
TRANSCRIPT

SESSION ID: STR-R14

#RSAC

THE IMPACT OF HYBRID AND MULTI CLOUDS TO CYBERSECURITY PRIORITIES

Doug Cahill
Group Director and Senior Analyst, Enterprise Strategy Group
@dougcahill

WHO IS THIS GUY?

Topics

• The Composition of Hybrid Clouds
  • Spotlight: Container Security Considerations
• Defining the Lack of Cloud Visibility
• Retooling for Multi-Dimensional Hybrid Clouds
  • Spotlight: Automating Security via Integration with the CI/CD Pipeline
• Applying Best Practices
• Summary

THE COMPOSITION OF HYBRID CLOUDS

What is hybrid, anyway?

THE MANY DEFINITIONS OF A HYBRID CLOUD

Primary Historical Use Case:
• Public cloud as a storage target for backup and archiving

More Accurately: Cross-cloud Orchestration
• By app tier – e.g. DB tier on-premises, web app tier in the cloud
• Burst-mode for scale, portability for best fit and price

--> For this Discussion:
• Simply the combination of an on-premises + cloud footprint

Multi-Cloud Adoption

Workloads are Shifting to Public Clouds

[Chart: grouped bars for two series, "Percent of production workloads run on public cloud infrastructure services today" and "Percent of production workloads run on public cloud infrastructure services 24 months from now". Categories: Less than 10% of workloads; 10% to 20% of workloads; 21% to 30% of workloads; 31% to 40% of workloads; 41% to 50% of workloads; More than 50% of workloads; Don’t know. Bar values as extracted: 16%, 25%, 26%, 16%, 10%, 5%, 1%, 5%, 15%, 24%, 24%, 16%, 15%, 2%.]

Survey question: Of all the production workloads used by your organization, approximately what percentage is run on public cloud infrastructure services (i.e., IaaS and/or PaaS) today? How do you expect this to change – if at all – over the next 24 months? (Percent of respondents, N=450)

The Heterogeneous Mix of Workload Types

[Chart: percent of production workloads run on each server type, with two series, TODAY and 24 MONTHS FROM NOW. Data labels as extracted, in series order: Containers, 19% and 33%; Virtual machines, 46% and 41%; Bare metal servers, 35% and 26%.]

HYBRID CLOUDS ARE MULTI-DIMENSIONAL

[Diagram: HETEROGENEOUS SERVER TYPES + MULTI-CLOUDS]

© 2017 by The Enterprise Strategy Group, Inc.

SPOTLIGHT: CONTAINER SECURITY CONSIDERATIONS

Containers are coming, en masse!

App Containers Are Moving Into Production

[Chart: has your organization deployed containerized applications to production? Values as extracted: 13%, 42%, 24%, 16%, 4%, 1%. Response options:]
• Yes, we have already deployed an extensive number of containerized production applications
• Yes, we have already deployed a few containerized production applications
• No, but we are testing it and plan to start deploying to production in the next 12 months
• No, but we intend to start testing it in our lab in the next 12 months
• No, and we have no plans to
• Don’t know

56% already in production + 24% in next 12 months

Legacy and New Apps are Being Containerized

[Chart: values as extracted: 23%, 73%, 4%. Response options:]
• We use/will use containers for new applications only
• We use/will use containers for new applications and some pre-existing “legacy” applications
• We use/will use containers for pre-existing “legacy” applications only

Application Container Portability Makes Them Location Agnostic

[Chart: values as extracted: 21%, 52%, 27%. Response options:]
• Our container-based applications are/will be deployed in a public cloud environment only
• Our container-based applications are/will be deployed in an on-premises data center or co-location facility managed by our organization only
• Our container-based applications are/will be deployed in a combination of public cloud platforms and private data centers

Container Security Concerns = VM Sprawl Redux

Container Security – Pre-Production Requirements

• Establish trusted images via registry-resident image scanning
• Eliminate known software vulnerabilities — Bonus: contextual, based on risk (known exploit, criticality of the app and data)
• Harden configurations against CIS benchmarks
• Remediate, rinse and repeat
• Secrets management: separate until runtime
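The slide lists the pre-production checks but not how a gate would combine them. The following is an added example, not code from the presentation or from ESG: a small registry-promotion gate that applies a risk-contextual vulnerability policy (known-exploit findings always block; other findings block at a severity threshold set by the criticality of the app and its data), runs two CIS-benchmark-style configuration checks, and rejects images whose build-time config carries secret-like environment variables. The scanner report layout, the `BLOCK_AT` thresholds, the image names and the `CVE-0000-*` identifiers are all constructed for illustration.

```python
"""Added example, not from the presentation: a pre-production gate for
container images.  It reads a constructed, scanner-style report for one image
and applies the slide's requirements: block known-exploited vulnerabilities
outright, block other vulnerabilities at a severity threshold that depends on
the criticality of the app and its data, check two CIS-benchmark-style
configuration items, and reject images whose build-time config carries
secrets (secrets should be injected at runtime instead).  The report format,
field names, thresholds and CVE ids are assumptions made for illustration."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Risk-contextual threshold (assumed policy): the more critical the app/data,
# the lower the severity at which the gate blocks.
BLOCK_AT = {"low": "critical", "medium": "high", "high": "medium"}

# Env var names that look like secrets baked into the image at build time.
SECRET_KEY_RE = re.compile(r"PASSWORD|SECRET|TOKEN|API_KEY|PRIVATE_KEY", re.I)


@dataclass
class Finding:
    cve: str
    severity: str
    known_exploit: bool
    fixed_version: Optional[str]


@dataclass
class ImageReport:
    image: str
    findings: List[Finding]
    config: Dict = field(default_factory=dict)  # subset of the image config


def vulnerability_violations(report: ImageReport, app_criticality: str) -> List[str]:
    threshold = SEVERITY_RANK[BLOCK_AT[app_criticality]]
    problems = []
    for f in report.findings:
        if f.known_exploit:
            problems.append(f"{f.cve}: known exploit available (blocks at any criticality)")
        elif SEVERITY_RANK[f.severity] >= threshold:
            fix = f"fix available in {f.fixed_version}" if f.fixed_version else "no fix yet"
            problems.append(f"{f.cve}: {f.severity} >= threshold for {app_criticality}-criticality app ({fix})")
    return problems


def config_violations(report: ImageReport) -> List[str]:
    cfg = report.config
    problems = []
    # CIS Docker Benchmark style checks: run as a non-root user, define a healthcheck.
    if cfg.get("User", "") in ("", "root", "0"):
        problems.append("config: image runs as root (no non-root USER)")
    if not cfg.get("Healthcheck"):
        problems.append("config: no HEALTHCHECK defined")
    # Secrets management: nothing secret-like may be fixed into the image's ENV.
    for kv in cfg.get("Env", []):
        key = kv.split("=", 1)[0]
        if SECRET_KEY_RE.search(key):
            problems.append(f"config: secret-like build-time env var {key}; inject it at runtime")
    return problems


def gate(report: ImageReport, app_criticality: str) -> Tuple[bool, List[str]]:
    """Return (promote to the trusted registry?, reasons when not)."""
    problems = vulnerability_violations(report, app_criticality) + config_violations(report)
    return (not problems, problems)


# Constructed sample reports; CVE ids are placeholders, not real advisories.
SAMPLE_REPORT = ImageReport(
    image="registry.example/payments/api:1.4.2",
    findings=[
        Finding("CVE-0000-0001", "high", known_exploit=False, fixed_version="2.3.1"),
        Finding("CVE-0000-0002", "medium", known_exploit=True, fixed_version=None),
        Finding("CVE-0000-0003", "low", known_exploit=False, fixed_version=None),
    ],
    config={"User": "", "Env": ["APP_ENV=prod", "DB_PASSWORD=hunter2"], "Healthcheck": None},
)

CLEAN_REPORT = ImageReport(
    image="registry.example/payments/api:1.5.0",
    findings=[],
    config={"User": "app", "Env": ["APP_ENV=prod"], "Healthcheck": {"Test": ["CMD", "true"]}},
)

if __name__ == "__main__":
    for crit in ("low", "high"):
        ok, why = gate(SAMPLE_REPORT, crit)
        print(f"{SAMPLE_REPORT.image} as {crit}-criticality app: {'PASS' if ok else 'BLOCK'}")
        for reason in why:
            print("  -", reason)
```

Running the sample shows the contextual part of the policy: the same image is blocked for four reasons when it backs a low-criticality app (the known-exploited CVE plus three configuration problems) and for five when it backs a high-criticality app, because the high-severity finding now crosses the lower threshold. The "remediate, rinse and repeat" loop is the developer fixing the listed reasons and resubmitting until `gate` returns `True`.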

Container Security – Runtime Requirements

Continuous Monitoring
• Inventory including discovery of untrusted/unsigned containers
• Topology mapping to view and verify relationships
• East-west inter-container traffic
• Auditing of access requests, system activity, and Docker API calls
• Integrity monitoring
• Baselining of normal behavior

Threat Prevention
• Detection and prevention of anomalous activity
• Integrity and application control to prevent drift
• Intrusion detection and prevention
• Access controls including segmentation
• Anti-malware detection and prevention

Container Security – Implementation Considerations

• CI/CD tool integration to enable automation (build-ship-run tools)
• Consider pros and cons of host vs. privileged container vs. “sensor”
• Registry aware – public and private
• Heterogeneous server workload type support

DEFINING THE LACK OF CLOUD VISIBILITY

Where’s the network tap?

Top Hybrid Cloud Security Challenges

[Chart: horizontal bars, percent of respondents. Bar values as extracted: 6%, 13%, 14%, 16%, 16%, 17%, 18%, 18%, 18%, 19%, 19%, 20%, 23%, 25%. Response options (truncated in the source where marked with …):]
• We have not experienced any challenges
• Inability to automate the application of security controls due to the lack of integration with…
• Lack of visibility into the network related activity of our cloud-based workloads
• Aligning regulatory compliance requirements with my organization’s cloud strategy
• My organization’s existing security tools do not support cloud native conventions such as on-…
• Some of our business units are doing application development and deployment on public cloud…
• Satisfying our security team that our public cloud infrastructure is secure
• Lack of skills needed to align strong security with our hybrid cloud strategy
• Inability for existing network security controls to provide visibility into cloud
• Our DevOps and application owners do not want to involve our security team in their cloud…
• Meeting prescribed best practices for the configuration of cloud-resident workloads and the use…
• Keeping up with the rapid pace of change via DevOps automation makes it a challenge to…
• Employees signing up for cloud applications without the approval and governance of our IT…
• Maintaining strong and consistent security across our own data center and multiple public cloud…

Top Areas for Improving Visibility Into Cloud-Resident Workloads

[Chart: horizontal bars, percent of respondents. Bar values as extracted: 18%, 18%, 19%, 21%, 24%, 26%, 26%, 27%, 30%, 30%. Response options (truncated in the source where marked with …):]
• Alerts on the anomalous use of cloud APIs
• The communication between workloads and an externally facing…
• Inter-workload communication
• The existence of any external facing server workloads which do not…
• An audit trail of the use of IaaS APIs
• An audit trail of privileged user account activity
• Alerts on the detection of anomalous system-level workload activity
• An audit trail of all system level activity
• Identifying workload configurations that are out of compliance…
• Identifying software vulnerabilities

WHICH IS WHY SOME FEEL THIS WAY

RETOOLING FOR MULTI-DIMENSIONAL HYBRID CLOUDS

Highest Priorities for Hybrid Cloud Security

[Chart: horizontal bars, percent of respondents. Bar values as extracted: 20%, 20%, 20%, 20%, 22%, 23%, 24%, 27%, 28%, 30%. Response options:]
• Create new policies specifically for cloud workloads and containers
• Figure out how we can extend our current security technologies to protect/monitor cloud workloads
• Learn about the security controls, monitoring capabilities, and APIs associated with each cloud service provider offering
• Determine ways to accelerate security tasks to keep pace with cloud provisioning and DevOps
• Explore and recommend new security technologies that are specifically designed for cloud computing
• Create a self-service catalogue so that workloads can be classified and then assigned to different public and private cloud options based upon their sensitivity
• Work with other teams to align security requirements with cloud provisioning and management automation
• Integrate security controls with cloud and/or container orchestration tools
• Implement a workload segmentation model to limit the lateral movement of an attack, i.e., segment test/dev from production workloads, segment regulated from non-regulated workloads, etc.
• Build a cloud security strategy that can be used across heterogeneous public and private clouds

Retooling Across Skills and Processes

[Chart: horizontal bars, percent of respondents. Bar values as extracted: 6%, 19%, 20%, 28%, 31%, 31%, 33%. Response options:]
• None of the above
• We don’t have the right level of cloud security skills
• We don’t have an adequately sized staff to meet our cloud security needs
• Understanding the specifics of how our cloud service provider and our organization share responsibility for securing our cloud-resident assets
• Working relationship between the IT Operations, DevOps, and cybersecurity teams
• Lack of familiarity with the continuous integration and continuous delivery processes and orchestration tools of a DevOps methodology
• General knowledge of cybersecurity threats that pose a risk to hybrid cloud infrastructure

The Rise of the Cloud Security Architect

[Chart: does your organization have a cloud security architect position? Values as extracted: 25%, 18%, 24%, 12%, 6%, 7%, 4%, 3%, 1%. Response options:]
• Yes, and this position(s) has been in place for a year or more
• Yes, and this position(s) has been in place for less than one year
• Yes, and this position(s) was recently established
• No, but we are actively hiring for this position
• We have had difficulty filling this position
• No, but we plan to establish this type of position(s) within the next 12 to 24 months
• No, but we are interested in establishing this type of position(s) sometime in the future
• No, and we have no plans or interest in doing so in the future
• Don’t know

AUTOMATING SECURITY VIA INTEGRATION WITH THE CI/CD PIPELINE

Strong Interest in Security + DevOps Use Cases

[Chart: to what extent does your organization automate security via DevOps? Values as extracted: 15%, 19%, 41%, 18%, 6%, 1%. Response options:]
• Extensively – Automating security via DevOps was one of the main reasons we adopted DevOps
• Somewhat – We plan to incorporate some level of security in our DevOps process
• We are evaluating security use cases that leverage our DevOps processes
• We do not want to slow down our DevOps processes with security
• We have not yet discussed how security fits with our DevOps plans
• Don’t know

Drivers Behind “DevSecOps” Adoption

1. TIGHT INTEGRATION
Allows us to improve our security posture by making sure cybersecurity controls and processes are tightly integrated at every stage of our continuous integration and continuous delivery (CI/CD) tool chain

2. COMPLIANCE
Allows us to assure we meet and maintain compliance with applicable industry regulations

3. COLLABORATION
Fosters a high level of collaboration between our development, infrastructure management, application owners, and cybersecurity stakeholders

4. OPERATIONAL EFFICIENCY
Improves our operational efficiency by automating the deployment of cybersecurity controls

5. PROACTIVE APPROACH
Makes us think about security proactively and as an immutable attribute of how we manage our infrastructure

DevSecOps and Cloud SecOps Use Cases Span Environments

[Chart: horizontal bars, percent of respondents. Bar values as extracted: 34%, 39%, 41%, 42%, 44%, 44%, 46%. Response options:]
• Applying inter-workload communication access controls
• Applying controls which capture system activity for incident response and forensics
• Identifying workload configurations that are out of compliance with a regulation before deployment to production
• Identifying software vulnerabilities before deployment to production
• Applying preventative controls
• Applying controls which can detect anomalous activity
• Identifying workload configuration vulnerabilities before deployment to production

APPLYING BEST PRACTICES

Separate Environments and Duties

By Environment
• Segment Dev, Test, and Production environments
• Further segment by compute and storage
• “Tiny bubbles to reduce blast radius”

By Role with Least Privilege, MFA
• APIs, not user accounts, to interact with services
• Least privilege model protects against credential harvesting
• MFA for commits, builds, and deploys

Gain Visibility via Discovery, Assessments, and Monitoring

Inventory the attack surface area
• Instance and container sprawl = developer manifestation of Shadow IT
• On-premises and cloud resident workloads
• For all accounts, all clouds

Assess Configurations
• The obvious: externally facing workloads not routing via a bastion host
• Workload configs against CIS benchmarks
• Use of pre-hardened images

Monitor the environment
• Enable auditing services for API and service usage; augment with on-board agent
• Host network flow traffic for east-west, in/outbound threat detection
• “DVR” activity for trust, but verify: compliance and IR investigations

Employ Anomaly Detection for Auto Scaling Groups

Premise: There should be no intra-group drift

Anomalies of interest:
• New process and child processes
• File system changes
• Logins beyond ID – time, location, frequency
• Netflow to/from remote IPs (i.e. not via jumphost)
• User access behaviors
• Inter-entity deviations

Rules by role to automate and reduce alert storms
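The premise above (no intra-group drift) turns the group itself into the baseline: whatever the majority of instances in an auto-scaling group look like is "normal", and the instance that differs is the inter-entity deviation. The following is an added example, not code from the presentation or from ESG, that applies that idea to constructed per-instance snapshots of processes, file hashes, logins and netflow peers, and uses per-role rules (the jumphost address, allowed east-west networks, paths where content drift is expected) to suppress benign variation so that a three-instance group produces one consolidated set of alerts rather than a storm. The snapshot layout, `ROLE_RULES`, instance ids and IP addresses are all assumptions.

```python
"""Added example, not from the presentation: intra-group drift detection for an
auto-scaling group.  Instances launched from one template should look alike,
so the group's consensus is the baseline and the instance that deviates from
it is the anomaly (inter-entity deviation).  Per-role rules describe expected
variation so that benign differences do not produce an alert storm.  The
telemetry layout, role rules, jumphost address and sample IPs are constructed
assumptions."""
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network
from typing import Dict, List, Set, Tuple

# Rules by role (assumed): what the group may differ in, and whom it may talk to.
ROLE_RULES = {
    "web": {
        "expected_login_sources": {"10.0.0.5"},      # the jumphost
        "allowed_remote_nets": ["10.0.0.0/8"],       # east-west only, no direct internet peers
        "volatile_paths": ("/var/log/", "/tmp/"),     # content drift here is normal
    }
}


def consensus(snapshots: List[dict], key: str) -> Set:
    """Items present on more than half of the instances form the group baseline."""
    counts = Counter()
    for snap in snapshots:
        counts.update(set(snap[key]))
    majority = len(snapshots) / 2
    return {item for item, n in counts.items() if n > majority}


def detect_drift(snapshots: List[dict], role: str) -> List[Tuple[str, str, str]]:
    """Return (instance, anomaly_type, detail) for every deviation from the group."""
    rules = ROLE_RULES[role]
    baseline_procs = consensus(snapshots, "processes")
    baseline_files = consensus(snapshots, "file_hashes")   # items are (path, digest) tuples
    allowed_nets = [ip_network(n) for n in rules["allowed_remote_nets"]]
    alerts = []
    for snap in snapshots:
        iid = snap["instance"]
        # New processes: anything not run by the majority of the group.
        for proc in sorted(set(snap["processes"]) - baseline_procs):
            alerts.append((iid, "new_process", proc))
        # File system changes: hashes that differ from the group, outside volatile paths.
        for path, _digest in sorted(set(snap["file_hashes"]) - baseline_files):
            if not path.startswith(rules["volatile_paths"]):
                alerts.append((iid, "file_change", path))
        # Logins: only the jumphost should be a login source.
        for user, src in snap["logins"]:
            if src not in rules["expected_login_sources"]:
                alerts.append((iid, "login_not_via_jumphost", f"{user}@{src}"))
        # Netflow: remote peers outside the role's allowed networks.
        for remote in snap["remote_ips"]:
            if not any(ip_address(remote) in net for net in allowed_nets):
                alerts.append((iid, "unexpected_remote_ip", remote))
    return alerts


def alerts_by_instance(alerts) -> Dict[str, List[str]]:
    """Group alerts per instance so one drifting host yields one consolidated ticket."""
    grouped = defaultdict(list)
    for iid, kind, detail in alerts:
        grouped[iid].append(f"{kind}: {detail}")
    return dict(grouped)


# Constructed snapshots for a three-instance "web" group; i-0003 has drifted.
def _snapshot(iid, extra_procs=(), conf_hash="a1", log_hash="l0", logins=(), extra_remote=()):
    return {
        "instance": iid,
        "processes": ["nginx", "sshd", "node_exporter", *extra_procs],
        "file_hashes": [("/etc/nginx/nginx.conf", conf_hash), ("/usr/sbin/nginx", "b2"),
                        ("/var/log/nginx/access.log", log_hash)],
        "logins": [("deploy", "10.0.0.5"), *logins],
        "remote_ips": ["10.0.1.20", *extra_remote],
    }

SAMPLE_SNAPSHOTS = [
    _snapshot("i-0001", log_hash="l1"),
    _snapshot("i-0002", log_hash="l2"),
    _snapshot("i-0003", extra_procs=("nc",), conf_hash="c3", log_hash="l3",
              logins=(("root", "203.0.113.9"),), extra_remote=("198.51.100.7",)),
]

if __name__ == "__main__":
    for iid, items in alerts_by_instance(detect_drift(SAMPLE_SNAPSHOTS, "web")).items():
        print(iid)
        for item in items:
            print("  -", item)
```

On the sample group the two healthy instances produce nothing: their access logs differ from each other, but `/var/log/` is volatile for the `web` role, so that drift is ignored. The third instance is reported once, with four findings (an extra process, a changed `nginx.conf`, a root login from outside the jumphost and a flow to a non-internal peer), which is the "rules by role" effect the slide describes: the role rules absorb the expected variation and the consensus check surfaces only the instance that no longer matches its peers.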

Automate Across All Environments (DevSecOps + Cloud SecOps)

In Dev: SDLC integrated
• Static code analysis
• Composition analysis

In Test: Reduce attack surface
• Because production is immutable
• Eliminate software vulnerabilities
• Assess and harden configs of services and workloads

In Prod: Policy via tool chain integration
• By tag, and thus templates, for consistency
• Host firewalls, integrity monitoring, IDS/IPS, anomaly detection

Unify for Consistency Across the Dimensions

• Replicate policy by workload profile/tag

• CI/CD automation on-prem and in the cloud

• Centralized visibility of inter-workload traffic

• Cloud-delivered and single console lowers operational cost

Seek Purpose-Built Solutions

• Supports automated policy assignment by tag

• Operates in auto-scaling groups, transient instances

• Linux support not an afterthought

• Support heterogeneous server workload types

• Serverless security on the roadmap

• Cloud delivered for cloud scale

• APIs for integrations and instrumentation

• Metered utility-based pricing model

Appreciate this is a Team Sport

Groups directly involved in hybrid cloud security policies (Evaluating, Purchasing, and Operating)

[Chart: horizontal bars, percent of respondents. Bar values as extracted: 19%, 24%, 29%, 33%, 35%, 40%, 41%, 56%. Response options:]
• Legal team
• Line-of-business/application owner
• Application development team
• Regulatory compliance team
• DevOps team
• Data center infrastructure/operations team
• Networking team
• Security team

SUMMARY

© 2018 by The Enterprise Strategy Group, Inc.

You may ask yourself “How did I get here?”

Summary

• Multi-dimensionality drives complexity, clouds visibility

• Siloed approaches should be an interim step

• Environment specifics need to be understood en route to a unified approach

• CI/CD integration is an opportunity to both automate for efficiencies and move security upstream/left

• Immutable production environments require introducing security earlier

I had the best pictures at RSA Conference 2018