Mighty Guides, Inc., profile picture
Uploaded byMighty Guides, Inc.
345 views

Resetting Your Security Thinking for the Public Cloud

The document discusses the complexities of securing cloud infrastructures as organizations increasingly adopt cloud-first strategies. Seven security experts emphasize the need for a paradigm shift in security practices to effectively protect public cloud environments, focusing on automation, continuous monitoring, and integration of security into all operational processes. Additionally, the text highlights the challenges of transitioning from traditional security approaches to strategies that align with the dynamic and scalable nature of cloud computing.

Embed presentation

Download to read offline
RESETTINGYOURSECURITY THINKINGFORTHEPUBLICCLOUD Seven experts discuss the intricacies of securing cloud infrastructures. Sponsored bySponsored by
2 INTRODUCTION As businesses build increasingly complex IT infrastructures consisting of public, private, and hybrid cloud instances, securing these frameworks has become the cornerstone of IT strategy. Many security fundamentals remain unchanged, but how you address them in the public cloud is altogether different. We take a closer look at securing cloud infrastructures by asking seven experts the following question: To operate public cloud-based IT infrastructures securely, what security thinking needs to change, and why? Mighty Guides make you stronger. These authoritative and diverse guides provide a full view of a topic. They help you explore, compare, and contrast a variety of viewpoints so that you can determine what will work best for you. Reading a Mighty Guide is kind of like having your own team of experts. Each heartfelt and sincere piece of advice in this guide sits right next to the contributor’s name, biography, and links so that you can learn more about their work. This background information gives you the proper context for each expert’s independent perspective. Credible advice from top experts helps you make strong decisions. Strong decisions make you mighty. © 2019 Mighty Guides, Inc. I 62 Nassau Drive I Great Neck, NY 11021 I 516-360-2622 I www.mightyguides.com
3 FOREWORD The network is dead. Reset your security mindset for a public cloud More organizations are adopting cloud-first strategies as they initiate new projects or migrate from older systems. To meet rigorous business demands, they operate with frequent code releases, increasingly make use of containers, and process and store data for compliance and cost-management. It’s a lot to manage, and SIEMs and firewalls just can’t provide the level of insight required — they aren’t engineered for automation, and they definitely can’t operate at scale. Old school security merchants can’t build solutions fast enough to address the growing tide of cloud migrants and upstarts initiating a cloud-first strategy, so they’re opting to piece together component parts to make something that vaguely resembles a comprehensive solution. Their sales approach is menu-like, but their product strategy is far from unified. This is confusing for customers, especially as security teams question whether a company with a hardware mentality can adapt its technology and product strategy to meet the velocity and scalability needs of fast-moving organizations. It’s time for a new approach, one optimized for the cloud and containerized environments that provides comprehensive threat defense, intrusion detection, and compliance management over their cloud accounts and workloads, all at scale. This book offers valuable insights into how innovative security managers approach defense and risk management for their multicloud infrastructures. Lacework is a SaaS platform that automates threat defense, intrusion detection, and compliance for cloud workloads & containers. Lacework monitors all your critical assets in the cloud and automatically detects threats and anomalous activity so you can take action before your company is at risk. The result? Deeper security visibility and greater threat defense for your critical cloud workloads, containers, and IaaS accounts. Based in Mountain View, California, Lacework is a privately held company funded by Sutter Hill Ventures, Liberty Global Ventures, Spike Ventures, the Webb Investment Network (WIN), and AME Cloud Ventures. Find out more at www. lacework.com. Regards, Dan Hubbard Chief Product Officer
4 © 2019 Lacework, Inc. Lacework and Polygraph are registered trademarks of Lacework. All  other marks mentioned herein may be trademarks of their respective companies. Lacework  reserves the right to change, modify, transfer, or otherwise revise this publication without notice. Get actionable recommendations on how to improve your security and compliance posture for your AWS, Azure, GCP, and private cloud environments. FREE ASSESSMENT Streamline security for AWS, Azure,  and GCP.  Gain unmatched visibility,  ensure compliance, and enable  actionable threat intelligence.
5 TABLE OF CONTENTS Kathrine Riley, Director of Information Security & Compliance Braintrace.......................................................... 06 Mauro Loda, Senior Security Architect McKesson.......................................................... 13 Paul Dackiewicz, Lead Security Consulting Engineer Advanced Network Management (ANM)..................................... 08 James P. Courtney, Certified Chief Information Security Officer Courtney Consultants, LLC......................... 14 Darrell Shack Cloud Engineer Cox Automotive Inc....................................... 10 Milinda Rambel Stone, Vice President & CISO Provation Medical.......................................... 16 Ross Young, Director Capital One........................................................ 11
6 “IF YOU DID NOT HAVE A STRONG SECURITY FRAMEWORK IN YOUR ON-PREMISES MODEL, JUST MOV- ING TO THE CLOUD BRINGS THOSE OLD BAD HABITS WITH YOU.” When growing and scaling infrastructure, moving to the cloud is a logical next step. But the cloud presents a different kind of IT environment even though many of the fundamental security challenges remain the same. These include: n Cost — There are costs associated with building and maintaining a cloud-based security strategy, just as there are costs of securing on- premises infrastructure. n Focus — In the past, security focused on availability, then it moved to risk, and later to compliance. Today it emphasizes optimization, pushing on traditional approaches to reduce costs, be scalable, and implement quickly. n Resources — Traditionally you were limited by budgets, skills, and legacy systems. The cloud bypasses some of the old issues but places new demands on resources. Katherine Riley, Director of Information Security & Compliance, Braintrace Katherine (Kate) Riley is skilled in leading teams to define cloud architecture, and in development of controls. She has developed and implemented security frameworks such as ISO and NIST, and performed compliance reviews such as FFIEC, HIPAA, HITRUST, SOX, GDPR, and GLBA.
