RightScale, profile picture
Uploaded byRightScale
PDF, PPTX2,449 views

8 Elements of Multi-Cloud Security

The document outlines eight essential elements of multi-cloud security, including visibility, identity and access control, workload security, data security, network security, business continuity/disaster recovery, audit, and compliance. It highlights the challenges enterprises face, such as security being the top concern, and discusses the need for a security ecosystem involving cloud providers and third-party vendors. Additionally, it emphasizes the importance of standardization, regulatory compliance, and disaster recovery strategies in managing multi-cloud environments.

Embed presentation

Download as PDF, PPTX
8 ELEMENTS OF MULTI-CLOUD SECURITY 1
o Bart Falzarano • Director, Security and Compliance, RightScale o Ryan Geyer • Cloud Solutions Architect, RightScale Panelists
POLLING QUESTIONS
o The State of Multi-Cloud Security o How to Think About Multi-Cloud Security o 8 Elements • Visibility • Identity and Access Control • Workload Security • Data Security • Network Security • Business Continuity/Disaster Recovery • Audit • Compliance Agenda
82% of Enterprises Want Multi-Cloud Single private 5% Single public 10% No plans 3% Multiple private 14% Multiple public 13% Hybrid cloud 55% 82% Enterprise Cloud Strategy 1000+ employees Multi-Cloud 82% Source: RightScale 2015 State of the Cloud Report
17% 21% 21% 18% 24% 17% 26% 17% 23% 24% 25% 25% 27% 28% Performance Governance/control Managing costs Managing multiple cloud services Compliance Lack of resources/expertise Security Cloud Challenges 2015 vs. 2014 % of Respondents Reporting These As Significant Challenges 2015 2014 Security Remains #1 Challenge Source: RightScale 2015 State of the Cloud Report
Decentralized Cloud Management 7
Security Features Vary by Cloud 8 Security Features AWS Azure Google IAM ✔ ✔ ✔ Encryption in DBaaS ✔ ✔ ✔ Key Management as a Service ✔ ✔ Hardware Key Management ✔ Security Assessment ✔ ✔ Configuration Governance ✔ ✔ Audit Trails ✔ ✔ ✔
Cloud Security Ecosystem Cloud Provider Enterprise RightScale 3rd Party Vendors Plan for a Cloud Security Ecosystem • CMDB • SIEM /Logging / Auditing • IdP • Configuration Management • Orchestration Workflows • Web Application Firewalls • File-Integrity Monitoring • Continuous Integration • Source Code Repositories
Options Abound o RightScale provides visibility, governance, auditing across clouds o Cloud providers offer cloud-specific security options o 3rd party vendors offer multi-cloud options o Ability for segregation of duties: encryption provider vs cloud storage provider Capability Who? Encrypt data in transit Vendor, Enterprise Encrypt data at rest Vendor, Cloud, Enterprise Secure communications RightScale, Cloud, Enterprise, Vendor Systems Configuration /Network segmentation Cloud, Enterprise, RightScale Integrate with IAM RightScale, Cloud, Enterprise, Vendors Privileged identity management RightScale, Cloud, Enterprise Backup/Replicate data RightScale, Cloud, Enterprise, Vendor Coordinate BC & DR RightScale, Cloud, Enterprise, Vendor Log cloud activity RightScale, Cloud, Enterprise, Vendor Shared Responsibility for Cloud Security
#1: VISIBILITY
Visibility • Can you see all your cloud accounts and instances? • Connect to all your clouds • Gain visibility to all your accounts You Can’t Control What You Can’t See 12 Many Accounts Across Clouds AWS Azure Google CloudStack OpenStack vSphere Account Account Account Account Account Account Account Account Account Account Account Account Account Account Account Account Account AccountAccount
Single pane of glass • Multi-cloud access • Public clouds • Private clouds • Virtualized • Control access • Standardize configuration • Patch and update • Audit trails RightScale: Multi-Cloud Visibility 13 AWS Azure Google CloudStack OpenStack vSphere
#2: IAM
• Mostly the same • Govern and enforce user access • Configure Role Management • Context Based Access Control • Enable Audit reporting • 3rd Party Identity Providers • SSO SAML, MFA, Oauth, ADFS • But… • How do you handle multiple clouds and accounts? • So how do you control cloud credentials? Considerations for IAM in Cloud 15 “Should this person (user) who performs this job function and therefore has these roles assigned (role) be allowed to access this type of data as it applies to this particular account (context)?”
Current state • CSPs follow proprietary schemes to support user provisioning and lifecycle management of user profiles • IAM Integrations accomplished through grafts and tie-ins • What’s the state of IAM for difference cloud providers? • Not all have IAM services for all features. • How do you manage multiple clouds? • Centralize control through your CMP • Limit users that can go directly to cloud accounts • AD Agents/Connectors • Okta, Ping Identity, OneLogin • Enterprise Directory Services • Active Directory Federation Services ADFS/ SAML integration Multi-Cloud IAM 16
Challenges • Difficult to implement, manage, and support • Difficult to scale and/ or extend to other CSPs • No direct coupling between AD and AWS IAM Integrating IAM 17 ADFS AWS STS A D SQ L 1 2 3 4 5 6 Your Environment SAML 7 AWS AWS account 123456789012 AWS account 111122223333 IAM roles=> ADFS-Production ADFS-DEV IAM roles=> ADFS-Production ADFS-DEV IAM role=> ADFS-DEV IAM role=> ADFS-DEV AWS account 777788889999 AWS account 444455556666 AD group memberships=> AWS-Production AWS-DEV User object attribute 123456789012 111122223333
