According to Gartner, the IaaS market grew at a blistering 42.8% in 2017—twice as fast as SaaS. And with last year’s high-profile data exposures, the focus on bolstering IaaS security practices has increased. We’ve worked with AWS and hundreds of IaaS security professionals to develop a list of security practices specifically designed to protect AWS environments and the applications and data within them. In this session, you’ll discover:
• common yet preventable scenarios that can result in the loss of corporate data
• security best practices for user and admin behavior monitoring, secure auditable configuration, and Amazon S3 data loss and threat prevention
• blueprints for how a solution-based approach (including bridging to your on-premises best practices) can provide IaaS visibility and control
• step-by-step guidance on how to gain visibility across all workloads, protect against advanced threats, and discover insights into lateral threat movements
• recommendations for creating a successful DevOps workflow that integrates security
3. Securing Workloads in Amazon Web Services (AWS):
A cloud native security architecture
Srini Gurrapu
Chief Cloud Evangelist
McAfee-Skyhigh
Carrie Laskowski
AVP Security
US Bank
4. 4
Agenda
• State of Public Cloud Overview
• Security Challenges
• Cloud Native Security Considerations
• McAfee Overview
• Summary and recommendations
5. 5
IT Cloud Disruption in Context: Infrastructure Security -> Information Security
(Diagram: three eras of IT, mainframe, PC and internet cloud, each with an on-premises footprint; access moves from terminals to PCs to corporate, partner and BYOD devices.)
6. 6
Customer Drivers for Cloud Adoption
(Diagram: the enterprise data center/private cloud, devices and network alongside sanctioned and shadow public cloud, including IaaS/PaaS; the drivers shown are personal productivity, business agility and business transformation.)
Cloud data usage bypasses existing network security controls.¹
7. 7
IaaS Fastest Growing Segment of Cloud
Source: Gartner Forecasts Worldwide Public Cloud Revenue press release April 12, 2018
IaaS 35.9% CAGR
SaaS 22.2% CAGR
8. 8
Question 1: US Bank Current Public Cloud Strategy
1. Moving everything to Public Cloud
2. Hybrid environment (x% - AWS, y% - Hybrid, z% - Private)
3. Private only; just testing out public cloud environments
9. 9
US Bank’s 3-Year Cloud Strategy
US Bank can reduce operating expense and cash outlay and enable growth by adopting and implementing an enterprise Cloud and DevOps solution with integrated information security.
We will be embarking on a Cloud and DevOps transformation over the next several years.
Timeline: 2016 onwards | 2017 | 2018
Cloud 1.0 (Foundational Release): establishing enterprise, self-service cloud services on a pay-per-use basis with enhanced application stability and security
Cloud 2.0 (Operational efficiency): increasing operational efficiency through public cloud and DevOps capabilities, reducing application downtime and increasing developer productivity
Cloud 3.0 (Continuous Development): refining hybrid cloud capabilities to enable a cloud-optimized application portfolio, leveraging microservices and CI/CD capabilities
10. 10
Question 2: Driving Public Cloud Security Requirements [US Bank]
1. Cloud Architect
2. CASB / Data Protection teams
3. DC Infrastructure teams
4. Other
11. 11
Question 3: Do we understand the Shared Responsibility Model?
(Diagram: for each of SaaS, PaaS and IaaS, the following layers are split between service provider responsibility and customer responsibility: data classification & accountability, client & end-point protection, identity & access management, application level controls, network control, host infrastructure, physical security.)
Customer’s responsibility in securing workloads in the Cloud is much greater than securing SaaS applications.
12. “Through 2020, 99% of cloud security failures will be the customer’s fault”
Gartner Magic Quadrant for CASB - 2017
14. 14
IaaS Cloud Native Security Considerations
(Diagram: a DevOps pipeline in which users commit to GitHub, a Jenkins build verifies and pushes, and a trigger pulls a CloudFormation deploy that provisions an AWS environment spanning three Availability Zones with an interconnect, compute, and platform services such as RDS, ElastiCache and ELB.)
Security questions raised at each point:
• How do I protect my compute infrastructure from malware?
• How do I protect against vulnerabilities in code?
• How do I ensure security groups aren’t too permissive?
• How do I ensure that my DevOps user is not compromised?
• How do I ensure compliance of stored data?
• How do I ensure that my data stores are not open to the world?
• How do I protect against threats that move laterally in my VPC?
• How do I protect the custom application?
• How do I ensure compliance of data stored on localhost?
16. 16
IaaS Security Layers Simplified
(Diagram: three layers stacked on the AWS Cloud IaaS.)
1. Infrastructure: detect and correct security misconfigurations
2. Workloads and Containers: detect and secure workloads and containers
3. Apps: protect the data in the apps
17. 17
IaaS—Securing Infrastructure and Apps
(Repeats the three-layer diagram of slide 16: 1 infrastructure, detect and correct security misconfigurations; 2 workloads and containers, detect and secure; 3 apps, protect the data in the apps.)
18. 18
Securing Infrastructure and Apps: Use Cases
1. Security Configuration Monitoring of IaaS Resources: identify IaaS resources with security settings that are non-compliant to CIS Level 1, 2 policies.
2. Managing Rogue IaaS Accounts: discover shadow IT usage and reclaim control of risky IaaS usage.
3. Visibility of Confidential Data: gain visibility of regulated/high-value data stored in Amazon S3 Buckets.
4. Advanced Threat Protection: detect compromised accounts, insider/privileged user threats, malware.
5. Activity Monitoring and Forensics: capture and categorize an audit trail of activity for forensic investigations.
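Slide 14 asks how to tell that security groups aren’t too permissive and that data stores aren’t open to the world, and the first use case above is monitoring IaaS resources against CIS policies. The checker below is an added example (not McAfee/Skyhigh or US Bank code) run over constructed data shaped like the AWS describe-security-groups and get-bucket-acl responses; its rule set is an assumption modelled on the CIS AWS Foundations Benchmark SSH/RDP ingress controls (4.1/4.2 in v1.2) and on public ACL grantees.

```python
"""Added example (not McAfee/Skyhigh or US Bank code): flag security groups open to the
internet and world-readable S3 buckets, modelled on CIS AWS Foundations 4.1/4.2 (v1.2)."""
import ipaddress

# Constructed sample shaped like describe-security-groups output (not a real account).
SECURITY_GROUPS = [
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-admin", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
    {"GroupId": "sg-any", "IpPermissions": [
        {"IpProtocol": "-1", "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]
# Constructed sample shaped like get-bucket-acl "Grants", keyed by bucket name.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
BUCKETS = {
    "logs-private": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"}],
    "marketing-public": [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}],
}
ADMIN_PORTS = {22, 3389}  # SSH and RDP must never be reachable from the whole internet
PUBLIC_GRANTEES = {ALL_USERS, "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}


def world_open(perm):
    """True if any IPv4/IPv6 CIDR on the rule has prefix length 0 (0.0.0.0/0 or ::/0)."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return any(ipaddress.ip_network(c, strict=False).prefixlen == 0 for c in cidrs)


def permissive_groups(groups):
    """Map GroupId -> reasons for groups exposing all traffic or an admin port to the internet."""
    findings = {}
    for g in groups:
        for perm in g["IpPermissions"]:
            if not world_open(perm):
                continue
            if perm["IpProtocol"] == "-1":  # "-1" means every protocol and port
                findings.setdefault(g["GroupId"], []).append("all traffic from anywhere")
            else:
                hit = sorted(p for p in ADMIN_PORTS if perm["FromPort"] <= p <= perm["ToPort"])
                if hit:
                    findings.setdefault(g["GroupId"], []).append(f"ports {hit} open to anywhere")
    return findings


def public_buckets(buckets):
    """Names of buckets whose ACL grants anything to AllUsers or AuthenticatedUsers."""
    return sorted(n for n, grants in buckets.items()
                  if any(g["Grantee"].get("URI") in PUBLIC_GRANTEES for g in grants))
```

Feeding the real API responses in place of the constructed samples turns this into the configuration-monitoring check the use case describes; a bucket policy with a wildcard principal is a second path to public exposure that this ACL-only check does not cover.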
19. 19
IaaS—Securing Infrastructure and Apps
(Repeats the three-layer diagram of slide 16: 1 infrastructure, detect and correct security misconfigurations; 2 workloads and containers, detect and secure; 3 apps, protect the data in the apps.)
20. 20
Securing Workloads and Containers—Use cases
1. Discover Workloads, Containers … All Computing Resources … Instantly: quickly discover, assess and remediate threats.
2. Visualize Your entire IT environment on-prem to cloud: gain visibility into North-South and East-West threat movement.
3. Protect IT from Device-to-Cloud with Comprehensive Security Solutions: strong defense against advanced attacks.
4. Simplify Deployment and Management Across Hybrid Infrastructures: centralized, automated policy management of public, private and hybrid environments.
23. 23
Mvision Cloud (formerly Skyhigh Networks): Cloud Security Foundation
(Timeline slide; milestones as shown:)
• Founded in 2012, backed by: (investor logos)
• Shadow IT: the CASB market is born
• API control: sanctioned apps
• Custom apps; expansion to IaaS
• Skyhigh granted 14th seminal CASB patent
• Only CASB to be named “Leader” in all 3 major analyst reports
• Acquisition announced
• Expand IaaS; CASB Connect