7 The same constraints are going to be factors when you go to the cloud, but now you manage them with tools that give you more flexibility and that release you from dependencies you had before. Now you have to think of the layers of cloud security, and architect a strategy around how you’re going to build cloud applications, and how you test them, deploy them, and promote them. A key point, though, is that if you did not have a strong security framework in your on-premises model, just moving to the cloud brings those old bad habits with you. You have more tools in a more accessible and dynamic format, and you can create containers for development, testing, and production. But you still have to test for the same things and train your resources. And you still need a process that’s going to ask which vulnerabilities you care about and which ones are not important. n
8 “SERVICES CONSTANTLY CHANGE AND EVOLVE DEPENDING ON WHAT THE USERS NEED.” The cloud is basically an extension of your network that’s hosted on someone else’s server. You should always have that mindset. And bridging the connection between on-premises locations and customer sites to the cloud is a big security concern. To do that safely, you have to know what that looks like, and you have to know what safeguards are available from the cloud service provider. Things happen differently in the cloud. You recycle so many things when you’re offering a public cloud instance, whether IPs, disk drives, or the fact that you’re constantly destroying and recreating data on the fly to perform any number of on-demand resource capabilities. Services constantly change and evolve depending on what the users need, so you are constantly varying how you deliver those services to the appropriate end points. Paul Dackiewicz, Lead Security Consulting Engineer, Advanced Network Management (ANM) Paul Dackiewicz has over 10 years of systems engineering and cybersecurity experience in the fields of healthcare, government, and value- added resellers (VARs). He is currently leading the security operations center (SOC) for a premier managed security services provider (MSSP).
9 A lot of what is happening is not user-facing. For example, if I have a server in my environment that needs to talk to Amazon, there’s no user interaction. You are not only configuring your local on-premises equipment to talk to the cloud, you are configuring the cloud, too. To be able to grant secure access when necessary, you need to leverage their tools, their identity sources, and their federation. A lot of autonomous connections are being made, which is why you have to stay on top of your access control lists (ACLs). Throughout the life cycle of a cloud process, you must always audit changes and controls. Keeping track of how it’s being configured requires having eyes on it at all times. n
10 “THERE IS A LOT OF CONTINUOUS CHANGE HAPPENING IN A CLOUD ENVIRONMENT THAT REQUIRES CONTINUOUS MONITORING.” When you move into a public cloud such as Amazon Web Services, you and the cloud provider have separate security responsibilities. You have to make sure you have a good migration plan that includes in-depth research and understanding of the different kinds of security features offered by the cloud provider. For example, you still need firewall protection, but AWS builds firewall functionality into its EC2 instances. Configuration of those firewall settings is your responsibility. Your security team needs to be familiar with these settings and comfortable managing access-control lists. There is a lot of continuous change happening in a cloud environment that requires continuous monitoring. To make sure you are covering all your bases, it’s worth investing in a tool that audits your settings. For instance there are AWS security configuration and monitoring tools that work by taking an identity and access management role with audit permissions, and then they look at all your configurations and roles. The results are presented on a dashboard. You can set up weekly, daily, or hourly scans, depending on your monitoring needs Hourly audits would pick up on a vulnerability that might appear in the environment pretty quickly. In a highly dynamic cloud environment in which new APIs are being built and new services developed, frequent scanning is essential for good security. n Darrell Shack , Cloud Engineer, Cox Automotive Inc. Darrell Shack is a seasoned system engineer focused on building resilient and high--availability solutions. He has experience in developing solutions in the public cloud Amazon Web Services, helping teams manage their cost, and overall application performance in the cloud.
11 “IN A DYNAMIC CLOUD ENVIRONMENT, THE OLD SECURITY GROUPS ARE NOT AS IMPORTANT. WHAT BECOMES MORE IMPORT- ANT ARE SERVICE MESHES.” When moving to the cloud, the way you secure things goes hand-in-hand with how you lower maintenance and development costs. For example, when you build your cloud architecture, are you talking about EC2 servers, containerized servers, or Amazon serverless applications? As you go further down that path, the cloud provider provides more functionality. You no longer have to worry about patching the operating system, configuring, monitoring, and scaling. All of those things are now managed by the AWS provider. This impacts the way you develop and the way you secure your architecture. In a dynamic cloud environment, the old security groups are not as important. What becomes more important are service meshes and Layer 7 firewalls where you’re limiting the scope of applications by controlling which microservices talk to which APIs. The challenge becomes how to create those types of services in an enterprise service-level offering so that all of your developers from whatever lines of business can now utilize them. Ross Young, Director, Capital One Ross Young is a veteran technologist, innovation expert, and transformational leader, having learned DevSecOps, IT infrastructure, and cybersecurity from a young age from both ninjas and pirates. Young currently teaches master-level classes in cybersecurity at Johns Hopkins University and is a director of information security at Capital One.
12 It starts with everyone agreeing to a trusted DevSecOps or continuous integration, continuous delivery (CI/CD) pipeline. Organizations begin by looking at the earliest point at which they can find anything bad, which is typically the integrated developer environment (IDE), and that’s where they implement a code- scanning tool. They also have a code check-in process that examines the quality of source code through static code analysis. The pipeline also needs to support component analysis that looks at all the code dependencies to see if dependent components are properly patched and consistent, or what known vulnerabilities are in libraries you are using. The challenge at this stage is optimizing the tools to focus on the vulnerabilities that matter most in your environment, to make sure you are seeing everything and scanning what you need to scan, and how you build more security checks into the pipeline. Then you analyze the code in production and scan for application-layer vulnerabilities. Doing all of those things helps you have a more proactively secure environment. To gain runtime protection, you still need tools that provide continuous real-time monitoring. n
