executive breakfast preso 20140609
TRANSCRIPT
Slide 1
Security & Compliance for Enterprise Cloud Infrastructure
Carson Sweet, CEO, [email protected]
Slide 2
Agenda
• Evolving cloud use cases and trends
• System and data protection, then and now
• Pros and cons of common “next-generation” system and data protection approaches
• CloudPassage approach to cloud application infrastructure protection
• Discussion, Q&A
Slide 3
Top Cloud Infrastructure Use Cases
• Dev-Test: Move development and test environments to public IaaS providers
• Big Data: Leverage shared private cloud or public IaaS resources for big-data analytics
• ITaaS: Shared infrastructure, automated, self-service IT-as-a-Service (a.k.a. private cloud)
Slide 4
ITaaS / Private Cloud
Drivers / Benefits
• Increased hardware utilization
• Self-service provisioning
• Decreases IT workload
• Rapid scalability / elasticity
Security Considerations
• Limited-to-no change control
• Flat network architecture
• Not everyone knows security
• Cloud-capable security tools
• Raw tech & ops scaling issues
Slide 5
Dev/Test in Public Clouds
Drivers / Benefits
• Decreases IT workload
• Self-sufficient BU developers
• Opens datacenter capacity
• Less configuration effort
Security Considerations
• Public cloud exposures
• Visibility / oversight
• Production data in test/dev
• Intellectual property
Slide 6
Big Data Analytics
Drivers / Benefits
• Massive new capabilities
• Leverage collected data
• Previously unattainable intel
• Product enhancements, risk intelligence, BI, BPM, etc.
• Cloud analytics = scalable!
Security Considerations
• Private data, public cloud
• Analytics engine contains IP
• Geographic data hosting
• Integrity is paramount
Slide 7
Cloud Infrastructure Security Challenges
Slide 8
Cloud Benefits Create Security Headaches
Virtualized networks
New topologies
No hardware
Highly dynamic
Shared infrastructure
These cloud “pros” become security “cons”
Slide 9
What Infrastructure Looked Like
• Traditional datacenter infrastructure model
– Vertical application scalability
– Apps running on hardware “islands”
– Few environments to contend with
• Vertical application architectures
– Scalability via hardware choices & optimization
– Topology and hardware essentially arbitrary
– Physical proximity of application components
Slide 10
[Diagram only]
Slide 11
[Diagram: Application A, Application B, Application C, Application D, Application E]
Slide 12
[Diagram: Web Tier VMs (A, A, A, A) and Data Tier VMs (A, A) fronted by a Web App Appliance, Crypto Gateway, Network Firewall and Network IDS / IPS]
CRITICAL SUCCESS FACTORS:
• Physical Topology Access
• Hardware Acceleration
Slide 13
Where Infrastructure Is Going
• Infrastructure-as-a-Service (public or private)
– Virtualized sharing of commodity hardware
– ITaaS (opex, scalable, dynamic, self-service)
– Flat physical network, distributed topologies
• Horizontal application architectures
– Scale achieved through cloning workloads
– Physical topology, hardware abstracted
– Wide dispersion of application & data components is desirable
Slide 14
[Diagram only]
Slide 15
[Diagram: many instances of workloads labelled A, B, C, D and E spread across the infrastructure]
Slide 16
[Diagram: Web App Appliance, Crypto Gateway, Network Firewall, Network IDS / IPS]
Slide 17
You must reconcile critical security needs with new infrastructure delivery parameters
Security Hasn’t Changed
• Strong access control
• Vulnerability, exposure and threat management
• Protection of data in motion and at rest
• Security & compliance intelligence
• Operational oversight
Delivery Parameters Have
• Must work anywhere with diminished to no control
• Network security highly limited
• Access to hardware accelerated appliances limited
• Dramatically higher rate of code & infrastructure change
Slide 18
“Next-Generation” Infrastructure Security
Slide 19
Next Generation Approaches
• Virtual Appliances
– Existing appliance / gateway solutions
• In-Hypervisor Controls
– Controls deployed in virtualization control planes
• Workload-Based Security
– Deployment of controls within actual workloads (a.k.a. “microperimeters”)
Slide 20
Virtual Appliances
• Benefits
– Mirrors existing models, easy to understand
– Existing vendors may offer this model
• Pitfalls
– No hardware acceleration = scalability challenges
– Topological dependencies hinder workload distribution
– Limited functionality, for the same reasons
• Field Observations
– We’ve only seen network security / WAF appliances, none operating at significant scale
Slide 21
In-Hypervisor Controls
• Benefits
– Services available to all VMs on protected hypervisors
– Cannot be modified from within guest VMs
• Pitfalls
– Often hypervisor-specific, cannot be used in public IaaS
– Significant impact to VM density & performance
• Field Observations
– Useful in data centers / private clouds, not hybrid
– Performance and operational challenges abound
Slide 22
Workload-Based Security
• Benefits
– Workload is the intersection of scale, portability, control
– Moves security close to application & data constructs
• Pitfalls
– Resource and performance impacted unless done right
– Not operationally scalable without control automation
• Field Observations
– The model that CloudPassage chose as core design
– Being implemented at large scale in finserv, software
Slide 23
CloudPassage Approach to Workload-Based Security
Slide 24
Halo Architecture
[Diagram: customer cloud / datacenter hosting environments with www, mysql and mongo-db nodes 1, 2, (n), each running a HALO agent]
• “Dumb” agents with minimal system overhead (6 MB in memory, under 0.5% CPU)
• Highly scalable centralized security analytics absorbs 98%+ of required compute cycles
• Transparently scales to protect a few workloads to tens of thousands
Slide 25
60 Seconds in the Life of a Halo’ed Workload
[Diagram: “Naked” VM instance showing Operating System, Application Code, System Administration Services, Application Stack, App Storage Volume, System Storage Volume and the Halo Security Agent, with callouts 1 to 7]
1. Agent activates firewall on boot, applies latest policies, and orchestrates ongoing policy updates.
2. Halo secures privileged access via dynamic firewall rules using multi-factor user authentication.
3. Scans O.S. configurations for vulnerabilities and continuously monitors O.S. state and activity.
4. Application configurations are scanned for vulnerabilities and are continuously monitored.
5. Cryptographic integrity monitoring ensures app code and binaries are not compromised.
6. Platform monitors system binary and config files for correct ACLs, file integrity, and vulnerabilities.
7. Application data stores are monitored for access; outbound firewall rules prevent data extrusion.
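Callouts 5 and 6 describe the agent's file integrity and ACL checks. The following is an added illustration, not CloudPassage's code: a hypothetical agent-side check that records a baseline of SHA-256 digests and permission bits for watched files and reports drift (changed contents, changed or over-permissive mode, missing or unexpected files). The file names and contents in `demo()` are constructed for the example.

```python
import hashlib, os, stat, tempfile

def snapshot(paths):
    """Baseline or current state: {path: (sha256_hex, permission_bits)} for each existing path."""
    result = {}
    for path in paths:
        if not os.path.exists(path):
            continue
        digest = hashlib.sha256()
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                digest.update(chunk)
        result[path] = (digest.hexdigest(), stat.S_IMODE(os.stat(path).st_mode))
    return result

def find_drift(baseline, current, max_mode):
    """Compare two snapshots; max_mode is the most permissive mode tolerated (e.g. 0o755).
    Returns a sorted list of (path, finding) tuples, empty when nothing drifted."""
    findings = []
    for path, (b_hash, b_mode) in baseline.items():
        if path not in current:
            findings.append((path, "missing"))
            continue
        c_hash, c_mode = current[path]
        if c_hash != b_hash:
            findings.append((path, "content changed"))      # binary or config tampered with
        if c_mode != b_mode:
            findings.append((path, "mode changed"))         # ACL drifted from baseline
        if c_mode & ~max_mode:
            findings.append((path, "mode too permissive: %o" % c_mode))
    for path in set(current) - set(baseline):
        findings.append((path, "unexpected new file"))
    return sorted(findings)

def demo():
    """Constructed scenario: baseline a binary and a config file, then replace the
    binary's contents and make the config world-writable before re-checking."""
    d = tempfile.mkdtemp()
    binary, config = os.path.join(d, "app"), os.path.join(d, "app.conf")
    for p, data in ((binary, b"\x7fELF original"), (config, b"debug=0\n")):
        with open(p, "wb") as fh:
            fh.write(data)
    os.chmod(binary, 0o755)
    os.chmod(config, 0o644)
    baseline = snapshot([binary, config])
    with open(binary, "wb") as fh:
        fh.write(b"\x7fELF replaced")
    os.chmod(config, 0o666)
    return find_drift(baseline, snapshot([binary, config]), 0o755)
```

A real agent would persist the baseline outside the workload (here the central analytics tier) so a local attacker cannot rewrite it along with the files.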
Slide 26
[Diagram: Halo API, Halo Portal]
Slide 27
What’s Special about CloudPassage Halo?
• Portable, built-in security & compliance automation
– Control provisioning & management automation built into workloads
– Security & telemetry operates transparently across cloud environments
– Enables public, hybrid cloud compliance (PCI, FFIEC, SOC2, HIPAA, etc.)
• Technically, financially, operationally scalable
– Central analytics = low impact to systems, low friction with sysadmins
– Metered usage = pay for what’s used (hourly licensing, volume discounts)
– Automation = built-in controls with zero provisioning or configuration
• Consistency, efficiency through automation
– Security is built directly into the stack, synched every 60 seconds
– REST API and toolkit for extensive integration with existing investments
– One central point of visibility and control for systems across multiple clouds
Slide 28
Wrapping Up
• Infrastructure-centric security doesn’t work for cloud
– Your cloud migration will demand new approaches
– Next-generation alternatives have pros and cons
• Workload-based security offers distinct advantages
– Moves security closer to applications
– Enables greater scalability and portability
– Can operate in any infrastructure environment
• Talk to your team and start the process now
– Visit cloudpassage.com for white papers, etc.
Slide 29
www.cloudpassage.com