Amsterdam, November 8, 2019
Drive innovation in a multi cloud reality
Cloud & AI Summit
Securing the journey to Cloud
Successful approaches and experiences securing the hybrid multi-cloud world
Martin Borrett
IBM Distinguished Engineer
CTO IBM Security Europe
Cloud provides organizations access to state-of-the-art IT in a cost-effective and flexible manner, and enables their digital transformation journey, but each phase has security implications.
IBM Security / © 2019 IBM Corporation
Traditional Architecture
IT Controlled Security and Resiliency w/ manual controls
Microservices Architecture
Security & Resiliency embedded in business workflow via automation & orchestration
Flexible Consumption
Native Security Complexity
Loss of Visibility & Control
On-Premises
Private Cloud
Public Cloud
Security Responsibilities: Understanding your security responsibilities vs. Cloud Service Provider’s
Cloud-Native Integration: Integrating cloud-native security tools into your overall security operations
Critical Data: Securing your critical data in the cloud
Shadow IT: Visibility of your applications and Shadow IT usage
Cloud-Native Configuration: Ensuring your cloud-native security tools are configured properly
Security at Speed: Applying security controls with speed to support business innovation
Secure Application Development: Developing cloud applications & APIs that are secure by design
Managing Compliance: Keeping up with changing compliance regulations
Dynamic Workloads: Securing dynamic workloads and managing changing risk profiles
Centralized Visibility: Centrally managing policy across on-premise & cloud environments
[Figure: shared responsibility model. Increasing shared responsibility, decreasing control & visibility. Deployment models: IaaS | Infrastructure-as-a-Service; CaaS | Container-as-a-Service; PaaS | Platform-as-a-Service; SaaS | Software-as-a-Service; On-Premise | Traditional IT. Layers: Data, Application, Storage, Operating System, Virtualization, Physical Servers, Network & Storage, Data Center. Legend: Client Responsibility, Provider Responsibility.]
Migration to Cloud brings forth new security obstacles and reduced visibility & control
A programmatic approach to securing the hybrid enterprise
1. Plan: Build a cloud security strategy and adoption roadmap
2. Build: Harden native cloud security + augment with additional security controls
3. Run: Provide threat management with an integrated resiliency plan
A programmatic approach to securing the hybrid enterprise
Continuous Improvement as cloud continuously evolves
Establish a cloud security baseline
Build industry-specific maturity roadmap
Map to regulatory + privacy requirements
Perform a critical data assessment
Enable / harden native security controls
Build a plan to transition to cloud
Establish zero-trust network + endpoint controls
Enable DLP controls, key mgmt. + encryption
Integrate with cloud IAM and user context
Automate security controls w/ DevOps
App Security and vulnerability testing
Engage offensive penetration testing
Register all assets across hybrid-cloud
Tie all controls to single pane of glass
Establish correlation rules and runbooks
Build a joint resiliency plan w/ cloud provider
Practice response plan with threat hunting
Continuous compliance reporting
A programmatic approach to securing the hybrid enterprise – Phase 1
Firstly, you need to establish a baseline and build your maturity roadmap.
A holistic assessment of current state security maturity:
✓ Governance
✓ Metrics
✓ Cloud Security Optimization
✓ Data Security
✓ Application Security
✓ Network and System Security
✓ Security Operations
✓ Identity + Access Management
A Cloud Security Strategy and Assessment can help you:
1. Assess your current state cloud security maturity
2. Define a future state that secures workloads across your hybrid environment
3. Build a strategy + roadmap for cloud migration that addresses pertinent security + regulatory concerns
Cloud is more than a technology change! It is a cultural change to organizations
It’s critical to establish a Cloud Security Strategy, Governance + Readiness Plan
Strategy + Roadmap
Establish a cloud security baseline
Build industry-specific maturity roadmap
Map to regulatory + privacy requirements
Perform a critical data assessment
Build a plan to transition to cloud
Enable / harden native security controls
Evaluating the Enterprise Tech Stack from a Security Point of View.
Cloud maturity & capabilities are very important
Misconfigured cloud services are one of the top reasons for data breaches.
It’s imperative to lock down your cloud environments and harden your native controls.
• Harden security posture of native cloud capabilities
• Align native security with organization’s threat management process
• Streamline enterprise visibility for native security activity
• Enhance an organization’s readiness for cloud innovation
• Enable knowledge transfer for effective native security operations
A programmatic approach to securing the hybrid enterprise – Phase 2
Extend beyond traditional network + endpoint security controls for more comprehensive coverage.
