
Best Practices for Multi-Cloud Security and Compliance


The last few months have seen ongoing cloud security breaches and a heightened data privacy focus due to GDPR. In today’s multi-cloud environment, enterprises are challenged to ensure security and compliance across both public and private clouds. We will help you understand best practices for multi-cloud security and compliance and how a cloud management platform (CMP) can help.


  2. Presenters
     • Bailey Caldwell, VP of Customer Success and Cloud Security
     • Sean Pomeroy, Cloud Solutions Engineer
  3. Two Solutions from RightScale
     • RightScale Cloud Management Platform: orchestrate, automate and govern workloads across all your environments (virtual servers, public clouds, any cloud service, private clouds, bare metal servers, container clusters)
     • RightScale Optima: work collaboratively across the organization to manage and optimize cloud costs
     • RightScale CMP engine: orchestration (cloud workflow, plugins, monitoring); access control (accounts/groups, access/permissions, tags); policies (cost, security/compliance, operational); extensible orchestration API
  4. RightScale is a Leader in Both 2018 Forrester Waves: Cloud Cost Optimization and Hybrid Cloud Management. (The Forrester Wave™ is copyrighted by Forrester Research, Inc. Forrester and Forrester Wave™ are trademarks of Forrester Research, Inc. The Forrester Wave™ is a graphical representation of Forrester's call on a market and is plotted using a detailed spreadsheet with exposed scores, weightings, and comments. Forrester does not endorse any vendor, product, or service depicted in the Forrester Wave™. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change.)
  5. Organizations Use Multiple Clouds (chart slide)
  6. Agenda
     • The State of Multi-Cloud Security
     • How to Think About Multi-Cloud Security
     • Areas of Security: visibility; identity and access control; workload security; data security; network security; business continuity/disaster recovery; audit; evolving cloud technologies/services
     • Policies & Compliance
  8. Decentralized Cloud Management (figure: five separate sets of SOPs, training guides and technical operations support guides)
  9. Security Services Differ Across Clouds
  10. Plan for a Cloud Security Ecosystem (shared responsibility model spanning the cloud provider, the enterprise, RightScale and 3rd-party vendors)
     • Policy
     • CMDB
     • SIEM / logging / auditing
     • IdP
     • Configuration management
     • Orchestration workflows
     • Web application firewalls
     • File-integrity monitoring
     • Continuous integration
     • Source code repositories
  12. RightScale CMP: Multi-Cloud Visibility
     • Environments: virtual servers, public clouds, any cloud service, private clouds, bare metal servers, container clusters
     • CMP engine: orchestration (cloud workflow, plugins, monitoring); access control (accounts/groups, access/permissions, tags); policies (cost, security/compliance, operations); extensible orchestration API
     • Self-Service: template-based end user provisioning
     • Optima: cost management and collaborative optimization
     • Cloud Management: multi-cloud visibility, automation, and operations
  13. IAM
  14. Considerations for Multi-Cloud IAM
     • Directory services (AD or LDAP)
     • Federation of identities
     • User authentication
     • User authorization
     • Account management
     • Auditing/logging
     • IAM integrations must be created for each cloud
  15. RightScale Multi-Cloud Access Controls. What you get:
     • SAML/SSO integration
     • RBAC for users/groups
     • Sync groups with AD
     • Hierarchical organization of accounts
     • Aggregate accounts across clouds
     • Security and governance
     (figure: SAML-linked users)
  16. Two Use Cases for RightScale CMP
     • Curated use: users primarily access cloud services through the CMP; curated provisioning for users via the multi-cloud self-service portal; policies can be applied pre-provisioning and to deployed services
     • Governed use: users primarily access cloud services through native consoles; discovery allows you to observe cloud resources and their use; option to use the self-service portal to request native IAM access; policies are used to provide governance
     • Both use cases can co-exist for different users
  18. Self-Service: Ad Hoc to Template-Based Provisioning
     • Catalog of templates that meet corporate standards
     • Configured to your security requirements
     • Define which clouds can be used
     • Control user options and choices
     • Orchestrate and automate deployment and operations
     (figure: basic instances; stacks for dev or prod; applications)
  19. Patch and Update (increase IT efficiency)
     • Bring your own configuration management
     • Clone existing architectures
     • Updates and patches
     • Monitor and alert
     • Auto-scale up and down
     • Keep templates patched
     • Test patches/updates in the lower-tier environments first, e.g. test, dev or QA environments
  20. Function-as-a-Service / Serverless (figure comparing two stacks: with virtual machines the cloud provider's responsibility covers x86, storage, networking, compute, virtualization and the hypervisor, while the OS and the app are your responsibility and your business logic is in your apps; with FaaS the provider's responsibility extends through the operating system, and you focus on your business logic in functions)
  22. Data Security
     • Compliance requirements: PCI (e-commerce); HIPAA / PHI / 21CFR11; NPI / PII; FTI (IRS Pub 1075); MPAA; GDPR; and more
     • Access controls
     • Data classification / data types
     • Data encryption
     • Segregate workloads
     • Read and understand the cloud provider's terms and agreements and data privacy / data residency policies, and review their security documents
  23. Data Residency with a Global Cloud Platform
  25. Securely Connecting to Cloud
     • HTTPS / TLS
     • SSL should not be used, as SSL has been deprecated
     • Direct connections
     • VPN (IPsec)
  26. Direct Connection Options
     • AWS Direct Connect
     • Azure ExpressRoute
     • Google Carrier Interconnect
     • IBM Direct Link
     (figure: a customer cage cross-connected to an AWS cage via AWS Direct Connect and to an Azure cage via Azure ExpressRoute)
  27. Secure Connections to RightScale Platform (figure: XYZ Company connected over an IPsec VPN to VPN endpoints in Region 1 and Region 2). Example: API calls to RightScale over a private VPN connection.
  28. Enabling Hybrid: RCA-V (RightScale Cloud Appliance for vSphere) wraps vSphere clusters with cloud-compatible APIs
  29. Network Visibility (comply with policies)
     • Quickly audit security groups
     • Interactive network visualization
     • Maintain security and compliance
  31. SLAs by Cloud
  32. Implement DR Architectures for your Apps (architect for SLAs)
     • HA/DR reference architectures
     • Cross-region and cross-cloud
     • Auto-scale to meet demand
     • Monitor and automate failover
     • Hot, warm, and cold DR scenarios
     (figure: DNS in front of a PRIMARY site and a WARM DR site, each with load balancers, app servers and a slave DB; the primary site's master DB replicates to the slave DBs)
  33. Outage-Proof with Independent Control Plane (ensure availability)
     • Separate the management plane from the cloud and cloud applications
     • RightScale platform is fully redundant
     • Automate failover processes for hot, warm or cold DR
  34. AUDIT
  35. Multi-Cloud Logging and Audit Trails. Approach:
     • Feed audit trails from individual clouds to the SIEM
     • Feed audit trails from the CMP to the SIEM
     • Feed audit trails from instances / servers to the SIEM
     (figure: public clouds, private clouds, any cloud service and virtual servers feeding the Cloud Management Platform, whose audit entries are exportable via an API to a SIEM or centralized logging facility)
  36. Gain Visibility with Audit Trails (ensure compliance)
     • See who changed what and when
     • Provide audit logs and reports to satisfy regulators
     • Available via API to integrate with other systems
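Slides 35 and 36 describe the approach (audit trails from each cloud, from the CMP and from servers, all fed to one SIEM) without showing what the normalization step looks like. The following is an added example, not code from the deck or from RightScale: it takes constructed audit entries from four sources, whose field names only loosely resemble real provider formats, maps them onto one common record (who, what, when, where, source, is it a change), orders them on a UTC timeline and emits the JSON-lines form most SIEMs ingest. The source names, the sample events and the "is this a change" rules are assumptions made for the example.

```python
import json
from datetime import datetime, timezone
from typing import Dict, List

# Constructed sample audit entries (hypothetical; field names only loosely
# resemble real provider formats). Four sources: two clouds, the CMP, a server.
CLOUD_A_EVENTS = [
    {"eventTime": "2018-06-01T10:00:00Z", "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"userName": "alice"}, "awsRegion": "us-east-1", "readOnly": False},
    {"eventTime": "2018-06-01T10:05:00Z", "eventName": "DescribeInstances",
     "userIdentity": {"userName": "bob"}, "awsRegion": "us-east-1", "readOnly": True},
]
CLOUD_B_EVENTS = [
    # Local-offset timestamp on purpose: it must land on the same UTC timeline.
    {"time": "2018-06-01T12:02:30+02:00",
     "operation": "Microsoft.Network/networkSecurityGroups/write",
     "caller": "carol@example.com", "region": "westeurope"},
]
CMP_EVENTS = [
    {"timestamp": "2018-06-01T09:58:00Z", "actor": "alice", "action": "policy.disable",
     "target": "open-security-group", "scope": "org/acme"},
]
SERVER_EVENTS = [
    {"host": "web-1", "ts": "2018-06-01T10:01:15Z", "user": "root", "cmd": "useradd deploy"},
]


def _utc(ts: str) -> datetime:
    """Parse an ISO-8601 timestamp (Z or explicit offset) into an aware UTC datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)


def _record(when, who, what, where, source, is_change) -> Dict:
    """The common audit schema every source is mapped onto."""
    return {"when": when, "who": who, "what": what, "where": where,
            "source": source, "is_change": is_change}


def normalize_cloud_a(e: Dict) -> Dict:
    # This source flags read-only calls itself; anything else is a change.
    return _record(_utc(e["eventTime"]), e["userIdentity"]["userName"], e["eventName"],
                   e["awsRegion"], "cloud-a", not e.get("readOnly", False))


def normalize_cloud_b(e: Dict) -> Dict:
    # This source encodes the verb in the last path segment of the operation name.
    op = e["operation"]
    return _record(_utc(e["time"]), e["caller"], op, e["region"], "cloud-b",
                   op.rsplit("/", 1)[-1] in {"write", "delete", "action"})


def normalize_cmp(e: Dict) -> Dict:
    # Every CMP audit entry records an action, so all of them are changes.
    return _record(_utc(e["timestamp"]), e["actor"], f'{e["action"]} {e["target"]}',
                   e["scope"], "cmp", True)


def normalize_server(e: Dict) -> Dict:
    return _record(_utc(e["ts"]), e["user"], e["cmd"], e["host"], "server", True)


def normalize_all() -> List[Dict]:
    """Merge all sources into one list ordered by UTC time."""
    events = ([normalize_cloud_a(e) for e in CLOUD_A_EVENTS]
              + [normalize_cloud_b(e) for e in CLOUD_B_EVENTS]
              + [normalize_cmp(e) for e in CMP_EVENTS]
              + [normalize_server(e) for e in SERVER_EVENTS])
    return sorted(events, key=lambda r: r["when"])


def change_timeline(events: List[Dict]):
    """Who changed what, and when: only state-changing events, oldest first."""
    return [(r["when"].isoformat(), r["source"], r["who"], r["what"])
            for r in events if r["is_change"]]


def to_siem_lines(events: List[Dict]) -> List[str]:
    """One JSON object per line, the shape most SIEMs and log collectors accept."""
    return [json.dumps({**r, "when": r["when"].isoformat()}, sort_keys=True)
            for r in events]


if __name__ == "__main__":
    for line in to_siem_lines(normalize_all()):
        print(line)
    for when, source, who, what in change_timeline(normalize_all()):
        print(f"{when} [{source}] {who}: {what}")
```

Putting the CMP's own audit trail on the same timeline as the clouds is what makes the sample readable as a story: the first change on the timeline is a policy being disabled in the CMP, followed two minutes later by a security-group change in the cloud, which is the kind of sequence a SIEM correlation rule can flag only when both sources arrive in one normalized format.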
  38. Cloud Provider Certifications
  39. Many Types of Policies (policies define and enforce governance rules)
     • Cost: unattached volumes; old snapshots; unused RIs; underutilized VMs; and more
     • Security: unsecured storage; open security groups; disallowed ports; open IAM policies; and more
     • Compliance: untagged resources; invalid tags; disallowed configurations; and more
     • Operational: no recent snapshots; no DB backup; no required alerts; upsize instances; and more
  40. Powerful Policy Engine: enforce security, operational, cost optimization or financial policies
     • Retrieve data exposed by the RightScale platform or any public APIs (cloud data, monitoring data, cost data, etc.)
     • Define validation logic, potentially mixing multiple data sources; write arbitrarily complex logic
     • Define remediations: run automatically, on a schedule, or require approval; send notifications; trigger orchestration (e.g. delete unattached volumes)
  41. What's Unique About RightScale Policies
     • Out-of-the-box and custom policies
     • One policy engine across all your clouds & services
     • Policies for any resource, regardless of how provisioned
     • Combine and test data from any API-enabled data source
     • Take any action on any API-enabled cloud/web service
     • Powerful workflow language for robust logic and actions
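Slides 39 to 41 describe a policy engine in three parts: retrieve resource data, apply validation logic, and define a remediation that either runs automatically or waits for approval. The block below is an added example written for this page, not RightScale's policy language or any of its APIs: it evaluates four of the policy types named on slide 39 (unattached volume, open security group, unsecured storage, untagged resource) against a constructed multi-cloud inventory and splits the findings into actions that run now and actions queued for approval. The inventory records, the disallowed-port list, the required-tag set and the policy definitions are all assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Set

# Constructed multi-cloud inventory (hypothetical; not data from any real CMP API).
# Each record is a resource normalized to a common shape regardless of cloud.
INVENTORY: List[Dict] = [
    {"cloud": "aws", "type": "volume", "id": "vol-1", "attached": False, "tags": {"owner": "team-a"}},
    {"cloud": "aws", "type": "volume", "id": "vol-2", "attached": True, "tags": {"owner": "team-a"}},
    {"cloud": "azure", "type": "security_group", "id": "sg-web",
     "rules": [{"port": 443, "cidr": "0.0.0.0/0"}]},
    {"cloud": "azure", "type": "security_group", "id": "sg-db",
     "rules": [{"port": 3306, "cidr": "0.0.0.0/0"}]},
    {"cloud": "gcp", "type": "instance", "id": "vm-7", "tags": {}},
    {"cloud": "gcp", "type": "storage", "id": "bucket-1", "public": True, "tags": {"owner": "team-b"}},
]

DISALLOWED_PUBLIC_PORTS = {22, 3389, 3306, 5432}   # assumed corporate standard
REQUIRED_TAGS = {"owner"}                          # assumed tagging standard


@dataclass
class Policy:
    name: str
    category: str                      # cost | security | compliance | operational
    applies_to: Set[str]               # resource types this policy evaluates
    violates: Callable[[Dict], bool]   # validation logic over one resource
    remediation: str                   # action the engine would trigger
    needs_approval: bool               # True: queue for a human; False: run automatically


@dataclass
class Finding:
    policy: str
    category: str
    cloud: str
    resource_id: str
    remediation: str
    needs_approval: bool


def open_disallowed_port(res: Dict) -> bool:
    """A rule that exposes a disallowed port to the whole internet is a violation."""
    return any(r["cidr"] == "0.0.0.0/0" and r["port"] in DISALLOWED_PUBLIC_PORTS
               for r in res["rules"])


def missing_required_tags(res: Dict) -> bool:
    return not REQUIRED_TAGS <= set(res.get("tags", {}))


POLICIES = [
    Policy("unattached-volume", "cost", {"volume"}, lambda r: not r["attached"],
           "delete volume", needs_approval=True),          # destructive: ask first
    Policy("open-security-group", "security", {"security_group"}, open_disallowed_port,
           "remove 0.0.0.0/0 rule", needs_approval=False),  # closing exposure: automatic
    Policy("unsecured-storage", "security", {"storage"}, lambda r: r.get("public", False),
           "set storage private", needs_approval=False),
    Policy("untagged-resource", "compliance", {"instance", "volume", "storage"},
           missing_required_tags, "notify owner to tag", needs_approval=False),
]


def evaluate(inventory: List[Dict], policies: List[Policy]) -> List[Finding]:
    """Run every policy over every resource of a matching type, across all clouds."""
    return [Finding(p.name, p.category, r["cloud"], r["id"], p.remediation, p.needs_approval)
            for p in policies for r in inventory
            if r["type"] in p.applies_to and p.violates(r)]


def plan_remediation(findings: List[Finding]) -> Dict[str, List[Finding]]:
    """Split findings into actions that run now and actions queued for approval."""
    return {"auto": [f for f in findings if not f.needs_approval],
            "pending_approval": [f for f in findings if f.needs_approval]}


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Finding count per policy category, the figure a governance dashboard shows."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


if __name__ == "__main__":
    plan = plan_remediation(evaluate(INVENTORY, POLICIES))
    for f in plan["auto"]:
        print(f"AUTO    {f.cloud}/{f.resource_id}: {f.policy} -> {f.remediation}")
    for f in plan["pending_approval"]:
        print(f"PENDING {f.cloud}/{f.resource_id}: {f.policy} -> {f.remediation}")
```

The split between automatic and approval-gated remediation is the design choice worth copying: closing a public database port or making a bucket private is safe to run unattended, whereas deleting a volume is irreversible and stays queued until someone approves it. Because the inventory is normalized before the policies run, one definition of "open security group" applies to every cloud, which is the "one policy engine across all your clouds" point of slide 41.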
  42. Cloud Comparison; Contact us; Q&A