Your SlideShare is downloading. ×

Cloud Security: Make Your CISO Successful

374
views

Published on

Enterprises today cannot get by without a clear strategy for cloud security. Whether the organization’s adoption of cloud environments (private, public or hybrid) is mandated by business strategy or …

Enterprises today cannot get by without a clear strategy for cloud security. Whether the organization’s adoption of cloud environments (private, public or hybrid) is mandated by business strategy or by unsanctioned employee use, CISOs and their security teams need to be prepared for this inevitable infrastructure shift.

Attend and learn how to build a cloud security strategy that makes your CISO successful. Join Rich Mogull, lead analyst at Securosis, and Nick Piagentini, Solution Architect at CloudPassage as they discuss the following topics:

-Cloud is Different, But Not the Way You Think
-Adapting Security for Cloud Computing Principles
-Getting Started: Practical Applications
-CISO Cloud Security Checklist

Published in: Technology

0 Comments
3 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
374
On Slideshare
0
From Embeds
0
Number of Embeds
2
Actions
Shares
0
Downloads
8
Comments
0
Likes
3
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide
  • Azure, Rackspace, Amazon and physical data center
  • Transcript

    • 1. Presents What Security Pros Need to Know About Cloud Rich Mogull Securosis LLC rmogull@securosis.com http://securosis.com
    • 2. The Disruption of the Cloud
    • 3. Multitenancy Isn’t the Issue AAAA BBBB CCCC • We have always secured shared infrastructure. • We have always trusted our data to others. • Our existing processes and controls will still work. • It is the abstraction and automation of cloud that really impact security
    • 4. Abstraction Customer Compute Networks Storage • Visibility changes • Can’t rely on boxes and wires • Can’t rely on physical controls
    • 5. Automation VM VM Hypervisor VM VM Hypervisor VM VM Hypervisor VM VM Hypervisor Compute Pool Management and Orchestration Storage Pool Management and Orchestration Compute Controller Storage/Vo lume ControllerManagement Network (Using APIs) Outside World Cloud computing resources change in minutes and seconds. Scans, static settings, and caches can’t keep up.
    • 6. DevOps, SecOps, and Cloud • DevOps is an operational framework. • It is a natural outcome of cloud computing, not some weird over- hyped trend. • Traditional silos condense, then operate with higher agility (and, ideally, resiliency). • Security most resistant to change (for good reasons). Security relies on manual operational model.
    • 7. SecOps in Practice  1111 2222 3333 4444 Inject startup script Pull secure credentials Register with config mgmt server 5555 Pull configuration
    • 8. Adapting Security for the Cloud • Don’t rely on boxes and wires. • Be as elastic and agile as the cloud. • Rely more on policy-based automation. • Understand and adjust for cloud characteristics (e.g. security groups vs. firewalls). • Integrate with DevOps. http://the4faces.com/2011/09/29/stages-of-evolution/
    • 9. Control the Management Plane HardenHarden Web andWeb and API ServersAPI Servers HardenHarden Web andWeb and API ServersAPI Servers LeverageLeverage Cloud IAMCloud IAM LeverageLeverage Cloud IAMCloud IAM CompartmentCompartment with IAMwith IAM CompartmentCompartment with IAMwith IAM Audit, Log,Audit, Log, and Alertand Alert Audit, Log,Audit, Log, and Alertand Alert Use a ManagenentUse a Managenent Plane ProxyPlane Proxy Use a ManagenentUse a Managenent Plane ProxyPlane Proxy
    • 10. Automate Host Security • Embed agents in images and at launch. • Integrate with configuration management. • Dynamically configure agents. • Prefer lightweight and agile agents. • Host tools should support REST APIs
    • 11. Intelligently Encrypt Key Mgmt Server StorageInstance CryptoCrypto ClientClient HSM, SECaaS, VM, or Server Public/Private Cloud (IaaS)
    • 12. Federate Identity Directory Server FederationFederation ExtensionsExtensions XSAML
    • 13. Adapt Network Security • Design a good security group baseline. • Augment with host firewall that coordinates with cloud. • Push more security into the host. • Prefer virtual network security appliances that support cloud APIs. • Take advantage of cloud APIs. • Security policies must follow instances.
    • 14. Leverage the Cloud • Immutable servers • Stateless security • Security automation • Software Defined Security
    • 15. This is Real Today
    • 16. Embedding and Validating Security Agents Build InBuild InBuild InBuild In InjectInjectInjectInject Config PushConfig PushConfig PushConfig Push Tie to RunningTie to Running ServicesServices Tie to RunningTie to Running ServicesServices Tie to Cloud PlatformTie to Cloud PlatformTie to Cloud PlatformTie to Cloud Platform
    • 17. Compartmentalize with IAM Sec Dev Region Prod Action Object
    • 18. Hypersegregate with Security Groups
    • 19. Where to go From Here ?
    • 20. What your CISO needs to know Nicholai Piagentini Sr. Solutions Architect
    • 21. First an allegorical example • Large enterprise, traditional physical datacenter, traditional security. • Growth by acquisitions introduces a widely disparate set of new environments to secure. • Most acquisitions are in the cloud already and did not consider security as critical as the parent company. • Security had to find a solutions to fit all of it.
    • 22. Key points for this example • Cannot rely on boxes and wires – Multiple clouds, multiple physical datacenters. – Host based security the only option that scales • Elastic and Agile Security – New acquisitions on the horizon no real end in sight – Baking security into the stack makes this easy • Policy Based Automation – Server Groups can link like servers across deployments
    • 23. How Halo helped • Halo is a Security Automation Platform • Halo agent is deployed onto the individual virtual hosts • Policy is defined on our cloud based Security Analytics Engine • Does not rely on and specific hypervisor system • Policy follows the image wherever it goes