SECURITY AND COMPLIANCE IN THE CLOUD

Your Panel Today
• Bart Falzarano, Director of Security & Compliance, RightScale
• Roberto Monge, Cloud Solutions Engineer, RightScale
• Q&A: Steve Kochenderfer, Sales Development Representative, RightScale
Please use the “Questions” window to ask questions at any time
Agenda
• Data Breaches/Security Threats
• Evaluating Security of IaaS providers
• Addressing Security Gaps with Vanilla/Out-of-the-Box Cloud Infrastructure
• Live Demo of the RightScale Approach
• Q & A
Data Breaches Occur Everywhere
http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
Most Threats are Not Cloud Specific
• Data Breaches - Misconfigurations/Improper Design
• Data Loss - Cloud Provider suffers Data loss or Customer loses encryption keys
• Account Hijacking - Phishing, Cross-Site Scripting (XSS) bugs
• Secret keys sniffed on the network or stored on Laptops/Desktops
• Denial of Service (DoS & DDoS) attacks
• Malicious Insiders
• Abuse of Cloud Services - Use array of servers to stage DDoS, crack encryption keys, distribute malware
Evaluating the Security of IaaS Cloud Providers

Cloud Provider | PCI DSS | HIPAA | SSAE16 SOC1 | SSAE16 SOC2 | SSAE16 SOC3 | ISO 27001 | CSA | FedRAMP | Additional certifications, notes, and references
Amazon AWS | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ITAR, FIPS 140-2, DIACAP, FISMA; Amazon AWS GovCloud (US) environment; FedRAMP issued for both AWS GovCloud (US) and AWS US East/West regions. For complete scope reference: http://aws.amazon.com/compliance/
Microsoft Windows Azure | - | ✔ | ✔ | ✔ | - | ✔ | ✔ | ✔ | CSA CCM audit completed as part of their SOC2 assessment. For complete scope reference: http://www.windowsazure.com/en-us/support/trust-center/compliance/
Rackspace | ✔ | - | ✔ | ✔ | ✔ | ✔ | - | - | Safe Harbor Certified – EU Directive 95/46/EC on the protection of personal data; SOC2 - Security and Availability only. For complete scope reference: http://www.rackspace.com/about/whyrackspace/
Google Compute Engine | - | ✔ | ✔ | ✔ | ✔ | ✔ | - | - | Data is encrypted on local ephemeral disk and persistent disk. All data written to disk in Compute Engine is encrypted at rest using the AES-128-CBC algorithm. For complete scope reference: https://cloud.google.com/products/compute-engine/
Public Clouds Expand Security Capabilities
Network Security
• Secure access with SSL
• VPC and ingress/egress firewalls
• Private subnets w/VPC & IPSEC VPN
• Dedicated connections (Direct Connect)
• Separate Regions (GovCloud)
Data Security
• Advanced Encryption Standard (AES) 256, a secure symmetric-key encryption standard using 256-bit encryption keys
• AWS: HSM to manage keys
• Google: Encrypts data at rest
• Role-Based Access Control & MFA
Process Security
• Strong physical security controls
• Self-service provisioning and automation to avoid human errors
• Deep security expertise at cloud providers
• Support for customer penetration testing
• Network monitoring and protection
Top 5 Challenges Change with Cloud Maturity (Experience in the Cloud Changes Issues)

Place | Cloud Beginners | Cloud Focused
#1 | Security (31%) | Compliance (18%)
#2 | Compliance (30%) | Cost (17%)
#3 | Managing multiple cloud services (28%) | Performance (15%)
#4 | Integration to internal systems (28%) | Managing multiple cloud services (13%)
#5 | Governance/Control (26%) | Security (13%)
Source: RightScale 2014 State of the Cloud Report
Enterprises Choosing Multi-Cloud
Enterprise Cloud Strategy (1000+ employees):
• Hybrid cloud 48%
• Multiple public 15%
• Single public 13%
• Multiple private 11%
• Single private 9%
• No plans 4%
Multi-Cloud (hybrid, multiple public or multiple private combined): 74%
Source: RightScale 2014 State of the Cloud Report
Multi-Cloud is an Enterprise Reality
[Diagram: the application portfolio (App 1, App 2, App 3 … App N) passes through requirement filters (Performance, Cost, Compliance, Geo-location, Security) and is placed into resource pools: Existing DC, Internal Private, Virtualized, Hosted Private, Public Cloud 1, Public Cloud 2, Vendors.]
Security Gaps Remain
• Cloud Management & API differences across cloud providers
• Identity & Access Management / Access Control
• Change & Configuration Management
• Network & Data Security
• Business Continuity Planning / Disaster Recovery
• Monitoring/Alerting, Incident Response and Assessment
• Audit and Compliance
How RightScale Addresses The Gaps
• Standardize & Automate: Baseline Security / Standardized configurations, track versions, automate patching, monitoring, alerting, etc.
• Multi-Cloud: Govern many clouds with a single pane of glass
• Outage-Proof & DR: Ensure applications stay up during cloud or data center outages
• Audit & Compliance: Maintain a complete audit trail and comply with regulations
• Network & Data Security: Manage cloud network configurations and encrypt data
• Access Control: Integrate to SSO and control access to cloud credentials
Be Ready To Manage a Portfolio of Clouds
[Diagram: RightScale Cloud Portfolio Management (Self-Service, Cloud Analytics, Cloud Management: Manage, Govern, Optimize) acts as a single pane of glass over your cloud portfolio of public clouds, private clouds and virtualized environments, in place of decentralized cloud management.]
Manage Public, Private and Virtualized
o Deep integration to public and private cloud providers
o Elevates:
  • Configurations
  • APIs
  • Automation behaviors
  • Access control
  • Billing and governance
o Deploy to clouds and virtualized environment
o Move between clouds and virtualized
[Diagram: RightScale Cloud Portfolio Management reaches on-premises private clouds behind the corporate firewall through the RightScale Cloud Appliance for vSphere (vCenter Server™, ESXi, VMware® vSphere®), with an egress-only connection option, alongside the public clouds it manages.]
Control Enterprise Access
Robust Governance
• API or GUI account provisioning
• Temporary users
• SSO integration
  • SAML or OpenID
• Role based access control
• Hierarchical organization of accounts
• Limit access to cloud credentials
• Cloud resources isolated per account
From Rogue to Policy-Based Cloud Usage
Enforce Policies
o Pre-defined stacks to meet corporate standards
o Configured to your security requirements
o Define which clouds can be used
o Control user options and choices
o Control costs through quotas
Standardize with ServerTemplates
Enforce standards
o Automate provisioning and configuration across clouds
o Version-controlled
o Follow standards for versions, patches and configuration
o Leverage a variety of scripting languages
http://www.rightscale.com/blog/cloud-management-best-practices/rightscale-servertemplates-explained
Enforce Security Configuration Baselines with ServerTemplates
Enforce standards
o Modular building block approach to managing and securing server configurations
o Automate baseline security settings / system hardening configurations
o Version-controlled / Anti-tamper
o Perform system and security configuration audits
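The "system and security configuration audit" and "anti-tamper" points above, as an added example that is not RightScale's code or any ServerTemplate script: it parses a constructed sshd_config, compares it against a constructed hardening baseline (the directive values are assumptions for illustration, not a RightScale standard), reports every deviation, and fingerprints the file so the running copy can be checked against the version-controlled one.

```python
import hashlib

# Constructed hardening baseline (illustrative, not RightScale's): each sshd_config
# directive and the value the server is required to have.
BASELINE = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": "4",
    "Protocol": "2",
}

# Constructed sample of a server's sshd_config as read from disk (not a real host).
SAMPLE_SSHD_CONFIG = """\
# managed by configuration automation
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication no
X11Forwarding no
# MaxAuthTries deliberately left at its default
"""


def parse_sshd_config(text):
    """Return {directive: value}; sshd honours the first occurrence of a directive, so keep that one."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # directive without a value is not meaningful here
        key, value = parts
        settings.setdefault(key, value.strip())
    return settings


def audit(text, baseline=BASELINE):
    """List (directive, expected, actual) for every baseline directive that is missing or differs."""
    found = parse_sshd_config(text)
    deviations = []
    for key, expected in baseline.items():
        actual = found.get(key)
        if actual is None:
            deviations.append((key, expected, "<missing>"))
        elif actual.lower() != expected.lower():
            deviations.append((key, expected, actual))
    return deviations


def fingerprint(text):
    """SHA-256 of the file; a mismatch with the version-controlled copy's hash flags drift or tampering."""
    return hashlib.sha256(text.encode()).hexdigest()


if __name__ == "__main__":
    print("config fingerprint:", fingerprint(SAMPLE_SSHD_CONFIG))
    for key, expected, actual in audit(SAMPLE_SSHD_CONFIG):
        print(f"DEVIATION {key}: expected {expected!r}, found {actual!r}")
```

A baseline check that treats a missing directive as a deviation matters: a hardening setting that is simply absent silently falls back to the daemon's default, which is exactly the kind of drift an audit should surface.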
Repeatability and Consistency
RightScale Solution
• Scalable campaigns on tight deadlines
• Clone-able, customizable environments
• Deliver SLAs during huge traffic spikes
• Control infrastructure costs for clients
Outcomes: Increase Investment Flexibility / Reduce Risk / Improve IT Efficiency
Keep Tabs on All Cloud Resources in One Place
Monitor, Alert, Automate
o Application, cluster and server-level monitoring
o 80 built-in server, volume, database, and application monitors
o Assign alerts to any metric
o Customize escalations
o Trigger automated scaling, operational scripts, and notifications
o Create self-healing servers and deployments
Gain Visibility with Audit Trails
Ensure compliance
o See who changed what and when
o Provide audit logs and reports to satisfy regulators
o Available via API to integrate with other systems
Maintain a Pulse on your Cloud Costs
Intimately Understand your Cloud Spend
o Quickly identify & diagnose spikes in activity
o Visibility by project & user
o Planning and forecasting
o Budgets and cost controls
o Allocations
o Chargeback and showback
o Optimize spend
Secure Cloud with Network Manager
[Diagram: Network Manager objects - Clouds, Networks, Instances, Subnets, IP Address Bindings, Security Groups, Network ACLs, Routing Tables, IP Addresses.]
Abstract Network Security
o Manage network configuration across clouds
  • VPCs
  • Subnets
  • Security groups
  • Network gateways
o Maintain ability to leverage cloud-specific features
o Control permissions and audit changes to network configuration
o API and UI access
View Network Security in Context
Visualize Security
o Visualize and audit network configuration parameters
o Understand which deployments and security groups have which ports open to which IP addresses
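The audit described above (which deployments and security groups expose which ports to which addresses), as an added example that is not RightScale's Network Manager code: it walks a constructed inventory of security group ingress rules (the deployment and group names are made up), builds the port-to-source map, and flags sensitive ports whose source range is so wide it amounts to the whole internet. The sensitive-port list and the "/8 or wider counts as world-open" threshold are assumptions a team would tune to its own policy.

```python
import ipaddress
from collections import defaultdict

# Constructed sample inventory (not real cloud data): deployments -> security groups -> ingress rules.
# Fields mirror what a VPC security group rule carries: protocol, port range, source CIDR.
SECURITY_GROUPS = [
    {"deployment": "web-prod", "group": "sg-web", "rules": [
        {"protocol": "tcp", "from_port": 443, "to_port": 443, "cidr": "0.0.0.0/0"},
        {"protocol": "tcp", "from_port": 22, "to_port": 22, "cidr": "10.0.0.0/8"},
    ]},
    {"deployment": "db-prod", "group": "sg-db", "rules": [
        {"protocol": "tcp", "from_port": 3306, "to_port": 3306, "cidr": "10.1.0.0/16"},
        {"protocol": "tcp", "from_port": 22, "to_port": 22, "cidr": "0.0.0.0/0"},  # SSH open to the world
    ]},
    {"deployment": "legacy", "group": "sg-legacy", "rules": [
        {"protocol": "tcp", "from_port": 0, "to_port": 65535, "cidr": "0.0.0.0/0"},  # everything open
    ]},
]

# Assumed policy: ports that must never be reachable from arbitrary internet addresses.
SENSITIVE_PORTS = {22: "ssh", 3306: "mysql", 3389: "rdp", 5432: "postgres", 6379: "redis", 27017: "mongodb"}
# Assumed policy: a source network wider than this prefix length is treated as "anyone".
MIN_SAFE_PREFIX = 8


def is_world_open(cidr):
    """True when the source CIDR (IPv4 or IPv6) is broader than the policy allows."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen < MIN_SAFE_PREFIX


def port_inventory(groups):
    """Map (deployment, group, protocol, from_port, to_port) -> sorted list of source CIDRs."""
    inv = defaultdict(set)
    for g in groups:
        for r in g["rules"]:
            inv[(g["deployment"], g["group"], r["protocol"], r["from_port"], r["to_port"])].add(r["cidr"])
    return {key: sorted(cidrs) for key, cidrs in inv.items()}


def find_exposures(groups):
    """Return one finding per rule that exposes a sensitive port to a world-open source."""
    findings = []
    for g in groups:
        for r in g["rules"]:
            if not is_world_open(r["cidr"]):
                continue
            lo, hi = r["from_port"], r["to_port"]
            exposed = sorted(p for p in SENSITIVE_PORTS if lo <= p <= hi)
            if exposed:  # a world-open 443 alone is normal for a web tier and is not reported
                findings.append({"deployment": g["deployment"], "group": g["group"],
                                 "cidr": r["cidr"], "ports": exposed})
    return findings


if __name__ == "__main__":
    for key, sources in sorted(port_inventory(SECURITY_GROUPS).items()):
        print(f"{key[0]}/{key[1]} {key[2]} {key[3]}-{key[4]} <- {', '.join(sources)}")
    for f in find_exposures(SECURITY_GROUPS):
        names = ", ".join(f"{p} ({SENSITIVE_PORTS[p]})" for p in f["ports"])
        print(f"EXPOSED {f['deployment']}/{f['group']} from {f['cidr']}: {names}")
```

The inventory view answers the "who can reach what" question for reviewers, while the exposure check is the part worth wiring into an alert: it catches both the obvious world-open SSH rule and the blanket 0-65535 rule that hides several sensitive services behind one line.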
Protect Confidential Information
RightScale Solution
• Protect PII
• Deliver visibility & governance
• Optimize lifecycle automation
“RightScale gives us visibility. It helped us develop trust with security, finance, development and management.” – John Fitch
Outcomes: Accelerate Application Delivery / Reduce Risk
Data Residency with a Global Cloud Platform
Outage-Proof with Independent Control Plane
[Diagram: users (User A, User B, User C) reach the RightScale UI and RightScale API on a globally hosted, scalable, resilient SaaS platform; RightScale Primary replicates to RightScale Backup, which can fail over to either, and the control plane manages your cloud applications on Your Public Cloud A, Your Public Cloud B and Your Private Cloud over secure authentication and communication.]
DEMO
Security Development Life Cycle
Security Lifecycle: Assess/Design -> Set Policies & Controls/Implement -> Monitor & Enforce/Sustain -> Measure/Evaluate
RightScale Certifications
o U.S.-EU Safe Harbor Framework
o U.S.-Swiss Safe Harbor Framework
o SSAE16 SOC1 Type II & SOC2 Type II (in process)
Next Steps and Q&A
• Talk to us today about your requirements: +1 888-989-1856
• Learn more – request more info:
  • RightScale Security White Paper
  • ServerTemplates and HSM configuration brief
• Try RightScale Today: www.rightscale.com/free-trial