@NTXISSA #NTXISSACSC3
Critical Criteria For (Cloud) Workload Security
Steve Armendariz
Enterprise Sales Director
CloudPassage
October 3, 2015
Does anyone remember when server security was EASY?
NTX ISSA Cyber Security Conference – October 2-3, 2015 2
Times have changed…!
Classic Data Center Architecture
Act 1 - Tenets of Traditional Server Security
• Servers in a trusted network
• Segmentation for added protection
• Anti-malware (virus) for all servers, added security capability for critical servers
• Security had time to plan, test & deploy for each new application
• Provisioned with plentiful overhead
Servers viewed as investments
Act 2 - Server Virtualization – A New Dawn
• Economic benefit to adoption
• Combatting data center sprawl
• Physical servers more powerful
• Pressure applied on Security to be:
  • Faster
  • More efficient
  • More accurate
• Traditional tools proved adequate
Virtualization Impacts Traditional Security
• Servers in a trusted network
• Segmentation for added protection (shared hardware = segmentation challenges)
• Anti-malware (virus) for all servers, added security products for critical servers (difficult given VM density, overhead impact and licensing)
• Security had time to test & deploy for each new application (policies and images became more powerful)
• Provision with plentiful overhead (at odds with VM density)
Act 3 - Server Workloads - The Next Wave
• Utility Computing
• Cloud servers or Cloud server workloads in the data center, public cloud, private cloud or any combination
• These server workloads are:
  • On-demand, Elastic and Agile
  • Cloned, Orchestrated and Automated
  • Often short-lived
  • Can be containers (i.e. Docker)
  • Possibly never patched
  • Part of an overall movement of deploying and updating faster (DevOps)
Data Center Architecture Changes
[Diagram: Data Center, Internet, Public Cloud; on-server security layered by instance criticality]
Non-critical server instances, on-server security:
- Anti-Malware
Semi-critical server instances, on-server security:
- Anti-Malware
- Vulnerability Scan
Critical server instances, on-server security:
- Anti-Malware
- Vulnerability Scan
- Config. Monitor
- HIPS/HIDS
- FIM
Some semi-critical server instances in the public cloud, on-server security:
- Anti-Malware
- Vulnerability Scan
Server Workloads Break Security
• Servers in a trusted network (Cloud viewed as non-trusted)
• Segmentation for added protection (shared hardware = segmentation challenges)
• Anti-malware (virus) for all servers, added security products for critical servers (difficult given VM density, overhead impact and licensing)
• Security had time to test & deploy for each new application (Security must move faster often with little lead time)
• Provision with plentiful overhead (at odds with VM density)
Servers viewed as application building blocks
Cloud VPC = Bringing The Trusted Network Back?
• Public Cloud servers only accessible from inside the data center's trusted network
• Positioned by many cloud providers to resolve Tenet #1: "Servers in a trusted network…"
• Issues
  • Can be cost prohibitive
  • May impact performance
  • Does not mitigate security issues
Are Data Center Networks Really Secure?
Workload Security – The New Tenets
• Embrace the “Workload as an Application Building Block” philosophy
• Take advantage of automation and orchestration
• Small footprints matter
• Minimize staff overhead
• Total visibility
• Limit server communication
• Integrate versus manage stand-alone
The Basics Still Apply
• Use server (host) firewalls
• Reduce attack surface
• Manage East-West traffic
• Require multi-factor authentication for server logins
• Monitor configurations for drift
• Discover & address vulnerabilities
• Monitor system file integrity
• Monitor security logs
Radical Thought!!!! Dump anti-malware (if you can)
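Two of the basics on this slide, "Monitor configurations for drift" and "Monitor system file integrity", come down to the same mechanism: snapshot the known-good state when the workload is instantiated from the gold image, then compare against it continuously. The script below is an added example and is not part of the original deck or of CloudPassage's product; it builds a baseline of content hashes and permission bits for a constructed, temporary /etc-style tree and reports what drifted. The file names (sshd_config, passwd, cron.d/nightly) and their contents are illustrative assumptions.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Snapshot every regular file under root: content hash plus permission bits.

    Taken once at instantiation (from the gold image), this is the known-good
    state that later checks compare against.
    """
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue
        mode = path.stat().st_mode & 0o7777
        baseline[path.relative_to(root).as_posix()] = {
            "sha256": hash_file(path),
            "mode": oct(mode),
        }
    return baseline


def detect_drift(root: Path, baseline: dict) -> dict:
    """Re-snapshot root and report files added, removed or changed since baseline.

    Each 'modified' entry lists the attributes that differ, so a permission
    change on an unchanged file is reported separately from a content change.
    """
    current = build_baseline(root)
    report = {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": [],
    }
    for rel in sorted(set(current) & set(baseline)):
        before, after = baseline[rel], current[rel]
        changed = [attr for attr in before if before[attr] != after[attr]]
        if changed:
            report["modified"].append((rel, changed))
    return report


def demo() -> dict:
    """Constructed scenario: baseline a small fake /etc tree, then introduce drift."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "ssh").mkdir()
        sshd = root / "ssh" / "sshd_config"
        sshd.write_text("PermitRootLogin no\nPasswordAuthentication no\n")
        passwd = root / "passwd"
        passwd.write_text("root:x:0:0:root:/root:/bin/bash\n")
        os.chmod(passwd, 0o644)
        baseline = build_baseline(root)

        # Three kinds of drift a gold-image server should never show on its own:
        # a hardening setting relaxed, a sensitive file made world-writable,
        # and a file appearing that the image did not contain.
        sshd.write_text("PermitRootLogin yes\nPasswordAuthentication no\n")
        os.chmod(passwd, 0o666)
        (root / "cron.d").mkdir()
        (root / "cron.d" / "nightly").write_text("0 2 * * * root /usr/local/bin/backup\n")
        return detect_drift(root, baseline)


if __name__ == "__main__":
    for kind, entries in demo().items():
        print(kind, entries)
```

In a real deployment the baseline would be computed on the gold image and shipped with it, and detect_drift would run on a schedule or on a file-change event against the paths that matter (configuration, binaries, cron and init directories), feeding its report into the security log stream the next bullet asks you to monitor.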
Approaches to Workload Security
• Do it manually with multiple security tools
  • Too time consuming
  • Many consoles, difficult integration
• Use orchestration tools with multiple security tools
  • Many consoles, difficult integration
  • Set of security tools can consume more resources than what they're protecting
• Use CloudPassage® Halo®
CloudPassage Halo: Instant Layered Security for Every Server Workload
• One tool providing 8 layers of visibility & enforcement
• Using less compute resources than a single-layer point product
• Highly automated; set and forget security
• Add to gold images, protects servers at instantiation
CloudPassage Halo
• A Security Orchestration Framework
  • Integrated and layered security
  • Automated into your workflow
• Visibility
  • See vulnerabilities, configuration errors, file integrity, access – no matter where the workload is
  • Apply controls – even quarantine workloads
• Compliance
  • Drive automation to audits
  • Continuous vs. point-in-time
CloudPassage Halo Architecture
Questions
The Collin College Engineering Department
Collin College Student Chapter of the North Texas ISSA
North Texas ISSA (Information Systems Security Association)
Thank you