What you get: • Aggregate accounts across clouds • Hierarchical organization of accounts • Security and access controls • SSO integration RightScale Multi-Cloud Access Controls 18 User BUser A User EUser DUser C Enterprise Account Cloud Account Cloud Account Cloud Account Cloud Account Cloud Account Cloud Account Account 2Account 1 RightScale Access Control Authenticate with passwords or SSO Authenticate with cloud credentials
#3: WORKLOAD SECURITY
Enforce Policies • Catalog of templates that meet corporate standards • Configured to your security requirements • Define which clouds can be used • Control user options and choices • Orchestrate and automate deployment and operations Workload Security: From Rogue to Policy-Based 20 Basic instances Stacks for Dev or Prod Applications
Standardization • Automate provisioning and configuration • Version-controlled • Follow standards for versions, patches and configuration • Leverage a variety of scripting languages • Modular and auditable • Define Security Configuration Baselines Standardize Server Configurations AWS Azure Google CloudStack OpenStack vSphere Multi-Cloud Image Configuration Scripts Containers 21
Standardize System Configurations 22 Load Balancers App Servers Master DB Slave DB Replicate > DNS Configure a system: Cloud Application Template (CAT) Configure a server: • ServerTemplates (portable) • Docker container (portable) • AMI • CloudFormation • VM template
Increase IT efficiency o Bring your own configuration management o Clone existing architectures o Updates and patches o Monitor and alert o Auto-scale up and down Patch and Update
• Asymmetric keys private/public • Key Management • NISTIR 7966 http://tinyurl.com/lhtujnv • Key storage options • Key Management-as-a-Service • AWS, Azure • Multi-tenant • Hardware Security Modules • On-premise • Cloud services (AWS) • RightScale • Encryption of keys -MUST Key Management 24
#4: DATA SECURITY
Compliance Requirements • PCI E-Commerce • HIPAA / PHI/ 21CFR11 • NPI / PII • FTI IRS PUB1075 • MPAA • Data Protection / Encryption • In-transit: MUST • At rest: MUST • In process: DEPENDS • Considerations in the Cloud • Select the right cloud provider • Some cloud providers encrypt by default • Review their security documents • Most Cloud Providers will sign BAA • Segregate workloads Data Security 26
Data Residency with a Global Cloud Platform Amazon Web Services Google Cloud Platform IBM SoftLayer Rackspace Windows Azure Public Clouds Singapore Hong Kong Japan Texas DC Area SF Area Seattle Chicago Dublin London Amsterdam Oregon São Paulo Midwest Beijing Sydney W Europe Private Clouds CloudStack OpenStack vSphere Melbourne Toronto Mexico City Taiwan 27
• Data privacy legislation differs around the world • Evaluate encryption options where you manage the keys (a la Amazon Aurora) so vendor can’t give data in case of subpoena • What is the CSP’s data retention period? • What country is the CSP headquartered out of? • Which jurisdiction covers the contract between you and the CSP? Data Residency: Impact of Safe Harbor 28
#5: NETWORK SECURITY
• HTTPS / TLS • SSL? • IP address Whitelisting • VPN IPSEC • VPC (AWS) Securely Connecting to Cloud
• AWS DirectConnect • Azure ExpressRoute • Google Carrier Interconnect • SoftLayer DirectLink Direct Connection Options 31 AWS Cage Customer Cage AWS Direct Connect Azure Cage Customer Cage Azure ExpressRoute
Comply with policies • Quickly Audit Security Groups • Interactive Network Visualization • Maintain Security and Compliance Network Visibility 32
#6: BUSINESS CONTINUITY & DISASTER RECOVERY
34 SLAs by Cloud Certification AWS Azure Google SoftLayer Uptime SLA 99.95% 99.95% 99.95% 100% Max SLA Credit on monthly bill 30% 25% 50% 5% per 30 minutes downtime Downtime Calculation Any minutes downtime Any minutes downtime 5+ consecutive minutes downtime 30+ consecutive minutes downtime
Architect for SLAs • HA/DR reference architectures • Cross-region and cross- cloud • Auto-scale to meet demand • Hybrid cloudbursting • Monitor and automate failover • Hot, warm, and cold DR scenarios Implement DR Architectures for your Apps 35 Load Balancers App Servers Slave DB Master DB App Servers Slave DB < Replicate Replicate > Load Balancers PRIMARY WARM DR DNS
Ensure availability o Separate management plane from cloud and cloud applications o RightScale platform is fully redundant o Automate failover processes for hot, warm or cold DR Outage-Proof with Independent Control Plane
#7: AUDIT
38 o Cloud Trails o Azure Diagnostics o Google Cloud Logging (beta) o SoftLayer Audit Trails What Audit Tools by Provider?
Approach: • Feed audit trails from individual clouds to SIEM • Feed audit trails from CMP to SIEM Multi-Cloud Logging and Audit Trails 39 Cloud Management Platform Cloud SIEM Cloud Cloud Cloud Cloud Cloud
Ensure compliance o See who changed what and when o Provide audit logs and reports to satisfy regulators o Available via API to integrate with other systems Gain Visibility with Audit Trails
#8: COMPLIANCE
Cloud Provider Certifications Matrix 42 Certification AWS Azure Google SoftLayer PCI DSS1     HIPAA     SSAE16 SOC1 (Type II)     SSAE16 SOC2 (Type II)     SSAE16 SOC3 (Type II)     ISO 27001     ISO 27017  ISO 27018    CSA    FedRAMP   In process  FISMA    
• RightScale Certifications • State of the Cloud Report • www.rightscale.com/2015-cloud-report • Private and Hybrid Cloud Whitepaper • www.rightscale.com/private-hybrid-cloud-whitepaper Questions? 43 SSAE16 SOC1 and SOC2 Type II PCI DSS SAQ C CompliantU.S.-EU Safe Harbor Framework and U.S.-Swiss Safe Harbor Framework

