A Different Approach to Securing Your Cloud Journey

Whether you are just exploring moving workloads to the cloud, or are fully cloud-enabled, one thing is certain: security has changed from a purely on-premise environment.

As cybersecurity risks continue to grow with more advanced attackers and more digital surface area, how you think about staying secure without compromising user experience must adapt.

During this talk, you will:
- Hear how global consistency, agile controls, and predictable costs are goals and principles that matter in this new environment
- Be able to evaluate your current plans against a "customer security model"

Published in: Technology

  1. Cloud Security Adoption. Timothy Fong, Security Solutions
  2. Transformation Imperative: "It’s increasingly clear that we’re entering a highly disruptive extinction event. Many enterprises that fail to transform themselves will disappear." (Why digital transformation is now on the CEO’s shoulders, McKinsey, December 2017)
  3. Customers Want More. Customers are more Global Demanding Mobile
  4. What are the compelling outside forces driving change in your business? What is your industry? What impacts you most in terms of customer behavior: Global Demanding Mobile Something else
  5. Cloud Adoption: Opportunities and Risks. "Many enterprises are stuck supporting both their inefficient traditional data-center environments and inadequately planned cloud implementations that may not be as easy to manage or as affordable as they imagined." (Cloud adoption to accelerate IT modernization, McKinsey, April 2018)
  6. Modernizing Architecture and Infrastructure On Prem Hybrid Cloud Native Multi Cloud Private Cloud Modern Microservices Monolithic Legacy Stacks
  7. Where are you currently on the modernization spectrum? Where are you currently and where do you want to go? Infrastructure Architecture What hurdles are you experiencing or are anticipating?
  8. Attackers are getting stronger. "While hackers are honing their skills, business is going digital—and that makes companies more vulnerable to cyberattacks. Assets ranging from new product designs to distribution networks and customer data are now at risk." (A new posture for cybersecurity in a networked world, McKinsey, March 2018)
  9. Customers Global Demanding Mobile Attackers are getting stronger DDoS Data Compromise Malicious Bots On Prem Hybrid Cloud Native Multi Cloud Private Cloud Modern Microservices Monolithic Legacy Stacks
  10. Which of these cyber security issues most concern you? How concerned are you with these? DDoS Data Theft Malicious Bots Which risks are you trying to address now? Access Risks Transit Risks Application Risks
  11. Cloud Changes Security. "For a company that has only begun to use the public cloud, it can be tempting to build a public-cloud cybersecurity model using the controls it already has for on-premises systems. But this can lead to problems, because on-premises controls seldom work for public-cloud platforms without being reconfigured." (Making a secure transition to the public cloud, McKinsey, January 2018)
  12. Modernizing application, infrastructure, architecture On Prem Hybrid Cloud Native Multi Cloud Private Cloud Attackers are getting stronger DDoS Data Compromise Malicious Bots Customers are more Global demanding mobile Modern Microservices Monolithic Legacy Stacks WAF Appliance Single Sign On DDoS Appliance Cloud WAF Load Balancer Scrubbing Center
  13. Modernizing application, infrastructure, architecture On Prem Hybrid Cloud Native Multi Cloud Private Cloud Attackers are getting stronger DDoS Data Compromise Malicious Bots Customers are more Global demanding mobile Modern Microservices Monolithic Legacy Stacks WAF Appliance Single Sign On DDoS Appliance Cloud WAF Load Balancer Scrubbing Center
  14. Modernizing application, infrastructure, architecture Extract and Consolidate DNS DDoS Bot Management VPN SSL Load Balancer Firewall Attackers are getting stronger DDoS Data Compromise Malicious Bots Customers are more Global demanding mobile
  15. Global Consistency Agile Control Predictable Costs Extracting Complexity 165+ Data Centers Worldwide Integrated Platform of Services Fast Deployment and Change Control Easy to Use without Expensive Training Programmatic Automation through APIs Data Intelligence from Broad Traffic Samples Unified Architecture vs Manual Professional Services Pay for “Good” Traffic Post-Sales, Customer Success, and Global Support Teams Modernizing application, infrastructure, architecture
  16. Security Maturity Model Guide Assess your current posture along key security disciplines
  17. Level 1 Level 2 Level 3 Level 4 Out of the box capabilities or very light weight configurations More defined use cases, typically application or user specific More granular configurations Customer extends services further along end-to-end spectrum Customer deploys dynamic or sophisticated configurations Customized policies to address edge cases. More advanced analysis of traffic and attacks inform custom policies Security Security Maturity Model Area of Discipline ● Assess your current posture along key security disciplines ● Define and clarify your Cloudflare-agnostic roadmap to improve in areas you care about ● Learn how other companies strengthen their own capabilities
