In today’s cloud-first environment, enterprises are embracing a heterogeneous cloud strategy that spans multiple public clouds as well as private clouds. This creates complexities for enterprise IT teams who need to ensure security across all of their applications and all of their infrastructure resources. This webinar will help you understand how to approach multi-cloud security.
4. o The State of Multi-Cloud Security
o How to Think About Multi-Cloud Security
o 8 Elements
• Visibility
• Identity and Access Control
• Workload Security
• Data Security
• Network Security
• Business Continuity/Disaster Recovery
• Audit
• Compliance
Agenda
5. 82% of Enterprises Want Multi-Cloud
Single private
5%
Single public
10%
No plans
3%
Multiple private
14%
Multiple public
13%
Hybrid cloud
55%
82%
Enterprise Cloud Strategy
1000+ employees
Multi-Cloud
82%
Source: RightScale 2015 State of the Cloud Report
12. Visibility
• Can you see all your
cloud accounts and
instances?
• Connect to all your
clouds
• Gain visibility to all your
accounts
You Can’t Control What You Can’t See
12
Many Accounts Across Clouds
AWS Azure Google CloudStack OpenStack vSphere
Account
Account
Account
Account
Account
Account
Account
Account
Account
Account
Account
Account
Account
Account
Account
Account
Account
AccountAccount
13. Single pane of glass
• Multi-cloud access
• Public clouds
• Private clouds
• Virtualized
• Control access
• Standardize
configuration
• Patch and update
• Audit trails
RightScale: Multi-Cloud Visibility
13
AWS Azure Google CloudStack OpenStack vSphere
15. • Mostly the same
• Govern and enforce user access
• Configure Role Management
• Context Based Access Control
• Enable Audit reporting
• 3rd Party Identity Providers
• SSO SAML, MFA, Oauth, ADFS
• But…
• How do you handle multiple clouds and
accounts?
• So how do you control cloud credentials?
Considerations for IAM in Cloud
15
“Should this person (user) who
performs this job function and
therefore has these roles assigned
(role) be allowed to access this type
of data as it applies to this particular
account (context)?”
16. Current state
• CSPs follow proprietary
schemes to support
user provisioning and
lifecycle management
of user profiles
• IAM Integrations
accomplished through
grafts and tie-ins
• What’s the state of IAM for difference
cloud providers?
• Not all have IAM services for all features.
• How do you manage multiple clouds?
• Centralize control through your CMP
• Limit users that can go directly to cloud
accounts
• AD Agents/Connectors
• Okta, Ping Identity, OneLogin
• Enterprise Directory Services
• Active Directory Federation Services ADFS/
SAML integration
Multi-Cloud IAM
16
17. Challenges
• Difficult to implement,
manage, and support
• Difficult to scale and/ or
extend to other CSPs
• No direct coupling
between AD and AWS
IAM
Integrating IAM
17
ADFS
AWS
STS
A
D
SQ
L
1
2
3
4
5
6
Your Environment
SAML
7
AWS
AWS account
123456789012
AWS account
111122223333
IAM roles=>
ADFS-Production
ADFS-DEV
IAM roles=>
ADFS-Production
ADFS-DEV
IAM role=>
ADFS-DEV
IAM role=>
ADFS-DEV
AWS account
777788889999
AWS account
444455556666
AD group memberships=>
AWS-Production
AWS-DEV
User object attribute
123456789012
111122223333
18. What you get:
• Aggregate accounts
across clouds
• Hierarchical organization
of accounts
• Security and access
controls
• SSO integration
RightScale Multi-Cloud Access Controls
18
User BUser A User EUser DUser C
Enterprise Account
Cloud
Account
Cloud
Account
Cloud
Account
Cloud
Account
Cloud
Account
Cloud
Account
Account 2Account 1
RightScale
Access
Control
Authenticate with
passwords or SSO
Authenticate with cloud
credentials
20. Enforce Policies
• Catalog of templates that
meet corporate standards
• Configured to your
security requirements
• Define which clouds can
be used
• Control user options and
choices
• Orchestrate and automate
