Best Practices for Securing the Hybrid Cloud

Post on 10-Apr-2017


Best Practices for Securing Hybrid Clouds

Doug Cahill, Enterprise Strategy Group

Carric Dooley, Intel Security

Speakers

Doug Cahill, Senior Analyst, Enterprise Strategy Group

Carric Dooley, VP of Foundstone Services, Intel Security


© 2016 by The Enterprise Strategy Group, Inc.

Too many security presentations start like this


Today is about

Why hybrid cloud security is an…


Because security doesn't have to look like this.


Topics

• The Readiness Gap

• Defining Hybrid

• What’s Different

• Best Practices

• Solution Requirements


Gradients of the Cloud Adoption Journey

Cloud Native – “Friends don’t let friends build data centers”

Cloud First – When in doubt, to the cloud! The new normal.

Cloud Washed – Do you want cloud with that?

Cloud Neva! – Regulated, perhaps obtuse to ShadowIT use


Strong Adoption of Public Cloud Services


But Security Readiness Lags Behind Adoption

• On-premises security is much more mature than public cloud-based infrastructure/application security, 42%

• On-premises security is somewhat more mature than public cloud-based infrastructure/application security, …

• On-premises security is about the same as public cloud-based infrastructure/application …

• Public cloud-based infrastructure/application security is somewhat more …

• Public cloud-based infrastructure/application security is much more mature than on-premises …

How would you compare the security (i.e., policies, processes, technologies and skills) associated with your organization’s on-premises IT infrastructure and


So Work is Required

• A significant amount of work, 49%

• A moderate amount of work, 49%

• A small amount of work, 2%

• Don’t know, 1%

In your opinion, how much work will it take to develop an appropriate security model that aligns with your organization’s future plans for cloud computing?


Which is Why Some Feel This Way


Defining Hybrid


Many Definitions of Hybrid Clouds

Oft cited to be:

• Workloads in more than one location

• Backing up to the cloud

• Cloud First -- New apps in the cloud

Cross-cloud data and application tier location arbitration

• Automated and orchestrated use of on-demand resources

• Database tier on-premise, web app tier in the cloud (CDN)


The Heterogeneous Public Cloud Dimension of Hybrid

• Multi-CSP strategy for pricing leverage

• Azure the Pepsi to AWS’s Coke position

Anyone remember Dr. Pepper?

• vCloud Air for DRaaS


The Private Cloud Dimension of Hybrid

Perception: Virtualization = private cloud

But Actually…

• Agile software development methodology

• DevOps (continuous) delivery methodology

• Service oriented resource procurement

• API-driven, software defined everything


OK, but …

What’s different about securing hybrid clouds?


Customers and CSPs Share Responsibility


The Network Perimeter is Shifting

Workloads communicate north-south across hybrid clouds as well as east-west.

Workloads can be internally and externally facing.

Customers do have access to the physical egress point

Workloads create their own perimeter


Cloud Environments are Highly Dynamic, API-Driven

Methodologies

• Highly iterative Agile software development

• DevOps for continuous dev, test, delivery, monitoring….and security

Technologies

• Scripts call APIs to automate infrastructure lifecycle

• Temporal due to elasticity and auto-scaling up and down

• Immutable infrastructure for cutover deployments


Spotlight: Pets v. Cattle of Immutable Infrastructure

• Cute names

• Fed tasty treats

• Treated as member of the family

• Servers get similar care and feeding

• Assigned a #

• Bred for harvest

• Get sick, get shot

• Blue green deployments


© 2015 by The Enterprise Strategy Group, Inc.

Gain Visibility via Continuous Monitoring

Inventory Everything

• Workloads, VPCs, devices, cloud accounts, etc. - physical and virtual

• Instance sprawl = developer version of Shadow IT

• Collectively represents the attack surface area

Monitor Continuously

• System activity, netflow, API usage

• AWS CloudTrail, Azure Operational Insights for API and service usage

• On-board agent for system activity

• Record and retain activity for trust and compliance


Employ a Workload Centric Security Model

Spotlight: Anomaly Detection in Auto Scaling Groups

Premise: There should be no intra-group drift from a trusted configuration

Approach: Monitor the integrity of trusted configs for anomalous changes

Anomalies of Interest:

• New process and child processes

• File system changes

• Logins beyond ID - time, location, frequency

• Netflow to/from remote IPs

• Correlation of processes and netflow
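
Added example (not from the slides): a minimal drift check that compares each instance in an auto-scaling group against a trusted baseline and correlates new processes with new netflow peers. The `Snapshot` schema, instance names and sample data are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Snapshot:
    """State reported by an on-board agent (assumed schema, not a real product's)."""
    processes: set      # running process names
    file_hashes: dict   # monitored path -> content digest
    remote_ips: set     # remote peers seen in netflow

def drift(baseline, observed):
    """Return how one instance deviates from the trusted configuration."""
    paths = baseline.file_hashes.keys() | observed.file_hashes.keys()
    findings = {
        "new_processes": sorted(observed.processes - baseline.processes),
        "changed_files": sorted(
            p for p in paths
            if baseline.file_hashes.get(p) != observed.file_hashes.get(p)),
        "new_remote_ips": sorted(observed.remote_ips - baseline.remote_ips),
    }
    # Correlation of processes and netflow: an unknown process together with
    # an unknown peer is a stronger signal than either alone.
    findings["correlated"] = bool(
        findings["new_processes"] and findings["new_remote_ips"])
    return findings

def scan_group(baseline, group):
    """Map instance id -> findings, for instances that drifted."""
    report = {}
    for instance_id, snap in group.items():
        found = drift(baseline, snap)
        if any(found.values()):
            report[instance_id] = found
    return report

# Constructed sample data (documentation-range IP, placeholder digests).
BASELINE = Snapshot({"sshd", "httpd", "agent"},
                    {"/etc/httpd/conf/httpd.conf": "digest-a",
                     "/var/www/index.html": "digest-b"},
                    {"10.0.0.5"})
GROUP = {
    "web-1": Snapshot({"sshd", "httpd", "agent"},
                      dict(BASELINE.file_hashes), {"10.0.0.5"}),
    "web-2": Snapshot({"sshd", "httpd", "agent"},
                      {**BASELINE.file_hashes, "/var/www/index.html": "digest-x"},
                      {"10.0.0.5"}),
    "web-3": Snapshot({"sshd", "httpd", "agent", "tmpworker"},
                      dict(BASELINE.file_hashes), {"10.0.0.5", "203.0.113.50"}),
}

if __name__ == "__main__":
    for instance_id, found in scan_group(BASELINE, GROUP).items():
        print(instance_id, found)
```
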


Embrace Automation via SecDevOps

In Test/QA: Vulnerability scanning of entire stack

• Assure currency pre-deployment to prod

In Prod: Policy assignment at time of instance instantiation

• By tag, and thus templates, for consistency

e.g. Env:Prod App:WebApache Geo:East

• Host firewalls, integrity monitoring, anomaly detection

• Virtual patching via exploit behavioral analysis
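
Added example (not from the slides): tag-driven policy assignment at instantiation, using the slide's tag string as input. The policy table, control names and the default-deny fallback for untagged or unmatched instances are assumptions made for illustration.

```python
REQUIRED_TAGS = ("Env", "App", "Geo")

# Assumed policy templates: every selector that matches contributes controls.
POLICIES = [
    ({"Env": "Prod"},
     {"host-firewall", "integrity-monitoring", "anomaly-detection"}),
    ({"Env": "Prod", "App": "WebApache"}, {"virtual-patching"}),
    ({"Env": "Test"}, {"vulnerability-scan"}),
]
FALLBACK = {"default-deny"}  # assumed: fail closed when tags do not resolve

def parse_tags(text):
    """Parse 'Env:Prod App:WebApache Geo:East' into a dict."""
    tags = {}
    for pair in text.split():
        key, sep, value = pair.partition(":")
        if not (sep and key and value):
            raise ValueError(f"malformed tag: {pair!r}")
        tags[key] = value
    return tags

def assign_policy(tags):
    """Return the sorted controls for an instance, given its tags."""
    # Instance sprawl shows up as missing tags; do not guess a policy.
    if any(name not in tags for name in REQUIRED_TAGS):
        return sorted(FALLBACK)
    controls = set()
    for selector, granted in POLICIES:
        if all(tags.get(k) == v for k, v in selector.items()):
            controls |= granted
    return sorted(controls or FALLBACK)

if __name__ == "__main__":
    for sample in ("Env:Prod App:WebApache Geo:East",
                   "Env:Test App:WebApache Geo:East",
                   "Env:Prod"):
        print(sample, "->", assign_policy(parse_tags(sample)))
```
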


Map Controls to Assets

Workload Type: Controls

Automation Servers

• Multi-Factor Authentication

• Default Deny Application Control

Jump / Bastion Hosts

• Netflow monitoring – IDS/IPS rules

• Default Deny Application Control

Auto-Scaling Groups

• System integrity monitoring

• Anomaly detection


Extend Trust Across Hybrid Clouds

Objective: Cross-cloud security consistency

• Replicate policy by workload profile

• Cross pollinate DevSecOps to on-prem

• Centralized visibility of inter-workload traffic


Cloud Security is a Team Sport

Groups directly involved in cloud security (Evaluating, Purchasing, and Operating)

• DevOps team, 32%

• Application development team, 44%

• Networking team, 56%

• Data center…, 61%

• Security team, 63%


The Must Haves of a Hybrid Cloud Security Solution

Supports tags for automated policy assignment

Operates in auto-scaling groups – i.e. transient instances

Flexible delivery models, including native SaaS

APIs for integrations and instrumentation (script & extract)

Linux support not an afterthought

Metered, utility-based pricing model

Cloud …

exactly the same, but different


Similarities

Big data glut

Access control! Becomes even more vital

Monitoring a must

Understanding of architecture also a must

Need for automation to scale

Critical asset identification

Baseline normal

Secure design and architecture still crucial

Data protection program


Differences

No hardware (firmware attacks not your problem)

No patching

Limited configuration management

Shifting perimeter (zero trust)

Digital forensics

Quality Assurance, might reflect production!!

Double-edged sword (remember SSO?)


Unsure/Depends

• Assessment

• Does it represent more risk?

• Threats and vulnerabilities

• Corruption, deny access, exfiltration


Questions?


For more information, please visit www.intelsecurity.com/hybridcloudsecurity

Doug Cahill, doug.cahill@esg-global.com

Foundstone Cloud Assessment Services

www.foundstone.com

foundstone@intel.com

@Foundstone
