Best Practices for Securing the Hybrid Cloud
Best Practices for Securing Hybrid Clouds
Doug Cahill, Enterprise Strategy Group
Carric Dooley, Intel Security
Speakers
Doug Cahill, Senior Analyst, Enterprise Strategy Group
Carric Dooley, VP of Foundstone Services, Intel Security
© 2016 by The Enterprise Strategy Group, Inc.
Too many security presentations start like this
Today is about
Why hybrid cloud security is an…
Because security doesn't have to look like this.
Topics
• The Readiness Gap
• Defining Hybrid
• What’s Different
• Best Practices
• Solution Requirements
Gradients of the Cloud Adoption Journey
Cloud Native – “Friends don’t let friends build data centers”
Cloud First – When in doubt, to the cloud! The new normal.
Cloud Washed – Do you want cloud with that?
Cloud Neva! – Regulated, perhaps obtuse to ShadowIT use
Strong Adoption of Public Cloud Services
But Security Readiness Lags Behind Adoption
• On-premises security is much more mature than public cloud-based infrastructure/application security, 42%
• On-premises security is somewhat more mature than public cloud-based infrastructure/application security, …
• On-premises security is about the same as public cloud-based infrastructure/application …
• Public cloud-based infrastructure/application security is somewhat more …
• Public cloud-based infrastructure/application security is much more mature than on-premises …
Survey question: How would you compare the security (i.e., policies, processes, technologies and skills) associated with your organization’s on-premises IT infrastructure and
So Work is Required
• A significant amount of work, 49%
• A moderate amount of work, 49%
• A small amount of work, 2%
• Don’t know, 1%
In your opinion, how much work will it take to develop an appropriate security model that aligns with your organization’s future plans for cloud computing?
Which is Why Some Feel This Way
Defining Hybrid
Many Definitions of Hybrid Clouds
Oft cited to be:
• Workloads in more than one location
• Backing up to the cloud
• Cloud First -- New apps in the cloud
Cross-cloud data and application tier location arbitration
• Automated and orchestrated use of on-demand resources
• Database tier on-premise, web app tier in the cloud (CDN)
The Heterogeneous Public Cloud Dimension of Hybrid
• Multi-CSP strategy for pricing leverage
• Azure the Pepsi to AWS’s Coke position
Anyone remember Dr. Pepper?
• vCloud Air for DRaaS
The Private Cloud Dimension of Hybrid
Perception: Virtualization = private cloud
But Actually…
• Agile software development methodology
• DevOps (continuous) delivery methodology
• Service oriented resource procurement
• API-driven, software defined everything
OK, but …
What’s different about securing hybrid clouds?
Customers and CSPs Share Responsibility
The Network Perimeter is Shifting
Workloads communicate north-south across hybrid clouds as well as east-west.
Workloads can be internally and externally facing.
Customers do have access to the physical egress point
Workloads create their own perimeter
Cloud Environments are Highly Dynamic, API-Driven
Methodologies
• Highly iterative Agile software development
• DevOps for continuous dev, test, delivery, monitoring… and security
Technologies
• Scripts call APIs to automate infrastructure lifecycle
• Temporal due to elasticity and auto-scaling up and down
• Immutable infrastructure for cutover deployments
Spotlight: Pets v. Cattle of Immutable Infrastructure
• Cute names
• Fed tasty treats
• Treated as member of the family
• Servers get similar care and feeding

• Assigned a #
• Bred for harvest
• Get sick, get shot
• Blue green deployments
© 2015 by The Enterprise Strategy Group, Inc.
Gain Visibility via Continuous Monitoring
Inventory Everything
• Workloads, VPCs, devices, cloud accounts, etc. – physical and virtual
• Instance sprawl = developer version of Shadow IT
• Collectively represents the attack surface area
Monitor Continuously
• System activity, netflow, API usage
• AWS CloudTrail, Azure Operational Insights for API and service usage
• On-board agent for system activity
• Record and retain activity for trust and compliance
Employ a Workload Centric Security Model
Spotlight: Anomaly Detection in Auto Scaling Groups
Premise: There should be no intra-group drift from a trusted configuration
Approach: Monitor the integrity of trusted configs for anomalous changes
Anomalies of Interest:
• New process and child processes
• File system changes
• Logins beyond ID - time, location, frequency
• Netflow to/from remote IPs
• Correlation of processes and netflow
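An added example (not from the original slides) of the premise above: each instance snapshot in an auto-scaling group is compared with the group's trusted configuration, and new processes, file changes, out-of-range netflow and the process/netflow correlation are reported. The baseline, hash placeholders, instance IDs and addresses are constructed, the snapshot format is an assumption, and login anomalies are left out.

```python
import ipaddress

# Constructed trusted configuration for one auto-scaling group (hypothetical values).
BASELINE = {
    "processes": {"systemd", "sshd", "nginx"},
    "files": {"/etc/nginx/nginx.conf": "a3f1", "/etc/ssh/sshd_config": "9c0e"},
    "allowed_nets": [ipaddress.ip_network("10.0.0.0/8")],
}

def detect_drift(baseline, snapshot):
    """Return a sorted list of (kind, detail) findings for one instance snapshot."""
    findings = []
    # New processes (including child processes) that are not in the trusted set.
    for proc in snapshot["processes"] - baseline["processes"]:
        findings.append(("new_process", proc))
    # File system changes: modified, added or removed monitored files.
    for path in baseline["files"].keys() | snapshot["files"].keys():
        if baseline["files"].get(path) != snapshot["files"].get(path):
            findings.append(("file_change", path))
    # Netflow to/from remote IPs outside the expected networks,
    # correlated with the process that owns the flow.
    for proc, remote in snapshot["flows"]:
        addr = ipaddress.ip_address(remote)
        if not any(addr in net for net in baseline["allowed_nets"]):
            known = proc in baseline["processes"]
            kind = "unexpected_flow" if known else "flow_from_new_process"
            findings.append((kind, f"{proc}->{remote}"))
    return sorted(findings)

def group_drift(baseline, snapshots):
    """Map instance id -> findings, keeping only instances that drifted."""
    results = {iid: detect_drift(baseline, s) for iid, s in snapshots.items()}
    return {iid: f for iid, f in results.items() if f}

# Constructed snapshots: i-aaa matches the baseline, i-bbb has drifted.
SNAPSHOTS = {
    "i-aaa": {"processes": {"systemd", "sshd", "nginx"},
              "files": dict(BASELINE["files"]),
              "flows": [("nginx", "10.1.2.3")]},
    "i-bbb": {"processes": {"systemd", "sshd", "nginx", "nc"},
              "files": {"/etc/nginx/nginx.conf": "a3f1",
                        "/etc/ssh/sshd_config": "ffff"},
              "flows": [("nc", "203.0.113.7"), ("nginx", "198.51.100.9")]},
}

if __name__ == "__main__":
    for iid, findings in group_drift(BASELINE, SNAPSHOTS).items():
        print(iid, findings)
```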
Embrace Automation via SecDevOps
In Test/QA: Vulnerability scanning of entire stack
• Assure currency pre-deployment to prod
In Prod: Policy assignment at time of instance instantiation
• By tag, and thus templates, for consistency
  e.g. Env:Prod App:WebApache Geo:East
• Host firewalls, integrity monitoring, anomaly detection
• Virtual patching via exploit behavioral analysis
Map Controls to Assets
Workload Type: Controls
Automation Servers
• Multi-Factor Authentication
• Default Deny Application Control
Jump / Bastion Hosts
• Netflow monitoring – IDS/IPS rules
• Default Deny Application Control
Auto-Scaling Groups
• System integrity monitoring
• Anomaly detection
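An added example (not from the original slides) that combines policy assignment by tag with the workload-to-control mapping above: tags in the slide's `Env:Prod App:WebApache Geo:East` form are parsed at instantiation time and resolved to a control set, and an instance with missing or malformed tags gets a restrictive fallback and is flagged. The `Role` tag, the required-tag set, the `Env:Prod` rule and the fallback set are assumptions made for illustration.

```python
# Constructed policy table (assumption): a selector is a set of tag key/value
# pairs that must all match; the controls are those named on the slides.
POLICIES = [
    ({"Role": "Automation"},
     {"multi-factor authentication", "default-deny application control"}),
    ({"Role": "Bastion"},
     {"netflow monitoring (IDS/IPS rules)", "default-deny application control"}),
    ({"Role": "AutoScalingGroup"},
     {"system integrity monitoring", "anomaly detection"}),
    ({"Env": "Prod"}, {"host firewall"}),
]
REQUIRED_KEYS = {"Env", "App"}  # tags every instance must carry (assumption)
FALLBACK = {"host firewall", "default-deny application control"}  # assumption

def parse_tags(text):
    """Parse 'Env:Prod App:WebApache Geo:East'; reject malformed or duplicate tags."""
    tags = {}
    for token in text.split():
        key, sep, value = token.partition(":")
        if not sep or not key or not value or key in tags:
            raise ValueError(f"bad tag: {token!r}")
        tags[key] = value
    return tags

def assign_controls(tag_text):
    """Return (controls, compliant) for an instance at instantiation time."""
    try:
        tags = parse_tags(tag_text)
    except ValueError:
        return set(FALLBACK), False
    if not REQUIRED_KEYS <= tags.keys():
        return set(FALLBACK), False
    controls = set()
    for selector, ctrl in POLICIES:
        if all(tags.get(k) == v for k, v in selector.items()):
            controls |= ctrl
    # An instance that matches no policy is treated like an untagged one.
    return (controls, True) if controls else (set(FALLBACK), False)

if __name__ == "__main__":
    print(assign_controls("Env:Prod App:WebApache Geo:East Role:AutoScalingGroup"))
    print(assign_controls("App:WebApache"))
```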
Extend Trust Across Hybrid Clouds
Objective: Cross-cloud security consistency
• Replicate policy by workload profile
• Cross pollinate DevSecOps to on-prem
• Centralized visibility of inter-workload traffic
Cloud Security is a Team Sport
Groups directly involved in cloud security (Evaluating, Purchasing, and Operating)
[Bar chart. Categories as extracted: DevOps team, Application development team, Networking team, Data center…, Security team. Values as extracted, in order: 32%, 44%, 56%, 61%, 63%.]
The Must Haves of a Hybrid Cloud Security Solution
Supports tags for automated policy assignment
Operates in auto-scaling groups – i.e. transient instances
Flexible delivery models, including native SaaS
APIs for integrations and instrumentation (script & extract)
Linux support not an afterthought
Metered, utility-based pricing model
Cloud …
exactly the same, but different
Similarities
Big data glut
Access control! Becomes even more vital
Monitoring a must
Understanding of architecture also a must
Need for automation to scale
Critical asset identification
Baseline normal
Secure design and architecture still crucial
Data protection program
Differences
No hardware (firmware attacks not your problem)
No patching
Limited configuration management
Shifting perimeter (zero trust)
Digital forensics
Quality Assurance, might reflect production!!
Double-edged sword (remember SSO?)
Unsure/Depends
• Assessment
• Does it represent more risk?
• Threats and vulnerabilities
• Corruption, deny access, exfiltration
Questions?
For more information, please visit www.intelsecurity.com/hybridcloudsecurity
Doug Cahill, [email protected]
Foundstone Cloud Assessment: [email protected], @Foundstone
FOLLOW ESG
http://www.twitter.com/esg-global
http://www.facebook.com/ESGglobal
https://www.linkedin.com/groups?gid=1295607&trk=myg_ugrp_ovr
http://www.youtube.com/user/ESGglobal