tiecon 2016 keynote - security challenges & opportunities with public cloud adoption
TRANSCRIPT
Ravi Amanaganti
Vice President of Engineering, Cisco Systems Inc.
May 6th 2016
Security Challenges and Solutions: Public Cloud Adoption
My Journey
The Traditional Enterprise Data Center is Disappearing
IT in Transition
Private Cloud (63% of enterprises), Public Cloud (88% of enterprises), Hybrid Cloud (58% of enterprises); deployments range from single tenant to multi-tenant
Source: Rightscale 2015 State of the Cloud Report
Estimated Growth of Public Cloud (chart): $15 billion in 2010, $97 billion in 2015, $191 billion in 2020
Source: Forrester Research Inc.
Cloud as a % of IT Spending (chart): under 1% in 2010, 4.3% in 2015, 14.5% in 2020
Businesses & Organizations Using Public Cloud
Why Are Enterprises Moving to Public Cloud?
Cost Savings, Speed, Elasticity & Scalability
Top Cloud Providers (chart)
Top Concerns About Moving to Public Cloud (survey bar chart, share of respondents): Security, Cost, Ability to Manage Hybrid, No Concerns, Lock-in, Outages and Availability, Lack of Visibility, Other
Source: platform9.com
Top Data Breaches of 2015
‣ Voter records: 191 million registered voter records
‣ Anthem: 80 million records
‣ Securus: 70 million prisoner phone calls
‣ Ashley Madison: 37 million records
‣ Office of Personnel Management: 21.5 million records
‣ Experian: 15 million records
‣ MacKeeper: 13 million records
‣ VTech: 11.3 million records
‣ Premera: 11 million records
‣ Excellus: 10 million records
$575B Lost Annually
The Changing Cloud Security Threats: The Treacherous Twelve
Rank by year (2010 / 2013 / 2015) and threat (- = not ranked that year):
 2010  2013  2015  Top Threats
   5     1     1   Data Breaches
   -     -     2   Insufficient Identity, Credentials and Access Management
   2     4     3   Insecure Interfaces and APIs
   -     -     4   System Vulnerabilities
   6     3     5   Account Hijacking
   3     6     6   Malicious Insiders
   -     -     7   Advanced Persistent Threats
   5     2     8   Data Loss
   7     8     9   Insufficient Due Diligence
   1     7    10   Abuse and Nefarious Use of Cloud Services
   -     5    11   Denial of Service
   4     9    12   Shared Technology Issues
Source: Cloud Security Alliance
Cloud Delivery Models & Security
(Diagram: the same stack of layers, Facility, Network, Compute & Storage, Virtualization, Guest OS, Data, Application, shown for Private Cloud, IaaS, PaaS and SaaS, with each layer marked as the tenant's or the provider's responsibility in that model.)
Data Lifecycle Protection
‣ End Devices: stolen credentials, malware, spoofing, pivot
‣ Data in transit: visible pipe, weak encryption, key compromise
‣ Compute: data visibility, data loss; rogue/weak/dirty applications
How to Achieve Effective Security?
Visibility Enforcement Automation
Do we have sufficient visibility into our apps and network?
Are we able to apply policy effectively?
Can we automate our operations?
Cloud Access Security Broker
(Diagram: a CASB sits between end devices and IaaS, PaaS and SaaS services, providing visibility, compliance and malware detection.)
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Cisco Security Solutions
OpenDNS
‣ Security from the cloud
‣ Blocks 95% of threats before they cause damage
AMP
‣ See a threat once, block it everywhere
‣ Most effective solution for known and emerging advanced threats
Next-Gen Firewall
‣ Prioritizes threats
‣ Automates response
‣ Improved malware protection
‣ Fully integrated management
Lancope
‣ Alerts attempted communication with an infected host
‣ Prevents infected host from communication within the network
‣ Uses Network as a Sensor to contain and minimize threats
The Changing Landscape
‣ Users: Mobile
‣ Network: Software Defined Networks
‣ Application: Microservices Architecture
‣ Compute: Containers
‣ Storage: Data Virtualization
Application Architecture Evolution
(Diagram: Monolith, a presentation layer over database access, reached over HTTP, beside Microservice, an API gateway in front of multiple services that talk to each other over RPC, HTTP and AMQP.)
Popular Containers & Adoption
Adoption up 5X in 2015
Source: datadog.com
Container Threats
(Diagram: infrastructure, operating system and container infrastructure underneath several containers, each with its own bins/libs and app.)
Attack surfaces:
‣ Attacks on the host and its network
‣ Attacks on other containers
‣ Attacks on the container infrastructure
Things to worry about
‣ Kernel exploits
‣ DoS attacks
‣ Container breakouts
‣ Poisoned images
‣ Compromising secrets
Hardening Container Security
‣ Isolation via namespaces, control groups, Linux capabilities and Linux Security Modules
‣ Run the container inside a virtual machine
Areas: Vulnerability Management, Compliance, Runtime Defense, Access Control, Policy Enforcement in Network
Essential Steps to Secure Containers
‣ Manage vulnerabilities spanning Linux distributions, containers, and app frameworks
‣ Monitor activities, detect anomalies and policy violations
‣ Enforce configurations, best practices, and trusted images
‣ Enforce user access policies for containers
‣ Enforce security policies in the network for applications running inside containers
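The isolation controls listed above (namespaces, control groups, capabilities, LSM/seccomp confinement) and the "enforce configurations" step can be checked mechanically. The following is an added example, not code from the talk or from Cisco: it audits one container record in the shape of `docker inspect` output (the field names follow Docker's `HostConfig`/`Config`; the sample record and the risky-capability list are constructed assumptions) and reports each hardening gap.

```python
import json

# Constructed sample in the shape of a `docker inspect` record; the values are
# made up for this example and deliberately leave several controls weak.
SAMPLE_INSPECT = json.loads("""{
  "Name": "/billing-api",
  "Config": {"User": ""},
  "HostConfig": {
    "Privileged": false, "CapAdd": ["SYS_ADMIN"], "CapDrop": [],
    "PidMode": "host", "NetworkMode": "bridge", "IpcMode": "private",
    "Memory": 0, "PidsLimit": 0,
    "SecurityOpt": ["seccomp=unconfined"], "ReadonlyRootfs": false
  }
}""")

# Assumed list of capabilities that commonly enable host or cross-container access.
RISKY_CAPS = {"SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "NET_ADMIN", "DAC_READ_SEARCH"}

def audit_container(inspect):
    """Return (area, finding) pairs for hardening gaps in one container record."""
    hc = inspect.get("HostConfig") or {}
    cfg = inspect.get("Config") or {}
    findings = []
    # Namespaces: sharing a host namespace removes that isolation boundary entirely
    for key in ("PidMode", "NetworkMode", "IpcMode", "UTSMode"):
        if hc.get(key) == "host":
            findings.append(("namespaces", f"{key}=host shares the host namespace"))
    # Control groups: no memory/pid limit lets one container exhaust the host (DoS)
    for key in ("Memory", "PidsLimit"):
        if not hc.get(key):
            findings.append(("cgroups", f"no {key} set"))
    # Capabilities: privileged mode or added capabilities are common breakout paths
    if hc.get("Privileged"):
        findings.append(("capabilities", "runs privileged"))
    for cap in hc.get("CapAdd") or []:
        name = cap.upper()
        if (name[4:] if name.startswith("CAP_") else name) in RISKY_CAPS:
            findings.append(("capabilities", f"CapAdd includes {cap}"))
    if "ALL" not in (hc.get("CapDrop") or []):
        findings.append(("capabilities", "default capability set not dropped"))
    # LSM / seccomp: confinement switched off, or privilege escalation still allowed
    opts = hc.get("SecurityOpt") or []
    findings += [("lsm", f"{o} disables confinement") for o in opts if o.endswith("unconfined")]
    if not any(o.startswith("no-new-privileges") for o in opts):
        findings.append(("lsm", "no-new-privileges not set"))
    # Access control and configuration: root user and writable root filesystem
    if str(cfg.get("User") or "").split(":")[0] in ("", "root", "0"):
        findings.append(("access", "process runs as root"))
    if not hc.get("ReadonlyRootfs"):
        findings.append(("config", "root filesystem is writable"))
    return findings
```

Run it over every record in `docker inspect $(docker ps -q)` to produce a per-container list of gaps; an empty list means all of the checks above pass.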
Microservice Infrastructure Solutions
Network Visibility for Container Workloads
‣ Without: no policy application, no visibility into individual flows
‣ Network visibility with Cisco: group based policy, visibility into individual flows
Innovation Opportunities
‣ Hybrid Environments
‣ Dynamic End-point Scale
‣ Auto-bots
‣ Data Analytics & Machine Learning
‣ Operational Policies for Containerized Apps
Competitive Landscape
Cisco Entrepreneurs in Residence
THANK YOU