More Related Content

PDF
How to Manage VMware vSphere Like AWS and Azure
byRightScale
 
PDF
How 2015 Cloud Trends Should Impact Your 2016 Cloud Strategy
byRightScale
 
PDF
The Path to Broker Cloud Services
byRightScale
 
PDF
Beyond PaaS v.s IaaS: How to Manage Both
byRightScale
 
PDF
Successful Cloud Orchestration with RightScale CMP
byRightScale
 
PPTX
How to Manage Clouds, VMs and Bare Metal via RightScale
byRightScale
 
PDF
7 Common Questions About a Cloud Management Platform
byRightScale
 
PDF
Best Practices for Your CMP RFP or RFI
byRightScale
 
How to Manage VMware vSphere Like AWS and Azure
byRightScale
 
How 2015 Cloud Trends Should Impact Your 2016 Cloud Strategy
byRightScale
 
The Path to Broker Cloud Services
byRightScale
 
Beyond PaaS v.s IaaS: How to Manage Both
byRightScale
 
Successful Cloud Orchestration with RightScale CMP
byRightScale
 
How to Manage Clouds, VMs and Bare Metal via RightScale
byRightScale
 
7 Common Questions About a Cloud Management Platform
byRightScale
 
Best Practices for Your CMP RFP or RFI
byRightScale
 

What's hot

PDF
How to Find and Fix Waste to Optimize Your Cloud Spend
byRightScale
 
PDF
Cloud Trends for 2017 and Actions You Can Take Now
byRightScale
 
PDF
Top 10 Cloud Trends for 2018 and Actions You Can Take Now
byRightScale
 
PDF
Multi-Cloud Management with RightScale CMP (Demo)
byRightScale
 
PDF
Automating Cloud Operations: Tips from Managed Services
byAngela_Tripp
 
PDF
Using RightScale CMP with Cloud Provider Tools
byRightScale
 
PDF
Cloud Orchestration with RightScale Cloud Workflow
byRightScale
 
PDF
How MSPs Can Be Successful in AWS, Azure, and Google Clouds
byRightScale
 
PDF
Ten Ways to Optimize Costs on Public and Private Clouds
byRightScale
 
PDF
RightScale Webinar: Hybrid-IT: Connecting Your On-Premises Infrastructure Wit...
byRightScale
 
PDF
How to Report and Optimize Cloud Costs Across All Your Clouds by RightScale
byRightScale
 
PDF
Cloud Lessons Learned: 3 Cloud Case Studies
byRightScale
 
PDF
Managing Container-as-a-Service and Docker Clusters in the Cloud with RightScale
byRightScale
 
PDF
Got a Multi-Cloud Strategy? How RightScale CMP Helps
byRightScale
 
PDF
Cloud Migration and Portability (with and without Containers)
byRightScale
 
PDF
Automating Multi-Cloud Policies for AWS, Azure, Google, and More
byRightScale
 
