Post on 26-Jun-2020
transcript
www.cloudsec.com | #cloudsec
Extend Security from Enterprise Cloud Platform to Multi-Cloud
Don Fung | Nutanix
Truth in the Numbers
78% of organizations have been victims of one or more successful cyberattacks
45% increase in data breaches reported in 2017 compared to 2016
$3.86M is the average total cost of a data breach
Multiple vendors: disparate computing, virtualization, storage, and networking solutions.
Multiple approaches: each vendor approaches security differently, and typically in the narrow context of their own product only.
Multiple gaps: technology silos and inherent complexity create security gaps.
Multi-cloud adoption: the need to avoid vendor lock-in and to choose the right clouds for the right workloads leads to multi-cloud adoption.
81% of organizations work with two or more cloud vendors
Pain Points
Complex infrastructure + traditional security approaches = increased risk
• Security blind spots: Use of multiple cloud vendors and many infrastructure
products along with manual efforts to maintain them increases complexity and security gaps.
• Software upgrade delays: Validating and maintaining a security baseline
through software upgrades is time-consuming and often involves error-prone manual processes.
• Lack of a unified solution: Although multi-product strategies can mitigate
many threats, most alone have proven to be too complex and resource-intensive to be practical in a traditional, multivendor infrastructure stack.
• Limited cloud governance: Lack of visibility into and control over resource consumption in multi-cloud environments leads to more misconfigurations and security risk unless automated cloud governance policies are in place.
Config errors are a top risk: miscellaneous errors were the second most cited reason for a data breach, after web applications. Source: “2018 Data Breach Investigations Report,” Verizon.
By 2023, 99% of cloud security failures will be the customer's fault
Nutanix Customer Journey
Multi-Cloud Services for Apps and Data
Unify operations across public and private clouds
Secure and automate applications, and consolidate storage
Build an Enterprise Cloud
Modernize IT with HCI
Deliver enterprise apps and VDI from any site
What is HCI?
[Diagram: a traditional three-tier stack (apps on a virtualization layer, Fibre Channel switches, and a bank of separate storage controllers) contrasted with an HCI node where compute and storage sit together]
Integrated compute, storage, virtualization, network, and security
Converging Storage Services
[Diagram: Node 1, Node 2 … Node N, each a server running a hypervisor with user workloads and a storage controller (C1, C2) on the same node]
Flexible Scale-out Architecture
[Diagram: Node 1, Node 2 … Node N, each a server running a hypervisor with user workloads and a compute & storage controller (C1, C2), all contributing to one storage pool]
✓ Start small and scale without limits
✓ Increase capacity one node at a time
✓ Keep data local for maximum performance
✓ Mix node types and hardware generations
One-Click Operations
Application Automation and Orchestration
• Self-service provisioning
• App deployment and governance
• Multi-cloud visibility and control
Operational Insights
• Behavior-based alerting
• Intelligent remediation
• Consumer-grade search and dashboards
Planning
• Capacity planning
• One-click infrastructure optimization
• Just-in-time forecasting
Infrastructure Management
• Provisioning of storage, VMs, networking policies and data protection
• Cluster scale-out and scale-in
App Mobility
• Migration of Application & VMs across infrastructure
• Hypervisor conversion
• Archiving of data to cloud
Security Design in Enterprise Cloud: Security Lifecycle
Standards and Certifications
Factory Security Hardening & Baseline
Automated Configuration Validation and Self-healing
Data-at-Rest Encryption (FIPS 140-2 Validated)
Localized Encryption Key Management
Network Segmentation / Microsegmentation
Multi-factor Authentication, Role Based Access, & SAML
Data Protection / Replication / Availability
Flow
Visualize and Discover applications and their network connectivity
Segment applications and virtual networks without additional complexity or hardware
Secure applications, prevent data loss and support compliance goals.
Solution Overview: Application Security with Flow
AHV and Flow deliver advanced networking and security services inside the datacenter, providing application-centric visibility, protection from network threats, automation of security baselines, and data loss prevention.
What is Flow? Security and Networking
• Natively built into the Nutanix Enterprise Cloud as part of AHV
• Powerful visualization, policy-based microsegmentation and network automation capabilities
• Intuitive & scalable solution with no additional tools needed
• Built-in simplicity of Nutanix
[Diagram: Flow sits alongside the server, data protection and storage services, layered on Prism and AHV: comprehensive visibility, security, and automation]
What is Flow?
• Line-rate stateful firewall on each node
• East-west / VM-to-VM level granularity
• Central policy management
• Ubiquitous enforcement
• Rich visualization and monitoring
• App-centric security policy
Rich Visualization to Aid in Policy Authoring
“Show me all flows for my application”
[Diagram: application tiers spread across VLAN 10, VLAN 11 and VLAN 12 with the observed flows between them]
• Visualization is key to policy creation.
• Easily see application tier communication and interactions on the network.
Security Zoning & Isolation
“Development VMs should not talk to Production VMs”
• Isolating environments is simplified through one-click policies.
• Predefined categories for environment type make policy writing easy: simply add VMs to the desired category.
• Moving workloads across environments is simply swapping the category from Dev to Prod.
“Promote VM from Dev to Prod”
[Diagram: Development and Production VMs spread across VLAN 10, VLAN 11 and VLAN 12, shown before and after a VM is promoted]
Application Isolation
“All VMs of the same app can talk to each other”
• Isolating applications is simplified through one-click policies.
• Predefined categories for application type make policy writing easy: simply add the VM to the application category.
• The policy language allows simple expression of well-defined entry and exit points to/from the application.
“Allow inbound connections to App A from Internet”
“Allow outbound connections from App C to the AD server”
[Diagram: App A, App B, App C and an AD server spread across VLAN 10, VLAN 11 and VLAN 12, with the Internet reaching App A]
Network & Security Automation
[Diagram: Prism + Calm as the integrated management plane, a webhook API to the fabric controller, and automated VLAN mapping/discovery on the network infrastructure]
Integrated Management Plane
• Automated app provisioning with Prism and Calm
• Physical switch API integration (webhooks) for network automation
• Single pane of glass
Nutanix Services on AHV
• App/VM deployment: Prism Central, Calm
• Security automation with Flow microsegmentation
• L4-L7 integration / service insertion
Network Infrastructure
• Keep your current physical fabric
• Overlay agnostic (VLAN or VXLAN)
• Multi-vendor support
Security Partners – DPI, NGFW
▪ Engage a security partner when customers are looking for deeper network security functionality or integration. Key Terms: Next Gen Firewall (NGFW), Deep Packet Inspection (DPI), App Firewall
▪ Flow network policy allows for virtual appliances from our security partners to be inserted “in-line” between virtual machines based on policy defined in Flow. This allows customers to specify exactly which traffic they would like to send for additional security inspection.
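The category-based policy model described on the zoning, application-isolation and partner-insertion slides above, as an added illustration. This is not Nutanix Flow code and not its API: it is a small model in which VMs carry categories, rules are written against categories rather than VLANs or addresses, inbound Internet traffic to App A is steered through a partner appliance before delivery, and promoting a VM from Dev to Prod is nothing more than a category change. The VM inventory, category names, rule names and port numbers are all constructed for the example.

```python
"""Category-based microsegmentation, modelled after the Flow slides.

Added example, not Nutanix code: inventory, categories, rule names and ports
are constructed for the illustration. Policy is written against categories
(Environment, AppType, AppTier), never against VLANs or IPs, so a VM's
reachability changes the moment its categories change.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

ALLOW, DENY, INSPECT = "allow", "deny", "inspect"

# Constructed inventory: VM name -> categories. AppTier is optional.
INVENTORY: Dict[str, Dict[str, str]] = {
    "web-01":  {"Environment": "Production",  "AppType": "AppA", "AppTier": "Web"},
    "db-01":   {"Environment": "Production",  "AppType": "AppA", "AppTier": "DB"},
    "web-dev": {"Environment": "Development", "AppType": "AppA", "AppTier": "Web"},
    "app-c":   {"Environment": "Production",  "AppType": "AppC"},
    "dc-01":   {"Environment": "Production",  "AppType": "AD"},
}

# Endpoints that are not managed VMs (clients on the Internet) get one
# synthetic category so the same selector logic applies to them.
EXTERNAL: Dict[str, str] = {"Location": "Internet"}


@dataclass
class Rule:
    name: str
    src: Dict[str, str]               # every key/value must be present on the source
    dst: Dict[str, str]               # likewise for the destination; {} selects anything
    action: str                       # ALLOW, DENY, or INSPECT (hairpin via partner NGFW/DPI)
    ports: Optional[Set[int]] = None  # None matches any destination port
    symmetric: bool = False           # also match with src and dst swapped
    same_app: bool = False            # additionally require a shared AppType


def _selects(selector: Dict[str, str], categories: Dict[str, str]) -> bool:
    return all(categories.get(k) == v for k, v in selector.items())


def _matches(rule: Rule, src: Dict[str, str], dst: Dict[str, str], port: int) -> bool:
    if rule.ports is not None and port not in rule.ports:
        return False
    if rule.same_app and ("AppType" not in src or src["AppType"] != dst.get("AppType")):
        return False
    if _selects(rule.src, src) and _selects(rule.dst, dst):
        return True
    return rule.symmetric and _selects(rule.src, dst) and _selects(rule.dst, src)


POLICY: List[Rule] = [
    # "Development VMs should not talk to Production VMs" -- either direction.
    Rule("isolate-dev-prod", {"Environment": "Development"},
         {"Environment": "Production"}, DENY, symmetric=True),
    # "Allow inbound connections to App A from Internet": only the web tier,
    # only 443, and steered through the partner appliance first.
    Rule("appA-inbound-https", EXTERNAL,
         {"AppType": "AppA", "AppTier": "Web"}, INSPECT, ports={443}),
    # "Allow outbound connections from App C to the AD server".
    Rule("appC-to-ad", {"AppType": "AppC"}, {"AppType": "AD"}, ALLOW, ports={88, 389, 636}),
    # "All VMs of the same app can talk to each other".
    Rule("intra-app", {}, {}, ALLOW, same_app=True),
]


def evaluate(src: Dict[str, str], dst: Dict[str, str], port: int,
             policy: List[Rule] = POLICY) -> str:
    """First matching rule wins; a flow no rule permits is dropped (default deny)."""
    for rule in policy:
        if _matches(rule, src, dst, port):
            return rule.action
    return DENY


def check(src_name: str, dst_name: str, port: int) -> str:
    """Look up endpoints by name; 'internet' stands for any unmanaged client."""
    src = EXTERNAL if src_name == "internet" else INVENTORY[src_name]
    return evaluate(src, INVENTORY[dst_name], port)


def promote(vm_name: str, environment: str) -> None:
    """'Promote VM from Dev to Prod' is a category swap; no rule is edited."""
    INVENTORY[vm_name]["Environment"] = environment


if __name__ == "__main__":
    for flow in [("web-dev", "db-01", 3306), ("web-01", "db-01", 3306),
                 ("internet", "web-01", 443), ("internet", "db-01", 443),
                 ("app-c", "dc-01", 389), ("app-c", "web-01", 443)]:
        print(f"{flow[0]:>8} -> {flow[1]:<7}:{flow[2]:<5} {check(*flow)}")
    promote("web-dev", "Production")
    print("after promotion, web-dev -> db-01:3306:", check("web-dev", "db-01", 3306))
```

Two things the model makes visible that the slides only imply: the isolation rule is ordered before the intra-app rule, so a Dev and a Prod VM of the same application still cannot talk until one is promoted; and because category assignment is now the security boundary, the right to edit a VM's categories is as sensitive as the right to edit the policy itself, which is an argument for tight role-based access on that operation.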
Extend HCI > Enterprise Cloud
▪ Consolidate file storage
▪ Automate applications and IT workflows
▪ Secure applications
▪ Manage IT operations more efficiently
Application Lifecycle Management
End-to-end automation of application provisioning, scaling and management
Self-Service and Governance
One-click self-service with centralized role-based IT governance
Multi-Cloud Orchestration
Deployment of apps and centralized visibility across private and public clouds
Calm: Automate. Empower. Relax.
Blueprints Capture All Elements of the Application
[Diagram: a blueprint captures the application's VMs, base applications, configuration, network, components, security, connectivity, dependencies, operations and policy]
Calm Blueprints
1. Make sense of complexity in a visual way
2. Auto-generated system action flows
3. Utilize existing Bash or PowerShell scripts
4. Call any external service using HTTP tasks
5. Easy-to-understand dependencies
Blueprints: Not Just Provisioning
▪ Provision ▪ Configure ▪ Scale ▪ Upgrade ▪ Delete ▪ Repeat
Automate routine application management operations
Reduce errors, delays and downtime
Nutanix Marketplace empowers Self Service
50+ Pre-integrated blueprints
Publish custom apps to marketplace
Multi-Cloud Brokering Strategy Advantages…
Right Cloud for Right workloads
Laws of physics & locality
Mitigate Vendor lock-in
[Diagram: public clouds alongside the Nutanix cloud]
…But Multi-Cloud Governance is Complex
• Cloud sprawl causes cost leaks
• Inadequate visibility across cloud boundaries
• Many purchase plans add to planning complexity
• Ensuring security compliance
[Diagram: public clouds alongside the Nutanix cloud]
Xi Beam: Making Multi-Cloud Governance Invisible
• Visibility into performance across multiple clouds
• Optimization recommendations and insights across multiple clouds
• Control and govern multiple clouds using policy-based automation
[Diagram: Beam spans cost governance and security compliance across public clouds and the Nutanix cloud]
Cost Governance
Multi-Cloud Cost Governance: Optimization
• One click to easily eliminate unused resources
• Reserved-instance (RI) recommendations for deep cost savings
Intelligent Consumption Planning
Intelligent Purchase Recommendations
Powered by machine-intelligence to improve cloud spend
Multi-Cloud Savings
Complex planning turns into simple decisions
Proactive Utilization Planning
Ongoing recommendations for consumption planning
Cost Governance
Multi-Cloud Cost Governance: Control
• Policy-based automation to control spend
• Automated chargeback reports and budget alerts to drive accountability
Centralized Financial Governance
Cost Control
Empower teams with simple access to usage and costs
Cloud Accountability
Ensure owners make data-driven decisions
Granular Budgeting
Policy-driven cost-centers and budgets for multiple teams
Security Compliance
Multi-Cloud Security Compliance: Visibility
• Multi-cloud security heatmap for complete visibility
• Identify security issues using 300+ automated audit checks
Global Security Summary
Security Compliance
Multi-Cloud Security Compliance: Optimization
• One click to easily remediate security vulnerabilities
• Automate compliance with regulatory policies like PCI-DSS, HIPAA and more
One Click Remediate
Security Compliance
Multi-Cloud Security Compliance: Control
• Custom policies and audits to meet your specific needs
• Real-time security alerts for quicker remediation
Compliance Summary
Beam Advantages
• Immediate value: SaaS delivery model. Optimization recommendations within 24 hours.
• Action oriented: More than just insights. Easily execute on recommendations with the ‘One-Click to fix’ feature.
• Built for customization: Customizable security compliance policies and cost reports to meet your business needs.
• Multi-cloud coverage: Single service for public and private clouds (AWS, Azure & Nutanix). GCP coming soon.
• Actionable UI: Clean and fast interface. Easy on effort, sharp on performance.
THANK YOU
Don Fung | Nutanix