Comprehensive Cloud Security
Requires an Automated Approach
Andras Cser, VP and Principal Analyst
Forrester Research
Carso...
Cloud Security: Automation and
Centralization Matters

Andras Cser, VP and Principal Analyst

November 12, 2013
Agenda

› Why is Cloud Security Important
› Challenges with Cloud Security
› Forrester’s Recommendations

© 2013 Forrester...
Agenda

› Why is Cloud Security Important
› Challenges with Cloud Security
› Recommendations

© 2013 Forrester Research, I...
Cloud-based Services Employed Regularly
“Which of the following cloud-based services have you employed on a regular basis?...
“Which of the following initiatives are likely to be your IT organization's top project and
organizational priorities over...
Why Cloud Security is
like a two component
glue, a unique blend:
A: The Cloud is not
just a new delivery
platform
B: Cloud...
Cloud Pulls the CISO in Many Directions
1. Cloud
Offers
Irresistible
Benefits

2. LOB
procures
cloud
services

CISO and
Se...
Cloud Security Means a Lot of Things to a
Lot of People
› What interfaces our company has to have to work well
with our Cl...
Cloud Security Prepositions
Agenda

› Why is Cloud Security Important
› Challenges with Cloud Security
› Recommendations

© 2013 Forrester Research, I...
General Challenges with Cloud Security
›

Ease of Use for End Users (you can’t control end users)
• Cloud security should ...
Challenges with Cloud Security
› Data protection
› Workload separation and multi tenancy
› Information Rights Management
›...
Cloud Does NOT Shift the Responsibility
of Data Protection

› “When data is transferred to a
cloud, the responsibility for...
Agenda

› Why is Cloud Security Important
› Challenges with Cloud Security
› Protecting Data In the Cloud
› Recommendation...
When it comes to
responsibilities…

How do we
avoid this?
Who’s Responsible for IaaS Security?
AWS Shared Responsibility Model

“…the customer should assume responsibility
and mana...
Think Security From the Cloud
Typical questions and
requirements:
• How can you source security
services from MSSPs?
• How...
Do your homework…
›
›
›
›
›
›
›

Get as much detail around security from your SaaS
provider as you can
Set clear boundarie...
© 2013 Forrester Research, Inc. Reproduction Prohibited

20
Thank you
Andras Cser
+1 617.613.6365
acser@forrester.com
Security automation for
virtualized & cloud environments
Problem: Infrastructure Security Is Behind
›
›
›
›

Infrastructure more distributed and dynamic than ever
Current security...
The Old Model: everything behind firewall, low
rate of change, very few infrastructure stacks
The New Model: multiple stacks, broadly
distributed, legacy approaches fail
Security Buyer Challenges
› Achieving compliance in cloud environments
• PCI, HIPAA, ISO 27002, SOC2, SANS Top 20, NIST

›...
Why Do Existing Solutions Fail?

Network &
hardware
dependencies

Cannot operate
across cloud
models

Lack of meteredusage...
How we built high-scale
security & compliance
automation
Objective: Consolidate & Automate Controls
Halo Security Automation Platform
Automation Needs To Work Anywhere
Automation Must Extend Current Tools
Security Automation Outcomes
›

Massive reduction in security ops overhead
• Automated control deployment & orchestration
...
Key Takeaway:

Automating security enables saying
“yes” to cloud, improves security, and
makes complex compliance achievab...
Questions?
Comprehensive Cloud Security Requires an Automated Approach
Upcoming SlideShare
Loading in …5
×

Comprehensive Cloud Security Requires an Automated Approach

770 views
625 views

Published on

Andras Cser, VP Principal Analyst at Forrester Research and Carson Sweet, CEO at CloudPassage discussed a new enterprise security architecture that will:

-Apply elastic compute power, big data, and massively horizontal distribution of security controls and telemetry.

-Automate security and compliance monitoring in a scalable and portable manner across both traditional datacenter and cloud environments.

-Address both data at rest and in motion and create minimal resource impact across environments.

