• Share
  • Email
  • Embed
  • Like
  • Private Content
Executive breakfast preso   20140609

Executive breakfast preso 20140609






Total Views
Views on SlideShare
Embed Views



0 Embeds 0

No embeds



Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
Post Comment
Edit your comment
  • <br /> ----- Meeting Notes (1/13/14 14:01) ----- <br /> They are doing hosting in the cloud, some test-dev and some production; this is very early, may not make sense for them.

Executive breakfast preso   20140609 Executive breakfast preso 20140609 Presentation Transcript

  • Security & Compliance for Enterprise Cloud Infrastructure Carson Sweet CEO, CloudPassage carson@cloudpassage.com
  • Agenda • Evolving cloud use cases and trends • System and data protection, then and now • Pros and cons of common “next-generation” system and data protection approaches • CloudPassage approach to cloud application infrastructure protection • Discussion, Q&A 2
  • Top Cloud Infrastructure Use Cases 3 Dev- Test Big Data ITaaS Shared infrastructure, automated, self- service IT-as-a-Service (a.k.a. private cloud) Move development and test environments to public IaaS providers Leverage shared private cloud or public IaaS resources for big-data analytics
  • ITaaS / Private Cloud Drivers / Benefits • Increased hardware utilization • Self-service provisioning • Decreases IT workload • Rapid scalability / elasticity Security Considerations • Limited-to-no change control • Flat network architecture • Not everyone knows security • Cloud-capable security tools • Raw tech & ops scaling issues
  • Dev/Test in Public Clouds Drivers / Benefits • Decreases IT workload • Self-sufficient BU developers • Opens datacenter capacity • Less configuration effort Security Considerations • Public cloud exposures • Visibility / oversight • Production data in test/dev • Intellectual property
  • Big Data Analytics Drivers / Benefits • Massive new capabilities • Leverage collected data • Previously unattainable intel • Product enhancements, risk intelligence, BI, BPM, etc. • Cloud analytics = scalable! Security Considerations • Private data, public cloud • Analytics engine contains IP • Geographic data hosting • Integrity is paramount
  • Cloud Infrastructure Security Challenges 7
  • Cloud Benefits Create Security Headaches 8 Virtualized networks New topologies No hardware Highly dynamic Shared infrastructure These cloud “pros” become security “cons”
  • What Infrastructure Looked Like • Traditional datacenter infrastructure model –Vertical application scalability –Apps running on hardware “islands” –Few environments to contend with • Vertical application architectures –Scalability via hardware choices & optimization –Topology and hardware essentially arbitrary –Physical proximity of application components 9
  • 11 Application A Application B Application C Application D Application E
  • 12 Web Tier VMs A A A A Data Tier VMs A A Web App Appliance Crypto Gateway Network Firewall CRITICAL SUCCESS FACTORS: • Physical Topology Access • Hardware Acceleration Network IDS / IPS
  • Where Infrastructure Is Going 13 • Infrastructure-as-a-Service (public or private) – Virtualized sharing of commodity hardware – ITaaS (opex, scalable, dynamic, self-service) – Flat physical network, distributed topologies • Horizontal application architectures – Scale achieved through cloning workloads – Physical topology, hardware abstracted – Wide dispersion of application & data components is desirable
  • A A A A A A A A A A A A A A A A A A A A B B B B C C C C C C C D D D D D D D D D D D E E E E E E E E E E E E E E E E E E E E E E E E
  • Web App Applianc e Crypto Gateway Network Firewall Network IDS / IPS
  • You must reconcile critical security needs with new infrastructure delivery parameters • Strong access control • Vulnerability, exposure and threat management • Protection of data in motion and at rest • Security & compliance intelligence • Operational oversight Security Hasn’t Changed • Must work anywhere with diminished to no control • Network security highly limited • Access to hardware accelerated appliances limited • Dramatically higher rate of code & infrastructure change Delivery Parameters Have
  • “Next-Generation” Infrastructure Security 18
  • Next Generation Approaches • Virtual Appliances – Existing appliance / gateway solutions • In-Hypervisor Controls – Controls deployed in virtualization control planes • Workload-Based Security – Deployment of controls within actual workloads (a.k.a. “microperimeters”)
  • Virtual Appliances • Benefits – Mirrors existing models, easy to understand – Existing vendors may offer this model • Pitfalls – No hardware acceleration = scalability challenges – Topological dependencies hinder workload distribution – Limited functionality, for the same reasons • Field Observations – We’ve only seen network security / WAF appliances, none operating at significant scale
  • In-Hypervisor Controls • Benefits – Services available to all VMs on protected hypervisors – Cannot be modified from within guest VMs • Pitfalls – Often hypervisor-specific, cannot be used in public IaaS – Significant impact to VM density & performance • Field Observations – Useful in data centers / private clouds, not hybrid – Performance and operational challenges abound
  • Workload-Based Security • Benefits – Workload is the intersection of scale, portability, control – Moves security close to application & data constructs • Pitfalls – Resource and performance impacted unless done right – Not operationally scalable without control automation • Field Observations – The model that CloudPassage chose as core design – Being implemented at large scale in finserv, software
  • CloudPassage Approach to Workload-Based Security 23
  • CUSTOMER CLOUD / DATACENTER HOSTING ENVIRONMENTS www node1,2,(n) mysql node1,2,(n) mongo-db node1,2,(n) HALO HALO HALO • “Dumb” agents with minimal system overhead (6 MB in memory, under 0.5% CPU) • Highly scalable centralized security analytics absorbs 98%+ of required compute cycles • Transparently scales to protect a few workloads to tens of thousands Halo Architecture
  • “Naked” VM Instance Operating System Application Code System Administration Services Application Stack App Storage Volume System Storage Volume Halo Security Agent 1 2 4 5 67 Agent activates firewall on boot, applies latest policies, and orchestrates ongoing policy updates. 1 Halo secures privileged access via dynamic firewall rules using multi-factor user authentication. 2 Scans O.S. configurations for vulnerabilities and continuously monitors O.S. state and activity. 3 Application configurations are scanned for vulnerabilities and are continuously monitored. 4 Cryptographic integrity monitoring ensures app code and binaries are not compromised. 5 Platform monitors system binary and config files for correct ACLs, file integrity, and vulnerabilities. 6 3 Application data stores are monitored for access; outbound firewall rules prevent data extrusion. 7 60 Seconds in the Life of a Halo’ed Workload
  • Halo API Halo Portal
  • What’s Special about CloudPassage Halo? • Portable, built-in security & compliance automation – Control provisioning & management automation built into workloads – Security & telemetry operates transparently across cloud environments – Enables public, hybrid cloud compliance (PCI, FFIEC, SOC2, HIPAA, etc) • Technically, financially, operationally scalable – Central analytics = low impact to systems, low friction with sysadmins – Metered usage = pay for what’s used (hourly licensing, volume discounts) – Automation = built-in controls with zero provisioning or configuration • Consistency, efficiency through automation – Security is built directly into the stack, synched every 60 seconds – REST API and toolkit for extensive integration with existing investments – One central point of visibility and control for systems across multiple clouds
  • Wrapping Up • Infrastructure-centric security doesn’t work for cloud – Your cloud migration will demand new approaches – Next-generation alternatives have pros and cons • Workload-based security offers distinct advantages – Moves security closer to applications – Enables greater scalability and portability – Can operate in any infrastructure environment • Talk to your team and start the process now – Visit cloudpassage.com for white papers, etc.
  • www.cloudpassage.com