SAFE JOURNEY TO THE CLOUD - Controlware...

Post on 18-Jul-2020


1©2018 Check Point Software Technologies Ltd. ©2018 Check Point Software Technologies Ltd.

Chris Strebl

Cloud Security Architect EMEA

SAFE JOURNEY TO THE CLOUD


XaaS – “X” As a Service


Cloud = Shared Responsibility

Customer responsible for security in the cloud

• Customer Data

• Platform, Applications, IAM

• Operating System, Network and FW Configs

• Client-side Data Encryption & Data Integrity Authentication

• Server-side Encryption (File System / Data)

• Network Traffic Protection (Encryption, Integrity, Identity)

Cloud vendor responsible for security of the cloud

• Compute, Storage, Database, Networking

• Cloud Global Infrastructure: Regions, Availability Zones, Edge Locations


STATE OF CLOUD CYBER SECURITY

esecurityplanet.com, September 19, 2017

pcmag.com, July 7, 2017

Lightreading.com, September 5, 2017

Gizmodo.com, September 19, 2017

Scmagazine.com, September 5, 2017

ZDNet.com, August 16, 2017


CloudGuard IaaS + Dome9 = Comprehensive Multi-Cloud Security

• Market-leading threat prevention – anti-bots, IPS, anti-malware, AV and more

• Securely connect your hybrid cloud

• Adaptive policy for macro-segmentation

• Full security visibility and control

• Cloud services and applications are never exposed

• Continuous compliance for cloud native services

• Auto-remediation of security misconfigurations

• Active protection against identity theft and data loss


About Dome9

300+ customers

100 Global 2000

100+ employees

Mountain View, CA

Tel Aviv, Israel


Check Point CloudGuard Dome9 SaaS Platform for Security and Compliance Automation in the Public Cloud

Protecting your Cloud workloads and services is no longer complex. Get full security visibility & control with continuous compliance.

• Network Security

• Privileged Identity Protection

• Cloud Threat Intelligence

• Continuous Compliance

Native Support for the Big 3 Clouds


Clarity: Complete Network & Security Visibility


Dome9 Compliance Bundles


Compliance Engine: Cloud Compliance and Best Practices


Continuous Compliance

Alerts Console

Email (Scheduled Report)

Email (Immediate Notification)

SNS (Slack, Sumo Logic / Splunk; ElasticSearch; S3; Remediation script/functions)

Ticketing System

ServiceNow

Jira

PagerDuty

AWS Security Hub


Dome9 Magellan: Context-Aware Security Intelligence

Enriched FlowLogs

Visual Traffic Map

Detailed Properties

Canned & Custom Queries


Traditional Security Not Designed FOR CLOUD

Static workloads

Manually intensive

DevOps don't know Security

IT Security doesn't know Cloud


WHERE CLOUD NATIVE SECURITY FALLS SHORT

NO Threat Prevention in real time (L4-L7 protections)

NO unified management for all Clouds & Traditional Data Center

NO Identity based authentication access to applications

NO URL Filtering

NO Threat Extraction and Zero-day Sandboxing


Where are we?

[Figure: timeline of THREATS vs. PROTECTIONS, with axis marks 1990, 2000, 2010, 2015, 2017. Threat generations: Gen I (Virus), Gen II (Networks), Gen III (Applications), Gen IV (Payload), Gen V (Mega). Protection levels: GRADE I to GRADE V. Callout: Enterprises are between Gen 2-3 (2.8).]


THIS MIGHT EXPOSE YOU TO…

• Lateral threat movements

• Data breach due to misconfiguration

• Abuse of cloud services

• API hacking

• Malicious insiders


4 STEPS TO SECURE YOUR CLOUD


STEP #1: CONTROL THE CLOUD PERIMETER

• Use advanced threat prevention at the cloud perimeter

• Securely connect your cloud with your on-premise environment


STEP #2: SECURE THE CLOUD FROM THE INSIDE

• Micro-segment your cloud to control inside communication

• Prevent lateral threat movement between applications


STEP #3: MANAGE CONSISTENT SECURITY FOR HYBRID ENVIRONMENTS

• Deploy unified security management for your hybrid cloud (On-Premise and Cloud)

• Ensure policy consistency

• Reduce operation cost


STEP #4: AUTOMATE YOUR SECURITY

Security should be as elastic and dynamic as your cloud

• Auto-provisioning via templates and APIs

• Auto-scale security with Pay-as-you-Go

• Adaptive to changes


THE CloudGuard FAMILY

Consistent security policy and control across ALL Private and Public Clouds


Fast API connect

Look for a security solution that talks to all major vendor architectures

Security Workgroups

Public: For AWS, For Azure, For Google

Private: For NSX, For vCenter, For ACI, For OpenStack


ADAPTIVE SECURITY

Reduce Firewall Tickets by 60%

Telefonica: “vSEC adaptive security is a game changer.”

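Check Point Access Policy

| Rule | From                        | To                                | Application | Action |
|------|-----------------------------|-----------------------------------|-------------|--------|
| 3    | Finance_App1 (vCenter Object) | Database_Group (NSX SecGroup)     | MSSQL       | Allow  |
| 4    | HR_App2 (OpenStack Object)  | Finance_Group (ACI EndPoint Group) | CRM         | Allow  |
| 5    | User_ID                     | SAP_App (Azure Object)            | SAP         | Allow  |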


CloudGuard IaaS FOR THE CLOUD

Infrastructure Security

Next Generation Firewall & VPN

Application and Data Security

Advanced Threat Prevention

Forensic Analysis

Cloud Vendor


‘Cloud Ready’ Unified Access Policy

Users, Devices, Applications, Data, Gateways, Mobile, Public Cloud, Private Cloud


SUMMARY

Cloud is eating the world

Bad guys are everywhere

Cloud Native Controls are good, but…

Own your security!

You can get burned when it’s cloudy, protect yourself!


THANK YOU