“For A Moment, I Had A Feeling Of Total Security. Then Someone Said Cloud or DevOps or Self-provisioning (or was it all 3)!”
2 | © 2015 CloudPassage Confidential
IT Security – The Missing Piece in IT Replatforming
Nicholas Lee
Cloud Security [email protected]
IT Replatforming – Next Gen, Gen 3…
What’s Driving IT Replatforming?
• The business wants new features faster than ever
• New Features = New Revenue
IT has Responded
◦ Virtualization
◦ Self service
Development has Responded
◦ DevOps
◦ Rapid releases
◦ Cloud test & QA
Security has [Not] Responded
◦ Current tools built for Gen 2 data center
◦ In many cases, asking for things to slow down
◦ In other cases, pushed aside in acceptance of risk
Provisioning – Weeks to Minutes
Release Cycle – Quarters to Days
Change Breaks Security
Legacy
Traditional Data Center
Bare Metal
Basic Virtualization
Modern
UCS Director
Legacy
• Seeks control to avoid risk
• Waterfall approach
• Low rate of change
• Data centers / colo
• Approval-driven
• Stringent change control
• Network-centric security
• IT focused (less customer-centric)
• More centralized IT operations
Modern
• Embraces risk to gain agility
• Fast-iteration approach
• High rate of change
• SDDC / cloud
• Learning-driven
• Little or no change control
• System & app-centric security
• Business focused (closer to customer)
• More distributed IT operations
Security Must: Embrace Both Legacy and Modern IT
“Either you will or your replacement will”
Modern
Legacy
Experiments
Innovation
Greenfield Applications
Any New Application
Low-Risk Migrations
High-Risk Migrations
Core Business Applications
“BUSINESS AS USUAL”
Last Legacy Project
IT Replatforming
Modern
Legacy
New Security Tool Research
Experiments with Public Security
Securing DevOps
Full IT Security Replatforming
Securing Low-Risk Apps
Trusting Security to Protect your High-Risk Apps Wherever they Reside
Network Security “BUSINESS AS USUAL”
Server Security for Critical Apps
IT Security Replatforming
Legacy Application Development (traditional waterfall)
[Figure: January to December timeline; phases: Analysis and design, Coding & implementation, Quality testing, Staging and release; release: R1]
Modern Application Development (agile / iterative)
[Figure: January to December timeline; phases: Analysis and design, Coding and implementation, Quality testing, Staging and release; releases: R1 through R12]
[Figure: the iterative release timeline shown for App 1, App 2, App 3, App 4, ..., App n]
Weaving Security & Compliance into Modern AppDev / DevOps
• Core security policies already implemented, regardless of environment
• Security unit-testing cases required, or code is rejected (yes, really)
• Code & infrastructure policies ensured using DevOps-style automation
• Staging smoke tests include automated pen-testing, vulnerability assessment, policy validation, security baselines (against gold master)
All of this feeds into SIEM and GRC tools
[Figure: January to December timeline; phases: Analysis and design, Coding and implementation, Quality testing, Staging and release; releases: R1 through R12]
Legacy
• Everything “behind the firewall”
• Complete visibility & control
• Fewer changes at slower pace
• IT largely calls the shots
• Natural physical segmentation
• More controlled, paced cadence
Modern
• Assets are everywhere
• Inconsistent visibility & control
• More & faster changes (by OOM)
• Business units run their own IT
• Physical constructs are gone (portability)
• As-fast-as-automation-allows
You Need Security That Embraces Both Modern and Legacy IT
8 Keys to Securing the Transformation of IT
1. Built directly into core environments
2. Security that operates anywhere
3. Context-aware operation
4. Orchestration of many functions
5. Deep automation of each function
6. Instant and long-term scalability
7. Alignment with DevOps models
8. API-based integration capabilities
This is the most profound IT transformation you’re likely to see in your career…make it count!
www.cloudpassage.com
Questions/Thoughts/Comments?