Building a Paper Trail:
How to secure and audit a Public Cloud
Neal Elinski | Technical Product Manager
Rok Orsic | Consulting Cloud Architect
©2017 OVH US | Proprietary & Confidential
–––
VMworld disclaimer
This presentation may contain product features that are
currently under development. This overview of new
technology represents no commitment from VMware or OVH
to deliver these features in any generally available product.
Features are subject to change, and must not be included in
contracts, purchase orders, or sales agreements of any kind.
Technical feasibility and market demand will affect final
delivery. Pricing and packaging for any new technologies or
features discussed or presented have not been determined.
–––
AGENDA
1. Intro and Objectives – 10min
2. Solution Detail – 20min
3. Scenarios – 20min
4. Q/A – 10min
WHO IS OVH?
____
INTRODUCING OVH – GLOBAL HYPER-SCALE CLOUD PROVIDER
• 5th Largest Cloud Provider in the world*
• Over 1.2 Million Business Clients in 138 Countries
• Own 11+ Tbps Network with 32 Points of Presence
• 2016: 20 data centers in 5 countries
• 2017: 27 data centers in 11 countries
• 2020: 50 data centers
• Data center capacity: 1.3 million physical servers; 260,000 already deployed
• 19 years experience building & managing servers + data centers
* https://www.netcraft.com/internet-data-mining/hosting-analysis/
OVH BUILDS OUR OWN DATA CENTERS
OVH USES GREEN TECHNOLOGY TO MANUFACTURE SERVERS
30% natural air cooling + 70% water cooling = 0% air conditioning
–––
SOLUTIONS TO SUIT YOUR NEEDS
Hosted Private Cloud · Public Cloud · Dedicated Servers / Bare Metal
+ Dedicated Cloud
+ Virtual Private Cloud
+ Disaster Recovery
+ VMware SDDC
+ Open API
+ Automation Compatibility
+ Scalability
+ Bring your own License
+ Non-Virtual Workloads
+ Proprietary Software
Customer Support & Services
Global Hyper-Scale Reach
OVH’s Fiber Optic Network (11+ Tbps) + Anti-DDoS + Private LAN
OBJECTIVES
___
–––
COMMON REQUIREMENTS
• Layered Security
  • Onion Model
  • Vector-based approach focused on Network, Host, and Management security
• Least Privilege Access Model
• Archival Activity Tracking
• Anomaly Detection
–––
HOW DO WE ACCOMPLISH THIS?
• Role-Based Access Control
• Management/End-User Segregation
• Governance
• Network Security
• Systems Security
• Audit Logging and Archival
• Mitigation and Investigation
HOW DOES THIS CHANGE WHEN WE INTRODUCE THE CLOUD?
___
–––
CLOUD ISSUES
• Loss of control
  • Depending on the model, you lose control of the hardware and most of the management software
• Limited visibility
  • The cloud company owns the special sauce and they don’t like to share
• Have to fit into the given access model
  • May have limited RBAC
  • Multi-factor and federation are rare
• Limited toolset
  • May only have limited native tools to monitor and manage
–––
HOW TO OVERCOME LIMITATIONS
• Focus on the API
  • Though low-level services may not be available, the API should be
  • Focus on platform-native tools for better integration
• Work within the boundaries to segregate
  • This may mean setting up service accounts for shared logged access
• Pull and archive activity offsite
  • Keep records available, just like you’d treat backups
• Automate
  • Governance, reporting, alerting…make it scale
–––
TOOLS WE’LL FOCUS ON
• VMware platforms
  • Access to vSphere or vCD
• Focus on VMware tools, but with options for 3rd party
  • NSX
  • vRealize Log Insight
  • vRealize Automation
  • vRealize Operations
• Where necessary, lean on 3rd party
  • HyTrust
  • Snort
  • Antivirus (guest security)
SOLUTION DETAIL
___
–––
PLATFORM
vCloud Director:
• Tenant Access:
  • VDC – Resource pools
  • VMs
  • Catalog
• Networking:
  • Networks
  • Edge Gateway
  • Distributed FW
• Resource reservation
• Users & Groups
• Identity Federation
• Affinity Rules – VM level
vSphere:
• Tenant Access:
  • Cluster Management
    • HA
    • DRS
  • Resource Pools
  • VMs
  • Catalog
• Networking:
  • Access to NSX manager
  • Networks
  • Edge Gateway
  • Distributed Routing
  • Distributed FW
  • Service Composer
• Users & Groups
• Identity Federation
• Affinity Rules
–––
RBAC
vCloud Director
• Authentication:
  • Local users
  • SAML:
    • Identity federation
    • 2FA
    • Login restriction based on time, location, etc.
• Auditing:
  • vCD UI
  • REST API
  • LogInsight with the use of scripts
• Granularity
  • Pre-created roles
vSphere
• Authentication:
  • Local users
  • SAML:
    • Identity federation
    • 2FA
    • Login restriction based on time, location, etc.
• Auditing:
  • vSphere UI
  • LogInsight Integration
• Granularity
  • Pre-created roles
–––
IDENTITY FEDERATION
Components: Directory Service, Identity Provider (IdP)
1. User navigates to vCloud Air URL
2. Redirect to corporate IdP
3. User logs in
4. IdP posts SAML assertion
5. vCloud Air access granted
6. User accesses vCloud Air Dedicated Cloud portal
–––
USER DEMO ACCESS
• Client navigates to vSphere/vCA
• Gets redirected to Identity Provider website
• Logs in with AD credentials
• Gains access to vSphere/vCA
–––
SYSTEMS SECURITY
• Encryption at rest
  • vCD and vSphere (6.x) don’t offer native encryption of data
  • HyTrust DataControl will be used for vmdk encryption
  • OS-level solutions (BitLocker) are also possible
• AV and HIDS recommended at system level
  • Compliance software (VMware Trustpoint/Tanium) as well
• Periodic testing
  • Through a 3rd party, typically via Nessus
–––
HYTRUST DATA ENCRYPTION
• Cloud agnostic
• FIPS-approved AES-128/256 encryption for data in motion and at rest
• Multi-node HyTrust cluster supports hybrid cloud scenarios
  • Nodes running on premises and at the cloud provider
• Encryption travels with the VM:
  • vMotion to vSphere/vCD based cloud
  • Disaster recovery
• On-the-fly encryption and rekey
• AES-NI hardware acceleration
• Forensic-grade logging
–––
NETWORK SECURITY
• Edge GW
  • Firewall
  • IDS/IPS for vCloud Air possible with the use of 3rd party appliances deployed in a HDMZ (Hybrid DMZ)
• Distributed FW
  • Micro segmentation
  • FW at VM NIC level
  • Centrally controlled FW
  • Security Groups
  • Policy follows VM when migrating to Cloud
–––
NETSEC DEMO
• User tries to ping a new VM, but ping doesn’t work as the VM is not part of any distributed FW group
• User opens distributed firewall and views FW sections
• User adds the VM to a pre-existing group that has ICMP allowed
• VM pings
–––
GOVERNANCE
• vRA
  • Built to limit user action, with option for layered approvals for XaaS operations
  • Bonus: keeps a log of every user action triggered from the self-service vRA catalog forever
• SAML
  • Enables organizations to set login rules
–––
vRA DEMO
• User logs into vRA
• Available catalog items are displayed
• User deploys catalog item to vSphere/vCA
• The action is limited per approval rules
• The action is logged in multiple areas
–––
MONITORING
• vROPs
  • vSphere Cloud:
    • vROPS as a Service
    • Own installation
    • Full vSphere integration
  • vCloud Air:
    • Own installation
    • vCloud Air management pack
      • Retrieves metrics from API
  • Rest API
–––
MONITORING DEMO
• Admin views anomaly in vCD/vCA Summary Dashboard
• Admin follows the error through vROps to determine the cause
–––
LOGGING
• Log Insight
  • Limited logging in vCD
    • Task and event log accessible via UI and API
    • To view tasks and events in Log Insight, a script and a helper VM are needed
    • Syslog for Edge GW logs
  • More access in vSphere – easier to manage
    • Full NSX logs
    • Full vSphere logs
–––
vCD LOG INSIGHT
[Architecture diagram: a VMware vCloud Air Dedicated Cloud (dXpYvZ) with its VDC, Org Routed Net, Org Edge Gateway, stretched VXLAN networks and migrated virtual machines, alongside Hybrid Cloud Manager and the vCloud Air Management Plane. A Log Insight Helper VM pulls logs from the vCloud Air REST API and pushes them to Log Insight through the Ingestion API; the Edge Gateway sends its logs directly via its syslog settings.]
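The helper VM in this diagram is the piece the tenant has to build, so here is an added example of what it does, written for this page rather than taken from the OVH deck or from VMware's tooling. It parses the records returned by a vCloud Director event query, converts them into the JSON body the Log Insight Ingestion API accepts, and appends every record to a hash-chained offsite archive so that later editing, deletion or reordering of the archived trail is detectable (the "pull and archive activity offsite" point from the earlier slide). The query response is constructed; the record attribute names are modelled on vCD's EventRecord query result and the payload shape on the documented Ingestion API body, and the function names are this example's own assumptions.

```python
import hashlib
import json
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed sample response for a vCD event query (GET /api/query?type=event).
# Attribute names follow vCD's EventRecord query result; every value is made up.
SAMPLE_QUERY_XML = """<?xml version="1.0" encoding="UTF-8"?>
<QueryResultRecords xmlns="http://www.vmware.com/vcloud/v1.5" total="2">
  <EventRecord eventId="urn:vcloud:event:0001" eventType="com/vmware/vcloud/event/user/login"
      timeStamp="2017-09-13T14:30:00.000Z" userName="alice@corp" orgName="tenant-a"
      entityName="alice@corp" entityType="vcloud:user" eventStatus="true"/>
  <EventRecord eventId="urn:vcloud:event:0002" eventType="com/vmware/vcloud/event/gateway/modify"
      timeStamp="2017-09-13T14:31:07.000Z" userName="bob@corp" orgName="tenant-a"
      entityName="edge-gw-01" entityType="vcloud:gateway" eventStatus="true"/>
</QueryResultRecords>
"""
VCLOUD_NS = {"vc": "http://www.vmware.com/vcloud/v1.5"}
GENESIS = "0" * 64  # previous-hash value committed to by the first archive line


def parse_vcd_events(xml_text):
    """Return the EventRecord attributes as dicts, oldest first."""
    root = ET.fromstring(xml_text)
    records = [dict(rec.attrib) for rec in root.findall("vc:EventRecord", VCLOUD_NS)]
    return sorted(records, key=lambda r: r["timeStamp"])


def to_epoch_millis(ts):
    """vCD reports ISO-8601 UTC timestamps; Log Insight wants epoch milliseconds."""
    dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
    return int(dt.timestamp() * 1000)


def build_ingest_payload(records):
    """Body for POST /api/v1/events/ingest/<agent-id> on the Log Insight ingestion
    endpoint: one event per record, every vCD attribute kept as a searchable field."""
    events = []
    for r in records:
        fields = [{"name": k, "content": v} for k, v in sorted(r.items()) if k != "timeStamp"]
        events.append({
            "text": f"vcd event {r['eventType']} by {r['userName']} on {r['entityName']}",
            "timestamp": to_epoch_millis(r["timeStamp"]),
            "fields": fields,
        })
    return {"events": events}


def chain_records(records, prev_hash=GENESIS):
    """Append-only archive lines. Each line commits to the previous line's hash, so
    editing, removing or reordering any record invalidates every hash after it."""
    lines = []
    for r in records:
        body = json.dumps(r, sort_keys=True)
        digest = hashlib.sha256((prev_hash + body).encode()).hexdigest()
        lines.append(json.dumps({"prev": prev_hash, "record": r, "hash": digest}, sort_keys=True))
        prev_hash = digest
    return lines


def verify_chain(lines, genesis=GENESIS):
    """Recompute the chain; return (True, None) or (False, index of the first bad line)."""
    prev = genesis
    for i, line in enumerate(lines):
        entry = json.loads(line)
        body = json.dumps(entry["record"], sort_keys=True)
        expected = hashlib.sha256((prev + body).encode()).hexdigest()
        if entry["prev"] != prev or entry["hash"] != expected:
            return False, i
        prev = entry["hash"]
    return True, None


if __name__ == "__main__":
    events = parse_vcd_events(SAMPLE_QUERY_XML)
    print(json.dumps(build_ingest_payload(events), indent=2))  # what the helper VM would POST
    archive = chain_records(events)
    print("archive verifies:", verify_chain(archive))
```

In production the XML comes from an authenticated GET against the vCD query service and the payload is POSTed to the Log Insight ingestion endpoint over TLS; the archive lines belong on storage that the cloud administrators being audited cannot write to, and verify_chain is what a periodic integrity job runs against them.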
–––
LOGGING DEMO
• User logs in
• Event is logged in vSphere/vCD
• Event is forwarded to LogInsight
• Display event in LogInsight
–––
THE END SOLUTION – vCLOUD DIRECTOR
[Architecture diagram: Head Quarters connects to the vCloud Air Dedicated Cloud (SID 1) over vCloud Air Direct Connect (MPLS/P2P etc., BGP, active/standby and active paths) and over the Internet, using redundant 1/10 Gbps links (OSPF, BGP). The Dedicated Cloud contains a Hybrid DMZ, Net/Sec VMs (F/Ws, WAN opt), shared service VMs (AD, DNS, Logs etc.) and production workloads in vDC 1 … vDC N.
Tooling layer: vRA – Governance, vROPS – Monitoring, LogInsight – Logging, HyTrust – Encryption.]
–––
THE END SOLUTION – vSPHERE
[Architecture diagram: Head Quarters connects to the vSphere Based Cloud over vRack Connect (MPLS/P2P etc., BGP, active/standby and active paths) and over the Internet. The cloud side hosts production workloads (vDC 1), Net/Sec VMs (F/Ws, WAN opt) and shared service VMs (AD, DNS, Logs etc.).
Tooling layer: vRA – Governance, vROPS – Monitoring, LogInsight – Logging, HyTrust – Encryption.]
SCENARIOS…WHERE THE BAD STUFF HAPPENS
___
–––
SCENARIO 1
Unauthorized Administrative Action
• User logs in and changes distributed FW settings
  • Option 1 – User doesn't have permission and the operation fails
  • Option 2 – User implements the change
• Event is logged in the Activity log
  • Show NSX manager logs
  • Show lack of logging in vCloud Air
  • Show Activity log in vCD
• Events are forwarded to LogInsight
  • Show NSX logs in LogInsight
  • Show vCD activity in LogInsight
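The two branches of this scenario are what the log review has to tell apart: an attempt that was refused (Option 1) and a change that went through (Option 2). Here is an added example, not from the deck, of detection logic that could run over the forwarded NSX Manager and vCD events once they sit in Log Insight or any other log store. The log lines, field names, approved-admin list and change window are all constructed for the example; real NSX audit messages are formatted differently, so the parser would be adapted to the fields your version actually emits.

```python
import re
from datetime import datetime, timezone

# Constructed log lines as they might arrive after forwarding: NSX Manager audit events
# and one vCD activity-log event. The line format is an assumption for this example.
SAMPLE_LOGS = [
    "2017-09-13T02:15:33Z nsx-mgr-01 vsm: [AUDIT] user=bob@corp action=dfw.rule.update section=app-tier result=SUCCESS",
    "2017-09-13T14:31:07Z nsx-mgr-01 vsm: [AUDIT] user=bob@corp action=dfw.section.update section=web-tier result=SUCCESS",
    "2017-09-13T14:35:52Z nsx-mgr-01 vsm: [AUDIT] user=eve@corp action=dfw.rule.create section=web-tier result=SUCCESS",
    "2017-09-13T14:36:10Z vcd-01 vcloud: event=com/vmware/vcloud/event/user/login user=eve@corp status=true",
    "2017-09-13T14:40:00Z nsx-mgr-01 vsm: [AUDIT] user=carol@corp action=dfw.rule.delete section=db-tier result=FAILURE",
]

APPROVED_FW_ADMINS = {"bob@corp"}   # constructed: the only account allowed to change the DFW
CHANGE_WINDOW_UTC = range(9, 18)    # constructed: 09:00-17:59 UTC is the agreed change window

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>\S+): (?:\[AUDIT\] )?(?P<kv>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split a forwarded line into timestamp, host, process and its key=value fields."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "host": m["host"],
        "proc": m["proc"],
    }
    rec.update(KV_RE.findall(m["kv"]))
    return rec


def detect_unauthorized_fw_changes(lines):
    """Return (severity, user, action, reason) for every distributed-firewall change that
    came from an unapproved account (whether applied or refused) or from an approved
    account outside the change window."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec.get("action", "").startswith("dfw."):
            continue  # not a DFW change: logins and other events are left to other rules
        user, result = rec.get("user"), rec.get("result")
        if user not in APPROVED_FW_ADMINS:
            if result == "SUCCESS":
                findings.append(("high", user, rec["action"], "unauthorized change applied"))
            else:
                findings.append(("medium", user, rec["action"], "unauthorized change attempted and refused"))
        elif result == "SUCCESS" and rec["ts"].hour not in CHANGE_WINDOW_UTC:
            findings.append(("medium", user, rec["action"], "change applied outside change window"))
    return findings


if __name__ == "__main__":
    for finding in detect_unauthorized_fw_changes(SAMPLE_LOGS):
        print(*finding)
```

The refused attempt is still worth an alert: under Option 1 the RBAC model did its job, but a non-administrator trying to edit firewall sections is itself the signal a paper trail exists to capture.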
–––
SCENARIO 2
Compromised VM
• Show a three tier app
• Show distributed FW rules
• One VM is compromised but can’t reach other VMs because of FW rules
• Show FW log
• VM is put into restricted group until remediation
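As an added example that is neither OVH's nor NSX's code, the following models the distributed firewall behaviour behind the Network Security slide, the NETSEC demo and this scenario: rules are written against security groups, evaluated at every VM's NIC with a default deny, and quarantining a compromised VM is a group-membership change rather than a re-addressing exercise. The three-tier application and the group, rule and VM names are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    src: str      # security group name, or "any"
    dst: str      # security group name, or "any"
    service: str  # e.g. "tcp/443", "icmp", or "any"
    action: str   # "allow" or "drop"


class DistributedFirewall:
    """Policy is expressed in security groups. Every VM's vNIC sees the same ordered
    rule set (first match wins) and anything unmatched hits the default-deny rule."""

    QUARANTINE = "quarantine"

    def __init__(self, rules):
        self.rules = list(rules)
        self.groups = {}  # group name -> set of VM names
        self.log = []     # constructed FW log lines, one per evaluated flow

    def add_to_group(self, vm, group):
        self.groups.setdefault(group, set()).add(vm)

    def quarantine(self, vm):
        """Remediation step from the scenario: strip every membership and park the VM
        in the quarantine group, whose rules sit first and drop traffic both ways."""
        for members in self.groups.values():
            members.discard(vm)
        self.add_to_group(vm, self.QUARANTINE)

    def _member(self, vm, group):
        return group == "any" or vm in self.groups.get(group, set())

    def evaluate(self, src_vm, dst_vm, service):
        """Decide one flow the way the DFW would at the source VM's NIC."""
        for rule in self.rules:
            if (self._member(src_vm, rule.src) and self._member(dst_vm, rule.dst)
                    and rule.service in (service, "any")):
                self.log.append(f"{rule.action.upper()} {src_vm}->{dst_vm} {service} rule={rule.name}")
                return rule.action
        self.log.append(f"DROP {src_vm}->{dst_vm} {service} rule=default-deny")
        return "drop"


def build_three_tier_dfw():
    """Constructed web/app/db application with a management jump host."""
    rules = [
        Rule("quarantine-out", "quarantine", "any", "any", "drop"),
        Rule("quarantine-in", "any", "quarantine", "any", "drop"),
        Rule("client-to-web", "any", "web", "tcp/443", "allow"),
        Rule("web-to-app", "web", "app", "tcp/8080", "allow"),
        Rule("app-to-db", "app", "db", "tcp/3306", "allow"),
        Rule("mgmt-icmp", "mgmt", "any", "icmp", "allow"),
    ]
    dfw = DistributedFirewall(rules)
    for vm, group in [("web-01", "web"), ("web-02", "web"), ("app-01", "app"),
                      ("db-01", "db"), ("jump-01", "mgmt")]:
        dfw.add_to_group(vm, group)
    return dfw


if __name__ == "__main__":
    dfw = build_three_tier_dfw()
    # web-01 is the compromised VM: it cannot reach the database tier directly,
    # and after quarantine it cannot even reach its own legitimate next hop.
    dfw.evaluate("web-01", "db-01", "tcp/3306")
    dfw.evaluate("web-01", "app-01", "tcp/8080")
    dfw.quarantine("web-01")
    dfw.evaluate("web-01", "app-01", "tcp/8080")
    dfw.evaluate("web-02", "app-01", "tcp/8080")
    print("\n".join(dfw.log))
```

Because membership, not addressing, drives the decision, web-02 keeps working while web-01 is isolated, and the same rule set applies unchanged when a VM is migrated to the cloud side, which is what "policy follows VM" means on the Network Security slide.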
CONCLUSIONS
___
–––
PUTTING IT ALL TOGETHER
• High security is possible in the cloud
• Though the provider will manage half the stack, there are ways for you to manage the other half
• VMware tools can simplify security of vSphere or vCD based clouds
–––
Q&A
–––
HOW TO CONTACT US
VMworld Booth Location – D313
@ovh and @vcloudair_ovh
@ovh and @vcloudair.ovh
OVH and vCloud Air powered by OVH
ovh.com
–––
OVH AT VMWORLD
Session ID | Session Title | Time
LHC3295BES | OVH: Why Optimizing Layer 0 matters | Wednesday Sept 13th 2:00 p.m. – 3:00 p.m.
LHC2401BE | How far is too far? The Hybrid Cloud Distance Factor. | Tuesday Sept 12th 3:30 p.m. – 4:30 p.m.
LHC3296BES | Shields Up! Building a True Security Barrier in the Cloud | Tuesday Sept 12th 2:00 p.m. – 3:00 p.m.
LHC1951BE | Automate Cloud Recovery For When You Are Nuked From Orbit: It’s the Only Way to Be Sure | Thursday Sept 14th 9:00 a.m. – 10:00 a.m.
LHC1010BES | Open your mind: mix Private Cloud, Hybridity and Elasticity all Together | Tuesday Sept 12th 5:00 p.m. – 6:00 p.m.
GRC2676BE | Building a Paper Trail: How to Secure and Audit a Public Cloud | Wednesday Sept 13th 3:30 p.m. – 4:30 p.m.
–––
THANK YOU

08448380779 Call Girls In Civil Lines Women Seeking Men
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 

Building a Paper Trail: Securing and Auditing Public Cloud

  • 8. SOLUTIONS TO SUIT YOUR NEEDS
    Hosted Private Cloud: + Dedicated Cloud + Virtual Private Cloud + Disaster Recovery + VMware SDDC
    Public Cloud: + Open API + Automation Compatibility + Scalability
    Dedicated Servers (Bare Metal): + Bring your own License + Non-Virtual Workloads + Proprietary Software
    Customer Support & Services; Global Hyper-Scale Reach; OVH’s Fiber Optic Network (11+ Tbps) + Anti-DDoS + Private LAN
  • 9. OBJECTIVES
  • 10. COMMON REQUIREMENTS
    • Layered Security
      • Onion Model
      • Vector-based approach focused on Network, Host, and Management security
    • Least Privilege Access Model
    • Archival Activity Tracking
    • Anomaly Detection
  • 11. HOW DO WE ACCOMPLISH THIS?
    • Role-Based Access Control
    • Management/End-User Segregation
    • Governance
    • Network Security
    • Systems Security
    • Audit Logging and Archival
    • Mitigation and Investigation
  • 12. HOW DOES THIS CHANGE WHEN WE INTRODUCE THE CLOUD?
  • 13. CLOUD ISSUES
    • Loss of control
      • Depends on the model, but you lose control of the hardware and most management software
    • Limited visibility
      • The cloud company owns the special sauce and they don’t like to share
    • Have to fit into the given access model
      • May have limited RBAC
      • Multi-factor and federation are rare
    • Limited toolset
      • May only have limited native tools to monitor and manage
  • 14. HOW TO OVERCOME LIMITATIONS
    • Focus on the API
      • Though low-level services may not be available, the API should be
      • Focus on platform-native tools for better integration
    • Work within the boundaries to segregate
      • This may mean setting up service accounts for shared logged access
    • Pull and archive activity offsite
      • Keep records available, just like you’d treat backups
    • Automate
      • Governance, reporting, alerting… make it scale
  • 15. TOOLS WE’LL FOCUS ON
    • VMware platforms
      • Access to vSphere or vCD
    • Focus on VMware tools, but with options for 3rd party
      • NSX
      • vRealize Log Insight
      • vRealize Automation
      • vRealize Operations
    • Where necessary, lean on 3rd party
      • HyTrust
      • Snort
      • Antivirus (guest security)
  • 16. SOLUTION DETAIL
  • 17. PLATFORM
    vCloud Director (Tenant Access):
      • VDC – Resource pools
      • VMs
      • Catalog
      • Networking: Networks, Edge Gateway, Distributed FW
      • Resource reservation
      • Users & Groups
      • Identity Federation
      • Affinity Rules – VM level
    vSphere (Tenant Access):
      • Cluster Management: HA, DRS, Resource Pools
      • VMs
      • Catalog
      • Networking: Access to NSX manager, Networks, Edge Gateway, Distributed Routing, Distributed FW, Service Composer
      • Users & Groups
      • Identity Federation
      • Affinity Rules
  • 18. RBAC
    vCloud Director:
      • Authentication: Local users; SAML (Identity federation, 2FA, login restriction based on time, location, etc.)
      • Auditing: vCD UI; REST API; LogInsight with the use of scripts
      • Granularity: Pre-created roles
    vSphere:
      • Authentication: Local users; SAML (Identity federation, 2FA, login restriction based on time, location, etc.)
      • Auditing: vSphere UI; LogInsight Integration
      • Granularity: Pre-created roles
  • 19. IDENTITY FEDERATION (flow between the Directory Service, the Identity Provider and vCloud Air)
    1. User navigates to vCloud Air URL
    2. Redirect to corporate IdP
    3. User logs in
    4. IdP posts SAML assertion
    5. vCloud Air access granted
    6. User accesses vCloud Air Dedicated Cloud portal
  • 20. USER DEMO ACCESS
    • Client navigates to vSphere/vCA
    • Gets redirected to Identity Provider website
    • Logs in with AD credentials
    • Gains access to vSphere/vCA
  • 21. SYSTEMS SECURITY
    • Encryption at rest
      • vCD and vSphere (6.x) don’t offer native encryption of data
      • HyTrust DataControl will be used for vmdk encryption
      • OS-level solutions (BitLocker) are also possible
    • AV and HIDS recommended at system level
      • Compliance software (VMware Trustpoint/Tanium) as well
    • Periodic testing
      • Through a 3rd party, typically via Nessus
  • 22. HYTRUST DATA ENCRYPTION
    • Cloud Agnostic
    • FIPS approved AES-128/256 encryption for data in motion and at rest
    • Multi-node HyTrust Cluster supports Hybrid Cloud scenarios
      • Nodes running On Premises and in the Cloud Provider
    • Encryption travels with the VM:
      • vMotion to vSphere/vCD based Cloud
      • Disaster recovery
    • On the fly Encryption and Rekey
    • AES-NI Hardware acceleration
    • Forensic grade logging
  • 23. NETWORK SECURITY
    • Edge GW
      • Firewall
      • IDS/IPS for vCloud Air possible with the use of 3rd party appliances deployed in a HDMZ
    • Distributed FW
      • Micro segmentation
      • FW at VM NIC level
      • Centrally controlled FW
      • Security Groups
      • Policy follows VM when migrating to Cloud
  • 24. NETSEC DEMO
    • User tries to ping a new VM, but ping doesn’t work as the VM is not part of any distributed FW group
    • User opens distributed firewall and views FW sections
    • User adds the VM to a pre-existing group that has ICMP allowed
    • VM pings
  • 25. GOVERNANCE
    • vRA
      • Built to limit user action, with option for layered approvals for XaaS operations
      • Bonus: keeps a log of every user action triggered from the self-service vRA catalog forever
    • SAML
      • Enables organizations to set login rules
  • 26. vRA DEMO
    • User logs into vRA
    • Available catalog items are displayed
    • User deploys catalog item to vSphere/vCA
    • The action is limited per approval rules
    • The action is logged in multiple areas
  • 27. MONITORING
    • vROps
      • vSphere Cloud: vROps as a Service, or own installation; full vSphere integration
      • vCloud Air: own installation; vCloud Air management pack retrieves metrics from the API
    • REST API
  • 28. MONITORING DEMO
    • Admin views anomaly in vCD/vCA Summary Dashboard
    • Admin follows the error through vROps to determine the cause
  • 29. LOGGING
    • Log Insight
      • Limited logging in vCD
        • Task and event log accessible via UI and API
        • To view tasks and events in Log Insight a script and helper VM is needed
        • Syslog for Edge GW logs
      • More access in vSphere – easier to manage
        • Full NSX logs
        • Full vSphere logs
  • 30. vCD LOG INSIGHT (diagram): vCloud Air Dedicated Cloud with a VDC of migrated virtual machines, Org Routed Net, Org Edge Gateway, stretched VXLAN networks, Hybrid Cloud Manager and the vCloud Air Management Plane; a Log Insight Helper VM pulls logs from the vCloud Air REST API and pushes them to the Log Insight Ingestion API; the Edge GW syslog settings point at Log Insight
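The helper-VM path in the diagram above (REST API pull, ingestion API push, offsite archive) as an added example. This is not OVH's or VMware's code. Assumed, not taken from the slides: the vCD query-service XML namespace, the EventRecord attribute names, the FIQL filter syntax, the API version value, the session-token header, and the Log Insight ingestion endpoint and port; the XML response embedded below is a constructed sample so the transformation runs offline.

```python
"""Pull vCloud Director task/event records and push them into vRealize Log Insight.

Added example for the helper-VM path on slide 30; not OVH's or VMware's code.
Assumptions: vCD query-service namespace (http://www.vmware.com/vcloud/v1.5),
EventRecord attribute names, FIQL filter syntax, the API version value and the
Log Insight ingestion endpoint (https://<host>:9543/api/v1/events/ingest/<agent>).
"""
import json
import urllib.request
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

VCLOUD_NS = "{http://www.vmware.com/vcloud/v1.5}"          # assumed namespace
RECORD_ATTRS = ("eventType", "timeStamp", "userName", "orgName",
                "entityName", "entityType", "eventStatus")  # assumed attribute names

# Constructed sample of a vCD query response (two records) for running offline.
SAMPLE_VCD_RESPONSE = """<?xml version="1.0" encoding="UTF-8"?>
<QueryResultRecords xmlns="http://www.vmware.com/vcloud/v1.5" total="2" page="1" pageSize="25">
  <EventRecord eventType="com/vmware/vcloud/event/user/login" timeStamp="2017-09-12T14:05:31.000Z"
      userName="alice@corp" orgName="acme" entityName="alice@corp" entityType="user" eventStatus="SUCCESS"/>
  <EventRecord eventType="com/vmware/vcloud/event/vapp/create" timeStamp="2017-09-12T14:07:02.250Z"
      userName="alice@corp" orgName="acme" entityName="web-01" entityType="vapp" eventStatus="SUCCESS"/>
</QueryResultRecords>"""


def parse_vcd_event_records(xml_text):
    """Flatten every EventRecord in a vCD query response into a plain dict."""
    root = ET.fromstring(xml_text)
    return [{a: rec.get(a, "") for a in RECORD_ATTRS}
            for rec in root.iter(VCLOUD_NS + "EventRecord")]


def vcd_timestamp_ms(ts):
    """'2017-09-12T14:05:31.000Z' -> milliseconds since the epoch, as the ingestion API expects."""
    dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
    return int(dt.timestamp() * 1000)


def to_loginsight_payload(records):
    """Build the JSON body for POST /api/v1/events/ingest/<agent_id>: one event per record,
    with the vCD attributes carried as searchable fields instead of buried in the text."""
    events = []
    for r in records:
        text = "vcd event %s by %s in org %s on %s %s status=%s" % (
            r["eventType"], r["userName"], r["orgName"],
            r["entityType"], r["entityName"], r["eventStatus"])
        fields = [{"name": "vcd_" + k.lower(), "content": v}
                  for k, v in r.items() if k != "timeStamp" and v]
        events.append({"text": text, "timestamp": vcd_timestamp_ms(r["timeStamp"]),
                       "fields": fields})
    return {"events": events}


def fetch_vcd_events(base_url, token, since_iso, api_version="29.0"):
    """Incremental pull: only records newer than since_iso (the newest timestamp already archived)."""
    url = ("%s/api/query?type=event&format=records&sortAsc=timeStamp&pageSize=128"
           "&filter=(timeStamp=gt=%s)" % (base_url, since_iso))
    req = urllib.request.Request(url, headers={
        "Accept": "application/*+xml;version=%s" % api_version,
        "x-vcloud-authorization": token})              # session token from POST /api/sessions
    with urllib.request.urlopen(req) as resp:
        return parse_vcd_event_records(resp.read().decode())


def archive_records(records, path):
    """Offsite copy: append one JSON line per record so the trail outlives the cloud tenant.
    Returns the newest timestamp seen, to feed the next incremental fetch."""
    newest = ""
    with open(path, "a", encoding="utf-8") as fh:
        for r in records:
            fh.write(json.dumps(r, sort_keys=True) + "\n")
            newest = max(newest, r["timeStamp"])
    return newest


def push_to_loginsight(payload, host, agent_id):
    """POST the payload to the Log Insight ingestion API over TLS; returns the HTTP status."""
    req = urllib.request.Request(
        "https://%s:9543/api/v1/events/ingest/%s" % (host, agent_id),
        data=json.dumps(payload).encode(), method="POST",
        headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return resp.status


if __name__ == "__main__":
    recs = parse_vcd_event_records(SAMPLE_VCD_RESPONSE)   # offline demo on the constructed sample
    print(json.dumps(to_loginsight_payload(recs), indent=2))
```

Run on a schedule from the helper VM with the newest archived timestamp as `since_iso`, the script gives you the same event twice on purpose: once in Log Insight for search and alerting, once in a flat file you control, which is the "treat it like backups" point from slide 14.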
  • 31. LOGGING DEMO
    • User logs in
    • Event is logged in vSphere/vCD
    • Event is forwarded to LogInsight
    • Display event in LogInsight
  • 32. THE END SOLUTION – vCLOUD DIRECTOR (diagram): Head Quarters production workloads reach the vCloud Air Dedicated Cloud over Direct Connect (MPLS/P2P etc., BGP, Active/Standby or Active, redundant 1/10 Gbps links, OSPF/BGP) and over the Internet; the Dedicated Cloud holds vDC 1 through vDC N with a Hybrid DMZ of Net/Sec VMs (F/Ws, WAN opt) and shared service VMs (AD, DNS, Logs etc.); vRA (Governance), vROps (Monitoring), LogInsight (Logging) and HyTrust (Encryption) sit alongside
  • 33. THE END SOLUTION – vSPHERE (diagram): the same layout on a vSphere based cloud, reached from Head Quarters over vRack Connect (MPLS/P2P etc., BGP, Active/Standby or Active) and the Internet, with production workloads, Net/Sec VMs (F/Ws, WAN opt), shared service VMs (AD, DNS, Logs etc.), and vRA (Governance), vROps (Monitoring), LogInsight (Logging) and HyTrust (Encryption)
  • 34. SCENARIOS… WHERE THE BAD STUFF HAPPENS
  • 35. SCENARIO 1 – Unauthorized Administrative Action
    • User logs in and changes distributed FW settings
      • Option 1 – User doesn't have permission and the operation fails
      • Option 2 – User implements the change
    • Event is logged in the Activity log
      • Show NSX manager logs
      • Show lack of logging in vCloud Air
      • Show Activity log in vCD
    • Events are forwarded to LogInsight
      • Show NSX logs in LogInsight
      • Show vCD activity in LogInsight
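Scenario 1 ends with the change sitting in Log Insight; the defender's question is which of those changes should raise an alert. The following is an added example of that detection logic, not OVH's or VMware's code. The event shape (already-normalized dicts as they might arrive from NSX Manager and vCenter/vCD), the action names, the admin allowlist, the change window and the login-lookback value are all hypothetical, and the event list is constructed.

```python
"""Detection logic for Scenario 1: distributed-firewall changes that should not have happened.

Added example, not OVH's or VMware's code. Event shape, action names, allowlist and
window values are hypothetical; the events stand in for NSX Manager audit and
vCenter/vCD login events after normalization in Log Insight.
"""
from datetime import datetime, timedelta

DFW_ACTIONS = {"dfw.rule.create", "dfw.rule.update", "dfw.rule.delete"}  # hypothetical names
APPROVED_DFW_ADMINS = {"netsec-admin@corp"}   # hypothetical allowlist (least privilege)
CHANGE_WINDOW_UTC = (8, 18)                   # hypothetical change window, hours [start, end)
LOGIN_LOOKBACK = timedelta(hours=4)           # a change needs a recorded login shortly before

# Constructed sample events, unordered on purpose (Log Insight queries need not be sorted).
SAMPLE_EVENTS = [
    {"ts": "2017-09-12T22:14:40Z", "source": "nsx-manager", "user": "bob@corp",
     "action": "dfw.rule.update", "object": "section=db-tier rule=any-any"},
    {"ts": "2017-09-12T09:58:10Z", "source": "vcenter", "user": "netsec-admin@corp",
     "action": "login", "object": ""},
    {"ts": "2017-09-12T10:01:05Z", "source": "nsx-manager", "user": "netsec-admin@corp",
     "action": "dfw.rule.update", "object": "section=web-tier rule=allow-icmp"},
    {"ts": "2017-09-12T11:30:00Z", "source": "nsx-manager", "user": "netsec-admin@corp",
     "action": "dfw.rule.delete", "object": "section=db-tier rule=stale-allow"},
    {"ts": "2017-09-12T15:20:00Z", "source": "nsx-manager", "user": "netsec-admin@corp",
     "action": "dfw.rule.create", "object": "section=app-tier rule=allow-ssh"},
]


def parse_ts(ts):
    """'2017-09-12T10:01:05Z' -> naive UTC datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def detect_dfw_changes(events, approved=APPROVED_DFW_ADMINS,
                       window=CHANGE_WINDOW_UTC, lookback=LOGIN_LOOKBACK):
    """Replay events in time order and return one alert per DFW change that breaks a rule:
    actor not on the allowlist, outside the change window, or no login recorded
    for that actor within `lookback` (a change with no session behind it)."""
    alerts = []
    last_login = {}
    for ev in sorted(events, key=lambda e: parse_ts(e["ts"])):
        when = parse_ts(ev["ts"])
        if ev["action"] == "login":
            last_login[ev["user"]] = when
            continue
        if ev["action"] not in DFW_ACTIONS:
            continue
        reasons = []
        if ev["user"] not in approved:
            reasons.append("user not in DFW admin allowlist")
        if not (window[0] <= when.hour < window[1]):
            reasons.append("outside change window")
        seen = last_login.get(ev["user"])
        if seen is None or when - seen > lookback:
            reasons.append("no login recorded within %dh" % (lookback.total_seconds() // 3600))
        if reasons:
            alerts.append({"ts": ev["ts"], "user": ev["user"], "action": ev["action"],
                           "object": ev["object"], "reasons": reasons})
    return alerts


def alert_lines(alerts):
    """One syslog-style line per alert, suitable for pushing back into Log Insight."""
    return ["%s ALERT dfw-change user=%s action=%s %s reasons=%s" % (
        a["ts"], a["user"], a["action"], a["object"], ";".join(a["reasons"]))
        for a in alerts]


if __name__ == "__main__":
    for line in alert_lines(detect_dfw_changes(SAMPLE_EVENTS)):
        print(line)
```

The "no login recorded" rule is the one that catches the gap slide 35 points at: where a platform writes the change but not the session (the vCloud Air case), the alert fires on every change until the login source is wired in, which is the right default.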
  • 36. SCENARIO 2 – Compromised VM
    • Show a three tier app
    • Show distributed FW rules
    • One VM is compromised but can’t reach other VMs because of FW rules
    • Show FW log
    • VM is put into restricted group until remediation
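Scenario 2 rests on two properties of the distributed firewall from slide 23: rules are written against security groups, and a VM's policy follows it when its group membership changes. The block below models that in code as an added example, not OVH's or VMware's code: the group names, rule set, VM names and ports are hypothetical, and first-match evaluation with a closing default deny is an assumption about how the rule table is configured, not a product claim.

```python
"""Micro-segmentation model for Scenario 2: a three-tier app behind group-based DFW rules.

Added example, not OVH's or VMware's code. Groups, rules, VM names and ports are
hypothetical. Rules are evaluated top to bottom, first match wins, and the last rule
is an explicit default deny (an assumption about configuration).
"""
ANY = "any"

# Security-group membership (hypothetical three-tier app plus an empty quarantine group).
GROUPS = {
    "web-tier": {"web-01", "web-02"},
    "app-tier": {"app-01"},
    "db-tier": {"db-01"},
    "quarantine": set(),
}

# (rule name, source group, destination group, destination port, action)
RULES = [
    ("quarantine-in",  ANY,          "quarantine", ANY,  "deny"),
    ("quarantine-out", "quarantine", ANY,          ANY,  "deny"),
    ("internet-web",   ANY,          "web-tier",   443,  "allow"),
    ("web-app",        "web-tier",   "app-tier",   8080, "allow"),
    ("app-db",         "app-tier",   "db-tier",    5432, "allow"),
    ("default-deny",   ANY,          ANY,          ANY,  "deny"),
]


def groups_of(vm, groups):
    """All security groups a VM belongs to; an unknown source (e.g. an Internet client) has none."""
    return {g for g, members in groups.items() if vm in members}


def evaluate(src, dst, port, rules=RULES, groups=GROUPS):
    """Return (action, rule name) for the first rule matching src -> dst:port."""
    src_groups, dst_groups = groups_of(src, groups), groups_of(dst, groups)
    for name, s, d, p, action in rules:
        if s != ANY and s not in src_groups:
            continue
        if d != ANY and d not in dst_groups:
            continue
        if p != ANY and p != port:
            continue
        return action, name
    return "deny", "implicit-deny"   # only reached if someone removes the default-deny rule


def fw_log(src, dst, port, rules=RULES, groups=GROUPS):
    """Line in the shape a firewall log would show for the 'Show FW log' step."""
    action, name = evaluate(src, dst, port, rules, groups)
    return "%s %s -> %s:%d rule=%s" % (action.upper(), src, dst, port, name)


def quarantine(vm, groups):
    """Move vm into the quarantine group and out of every other group.
    Returns a new membership table; no rule is edited, the policy follows the object."""
    new = {g: set(members) - {vm} for g, members in groups.items()}
    new["quarantine"].add(vm)
    return new


if __name__ == "__main__":
    # Compromised web-01 cannot reach the DB tier or its neighbour even before quarantine...
    print(fw_log("web-01", "db-01", 5432))
    print(fw_log("web-01", "web-02", 22))
    # ...and after quarantine it loses its remaining allowed path as well.
    q = quarantine("web-01", GROUPS)
    print(fw_log("web-01", "app-01", 8080, groups=q))
    print(fw_log("web-02", "app-01", 8080, groups=q))
```

Two things the model makes visible that the slide only states: the tier rules already block lateral movement inside a tier (web-01 to web-02 hits the default deny because no rule allows it), and quarantine is a membership change rather than a rule change, so the unaffected web-02 keeps serving while web-01 is isolated.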
  • 37. CONCLUSIONS
  • 38. PUTTING IT ALL TOGETHER
    • High security is possible in the cloud
    • Though the provider will manage half the stack, there are ways for you to manage the other half
    • VMware tools can simplify security of vSphere or vCD based clouds
  • 40. HOW TO CONTACT US
    VMworld Booth Location – D313
    @ovh and @vcloudair_ovh | @ovh and @vcloudair.ovh | OVH and vCloud Air powered by OVH | ovh.com
  • 41. OVH AT VMWORLD
    Session ID | Session Title | Time
    LHC3295BES | OVH: Why Optimizing Layer 0 matters | Wednesday Sept 13th 2:00 p.m. – 3:00 p.m.
    LHC2401BE | How far is too far? The Hybrid Cloud Distance Factor. | Tuesday Sept 12th 3:30 p.m. – 4:30 p.m.
    LHC3296BES | Shields Up! Building a True Security Barrier in the Cloud | Tuesday Sept 12th 2:00 p.m. – 3:00 p.m.
    LHC1951BE | Automate Cloud Recovery For When You Are Nuked From Orbit: It’s the Only Way to Be Sure | Thursday Sept 14th 9:00 a.m. – 10:00 a.m.
    LHC1010BES | Open your mind: mix Private Cloud, Hybridity and Elasticity all Together | Tuesday Sept 12th 5:00 p.m. – 6:00 p.m.
    GRC2676BE | Building a Paper Trail: How to Secure and Audit a Public Cloud | Wednesday Sept 13th 3:30 p.m. – 4:30 p.m.

Editor's Notes

  1. OVH – we host you “On Vous Héberge” Sounds like “Ahn ne vouz he-bear-zhe”
  2. OVH is the largest hosting provider you have never heard of. While you may have not heard of it, OVH is the third largest cloud provider in the world. The link at the bottom is to the Netcraft report that shows the ranking of Service providers around the world.
  3. With OVH you get access to almost any type of infrastructure you will need. If you are like most businesses you have a large number of VMware based VMs running on-prem. OVH’s private cloud is based on VMware’s SDDC stack and with the acquisition of vCloud Air, connecting your on-prem to a private cloud has never been easier. If you are looking for public cloud burstability OVH has you covered with Public Cloud provided and run on OpenStack. But let’s say you have a workload that has specific requirements and you want access to all parts of the software stack. OVH has Bare Metal servers for you. OVH not only provides differing product platforms to address specific project needs of customers, we also allow the integration of these resources to allow for easy setup and communication between these platforms with our vRack product. A customer may have a piece of each of these all combined into a single solution that suits their needs. Private cloud – vSphere SDDC allowing ease of management by leveraging the same tools you’re used to from VMware. Public Cloud – Get virtualized machines at a per hour/minute cost by leveraging OVH’s public cloud built with OpenStack. Dedicated Servers – Have full control of every aspect of your environment by starting from bare metal. Have root and BIOS level access to your hardware, and install what you want.