2018 11-06 breaking out of the perimeter without breaking security - final2

The traditional network is bursting at the seams. Good old perimeter security, enforced by traditional firewall protection, is being joined by distributed firewalls, public clouds and a shared-responsibility security model.
But as they adopt the new model, enterprises are challenged to stretch their tried-and-true security policies to their extended deployments. They lack visibility across the growing estate and need integrated security policy management solutions for hybrid-cloud environments. They can’t keep up with DevOps, and they are unable to analyze risk.

Published in: Technology

  1. 1. BREAKING OUT OF THE PERIMETER WITHOUT BREAKING SECURITY Yonatan Klein Director of Product Management Yonatan.Klein@algosec.com
  2. 2. POLL How many public cloud vendors does your organization leverage? 1. We are not yet in the cloud 2. 1 vendor 3. 2 vendors 4. 3 or more vendors While we wait for our audience to join please vote using the “Votes” tab in your BrightTALK panel 2
  3. 3. WELCOME Have a question? Submit it via the chat This webinar is being recorded! Slides and recording will be sent to you after the webinar 3 marketing@algosec.com
  4. 4. AGENDA 01 Security of a Virtual Network 02 Public Cloud Challenges 03 Managing Security Fundamentals Across the Hybrid Cloud • Visibility • Change monitoring • Micro-segmentation • Risk analysis • Governance and compliance • Global management 04 Match Security Tools to Your Needs 4
  5. 5. WHO MOVED MY CHEESE NETWORK? 5
  6. 6. Traditional FW Hypervisor-based FW THE DISTRIBUTED FIREWALL Hypervisor External Network DMZ Network Internal Network Front and Load Balancer View Security Servers View Connection Servers Master and Replica Active Directory vCenter ESX Farm Rules from IP X to IP Y FW per VM: rules “to me” / “from me” VM VM VM 6
  7. 7. Traditional FW Distributed FW THE DISTRIBUTED FIREWALL External Network DMZ Network Internal Network Front and Load Balancer View Security Servers View Connection Servers Master and Replica Active Directory vCenter ESX Farm Rules from IP X to IP Y 7
  8. 8. KEY NETWORK SECURITY ELEMENTS IN AWS vSec Dynamic Objects and tags: Simplifies policy definition BUT complicates policy visualization • Great inside the data center but what happens outside? • Can we keep up? 8
  9. 9. THE CHALLENGES
  10. 10. POLL What is your organization’s biggest challenge engaging with public cloud today? 1. Ensuring security of applications and data 2. Maintaining regulatory compliance 3. Lack of visibility across the entire estate 4. Lack of experience among the security team Please vote using the “Votes” tab in your BrightTALK panel 10
  11. 11. Cybersecurity Insiders 2018 Cloud Security Report EVERYONE’S CONCERNED ABOUT CLOUD SECURITY 11 Public Cloud Challenges What are the biggest challenges for organizations engaged with public cloud today? (Somewhat/Extremely large) * Source: Forbes 31% 37% 40% 47% 57% 58% 60% 66% Unplanned Outages Lack of visibility Cost Vendor lock-in Privacy Staff lacks Cloud experience Governance & Compliance Security
  12. 12. Private Cloud Public Cloud Shared responsibility security model Your good old perimeter security (FW, IPS, SWG) PERIMETER SECURITY 12
  13. 13. THE SHARED RESPONSIBILITY MODEL Sources: Amazon Web Services Customer Data Platform, Applications, Identity & Access Management Operating System, Network & Firewall Configuration Network Traffic Protection (Encryption / Integrity / Identity) Client-Side Data Encryption & Data Integrity Authentication Server-Side Encryption Compute Networking Database Storage Edge Locations Availability Zones Regions AWS Global Infrastructure Customer Responsible for security ‘in’ the cloud AWS Responsible for security ‘of’ the cloud 13
  14. 14. AND WITH SAAS AND PAAS … Source: Microsoft blog “What Does Shared Responsibility in the Cloud Mean?” 14
  15. 15. MANAGING SECURITY IN THE CLOUD IS COMPLEX MULTIPLE LAYERS OF SECURITY CONTROLS Security Products by ISVs • NG Firewalls (Check Point, Palo-Alto...) • WAF (Imperva, F5...) 15 Cloud Infra Security Controls • Security Groups • Network ACLs • Storage • Permission Security Products by Cloud Providers
  16. 16. Private Clouds Multi Public Clouds On-Prem MANAGING SECURITY IN THE CLOUD IS COMPLEX MULTIPLE CLOUDS 16
  17. 17. THE ALGOSEC APPROACH: NETWORK SECURITY FUNDAMENTALS STAY THE SAME
  18. 18. Poll Which network security controls do you use? 1. Native Cloud Security Control (security groups, network security groups, network access lists) 2. Native Cloud Security & Security Product by Cloud Provider (e.g., Azure Firewall, AWS WAF) 3. Native Cloud Security & Next Generation Firewalls 4. Only Next Generation Firewalls (e.g., Palo Alto Networks VM-Series) 5. None Please vote using the “Votes” tab in your BrightTALK panel 18
  19. 19. ONE MAP FOR ON-PREM, CLOUD AND PHYSICAL Native Cloud Security Models Virtual appliance in the cloud Traditional FW Virtual appliance in the SDN arena Private cloud SDN – distributed FW 19