How to Find and Fix Waste to Optimize Your Cloud Spend
byRightScale
 
Cloud Trends for 2017 and Actions You Can Take Now
byRightScale
 
Top 10 Cloud Trends for 2018 and Actions You Can Take Now
byRightScale
 
Multi-Cloud Management with RightScale CMP (Demo)
byRightScale
 
Automating Cloud Operations: Tips from Managed Services
byAngela_Tripp
 
Using RightScale CMP with Cloud Provider Tools
byRightScale
 
Cloud Orchestration with RightScale Cloud Workflow
byRightScale
 
How MSPs Can Be Successful in AWS, Azure, and Google Clouds
byRightScale
 
Ten Ways to Optimize Costs on Public and Private Clouds
byRightScale
 
RightScale Webinar: Hybrid-IT: Connecting Your On-Premises Infrastructure Wit...
byRightScale
 
How to Report and Optimize Cloud Costs Across All Your Clouds by RightScale
byRightScale
 
Cloud Lessons Learned: 3 Cloud Case Studies
byRightScale
 
Managing Container-as-a-Service and Docker Clusters in the Cloud with RightScale
byRightScale
 
Got a Multi-Cloud Strategy? How RightScale CMP Helps
byRightScale
 
Cloud Migration and Portability (with and without Containers)
byRightScale
 
Automating Multi-Cloud Policies for AWS, Azure, Google, and More
byRightScale
 

Similar to 8 Elements of Multi-Cloud Security

PDF
Best Practices for Multi-Cloud Security and Compliance
byRightScale
 
PDF
RightScale Webinar: Security and Compliance in the Cloud
byRightScale
 
PDF
Architecting Data Services for the Cloud: Security Considerations and Best Pr...
byAdnene Guabtni
 
PDF
Securing The Clouds with The Standard Best Practices-1.pdf
byChinatu Uzuegbu
 
PPTX
Cloud security Presentation
byAjay p
 
PPTX
Transforming cloud security into an advantage
byMoshe Ferber
 
PPTX
dtechnClouologyassociatepart2
byAnne Starr
 
PDF
Security Considerations When Using Cloud Infrastructure Services.pdf
byCiente
 
PDF
Cloud Customer Architecture for Securing Workloads on Cloud Services
byCloud Standards Customer Council
 
PPT
Securing Sensitive Data in Your Hybrid Cloud
byRightScale
 
PPTX
Cloud computing and Cloud security fundamentals
byViresh Suri
 
PDF
Cloud services and it security
byEast Midlands Cyber Security Forum
 
PPTX
security and compliance in the cloud
byAjay Rathi
 
PPTX
A Throwaway Deck for Cloud Security Essentials 2.0 delivered at RSA 2016
byShannon Lietz
 
PPTX
Cloud-Architecture-Technology-Deovps-Eng
byGanesh Bhosale
 
PDF
Practical Cloud Security A Guide For Secure Design And Deployment 1st Edition...
byjaromdembo
 
PPT
Cloud computing-security-issues
byAleem Mohammed
 
PPTX
(ISC)2 CCSP - Certified Cloud Security Professional
byHatem ElSahhar
 
PDF
Practical Cloud Security A Guide for Secure Design and Deployment 1st Edition...
bybvpxmqwie0546
 
PPTX
Cloud is not an option, but is security?
byJody Keyser
 
Best Practices for Multi-Cloud Security and Compliance
byRightScale
 
RightScale Webinar: Security and Compliance in the Cloud
byRightScale
 
Architecting Data Services for the Cloud: Security Considerations and Best Pr...
byAdnene Guabtni
 
Securing The Clouds with The Standard Best Practices-1.pdf
byChinatu Uzuegbu
 
Cloud security Presentation
byAjay p
 
Transforming cloud security into an advantage
byMoshe Ferber
 
dtechnClouologyassociatepart2
byAnne Starr
 
Security Considerations When Using Cloud Infrastructure Services.pdf
byCiente
 
Cloud Customer Architecture for Securing Workloads on Cloud Services
byCloud Standards Customer Council
 
Securing Sensitive Data in Your Hybrid Cloud
byRightScale
 
Cloud computing and Cloud security fundamentals
byViresh Suri
 
Cloud services and it security
byEast Midlands Cyber Security Forum
 
security and compliance in the cloud
byAjay Rathi
 
A Throwaway Deck for Cloud Security Essentials 2.0 delivered at RSA 2016
byShannon Lietz
 
Cloud-Architecture-Technology-Deovps-Eng
byGanesh Bhosale
 
Practical Cloud Security A Guide For Secure Design And Deployment 1st Edition...
byjaromdembo
 
Cloud computing-security-issues
byAleem Mohammed
 
(ISC)2 CCSP - Certified Cloud Security Professional
byHatem ElSahhar
 
Practical Cloud Security A Guide for Secure Design and Deployment 1st Edition...
bybvpxmqwie0546
 
