Simplicity in Hybrid IT Environments: A Security Oxymoron?
Scott Crawford – Research Director, Information Security
Momentum favors the cloud
“How would you generally categorize your organization’s information security view of hosted cloud computing solutions (Hosted Private Cloud, IaaS, or PaaS) in terms of your organization’s tolerance for information security risk?”
Source: 451 Research Quarterly Advisory Report: Budgets and Outlook – Information Security 2016
But legacy/on-premises investments aren’t going anywhere soon
“Approximately how is your organization’s total information security spending on vendor-based security tools currently distributed across the following locations?”
Source: 451 Research Quarterly Advisory Report: Budgets and Outlook – Information Security 2016
Why maintain the investment?
• Realizing its full value
• Dependencies
• Maturity
  • Of the technology
  • Of operations & expertise
• The cloud is different…
  • Regulatory requirements
  • Ownership & control
So what’s the problem?
• One set of techniques for legacy/on-premises
• One (or more) set(s) of techniques for the cloud
Hint: What are common objectives?
• Consistency of control, across both legacy and “new IT”
• Assurance of enterprise responsibilities
• Demonstrations of adherence to enterprise requirements
“Rate the importance of each of the following in addressing organizational concerns around security and compliance with hosted cloud solutions:”

Security/Compliance Concern | Score
Encryption | 4.33
Identity Management/Authorization/Access Control Tools | 4.26
Assumption of Liability for Security Breaches or Outages | 4.23
Explicit Contractual Responsibilities for Security Between the Cloud Provider and Customer | 4.17
Explicit SLAs | 4.12
Data Leakage Prevention (DLP) | 4.00
Providing Regular Results of Security Audits from Known Security Testing Companies | 3.99
Proven Compliance with Industry Standards | 3.92
Auditability | 3.91

Source: 451 Research Quarterly Advisory Report: Budgets and Outlook – Information Security 2016
Finding common ground
• Consistent application of policy
  • Essential for assuring enterprise compliance obligations, no matter where
• Consistent execution of tasks
  • Completeness of coverage across hybrid environments
• Consistent data gathering
  • For determining priorities for the entire investment
But one size does not fit all
From recent interviews with enterprise practitioners:

“Most things that we've encountered require a different approach for the cloud-based solutions, than they do for the on-premises solutions. And they almost always run into, ‘Oh, yes. But I can't support that’ …

“[For example], ‘we have the best […] security management tool in the industry,’ ‘Do you support SAP HANA?,’ ‘What's SAP HANA?’…

“Or, ‘We support Amazon Web Services for cloud-based packet inspection.’ ‘Does the same system work with my on-premises solution, and put it in the same console?’ ‘Oh no, you have to have two separate accounts.’ Those are the kinds of conversations that I have all the time…”

– Mid-level management, $1-5bn retailer

Source: 451 Research Information Security Narratives: Budgets and Outlook 2016
Implementations can be very different
Example: Asset inventory

Legacy/on-premises infrastructure
• Accuracy/depth/breadth of asset discovery
• Across a variety of physical assets (hosts, networks, applications)
• Balance of speed and accuracy
• Policy constraints
• Tools often purpose-built

Cloud techniques
• API-based: ASK the cloud for whatever you want to know
  • ec2-describe-images --filter "tag-value=prod"
  • DescribeInstances
  • DescribeVpnGateways
  • DescribeFlowLogs
• Tools must be able to interact with APIs, automation at scale

How well do your preferred tools adapt?
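The API-based inventory above lends itself to a cross-check that purpose-built legacy tooling rarely offers: the same calls that enumerate assets also tell you whether a control covers them. As an added example, not part of the slides or of any vendor's product, the Python below takes a DescribeInstances response filtered the way the slide's "tag-value=prod" does, compares it with a DescribeFlowLogs response, and reports which production VPCs have no active flow log; the payloads are constructed sample data in the EC2 API shape and the function names are the example's own.

```python
"""Added example (not from the slides): cross-check DescribeInstances against
DescribeFlowLogs to list production VPCs lacking an active flow log. Constructed data."""
from typing import Dict, List, Set

# Constructed sample of a DescribeInstances response, trimmed to the fields used.
SAMPLE_INSTANCES = {
    "Reservations": [{"Instances": [
        {"InstanceId": "i-0a1", "VpcId": "vpc-aaa",
         "Tags": [{"Key": "env", "Value": "prod"}]},
        {"InstanceId": "i-0a2", "VpcId": "vpc-bbb",
         "Tags": [{"Key": "env", "Value": "prod"}]},
        {"InstanceId": "i-0a3", "VpcId": "vpc-ccc",
         "Tags": [{"Key": "env", "Value": "dev"}]},
        {"InstanceId": "i-0a4"},  # VpcId and Tags are optional keys in the response
    ]}]
}

# Constructed sample of a DescribeFlowLogs response.
SAMPLE_FLOW_LOGS = {
    "FlowLogs": [
        {"FlowLogId": "fl-1", "ResourceId": "vpc-aaa", "FlowLogStatus": "ACTIVE"},
        {"FlowLogId": "fl-2", "ResourceId": "vpc-bbb", "FlowLogStatus": "INACTIVE"},
    ]
}

def instances_by_vpc(describe_instances: Dict, tag_value: str) -> Dict[str, List[str]]:
    """Programmatic twin of the slide's --filter "tag-value=prod": keep instances
    carrying that tag value under any key, grouped by VPC."""
    result: Dict[str, List[str]] = {}
    for reservation in describe_instances.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            tags = {t["Key"]: t["Value"] for t in inst.get("Tags", [])}
            if tag_value in tags.values():
                result.setdefault(inst.get("VpcId", "no-vpc"), []).append(inst["InstanceId"])
    return result

def active_flow_log_vpcs(describe_flow_logs: Dict) -> Set[str]:
    """VPCs with at least one ACTIVE VPC-level flow log. Subnet- and ENI-level logs
    are ignored here, and an INACTIVE log provides no coverage."""
    return {fl["ResourceId"] for fl in describe_flow_logs.get("FlowLogs", [])
            if fl.get("FlowLogStatus") == "ACTIVE" and fl["ResourceId"].startswith("vpc-")}

def uncovered_prod_vpcs(describe_instances: Dict, describe_flow_logs: Dict,
                        tag_value: str = "prod") -> Dict[str, List[str]]:
    """Coverage gap report: VPCs hosting tagged instances but without an active flow log."""
    covered = active_flow_log_vpcs(describe_flow_logs)
    return {vpc: ids for vpc, ids in instances_by_vpc(describe_instances, tag_value).items()
            if vpc not in covered}
```

Against the constructed data the report names vpc-bbb (its only flow log is INACTIVE) and ignores vpc-ccc, which hosts no prod instance; feeding it real boto3 `describe_instances()` and `describe_flow_logs()` responses per region is the remaining wiring.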
The long view: Infrastructure’s disappearing act
• 2000s: On-prem virtualization
• Rise of IaaS, PaaS, growth in SaaS
• Containers, microservices
• “Serverless”
“Data centers on wheels”
• Up to 100 ECUs in some vehicles [1]
• …or with arms
• …or wings
• …or legs

[1] https://techcrunch.com/2016/08/25/the-biggest-threat-facing-connected-autonomous-vehicles-is-cybersecurity/
Not just “smart” endpoints
• Sophisticated compute near the edge
• Data volume, thin pipes, latency
• Real-time action & response
• Functionality offload for constrained endpoints
To learn more, download the TRIPWIRE FOUNDATIONAL CONTROLS FOR THE HYBRID CLOUD executive brief.