  20. 20. SECURITY FUNDAMENTALS STAY THE SAME Visibility Change Monitoring Risk analysis Compliance Governance (Micro) Segmentation 20
  21. 21. VISIBILITY All rules applied to an instance or subnet: • Security Groups/Network Security Groups, NACLs 21
  22. 22. SECURITY FUNDAMENTALS STAY THE SAME Visibility Change Monitoring Risk analysis Compliance Governance (Micro) Segmentation 22
  23. 23. CHANGE MONITORING Change reporting takes all rules (NACL + security groups/network security groups) into account 23
  24. 24. SECURITY FUNDAMENTALS STAY THE SAME Visibility Change Monitoring Risk analysis Compliance Governance (Micro) Segmentation 24
  25. 25. APPLICATION CONNECTIVITY DEFINITION • Manage, provision and monitor application connectivity • Keeping an application-centric view across the different networks and security domains • Review vulnerabilities and risks • Enable DevOps automation through extensive APIs Traffic not filtered 25
  26. 26. EXAMPLE: Detecting Misconfigurations Traffic does not go through the firewall 26
  27. 27. SECURITY FUNDAMENTALS STAY THE SAME Visibility Change Monitoring Risk analysis Compliance Governance (Micro) Segmentation 27
  28. 28. RISK ANALYSIS Risk reporting takes all rules (NACL + security groups) into account 28
  29. 29. SECURITY FUNDAMENTALS STAY THE SAME Visibility Change Monitoring Risk analysis Compliance Governance (Micro) Segmentation 29
  30. 30. UNIFIED COMPLIANCE REPORTS 30
  31. 31. SECURITY FUNDAMENTALS STAY THE SAME Visibility Change Monitoring Risk analysis Compliance Governance (Micro) Segmentation 31
  32. 32. CHANGE MANAGEMENT AND AUTOMATION • Automatic design and push of changes • End-to-end: multi-vendor, multi-platform • Optimized changes, eliminate human error • Zero-Touch • Full documentation and audit trail • What-if security check • DevOps friendly • Consistency across multiple clouds and hybrid environments 32
  33. 33. UNIFIED CHANGE MANAGEMENT W/ORDERED WORKFLOW 33
  34. 34. EXAMINE YOUR SECURITY NEEDS
  35. 35. Private Clouds Multi Public Clouds On-Prem WHAT TECHNOLOGIES ARE BEING USED? 35
  36. 36. MATCH TOOLS TO YOUR TECHNOLOGY NEEDS • “I am migrating to the cloud” Need a discovery tool for on-prem resources and connectivity Need an automation tool to provision my migrated applications’ connectivity • “I have a hybrid cloud” Need to gain visibility into the hybrid cloud estate End-to-end network security connectivity and risk analysis • “I have a multi-cloud estate” Need a single pane of glass for cloud management 36
  37. 37. Who Manages Cloud Security? 37 Multiple Stake Holders Cloud Teams IT / Network Security CISO Security Operations Application Developers / DevOps
  38. 38. WHICH TEAM IS RESPONSIBLE FOR MANAGING SECURITY IN THE PUBLIC CLOUD IT Operations 28.50% Network Operations 10.90% Security Operations 19.50% Information Security 17.50% Data Center Management 3.60% Application Owners 2.40% Managed Service Providers 2.70% Cloud Security 7.10% Not Sure / Other 7.80% 38
  39. 39. MATCH TOOLS TO YOUR ORGANIZATION AND PROCESSES • “DevOps manage security groups, but SecOps are responsible for security” SecOps need change monitoring; risk analysis, risk management tools DevOps need a tool to provide a what-if risk check • “All security changes are going through SecOps” Need a good change management tool • “We have similar security groups we wish to deploy in different locations” Need a good central management tool • “My cloud environment is quite dynamic and hard to manage” Need easy to use navigation and visibility into cloud estate 39
  40. 40. SUMMARY • Cloud security is complex: • Multiple security controls • Limited visibility • Multiple stake-holders • Easy to achieve agility, harder to keep it secure • You can apply your security guidelines in the cloud if you choose the right tools 40
  41. 41. Q & A You are also welcome to request a demo and email questions marketing@algosec.com
  42. 42. MORE RESOURCES https://www.algosec.com/resources • INFOGRAPHIC • SURVEY • DATASHEET WEBINAR SLIDES
  43. 43. UPCOMING WEBINARS https://www.algosec.com/webinars Having it All: Achieving Agility and Security with Automation When: Nov 19th By: Yoni Geva, Product Manager Joint Webinar with CSA: Taking Control of Your Complex Security Policy Across Hybrid and Multi-Cloud Environments When: Dec 5th By: Yitzy Tannenbaum, Product Marketing Manager Network Security Policy Management: Tips & Tricks When: Dec 17th By: Dania Peretz, Product Manager -- Sign up now -- 43
  44. 44. 44 JOIN OUR COMMUNITY Follow us for the latest on security policy management trends, tips & tricks, best practices, thought leadership, fun stuff, prizes and much more! Subscribe to our YouTube channel for a wide range of educational videos presented by Professor Wool youtube.com/user/AlgoSec linkedin.com/company/AlgoSec facebook.com/AlgoSec twitter.com/AlgoSec www.AlgoSec.com/blog
  45. 45. Thank You Yonatan Klein Director of Product Management Yonatan.Klein@algosec.com