13 “IN THE CLOUD, EVERYTHING SHOULD START FROM THE CODE, AND EVERYONE MUST AGREE ON WHAT IS NEEDED.” In today’s world, the perimeter is expanding and visibility is impacted by the volatile nature of the cloud. To assure security in this kind of changeable environment, we strive to deploy an immutable architecture and operations. For example, instead of patching a server, we simply rebuild it from scratch and redeploy it to the cloud as a new image. Our controls now need to focus on different levels of our application- execution states, such as the least privileged design, data blocks, key management, and all the different dependencies. And most important of all is identity — everything is identity based. In the cloud, everything should start from the code, and everyone must agree on what is needed. Having consistency in the deployment life cycle makes a big difference. This involves having a tightly controlled CIDI pipeline, and a way to verify the process end-to-end. n Mauro Loda, Senior Security Architect, McKesson Mauro Loda is a passionate, data- driven cybersecurity professional who helped define and drive the “Cloud First” strategy and culture within a Fortune 100 multinational enterprise. He is a strong believer in offensive security and simple- but-effective architecture-defense topology. Emotional intelligence, pragmatism and reliability are his guiding principles. He has achieved numerous industry certifications and actively participates in forums, technology councils, and committees.
14 “IT’SSURPRISINGTHATMANY LARGEORGANIZATIONSSTILL MANUALLYCHECKEACHCONTROL THEYUSE.INACLOUDENVIRON- MENTOPERATINGATSCALE,THAT BECOMESANIMPOSSIBLETASK.” When it comes to cloud security, everyone in the organization — not only the security department — needs to feel ownership responsibility for security. There are too many ways human error can introduce vulnerabilities into the system. Only with the mindset that security is a collective effort will you be able to control the variables needed to secure your environment. One of the biggest challenges in cloud security is verifying that the controls you put in place are actually working. It’s surprising that many large organizations still manually check each control they use. In a cloud environment operating at scale, that becomes an impossible task. James P. Courtney, Certified Chief Information Security Officer, Courtney Consultants, LLC James Courtney is a recognized cybersecurity professional who has spoken at multiple conferences, including the CyberMaryland Conference. He is a Certified Chief Information Security Officer (one of 1,172 in the world), serving as the IT network and operations security manager for a private SIP consulting firm in McLean, Virginia.
15 There are tools available to automate this process. They monitor and analyze all the security tools you have in place to verify they are performing as expected. For example, if you implement a firewall in your environment and you expect it to have a certain level of traffic, the tool can verify that and alert you if it is not behaving as expected. This kind of continuous, active monitoring is essential in a continuously changing cloud environment. n
16 “WHEN OPERATING IN THE CLOUD, YOU MUST INTEGRATE SECURITY INTO YOUR STRATEGY SO THAT MONITORING AND REMEDIATION BECOME AN INTEGRAL PART OF YOUR OPERATIONAL PLAN.” The public cloud is a very different environment from your typical physical data center, because everything is living and breathing — and changing. You have to think differently in terms of your overall approach, what the security architecture looks like, how you strengthen security, and how you automate it. There is a great deal of security hygiene you may not have considered in the past. To have the level of visibility you need in the cloud, you have to adapt controls and engineering practices and apply a lot more automation. This means automating processes that scan for and identify vulnerabilities, and automating vulnerability remediation at the code and container layer. You must also place strong security checkpoints in place along the way so that you know what’s happening in every Milinda Rambel Stone, Vice President & CISO, Provation Medical Milinda Rambel Stone is an executive security leader with extensive experience in building and leading security programs, specializing in information-security governance, incident investigation and response, cloud security, security awareness, and risk-management compliance. As a former software engineer, Stone has passion and experience in building cloud security and DevSecOps environments. She currently practices this at Provation, where she is the vice president and chief information security officer (CISO).
17 environment. Because you are continuously monitoring, the concept of manual monitoring is not going to work anymore. When operating in the cloud, you must integrate security into your strategy so that monitoring and remediation become an integral part of your operational plan. That’s why the DevSecOps model is so important in cloud implementations, where you have security engineers, software engineers, and operational engineers partnering together. We all own the cloud-security challenge. n
18 KEY POINTS When operating in a cloud environment, many resources are recycled, such as IP addresses, disk drives, or data that is constantly destroyed and recreated on the fly to fulfill any number of on-demand resource requirements. Securing the cloud goes hand-in-hand with operational considerations. Whether your cloud architecture consists of EC2 servers, containerized servers, or Amazon serverless applications determines levels of built-in functionality. This impacts the way you develop and the way you secure your architecture. Analyzing code in production and scanning for application-layer vulnerabilities helps you have a more proactively secure environment. To gain runtime protection, you still need tools that provide continuous real-time monitoring.
19 © 2019 Lacework, Inc. Lacework and Polygraph are registered trademarks of Lacework. All  other marks mentioned herein may be trademarks of their respective companies. Lacework  reserves the right to change, modify, transfer, or otherwise revise this publication without notice. Interested in more? Try Lacework for free and validate the security  of your cloud: TRY FOR FREE Streamline security for AWS, Azure,  and GCP.  Gain unmatched visibility,  ensure compliance, and enable  actionable threat intelligence.

