Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
@ncooprider
1
How security changes in the cloud
and why you care
Nathan Cooprider
Senior Software Engineer
@ncooprider
2
The story so far . . .
@ncooprider
3
My day job: agent team lead
@ncooprider
4
Update our security metaphors
Change our defense paradigm
PROFIT
=
+
@ncooprider
5
Update our security metaphors
@ncooprider
6
Vauban & the Maginot Line
Company
assets
zero-day
@ncooprider
7
Gettysburg
Offensive
security!
@ncooprider
8
Bank Security
@ncooprider
9
Update our security metaphors
@ncooprider
10
Theater of combat operations
@ncooprider
11
The times, they are a changin’
@ncooprider
12
Maybe we can wait it out?
@ncooprider
13
“Late last year, US bank Capital One said it was
reducing the number of its own data centres from
eight to ...
@ncooprider
14
Pets vs. cattle
@ncooprider
15
Metaphors: revisited
@ncooprider
16
Update our security metaphors
Change our defense paradigm
+
@ncooprider
17
“While AWS manages security of the cloud, security in
the cloud is the responsibility of the customer.”
htt...
@ncooprider
18
• Security fundamentals still apply
• Good security hygiene
• Constant vigilance
• No silver bullet
• Drama...
@ncooprider
19
“Web scale"
On prem: one
admin per 250
machines
On cloud: one
admin per
25,000 instances
@ncooprider
20
Real and false positives
@ncooprider
21
Cancel or allow
@ncooprider
22
Rebooting
@ncooprider
23
Shadow IT
@ncooprider
24
Update our security metaphors
Change our defense paradigm
+
@ncooprider
25
A new metaphor: The Twinkie Speech
“You don’t let
somebody come
into your house,
cheat on your
sister, and ...
@ncooprider
26
Uptime: the goal and the liability
@ncooprider
27
Retreat vector
@ncooprider
28
Tooling & mindset
@ncooprider
29
Update our security metaphors
Change our defense paradigm
PROFIT
=
+
@ncooprider
30
Getting there: becoming secure
@ncooprider
31
Getting there: becoming secure
@ncooprider
32
@ncooprider
33
@ncooprider
34
• Remember: the enemy’s gate is down
• Update our security metaphors
• The Twinkie speech
• To the cloud
• ...
@ncooprider
35
Questions?
@ncooprider
36
• http://xkcd.com/241/
• http://www.bbc.co.uk/news/business-36151754
• http://exponent.fm/episode-077-physi...
@ncooprider
37
Extra slides
@ncooprider
38
Breach highlights!
@ncooprider
39
“I don’t get it”
@ncooprider
40
Compliance?
Where we’re going, they have compliance
@ncooprider
41
@ncooprider
42
Large numbers
@ncooprider
43
Let it go
Upcoming SlideShare
Loading in …5
×

How security changes in the cloud and why you care

697 views

Published on

We know that "the enemy's gate is down." Many of us know the lessons from Vauban. We draw our computer security metaphors from the physical world, and it mostly works. Traditional security analogies talk about defense-in-depth, locks & surveillance, active defense, mitigation & response, and many other clever comparisons. Then came the cloud. While it's true that security fundamentals still apply, several things dramatically change when defense moves into the cloud.

Scale - A single IT admin can reasonably expect to manage between 100 and 250 physical assets. We expect cloud admins to scale up to 25,000 instances and beyond. The same scale that makes using the cloud attractive for business makes managing the cloud a Gordian Knot. Think about that scale in terms of security alerts, real and false positives.

Control - We can simply go over and troubleshoot in safe mode when an on-prem asset misbehaves. When the cloud instance misbehaves, the cloud provider might just reboot it for you. Even worse, your asset might get rebooted if somebody else on the same hardware misbehaves. Cloud providers give a different granularity of control.

Transience - This represents the biggest paradigm shift for the cloud. Where previous admins bragged about uptime, long-running servers become a liability in the cloud. Attackers can surround an asset, only to find the asset has disappeared. That idea sounds like a nightmare for most admins too, but the right tooling and mindset turns it into a strength.

We can leverage scale, control and transience away from liabilities and into strengths. Traditional physical defense metaphors do not capture the paradigm shift, so we need to make sure we abandon those when appropriate. Cloud security is different.

