Executive breakfast preso 20140609


Published on

Published in: Technology
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

  • ----- Meeting Notes (1/13/14 14:01) -----
    They are doing hosting in the cloud, some test-dev and some production; this is very early, may not make sense for them.
  • Executive breakfast preso 20140609

    1. 1. Security & Compliance for Enterprise Cloud Infrastructure Carson Sweet CEO, CloudPassage carson@cloudpassage.com
    2. 2. Agenda • Evolving cloud use cases and trends • System and data protection, then and now • Pros and cons of common “next-generation” system and data protection approaches • CloudPassage approach to cloud application infrastructure protection • Discussion, Q&A 2
    3. 3. Top Cloud Infrastructure Use Cases 3 Dev- Test Big Data ITaaS Shared infrastructure, automated, self- service IT-as-a-Service (a.k.a. private cloud) Move development and test environments to public IaaS providers Leverage shared private cloud or public IaaS resources for big-data analytics
    4. 4. ITaaS / Private Cloud Drivers / Benefits • Increased hardware utilization • Self-service provisioning • Decreases IT workload • Rapid scalability / elasticity Security Considerations • Limited-to-no change control • Flat network architecture • Not everyone knows security • Cloud-capable security tools • Raw tech & ops scaling issues
    5. 5. Dev/Test in Public Clouds Drivers / Benefits • Decreases IT workload • Self-sufficient BU developers • Opens datacenter capacity • Less configuration effort Security Considerations • Public cloud exposures • Visibility / oversight • Production data in test/dev • Intellectual property
    6. 6. Big Data Analytics Drivers / Benefits • Massive new capabilities • Leverage collected data • Previously unattainable intel • Product enhancements, risk intelligence, BI, BPM, etc. • Cloud analytics = scalable! Security Considerations • Private data, public cloud • Analytics engine contains IP • Geographic data hosting • Integrity is paramount
    7. 7. Cloud Infrastructure Security Challenges 7
    8. 8. Cloud Benefits Create Security Headaches 8 Virtualized networks New topologies No hardware Highly dynamic Shared infrastructure These cloud “pros” become security “cons”
    9. 9. What Infrastructure Looked Like • Traditional datacenter infrastructure model –Vertical application scalability –Apps running on hardware “islands” –Few environments to contend with • Vertical application architectures –Scalability via hardware choices & optimization –Topology and hardware essentially arbitrary –Physical proximity of application components 9
    10. 10. 11 Application A Application B Application C Application D Application E
    11. 11. 12 Web Tier VMs A A A A Data Tier VMs A A Web App Appliance Crypto Gateway Network Firewall CRITICAL SUCCESS FACTORS: • Physical Topology Access • Hardware Acceleration Network IDS / IPS
    12. 12. Where Infrastructure Is Going 13 • Infrastructure-as-a-Service (public or private) – Virtualized sharing of commodity hardware – ITaaS (opex, scalable, dynamic, self-service) – Flat physical network, distributed topologies • Horizontal application architectures – Scale achieved through cloning workloads – Physical topology, hardware abstracted – Wide dispersion of application & data components is desirable
    13. 13. A A A A A A A A A A A A A A A A A A A A B B B B C C C C C C C D D D D D D D D D D D E E E E E E E E E E E E E E E E E E E E E E E E
    14. 14. Web App Applianc e Crypto Gateway Network Firewall Network IDS / IPS
    15. 15. You must reconcile critical security needs with new infrastructure delivery parameters • Strong access control • Vulnerability, exposure and threat management • Protection of data in motion and at rest • Security & compliance intelligence • Operational oversight Security Hasn’t Changed • Must work anywhere with diminished to no control • Network security highly limited • Access to hardware accelerated appliances limited • Dramatically higher rate of code & infrastructure change Delivery Parameters Have
    16. 16. “Next-Generation” Infrastructure Security 18
    17. 17. Next Generation Approaches • Virtual Appliances – Existing appliance / gateway solutions • In-Hypervisor Controls – Controls deployed in virtualization control planes • Workload-Based Security – Deployment of controls within actual workloads (a.k.a. “microperimeters”)
    18. 18. Virtual Appliances • Benefits – Mirrors existing models, easy to understand – Existing vendors may offer this model • Pitfalls – No hardware acceleration = scalability challenges – Topological dependencies hinder workload distribution – Limited functionality, for the same reasons • Field Observations – We’ve only seen network security / WAF appliances, none operating at significant scale
    19. 19. In-Hypervisor Controls • Benefits – Services available to all VMs on protected hypervisors – Cannot be modified from within guest VMs • Pitfalls – Often hypervisor-specific, cannot be used in public IaaS – Significant impact to VM density & performance • Field Observations – Useful in data centers / private clouds, not hybrid – Performance and operational challenges abound
    20. 20. Workload-Based Security • Benefits – Workload is the intersection of scale, portability, control – Moves security close to application & data constructs • Pitfalls – Resource and performance impacted unless done right – Not operationally scalable without control automation • Field Observations – The model that CloudPassage chose as core design – Being implemented at large scale in finserv, software
    21. 21. CloudPassage Approach to Workload-Based Security 23
    22. 22. CUSTOMER CLOUD / DATACENTER HOSTING ENVIRONMENTS www node1,2,(n) mysql node1,2,(n) mongo-db node1,2,(n) HALO HALO HALO • “Dumb” agents with minimal system overhead (6 MB in memory, under 0.5% CPU) • Highly scalable centralized security analytics absorbs 98%+ of required compute cycles • Transparently scales to protect a few workloads to tens of thousands Halo Architecture
    23. 23. “Naked” VM Instance Operating System Application Code System Administration Services Application Stack App Storage Volume System Storage Volume Halo Security Agent 1 2 4 5 67 Agent activates firewall on boot, applies latest policies, and orchestrates ongoing policy updates. 1 Halo secures privileged access via dynamic firewall rules using multi-factor user authentication. 2 Scans O.S. configurations for vulnerabilities and continuously monitors O.S. state and activity. 3 Application configurations are scanned for vulnerabilities and are continuously monitored. 4 Cryptographic integrity monitoring ensures app code and binaries are not compromised. 5 Platform monitors system binary and config files for correct ACLs, file integrity, and vulnerabilities. 6 3 Application data stores are monitored for access; outbound firewall rules prevent data extrusion. 7 60 Seconds in the Life of a Halo’ed Workload
    24. 24. Halo API Halo Portal
    25. 25. What’s Special about CloudPassage Halo? • Portable, built-in security & compliance automation – Control provisioning & management automation built into workloads – Security & telemetry operates transparently across cloud environments – Enables public, hybrid cloud compliance (PCI, FFIEC, SOC2, HIPAA, etc) • Technically, financially, operationally scalable – Central analytics = low impact to systems, low friction with sysadmins – Metered usage = pay for what’s used (hourly licensing, volume discounts) – Automation = built-in controls with zero provisioning or configuration • Consistency, efficiency through automation – Security is built directly into the stack, synched every 60 seconds – REST API and toolkit for extensive integration with existing investments – One central point of visibility and control for systems across multiple clouds
    26. 26. Wrapping Up • Infrastructure-centric security doesn’t work for cloud – Your cloud migration will demand new approaches – Next-generation alternatives have pros and cons • Workload-based security offers distinct advantages – Moves security closer to applications – Enables greater scalability and portability – Can operate in any infrastructure environment • Talk to your team and start the process now – Visit cloudpassage.com for white papers, etc.
    27. 27. www.cloudpassage.com