More Related Content

PDF
Avoiding Container Vulnerabilities
byMighty Guides, Inc.
 
PDF
Avoiding Limitations of Traditional Approaches to Security
byMighty Guides, Inc.
 
PDF
Building Security Into Your Cloud IT Practices
byMighty Guides, Inc.
 
PDF
Overcoming the five hybrid cloud adoption challenges
byCloudify Community
 
PDF
Csathreats.v1.0
byvivek_kale27
 
PDF
With-All-Due-Diligence20150330
byJim Kramer
 
PDF
Auckland University of technology Gets Complete Patch Management with Secuia ...
byFlexera
 
PDF
Trusted Cloud Initiative: Identity Management Research
byguestba832ad
 
Avoiding Container Vulnerabilities
byMighty Guides, Inc.
 
Avoiding Limitations of Traditional Approaches to Security
byMighty Guides, Inc.
 
Building Security Into Your Cloud IT Practices
byMighty Guides, Inc.
 
Overcoming the five hybrid cloud adoption challenges
byCloudify Community
 
Csathreats.v1.0
byvivek_kale27
 
With-All-Due-Diligence20150330
byJim Kramer
 
Auckland University of technology Gets Complete Patch Management with Secuia ...
byFlexera
 
Trusted Cloud Initiative: Identity Management Research
byguestba832ad
 

What's hot

PDF
Cloud Security: A Brief Journey through the Revolutionary Technology
byrosswilks1
 
PDF
REDUCING CYBER EXPOSURE From Cloud to Containers
byartseremis
 
PDF
The notorious nine_cloud_computing_top_threats_in_2013
byVenkateswar Reddy Melachervu
 
PPTX
Cloud computing - Assessing the Security Risks - Jared Carstensen
byjaredcarst
 
PDF
Review on Security Aspects for Cloud Architecture
byIJECEIAES
 
PDF
Facing the Future - Is the cloud right for you?
byAdvanced Business Solutions
 
PDF
Migrating to cloud-native_app_architectures_pivotal
bykkdlavak3
 
PDF
Coso erm for cloud computing
byVidipOlhyan
 
PDF
secureit-cloudsecurity-151130141528-lva1-app6892.pdf
byYounesChafi1
 
PDF
BriefingsDirect Transcript--How security leverages virtualization to counter ...
byDana Gardner
 
PDF
Privacy Issues In Cloud Computing
byiosrjce
 
PDF
Survey on Security in Cloud Hosted Service & Self Hosted Services
byijtsrd
 
PDF
CloudLex - The Only Legal Cloud™ For Plaintiff Trial Lawyers
byCloudLex Inc.
 
PDF
CSA Security Guidance Cloud Computing v3.0
byCloudSecurityAllianceAustralia
 
Cloud Security: A Brief Journey through the Revolutionary Technology
byrosswilks1
 
REDUCING CYBER EXPOSURE From Cloud to Containers
byartseremis
 
The notorious nine_cloud_computing_top_threats_in_2013
byVenkateswar Reddy Melachervu
 
Cloud computing - Assessing the Security Risks - Jared Carstensen
byjaredcarst
 
Review on Security Aspects for Cloud Architecture
byIJECEIAES
 
Facing the Future - Is the cloud right for you?
byAdvanced Business Solutions
 
Migrating to cloud-native_app_architectures_pivotal
bykkdlavak3
 
Coso erm for cloud computing
byVidipOlhyan
 
secureit-cloudsecurity-151130141528-lva1-app6892.pdf
byYounesChafi1
 
BriefingsDirect Transcript--How security leverages virtualization to counter ...
byDana Gardner
 
Privacy Issues In Cloud Computing
byiosrjce
 
Survey on Security in Cloud Hosted Service & Self Hosted Services
byijtsrd
 
CloudLex - The Only Legal Cloud™ For Plaintiff Trial Lawyers
byCloudLex Inc.
 
CSA Security Guidance Cloud Computing v3.0
byCloudSecurityAllianceAustralia
 

Similar to Resetting Your Security Thinking for the Public Cloud

PPTX
The Cloud 9 - Threat & Solutions 2016 by Bobby Dominguez
byEC-Council
 
PDF
The Secure Path to Value in the Cloud by Denny Heaberlin
byCloud Expo
 
PDF
Security in the cloud planning guide
byYury Chemerkin
 
PDF
Cloud Security: Perception VS Reality
byKVH Co. Ltd.
 
PDF
Architecting Data Services for the Cloud: Security Considerations and Best Pr...
byAdnene Guabtni
 
PPTX
Isaca cloud security presentation duncan unwin 16 jul13
byDuncan Unwin
 
PDF
Cloud Security - Kloudlearn
byKloudLearn
 
PPTX
Cloud Security By Dr. Anton Ravindran
byGSTF
 
PPTX
Unc charlotte prezo2016
bySanjay R. Gupta
 
PDF
Security Teams & Tech In A Cloud World
byMark Nunnikhoven
 
PDF
Lecture27 cc-security2
byAnkit Gupta
 
PPTX
security and compliance in the cloud
byAjay Rathi
 
PDF
Cloud Security Summit - InfoSec World 2014
byBill Burns
 
DOCX
How to implement cloud computing security
byRandall Spence
 
PPTX
Rik Ferguson
byCloudExpoEurope
 
PDF
Understanding Cloud Security - An In-Depth Exploration For Business Growth | ...
byUnited States Cybersecurity Institute (USCSI®)
 
PDF
UNDERSTANDING CLOUD SECURITY- AN IN-DEPTH EXPLORATION FOR BUSINESS GROWTH.pdf
byUnited States Cybersecurity Institute (USCSI®)
 
PPTX
Cloud is not an option, but is security?
byJody Keyser
 
PDF
Asset 1 security-in-the-cloud
bydrewz lin
 
PDF
Zero trust strategy: cloud security by design
byaccenture
 
The Cloud 9 - Threat & Solutions 2016 by Bobby Dominguez
byEC-Council
 
The Secure Path to Value in the Cloud by Denny Heaberlin
byCloud Expo
 
Security in the cloud planning guide
byYury Chemerkin
 
Cloud Security: Perception VS Reality
byKVH Co. Ltd.
 
Architecting Data Services for the Cloud: Security Considerations and Best Pr...
byAdnene Guabtni
 
Isaca cloud security presentation duncan unwin 16 jul13
byDuncan Unwin
 
Cloud Security - Kloudlearn
byKloudLearn
 
Cloud Security By Dr. Anton Ravindran
byGSTF
 
Unc charlotte prezo2016
bySanjay R. Gupta
 
Security Teams & Tech In A Cloud World
byMark Nunnikhoven
 
Lecture27 cc-security2
byAnkit Gupta
 
security and compliance in the cloud
byAjay Rathi
 
Cloud Security Summit - InfoSec World 2014
byBill Burns
 
How to implement cloud computing security
byRandall Spence
 
Rik Ferguson
byCloudExpoEurope
 
Understanding Cloud Security - An In-Depth Exploration For Business Growth | ...
byUnited States Cybersecurity Institute (USCSI®)
 
UNDERSTANDING CLOUD SECURITY- AN IN-DEPTH EXPLORATION FOR BUSINESS GROWTH.pdf
byUnited States Cybersecurity Institute (USCSI®)
 
Cloud is not an option, but is security?
byJody Keyser
 
Asset 1 security-in-the-cloud
bydrewz lin
 
Zero trust strategy: cloud security by design
byaccenture
 

More from Mighty Guides, Inc.

PDF
7 Experts on Implementing Microsoft 365 Defender
byMighty Guides, Inc.
 
PDF
7 Experts on Implementing Azure Sentinel
byMighty Guides, Inc.
 
