SESSION ID:

#RSAC

Doug Cahill

THE IMPACT OF HYBRID AND MULTI CLOUDS TO CYBERSECURITY PRIORITIES

STR-R14

Group Director and Senior AnalystEnterprise Strategy Group@dougcahill

#RSAC

WHO IS THIS GUY?

#RSAC

Topics

3

The Composition of Hybrid CloudsSpotlight: Container Security Considerations

Defining the Lack of Cloud Visibility

Retooling for Multi-Dimensional Hybrid CloudsSpotlight: Automating Security via Integration with the CI/CD Pipeline

Applying Best Practices

Summary

#RSAC

THE COMPOSITION OF HYBRID CLOUDS

#RSAC

What is hybrid, anyway?

#RSAC

THE MANY DEFINITIONS OF A HYBRID CLOUD

6

Primary Historical Use Case:• Public cloud as a storage target for backup and archiving

More Accurately: Cross-cloud Orchestration• By app tier – e.g. DB tier on-premise, web app tier in the cloud• Burst-mode for scale, portability for best fit and price

--> For this Discussion: • Simply the combination of an on-premises + cloud footprint

#RSAC

Multi-Cloud Adoption

7

#RSAC

16%

25% 26%

16%

10%5%

1%5%

15%

24% 24%

16% 15%

2%

Less than 10% ofworkloads

10% to 20% ofworkloads

21% to 30% ofworkloads

31% to 40% ofworkloads

41% to 50% ofworkloads

More than 50% ofworkloads

Don’t know

Percent of production workloads run on public cloud infrastructure services today

Percent of production workloads run on public cloud infrastructure services 24 months from now

Of all the production workloads used by your organization, approximately what percentage is run on public cloud infrastructure services (i.e., IaaS and/or PaaS) today? How do you expect this to change – if at all – over the next 24 months?(Percent of respondents, N=450)

Workloads are Shifting to Public Clouds

8

#RSAC

The Heterogeneous Mix of Workload Types

9

Containers, 19%Containers, 33%

Virtual machines, 46%Virtual machines, 41%

Bare metal servers, 35%

Bare metal servers, 26%

0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

100%

Percent of production workloads run on each servertype today

Percent of production workloads run on each servertype 24 months from now

Percent of production workloads run on each server type

TODAY

Percent of production workloads run on each server type

24 MONTHS FROM NOW

#RSACHYBRID CLOUDS ARE MULTI-DIMENSIONAL

+ =X 2+

HETEROGENOUSSERVER TYPESMULTI-CLOUDS

© 2017 by The Enterprise Strategy Group, Inc.

#RSAC

SPOTLIGHT: CONTAINER SECURITY CONSIDERATIONS

#RSAC

Containers are coming, en masse!

#RSAC

App Containers Are Moving Into Production

13

13%

42%24%

16%

4%1%

Yes, we have already deployed an extensive number of containerized production applications

Yes, we have already deployed a few containerized production applications

No, but we are testing it and plan to start deploying to production in the next 12 months

No, but we intend to start testing it in our lab in the next 12 months

No, and we have no plans to

Don’t know

56% already in production+24% in next 12 months

#RSAC

23%

73%

4%

We use/will use containers for new applications only

We use/will use containers for new applications and some pre-existing “legacy” applications

We use/will use containers for pre-existing “legacy” applications only

Legacy and New Apps are Being Containerized

14

#RSAC

Application Container Portability Make Them Location Agnostic

15

21%

52%

27%

Our container-based applications are/will bedeployed in a public cloud environment only

Our container-based applications are/will bedeployed in an on-premises data center or co-location facility managed by our organization only

Our container-based applications are/will bedeployed in a combination of public cloud platformsand private data centers

#RSAC

Container Security Concerns = VM Sprawl Redux

16

#RSAC

Container Security – Pre-Production Requirements

17

Establish Trusted Images via Registry-resident Image ScanningEliminate known software vulnerabilities — Bonus: Contextual based on risk -- known exploit, criticality of the app and dataHarden configurations against CIS benchmarksRemediate, rinse and repeatSecrets Management: Separate until runtime

#RSAC

Container Security – Runtime Requirements

18

Continuous MonitoringInventory including discovery of untrusted/unsigned containersTopology mapping to view and verify relationships East-west inter-container trafficAuditing of access requests, system activity, and Docker API callsIntegrity monitoringBaselining of normal behavior

Threat PreventionDetection and prevention of anomalous activityIntegrity and applications control to prevent driftIntrusion detection and prevention Access controls including segmentationAnti-malware detection and prevention

#RSAC

Container Security - Implementation Considerations

19

CI/CD tool integration to enable automation (build-ship-run tools)

Consider pros and cons of host vs. privileged container vs. “sensor”

Registry aware – public and private

Heterogeneous server workload type support

#RSAC

DEFINING THE LACK OF CLOUD VISIBILITY

#RSAC

Where’s the network tap?

