Session Title:
Safe as Clouds. The Journey from Legacy to Cloud-Native Security Principles
Type:
Breakout
Session Abstract:
Most information security (InfoSec) teams have a good handle on the manner in which InfoSec is designed and managed for internal or monolithic applications, but what about the cloud? The VMware InfoSec Architecture function had to redesign and reimagine those structures and models to fit a highly adaptive cloud world, all while taking into account containers, microservices, IoT, and the other cutting-edge advances our business is employing now. Topics covered include a quick overview of the ecosystem at VMware, our methodology for high-performing InfoSec, how we have adapted our old models and architected them into our new services and solutions, and how we created our cloud security architecture model.
Submitting to Present at VMworld:
Both
Main Track: Network and Security
Sub Track: Secure Application Infrastructure
Products: Pulse IoT, VMware Cloud on AWS
Technical Level:
Management level
Session Participants:
Brad Doctor, Craig Savage – Information Security
The point: as individuals we are all capable of being intrinsically secure; activating that ability in the corporate world is key to having a secure-by-default organization.
Principle: Security controls must not rely on secrecy or obscurity for effectiveness.
Rationale: Obscure configurations do not provide any meaningful measure of security. Effective security designs can withstand scrutiny without being compromised.
Implications: Security by obscurity is not acceptable; the design of security controls will be open to evaluation by parties that have a stake and interest in VMware security.
Confidentiality – in the cloud the focus shifts to the interception of credentials (user, API, etc.); encryption becomes far more critical than before, and the impact of shared hosting on confidentiality must be understood.
Integrity – moving toward certificate-based validation, secure channels of communication, and micro-segmentation to limit interception or manipulation of data in transit.
Availability – the focus shifts to purpose and function, recoverability plans, and protecting access to data.
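As an added illustration of the integrity point above (example code written for this page, not VMware's), here is the client-side TLS setting found in many "just make it work" scripts beside the validating one, together with a small audit function that reports the weak settings a reviewer would flag. The function names and the wording of the findings are this example's own; it uses only the Python standard library and builds the contexts without opening a connection, so it runs offline.

```python
import ssl
from typing import List


def hardened_client_context() -> ssl.SSLContext:
    """Client context that validates the server's certificate chain against the
    system trust store, checks the hostname, and refuses legacy TLS versions."""
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH)
    ctx.check_hostname = True                     # name in the cert must match the peer
    ctx.verify_mode = ssl.CERT_REQUIRED           # unverifiable chain -> handshake fails
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # no downgrade to SSLv3/TLS 1.0/1.1
    return ctx


def weak_client_context() -> ssl.SSLContext:
    """The setting that 'fixes' certificate errors by disabling verification.
    An on-path attacker can then present any certificate and read or alter traffic."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the findings a reviewer would raise; an empty list means acceptable."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: peer certificate chain is not validated")
    if not ctx.check_hostname:
        findings.append("check_hostname is False: any valid certificate is accepted for any host")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version below TLS 1.2: downgrade to legacy protocols is possible")
    return findings


if __name__ == "__main__":
    for name, ctx in (("weak", weak_client_context()), ("hardened", hardened_client_context())):
        print(name, audit_context(ctx) or "OK")
```

The same three checks (chain validation on, hostname checking on, floor at TLS 1.2) are what to look for in any client library configuration, whatever the language; the audit function is the kind of check that belongs in code review or a pre-deployment test rather than in a checklist someone has to remember.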
Rationale: Perfect security does not exist, and security controls can be expensive in terms of financial and human resources to implement and maintain. Additionally, not all resources have the same value or risk. As such, it is critical to focus primary efforts on securing the most valuable and highest risk assets.
Implications: When prioritizing security spending and resources, the value of the system being protected and the risk associated with operating the asset will be the prime considerations.
Overall security effort will be weighted toward the assets that are of the highest value to VMware and whose compromise presents the greatest risk.
Not all assets will be protected equally.
Rationale: Security is a requirement and feature best implemented at design-time. Attempting to secure a system after it has been implemented and deployed is costlier, more intrusive and less effective.
Implications:
Systems and projects will be reviewed for security implications and design issues as early in the development process as is feasible.
There may be a “security tax” associated with new developments and implementations.
Defense-in-Depth Rationale: Compartmentalizing systems for security purposes helps localize security issues and contain incidents. Providing defense in depth enables multiple means of thwarting a particular threat, which decreases the likelihood that an attack will succeed. Knowing when there has been a deviation from an established baseline enables detection of new exploits.
Implications:
Security controls will be layered and will include technical, process, and people controls as well as preventive, detective, and recovery measures.
System design should take threat models into account to help identify effective controls.
Trust levels and exposure to threats will drive system, application, and network design and segmentation.
Internal servers will not be permitted to run services listening on the Internet; secure transfer servers in public DMZs must be used to transfer data between external and internal systems.
Least-Privilege Rationale: Resource access is governed by least privilege – only the minimum level of access required will be granted. Any unnecessary access to a resource is a risk.
Implications:
Business requirements drive security controls and resource access.
System design must consider access requirements.
Controls that streamline access management and help detect failures in the resource control model will be favored.
Systems shall be configured to maximize security and to minimize the services available to unauthorized individuals.
Rationale: Any security control implemented must directly support security policies and standards. Auditability of controls helps validate this link between controls and policy and provides transparency and assurance to internal and external business partners.
Implications:
The implementation and management of security controls will be driven by policy and standards.
Audit, monitoring, and integrity features will be key selection criteria for security controls.
Rationale: Procuring, implementing, and managing multiple security solutions that address the same issue is not cost-effective. Solutions that can be implemented across all supported platforms will be more manageable and effective.
Implications:
Preference will be given to those security solutions that are platform independent.
Exceptions to security policies must be actively managed and monitored.
Rationale: Controls that rely on human enforcement and judgment are by nature unreliable. Whenever possible, controls that can be automatically and consistently enforced must be selected.
Implications:
Controls that provide automated and consistent enforcement are preferred.
Security controls that have significant manual requirements will, in general, not be pursued.
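To show what "automated and consistent enforcement" of the least-privilege principle above looks like in practice, here is an added example (written for this page, not VMware's code) of a policy-as-code check that can gate a deployment pipeline: it flags Allow statements that grant wildcard actions, or unconditioned access to every resource, and it ignores Deny statements because they only narrow access. It assumes the AWS IAM policy JSON layout (Version, Statement, Effect, Action, Resource, Condition); the sample policy embedded below is constructed for this example, and the Sid names and the findings' wording are its own.

```python
import json
from typing import List, Tuple

# Constructed sample policy for this example (hypothetical, not from the page).
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "ReadAppLogs", "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::app-logs", "arn:aws:s3:::app-logs/*"]},
    {"Sid": "AdminEverything", "Effect": "Allow",
     "Action": "*", "Resource": "*"},
    {"Sid": "AllOfIam", "Effect": "Allow",
     "Action": ["iam:*"], "Resource": "*"},
    {"Sid": "DenyIsFine", "Effect": "Deny",
     "Action": "*", "Resource": "*"}
  ]
}
""")


def _as_list(value) -> list:
    """IAM accepts either a single string or a list in Statement/Action/Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_overbroad_statements(policy: dict) -> List[Tuple[str, str]]:
    """Return (Sid, reason) pairs for Allow statements that violate least privilege."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only remove access; never flagged
        sid = stmt.get("Sid") or f"Statement[{idx}]"
        # NotAction / NotResource grant everything *except* the listed items.
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append((sid, "NotAction/NotResource grants everything not listed"))
        wild_actions = [a for a in _as_list(stmt.get("Action"))
                        if a == "*" or a.endswith(":*")]
        if wild_actions:
            findings.append((sid, f"wildcard action(s): {wild_actions}"))
        # Resource '*' is tolerated only when a Condition narrows it.
        if "*" in _as_list(stmt.get("Resource")) and not stmt.get("Condition"):
            findings.append((sid, "Resource '*' with no Condition"))
    return findings


def policy_is_acceptable(policy: dict) -> bool:
    """Pipeline gate: True only when no statement is flagged."""
    return not find_overbroad_statements(policy)


if __name__ == "__main__":
    for sid, reason in find_overbroad_statements(SAMPLE_POLICY):
        print(f"{sid}: {reason}")
    print("acceptable:", policy_is_acceptable(SAMPLE_POLICY))
```

Run on the sample, the ReadAppLogs and DenyIsFine statements pass and the two administrative statements are rejected. Real policies need an allowlist for service-wide read-only actions that legitimately take Resource "*" (describe and list calls), and the check should run on every change rather than at periodic review; that is exactly the difference between an automatically enforced control and a manual one.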