2 R3 R4 R5 R6 R7 R8 R9



Core security policies already implemented, regardless of environment

Security unit-testing cases required, or code is rejected (yes, really)

Code & infrastructure policies ensured using devops-style automation

Staging smoke tests include automated pen-testing, vulnerability assessment, policy validation, security baselines (against gold master)


R1 R12R11R10R2 R3 R4 R5 R6 R7 R8 R9

All of this feeds into SIEM and GRC tools via API



IaaS 2

4. Work Everywhere

User Administration

Application Code

Application Stack

VM Guest OS

Virtualization Stack

Compute/Storage HW

Network Infrastructure

Physical Environment

IaaS

Customer controlled Provider controlled

ColoDC


5. Scale Vertically and Horizontally

• Is 200MB of RAM a lot? 10MB? Times how many different tools?

• Is 100 systems a lot? 1,000? 60,000?

• One Big Factory → Servers, Instances, Microservices & Containers


6. Deal with Reality of IT


ModernLegacy

Experiments

Innovation

GreenfieldApplications

Any NewApplication

Low-Risk Migrations

High-RiskMigrations

Core BusinessApplications

“BUSINESS AS USUAL”

Last LegacyProject



6. Deal with Reality of ITTraditional

Data Center

Bare Metal

Basic Virtualization

Basic Virtualization



UCS Director



UCS Director


Cloud Workload Security must…

1. …be right at the workload

2. …cover broad set of controls

3. …be automated and orchestrate with DevOps

4. …work everywhere

5. …scale vertically and horizontally

6. …deal with the reality of business and IT!


UCS Director

From Chaos…


UCS Director

… To Control

Security Automation and Orchestration


www.cloudpassage.com

Technology

Sam Herath - Six Critical Criteria for Cloud Workload Security