Comprehensive Cloud Security Requires an Automated Approach

Comprehensive Cloud Security
Requires an Automated Approach
Andras Cser, VP and Principal Analyst
Forrester Research
Carson Sweet, CEO and Co-founder
CloudPassage
November 12, 2013

Cloud Security: Automation and
Centralization Matters

Andras Cser, VP and Principal Analyst

November 12, 2013

Agenda

› Why is Cloud Security Important
› Challenges with Cloud Security
› Forrester’s Recommendations

© 2013 Forrester Research, Inc. Reproduction Prohibited

3

Agenda

› Recommendations


4

Cloud-based Services Employed Regularly
“Which of the following cloud-based services have you employed on a regular basis?"
Compute (e.g., Amazon EC2, Microsoft Azure VM Role)

50%

Storage

49%

Relational database (e.g. SQL Azure)

42%

Development tools/IDE (e.g. Cloud9, Cloud Foundry)

37%

Social (e.g., Salesforce Chatter)

33%

Messaging

33%

Content management

31%

Message queuing

26%

Integration (e.g., Dell Boomi, IBM Cast Iron)

23%

Application-level caching

23%

Content delivery network

21%

Mobile back end

18%

BPM

16%

Nonrelational database
Don't know
Other

14%

3%
2%

Base = 175 software developers from companies with 1,000 or more employees
Source: Forrsights Developer Survey, Q1 2013

5

“Which of the following initiatives are likely to be your IT organization's top project and
organizational priorities over the next 12 months?”
Increase our use of software-as-a-service (cloud applications)

Critical or High priority

48%

Low priority

35%

Not on our agenda

Don't know

15%

1%

Base: 1,176 North American and European IT decision-makers at firms with 1,000 or more employees

Source: Forrester Software Survey, Q4 2012

6

Why Cloud Security is
like a two component
glue, a unique blend:
A: The Cloud is not
just a new delivery
platform
B: Cloud Security is
NOT just continuing
security and
extending it to the
cloud

7

Cloud Pulls the CISO in Many Directions
1. Cloud
Offers
Irresistible
Benefits

2. LOB
procures
cloud
services

CISO and
Security
Organization
Changes, aka
Uneven
Handshake
5. Security
Struggles to
Reduce Cloud
Security Risks

4. Data Center
Is Loosely
Coupled

3. CISO
Can’t Say No
All the Time
8

Cloud Security Means a Lot of Things to a
Lot of People
› What interfaces our company has to have to work well
with our Cloud Providers? (Security To the Cloud)

›
›
›

How can a Cloud Provider (like Amazon Web Services
or SalesForce.com) prove to us that they are secure?
(Security In the Cloud)
How can our company make its internal (and in some
cases, Cloud Provider) security better? (Security From
the Cloud)
What are the organizational implications of Cloud and
Cloud Security to our IT security organization?


9

Agenda

› Recommendations


11

General Challenges with Cloud Security
›

Ease of Use for End Users (you can’t control end users)
• Cloud security should not require users to change behaviors or
tools

›

Inconsistent Control (you don’t own everything)
• The only thing you can count on is guest VM ownership

› Elasticity (not all servers are steady-state)
• Cloudbursting, stale servers, dynamic provisioning

›

Scalability (highly variable server counts)
• May have one dev server or 1,000 production web servers

›

Portability (same controls work anywhere)
• Nobody wants multiple tools or IaaS provider lock-in


12

Challenges with Cloud Security
› Data protection
› Workload separation and multi tenancy
› Information Rights Management
› SaaS providers don’t help much with security related
concerns

›
›
›
›

Network Security
Identity and Access Management (IAM) and Privileged
Identity Management (PIM)
Business Continuity and Disaster Recovery (BCDR)
Log Management (SIEM)


13

Cloud Does NOT Shift the Responsibility
of Data Protection

› “When data is transferred to a
cloud, the responsibility for
protecting and securing the data
typically remains with the collector
or custodian of that data.”
Cloud Security Alliance, Guidance v3.0


14

Agenda

› Protecting Data In the Cloud
› Recommendations


15

When it comes to
responsibilities…

How do we
avoid this?

Who’s Responsible for IaaS Security?
AWS Shared Responsibility Model

“…the customer should assume responsibility
and management of, but not limited to, the
guest operating system and associated
application software...”

App Code
App Framework
Operating System

Amazon Web Services: Overview of Security
Processes

Virtual Machine
Hypervisor
Compute & Storage
Shared Network

Physical Facilities

Provider Responsibility

“it is possible for customers to enhance security
and/or meet more stringent compliance
requirements with the addition of host based
firewalls, host based intrusion
detection/prevention, encryption and key
management.”

Customer Responsibility

Data

Think Security From the Cloud
Typical questions and
requirements:
• How can you source security
services from MSSPs?
• How can you protect security
and data at our cloud
providers?
• In general: How do we
integrate on existing onpremise security with the
MSSPs security products?

Do your homework…
›
›
›
›
›
›
›

Get as much detail around security from your SaaS
provider as you can
Set clear boundaries for security responsibilities
between you and your IaaS/PaaS provider
Data protection, data protection, data protection
Don’t build your own tools
Apply comprehensive approach to cloud security
Centralize and scale security policy management for
your cloud
Automate your security (you can’t manually configure
thousands of servers)


19


20

Thank you
Andras Cser
+1 617.613.6365
acser@forrester.com

Security automation for
virtualized & cloud environments

Problem: Infrastructure Security Is Behind
›
›
›
›

Infrastructure more distributed and dynamic than ever
Current security models neither dynamic nor distributed
Perimeters, appliances, hardware reliance, stable
configurations, change control, endpoint security
solutions… all marginalized to worthless in new models
Without infrastructure security, all other security measures
are weak (castle on sand, not bedrock)

Security teams can’t assure security or
compliance, being dragged behind business

The Old Model: everything behind firewall, low
rate of change, very few infrastructure stacks

The New Model: multiple stacks, broadly
distributed, legacy approaches fail

Security Buyer Challenges
› Achieving compliance in cloud environments
• PCI, HIPAA, ISO 27002, SOC2, SANS Top 20, NIST

› Disparate systems & high rate of change
• “Dynamic” is core to cloud, new mode of operation
• Security orchestration & automation underserved needs

› Existing products don’t work well (if at all)
• Technically designed for a different time
• Do not match up to dynamic cloud operational models

Why Do Existing Solutions Fail?

Network &
hardware
dependencies

Cannot operate
across cloud
models

Lack of meteredusage licensing

Cannot handle
elasticity or wide
distribution

How we built high-scale
security & compliance
automation

Objective: Consolidate & Automate Controls

Halo Security Automation Platform

Automation Needs To Work Anywhere

Automation Must Extend Current Tools

Security Automation Outcomes
›

Massive reduction in security ops overhead
• Automated control deployment & orchestration

• Consolidation of otherwise disparate functions
• Single point of security & compliance management

›

Security and compliance consistency
• Security & compliance that’s truly built-in
• Eliminates opportunities for human error
• Deploy once, certify many (complex compliance)

› Enables safe use of cloud models
• Security teams have confidence in controls
• Cloud projects don’t require manual intervention

Key Takeaway:

Automating security enables saying
“yes” to cloud, improves security, and
makes complex compliance achievable.

Comprehensive Cloud Security Requires an Automated Approach

More Related Content

What's hot

Similar to Comprehensive Cloud Security Requires an Automated Approach

More from CloudPassage

Recently uploaded

Comprehensive Cloud Security Requires an Automated Approach