PDF
7 Experts on Implementing Microsoft Defender for Endpoint
byMighty Guides, Inc.
 
PDF
8 Experts on Flawless App Delivery
byMighty Guides, Inc.
 
PDF
7 Experts on How to Deliver a Secure, Productive Remote Employee Experience
byMighty Guides, Inc.
 
PDF
Sharktower: Will AI change the way you manage change?
byMighty Guides, Inc.
 
PDF
Workfront: 7 Experts on Flawless Campaign Execution
byMighty Guides, Inc.
 
PDF
Trustwave: 7 Experts on Transforming Your Threat Detection & Response Strategy
byMighty Guides, Inc.
 
PDF
Workfront - 9 Experts on How to Align IT's Work to Company Strategy
byMighty Guides, Inc.
 
PDF
Citrix: 7 Experts on Transforming Employee Experience
byMighty Guides, Inc.
 
PDF
7 Experts on Transforming Customer Experience with Data Insights (1)
byMighty Guides, Inc.
 
PDF
15 Experts on Reimagining Field Marketing
byMighty Guides, Inc.
 
PDF
Kyriba: 7 Experts on Activating Liquidity
byMighty Guides, Inc.
 
PDF
BlueVoyant: 7 Experts Share Key Questions To Ask When Evaluating Providers
byMighty Guides, Inc.
 
PDF
11 Experts on Using the Content Lifecycle to Maximize Content ROI
byMighty Guides, Inc.
 
PDF
Defining Marketing Success- 28 Experts Tell You How
byMighty Guides, Inc.
 
PDF
7 Experts on Using the Content Lifecycle to Maximize Content ROI
byMighty Guides, Inc.
 
PDF
Iron Mountain: 8 Experts on Workplace Transformation
byMighty Guides, Inc.
 
PDF
Ntiva: 8 Experts on Outsourcing IT for Strategic Advantage
byMighty Guides, Inc.
 
PDF
Iron Mountain: The Essential Guide To Understanding Digital Transformation
byMighty Guides, Inc.
 
7 Experts on Implementing Microsoft 365 Defender
byMighty Guides, Inc.
 
7 Experts on Implementing Azure Sentinel
byMighty Guides, Inc.
 
7 Experts on Implementing Microsoft Defender for Endpoint
byMighty Guides, Inc.
 
8 Experts on Flawless App Delivery
byMighty Guides, Inc.
 
7 Experts on How to Deliver a Secure, Productive Remote Employee Experience
byMighty Guides, Inc.
 
Sharktower: Will AI change the way you manage change?
byMighty Guides, Inc.
 
Workfront: 7 Experts on Flawless Campaign Execution
byMighty Guides, Inc.
 
Trustwave: 7 Experts on Transforming Your Threat Detection & Response Strategy
byMighty Guides, Inc.
 
Workfront - 9 Experts on How to Align IT's Work to Company Strategy
byMighty Guides, Inc.
 
Citrix: 7 Experts on Transforming Employee Experience
byMighty Guides, Inc.
 
7 Experts on Transforming Customer Experience with Data Insights (1)
byMighty Guides, Inc.
 
15 Experts on Reimagining Field Marketing
byMighty Guides, Inc.
 
Kyriba: 7 Experts on Activating Liquidity
byMighty Guides, Inc.
 
BlueVoyant: 7 Experts Share Key Questions To Ask When Evaluating Providers
byMighty Guides, Inc.
 
11 Experts on Using the Content Lifecycle to Maximize Content ROI
byMighty Guides, Inc.
 
Defining Marketing Success- 28 Experts Tell You How
byMighty Guides, Inc.
 
7 Experts on Using the Content Lifecycle to Maximize Content ROI
byMighty Guides, Inc.
 
Iron Mountain: 8 Experts on Workplace Transformation
byMighty Guides, Inc.
 
Ntiva: 8 Experts on Outsourcing IT for Strategic Advantage
byMighty Guides, Inc.
 
Iron Mountain: The Essential Guide To Understanding Digital Transformation
byMighty Guides, Inc.
 

Recently uploaded

PDF
What Is A Woman (WIAW) Token – Smart Contract Security Audit Report by EtherA...
byEtherAuthority
 
PDF
Here’s the case study that shows how companies lose ₹2–6 Cr annually due to m...
bysiddhantdazzlo
 
PDF
Manual vs Automated Accessibility Testing – What to Choose in 2025.pdf
bykalichargn70th171
 
DOCX
How to Change Classic SharePoint to Modern SharePoint (An Updated Guide)
bySharepoint Designs
 
PDF
Design and Analysis of Algorithms(DAA): Unit-II Asymptotic Notations and Basi...
byKuvempu University
 
PPTX
application security presentation 2 by harman
byharmanideapad
 
PPTX
Modern Claims Automation Solutions for Operational Agility
byInsurance Tech Services
 
PDF
Resource-Levelled Critical-Path Analysis Balancing Time, Cost and Constraints
byOrangescrum
 
PDF
Red Hat Summit 2025 - Triton GPU Kernel programming.pdf
bySanjeev Rampal
 
PPTX
Lecture 3 - Scheduling - Operating System
bynurulalomador
 
PDF
Cybersecurity Alert- What Organisations Must Watch Out For This Christmas Fes...
byCybernetic Global Intelligence
 
PDF
Database Management Systems(DBMS):UNIT-II Relational Data Model BCA SEP SEM ...
byKuvempu University
 
PDF
How Modern Custom Software is Revolutionizing Mortgage Lending Processes -Ma...
byMatellio
 
PPTX
Why Your Business Needs Snowflake Consulting_ From Data Silos to AI-Ready Cloud
byChetu
 
PDF
Cloud-Based Underwriting Software for Insurance
byInsurance Tech Services
 
PDF
Navigating SEC Regulations for Crypto Exchanges Preparing for a Compliant Fut...
byzak jasper
 
PDF
KoderXpert – Odoo, Web & AI Solutions for Growing Businesses
byDhvanil Trivedi
 
PDF
Transforming Compliance Through Policy & Procedure Management
byInsurance Tech Services
 
