hybrid cloud security: potential to be the stuff of dreams, not nightmares

Post on 15-Apr-2017


TRANSCRIPT

Hybrid Cloud Security: Potential to be the stuff of dreams, not nightmares…

Adrian Sanabria

Senior Analyst, Enterprise Security Practice


Three critical IT changes

Photo Credits: "IBM PC-IMG 7271" by Rama & Musée Bolo


Agenda

1. Fear of the unknown

2. Challenges

3. Opportunities

Why does cloud scare people?


Rapid change - cloud is constantly evolving


Cloud computing and security – feel the pain

31% 63%


Cloud experience and security concerns

[Chart: % greatly concerned with security, for respondents with little to no experience vs. experienced respondents. Sources: Databarracks Survey, RightScale Survey]


New Challenges

Traditional IT

Cloud

Containers, DevOps


Path from traditional to private cloud

Physical Infrastructure/Data Center

Applications

Operating System

Network

Hypervisor/Virtualization Layer

Management Plane

Customer Responsibility

Data

New challenges & opportunities

New Attack Surface


Public IaaS: Provider vs. customer responsibilities

Physical Infrastructure/Data Center

Applications

Operating System

Network

Hypervisor/Virtualization Layer

Management Plane

Customer Responsibility

Service Provider Responsibility

Data

Encryption & Tokenization Opportunities

New Attack Surface


Containers – Cloud 2.0 already?

Physical Infrastructure/Data Center

Applications

Container Management

Network

Hypervisor/Virtualization Layer

Management Plane

Customer Responsibility

Data

Container Image Repositories

Unvalidated Images

New Operating Systems

Breakout potential


Case Study: Code Spaces


Case Study: Code Spaces

AWS Console

Rope

Data Center

Pit of data loss

Attacker

86%


Automation with APIs, SDN and NFV

Automation/Orchestration

Microsegmentation

Integration, on premises and off

VMware NSX

ForeScout Cloud APIs


New perspective: Servers are like cattle, not pets


Servers as pets: the old model

Old & Busted

Attackers

Users

Support Services

Admins

Hostname: Jabba

Uptime: 347 days

Built: Nov 2009

Built by: Brandon

Missing Patches: 49

Unique configuration

R/W Filesystem


Servers as cattle: the new model

New & Shiny

Attackers

Users

Support Services

Admins

Hostname: SVR129

Uptime: 9 hours

Built: Yesterday

Built by: a script

Missing Patches: 0

Non-unique config

R/W Filesystem

R/O Filesystem


Conclusions


My Top Recommendations

Protect the management plane

Multi-factor authentication

Principle of least privilege

Thank You!