Delivered at SOURCE Conference Boston 2016 on May 18, 2016

Published in: Technology
  • Be the first to comment

  • Be the first to like this

How security changes in the cloud and why you care

  1. 1. @ncooprider 1 How security changes in the cloud and why you care Nathan Cooprider Senior Software Engineer
  2. 2. @ncooprider 2 The story so far . . .
  3. 3. @ncooprider 3 My day job: agent team lead
  4. 4. @ncooprider 4 Update our security metaphors Change our defense paradigm PROFIT = +
  5. 5. @ncooprider 5 Update our security metaphors
  6. 6. @ncooprider 6 Vauban & the Maginot Line Company assets zero-day
  7. 7. @ncooprider 7 Gettysburg Offensive security!
  8. 8. @ncooprider 8 Bank Security
  9. 9. @ncooprider 9 Update our security metaphors
  10. 10. @ncooprider 10 Theater of combat operations
  11. 11. @ncooprider 11 The times, they are a changin’
  12. 12. @ncooprider 12 Maybe we can wait it out?
  13. 13. @ncooprider 13 “Late last year, US bank Capital One said it was reducing the number of its own data centres from eight to three by 2018 and moving a lot of its processes and product development to AWS. And Towergate Insurance recently announced that it was migrating its IT infrastructure to the public cloud as well.” http://www.bbc.com/news/business-36151754 Cloud adoption
  14. 14. @ncooprider 14 Pets vs. cattle
  15. 15. @ncooprider 15 Metaphors: revisited
  16. 16. @ncooprider 16 Update our security metaphors Change our defense paradigm +
  17. 17. @ncooprider 17 “While AWS manages security of the cloud, security in the cloud is the responsibility of the customer.” https://aws.amazon.com/compliance/shared-responsibility-model/ “As with any new technology, there are new risks. It is our responsibility to educate our businesses and customers and we can also develop tools and processes to mitigate risk. But it is also a shared responsibility of cloud users” Mark Russinovich, Microsoft Azure CTO Security TOS and SLAs
  18. 18. @ncooprider 18 • Security fundamentals still apply • Good security hygiene • Constant vigilance • No silver bullet • Dramatic changes occur in the cloud • Scale • Control • Transcience Defend the cloud
  19. 19. @ncooprider 19 “Web scale" On prem: one admin per 250 machines On cloud: one admin per 25,000 instances
  20. 20. @ncooprider 20 Real and false positives
  21. 21. @ncooprider 21 Cancel or allow
  22. 22. @ncooprider 22 Rebooting
  23. 23. @ncooprider 23 Shadow IT
  24. 24. @ncooprider 24 Update our security metaphors Change our defense paradigm +
  25. 25. @ncooprider 25 A new metaphor: The Twinkie Speech “You don’t let somebody come into your house, cheat on your sister, and eat your Twinkies.”
  26. 26. @ncooprider 26 Uptime: the goal and the liability
  27. 27. @ncooprider 27 Retreat vector
  28. 28. @ncooprider 28 Tooling & mindset
  29. 29. @ncooprider 29 Update our security metaphors Change our defense paradigm PROFIT = +
  30. 30. @ncooprider 30 Getting there: becoming secure
  31. 31. @ncooprider 31 Getting there: becoming secure
  32. 32. @ncooprider 32
  33. 33. @ncooprider 33
  34. 34. @ncooprider 34 • Remember: the enemy’s gate is down • Update our security metaphors • The Twinkie speech • To the cloud • Don’t get left behind • Reasons for hesitancy going away • Leverage the new environment • Scale, control, and transience • Become secure Conclusion
  35. 35. @ncooprider 35 Questions?
  36. 36. @ncooprider 36 • http://xkcd.com/241/ • http://www.bbc.co.uk/news/business-36151754 • http://exponent.fm/episode-077-physical-goods/ • http://www.computerweekly.com/news/2240232396/How-to- mitigate-top-ten-public-cloud-security-risks-Azure-CTO-Mark- Russinovich • http://about.att.com/innovation/sdn • https://blog.codingoutloud.com/2016/03/31/talk-secureworld- boston-2016-swbos16-how-adopting-the-public-cloud-can- improve-your-enterprise-security/ • http://blog.threatstack.com/3-key-practices-for-enabling-cloud- security Resources
  37. 37. @ncooprider 37 Extra slides
  38. 38. @ncooprider 38 Breach highlights!
  39. 39. @ncooprider 39 “I don’t get it”
  40. 40. @ncooprider 40 Compliance? Where we’re going, they have compliance
  41. 41. @ncooprider 41
  42. 42. @ncooprider 42 Large numbers
  43. 43. @ncooprider 43 Let it go

×