#RSAC

6%

13%

14%

16%

16%

17%

18%

18%

18%

19%

19%

20%

23%

25%

We have not experienced any challenges

Inability to automate the application of security controls due to the lack of integration with…

Lack of visibility into the network related activity of our cloud-based workloads

Aligning regulatory compliance requirements with my organization’s cloud strategy

My organization’s existing security tools do not support cloud native conventions such as on-…

Some of our business units are doing application development and deployment on public cloud…

Satisfying our security team that our public cloud infrastructure is secure

Lack of skills needed to align strong security with our hybrid cloud strategy

Inability for existing network security controls to provide visibility into cloud

Our DevOps and application owners do not want to involve our security team in their cloud…

Meeting prescribed best practices for the configuration of cloud-resident workloads and the use…

Keeping up with the rapid pace of change via DevOps automation makes it a challenge to…

Employees signing up for cloud applications without the approval and governance of our IT…

Maintaining strong and consistent security across our own data center and multiple public cloud…

Top Hybrid Cloud Security Challenges

22

#RSAC

Top Areas for Improving Visibility IntoCloud-Resident Workloads

23

18%

18%

19%

21%

24%

26%

26%

27%

30%

30%

Alerts on the anomalous use of cloud APIs

The communication between workloads and an externally facing…

Inter-workload communication

The existence of any external facing server workloads which do not…

An audit trail of the use of IaaS APIs

An audit trail of privileged user account activity

Alerts on the detection of anomalous system-level workload activity

An audit trail of all system level activity

Identifying workload configurations that are out of compliance…

Identifying software vulnerabilities

#RSAC

WHICH IS WHY SOME FEEL THIS WAY

#RSAC

RETOOLING FOR MULTI-DIMENSIONAL HYBRID CLOUDS

#RSAC

© 2017 by The Enterprise Strategy Group, Inc.

#RSAC

Highest Priorities for Hybrid Cloud Security

27

20%

20%

20%

20%

22%

23%

24%

27%

28%

30%

Create new policies specifically for cloud workloads and containers

Figure out how we can extend our current security technologies to protect/monitor cloud workloads

Learn about the security controls, monitoring capabilities, and APIs associated with each cloud serviceprovider offering

Determine ways to accelerate security tasks to keep pace with cloud provisioning and DevOps

Explore and recommend new security technologies that are specifically designed for cloud computing

Create a self-service catalogue so that workloads can be classified and then assigned to differentpublic and private cloud options based upon their sensitivity

Work with other teams to align security requirements with cloud provisioning and managementautomation

Integrate security controls with cloud and/or container orchestration tools

Implement a workload segmentation model to limit the lateral movement of an attack, i.e., segmenttest/dev from production workloads, segment regulated from non-regulated workloads, etc.

Build a cloud security strategy that can be used across heterogeneous public and private clouds

#RSAC

Retooling Across Skills and Processes

28

6%

19%

20%

28%

31%

31%

33%

None of the above

We don’t have the right level of cloud security skills

We don’t have an adequately sized staff to meet our cloud security needs

Understanding the specifics of how our cloud service provider and ourorganization share responsibility for securing our cloud-resident assets

Working relationship between the IT Operations, DevOps, and cybersecurityteams

Lack of familiarity with the continuous integration and continuous deliveryprocesses and orchestration tools of a DevOps methodology

General knowledge of cybersecurity threats that pose a risk to hybrid cloudinfrastructure

#RSAC

The Rise of the Cloud Security Architect

29

25%

18%

24%

12%

6%

7%4%3%1%

Yes, and this position(s) has been in place for a year or more

Yes, and this position(s) has been in place for less than one year

Yes, and this position(s) was recently established

No, but we are actively hiring for this position

We have had difficulty filling this position

No, but we plan to establish this type of position(s) within the next 12to 24 monthsNo, but we are interested in establishing this type of position(s)sometime in the futureNo, and we have no plans or interest in doing so in the future

Don’t know

#RSAC

AUTOMATING SECURITY VIA INTEGRATION WITH THE CI/CD PIPELINE

#RSAC

#RSAC

Strong Interest in Security + DevOps Use Cases

32

15%

19%

41%

18%

6%1%Extensively – Automating security via DevOps was one of the main reasons we adopted DevOps

