Simplicity in Hybrid IT Environments: A Security Oxymoron?

Scott Crawford – Research Director, Information Security

Upload: tripwire

Post on 22-Jan-2018


Some hybrids are successful…

Others, not so much

Momentum favors the cloud

“How would you generally categorize your organization’s information security view of hosted cloud computing solutions (Hosted Private Cloud, IaaS, or PaaS) in terms of your organization’s tolerance for information security risk?”

Source: 451 Research Quarterly Advisory Report: Budgets and Outlook – Information Security 2016

But legacy/on-premises investments aren’t going anywhere soon

“Approximately how is your organization’s total information security spending on vendor-based security tools currently distributed across the following locations?”

Source: 451 Research Quarterly Advisory Report: Budgets and Outlook – Information Security 2016

Why maintain the investment?

• Realizing its full value
• Dependencies
• Maturity
  • Of the technology
  • Of operations & expertise
• The cloud is different…
• Regulatory requirements
• Ownership & control

“The” cloud?

Different implementations

Different services

Different approaches to management

So what’s the problem?

One set of techniques for legacy/on-premises

One (or more) set(s) of techniques for the cloud

So simplify!

Hint: What are common objectives?

• Consistency of control, across both legacy and “new IT”
• Assurance of enterprise responsibilities
• Demonstrations of adherence to enterprise requirements

| Security/Compliance Concern | Score |
|---|---|
| Encryption | 4.33 |
| Identity Management/Authorization/Access Control Tools | 4.26 |
| Assumption of Liability for Security Breaches or Outages | 4.23 |
| Explicit Contractual Responsibilities for Security Between the Cloud Provider and Customer | 4.17 |
| Explicit SLAs | 4.12 |
| Data Leakage Prevention (DLP) | 4.00 |
| Providing Regular Results of Security Audits from Known Security Testing Companies | 3.99 |
| Proven Compliance with Industry Standards | 3.92 |
| Auditability | 3.91 |

“Rate the importance of each of the following in addressing organizational concerns around security and compliance with hosted cloud solutions:”

Source: 451 Research Quarterly Advisory Report: Budgets and Outlook – Information Security 2016

Finding common ground

• Consistent application of policy
  • Essential for assuring enterprise compliance obligations, no matter where
• Consistent execution of tasks
  • Completeness of coverage across hybrid environments
• Consistent data gathering
  • For determining priorities for the entire investment

But one size does not fit all

From recent interviews with enterprise practitioners:

“Most things that we've encountered require a different approach for the cloud-based solutions, than they do for the on-premises solutions. And they almost always run into, ‘Oh, yes. But I can't support that’ …

“[For example], ‘we have the best […] security management tool in the industry,’ ‘Do you support SAP HANA?,’ ‘What's SAP HANA?’…

“Or, ‘We support Amazon Web Services for cloud-based packet inspection.’ ‘Does the same system work with my on-premises solution, and put it in the same console?’ ‘Oh no, you have to have two separate accounts.’ Those are the kinds of conversations that I have all the time…”

-Mid-level management, $1-5bn retailer

Source: 451 Research Information Security Narratives: Budgets and Outlook 2016

Implementations can be very different

Example: Asset inventory

Legacy/on-premises infrastructure

• Accuracy/depth/breadth of asset discovery
  • Across a variety of physical assets (hosts, networks, applications)
• Balance of speed and accuracy
• Policy constraints
• Tools often purpose-built

Cloud techniques

• API-based - ASK the cloud for whatever you want to know
  • ec2-describe-images --filter "tag-value=prod"
  • DescribeInstances
  • DescribeVpnGateways
  • DescribeFlowLogs
• Tools must be able to interact with APIs, automation at scale

How well do your preferred tools adapt?
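The asset-inventory contrast above, as an added example that is not part of the original slides: records from an on-premises discovery scan and from a DescribeInstances-shaped API response are normalized into one inventory, and a single policy check runs over both. The sample data, the on-premises field names, the required owner/env tags and the monitored-address set are constructed assumptions.

```python
# Constructed sample in the shape of an EC2 DescribeInstances response (trimmed).
DESCRIBE_INSTANCES = {"Reservations": [{"Instances": [
    {"InstanceId": "i-0aaa111", "State": {"Name": "running"},
     "PrivateIpAddress": "172.31.5.10",
     "Tags": [{"Key": "Owner", "Value": "web-team"}, {"Key": "Env", "Value": "prod"}]},
    {"InstanceId": "i-0bbb222", "State": {"Name": "running"},
     "PrivateIpAddress": "172.31.5.11"},  # launched without any tags
    {"InstanceId": "i-0ccc333", "State": {"Name": "terminated"}},
]}]}
# Constructed sample: rows exported by an on-premises discovery scan (hypothetical fields).
ONPREM_SCAN = [
    {"hostname": "db01.corp.example", "ip": "10.1.4.20", "owner": "dba-team", "env": "prod"},
    {"hostname": "print-srv", "ip": "10.1.9.7", "owner": "", "env": ""},
]
# Constructed sample: addresses the existing monitoring tool already reports on.
MONITORED_IPS = {"10.1.4.20", "10.1.9.7", "172.31.5.10"}
REQUIRED = ("owner", "env")  # hypothetical enterprise policy: every asset has both

def from_ec2(resp):
    """Normalize live instances from a DescribeInstances-shaped response."""
    for reservation in resp.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            if inst.get("State", {}).get("Name") == "terminated":
                continue  # no longer an asset
            tags = {t["Key"].lower(): t["Value"] for t in inst.get("Tags", [])}
            yield {"id": inst["InstanceId"], "source": "aws",
                   "ip": inst.get("PrivateIpAddress"),
                   "owner": tags.get("owner", ""), "env": tags.get("env", "")}

def from_scan(rows):
    """Normalize on-premises scan rows into the same record shape."""
    for row in rows:
        yield {"id": row["hostname"], "source": "onprem", "ip": row["ip"],
               "owner": row.get("owner", ""), "env": row.get("env", "")}

def build_inventory(resp, rows):
    return list(from_scan(rows)) + list(from_ec2(resp))

def findings(inventory, monitored_ips):
    """Apply one policy to every asset, wherever it runs."""
    out = []
    for asset in inventory:
        missing = [k for k in REQUIRED if not asset[k]]
        if missing:
            out.append((asset["id"], "missing:" + ",".join(missing)))
        if asset["ip"] not in monitored_ips:
            out.append((asset["id"], "unmonitored"))
    return out

if __name__ == "__main__":
    for asset_id, issue in findings(build_inventory(DESCRIBE_INSTANCES, ONPREM_SCAN), MONITORED_IPS):
        print(asset_id, issue)
```

The untagged cloud instance is reported twice: once for the missing tags and once because the on-premises monitoring set never saw its address.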

A small application? No problem.


That escalated quickly…

The long view: Infrastructure’s disappearing act

• 2000s: On-prem virtualization
• Rise of IaaS, PaaS, growth in SaaS
• Containers, microservices
• “Serverless”

If you think hybrid IT is diverse today…


Centralized Distributed

IoT

“Data centers on wheels”

• Up to 100 ECUs in some vehicles¹

…or with arms

…or wings

…or legs

¹ https://techcrunch.com/2016/08/25/the-biggest-threat-facing-connected-autonomous-vehicles-is-cybersecurity/

Not just “smart” endpoints

• Sophisticated compute near the edge

• Data volume, thin pipes, latency

• Real-time action & response

• Functionality offload for constrained endpoints

Will you be ready?

Thank you!

Scott Crawford
Research Director, Information Security

Twitter: @s_crawford

FOUNDATIONAL CONTROLS FOR THE HYBRID ENTERPRISE

UNIFIED MANAGEMENT

• Elastic monitoring
• Cloud policies & platforms
• Containerization

To learn more, download the TRIPWIRE FOUNDATIONAL CONTROLS FOR THE HYBRID CLOUD executive brief from the resource widget

tripwire.com | @TripwireInc