Cloud Security: Make Your CISO Successful

Presents: What Security Pros Need to Know About Cloud. Rich Mogull, Securosis LLC, [email protected], http://securosis.com

Upload: cloudpassage

Post on 20-Aug-2015

TRANSCRIPT

Page 1: Cloud Security: Make Your CISO Successful

Presents

What Security Pros Need to Know About Cloud

Rich Mogull, Securosis, [email protected], http://securosis.com

Page 2: Cloud Security: Make Your CISO Successful

The Disruption of the Cloud

Page 3: Cloud Security: Make Your CISO Successful

Multitenancy Isn’t the Issue

[Diagram labels: A, B, C]

• We have always secured shared infrastructure.

• We have always trusted our data to others.

• Our existing processes and controls will still work.

• It is the abstraction and automation of cloud that really impact security.

Page 4: Cloud Security: Make Your CISO Successful

Abstraction

[Diagram labels: Customer; Compute; Networks; Storage]

• Visibility changes

• Can’t rely on boxes and wires

• Can’t rely on physical controls

Page 5: Cloud Security: Make Your CISO Successful

Automation

[Diagram labels: VMs on Hypervisors (Compute Pool); Storage Pool; Management and Orchestration; Compute Controller; Storage/Volume Controller; Management Network (Using APIs); Outside World]

Cloud computing resources change in minutes and seconds.

Scans, static settings, and caches can’t keep up.

Page 6: Cloud Security: Make Your CISO Successful

DevOps, SecOps, and Cloud

• DevOps is an operational framework.

• It is a natural outcome of cloud computing, not some weird over-hyped trend.

• Traditional silos condense, then operate with higher agility (and, ideally, resiliency).

• Security is most resistant to change (for good reasons). Security relies on a manual operational model.

Page 7: Cloud Security: Make Your CISO Successful

SecOps in Practice

[Diagram with numbered steps 1 to 5; surviving step labels: Inject startup script; Pull secure credentials; Register with config mgmt server; Pull configuration]

Page 8: Cloud Security: Make Your CISO Successful

Adapting Security for the Cloud

• Don’t rely on boxes and wires.

• Be as elastic and agile as the cloud.

• Rely more on policy-based automation.

• Understand and adjust for cloud characteristics (e.g. security groups vs. firewalls).

• Integrate with DevOps.

http://the4faces.com/2011/09/29/stages-of-evolution/

Page 9: Cloud Security: Make Your CISO Successful

Control the Management Plane

• Harden Web and API Servers

• Leverage Cloud IAM

• Compartment with IAM

• Audit, Log, and Alert

• Use a Management Plane Proxy

Page 10: Cloud Security: Make Your CISO Successful

Automate Host Security

• Embed agents in images and at launch.

• Integrate with configuration management.

• Dynamically configure agents.

• Prefer lightweight and agile agents.

• Host tools should support REST APIs.

Page 11: Cloud Security: Make Your CISO Successful

Intelligently Encrypt

[Diagram labels: Key Mgmt Server; Storage; Instance; Crypto Client; HSM, SECaaS, VM, or Server; Public/Private Cloud (IaaS)]

Page 12: Cloud Security: Make Your CISO Successful

Federate Identity

[Diagram labels: Directory Server; Federation Extensions; SAML]

Page 13: Cloud Security: Make Your CISO Successful

Adapt Network Security

• Design a good security group baseline.

• Augment with host firewall that coordinates with cloud.

• Push more security into the host.

• Prefer virtual network security appliances that support cloud APIs.

• Take advantage of cloud APIs.

• Security policies must follow instances.

Page 14: Cloud Security: Make Your CISO Successful

Leverage the Cloud

• Immutable servers

• Stateless security

• Security automation

• Software Defined Security

Page 15: Cloud Security: Make Your CISO Successful

This is Real Today

Page 16: Cloud Security: Make Your CISO Successful

Embedding and Validating Security Agents

• Build In

• Inject

• Config Push

• Tie to Running Services

• Tie to Cloud Platform

Page 17: Cloud Security: Make Your CISO Successful

Compartmentalize with IAM

[Diagram labels: Sec; Dev; Region; Prod; Action; Object]

Page 18: Cloud Security: Make Your CISO Successful

Hypersegregate with Security Groups

Page 19: Cloud Security: Make Your CISO Successful

Where to go From Here?

Page 20: Cloud Security: Make Your CISO Successful

What your CISO needs to know

Nicholai Piagentini

Sr. Solutions Architect

Page 21: Cloud Security: Make Your CISO Successful

First an allegorical example

• Large enterprise, traditional physical datacenter, traditional security.

• Growth by acquisitions introduces a widely disparate set of new environments to secure.

• Most acquisitions are in the cloud already and did not consider security as critical as the parent company.

• Security had to find a solution to fit all of it.

Page 22: Cloud Security: Make Your CISO Successful

Key points for this example

• Cannot rely on boxes and wires

– Multiple clouds, multiple physical datacenters.

– Host based security the only option that scales

• Elastic and Agile Security

– New acquisitions on the horizon, no real end in sight

– Baking security into the stack makes this easy

• Policy Based Automation

– Server Groups can link like servers across deployments

Page 23: Cloud Security: Make Your CISO Successful

How Halo helped

• Halo is a Security Automation Platform

• Halo agent is deployed onto the individual virtual hosts

• Policy is defined on our cloud based Security Analytics Engine

• Does not rely on any specific hypervisor system

• Policy follows the image wherever it goes