Somewhat – We plan to incorporate some level of security in of DevOps process

We are evaluating security use cases that leverage our DevOps processes

We do not want to slow down our DevOps processes with security

We have not yet discussed how security fits with our DevOps plans

Don’t know

#RSAC

Drivers Behind “DevSecOps” Adoption

33

1. TIGHT INTEGRATIONAllows us to improve our security posture by making sure cybersecurity controls and processes are tightly integrated at every stage of our continuous integration and continuous delivery (CI/CD) tool chain

2. COMPLIANCEAllows us to assure we meet and maintain compliance with applicable industry regulations

3. COLLABORATIONFosters a high level of collaboration between our development, infrastructure management, application owners, and cybersecurity stakeholders

4. OPERATIONAL EFFICIENCYImproves our operational efficiency by automating the deployment of cybersecurity controls

5. PROACTIVE APPROACHMakes us think about security proactively and as an immutable attribute of how we manage our infrastructure

#RSAC

DevSecOps and Cloud SecOps Use Cases Span Environments

34

34%

39%

41%

42%

44%

44%

46%

Applying inter-workload communication access controls

Applying controls which capture system activity for incident responseand forensics

Identifying workload configurations that are out of compliance with aregulation before deployment to production

Identifying software vulnerabilities before deployment to production

Applying preventative controls

Applying controls which can detect anomalous activity

Identifying workload configuration vulnerabilities before deployment toproduction

#RSAC

APPLYING BEST PRACTICES

#RSAC

#RSAC

Separate Environments and Duties

By Environment• Segment Dev, Test, and Production environments

• Further segment by compute and storage• “Tiny bubbles to reduce blast radius”

By Role with Least Privilege, MFA• APIs, not user accounts to interact with services• Least privilege model protects against credential harvesting• MFA for commits, builds, and deploys

#RSAC

Gain Visibility via Discovery, Assessments, and Monitoring

Inventory the attack surface area• Instance and container sprawl = developer manifestation of Shadow IT• On-premises and cloud resident workloads• For all accounts, all clouds

Assess Configurations• The obvious: Externally facing workloads not routing via a bastion host• Workload configs against CIS benchmarks• Use of pre-hardened images

Monitor the environment• Enable auditing services for API and service usage; augment with on-board agent • Host network flow traffic for east-west, in/outbound threat detection• “DVR” activity for trust, but verify compliance and IR investigations

#RSAC

Employ Anomaly Detection for Auto Scaling Groups

Premise: There should be no intra-group drift

Anomalies of interest:• New process and child processes• File system changes • Logins beyond ID - time, location, frequency• Netflow to/from remote IPs (i.e. not via jumphost)• User access behaviors• Inter-entity deviations

Rules by role to automate and reduce alerts storms

#RSAC

Automate Across All Environments (DevSecOps + Cloud SecOps)

In Dev: SDLC integrated • Static code analysis• Composition analysis

In Test: Reduce attack surface• Because production is immutable

• Eliminate software vulnerabilities

• Assess and harden configs of services and workloads

In Prod: Policy via tool chain integration• By tag, and thus templates, for consistency

• Host firewalls, integrity monitoring, IDS/IPS,anomaly detection

#RSAC

Unify for Consistency Across the Dimensions

• Replicate policy by workload profile/tag

• CI/CD automation on-prem and in the cloud

• Centralized visibility of inter-workload traffic

• Cloud-delivered and single console lowers operational cost

#RSAC

Seek Purpose-Built Solutions

• Supports automated policy assignment by tag

• Operates in auto-scaling groups, transient instances

• Linux support not an after thought

• Support heterogeneous server workload types

• Server less security on the roadmap

• Cloud delivered for cloud scale

• APIs for integrations and instrumentation

• Metered utility-based pricing model

#RSAC

#RSAC

Appreciate this is a Team Sport

Groups directly involved in hybrid cloud security policies (Evaluating, Purchasing, and Operating)

19%

24%

29%

33%

35%

40%

41%

56%

Legal team

Line-of-business/application owner

Application development team

Regulatory compliance team

DevOps team

Data center infrastructure/operations team

Networking team

Security team

#RSAC

SUMMARY

#RSAC

© 2018 by The Enterprise Strategy Group, Inc.

You may ask yourself “How did I get here?

#RSAC

Summary

47

Multi-dimensionality drives complexity, clouds visibility

Siloed approaches should be an interim step

Environment specifics need to be understood en route to a unified approach

CI/CD integration is an opportunity to both automate for efficiencies and move security upstream/left

Immutable production environments requires introducing security earlier

I had the best pictures at RSA Conference 2018

#RSAC