TiEcon 2016 Keynote - Security Challenges & Opportunities with Public Cloud Adoption

Ravi Amanaganti, Vice President of Engineering, Cisco Systems Inc. May 6th 2016. Security Challenges and Solutions: Public Cloud Adoption

Upload: ravinder-reddy-amanaganti

Post on 16-Apr-2017

TRANSCRIPT

Page 1: TiEcon 2016 Keynote - Security Challenges & Opportunities with Public Cloud Adoption

Ravi Amanaganti

Vice President of Engineering, Cisco Systems Inc.

May 6th 2016

Security Challenges and Solutions

Public Cloud Adoption

Page 2: TiEcon 2016 Keynote - Security Challenges & Opportunities with Public Cloud Adoption

My Journey

Page 3: TiEcon 2016 Keynote - Security Challenges & Opportunities with Public Cloud Adoption
Page 4: TiEcon 2016 Keynote - Security Challenges & Opportunities with Public Cloud Adoption

The Traditional Enterprise

DATA CENTER is

DISAPPEARING

Page 5: TiEcon 2016 Keynote - Security Challenges & Opportunities with Public Cloud Adoption

Private Cloud (63% Enterprises)

Public Cloud (88% Enterprises)

Hybrid Cloud (58% Enterprises)

Single Tenant Multi-Tenant

IT in Transition

Source: Rightscale 2015 State of the Cloud Report

Page 6: TiEcon 2016 Keynote - Security Challenges & Opportunities with Public Cloud Adoption

Estimated Growth of Public Cloud

2010: $15 billion
2015: $97 billion
2020: $191 billion

Source: Forrester Research Inc.

Cloud as a % of IT spending

2010: < 1%
2015: 4.3%
2020: 14.5%

Page 7: TiEcon 2016 Keynote - Security Challenges & Opportunities with Public Cloud Adoption

Businesses & Organizations Using Public Cloud

Page 8: TiEcon 2016 Keynote - Security Challenges & Opportunities with Public Cloud Adoption

Why Are Enterprises Moving to Public Cloud?

Cost Savings, Speed, Elasticity & Scalability

Page 9: TiEcon 2016 Keynote - Security Challenges & Opportunities with Public Cloud Adoption

Top Cloud Providers

Page 10: TiEcon 2016 Keynote - Security Challenges & Opportunities with Public Cloud Adoption

Top Concerns About Moving to Public Cloud

Bar chart categories (percentage of respondents, axis 0% to 70%): Other, Lack of Visibility, Outages and Availability, Lock-in, No Concerns, Ability to Manage Hybrid, Cost, Security

Source: platform9.com

Page 11: TiEcon 2016 Keynote - Security Challenges & Opportunities with Public Cloud Adoption

Top Data Breaches of 2015

Registered voter records: 191 million
Anthem: 80 million records
Securus: 70 million prisoner phone calls
Ashley Madison: 37 million records
Office of Personnel Management: 21.5 million records
Experian: 15 million records
MacKeeper: 13 million records
VTech: 11.3 million records
Premera: 11 million records
Excellus: 10 million records

$575B Lost Annually

Page 12: TiEcon 2016 Keynote - Security Challenges & Opportunities with Public Cloud Adoption

The Changing Cloud Security Threats

The Treacherous Twelve

2010  2013  2015  Top Threats
5     1     1     Data Breaches
-     -     2     Insufficient Identity, Credentials and Access Management
2     4     3     Insecure Interfaces and APIs
-     -     4     System Vulnerabilities
6     3     5     Account Hijacking
3     6     6     Malicious Insiders
-     -     7     Advanced Persistent Threats
5     2     8     Data Loss
7     8     9     Insufficient Due Diligence
1     7     10    Abuse and Nefarious Use of Cloud Services
-     5     11    Denial of Service
4     9     12    Shared Technology Issues

Source: Cloud Security Alliance

Page 13: TiEcon 2016 Keynote - Security Challenges & Opportunities with Public Cloud Adoption

Cloud Delivery Models & Security

Delivery models: Private Cloud, IaaS, PaaS, SaaS

Stack layers shown for each model: Application, Data, Guest OS, Virtualization, Compute & Storage, Network, Facility

Legend: Tenant, Provider

Page 14: TiEcon 2016 Keynote - Security Challenges & Opportunities with Public Cloud Adoption

Data Lifecycle Protection

Stolen Credentials, Malware, Spoofing, Pivot

End Devices

Visible pipe, Weak encryption, Key compromise

Data in transit

Data visibility, Data loss

Rogue/Weak/Dirty Applications

Compute

Compute

Page 15: TiEcon 2016 Keynote - Security Challenges & Opportunities with Public Cloud Adoption

How to Achieve Effective Security?

