A Pragmatic Approach to Network Security Across Your Hybrid Cloud Environment. Nimmy Reichenberg, VP Strategy; Rich Mogull, Analyst and CEO.

Upload: algosec

Post on 22-Jan-2018


TRANSCRIPT

Page 1

A Pragmatic Approach to Network Security Across Your Hybrid Cloud Environment

Nimmy Reichenberg, VP Strategy

Rich Mogull, Analyst and CEO

Page 2

WHAT IS THE #1 REASON COMPANIES MOVE TO THE CLOUD?

Page 3

COST AGILITY

Page 4

AlgoSec simplifies, automates and orchestrates security policy management to enable you to

Manage Security at the Speed of Business

Page 5

Cloud and DevOps

• Cloud is a new operational model.

• It requires a re-thinking of fundamental architectures.

• DevOps is a new operational framework, highly attuned to cloud.

• Both shatter existing security approaches.

Page 6

The Technical Security Challenge

• The vast majority of information security is really infrastructure-centric security.

• Infrastructure-centric security relies on fixed locations of relatively static resources.

• Even many of our application security models rely on fixed infrastructure.

• It is context-unaware. DevOps and cloud are all about context.

Page 7 (image only)

Page 8

Network Security Challenges

• Virtual networks don’t provide the same visibility.

• Cloud networks are managed via APIs.

• Cloud networks change constantly, and quickly.

• Cloud networks look the same, but aren’t.

Page 9

The same words mean different things…

Page 10

Cloud Network Types

VLAN

• Network hardware handles config.

• Limited customization and IP ranges.

• Poor security segregation.

SDN

• Configuration and management abstracted from underlying hardware.

• Software-defined and managed.

• Massive flexibility.


Page 12

Getting Started

• Public Network

• Private Network

• Hybrid Cloud

• Gateways and VPNs

• Regions/Locations

• Zones (Availability Zones)

• Autoscaling

• Security Groups

Page 13

Public Network

Page 14

Private Network

Page 15

Private Network: Notice anything missing?

Page 16

Hybrid Network

• Extends the on-premise network.

• Technically, it has to extend a private cloud, but that’s a “purist” definition we don’t use in practice.

• Harder to secure, and consistency becomes critical. Each side affects the other.

• Best when you need to connect to legacy things.

Page 17

Hybrid Connection Options

• Direct/Private Line

• VPN

Page 18

Network Security Controls: Cloud Providers Give You Commercial Options

• Perimeter Security

• Security Groups

• ACLs

• Physical Security Appliances

• Virtual Security Appliances

• Host Security Agents

Page 19

How it all works (in Amazon)

Pages 20–28 (architecture diagrams, image only)

Pages 20–22: Route 53 in front of Web and App tiers deployed in two regions, us-east-1 (availability zones a, b, c, d) and us-west-2 (availability zones a, b, c).

Pages 23–24: the us-east-1 Web and App tiers across availability zones a, b, c.

Pages 25–26: one region’s Web and App tiers across availability zones a, b, c; then the Web tier alone.

Page 27: Subnet 1 and Subnet 2.

Page 28: the Web tier across availability zones a, b, c, with two positions marked X.

Page 29

Immutable Infrastructure (pipeline diagram, image only)

Diagram labels: Source Code; Git; CloudFormation Templates; Chef Recipes; Jenkins; Functional Tests; Non-Functional Tests; Security Tests; Test and Prod environments, each with a Chef Server.

Page 30

Building Your Program

Key considerations:

• Provider-specific limitations and advantages

• Application needs

• “New” architectures

• Impact of elasticity

• How you will manage

Page 31

Design the Architecture

Page 32

Design the Security Architecture

Page 33

Manage Operations

• Organizing and staffing
  • Use dedicated, trained people

• Discover
  • Procurement can help, network scanning can’t (except sometimes for hybrid)
  • Access requests to data/applications

• Integrate with development
  • Build a handbook of approved patterns
  • Have a cloud security architect to help with design
  • Provide automation code and support

• Policy enforcement
  • Limit entitlements for security operations
  • Template and automate as much as possible
  • Automate change monitoring/management
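Because cloud networks are managed via APIs (page 8) and change constantly, the "automate change monitoring" item above is something you can implement directly against periodic API snapshots. The following is an added example, not code from the deck or from AlgoSec: it set-diffs two constructed snapshots of security-group rules and rates each change. The snapshot shape loosely follows the EC2 DescribeSecurityGroups response (GroupId, IpPermissions, IpRanges, UserIdGroupPairs), but the data is constructed inline and nothing here calls a cloud API. The severity thresholds are the example's own.

```python
"""
Change monitoring for security groups from API snapshots.

Added example; not from the deck or from AlgoSec. Snapshots are constructed
inline so the script runs offline.
"""
import json
from typing import List, Set, Tuple

# (group id, protocol, from port, to port, source CIDR or group id)
Rule = Tuple[str, str, int, int, str]

# Constructed "before" snapshot: web tier open on 443, app tier admits the web group.
BEFORE_SNAPSHOT = json.loads("""
[
  {"GroupId": "sg-web", "IpPermissions": [
     {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
      "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
  {"GroupId": "sg-app", "IpPermissions": [
     {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
      "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-web"}]}]}
]
""")

# Constructed "after" snapshot: SSH opened from anywhere on the app group, the
# web->app rule is gone, and the web group now admits a management group on 8443.
AFTER_SNAPSHOT = json.loads("""
[
  {"GroupId": "sg-web", "IpPermissions": [
     {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
      "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
     {"IpProtocol": "tcp", "FromPort": 8443, "ToPort": 8443,
      "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-mgmt"}]}]},
  {"GroupId": "sg-app", "IpPermissions": [
     {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
      "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]}
]
""")


def flatten(snapshot: List[dict]) -> Set[Rule]:
    """Expand every permission into one tuple per source so snapshots can be set-diffed."""
    rules: Set[Rule] = set()
    for group in snapshot:
        for perm in group.get("IpPermissions", []):
            proto = perm["IpProtocol"]
            lo, hi = perm.get("FromPort", -1), perm.get("ToPort", -1)
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [p["GroupId"] for p in perm.get("UserIdGroupPairs", [])]
            for src in sources:
                rules.add((group["GroupId"], proto, lo, hi, src))
    return rules


def diff_snapshots(before: List[dict], after: List[dict]) -> Tuple[List[Rule], List[Rule]]:
    """Return (added rules, removed rules), each sorted for stable reporting."""
    b, a = flatten(before), flatten(after)
    return sorted(a - b), sorted(b - a)


def assess(added: List[Rule], removed: List[Rule]) -> List[Tuple[str, str]]:
    """Rate each change. Thresholds are this example's own, not a standard."""
    findings = []
    for gid, proto, lo, hi, src in added:
        if src == "0.0.0.0/0" and not (proto == "tcp" and lo == hi == 443):
            findings.append(("HIGH", f"{gid}: ingress from anywhere on {proto}/{lo}-{hi}"))
        elif src.startswith("sg-"):
            findings.append(("INFO", f"{gid}: now admits group {src} on {proto}/{lo}-{hi}"))
        else:
            findings.append(("REVIEW", f"{gid}: new ingress from {src} on {proto}/{lo}-{hi}"))
    for gid, proto, lo, hi, src in removed:
        # Removals matter too: a dropped rule breaks application connectivity silently.
        findings.append(("REVIEW", f"{gid}: rule removed ({src} on {proto}/{lo}-{hi}); check application connectivity"))
    return findings


def monitor(before: List[dict], after: List[dict]) -> List[Tuple[str, str]]:
    added, removed = diff_snapshots(before, after)
    return assess(added, removed)


if __name__ == "__main__":
    for severity, message in monitor(BEFORE_SNAPSHOT, AFTER_SNAPSHOT):
        print(severity, message)
```

In practice the two snapshots would come from scheduled API calls (or a change feed such as provider audit logs), and the findings would be routed to the change-management process the slide describes rather than printed. Diffing flattened rule tuples rather than raw JSON is what makes the comparison order-independent, which matters because security groups are unordered.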

Page 34

Managing Hybrid

• Normalize security.

• Translate rules based on application needs; don't blindly apply them.

• Understand the difference between security groups and firewall rulesets.

• DON’T JUST CONVERT TO ACLs.

• Don’t just drop in virtual appliances out of habit; always start with cloud features.

• If migrating applications, watch out for network configurations.
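The "don't just convert" point is easiest to see by evaluating the same flows against both policy models. The following is an added example, not code from the deck or from AlgoSec/Securosis: it models a traditional ordered firewall ruleset (first match wins, explicit allow and deny) next to a security group (unordered, allow-only, attached to instances, able to reference other groups). The ruleset, group names (sg-web, sg-app) and addresses are constructed for the illustration.

```python
"""
Firewall ruleset vs. security group semantics.

Added example; not from the deck or from AlgoSec/Securosis. Everything below is
constructed: the on-prem ruleset, the group ids and the instance addresses.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Flow:
    src: str     # source IP
    dst: str     # destination IP
    port: int    # destination TCP port


@dataclass(frozen=True)
class FwRule:
    """Traditional firewall rule: ordered, first match wins, explicit allow/deny."""
    action: str          # "allow" or "deny"
    src: str             # source CIDR
    dst: str             # destination CIDR
    port: Optional[int]  # None means any port


def fw_decide(rules: List[FwRule], flow: Flow) -> str:
    for r in rules:
        if (ip_address(flow.src) in ip_network(r.src)
                and ip_address(flow.dst) in ip_network(r.dst)
                and (r.port is None or r.port == flow.port)):
            return r.action
    return "deny"  # implicit deny at the end of the ruleset


@dataclass(frozen=True)
class SgRule:
    """Security-group ingress rule: allow-only; source is a CIDR or another group id."""
    port: Optional[int]
    source: str


def sg_decide(groups: Dict[str, List[SgRule]],
              membership: Dict[str, Set[str]], flow: Flow) -> str:
    """Security groups are unordered and attached to instances, so the decision
    depends on which groups the destination (and, for group-to-group rules, the
    source) instance belongs to, not on the IP addresses alone."""
    src_groups = membership.get(flow.src, set())
    for group_id in membership.get(flow.dst, set()):
        for r in groups.get(group_id, []):
            if r.port is not None and r.port != flow.port:
                continue
            if r.source.startswith("sg-"):
                if r.source in src_groups:
                    return "allow"
            elif ip_address(flow.src) in ip_network(r.source):
                return "allow"
    return "deny"  # no matching allow: security groups cannot express a deny


# Constructed on-prem ruleset: one quarantined web host is blocked from the app
# tier, then the rest of the web subnet is allowed through on 8080.
ON_PREM_RULES = [
    FwRule("deny", "10.0.1.50/32", "10.0.2.0/24", 8080),
    FwRule("allow", "10.0.1.0/24", "10.0.2.0/24", 8080),
]

# Naive conversion: the allow becomes a CIDR rule on the app group; the deny has
# nowhere to go and is silently lost.
NAIVE_GROUPS = {"sg-app": [SgRule(8080, "10.0.1.0/24")]}
NAIVE_MEMBERSHIP = {"10.0.2.10": {"sg-app"}}

# Application-centric translation: the app group admits the web group, not a
# CIDR. The quarantined host is simply not a member of sg-web.
APP_CENTRIC_GROUPS = {
    "sg-web": [SgRule(443, "0.0.0.0/0")],
    "sg-app": [SgRule(8080, "sg-web")],
}
APP_CENTRIC_MEMBERSHIP = {"10.0.1.20": {"sg-web"}, "10.0.2.10": {"sg-app"}}


def compare(flow: Flow) -> Dict[str, str]:
    """Decision for one flow under the three constructed policies."""
    return {
        "on_prem": fw_decide(ON_PREM_RULES, flow),
        "naive_sg": sg_decide(NAIVE_GROUPS, NAIVE_MEMBERSHIP, flow),
        "app_centric_sg": sg_decide(APP_CENTRIC_GROUPS, APP_CENTRIC_MEMBERSHIP, flow),
    }


if __name__ == "__main__":
    for f in (Flow("10.0.1.20", "10.0.2.10", 8080),
              Flow("10.0.1.50", "10.0.2.10", 8080),
              Flow("10.0.1.20", "10.0.2.10", 22)):
        print(f, compare(f))
```

The quarantined host is the flow to watch: the on-prem ruleset denies it, the naively converted group allows it, and the application-centric group denies it again because membership, not an address range, decides who counts as "the web tier". Where a true deny is required in AWS, that is a job for a network ACL, which is a separate control with its own semantics, not for a security group.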

Page 35

The AlgoSec Suite

Application-Centric Approach

Abstraction of Underlying Network

Consistency across Hybrid-Cloud

Page 36

The AlgoSec Suite

Move servers from on-prem datacenter to AWS

Page 37

The AlgoSec Suite

Topology Analysis Discovers New Path

Proactive Risk and Compliance Assessment

Relevant Security Groups Added/Modified

On-Prem Firewall Rules Decommissioned

Log and Audit Trail

Logical Application Connectivity Unchanged!

Page 38

Sample Architectures

Pages 39–43 (sample architecture diagrams, image only)

Page 44

Summary

• Cloud networks may look the same, but they aren’t.

• Segregation is your most powerful security control, and you get it by default.

• Hybrid networks are tougher, and need extra security care and feeding.

• Once you accept that cloud networking is “software defined everything”, adapting your security knowledge isn’t very difficult.

Page 45

SECURITY FUNDAMENTALS STAY THE SAME

• Monitoring

• Least privilege

• Change management

• Risk analysis

• (Micro) Segmentation

• Governance

• Compliance

Page 46

ALL THIS IN A SINGLE PANE

Secure Application Connectivity

Security Policy Change Management

Continuous Compliance and Auditing

Security Policy Optimization

Security Policy Risk Mitigation

Network Segmentation Enforcement

Page 47

Rich Mogull, Securosis, @rmogull

Nimmy Reichenberg, AlgoSec, @algosec

Find out more at www.algosec.com and blog.algosec.com