Cloud is not an option, but is security?
byJody Keyser
 

More from RightScale

PDF
10 Must-Have Automated Cloud Policies for IT Governance
byRightScale
 
PDF
Kubernetes and Terraform in the Cloud: How RightScale Does DevOps
byRightScale
 
PDF
Optimize Software, SaaS, and Cloud with Flexera and RightScale
byRightScale
 
PDF
Prepare Your Enterprise Cloud Strategy for 2019: 7 Things to Think About Now
byRightScale
 
PDF
How to Set Up a Cloud Cost Optimization Process for your Enterprise
byRightScale
 
PDF
Comparing Cloud VM Types and Prices: AWS vs Azure vs Google vs IBM
byRightScale
 
PDF
How to Allocate and Report Cloud Costs with RightScale Optima
byRightScale
 
PDF
Should You Move Between AWS, Azure, or Google Clouds? Considerations, Pros an...
byRightScale
 
PDF
The 5 Stages of Cloud Management for Enterprises
byRightScale
 
PDF
9 Ways to Reduce Cloud Storage Costs
byRightScale
 
PDF
Serverless Comparison: AWS vs Azure vs Google vs IBM
byRightScale
 
PDF
Best Practices for Cloud Managed Services Providers: The Path to CMP Success
byRightScale
 
PDF
Cloud Storage Comparison: AWS vs Azure vs Google vs IBM
byRightScale
 
PDF
2018 Cloud Trends: RightScale State of the Cloud Report
byRightScale
 
PDF
How to Manage Cloud Costs with RightScale Optima
byRightScale
 
PDF
AWS re:Invent 2017 Recap
byRightScale
 
PDF
Cloud Instances Price Comparison: AWS vs Azure vs Google vs IBM
byRightScale
 
PDF
Enterprise Cloud Strategy: 7 Areas You Need to Re-Think
byRightScale
 
PDF
Orchestrating PaaS and IaaS+ with RightScale
byRightScale
 
PDF
Understanding VMware Cloud on AWS
byRightScale
 
10 Must-Have Automated Cloud Policies for IT Governance
byRightScale
 
Kubernetes and Terraform in the Cloud: How RightScale Does DevOps
byRightScale
 
Optimize Software, SaaS, and Cloud with Flexera and RightScale
byRightScale
 
Prepare Your Enterprise Cloud Strategy for 2019: 7 Things to Think About Now
byRightScale
 
How to Set Up a Cloud Cost Optimization Process for your Enterprise
byRightScale
 
Comparing Cloud VM Types and Prices: AWS vs Azure vs Google vs IBM
byRightScale
 
How to Allocate and Report Cloud Costs with RightScale Optima
byRightScale
 
Should You Move Between AWS, Azure, or Google Clouds? Considerations, Pros an...
byRightScale
 
The 5 Stages of Cloud Management for Enterprises
byRightScale
 
9 Ways to Reduce Cloud Storage Costs
byRightScale
 
Serverless Comparison: AWS vs Azure vs Google vs IBM
byRightScale
 
Best Practices for Cloud Managed Services Providers: The Path to CMP Success
byRightScale
 
Cloud Storage Comparison: AWS vs Azure vs Google vs IBM
byRightScale
 
2018 Cloud Trends: RightScale State of the Cloud Report
byRightScale
 
How to Manage Cloud Costs with RightScale Optima
byRightScale
 
AWS re:Invent 2017 Recap
byRightScale
 
Cloud Instances Price Comparison: AWS vs Azure vs Google vs IBM
byRightScale
 
Enterprise Cloud Strategy: 7 Areas You Need to Re-Think
byRightScale
 
Orchestrating PaaS and IaaS+ with RightScale
byRightScale
 
Understanding VMware Cloud on AWS
byRightScale
 

Recently uploaded

PDF
Top 5 Best Dedicated Server Providers in Los Angeles (Updated Edition)
byAtal Networks
 
PPTX
CodeMash 2026 - Optimizing Azure App Services
byBrian McKeiver
 
PPT
Telecommunication system introduction to wireless communication
by143irha
 
PDF
UiPath Coded Agents - A Developer Driven Agentic Automation Era
byUiPathCommunity
 
PDF
MINDCTI Revenue Release Quarter 3 2025 - Financial Presentation
byMIND CTI
 
PDF
Are AI Hallucinations Getting Better or Worse? We Analyzed the Data.
byScott M. Graffius
 
PDF
TrustArc Webinar - Unpacking India’s DPDP Act: What You Should Know
byTrustArc
 
PPTX
Webinar: EVerest for Production: Accelerating EV Charger Development w/ Indus...
byDanBrown980551
 
PDF
One String, Many Prompts: AI Code Generation
byGeoffrey Goetz
 
PDF
Presentation of Cybersecurity and data protection
bytarikaityahya2
 
PDF
5G Explained! A High Level Overview [Introduction]
byLuciano Motta
 
PDF
Special Reeling Cable Specification _ Anhui Feichun Special Cable Co., Ltd_.pdf
byAnhui Feichun Special Cable Co., Ltd.
 