  18. Q&A
  19. Thank you! fongster@cloudflare.com
  20. Level 1 Level 2 Level 3 Level 4 Out of the box capabilities or very light weight configurations More defined use cases, typically application or user specific More granular configurations Customer extends services further along end-to-end spectrum Customer deploys dynamic or sophisticated configurations Customized policies to address edge cases. More advanced analysis of traffic and attacks inform custom policies Security Customer Maturity Model Area of Discipline Performance ● Assess your current posture along key security and performance disciplines ● Define and clarify your Cloudflare-agnostic roadmap to improve in areas you care about ● Learn how other companies strengthen their own capabilities
  21. Level 1 Level 2 Level 3 Level 4 Block volumetric attacks inline Block malicious countries manually Implement custom Layer 7 rate-based defense Block specific IP addresses manually Deploy tiered Layer 7 rate-based defense Protect all TCP ports from DDoS Review DDoS analytics Make web server IP address private Programmatically block traffic based on analysis in SIEM Block with machine learning and behavior analysis Deploy latest SSL/TLS to encrypt traffic from client to the origin Reduce risks of route hijacks with public key infrastructure Secure DNS with DNSSEC Redirect insecure requests to HTTPS Deploy custom certificates Deploy HSTS Deploy Keyless SSL Authenticate requests to the origin server Reduce phishing attacks for internal users Tunnel securely and directly from origin to reverse proxy Deploy and integrate a Hardware Security Module (HSM) Deploy HMAC to secure end-points Improve discovery of shadow IT Client authentication with mutual TLS Mitigate DDoS Attacks Attack traffic degrades application availability or performance and can spike infrastructure costs Reduce Transit Risks Attackers hijack Internet routes or domains, or snoop traffic to compromise sensitive data or re-route visitors to malicious destinations. Security Maturity Model Area of Discipline
  22. Level 1 Level 2 Level 3 Level 4 Reduce Application Risks Attackers exploit application vulnerabilities that can compromise sensitive data Security Maturity Model Reduce Access Vulnerabilities Insider threat and privileged access attacks allow unauthorized users to access applications and systems Area of Discipline All or nothing access management Manual deployment and enforcement Enforce basic access policies Use SSO and 2FA Integrate access with Identity Provider Centralized access control across internal applications Hide origin IP address Deploy hard key based 2FA Secure access to SSH and RDP without a VPN Search and access audit logs Enforce granular access policies Apply application-level user permissions Apply adaptive authentication Secure applications against the OWASP top 10 threats Protect open-source applications from zero-day threats with shared intelligence Defend against application specific attacks with custom request-based rules Apply threat-intelligence based reputation filters Hide origin by closing all ports to the IP address Analyze logs for anomalies Apply Runtime Application Self Protection Detect and block basic data exfiltration
  23. Level 1 Level 2 Level 3 Level 4 Blocks malicious bots with known bad UA strings, IP addresses, poor IP reputations, or high requests per second. Inject JavaScript to fingerprint devices and mitigate bots. Maintain a whitelist of “good” bots. Apply machine learning to intelligently manage bots. Apply behavior analysis to detect anomalous bot traffic. Secure mobile APIs with a secure connection from device. Detect and block attacks by hijacked mobile apps. Secure applications against the OWASP top 10 threats Protect open-source applications from zero-day threats with shared intelligence Defend against application specific attacks with custom rules Block or challenge visitors by user agent, IP address, country codes Apply reputation-based filters Hide origin by closing all ports to the IP address Detect and block basic data exfiltration Apply IP firewall rules to all TCP applications Reduce Data Leaks Attackers attempt to contaminate, exfiltrate, or compromise sensitive data Security Maturity Model Manage Bots Malicious bots mimic humans in order to harm the business along a number of threat vectors Area of Discipline
  24. Modernizing application, infrastructure, architecture Monolithic Legacy Stacks Modern Micro-services On Prem Hybrid Cloud Native Multi Cloud Private Cloud Extract and Consolidate DNS DDoS Bot Management VPN SSL Load Balancer Firewall Attackers are getting stronger DDoS Data Compromise Malicious Bots Customers are more Global demanding mobile
  25. Modernizing application, infrastructure, architecture Attackers are getting stronger DDoS Data Compromise Malicious Bots Customers are more Global demanding mobile
  26. Customers are more Global Demanding Mobile Companies Respond to Their Market Modernizing application, infrastructure, architecture On Prem Hybrid Cloud Native Multi Cloud Private Cloud Modern Microservices Monolithic Legacy Stacks