deployment and
operations
Workload Security: From Rogue to Policy-Based
20
Basic instances
Stacks for Dev or Prod Applications
21. Standardization
• Automate provisioning and
configuration
• Version-controlled
• Follow standards for
versions, patches and
configuration
• Leverage a variety of
scripting languages
• Modular and auditable
• Define Security
Configuration Baselines
Standardize Server Configurations
AWS Azure Google CloudStack OpenStack vSphere
Multi-Cloud Image
Configuration Scripts Containers
21
22. Standardize System Configurations
22
Load Balancers
App Servers
Master DB Slave DB
Replicate >
DNS
Configure a system:
Cloud Application Template (CAT)
Configure a server:
• ServerTemplates (portable)
• Docker container (portable)
• AMI
• CloudFormation
• VM template
23. Increase IT efficiency
o Bring your own
configuration management
o Clone existing
architectures
o Updates and patches
o Monitor and alert
o Auto-scale up and down
Patch and Update
26. Compliance
Requirements
• PCI E-Commerce
• HIPAA / PHI/ 21CFR11
• NPI / PII
• FTI IRS PUB1075
• MPAA
• Data Protection / Encryption
• In-transit: MUST
• At rest: MUST
• In process: DEPENDS
• Considerations in the Cloud
• Select the right cloud provider
• Some cloud providers encrypt by default
• Review their security documents
• Most Cloud Providers will sign BAA
• Segregate workloads
Data Security
26
27. Data Residency with a Global Cloud Platform
Amazon Web Services
Google Cloud Platform
IBM SoftLayer
Rackspace
Windows Azure
Public Clouds
Singapore
Hong Kong
Japan
Texas
DC Area
SF Area
Seattle
Chicago
Dublin
London
Amsterdam
Oregon
São Paulo
Midwest
Beijing
Sydney
W Europe
Private Clouds
CloudStack
OpenStack
vSphere
Melbourne
Toronto
Mexico City
Taiwan
27
28. • Data privacy legislation differs around the world
• Evaluate encryption options where you manage the keys (a la
Amazon Aurora) so vendor can’t give data in case of
subpoena
• What is the CSP’s data retention period?
• What country is the CSP headquartered out of?
• Which jurisdiction covers the contract between you and the
CSP?
Data Residency: Impact of Safe Harbor
28
34. 34
SLAs by Cloud
Certification AWS Azure Google SoftLayer
Uptime SLA 99.95% 99.95% 99.95% 100%
Max SLA Credit on monthly bill 30% 25% 50% 5% per 30 minutes
downtime
Downtime Calculation Any minutes
downtime
Any minutes
downtime
5+ consecutive
minutes
downtime
30+ consecutive
minutes downtime
35. Architect for SLAs
• HA/DR reference
architectures
• Cross-region and cross-
cloud
• Auto-scale to meet
demand
• Hybrid cloudbursting
• Monitor and automate
failover
• Hot, warm, and cold DR
scenarios
Implement DR Architectures for your Apps
35
Load Balancers
App Servers
Slave DB Master DB
App Servers
Slave DB
< Replicate Replicate >
Load Balancers
PRIMARY WARM DR
DNS
36. Ensure availability
o Separate management
plane from cloud and
cloud applications
o RightScale platform is fully
redundant
o Automate failover
processes for hot, warm or
cold DR
Outage-Proof with Independent Control Plane
38. 38
o Cloud Trails
o Azure Diagnostics
o Google Cloud Logging (beta)
o SoftLayer Audit Trails
What Audit Tools by Provider?
39. Approach:
• Feed audit trails from
individual clouds to SIEM
• Feed audit trails from CMP
to SIEM
Multi-Cloud Logging and Audit Trails
39
Cloud Management
Platform
Cloud
SIEM
Cloud Cloud Cloud Cloud Cloud
40. Ensure compliance
o See who changed what
and when
o Provide audit logs and
reports to satisfy
regulators
o Available via API to
integrate with other
systems
Gain Visibility with Audit Trails
43. • RightScale Certifications
• State of the Cloud Report
• www.rightscale.com/2015-cloud-report
• Private and Hybrid Cloud Whitepaper
• www.rightscale.com/private-hybrid-cloud-whitepaper
Questions?
43
SSAE16 SOC1 and
SOC2 Type II
PCI DSS SAQ C CompliantU.S.-EU Safe Harbor Framework
and U.S.-Swiss Safe Harbor
Framework