Published in: Technology
0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
770
On SlideShare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
38
Comments
0
Likes
1
Embeds 0
No embeds

No notes for slide

Comprehensive Cloud Security Requires an Automated Approach

  1. 1. Comprehensive Cloud Security Requires an Automated Approach Andras Cser, VP and Principal Analyst Forrester Research Carson Sweet, CEO and Co-founder CloudPassage November 12, 2013
  2. 2. Cloud Security: Automation and Centralization Matters Andras Cser, VP and Principal Analyst November 12, 2013
  3. 3. Agenda › Why is Cloud Security Important › Challenges with Cloud Security › Forrester’s Recommendations © 2013 Forrester Research, Inc. Reproduction Prohibited 3
  4. 4. Agenda › Why is Cloud Security Important › Challenges with Cloud Security › Recommendations © 2013 Forrester Research, Inc. Reproduction Prohibited 4
  5. 5. Cloud-based Services Employed Regularly “Which of the following cloud-based services have you employed on a regular basis?" Compute (e.g., Amazon EC2, Microsoft Azure VM Role) 50% Storage 49% Relational database (e.g. SQL Azure) 42% Development tools/IDE (e.g. Cloud9, Cloud Foundry) 37% Social (e.g., Salesforce Chatter) 33% Messaging 33% Content management 31% Message queuing 26% Integration (e.g., Dell Boomi, IBM Cast Iron) 23% Application-level caching 23% Content delivery network 21% Mobile back end 18% BPM 16% Nonrelational database Don't know Other 14% 3% 2% Base = 175 software developers from companies with 1,000 or more employees Source: Forrsights Developer Survey, Q1 2013 © 2013 Forrester Research, Inc. Reproduction Prohibited 5
  6. 6. “Which of the following initiatives are likely to be your IT organization's top project and organizational priorities over the next 12 months?” Increase our use of software-as-a-service (cloud applications) Critical or High priority 48% Low priority 35% Not on our agenda Don't know 15% 1% Base: 1,176 North American and European IT decision-makers at firms with 1,000 or more employees Source: Forrester Software Survey, Q4 2012 © 2013 Forrester Research, Inc. Reproduction Prohibited 6
  7. 7. Why Cloud Security is like a two component glue, a unique blend: A: The Cloud is not just a new delivery platform B: Cloud Security is NOT just continuing security and extending it to the cloud © 2013 Forrester Research, Inc. Reproduction Prohibited 7
  8. 8. Cloud Pulls the CISO in Many Directions 1. Cloud Offers Irresistible Benefits 2. LOB procures cloud services CISO and Security Organization Changes, aka Uneven Handshake 5. Security Struggles to Reduce Cloud Security Risks © 2013 Forrester Research, Inc. Reproduction Prohibited 4. Data Center Is Loosely Coupled 3. CISO Can’t Say No All the Time 8
  9. 9. Cloud Security Means a Lot of Things to a Lot of People › What interfaces our company has to have to work well with our Cloud Providers? (Security To the Cloud) › › › How can a Cloud Provider (like Amazon Web Services or SalesForce.com) prove to us that they are secure? (Security In the Cloud) How can our company make its internal (and in some cases, Cloud Provider) security better? (Security From the Cloud) What are the organizational implications of Cloud and Cloud Security to our IT security organization? © 2013 Forrester Research, Inc. Reproduction Prohibited 9
  10. 10. Cloud Security Prepositions
  11. 11. Agenda › Why is Cloud Security Important › Challenges with Cloud Security › Recommendations © 2013 Forrester Research, Inc. Reproduction Prohibited 11
  12. 12. General Challenges with Cloud Security › Ease of Use for End Users (you can’t control end users) • Cloud security should not require users to change behaviors or tools › Inconsistent Control (you don’t own everything) • The only thing you can count on is guest VM ownership › Elasticity (not all servers are steady-state) • Cloudbursting, stale servers, dynamic provisioning › Scalability (highly variable server counts) • May have one dev server or 1,000 production web servers › Portability (same controls work anywhere) • Nobody wants multiple tools or IaaS provider lock-in © 2013 Forrester Research, Inc. Reproduction Prohibited 12
  13. 13. Challenges with Cloud Security › Data protection › Workload separation and multi tenancy › Information Rights Management › SaaS providers don’t help much with security related concerns › › › › Network Security Identity and Access Management (IAM) and Privileged Identity Management (PIM) Business Continuity and Disaster Recovery (BCDR) Log Management (SIEM) © 2013 Forrester Research, Inc. Reproduction Prohibited 13