PPTX
AI Meets DBA Transforming Database Administration with Intelligence
byGeoPITS Global Pvt Ltd
 
PPTX
Becoming Frontier for Dynamics 365 Finance PPT
byjonbravetti
 
PPTX
Robot Vacuums are Cleaning Up. The global robot vacuum segment has high marke...
byRobert March
 
PDF
Pervasive Encryption - Keeping Data Secure.pdf
byPrecisely
 
PDF
Français Patch Tuesday - Janvier
byIvanti
 
PDF
Unlocking Gen AI Capabilities Within UiPath Document Understanding
byDianaGray10
 
PDF
Adding Copilot+ PCs with Snapdragon to your HP fleet won’t require IT deploym...
byPrincipled Technologies
 
PDF
Lightweight, Travel-Ready Freedom for Adults and Seniors
byTopmate
 
Top 5 Best Dedicated Server Providers in Los Angeles (Updated Edition)
byAtal Networks
 
CodeMash 2026 - Optimizing Azure App Services
byBrian McKeiver
 
Telecommunication system introduction to wireless communication
by143irha
 
UiPath Coded Agents - A Developer Driven Agentic Automation Era
byUiPathCommunity
 
MINDCTI Revenue Release Quarter 3 2025 - Financial Presentation
byMIND CTI
 
Are AI Hallucinations Getting Better or Worse? We Analyzed the Data.
byScott M. Graffius
 
TrustArc Webinar - Unpacking India’s DPDP Act: What You Should Know
byTrustArc
 
Webinar: EVerest for Production: Accelerating EV Charger Development w/ Indus...
byDanBrown980551
 
One String, Many Prompts: AI Code Generation
byGeoffrey Goetz
 
Presentation of Cybersecurity and data protection
bytarikaityahya2
 
5G Explained! A High Level Overview [Introduction]
byLuciano Motta
 
Special Reeling Cable Specification _ Anhui Feichun Special Cable Co., Ltd_.pdf
byAnhui Feichun Special Cable Co., Ltd.
 
AI Meets DBA Transforming Database Administration with Intelligence
byGeoPITS Global Pvt Ltd
 
Becoming Frontier for Dynamics 365 Finance PPT
byjonbravetti
 
Robot Vacuums are Cleaning Up. The global robot vacuum segment has high marke...
byRobert March
 
Pervasive Encryption - Keeping Data Secure.pdf
byPrecisely
 
Français Patch Tuesday - Janvier
byIvanti
 
Unlocking Gen AI Capabilities Within UiPath Document Understanding
byDianaGray10
 
Adding Copilot+ PCs with Snapdragon to your HP fleet won’t require IT deploym...
byPrincipled Technologies
 