PDF
Advanced Prompt Engineering: The Art and Science
byMaxim Salnikov
 
PDF
Intelligent CRM for Insurance Brokers: Managing Clients with Precision
byInsurance Tech Services
 
What Is A Woman (WIAW) Token – Smart Contract Security Audit Report by EtherA...
byEtherAuthority
 
Here’s the case study that shows how companies lose ₹2–6 Cr annually due to m...
bysiddhantdazzlo
 
Manual vs Automated Accessibility Testing – What to Choose in 2025.pdf
bykalichargn70th171
 
How to Change Classic SharePoint to Modern SharePoint (An Updated Guide)
bySharepoint Designs
 
Design and Analysis of Algorithms(DAA): Unit-II Asymptotic Notations and Basi...
byKuvempu University
 
application security presentation 2 by harman
byharmanideapad
 
Modern Claims Automation Solutions for Operational Agility
byInsurance Tech Services
 
Resource-Levelled Critical-Path Analysis Balancing Time, Cost and Constraints
byOrangescrum
 
Red Hat Summit 2025 - Triton GPU Kernel programming.pdf
bySanjeev Rampal
 
Lecture 3 - Scheduling - Operating System
bynurulalomador
 
Cybersecurity Alert- What Organisations Must Watch Out For This Christmas Fes...
byCybernetic Global Intelligence
 
Database Management Systems(DBMS):UNIT-II Relational Data Model BCA SEP SEM ...
byKuvempu University
 
How Modern Custom Software is Revolutionizing Mortgage Lending Processes -Ma...
byMatellio
 
Why Your Business Needs Snowflake Consulting_ From Data Silos to AI-Ready Cloud
byChetu
 
Cloud-Based Underwriting Software for Insurance
byInsurance Tech Services
 
Navigating SEC Regulations for Crypto Exchanges Preparing for a Compliant Fut...
byzak jasper
 
KoderXpert – Odoo, Web & AI Solutions for Growing Businesses
byDhvanil Trivedi
 
Transforming Compliance Through Policy & Procedure Management
byInsurance Tech Services
 
Advanced Prompt Engineering: The Art and Science
byMaxim Salnikov
 
Intelligent CRM for Insurance Brokers: Managing Clients with Precision
byInsurance Tech Services
 

