A Pragmatic Approach to Network Security Across Your Hybrid Cloud Environment
Nimmy Reichenberg, VP Strategy
Rich Mogull, Analyst and CEO
2 | Confidential
WHAT IS THE #1 REASON COMPANIES MOVE TO THE CLOUD?
COST AGILITY
AlgoSec simplifies, automates and orchestrates security policy management to enable you to
Manage Security at the Speed of Business
Cloud and DevOps
• Cloud is a new operational model.
• It requires a re-thinking of fundamental architectures.
• DevOps is a new operational framework, highly attuned to cloud.
• Both shatter existing security approaches.
The Technical Security Challenge
• The vast majority of information security is really infrastructure-centric security.
• Infrastructure-centric security relies on fixed locations of relatively static resources.
• Even many of our application security models rely on fixed infrastructure.
• It is context-unaware. DevOps and cloud are all about context.
Network Security Challenges
• Virtual networks don’t provide the same visibility.
• Cloud networks are managed via APIs.
• Cloud networks change constantly, and quickly.
• Cloud networks look the same, but aren’t.
The same words mean different things…
Cloud Network Types
VLAN
• Network hardware handles config.
• Limited customization and IP ranges.
• Poor security segregation.
SDN
• Configuration and management abstracted from underlying hardware.
• Software-defined and managed.
• Massive flexibility.
Getting Started
• Public Network
• Private Network
• Hybrid Cloud
• Gateways and VPNs
• Regions/Locations
• Zones (Availability Zones)
• Autoscaling
• Security Groups
Public Network (diagram)
Private Network (diagram)
Private Network (diagram): Notice anything missing?
Hybrid Network
• Extends the on-premises network.
• Technically, it has to extend a private cloud, but that’s a “purist” definition we don’t use in practice.
• Harder to secure, and consistency becomes critical. Each side affects the other.
• Best when you need to connect to legacy things.
Hybrid Connection Options (diagram): Direct/Private Line; VPN
Network Security Controls
Cloud Providers Give You Commercial Options
• Perimeter Security
• Security Groups
• ACLs
• Physical Security Appliances
• Virtual Security Appliances
• Host Security Agents
How it all works (in Amazon)
(Diagram series: Route 53 in front of the us-east-1 and us-west-2 regions; each region runs Web and App tiers across availability zones a, b, c, with a zone d also shown; the final panels narrow to one region, then to the Web tier split across Subnet 1 and Subnet 2 with two paths marked X.)
Immutable Infrastructure
(Diagram: pipeline from Source Code in Git, CloudFormation templates and Chef recipes, through Jenkins running Functional, Non-Functional and Security tests, to Chef servers feeding the Test and Prod environments.)
Building Your Program
Key considerations:
• Provider-specific limitations and advantages
• Application needs
• “New” architectures
• Impact of elasticity
• How you will manage
Design the Architecture
Design the Security Architecture
Manage Operations
• Organizing and staffing
  • Use dedicated, trained people
• Discover
  • Procurement can help, network scanning can’t (except sometimes for hybrid)
  • Access requests to data/applications
• Integrate with development
  • Build a handbook of approved patterns
  • Have a cloud security architect to help with design
  • Provide automation code and support
• Policy enforcement
  • Limit entitlements for security operations
  • Template and automate as much as possible
  • Automate change monitoring/management
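Automated change monitoring, the last point above, is easier to picture with code. The following is an added example, not AlgoSec's code: it diffs two snapshots of security-group rules, in the IpPermissions shape that the EC2 describe-security-groups call returns, against a list of approved change tickets. Rules added or removed without a ticket are reported as drift, and approved changes that never landed are reported as missing. The snapshots, group ids and the ticket are constructed inline.

```python
"""Automated change monitoring for security groups.

Added example, not AlgoSec's code. Assumes two snapshots of groups in the
IpPermissions shape returned by EC2 describe-security-groups, plus a list of
approved change tickets. Snapshots, group ids and the ticket are constructed.
"""


def flatten(snapshot):
    """Reduce a snapshot to a set of (group, proto, from, to, source) tuples.

    Sources may be IPv4/IPv6 CIDRs or referenced group ids; a missing port
    range (protocol -1) is normalised to 0-65535 so both snapshots compare alike.
    """
    rules = set()
    for group in snapshot:
        for perm in group.get("IpPermissions", []):
            proto = str(perm.get("IpProtocol"))
            lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            sources += [p["GroupId"] for p in perm.get("UserIdGroupPairs", [])]
            for src in sources:
                rules.add((group["GroupId"], proto, lo, hi, src))
    return rules


def diff_snapshots(before, after):
    """Return (added, removed) rule sets between two snapshots."""
    b, a = flatten(before), flatten(after)
    return a - b, b - a


def reconcile(before, after, tickets):
    """Compare the observed diff with approved tickets.

    Returns unapproved additions and removals (drift) and approved changes
    that never appeared (missing), each as a sorted list of rule tuples.
    """
    added, removed = diff_snapshots(before, after)
    ok_add = {tuple(r) for t in tickets for r in t.get("add", [])}
    ok_rem = {tuple(r) for t in tickets for r in t.get("remove", [])}
    return {
        "unapproved_added": sorted(added - ok_add),
        "unapproved_removed": sorted(removed - ok_rem),
        "missing": sorted((ok_add - added) | (ok_rem - removed)),
    }


# Constructed snapshots: the web group legitimately gains port 80 (ticketed),
# the app group quietly gains world-open SSH (not ticketed).
BEFORE = [
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-app", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
         "UserIdGroupPairs": [{"GroupId": "sg-web"}]}]},
]
AFTER = [
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-app", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
         "UserIdGroupPairs": [{"GroupId": "sg-web"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]
TICKETS = [{"ticket": "CHG-0001 (constructed)",
            "add": [("sg-web", "tcp", 80, 80, "0.0.0.0/0")]}]

if __name__ == "__main__":
    for kind, rules in reconcile(BEFORE, AFTER, TICKETS).items():
        for rule in rules:
            print(kind, rule)
```

The output of reconcile is the audit record: run on a schedule or from a CloudTrail-triggered job, anything in unapproved_added is a change that bypassed the process and should be rolled back or ticketed retroactively, and anything in missing is an approved change that was never actually applied.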
Managing Hybrid
• Normalize security.
• Translate rules based on application needs; don’t blindly apply them.
• Understand the difference between security groups and firewall rulesets.
• DON’T JUST CONVERT TO ACLs.
• Don’t just drop in virtual appliances out of habit; always start with cloud features.
• If migrating applications, watch out for network configurations.
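A concrete case of “translate rules, don’t blindly convert”: the block below is an added example, not from the presentation or from AlgoSec. It takes a small constructed on-prem ruleset and renders it two ways, as stateful security-group ingress entries whose tier sources become group references, and as stateless network-ACL entries for one subnet, which need a CIDR source plus a matching ephemeral-port return entry for every flow. Tier names, group ids and CIDRs are constructed; the outputs mimic the shape of EC2 IpPermissions and ACL entries rather than calling any API.

```python
"""Translating an on-prem firewall ruleset into cloud controls.

Added example, not from the presentation or AlgoSec. The ruleset, the tier
names, security-group ids and CIDRs are all constructed; the outputs mimic
the shape of EC2 security-group IpPermissions and network-ACL entries so the
stateful and stateless models can be compared side by side.
"""

# Constructed on-prem ruleset: one entry per allowed flow on a stateful firewall.
ONPREM_RULES = [
    {"name": "internet-to-web", "src": "0.0.0.0/0", "dst": "web", "proto": "tcp", "port": 443},
    {"name": "web-to-app", "src": "web", "dst": "app", "proto": "tcp", "port": 8080},
    {"name": "app-to-db", "src": "app", "dst": "db", "proto": "tcp", "port": 5432},
    {"name": "ops-to-web-ssh", "src": "10.10.0.0/16", "dst": "web", "proto": "tcp", "port": 22},
]

# Application tiers mapped to security groups (stateful, membership-based) and
# to the subnets those tiers happen to occupy today (needed for a CIDR-only ACL).
TIER_SG = {"web": "sg-web", "app": "sg-app", "db": "sg-db"}
TIER_CIDR = {"web": "10.0.1.0/24", "app": "10.0.2.0/24", "db": "10.0.3.0/24"}
EPHEMERAL = (1024, 65535)


def to_security_groups(rules, tier_sg=TIER_SG):
    """Stateful translation: one ingress entry on the destination tier's group.

    A tier source becomes a group reference, so instances can scale in and out
    (and change IP) without touching the rules; return traffic is implicit.
    """
    sgs = {sg: [] for sg in tier_sg.values()}
    for r in rules:
        entry = {"IpProtocol": r["proto"], "FromPort": r["port"], "ToPort": r["port"]}
        if r["src"] in tier_sg:
            entry["UserIdGroupPairs"] = [{"GroupId": tier_sg[r["src"]]}]
        else:
            entry["IpRanges"] = [{"CidrIp": r["src"]}]
        sgs[tier_sg[r["dst"]]].append(entry)
    return sgs


def to_network_acl(rules, tier, tier_cidr=TIER_CIDR):
    """Stateless translation for the subnet holding `tier`.

    Every flow needs an inbound entry plus an outbound entry for the reply on
    ephemeral ports, and tier sources collapse to today's CIDR, which goes
    stale as soon as the tier moves or autoscales into another subnet.
    """
    inbound, outbound, num = [], [], 100
    for r in (x for x in rules if x["dst"] == tier):
        src = tier_cidr.get(r["src"], r["src"])
        inbound.append({"RuleNumber": num, "Protocol": r["proto"], "RuleAction": "allow",
                        "Egress": False, "CidrBlock": src, "PortRange": (r["port"], r["port"])})
        outbound.append({"RuleNumber": num, "Protocol": r["proto"], "RuleAction": "allow",
                         "Egress": True, "CidrBlock": src, "PortRange": EPHEMERAL})
        num += 10
    return inbound, outbound


def entry_counts(rules):
    """How many entries each model needs for the whole ruleset."""
    sg_total = sum(len(v) for v in to_security_groups(rules).values())
    acl_total = sum(len(i) + len(o) for i, o in
                    (to_network_acl(rules, t) for t in TIER_CIDR))
    return {"security_group_entries": sg_total, "network_acl_entries": acl_total}


if __name__ == "__main__":
    print(to_security_groups(ONPREM_RULES))
    print(to_network_acl(ONPREM_RULES, "web"))
    print(entry_counts(ONPREM_RULES))
```

The two outputs make the slide's point visible: the ACL version doubles the entry count, opens a wide ephemeral range outbound, and bakes in subnet addresses that stop matching the application the moment it autoscales, while the security-group version follows the application tiers themselves.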
The AlgoSec Suite
Application-Centric Approach
Abstraction of Underlying Network
Consistency across Hybrid-Cloud
The AlgoSec Suite
Move servers from on-prem datacenter to AWS
The AlgoSec Suite
Topology Analysis Discovers New Path
Proactive Risk and Compliance Assessment
Relevant Security Groups Added/Modified
On-Prem Firewall Rules Decommissioned
Log and Audit Trail
Logical Application Connectivity Unchanged!
Sample Architectures
Summary
• Cloud networks may look the same, but they aren’t.
• Segregation is your most powerful security control, and you get it by default.
• Hybrid networks are tougher, and need extra security care and feeding.
• Once you accept that cloud networking is “software defined everything”, adapting your security knowledge isn’t very difficult.
SECURITY FUNDAMENTALS STAY THE SAME
• Monitoring
• Least privilege
• Change management
• Risk analysis
• (Micro) Segmentation
• Governance
• Compliance
ALL THIS IN A SINGLE PANE
Secure Application Connectivity
Security Policy Change Management
Continuous Compliance and Auditing
Security Policy Optimization
Security Policy Risk Mitigation
Network Segmentation Enforcement
Rich Mogull, Securosis, @rmogull
Nimmy Reichenberg, AlgoSec, @algosec
Find out more at www.algosec.com and blog.algosec.com