Outpost24 webinar - How to secure cloud services in the DevOps fast lane
1. How to secure cloud services
in the DevOps fast lane
Sergio Loureiro
Feb 2021
2. Helping customers improve security posture since 2001
Full stack security assessment
Over 2,000 customers in all regions of the world
Application security for DevSecOps
Comprehensive Cloud and Container security
3. • Software is eating the world
• DevOps vs security
• Shared responsibility
• Security best practice
• Recipe for cloud success
3
Agenda
5. • Agile
• Fast adoption of new technologies
and cloud services
• Software Assembly
• Automation and dev tools
integration
5
• Stuck with old security programs
• Too many new technologies to
master
• Too many components
• Too many configuration best
practices
• Poor automation
DevOps vs Security Teams
8. Top 3 Shared Responsibility Blind Spots
1. Even with SaaS, there is a configuration
2. Workloads are still your responsibility
3. Supply chain risk
8
9. • Configurations are too permissive by
default
• Behind the firewall perimeter is over,
no VPN
9
Exploits
• Bypassing MFA
• Federated authentication abuse
Consequences
• Propagation of attacks
Cloud ConfigurationExample
11. • Misconfigured Docker API port
• Looking for compute clusters:
vulnerable Redis servers
11
Exploits
• Rogue workloads
Consequences
• Overspending
• Data leak
Workloads Example
12. • Software comes from multiple
sources, public and private
• Build gets open-package indexes and
dependencies
12
Exploits
• Substitution of packages on publics
feeds
Consequences
• Hard to detect sophisticatedattacks
such as SolarWinds
Supply Chain Example
14. CISA and CIS hardening guidelines
• Zero trust conditional access
• MFA
• Securing privileged access
• Audit logs for anomalous activity
14
Security Best Practice – Cloud Configuration
15. Workload protection
• Vulnerability Management
• Microsegmentation
• System integrity
• Application Security
15
Security Best Practice - Workloads
Image credit: Gartner
16. Security Best Practice – Supply Chain
16
Source:
https://medium.com/@
alex.birsan/dependency-
confusion-4a5d60fec610
17. • Implement CSPM
• Fully automated, only using API
• Auto discovery
Next: Extend CSPM for all cloud
services
17
Recipe for Cloud Success – Cloud Configuration
18. • Shift left
• Automate testing
• Infrastructure as Code
Next: Implement Cloud Native
Computing Foundation guidelines
18
Recipe for Cloud Success - Workloads
19. Zero trust
• Limit feeds
• Controlled scopes
• Client-side verification
Next: Read Microsoft whitepaper
19
Recipe for Cloud Success – Supply Chain
20. Configurations
• CSPM
• AWS
• Azure
• GCP
• Container
• Docker
• Kubernetes
20
Supply chain
• Container
Inspection
• More to come
Workloads
• Vulnerability
Management
• Application
Security
How can Outpost24 help?