Application centric – how the cloud has changed the way we deploy, secure and connect

Cohesive Networks CTO Chris Swan spoke at the 2015 Internet and Mobile World. His talk, "Application centric – how the cloud has changed the way we deploy, secure and connect", was presented on Day 2, 10:15 - 11:00.

The cloud has brought a new model for how we deploy applications. In the enterprise everything was put on the same network, ‘the intranet’. People claimed that things were safe there because they were ‘behind the firewall’. It was easy to build a spaghetti of interconnections because everything could talk to everything. Cloud has changed all of that. At first it was just lonely virtual machines fending for themselves on the Internet, but now we have virtual private clouds (VPCs) and a multitude of ways to connect to them. Pretty much nobody has built a cloud intranet. The cloud is used to host applications, and each application gets its own security and connectivity. We’re moving to an application centric world.
  1. Chris Swan, CTO, @cpswan. Application centric: How the cloud has changed the way we deploy, secure and connect (© 2015)
  2. Google moves its corporate apps to the Internet. "Google Inc., taking a new approach to enterprise security, is moving its corporate applications to the Internet. In doing so, the Internet giant is flipping common corporate security practice on its head, shifting away from the idea of a trusted internal corporate network secured by perimeter devices such as firewalls, in favor of a model where corporate data can be accessed from anywhere with the right device and user credentials. The new model — called the BeyondCorp initiative — assumes that the internal network is as dangerous as the Internet." (Wall Street Journal, "Google Moves Its Corporate Applications to the Internet", May 11, 2015)
  3. Setting the scene
  4. Traditional apps. Business applications are collections of (virtual) servers: a Web tier, an AppServer tier and a Database tier (each box in the diagram is a type of server). Is the "right" traffic going to/from our servers?
  5. Modern architectures don't change things that much. Microservices based applications are collections of services: front end services, business services and persistence services (each box is a type of service). Is the "right" traffic going to/from our services?
  6. Enterprise data center. Enterprise data centers are filled with these applications, often left insecure by lack of focus on interior network paths. 80% of security spend goes on the perimeter, which sees 20% of the network traffic; 20% of security spend goes on the "interior", which carries 80% of the traffic.
  7. Hard on the outside, soft on the inside. (Diagram: a hacker penetrates the perimeter security.)
  8. One penetration creates major "East-West" exposure. On average undetected for 234 days!
  9. Cloud architectures have been different
  10. 2006 – The lonely (and exposed) VM. (Diagram: a single VM on its own.)
  11. 2008 – Overlays. (Diagram: several VMs joined by an overlay network.)
  12. 2009 – VPCs. (Diagram: several VMs inside a virtual private cloud.)
  13. Containment often not enough – overlays stayed. (Diagram: VMs inside a VPC, still joined by an overlay.)
  14. Lots of people did something like this. (Diagram: VMs.)
  15. Some even did something like this. (Diagram: VMs.)
  16. And the really large (or paranoid) might do this. (Diagram: VMs.)
  17. Or even this. (Diagram: VMs.)
  18. Thankfully almost nobody tries to do this
  19. What was that perimeter made of? A quick detour to the worlds of Unified Threat Management (UTM) and Application Delivery Controllers (ADC)
  20. Unified Threat Management. A UTM bundles: Firewall, NIDS/NIPS, AV, Anti Spam, VPN, DLP, Load Balancer
  21. Application Delivery Controllers. An ADC bundles: Cache, TLS offload, Compression, WAF, Multiplexing, Load Balancer, Traffic Shaping
  22. The UTM & ADC delivery model
  23. SDN and NFV
  24. Networks made from and configured by software
  25. We can put a bunch of 'network' onto a VM: Firewall, VPN, Switch, Router
  26. And add more functions into containers: Firewall, VPN, Switch, Router, Cache, TLS offload, WAF, Load Balancer, NIDS/NIPS
  27. This could be thought of as an app centric perimeter
  28. But it refactors very readily into microservices
  29. The audit paradox
  30. Building in (CC photo by WorldSkills)
  31. What building in looks like
  32. Bolting on (CC photo by arbyreed)
  33. What bolting on looks like
  34. PaaS gives us the chance to 'bolt in'
  35. But Docker adoption shows a movement against opinionated platforms
  36. If a security event happens and it isn't monitored
  37. Some challenges remain
  38. ToDo: SecDevOps. APIs are necessary but not sufficient: they need to be integrated into the overall system. Control metadata (and its mutability) must be visible and understandable. Security events need to be captured, then turned into something humans can action.
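The following is an added example, not code from the talk or from Cohesive Networks, that puts slides 4 to 8 and slide 38 together in working form: each application declares which of its own tiers may talk to which (the app centric perimeter), flow records are checked against that declaration to answer "is the right traffic going to/from our servers?", cross-application flows are reported separately as the east-west exposure a single penetration creates, and the policy itself is fingerprinted so a mutation of the control metadata is visible rather than silently applied. The application names, tier address ranges, ports and flow records are all constructed for the illustration.

```python
"""Application-centric traffic check over flow records.

Added example, not from the slides: each application declares which of its
own tiers may talk to which, on which port. Any other flow is the "wrong"
traffic; a flow crossing into another application is east-west exposure.
"""
import hashlib
import ipaddress
import json
from dataclasses import dataclass

# Constructed sample: two three-tier applications sharing one "intranet"
# range, as in the traditional enterprise picture. Addresses are invented.
TIERS = {
    "orders": {
        "web": ipaddress.ip_network("10.1.1.0/24"),
        "app": ipaddress.ip_network("10.1.2.0/24"),
        "db": ipaddress.ip_network("10.1.3.0/24"),
    },
    "billing": {
        "web": ipaddress.ip_network("10.1.11.0/24"),
        "app": ipaddress.ip_network("10.1.12.0/24"),
        "db": ipaddress.ip_network("10.1.13.0/24"),
    },
}

# Control metadata: per-application allowed flows as (src_tier, dst_tier, dst_port).
# Only the web tier accepts Internet traffic, on 443; no tier may call out.
POLICY = {
    "orders": {("web", "app", 8080), ("app", "db", 5432)},
    "billing": {("web", "app", 8080), ("app", "db", 5432)},
}
INTERNET_FACING = ("web", 443)
INTERNET = "internet"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def locate(ip):
    """Map an address to (application, tier); (INTERNET, None) if it is not ours."""
    addr = ipaddress.ip_address(ip)
    for app, tiers in TIERS.items():
        for tier, net in tiers.items():
            if addr in net:
                return app, tier
    return INTERNET, None


def classify(flow):
    """Verdict for one flow: 'allowed', 'denied' or 'east-west'."""
    src_app, src_tier = locate(flow.src)
    dst_app, dst_tier = locate(flow.dst)
    if dst_app == INTERNET:
        return "denied"  # no application declares an outbound rule
    if src_app == INTERNET:
        return "allowed" if (dst_tier, flow.dport) == INTERNET_FACING else "denied"
    if src_app != dst_app:
        return "east-west"  # crossing into another application: the lateral path
    if (src_tier, dst_tier, flow.dport) in POLICY[src_app]:
        return "allowed"
    return "denied"


def summarize(flows):
    """Turn raw verdicts into something a human can action: verdict counts plus
    the internal hosts seen reaching into applications other than their own."""
    counts = {}
    lateral = {}
    for f in flows:
        verdict = classify(f)
        counts[verdict] = counts.get(verdict, 0) + 1
        if verdict == "east-west":
            lateral.setdefault(f.src, set()).add(locate(f.dst)[0])
    return counts, {src: sorted(apps) for src, apps in lateral.items()}


def policy_fingerprint(policy=POLICY):
    """Stable digest of the control metadata, so a mutated policy shows up as a
    changed value in the event stream instead of being applied silently."""
    canon = {app: sorted(list(r) for r in rules) for app, rules in policy.items()}
    return hashlib.sha256(json.dumps(canon, sort_keys=True).encode()).hexdigest()


# Constructed flow records (not real logs).
SAMPLE_FLOWS = [
    Flow("203.0.113.5", "10.1.1.10", 443),    # Internet -> orders web: allowed
    Flow("10.1.1.10", "10.1.2.20", 8080),     # orders web -> app: allowed
    Flow("10.1.2.20", "10.1.3.30", 5432),     # orders app -> db: allowed
    Flow("203.0.113.5", "10.1.2.20", 8080),   # Internet straight to app tier: denied
    Flow("10.1.1.10", "10.1.3.30", 5432),     # web skipping the app tier: denied
    Flow("10.1.3.30", "198.51.100.7", 443),   # db tier calling out: denied
    Flow("10.1.2.20", "10.1.13.30", 5432),    # orders app -> billing db: east-west
    Flow("10.1.2.20", "10.1.12.20", 22),      # orders app -> billing app: east-west
    Flow("10.1.12.20", "10.1.3.30", 5432),    # billing app -> orders db: east-west
]
```

Run `summarize(SAMPLE_FLOWS)` to get the verdict counts and, separately, the hosts that have crossed application boundaries; on the sample the orders app server and the billing app server each show up once, which is the kind of east-west movement the perimeter-only model never sees. The denied flows are worth attention too, in particular the database tier opening a connection to the Internet, which no declared rule explains. Emitting `policy_fingerprint()` alongside each batch of verdicts means a reviewer can tell whether a change in what is "allowed" came from the traffic or from someone editing the policy.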