Augment Native Controls
Establish zero-trust network + endpoint controls
Enable DLP controls, key mgmt. + encryption
Integrate with cloud IAM and user context
Automate security controls w/ DevOps
App Security + vulnerability testing
Engage offensive testing
Micro-segmentation
Traditional networks:
• Little visibility into application-level traffic flows
• Static policies: harder to upkeep and can lead to application outages due to misconfiguration
Micro-segmentation:
• Application-centric visibility with more granular control
• Adaptive and can support hybrid environments
Containerization
Container security solution across Build, Ship, & Run:
• Scanning of images to check for vulnerabilities
• Protection + visibility into CI/CD dev tools
• Vulnerability analysis on all images
• Certify and track image inventory
• Reassure that valid images are running
• Runtime protection to prevent configuration drifts or rogue containers
• L3 and L7 Firewall capabilities
• Monitor host OS + container system calls + processes
• Compliance and reporting
Secure your critical data across your hybrid environment.
Now that you’ve identified your critical data, you must implement controls to protect it.
DLP in the cloud
• Use policy based DLP to protect sensitive assets from being copied to the cloud
• Sensitive data can be blocked from exfiltration, quarantined, or deleted.
Multi-cloud Data Encryption
• Protect your data across dedicated private, hybrid and public clouds
• Encryption agents are deployed across your workloads
• Setting access policies + agent management is all handled through a central console
Assess your cloud IAM strategy + explore IDaaS solutions to optimize your technology investments
Use Case: Can access to your cloud accounts be integrated as part of your privileged access management program?
Use Case: Can your MFA be extended to internet-facing / accessible applications?
Design a solution focused on user outcomes using IBM Design Thinking
Optimize your technology investments by complementing existing IAM program with the cloud-based solution that fits your needs
Enhance your operational efficiency with improved business processes and Robotic Process Automation (RPA)
The Journey to Cloud-Based IAM solution approaches your IAM transformation in three stages:
1. Find the right cloud strategy
2. Transform the IAM environment
3. Operate and continuously improve
Moving workloads to cloud doesn’t necessarily mean changes to your IAM toolset
Can you extend your existing policies and controls to the new cloud workloads?
But many clients do want to move their IAM workloads to the cloud as well
Emerging DevOps teams lead to conflicting objectives
You need a solution that can satisfy both sets of objectives
CISO: Organization Challenges
• Securing compute critical data assets on Cloud
• Continuous compliance to changing regulations
• Policy enforcement & threat detection across hybrid environments
• Policy enforcement at DevOps
DevOps: Business Innovation
• Business demands flexibility and speed to market
• Capitalize on constantly evolving CSP capabilities
• No time to wait on security approvals
Security Solution
• Secure by Design integrated into DevOps
• Infrastructure provisioning
• Automated base security controls provisioning
• Enable Managed Services
Implement a secure-by-design application development methodology
Application Security Program Services
Secure Development Training Services
Application Security Testing Services
Secure Development Support Services
Requirements | Design | Coding | Testing | Release
Application Security solutions to support clients across their entire SDLC
Secure-by-Design strategy + advisory services
Guidance with CI/CD implementation, development standards, etc.
Providing support to the development organization across their various tasks + challenges
Non-functional security requirements gathering, remediation and implementation support, etc.
Secure development training & coding language best practices
Full suite of tools and processes to help identify vulnerabilities early
Pre and post production penetration testing
A programmatic approach to securing the hybrid enterprise – Phase 3
Operating in a hybrid environment often leads to disparate controls.
You need to centralize security visibility for policy management.
You have: Workloads on premise + on cloud(s)
With: Disparate security controls across both
Need to bring: Logs & alerts into a single pane of glass
Providing: Threat Management, Incident Management, Log Management & Alerting, Ticketing
Cloud Agnostic: Supporting workloads across IBM Cloud | AWS | Azure | Private DC + On Premise
Vendor Agnostic: Supporting multiple best-of-breed technologies across multiple cloud environments & on-premise
Threat Management + Resiliency
Register all assets across hybrid-cloud
Tie all controls to single pane of glass
Establish correlation rules and runbooks
Build a joint resiliency plan w/ cloud provider
Practice response plan with threat hunting
Continuous compliance reporting
Compliance doesn’t stop at the cloud.
There are hundreds of mandatory laws and regulations, as well as voluntary standards, audit standards, codes of conduct and internal policies that companies have to comply with.
How can you ensure rigorous compliance for cloud workloads?
The financial impacts of non-compliance are large and rising.
The legal and regulatory landscape is always changing.
Strategy Development: Not sure where to start? Let us help you assess your current state cloud controls maturity against relevant regulatory requirements, and define a strategy for improving and managing your compliance posture.
Tool-Based Solution: Not in a highly regulated industry? Some use-cases can be solved with simple tooling. We can help design and implement a tool-based compliance approach with tools such as Dome9.
Fully Managed: Highly regulated or operating across multiple jurisdictions? Our managed Technology Compliance Advisor service can help map your existing controls to relevant regulatory requirements, and then regularly assess for updates & notify you of required actions.
Thank you for your attention!
Learn more on www.ibm.com/