We are in a world of transition. Most compliance standards are slow to catch up to this change, and you hear a lot of FUD (Fear, Uncertainty and Doubt) with regards to what you "have to do" to meet them. This talk is about understanding "What" some of the most universal standards are truly asking for, and then discussing "How" you can accomplish this with your environment and RightScale.
6. The world around us is changing technically and it affects us all
Talk with the Experts.
7. Compliance standards are slow to catch up
8. PCI 1.1.3: Requirements for a firewall at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone
9. There is a lot of FUD (Fear, Uncertainty and Doubt) with regards to what you "have to do" to meet them
10. This is my point of view from ~15 years of experience as a Consultant/Assessor and a Practitioner …
11. We’ll identify what the standards and regulations really “Want”
12. We’ll then identify “How” RightScale can help you meet those requirements
13. Side Note: You need to know if you are shooting for “letter of the law” or “intent of the law” compliance
15. Want #1: Governance – Verifiable and Repeatable
16. You have identified business drivers and know what you want to accomplish
17. You have taken the time to document what you want, so it is repeatable
18. You have evidence that you do what you say you do
19. How #1: This is your governance structure. I can chat with you, but this is on you.
20. Want #2: Build it right – Design and Architecture
21. It is entirely possible to design and architect something that is not securable!
22. How #2: Engage RightScale Professional Services. We ARE as good as it gets!
23. How #2: The support portal for webinars and whitepapers
24. Want #3: Deploy it correctly and securely
25. How #3: Leverage Multi-Cloud Images, ServerTemplates, RightScripts/Chef Templates
26. Added advantage: Meet governance requirements - Documented with version control
27. Want #4: Patch it appropriately
28. How #4: Use RightScale to configure the system to be consistent with your process and policy
29. Want #5: Audit/Watch what is happening
30. How #5: Operational Audit Entries via API or Dashboard
31. How #5: Configure syslog/event logs to your SIEM
32. Want #6: Proactive vulnerability management
33. How #6: Use RightScale to deploy agents (e.g., CloudPassage Halo, TrendMicro Deep Security, etc.)
34. How #6: Use the RightScale API to get all active internal and external IPs regardless of Cloud and feed them to a Vulnerability Scanner (SAINT, Nessus, etc.)
35. Want #7: Audit and Review
36. How #7: Use the Infrastructure Audit report to show Security Group settings
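Showing Security Group settings (How #7) is only half of the audit; the other half is comparing them with the documented policy from Want #1 so that you have evidence, not just a listing. The check below is an added example, not the deck's or RightScale's own report logic; the rule layout, the group names and the sample rules are constructed assumptions, and the PCI 1.1.3 reference is the firewall requirement quoted on slide 8.

```python
import ipaddress

# Constructed sample: security group rules in the shape an infrastructure audit
# report might export. The field layout is an assumption for this example.
SECURITY_GROUP_RULES = [
    {"group": "web-dmz", "protocol": "tcp", "from_port": 443, "to_port": 443, "source": "0.0.0.0/0"},
    {"group": "web-dmz", "protocol": "tcp", "from_port": 22, "to_port": 22, "source": "0.0.0.0/0"},
    {"group": "web-dmz", "protocol": "tcp", "from_port": 22, "to_port": 22, "source": "198.51.100.0/24"},
    {"group": "app-internal", "protocol": "tcp", "from_port": 8080, "to_port": 8080, "source": "sg:web-dmz"},
    {"group": "db-internal", "protocol": "tcp", "from_port": 3306, "to_port": 3306, "source": "0.0.0.0/0"},
    {"group": "db-internal", "protocol": "tcp", "from_port": 3306, "to_port": 3306, "source": "10.0.0.0/16"},
]

# What the documented policy says may be reachable from the Internet (Want #1:
# "document what you want"). Everything else open to the world is a finding.
INTERNET_ALLOWED = {("web-dmz", "tcp", 443)}


def is_internet_source(source):
    """True for the any-address source (0.0.0.0/0 or ::/0)."""
    if source.startswith("sg:"):
        return False  # a reference to another security group, never the Internet
    return ipaddress.ip_network(source, strict=False).prefixlen == 0


def audit_rules(rules, allowed=INTERNET_ALLOWED):
    """Return (group, protocol, port) triples exposed to the Internet but not in policy."""
    findings = []
    for r in rules:
        if not is_internet_source(r["source"]):
            continue
        for port in range(r["from_port"], r["to_port"] + 1):
            if (r["group"], r["protocol"], port) not in allowed:
                findings.append((r["group"], r["protocol"], port))
    return sorted(set(findings))


def evidence_lines(findings):
    """One line per finding, worded the way you would hand it to an assessor."""
    return [f"{g}: {p}/{port} open to the Internet, not in documented policy (see PCI 1.1.3)"
            for g, p, port in findings]


if __name__ == "__main__":
    for line in evidence_lines(audit_rules(SECURITY_GROUP_RULES)):
        print(line)
```

The admin rule restricted to 198.51.100.0/24 and the group-to-group rule are not flagged; only the world-open SSH and MySQL rules are, which is exactly the list an assessor would ask you to justify or close.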
Matt has over 12 years of experience operating a variety of different datacenter and cloud environments with a heavy focus on automation, reliability and systems performance. Currently at Nextdoor.com, Matt serves as the primary architect for the Production and Development cloud environments serving thousands of Nextdoor.com private neighborhoods. Before Nextdoor, he worked at Netflix in the IT Operations team as the Sr. Systems Architect for an internal cloud project based on Cloud.com and RightScale software/service solutions.
Is VPN internal? What about SSL VPN? What about HTTPS? Can it be internal on a public multi-tenant system?
The big problem is that many of the “checkers” are at odds as to what the right answer is.
Pragmatically it should be the latter (intent of the law), but in reality it is often the former (letter of the law) that you will be judged on. Need to keep that in mind.
With that, here we go …
The combination of these (Multi-Cloud Images, ServerTemplates and RightScripts/Chef) allows the complete automation of a “secure as possible” system and application.
Unpatched systems are a MAJOR source of compromise. Using RightScale to ensure that all systems are under management correctly is a HUGE win. Question: What percentage of systems may be running out-of-date anti-virus? Answer: Zero. There is NO acceptable excuse for out-of-date software. Similarly, there is NO acceptable excuse for a system that is open, unpatched, and unmonitored. Caveat: Mitigating controls – IT IS YOUR RISK ACCEPTANCE – if a system is not patched, then it must be blocked or heavily monitored (preferably both).
Trend Micro OSSEC is a good free solution used by many. Many commercial solutions exist: Splunk, QRadar, …
With some pre-planning you could use our API to pull massive amounts of forensics data from multiple cloud resources, giving you huge gains in the forensics process.
This is available to any current customer or qualified prospect