Resetting Your Security Thinking for the Public Cloud

  • 1.
    RESETTINGYOURSECURITY THINKINGFORTHEPUBLICCLOUD Seven experts discussthe intricacies of securing cloud infrastructures. Sponsored bySponsored by
  • 2.
    2 INTRODUCTION As businesses buildincreasingly complex IT infrastructures consisting of public, private, and hybrid cloud instances, securing these frameworks has become the cornerstone of IT strategy. Many security fundamentals remain unchanged, but how you address them in the public cloud is altogether different. We take a closer look at securing cloud infrastructures by asking seven experts the following question: To operate public cloud-based IT infrastructures securely, what security thinking needs to change, and why? Mighty Guides make you stronger. These authoritative and diverse guides provide a full view of a topic. They help you explore, compare, and contrast a variety of viewpoints so that you can determine what will work best for you. Reading a Mighty Guide is kind of like having your own team of experts. Each heartfelt and sincere piece of advice in this guide sits right next to the contributor’s name, biography, and links so that you can learn more about their work. This background information gives you the proper context for each expert’s independent perspective. Credible advice from top experts helps you make strong decisions. Strong decisions make you mighty. © 2019 Mighty Guides, Inc. I 62 Nassau Drive I Great Neck, NY 11021 I 516-360-2622 I www.mightyguides.com
  • 3.
    3 FOREWORD The network isdead. Reset your security mindset for a public cloud More organizations are adopting cloud-first strategies as they initiate new projects or migrate from older systems. To meet rigorous business demands, they operate with frequent code releases, increasingly make use of containers, and process and store data for compliance and cost-management. It’s a lot to manage, and SIEMs and firewalls just can’t provide the level of insight required — they aren’t engineered for automation, and they definitely can’t operate at scale. Old school security merchants can’t build solutions fast enough to address the growing tide of cloud migrants and upstarts initiating a cloud-first strategy, so they’re opting to piece together component parts to make something that vaguely resembles a comprehensive solution. Their sales approach is menu-like, but their product strategy is far from unified. This is confusing for customers, especially as security teams question whether a company with a hardware mentality can adapt its technology and product strategy to meet the velocity and scalability needs of fast-moving organizations. It’s time for a new approach, one optimized for the cloud and containerized environments that provides comprehensive threat defense, intrusion detection, and compliance management over their cloud accounts and workloads, all at scale. This book offers valuable insights into how innovative security managers approach defense and risk management for their multicloud infrastructures. Lacework is a SaaS platform that automates threat defense, intrusion detection, and compliance for cloud workloads & containers. Lacework monitors all your critical assets in the cloud and automatically detects threats and anomalous activity so you can take action before your company is at risk. The result? Deeper security visibility and greater threat defense for your critical cloud workloads, containers, and IaaS accounts. Based in Mountain View, California, Lacework is a privately held company funded by Sutter Hill Ventures, Liberty Global Ventures, Spike Ventures, the Webb Investment Network (WIN), and AME Cloud Ventures. Find out more at www. lacework.com. Regards, Dan Hubbard Chief Product Officer
  • 4.
    4 © 2019 Lacework, Inc. Lacework and Polygraph are registered trademarks of Lacework. All  other marks mentioned herein may be trademarks of their respective companies. Lacework  reserves the right to change, modify, transfer, or otherwise revise this publication without notice. Get actionable recommendationson how to improve your security and compliance posture for your AWS, Azure, GCP, and private cloud environments. FREE ASSESSMENT Streamline security for AWS, Azure,  and GCP.  Gain unmatched visibility,  ensure compliance, and enable  actionable threat intelligence.
  • 5.
    5 TABLE OF CONTENTS KathrineRiley, Director of Information Security & Compliance Braintrace.......................................................... 06 Mauro Loda, Senior Security Architect McKesson.......................................................... 13 Paul Dackiewicz, Lead Security Consulting Engineer Advanced Network Management (ANM)..................................... 08 James P. Courtney, Certified Chief Information Security Officer Courtney Consultants, LLC......................... 14 Darrell Shack Cloud Engineer Cox Automotive Inc....................................... 10 Milinda Rambel Stone, Vice President & CISO Provation Medical.......................................... 16 Ross Young, Director Capital One........................................................ 11
  • 6.
    6 “IF YOU DIDNOT HAVE A STRONG SECURITY FRAMEWORK IN YOUR ON-PREMISES MODEL, JUST MOV- ING TO THE CLOUD BRINGS THOSE OLD BAD HABITS WITH YOU.” When growing and scaling infrastructure, moving to the cloud is a logical next step. But the cloud presents a different kind of IT environment even though many of the fundamental security challenges remain the same. These include: n Cost — There are costs associated with building and maintaining a cloud-based security strategy, just as there are costs of securing on- premises infrastructure. n Focus — In the past, security focused on availability, then it moved to risk, and later to compliance. Today it emphasizes optimization, pushing on traditional approaches to reduce costs, be scalable, and implement quickly. n Resources — Traditionally you were limited by budgets, skills, and legacy systems. The cloud bypasses some of the old issues but places new demands on resources. Katherine Riley, Director of Information Security & Compliance, Braintrace Katherine (Kate) Riley is skilled in leading teams to define cloud architecture, and in development of controls. She has developed and implemented security frameworks such as ISO and NIST, and performed compliance reviews such as FFIEC, HIPAA, HITRUST, SOX, GDPR, and GLBA.
  • 7.
    7 The same constraintsare going to be factors when you go to the cloud, but now you manage them with tools that give you more flexibility and that release you from dependencies you had before. Now you have to think of the layers of cloud security, and architect a strategy around how you’re going to build cloud applications, and how you test them, deploy them, and promote them. A key point, though, is that if you did not have a strong security framework in your on-premises model, just moving to the cloud brings those old bad habits with you. You have more tools in a more accessible and dynamic format, and you can create containers for development, testing, and production. But you still have to test for the same things and train your resources. And you still need a process that’s going to ask which vulnerabilities you care about and which ones are not important. n
  • 8.
    8 “SERVICES CONSTANTLY CHANGE ANDEVOLVE DEPENDING ON WHAT THE USERS NEED.” The cloud is basically an extension of your network that’s hosted on someone else’s server. You should always have that mindset. And bridging the connection between on-premises locations and customer sites to the cloud is a big security concern. To do that safely, you have to know what that looks like, and you have to know what safeguards are available from the cloud service provider. Things happen differently in the cloud. You recycle so many things when you’re offering a public cloud instance, whether IPs, disk drives, or the fact that you’re constantly destroying and recreating data on the fly to perform any number of on-demand resource capabilities. Services constantly change and evolve depending on what the users need, so you are constantly varying how you deliver those services to the appropriate end points. Paul Dackiewicz, Lead Security Consulting Engineer, Advanced Network Management (ANM) Paul Dackiewicz has over 10 years of systems engineering and cybersecurity experience in the fields of healthcare, government, and value- added resellers (VARs). He is currently leading the security operations center (SOC) for a premier managed security services provider (MSSP).
  • 9.
    9 A lot ofwhat is happening is not user-facing. For example, if I have a server in my environment that needs to talk to Amazon, there’s no user interaction. You are not only configuring your local on-premises equipment to talk to the cloud, you are configuring the cloud, too. To be able to grant secure access when necessary, you need to leverage their tools, their identity sources, and their federation. A lot of autonomous connections are being made, which is why you have to stay on top of your access control lists (ACLs). Throughout the life cycle of a cloud process, you must always audit changes and controls. Keeping track of how it’s being configured requires having eyes on it at all times. n
  • 10.