Lightweight, Travel-Ready Freedom for Adults and Seniors
byTopmate
 

8 Elements of Multi-Cloud Security

  • 1.
  • 2.
    o Bart Falzarano •Director, Security and Compliance, RightScale o Ryan Geyer • Cloud Solutions Architect, RightScale Panelists
  • 3.
  • 4.
    o The Stateof Multi-Cloud Security o How to Think About Multi-Cloud Security o 8 Elements • Visibility • Identity and Access Control • Workload Security • Data Security • Network Security • Business Continuity/Disaster Recovery • Audit • Compliance Agenda
  • 5.
    82% of EnterprisesWant Multi-Cloud Single private 5% Single public 10% No plans 3% Multiple private 14% Multiple public 13% Hybrid cloud 55% 82% Enterprise Cloud Strategy 1000+ employees Multi-Cloud 82% Source: RightScale 2015 State of the Cloud Report
  • 6.
    17% 21% 21% 18% 24% 17% 26% 17% 23% 24% 25% 25% 27% 28% Performance Governance/control Managing costs Managing multiplecloud services Compliance Lack of resources/expertise Security Cloud Challenges 2015 vs. 2014 % of Respondents Reporting These As Significant Challenges 2015 2014 Security Remains #1 Challenge Source: RightScale 2015 State of the Cloud Report
  • 7.
  • 8.
    Security Features Varyby Cloud 8 Security Features AWS Azure Google IAM ✔ ✔ ✔ Encryption in DBaaS ✔ ✔ ✔ Key Management as a Service ✔ ✔ Hardware Key Management ✔ Security Assessment ✔ ✔ Configuration Governance ✔ ✔ Audit Trails ✔ ✔ ✔
  • 9.
    Cloud Security Ecosystem Cloud Provider Enterprise RightScale 3rd Party Vendors Planfor a Cloud Security Ecosystem • CMDB • SIEM /Logging / Auditing • IdP • Configuration Management • Orchestration Workflows • Web Application Firewalls • File-Integrity Monitoring • Continuous Integration • Source Code Repositories
  • 10.
    Options Abound o RightScaleprovides visibility, governance, auditing across clouds o Cloud providers offer cloud-specific security options o 3rd party vendors offer multi-cloud options o Ability for segregation of duties: encryption provider vs cloud storage provider Capability Who? Encrypt data in transit Vendor, Enterprise Encrypt data at rest Vendor, Cloud, Enterprise Secure communications RightScale, Cloud, Enterprise, Vendor Systems Configuration /Network segmentation Cloud, Enterprise, RightScale Integrate with IAM RightScale, Cloud, Enterprise, Vendors Privileged identity management RightScale, Cloud, Enterprise Backup/Replicate data RightScale, Cloud, Enterprise, Vendor Coordinate BC & DR RightScale, Cloud, Enterprise, Vendor Log cloud activity RightScale, Cloud, Enterprise, Vendor Shared Responsibility for Cloud Security
  • 11.
  • 12.
    Visibility • Can yousee all your cloud accounts and instances? • Connect to all your clouds • Gain visibility to all your accounts You Can’t Control What You Can’t See 12 Many Accounts Across Clouds AWS Azure Google CloudStack OpenStack vSphere Account Account Account Account Account Account Account Account Account Account Account Account Account Account Account Account Account AccountAccount
  • 13.
    Single pane ofglass • Multi-cloud access • Public clouds • Private clouds • Virtualized • Control access • Standardize configuration • Patch and update • Audit trails RightScale: Multi-Cloud Visibility 13 AWS Azure Google CloudStack OpenStack vSphere
  • 14.
  • 15.
    • Mostly thesame • Govern and enforce user access • Configure Role Management • Context Based Access Control • Enable Audit reporting • 3rd Party Identity Providers • SSO SAML, MFA, Oauth, ADFS • But… • How do you handle multiple clouds and accounts? • So how do you control cloud credentials? Considerations for IAM in Cloud 15 “Should this person (user) who performs this job function and therefore has these roles assigned (role) be allowed to access this type of data as it applies to this particular account (context)?”
  • 16.
    Current state • CSPsfollow proprietary schemes to support user provisioning and lifecycle management of user profiles • IAM Integrations accomplished through grafts and tie-ins • What’s the state of IAM for difference cloud providers? • Not all have IAM services for all features. • How do you manage multiple clouds? • Centralize control through your CMP • Limit users that can go directly to cloud accounts • AD Agents/Connectors • Okta, Ping Identity, OneLogin • Enterprise Directory Services • Active Directory Federation Services ADFS/ SAML integration Multi-Cloud IAM 16
  • 17.
    Challenges • Difficult toimplement, manage, and support • Difficult to scale and/ or extend to other CSPs • No direct coupling between AD and AWS IAM Integrating IAM 17 ADFS AWS STS A D SQ L 1 2 3 4 5 6 Your Environment SAML 7 AWS AWS account 123456789012 AWS account 111122223333 IAM roles=> ADFS-Production ADFS-DEV IAM roles=> ADFS-Production ADFS-DEV IAM role=> ADFS-DEV IAM role=> ADFS-DEV AWS account 777788889999 AWS account 444455556666 AD group memberships=> AWS-Production AWS-DEV User object attribute 123456789012 111122223333
  • 18.
    What you get: •Aggregate accounts across clouds • Hierarchical organization of accounts • Security and access controls • SSO integration RightScale Multi-Cloud Access Controls 18 User BUser A User EUser DUser C Enterprise Account Cloud Account Cloud Account Cloud Account Cloud Account Cloud Account Cloud Account Account 2Account 1 RightScale Access Control Authenticate with passwords or SSO Authenticate with cloud credentials
