Posted: 05-Dec-2014 | Category: Business | Uploaded by: bill-burns
Practical Cloud Security Lessons Learned from the Bleeding Edge
Bill Burns | Executive-In-Residence | Scale Venture Partners | [email protected] | @x509v3
Background
• Production hybrid cloud security at scale
o Deployed distributed, hybrid cloud WAF
o Co-developed CloudHSM for IaaS HW root of trust
• Corporate IT “all-cloud” security strategy
o Cloud-first, mobile-first infrastructure model
o Mix of public cloud, best-of-breed SaaS
o This is the future of corporate IT services
• RSAC Program Committee, Startup Technical Advisory Boards, ISSA CISO Forum & Career Lifecycle
• Netflix, AOL, Netscape, Accenture Research
Topics
• Cloud: Why now? What’s changed?
• Forcing functions and new perimeters
• Cloud Security Controls: What’s new?
• Third-Party Risks: InfoSec and The Business
• Herding Data: Getting Started
• Security startups
Forcing Functions on IT Security
Cloud Services
Network Access Ubiquity
Mobility Consumerization / BYOD
Work/Life Integration
Business Risk
Agile/ DevOps
Cloud Forcing Function - Mobility
Source: Mary Meeker, KPCB
Cloud Forcing Function - Consumerization
• 58% / 42% of Americans now own a smartphone / tablet (1)
• By 2017: 50% of employers will require employees to BYOD for work purposes (2)
(1) Pew Research, Jan 2014
(2) Gartner, May 2013
Forcing Function - Network Access
• Network connectivity & seamless roaming
o 802.11ac – wireless networking now “just works”
§ Faster than typical wired ports, easier to provision
o Mobile 4G LTE is “fast enough”
§ Faster than home ISPs
§ 2018: 25% of corporate data will flow directly mobile-to-cloud (3)
• Blending work/life integration
o Aruba’s “#GenMobile” initiative
o Starbucks wants to be your life’s “3rd Place”
(3) Gartner, Nov 2013
Old: Perimeter Firewalls
• Castle and moat defense
• Provisioning was serialized, expensive
• Place people, data behind datacenter firewalls
• “Behind firewalls” = Trusted
New Perimeters : Follow the Data
• Controls evolving to be more:
o Proximal - Controls are close to the application/data
o Mobile - Move with the infrastructure/application
o Resilient - Emphasize recovery, response
o Holistic - Technical, legal, and business-level input
o Coordinated - Reliant on communications, automation
o Tiered - Nothing new here
What’s Your Cloud Comfort Level?
• Cloud Adoption / Maturity:
o Naysayers: you can’t do that (but can’t articulate why)
o Pathfinders: here’s how to do it, lessons learned
o Optimizers: here’s how to do it well, what not to do
o Cloud is inevitable. Learn how to manage it.
o Example: “We have 10 years of legacy work to deal with, we don’t have time to look at our cloud usage!”
• It’s about the business
o Board-level discussion on results, competition, risk
Cloud Security: New(ish) tech controls
• Goal: Track movement, access to data
o DRM/DLP-like controls, applied closer to the data
o Encrypt data, SoD for encryption keys
o Even though the data is not in your datacenter
• Goal: Restrict access to data, applications
o Forward and reverse proxy servers
o Old: Port/protocol-based network, subnets, host firewalls
o New: Tags, labels, data and host classification/sensitivity
o Log management, anomaly detection
o IAM - Risk-based authentication, SSO (for free)
Risks: InfoSec and The Business
Q: Who owns the risk in a new business endeavor?
• The business does
• InfoSec’s role:
o Be a trusted advisor to the business
o Anticipate security risk/controls changes and needs
o Communicate technical risks in business terms
o Propose options, help the business take smart risks
o Implement guardrails based on risk, sensitivity
o Measure risk, manage remediation/response
• Measure of success: Repeat business for your team!
Risks: InfoSec and The Business
• Legal, business perspectives
• Managing the risk – legal levers
o Risk-based: Level of scrutiny based on data sensitivity
o Add boilerplate language in your contracts, MSAs, etc.
o Strive to require partners to have security fundamentals in place: operational security basics, secure development, security incident notification, etc.
o Right to audit, assess => partner with your partners
Risks: InfoSec and The Business
• Managing the risk – technical levers
o Trust but verify their controls. It’s your data!
o Do an initial assessment, plus ongoing automated tests
o Partner with your partners on results you find
o Things to watch out for …
Risks: InfoSec and The Business
• Proving data security, good security hygiene
o Service providers should be more secure than SMBs
§ Laser-focused, homogeneous environment, etc.
o Doesn’t scale: Every customer pentesting their provider
§ Open item: Which standard should we trust?
• Which controls are most relevant, important for your data?
o Encryption, incident response, audit, SoD, …
o Prioritize those during negotiations, evaluations
Lessons learned: Getting Started
• Start simple
o Move least-risky workflows first
o Orchestrate, automate security controls
o Stage patches like other bugs and new features
o Datacenter-to-cloud connectivity, WAN-like latency
o Wholesale migration vs. re-architecting apps
• Migration phase
o Running “hybrid”, “dual stack” or “riding roman”
o Migrate workflows systematically
o Inter-service dependencies
Lessons learned: Getting Started
• Infrastructure Services
o Plan: Pick 1-3 security metrics you’d like to improve in your cloud, compare them to legacy infrastructure
§ Days to patch vulnerabilities, average host uptime, firewall ACLs actually used
o Do: Start simple, fail fast on “uninteresting” workflows and transactions; test response protocols
o Improve: Start codifying security policies, patches, automating provisioning and inventory controls
§ Good security starts with solid operational hygiene
o Repeat: Review lessons learned often, make small course corrections.
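The metric comparison the Plan step calls for, as an added example (not code from the talk or from the speaker): median days-to-patch, open findings past SLA, and firewall ACL utilization, computed per environment over constructed records. The record layout, field names, the 14-day SLA and the sample data are all assumptions for illustration; a real run would read them from your scanner and firewall log exports. Still-open findings are aged to the report date rather than dropped, so an environment cannot look good by never closing tickets.

```python
"""Cloud vs. legacy security hygiene metrics: added example, not from the talk.

Records and field layout are constructed assumptions, not any vendor's schema.
"""
from datetime import date
from statistics import median

AS_OF = date(2014, 12, 5)   # report date (assumption)

# Constructed vulnerability findings: (host, env, found, fixed-or-None if still open)
VULNS = [
    ("web-01", "cloud", date(2014, 11, 1), date(2014, 11, 3)),
    ("web-02", "cloud", date(2014, 11, 1), date(2014, 11, 2)),
    ("api-01", "cloud", date(2014, 11, 10), date(2014, 11, 12)),
    ("db-01", "cloud", date(2014, 11, 15), None),            # still open
    ("legacy-app-1", "legacy", date(2014, 10, 1), date(2014, 11, 15)),
    ("legacy-app-2", "legacy", date(2014, 10, 5), date(2014, 10, 30)),
    ("legacy-db-1", "legacy", date(2014, 10, 20), None),     # still open
]

# Constructed firewall rule sets: (rule id, matched any traffic in the review window)
FW_RULES = {
    "cloud": [("sg-web", True), ("sg-api", True), ("sg-db", True)],
    "legacy": [("acl-10", True), ("acl-11", False), ("acl-12", False),
               ("acl-13", True), ("acl-14", False)],
}


def days_to_patch(vulns, env, as_of):
    """Median days from finding to fix. Open findings keep aging up to as_of,
    so leaving a vulnerability unfixed cannot improve the number."""
    ages = [((fixed or as_of) - found).days
            for _, e, found, fixed in vulns if e == env]
    return median(ages) if ages else None


def open_findings_older_than(vulns, env, as_of, sla_days):
    """Hosts with findings still open and past SLA: the list ops has to act on."""
    return [host for host, e, found, fixed in vulns
            if e == env and fixed is None and (as_of - found).days > sla_days]


def acl_utilization(rules, env):
    """Fraction of firewall rules that matched traffic. Unused rules are
    review debt and often stale access that nobody remembers granting."""
    used = sum(1 for _, hit in rules[env] if hit)
    return used / len(rules[env])


def compare(vulns, rules, as_of, sla_days=14):
    """One row per environment so cloud and legacy are judged by the same yardstick."""
    return {
        env: {
            "median_days_to_patch": days_to_patch(vulns, env, as_of),
            "open_past_sla": open_findings_older_than(vulns, env, as_of, sla_days),
            "acl_utilization": round(acl_utilization(rules, env), 2),
        }
        for env in ("cloud", "legacy")
    }


if __name__ == "__main__":
    for env, metrics in compare(VULNS, FW_RULES, AS_OF).items():
        print(env, metrics)
```

Pick the report date deliberately: the same data read a month later will show a worse median for whichever environment is still sitting on open findings, which is the point of aging them instead of excluding them.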
Lessons learned: Getting Started
• Corporate Services & “Shadow IT”
o Baseline: Get visibility into your cloud services
§ You’re using more than you realize
§ Meet and share with IT, legal, other stakeholders
§ Facts lead to business-level conversations
o Log: Start collecting/mining SaaS access, audit logs
o Protect and Observe:
§ Deploy SAML, 2FA, integrate with your directory
§ Evaluate cloud service brokers, features
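The "Baseline" and "Log" steps above, and the "log management, anomaly detection" control on the Cloud Security slide, come down to the same job: pull the SaaS audit export, see which apps are actually in use, and mine the events for access that SAML plus 2FA should have prevented. The script below is an added example, not from the talk or from any provider. It assumes a simplified JSON-lines export with the fields shown (real Okta, Google Workspace or Salesforce exports use their own schemas), and the log lines, the list of MFA-required apps, the business-hours window and the export-burst threshold are all constructed assumptions.

```python
"""Mine a SaaS audit-log export for risky access: added example, not from the talk.

Assumes a simplified JSON-lines export with the fields used below; the sample
lines, app list and thresholds are constructed for this example.
"""
import json
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample export, one JSON object per line.
SAMPLE_LOG = """\
{"ts":"2014-12-01T08:02:11Z","user":"alice@example.com","app":"crm","event":"login","ip":"203.0.113.10","country":"US","mfa":true}
{"ts":"2014-12-01T08:05:40Z","user":"alice@example.com","app":"crm","event":"export","ip":"203.0.113.10","country":"US","mfa":true}
{"ts":"2014-12-01T08:30:00Z","user":"bob@example.com","app":"hr","event":"login","ip":"198.51.100.7","country":"US","mfa":false}
{"ts":"2014-12-01T09:10:00Z","user":"alice@example.com","app":"crm","event":"login","ip":"192.0.2.200","country":"RO","mfa":true}
{"ts":"2014-12-01T10:00:00Z","user":"dave@example.com","app":"crm","event":"login","ip":"203.0.113.21","country":"US","mfa":true}
{"ts":"2014-12-01T23:45:00Z","user":"carol@example.com","app":"files","event":"export","ip":"203.0.113.44","country":"US","mfa":true}
{"ts":"2014-12-01T23:50:00Z","user":"carol@example.com","app":"files","event":"export","ip":"203.0.113.44","country":"US","mfa":true}
"""

MFA_REQUIRED_APPS = {"hr", "crm", "files"}   # assumption: apps fronted by SAML + 2FA
BUSINESS_HOURS = range(7, 20)                # 07:00-19:59 UTC (assumption)
EXPORT_BURST = 2                             # exports per user per hour before flagging


def parse_log(text):
    """Parse JSON-lines; skip malformed records rather than abort the whole run."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
            rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ") \
                                .replace(tzinfo=timezone.utc)
            records.append(rec)
        except (ValueError, KeyError):
            continue   # a real pipeline counts these; a crash here hides everything else
    return records


def shadow_it_baseline(records):
    """Apps seen in the log and how many distinct users touch each one."""
    users_per_app = defaultdict(set)
    for rec in records:
        users_per_app[rec["app"]].add(rec["user"])
    return {app: len(users) for app, users in users_per_app.items()}


def find_anomalies(records):
    """Return (user, reason) findings for three simple, explainable detections."""
    findings = []
    seen_countries = defaultdict(set)
    exports = defaultdict(list)
    for rec in sorted(records, key=lambda r: r["ts"]):
        user = rec["user"]
        # 1. Login without MFA to an app that is supposed to require it.
        if rec["event"] == "login" and rec["app"] in MFA_REQUIRED_APPS and not rec["mfa"]:
            findings.append((user, f"login to {rec['app']} without MFA from {rec['ip']}"))
        # 2. Login from a country never seen before for this user.
        if rec["event"] == "login":
            if seen_countries[user] and rec["country"] not in seen_countries[user]:
                findings.append((user, f"new login country {rec['country']} "
                                       f"(seen: {sorted(seen_countries[user])})"))
            seen_countries[user].add(rec["country"])
        # 3. A burst of data exports outside business hours.
        if rec["event"] == "export":
            exports[user].append(rec["ts"])
            recent = [t for t in exports[user] if (rec["ts"] - t).total_seconds() <= 3600]
            if rec["ts"].hour not in BUSINESS_HOURS and len(recent) >= EXPORT_BURST:
                findings.append((user, f"{len(recent)} exports within an hour "
                                       f"at {rec['ts']:%H:%M} UTC"))
    return findings


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("apps in use:", shadow_it_baseline(recs))
    for user, reason in find_anomalies(recs):
        print(f"[!] {user}: {reason}")
```

The first detection is the one that pays for itself fastest once SAML is deployed: any login that bypasses the IdP shows up as an MFA-less session in the provider's own log, and that list is also the list of legacy credentials still to be revoked.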
Evaluating Security Startups
• Investors:
o Management team domain expertise, background
o Competitive advantages
o Market readiness, fit
o Product fit
• Customers:
o Support fit, scalability
o Roadmap fit, ability to execute against it
o Risk fit, operational hygiene / best practices
Guidance for Security Startups
o Be 10x better - provide superior customer value
o Look for disruptive technologies, approaches
o What else does the solution require? What can I turn off?
o Think API first
o Defenders & DevOps: The future is automation, interoperability, integration
o No cheating: Build your GUI on your API
o Model, measure, provide insights
o A/B testing, modeling allows safe experimentation
o Provide insights of current risk state
o Manage my cloud risk better than my legacy infrastructure
o A good deployment strategy starts with a great migration strategy
Thank you