    10 “THERE IS ALOT OF CONTINUOUS CHANGE HAPPENING IN A CLOUD ENVIRONMENT THAT REQUIRES CONTINUOUS MONITORING.” When you move into a public cloud such as Amazon Web Services, you and the cloud provider have separate security responsibilities. You have to make sure you have a good migration plan that includes in-depth research and understanding of the different kinds of security features offered by the cloud provider. For example, you still need firewall protection, but AWS builds firewall functionality into its EC2 instances. Configuration of those firewall settings is your responsibility. Your security team needs to be familiar with these settings and comfortable managing access-control lists. There is a lot of continuous change happening in a cloud environment that requires continuous monitoring. To make sure you are covering all your bases, it’s worth investing in a tool that audits your settings. For instance there are AWS security configuration and monitoring tools that work by taking an identity and access management role with audit permissions, and then they look at all your configurations and roles. The results are presented on a dashboard. You can set up weekly, daily, or hourly scans, depending on your monitoring needs Hourly audits would pick up on a vulnerability that might appear in the environment pretty quickly. In a highly dynamic cloud environment in which new APIs are being built and new services developed, frequent scanning is essential for good security. n Darrell Shack , Cloud Engineer, Cox Automotive Inc. Darrell Shack is a seasoned system engineer focused on building resilient and high--availability solutions. He has experience in developing solutions in the public cloud Amazon Web Services, helping teams manage their cost, and overall application performance in the cloud.
  • 11.
    11 “IN A DYNAMICCLOUD ENVIRONMENT, THE OLD SECURITY GROUPS ARE NOT AS IMPORTANT. WHAT BECOMES MORE IMPORT- ANT ARE SERVICE MESHES.” When moving to the cloud, the way you secure things goes hand-in-hand with how you lower maintenance and development costs. For example, when you build your cloud architecture, are you talking about EC2 servers, containerized servers, or Amazon serverless applications? As you go further down that path, the cloud provider provides more functionality. You no longer have to worry about patching the operating system, configuring, monitoring, and scaling. All of those things are now managed by the AWS provider. This impacts the way you develop and the way you secure your architecture. In a dynamic cloud environment, the old security groups are not as important. What becomes more important are service meshes and Layer 7 firewalls where you’re limiting the scope of applications by controlling which microservices talk to which APIs. The challenge becomes how to create those types of services in an enterprise service-level offering so that all of your developers from whatever lines of business can now utilize them. Ross Young, Director, Capital One Ross Young is a veteran technologist, innovation expert, and transformational leader, having learned DevSecOps, IT infrastructure, and cybersecurity from a young age from both ninjas and pirates. Young currently teaches master-level classes in cybersecurity at Johns Hopkins University and is a director of information security at Capital One.
  • 12.
    12 It starts witheveryone agreeing to a trusted DevSecOps or continuous integration, continuous delivery (CI/CD) pipeline. Organizations begin by looking at the earliest point at which they can find anything bad, which is typically the integrated developer environment (IDE), and that’s where they implement a code- scanning tool. They also have a code check-in process that examines the quality of source code through static code analysis. The pipeline also needs to support component analysis that looks at all the code dependencies to see if dependent components are properly patched and consistent, or what known vulnerabilities are in libraries you are using. The challenge at this stage is optimizing the tools to focus on the vulnerabilities that matter most in your environment, to make sure you are seeing everything and scanning what you need to scan, and how you build more security checks into the pipeline. Then you analyze the code in production and scan for application-layer vulnerabilities. Doing all of those things helps you have a more proactively secure environment. To gain runtime protection, you still need tools that provide continuous real-time monitoring. n
  • 13.
    13 “IN THE CLOUD,EVERYTHING SHOULD START FROM THE CODE, AND EVERYONE MUST AGREE ON WHAT IS NEEDED.” In today’s world, the perimeter is expanding and visibility is impacted by the volatile nature of the cloud. To assure security in this kind of changeable environment, we strive to deploy an immutable architecture and operations. For example, instead of patching a server, we simply rebuild it from scratch and redeploy it to the cloud as a new image. Our controls now need to focus on different levels of our application- execution states, such as the least privileged design, data blocks, key management, and all the different dependencies. And most important of all is identity — everything is identity based. In the cloud, everything should start from the code, and everyone must agree on what is needed. Having consistency in the deployment life cycle makes a big difference. This involves having a tightly controlled CIDI pipeline, and a way to verify the process end-to-end. n Mauro Loda, Senior Security Architect, McKesson Mauro Loda is a passionate, data- driven cybersecurity professional who helped define and drive the “Cloud First” strategy and culture within a Fortune 100 multinational enterprise. He is a strong believer in offensive security and simple- but-effective architecture-defense topology. Emotional intelligence, pragmatism and reliability are his guiding principles. He has achieved numerous industry certifications and actively participates in forums, technology councils, and committees.
  • 14.
    14 “IT’SSURPRISINGTHATMANY LARGEORGANIZATIONSSTILL MANUALLYCHECKEACHCONTROL THEYUSE.INACLOUDENVIRON- MENTOPERATINGATSCALE,THAT BECOMESANIMPOSSIBLETASK.” When it comesto cloud security, everyone in the organization — not only the security department — needs to feel ownership responsibility for security. There are too many ways human error can introduce vulnerabilities into the system. Only with the mindset that security is a collective effort will you be able to control the variables needed to secure your environment. One of the biggest challenges in cloud security is verifying that the controls you put in place are actually working. It’s surprising that many large organizations still manually check each control they use. In a cloud environment operating at scale, that becomes an impossible task. James P. Courtney, Certified Chief Information Security Officer, Courtney Consultants, LLC James Courtney is a recognized cybersecurity professional who has spoken at multiple conferences, including the CyberMaryland Conference. He is a Certified Chief Information Security Officer (one of 1,172 in the world), serving as the IT network and operations security manager for a private SIP consulting firm in McLean, Virginia.
  • 15.
    15 There are toolsavailable to automate this process. They monitor and analyze all the security tools you have in place to verify they are performing as expected. For example, if you implement a firewall in your environment and you expect it to have a certain level of traffic, the tool can verify that and alert you if it is not behaving as expected. This kind of continuous, active monitoring is essential in a continuously changing cloud environment. n
  • 16.
    16 “WHEN OPERATING INTHE CLOUD, YOU MUST INTEGRATE SECURITY INTO YOUR STRATEGY SO THAT MONITORING AND REMEDIATION BECOME AN INTEGRAL PART OF YOUR OPERATIONAL PLAN.” The public cloud is a very different environment from your typical physical data center, because everything is living and breathing — and changing. You have to think differently in terms of your overall approach, what the security architecture looks like, how you strengthen security, and how you automate it. There is a great deal of security hygiene you may not have considered in the past. To have the level of visibility you need in the cloud, you have to adapt controls and engineering practices and apply a lot more automation. This means automating processes that scan for and identify vulnerabilities, and automating vulnerability remediation at the code and container layer. You must also place strong security checkpoints in place along the way so that you know what’s happening in every Milinda Rambel Stone, Vice President & CISO, Provation Medical Milinda Rambel Stone is an executive security leader with extensive experience in building and leading security programs, specializing in information-security governance, incident investigation and response, cloud security, security awareness, and risk-management compliance. As a former software engineer, Stone has passion and experience in building cloud security and DevSecOps environments. She currently practices this at Provation, where she is the vice president and chief information security officer (CISO).
  • 17.
    17 environment. Because youare continuously monitoring, the concept of manual monitoring is not going to work anymore. When operating in the cloud, you must integrate security into your strategy so that monitoring and remediation become an integral part of your operational plan. That’s why the DevSecOps model is so important in cloud implementations, where you have security engineers, software engineers, and operational engineers partnering together. We all own the cloud-security challenge. n
  • 18.
    18 KEY POINTS When operatingin a cloud environment, many resources are recycled, such as IP addresses, disk drives, or data that is constantly destroyed and recreated on the fly to fulfill any number of on-demand resource requirements. Securing the cloud goes hand-in-hand with operational considerations. Whether your cloud architecture consists of EC2 servers, containerized servers, or Amazon serverless applications determines levels of built-in functionality. This impacts the way you develop and the way you secure your architecture. Analyzing code in production and scanning for application-layer vulnerabilities helps you have a more proactively secure environment. To gain runtime protection, you still need tools that provide continuous real-time monitoring.
  • 19.