Security & Compliance for Enterprise Cloud Infrastructure Carson Sweet CEO, CloudPassage [email protected]

Executive breakfast preso 20140609



Agenda

• Evolving cloud use cases and trends
• System and data protection, then and now
• Pros and cons of common “next-generation” system and data protection approaches
• CloudPassage approach to cloud application infrastructure protection
• Discussion, Q&A


Top Cloud Infrastructure Use Cases

• Dev-Test: Move development and test environments to public IaaS providers
• Big Data: Leverage shared private cloud or public IaaS resources for big-data analytics
• ITaaS: Shared infrastructure, automated, self-service IT-as-a-Service (a.k.a. private cloud)


ITaaS / Private Cloud

Drivers / Benefits

• Increased hardware utilization

• Self-service provisioning

• Decreases IT workload

• Rapid scalability / elasticity

Security Considerations

• Limited-to-no change control

• Flat network architecture

• Not everyone knows security

• Cloud-capable security tools

• Raw tech & ops scaling issues


Dev/Test in Public Clouds

Drivers / Benefits

• Decreases IT workload

• Self-sufficient BU developers

• Opens datacenter capacity

• Less configuration effort

Security Considerations

• Public cloud exposures

• Visibility / oversight

• Production data in test/dev

• Intellectual property


Big Data Analytics

Drivers / Benefits

• Massive new capabilities

• Leverage collected data

• Previously unattainable intel

• Product enhancements, risk intelligence, BI, BPM, etc.

• Cloud analytics = scalable!

Security Considerations

• Private data, public cloud

• Analytics engine contains IP

• Geographic data hosting

• Integrity is paramount


Cloud Infrastructure Security Challenges



Cloud Benefits Create Security Headaches

Virtualized networks

New topologies

No hardware

Highly dynamic

Shared infrastructure

These cloud “pros” become security “cons”


What Infrastructure Looked Like

• Traditional datacenter infrastructure model
  – Vertical application scalability
  – Apps running on hardware “islands”
  – Few environments to contend with

• Vertical application architectures
  – Scalability via hardware choices & optimization
  – Topology and hardware essentially arbitrary
  – Physical proximity of application components

[Diagram: Application A, Application B, Application C, Application D, Application E, each on its own infrastructure “island”]

[Diagram: Web Tier VMs and Data Tier VMs fronted by a Web App Appliance, Crypto Gateway, Network Firewall, and Network IDS / IPS]

CRITICAL SUCCESS FACTORS:
• Physical Topology Access
• Hardware Acceleration


Where Infrastructure Is Going

• Infrastructure-as-a-Service (public or private)
  – Virtualized sharing of commodity hardware
  – ITaaS (opex, scalable, dynamic, self-service)
  – Flat physical network, distributed topologies

• Horizontal application architectures
  – Scale achieved through cloning workloads
  – Physical topology, hardware abstracted
  – Wide dispersion of application & data components is desirable

[Diagram: cloned instances of application components A, B, C, D and E dispersed across shared infrastructure]

[Diagram: Web App Appliance, Crypto Gateway, Network Firewall, Network IDS / IPS placed against the dispersed-workload topology]


You must reconcile critical security needs with new infrastructure delivery parameters

Security Hasn’t Changed

• Strong access control
• Vulnerability, exposure and threat management
• Protection of data in motion and at rest
• Security & compliance intelligence
• Operational oversight

Delivery Parameters Have

• Must work anywhere with diminished to no control
• Network security highly limited
• Access to hardware accelerated appliances limited
• Dramatically higher rate of code & infrastructure change


“Next-Generation” Infrastructure Security



Next Generation Approaches

• Virtual Appliances
  – Existing appliance / gateway solutions

• In-Hypervisor Controls
  – Controls deployed in virtualization control planes

• Workload-Based Security
  – Deployment of controls within actual workloads (a.k.a. “microperimeters”)


Virtual Appliances

• Benefits
  – Mirrors existing models, easy to understand
  – Existing vendors may offer this model

• Pitfalls
  – No hardware acceleration = scalability challenges
  – Topological dependencies hinder workload distribution
  – Limited functionality, for the same reasons

• Field Observations
  – We’ve only seen network security / WAF appliances, none operating at significant scale


In-Hypervisor Controls

• Benefits
  – Services available to all VMs on protected hypervisors
  – Cannot be modified from within guest VMs

• Pitfalls
  – Often hypervisor-specific, cannot be used in public IaaS
  – Significant impact to VM density & performance

• Field Observations
  – Useful in data centers / private clouds, not hybrid
  – Performance and operational challenges abound


Workload-Based Security

• Benefits
  – Workload is the intersection of scale, portability, control
  – Moves security close to application & data constructs

• Pitfalls
  – Resource and performance impacted unless done right
  – Not operationally scalable without control automation

• Field Observations
  – The model that CloudPassage chose as core design
  – Being implemented at large scale in finserv, software


CloudPassage Approach to Workload-Based Security



Halo Architecture

[Diagram: customer cloud / datacenter hosting environments with www, mysql and mongo-db nodes 1, 2, … (n), each running a Halo agent]

• “Dumb” agents with minimal system overhead (6 MB in memory, under 0.5% CPU)
• Highly scalable centralized security analytics absorbs 98%+ of required compute cycles
• Transparently scales to protect a few workloads to tens of thousands


60 Seconds in the Life of a Halo’ed Workload

[Diagram: a “naked” VM instance (operating system, application code, system administration services, application stack, app storage volume, system storage volume) with the Halo Security Agent installed; callouts 1–7 below]

1. Agent activates firewall on boot, applies latest policies, and orchestrates ongoing policy updates.
2. Halo secures privileged access via dynamic firewall rules using multi-factor user authentication.
3. Scans O.S. configurations for vulnerabilities and continuously monitors O.S. state and activity.
4. Application configurations are scanned for vulnerabilities and are continuously monitored.
5. Cryptographic integrity monitoring ensures app code and binaries are not compromised.
6. Platform monitors system binary and config files for correct ACLs, file integrity, and vulnerabilities.
7. Application data stores are monitored for access; outbound firewall rules prevent data extrusion.
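Callouts 5 and 6 describe a baseline-and-compare check: hash code and binaries, record their permissions, then flag content drift, ACL drift, and new files on every cycle. The Python below is an added illustration of that technique, not CloudPassage's agent code; Halo's real policy format and file lists are not on this slide, so the file names, expected modes and the tampering scenario in `demo()` are all constructed for the example.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path

# Constructed ACL policy for the example: expected permission bits per file.
# (Hypothetical; Halo's actual policy format is not described on the slide.)
EXPECTED_MODE = {"sshd_config": 0o600, "app.bin": 0o755, "app.conf": 0o640}


def file_record(path: Path) -> dict:
    """Attributes a baseline stores for one file: SHA-256, mode bits, owner."""
    st = path.lstat()
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(), "mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid}


def take_baseline(root: Path) -> dict:
    """Snapshot every regular file directly under root, keyed by name."""
    return {p.name: file_record(p) for p in sorted(root.iterdir()) if p.is_file()}


def check(root: Path, baseline: dict, expected_mode: dict) -> list:
    """One monitoring cycle: compare current state to the baseline and to the
    ACL policy. Returns (file, finding) pairs; an empty list means clean."""
    findings = []
    current = take_baseline(root)
    for name, base in baseline.items():
        cur = current.get(name)
        if cur is None:
            findings.append((name, "missing"))
            continue
        if cur["sha256"] != base["sha256"]:
            findings.append((name, "content changed"))          # integrity (callout 5)
        if cur["mode"] != base["mode"]:
            findings.append((name, f"mode changed {base['mode']:o} -> {cur['mode']:o}"))
        want = expected_mode.get(name)
        if want is not None and cur["mode"] != want:
            findings.append((name, f"mode {cur['mode']:o} violates policy {want:o}"))  # ACL (callout 6)
    for name in sorted(current.keys() - baseline.keys()):
        findings.append((name, "unexpected new file"))
    return findings


def demo() -> list:
    """Constructed scenario: clean baseline, then a tampered binary, a loosened
    config permission, and a dropped file. Returns the findings of the recheck."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "app.bin").write_bytes(b"\x7fELF-constructed")
        (root / "app.conf").write_text("debug=false\n")
        for name, mode in EXPECTED_MODE.items():
            os.chmod(root / name, mode)
        baseline = take_baseline(root)
        assert check(root, baseline, EXPECTED_MODE) == []  # clean right after baselining

        (root / "app.bin").write_bytes(b"\x7fELF-tampered")   # content drift
        os.chmod(root / "sshd_config", 0o644)                  # ACL drift
        (root / "dropped.sh").write_text("#!/bin/sh\n")        # new, unbaselined file
        return check(root, baseline, EXPECTED_MODE)


if __name__ == "__main__":
    for path, finding in demo():
        print(f"{path}: {finding}")
```

In a real agent the baseline would be stored off-host (the slide's centralized analytics), so an attacker with root on the workload cannot rewrite both the file and its recorded hash; a baseline kept on the same volume only protects against accidental drift.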

[Diagram: Halo API and Halo Portal]


What’s Special about CloudPassage Halo?

• Portable, built-in security & compliance automation
  – Control provisioning & management automation built into workloads
  – Security & telemetry operates transparently across cloud environments
  – Enables public, hybrid cloud compliance (PCI, FFIEC, SOC2, HIPAA, etc.)

• Technically, financially, operationally scalable
  – Central analytics = low impact to systems, low friction with sysadmins
  – Metered usage = pay for what’s used (hourly licensing, volume discounts)
  – Automation = built-in controls with zero provisioning or configuration

• Consistency, efficiency through automation
  – Security is built directly into the stack, synched every 60 seconds
  – REST API and toolkit for extensive integration with existing investments
  – One central point of visibility and control for systems across multiple clouds


Wrapping Up

• Infrastructure-centric security doesn’t work for cloud
  – Your cloud migration will demand new approaches
  – Next-generation alternatives have pros and cons

• Workload-based security offers distinct advantages
  – Moves security closer to applications
  – Enables greater scalability and portability
  – Can operate in any infrastructure environment

• Talk to your team and start the process now
  – Visit cloudpassage.com for white papers, etc.


www.cloudpassage.com