Visibility: Do we have sufficient visibility into our apps and network?

Enforcement: Are we able to apply policy effectively?

Automation: Can we automate our operations?

Page 16: TiEcon 2016 Keynote - Security Challenges & Opportunities with Public Cloud Adoption

Cloud Access Security Broker

IaaS

PaaS

SaaS

CASB

Compliance

Malware Detection

End Devices

Visibility

Page 17: TiEcon 2016 Keynote - Security Challenges & Opportunities with Public Cloud Adoption

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Cisco Security Solutions

OpenDNS
‣ Security from the cloud
‣ Blocks 95% of threats before they cause damage

AMP
‣ See a threat once, block it everywhere
‣ Most effective solution for known and emerging advanced threats

Next-Gen Firewall
‣ Prioritizes threats
‣ Automates response
‣ Improved malware protection
‣ Fully integrated management

Lancope
‣ Alerts attempted communication with an infected host
‣ Prevents infected host from communication within the network
‣ Uses Network as a Sensor to contain and minimize threats

Page 18: TiEcon 2016 Keynote - Security Challenges & Opportunities with Public Cloud Adoption

The Changing Landscape

Users: Mobile

Network: Software Defined Networks

Application: Microservices Architecture

Compute: Containers

Storage: Data Virtualization

Page 19: TiEcon 2016 Keynote - Security Challenges & Opportunities with Public Cloud Adoption

Application Architecture Evolution

Diagram: Monolith vs. Microservice

Diagram labels: Presentation Layer, Database Access, API Gateway, Service (four instances); protocols shown: HTTP, RPC, AMQP

Page 20: TiEcon 2016 Keynote - Security Challenges & Opportunities with Public Cloud Adoption

Popular Containers & Adoption

Adoption up 5X in 2015

Source: datadog.com

Page 21: TiEcon 2016 Keynote - Security Challenges & Opportunities with Public Cloud Adoption

Container Threats

Infrastructure

Operating System

Container Infrastructure

Bins/Libs

App 1

Bins/Libs

App 2

Bins/Libs

App 3

Attacks on host and its network

Attacks on other Containers

Attacks on Container Infrastructure

Things to worry about

‣ Kernel Exploits
‣ DOS Attacks
‣ Container breakouts
‣ Poisoned images
‣ Compromising secrets

Page 22: TiEcon 2016 Keynote - Security Challenges & Opportunities with Public Cloud Adoption

Hardening Container Security

Isolation via

Namespaces

Control Groups

Linux Capabilities

Linux Security Modules

Run the Container inside a Virtual Machine

Page 23: TiEcon 2016 Keynote - Security Challenges & Opportunities with Public Cloud Adoption

Essential Steps to Secure Containers

Vulnerability Management: Manage vulnerabilities spanning Linux distributions, containers, and app frameworks

Compliance: Enforce configurations, best practices, and trusted images

Runtime Defense: Monitor activities, detect anomalies, and policy violations

Access Control: Enforce user access policies for containers

Policy Enforcement in Network: Enforce security policies in network for applications running inside containers

Page 24: TiEcon 2016 Keynote - Security Challenges & Opportunities with Public Cloud Adoption

Microservice Infrastructure Solutions

Page 25: TiEcon 2016 Keynote - Security Challenges & Opportunities with Public Cloud Adoption

Network Visibility for Container Workloads

Network

No Policy application

No Visibility into individual flows

Page 26: TiEcon 2016 Keynote - Security Challenges & Opportunities with Public Cloud Adoption

Network Visibility with Cisco

Network

Group Based Policy

Visibility into individual flows

Page 27: TiEcon 2016 Keynote - Security Challenges & Opportunities with Public Cloud Adoption

Innovation Opportunities

Hybrid Environments

Dynamic End-point Scale

Auto-bots

Data Analytics & Machine Learning

Operational Policies for Containerized Apps

Page 28: TiEcon 2016 Keynote - Security Challenges & Opportunities with Public Cloud Adoption

Competitive Landscape

Page 29: TiEcon 2016 Keynote - Security Challenges & Opportunities with Public Cloud Adoption

Cisco Entrepreneurs in Residence

Page 30: TiEcon 2016 Keynote - Security Challenges & Opportunities with Public Cloud Adoption


THANK YOU