“ for a moment, i had a feeling of total security. then someone said cloud! “

“ For A Moment, I Had A Feeling Of Total Security. Then Someone Said Cloud! “

2 | © 2015 CloudPassage Confidential

IT Security –The Missing Piece in IT ReplatformingSteve OpferEnterprise Sales [email protected]


IT Replatforming – Next Gen, Gen 3, …


What’s Driving IT Replatforming?• New Features = New Revenue

• The Business wants new features faster than ever

IT has Responded◦ Virtualization◦ Self Service

Development has Responded◦ DevOps◦ Rapid Releases◦ Cloud Test & QA

Security has [Not] Responded◦ Current tools built for Gen 2 data center◦ In many cases, asking for things to Slow down◦ In other cases, pushed aside in acceptance of Risk

Provisioning – Weeks to Minutes

Release Cycle – Quarters to Days

Change Breaks Security


LegacyTraditional

Data Center

Bare Metal

Basic Virtualization

Basic Virtualization


Modern

UCS Director


Legacy Modern

Seeks control to avoid risk

Waterfall approach

Low rate of change

Data centers / colo

Approval-driven

Stringent change control

Network-centric security

IT focused (less customer-centric)

More centralized IT operations

Embraces risk to gain agility

Fast-iteration approach

High rate of change

SDDC / cloud

Learning-driven

Little or no change control

System & app-centric security

Business focused (closer to customer)

More distributed IT operations

Legacy Modern

Security Must: Embrace Both Legacy and Modern IT


ModernLegacy

Experiments

Innovation

GreenfieldApplications

Any NewApplication

Low-Risk Migrations

High-RiskMigrations

Core BusinessApplications

“BUSINESS AS USUAL”

Last LegacyProject

IT Replatforming


ModernLegacy

New Security Tool Research

Experiments with Public Security

Securing DevOps

Full IT SecurityReplatforming

Securing Low-Risk Apps

Trusting Security to Protect your

High-Risk Apps Wherever they Reside

Network Security “BUSINESS AS USUAL”

Server Security for Critical Apps

IT Security Replatforming


J DF M A M J J A S O N

Analysis and design Coding & implementation Quality testing Staging and release

R1

Legacy Application Development (traditional waterfall)


Quality testing

Staging and release


Analysis and design

Coding and implementation

R1 R12R11R10R2 R3 R4 R5 R6 R7 R8 R9

Modern Application Development (agile / iterative)


Quality testing

Staging and release


Analysis and design


R1 R12R11R10R2 R3 R4 R5 R6 R7 R8 R9

Modern Application Development (agile / iterative)

App 1

App 2

App 3

App 4

App n


Core security policies already implemented, regardless of environment

Security unit-testing cases required, or code is rejected (yes, really)

Code & infrastructure policies ensured using DevOps-style automation

Staging smoke tests include automated pen-testing, vulnerability assessment, policy validation, security baselines (against gold master)


R1 R12R11R10R2 R3 R4 R5 R6 R7 R8 R9

Weaving Security & Compliance into Modern AppDev / Devops

All of this feeds into SIEM and GRC tools

Quality testing

Staging and release

Analysis and design



• Everything “behind the firewall”• Complete visibility & control• Fewer changes at slower pace• IT largely calls the shots• Natural physical segmentation• More controlled, paced cadence

Legacy Modern• Assets are everywhere• Inconsistent visibility & control• More & faster changes (by OOM)• Business units run their own IT• Physical constructs are gone (portability)• As-fast-as-automation-allows

You Need Security That Embraces Both Modern and Legacy IT


8 Keys To Securing The Transformation of IT

1. Built directly into core environments

2. Security that operates anywhere

3. Context-aware operation

4. Orchestration of many functions

5. Deep automation of each function

6. Instant and long-term scalability

7. Alignment with DevOps models

8. API-based integration capabilities

This is the most profound IT transformation you’re likely to see in your career… make it count!


www.cloudpassage.com

Questions or more importantly Thoughts/Comments?

“ for a moment, i had a feeling of total security. then someone said cloud! “

Documents