Date post: 16-Apr-2017
Category: Technology
Upload: alert-logic
Introduction
• Misha Govshteyn – CTO, Alert Logic
– Work in security and web-scale architecture; operate high performance LAMP environment and Erlang-based compute grid
– Help hosting/cloud service providers deliver security services
– Secure Cloud Review blog -> http://www.securecloudreview.com/
• What we do at Alert Logic
About this session
• Objective: Help you make security & compliance decisions that prepare your company for the future
• This presentation addresses a broad trend of consuming IT as a service
– Cloud in this context includes
– IaaS
– PaaS
– SaaS
Why take such a broad view? Because each of these models has the potential to significantly alter the way you protect your most critical assets
Putting 2010 questions in perspective
IT vs Cloud?
Private vs Public?
IaaS? PaaS? SaaS?
• Questions of today are less important than this fact: IT is increasingly delivered as a service
• Your IT footprint is already changing…
– probably adopting some form of cloud services
– network is already becoming decentralized
• Some of your data may already be off-premise
Formulating a Security Strategy
Position decisions you make today to meet demands of tomorrow
Make a new set of assumptions
Identify relevant questions
Your Enterprise in 2015
[Diagram labels: private; Enterprise Software; Enterprise Platforms; Cloud Enabled Functions (HR, CRM, Finance, POS, web storefront); ISV; platform; saas; burst; virtual desktop]
Your enterprise 5 years from now
• Perimeter is less important than ever
– More than 50% of your critical data is offsite
– Some in environments you do not control
– Some users don’t need your VPN to do their jobs
• Securing the enterprise will be characterized by
– Continuous transfer of security responsibility to service providers of all types
– Application/protocol level attacks
– Even more compliance requirements than today
Security trends in next 5 years
• Governance and compliance efforts will extend to private and public cloud environments
• Cloud providers will use security as a differentiator
– Become increasingly more transparent
– Provide automated attestation and auditing of key controls, including access to logs
– Native data encryption available & heavily promoted, but sparingly used
– Most will offer enterprise-level Security-as-a-Service within 2-3 years
• Changes in security industry
– Identity management is likely to become the first cloud sec “killer app”
– Netsec vendors, less strategic to enterprises, will focus on CSPs
– Application/protocol security and Data Leak Prevention are likely to become increasingly important due to PCI mandates
Cloud impact on network security
• Most network security products are unable to deal with complexity of CSP networks
– Big pipes: CSPs already see speeds well in excess of 50gbps
– Small customers: thousands of customers, some with very little traffic (no native multi-tenancy)
– Rapid elasticity – changing topology, new IP allocations, new VLANs, more traffic flows
• Today’s notions of trusted users, networks and computing resources will need to be re-thought
• Cloud Service Providers will begin to control an increasing share of the network, rather than Enterprise IT
The Evolving perimeter
• Traditional notion of perimeter will change dramatically as data migrates into the cloud
• Network firewalls will fade in importance as perimeter disappears
• Network security functions subsumed by service providers
– Increasingly offered as a service
– Become embedded in CSP and NSP network fabric
• New security focus:
– Applications
– Protocols
– Endpoints
[Diagram labels: mobile devices; terminals; remote users; laptops]
Emerging cloud security services
[Diagram labels: IPS; IDM; App; VA; Logs; WAF; cloud security saas; Web; VPN; AV; security saas]
• Delivered by
– Cloud Service Providers (CSPs)
– Network Service Providers (NSPs)
– Direct to enterprise by pure-play Security SaaS providers
CSP vs Customer responsibility
[Diagram labels, in the order they appear on the slide:]
Policy Violations: Serving illegal content (Movies, MP3s, Warez); Vulnerability Scanning; SPAM; Botnets; Malware
Mass Scale Cloud Attacks: Multi-Tenant Compromise; Service/Vuln Enumeration; Platform Targeting; Mass data leakage
Management Infrastructure: Brute force attacks; Information leakage; Mass permissions changes; API Targeting
Security SaaS: Single Tenant Compromise; Data Theft; Application Attacks; Worm/Botnet Infection
Compliance Services: Attestation; Auditing; Log Review; PCI Scans
Responsible parties shown: Customer / Managed Service; Cloud Service Provider
Compliance in the cloud
→ Attestation
→ Auditing of key controls
→ Activity reporting
→ Log availability
• Requires a robust set of enterprise-grade security capabilities and services from CSPs
• Automated cloud auditability: Emerging standard: CloudAudit/A6
X-Factor: the Auditors
• Passing a compliance audit in the cloud in next 5 years will require equal parts luck and planning
• Improving your chances
– Distant future: find an auditor that understands and has experience in cloud environments
– Today: help your auditor understand your environment
API? CSA? XML? A6? Hadoop?
EC2? VPC? XEN?
First steps
• Engage with your IT security and auditors
• Build a roadmap for dealing with the dissolving perimeter and set realistic goals for your team
• Understand how Security SaaS fits into your current and future strategy
• Explore technologies/efforts important to secure cloud adoption: IDM, OWASP, WAF, CSA, A6
• Choose cloud environments that understand and plan to address your evolving security needs
Alert Logic: http://www.alertlogic.com/
Secure Cloud Review Blog: http://www.securecloudreview.com/
Email: [email protected]: @CToMG