  • 19.
  • 20.
    Enforce Policies • Catalogof templates that meet corporate standards • Configured to your security requirements • Define which clouds can be used • Control user options and choices • Orchestrate and automate deployment and operations Workload Security: From Rogue to Policy-Based 20 Basic instances Stacks for Dev or Prod Applications
  • 21.
    Standardization • Automate provisioningand configuration • Version-controlled • Follow standards for versions, patches and configuration • Leverage a variety of scripting languages • Modular and auditable • Define Security Configuration Baselines Standardize Server Configurations AWS Azure Google CloudStack OpenStack vSphere Multi-Cloud Image Configuration Scripts Containers 21
  • 22.
    Standardize System Configurations 22 LoadBalancers App Servers Master DB Slave DB Replicate > DNS Configure a system: Cloud Application Template (CAT) Configure a server: • ServerTemplates (portable) • Docker container (portable) • AMI • CloudFormation • VM template
  • 23.
    Increase IT efficiency oBring your own configuration management o Clone existing architectures o Updates and patches o Monitor and alert o Auto-scale up and down Patch and Update
  • 24.
    • Asymmetric keysprivate/public • Key Management • NISTIR 7966 http://tinyurl.com/lhtujnv • Key storage options • Key Management-as-a-Service • AWS, Azure • Multi-tenant • Hardware Security Modules • On-premise • Cloud services (AWS) • RightScale • Encryption of keys -MUST Key Management 24
  • 25.
  • 26.
    Compliance Requirements • PCI E-Commerce •HIPAA / PHI/ 21CFR11 • NPI / PII • FTI IRS PUB1075 • MPAA • Data Protection / Encryption • In-transit: MUST • At rest: MUST • In process: DEPENDS • Considerations in the Cloud • Select the right cloud provider • Some cloud providers encrypt by default • Review their security documents • Most Cloud Providers will sign BAA • Segregate workloads Data Security 26
  • 27.
    Data Residency witha Global Cloud Platform Amazon Web Services Google Cloud Platform IBM SoftLayer Rackspace Windows Azure Public Clouds Singapore Hong Kong Japan Texas DC Area SF Area Seattle Chicago Dublin London Amsterdam Oregon São Paulo Midwest Beijing Sydney W Europe Private Clouds CloudStack OpenStack vSphere Melbourne Toronto Mexico City Taiwan 27
  • 28.
    • Data privacylegislation differs around the world • Evaluate encryption options where you manage the keys (a la Amazon Aurora) so vendor can’t give data in case of subpoena • What is the CSP’s data retention period? • What country is the CSP headquartered out of? • Which jurisdiction covers the contract between you and the CSP? Data Residency: Impact of Safe Harbor 28
  • 29.
  • 30.
    • HTTPS /TLS • SSL? • IP address Whitelisting • VPN IPSEC • VPC (AWS) Securely Connecting to Cloud
  • 31.
    • AWS DirectConnect •Azure ExpressRoute • Google Carrier Interconnect • SoftLayer DirectLink Direct Connection Options 31 AWS Cage Customer Cage AWS Direct Connect Azure Cage Customer Cage Azure ExpressRoute
  • 32.
    Comply with policies •Quickly Audit Security Groups • Interactive Network Visualization • Maintain Security and Compliance Network Visibility 32
  • 33.
    #6: BUSINESS CONTINUITY &DISASTER RECOVERY
  • 34.
    34 SLAs by Cloud CertificationAWS Azure Google SoftLayer Uptime SLA 99.95% 99.95% 99.95% 100% Max SLA Credit on monthly bill 30% 25% 50% 5% per 30 minutes downtime Downtime Calculation Any minutes downtime Any minutes downtime 5+ consecutive minutes downtime 30+ consecutive minutes downtime
  • 35.
    Architect for SLAs •HA/DR reference architectures • Cross-region and cross- cloud • Auto-scale to meet demand • Hybrid cloudbursting • Monitor and automate failover • Hot, warm, and cold DR scenarios Implement DR Architectures for your Apps 35 Load Balancers App Servers Slave DB Master DB App Servers Slave DB < Replicate Replicate > Load Balancers PRIMARY WARM DR DNS
  • 36.
    Ensure availability o Separatemanagement plane from cloud and cloud applications o RightScale platform is fully redundant o Automate failover processes for hot, warm or cold DR Outage-Proof with Independent Control Plane
  • 37.
  • 38.
    38 o Cloud Trails oAzure Diagnostics o Google Cloud Logging (beta) o SoftLayer Audit Trails What Audit Tools by Provider?
  • 39.
    Approach: • Feed audittrails from individual clouds to SIEM • Feed audit trails from CMP to SIEM Multi-Cloud Logging and Audit Trails 39 Cloud Management Platform Cloud SIEM Cloud Cloud Cloud Cloud Cloud
  • 40.
    Ensure compliance o Seewho changed what and when o Provide audit logs and reports to satisfy regulators o Available via API to integrate with other systems Gain Visibility with Audit Trails
  • 41.
  • 42.
    Cloud Provider CertificationsMatrix 42 Certification AWS Azure Google SoftLayer PCI DSS1     HIPAA     SSAE16 SOC1 (Type II)     SSAE16 SOC2 (Type II)     SSAE16 SOC3 (Type II)     ISO 27001     ISO 27017  ISO 27018    CSA    FedRAMP   In process  FISMA    
  • 43.
    • RightScale Certifications •State of the Cloud Report • www.rightscale.com/2015-cloud-report • Private and Hybrid Cloud Whitepaper • www.rightscale.com/private-hybrid-cloud-whitepaper Questions? 43 SSAE16 SOC1 and SOC2 Type II PCI DSS SAQ C CompliantU.S.-EU Safe Harbor Framework and U.S.-Swiss Safe Harbor Framework