  14. 14. Cloud Does NOT Shift the Responsibility of Data Protection › “When data is transferred to a cloud, the responsibility for protecting and securing the data typically remains with the collector or custodian of that data.” Cloud Security Alliance, Guidance v3.0 © 2013 Forrester Research, Inc. Reproduction Prohibited 14
  15. 15. Agenda › Why is Cloud Security Important › Challenges with Cloud Security › Protecting Data In the Cloud › Recommendations © 2013 Forrester Research, Inc. Reproduction Prohibited 15
  16. 16. When it comes to responsibilities… How do we avoid this?
  17. 17. Who’s Responsible for IaaS Security? AWS Shared Responsibility Model “…the customer should assume responsibility and management of, but not limited to, the guest operating system and associated application software...” App Code App Framework Operating System Amazon Web Services: Overview of Security Processes Virtual Machine Hypervisor Compute & Storage Shared Network Physical Facilities Provider Responsibility “it is possible for customers to enhance security and/or meet more stringent compliance requirements with the addition of host based firewalls, host based intrusion detection/prevention, encryption and key management.” Customer Responsibility Data
  18. 18. Think Security From the Cloud Typical questions and requirements: • How can you source security services from MSSPs? • How can you protect security and data at our cloud providers? • In general: How do we integrate on existing onpremise security with the MSSPs security products?
  19. 19. Do your homework… › › › › › › › Get as much detail around security from your SaaS provider as you can Set clear boundaries for security responsibilities between you and your IaaS/PaaS provider Data protection, data protection, data protection Don’t build your own tools Apply comprehensive approach to cloud security Centralize and scale security policy management for your cloud Automate your security (you can’t manually configure thousands of servers) © 2013 Forrester Research, Inc. Reproduction Prohibited 19
  20. 20. © 2013 Forrester Research, Inc. Reproduction Prohibited 20
  21. 21. Thank you Andras Cser +1 617.613.6365 acser@forrester.com
  22. 22. Security automation for virtualized & cloud environments
  23. 23. Problem: Infrastructure Security Is Behind › › › › Infrastructure more distributed and dynamic than ever Current security models neither dynamic nor distributed Perimeters, appliances, hardware reliance, stable configurations, change control, endpoint security solutions… all marginalized to worthless in new models Without infrastructure security, all other security measures are weak (castle on sand, not bedrock) Security teams can’t assure security or compliance, being dragged behind business
  24. 24. The Old Model: everything behind firewall, low rate of change, very few infrastructure stacks
  25. 25. The New Model: multiple stacks, broadly distributed, legacy approaches fail
  26. 26. Security Buyer Challenges › Achieving compliance in cloud environments • PCI, HIPAA, ISO 27002, SOC2, SANS Top 20, NIST › Disparate systems & high rate of change • “Dynamic” is core to cloud, new mode of operation • Security orchestration & automation underserved needs › Existing products don’t work well (if at all) • Technically designed for a different time • Do not match up to dynamic cloud operational models
  27. 27. Why Do Existing Solutions Fail? Network & hardware dependencies Cannot operate across cloud models Lack of meteredusage licensing Cannot handle elasticity or wide distribution
  28. 28. How we built high-scale security & compliance automation
  29. 29. Objective: Consolidate & Automate Controls
  30. 30. Halo Security Automation Platform
  31. 31. Automation Needs To Work Anywhere
  32. 32. Automation Must Extend Current Tools
  33. 33. Security Automation Outcomes › Massive reduction in security ops overhead • Automated control deployment & orchestration • Consolidation of otherwise disparate functions • Single point of security & compliance management › Security and compliance consistency • Security & compliance that’s truly built-in • Eliminates opportunities for human error • Deploy once, certify many (complex compliance) › Enables safe use of cloud models • Security teams have confidence in controls • Cloud projects don’t require manual intervention
  34. 34. Key Takeaway: Automating security enables saying “yes” to cloud, improves security, and makes complex compliance achievable.
  35. 35. Questions?

×