cloud based security
TRANSCRIPT
Cloud Based Security Services: Simplification or Complexity?
Michael Ferrell, Security Solutions Architect
MS in Information Security, CISSP, ISSAP, CISA, CGEIT
© 2016 CenturyLink. All Rights Reserved. The CenturyLink mark, pathways logo and certain CenturyLink product names are the property of CenturyLink. All other marks are the property of their respective owners. Services not available everywhere. Business customers only. CenturyLink may change or cancel services or substitute similar services at its sole discretion without notice.
Enterprise workloads shifting quickly to cloud
The shift of workloads to cloud environments over the next two years is dramatic, from 38% overall today to 56% expected in two years
Off-premises workloads also shift from 29% today to 44% in two years
Cloud providers will account for 68% of all Cloud workloads, up from 60% today
Base = Cloud Adopters. Source: 451 Research, Voice of the Enterprise: Cloud Computing, Q2 2015
Security/Compliance is an inhibiting factor
Q. Please rate the impact the following have on inhibiting your organization's use of cloud computing on a 1-10 scale.

Inhibitor (base)                               Low Impact (0-4)   Moderate Impact (5-7)   Significant Impact (8-10)
Change Management (n=425)                            31%                 43%                      26%
Internal Resources/Expertise (n=425)                 24%                 45%                      31%
Migration/Integration (n=423)                        19%                 43%                      39%
Budget/Cost/Pricing (n=427)                          20%                 39%                      41%
Control of Data Locality/Sovereignty (n=428)         16%                 31%                      53%
Compliance/Regulation (n=424)                        20%                 27%                      53%
Security (n=754)                                     15%                 30%                      55%

Source: 451 Voice of the Enterprise, Cloud Computing – Wave 7
Cloud Level Set
Figure: shared-responsibility stack. Columns, left to right: On-Prem, Colocation, Public IaaS, Public PaaS, Public SaaS, Molo-Private. Rows, top to bottom: Data, App, VM (Services in the PaaS and SaaS columns), Server, Storage, Network. Each cell is marked as organization controls, provider controls, or shared control. Moving right across the columns means less direct control and more trust in the provider.
Security Versus Compliance
Vulnerability assessment
Security configuration management
Application security
Web application firewall (WAF)
Endpoint security
Advanced anti-malware or advanced persistent threat (APT) protection
Data loss prevention (DLP)
Data encryption / key management services
Security information and event management (SIEM)
Identity and access management (IAM)
IT governance, risk and compliance (GRC) tools
Application of organizational policies
Service level agreement
Execution / QOS
Audits, attestations and reports
Cloud Security Decision Points
• Risk
  – Evaluate risk and appropriate controls
  – Are today's controls appropriate to reduce risk?
  – Do they need to change in the cloud?
  – Are controls being executed effectively?
• Governance becomes a greater challenge
  – Rogue and shadow cloud usage
• Can everything fit?
  – May fit, but should it?
  – Where should it fit?
  – Public? Private? Community? On Prem?
Cloud Concerns
Multiple Providers – Multiple Data Locations
• Visibility
  – Where is the data?
  – Who is using the data?
  – Actions of provider and service
• Data security
  – Data sovereignty – geopolitical data constraints
  – Multi-tenancy – concerns/perceptions about commingling of data
  – Provider visibility to data – what can they access and "see"?
• Compliance
  – Auditability – my auditors' concerns
• Sustainability – will the provider be there long term?
• Overall security
  – Controls – can I implement the same compliance/security controls?
  – Threat protection
  – User behavior analysis
Cloud Controls
Desired state:
• Common view/tools across multiple cloud environments
• Cloud based consumption and deployment model
• Flexible scaling
• Extensibility across multiple providers
• Security as a service models
Constraints:
• Not all tools are able to run or be deployed in various clouds
  – Cloud vendor specific tools can't be extended to others
• Does a security as a service model across multiple cloud providers fit the company's risk and data model?
Approaches
• Extend security from the enterprise
  – Restrictive, not an enabler of business
  – Traditional first reaction to the introduction of clouds
  – Becomes the constraint on flexibility in the cloud
• Adopt similar security from providers
  – Focus becomes the result of controls, not the toolset
  – Mapping to existing known tool results often becomes difficult
  – Clarity suffers
• Cloud Security Brokers
  – Model uses on-site components and APIs to provide visibility into on-prem and remote activity
  – Allows for more unified visibility and clarity across cloud providers
  – Can tie to on-premise applications
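The broker approach above, as an added example that is not from the presentation or any vendor's product: a minimal normalizer that pulls storage inventories from two hypothetical providers' APIs (constructed payloads with deliberately different field names) into one common view, then answers the "where is the data, who is using it, is it where policy allows" questions from the Cloud Concerns slide. The region-to-jurisdiction mapping and the sovereignty policy are assumptions for the example.

```python
"""Added example (not from the presentation): a broker-style common view over
two cloud providers' inventories, answering "where is the data, who owns it,
is it where policy allows". Payloads, field names and policy are constructed."""
from dataclasses import dataclass
# Constructed API responses; each provider names the same facts differently.
PROVIDER_A = {"buckets": [
    {"name": "hr-records", "region": "us-east-1",
     "owner": "alice@corp.example", "tags": {"class": "pii"}},
    {"name": "build-cache", "region": "eu-west-1",
     "owner": "ci-bot", "tags": {"class": "public"}}]}
PROVIDER_B = {"value": [
    {"id": "/subs/1/stores/finance-archive", "location": "westeurope",
     "createdBy": "bob@corp.example", "metadata": {"classification": "pii"}},
    {"id": "/subs/1/stores/scratch", "location": "westeurope",
     "createdBy": "bob@corp.example", "metadata": {}}]}

# Constructed sovereignty policy: jurisdictions each data class may live in.
ALLOWED_JURISDICTIONS = {"pii": {"US"}, "public": {"US", "EU"}}
REGION_TO_JURISDICTION = {"us-east-1": "US", "eu-west-1": "EU",
                          "westeurope": "EU"}

@dataclass(frozen=True)
class Asset:
    """One row of the unified view; classification is "unknown" if unlabelled."""
    provider: str
    name: str
    jurisdiction: str
    owner: str
    classification: str

def normalize_a(payload):
    return [Asset("A", b["name"], REGION_TO_JURISDICTION[b["region"]],
                  b["owner"], b["tags"].get("class", "unknown"))
            for b in payload["buckets"]]

def normalize_b(payload):
    return [Asset("B", r["id"].rsplit("/", 1)[-1],
                  REGION_TO_JURISDICTION[r["location"]], r["createdBy"],
                  r["metadata"].get("classification", "unknown"))
            for r in payload["value"]]

def unified_view():
    return normalize_a(PROVIDER_A) + normalize_b(PROVIDER_B)

def sovereignty_findings(assets):
    """Assets outside their allowed jurisdiction; unlabelled data has no
    allowed set, so it surfaces too and must be classified before it is trusted."""
    return [a for a in assets if a.jurisdiction
            not in ALLOWED_JURISDICTIONS.get(a.classification, set())]
```

The unified view is what makes the provider-agnostic check possible: the same policy runs over both providers' records even though their APIs describe location and ownership differently.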
Controls
Audits, attestations and reports: Scheduled audits with third-party organizations, regular and irregular reports as required, providing attestation of compliance on request
Data: IAM, data loss prevention (DLP), data access logging, encryption in transit and at rest, key management, physical location attestation
Connectivity: Uptime, performance and external incident response and tracking
Server and workload: Software asset management, activity and performance logging, user access logging, scheduled patching and maintenance, performance testing
Infrastructure (IT hardware): Asset management, monitoring for failure, logged access, logged maintenance, scheduled maintenance and inspection
Operational redundancy: Contingency planning, power, cooling and connectivity duplication, infrastructure redundancy, failover testing
Physical security: Cameras, perimeter alarm systems, secure entryways, security personnel, access logging
Representative Cloud Based Security Tools
Tool Type | Areas | Description
Identity | Control access and authentication | Federate with existing, or standalone across services and providers
Network/Endpoints | Threat detection & prevention, usage | From malware to host IDS/IPS, file integrity, and mobile
Virtualization | Policy enforcement, access | Includes encryption, two-man rule policy control, 2FA, in-depth logging, RBAC
Cloud infrastructure | Monitor and threat | Platforms provide compliance, monitoring of workloads, threat intel, vulnerability mgmt
Cloud data protection | Discovery, gateways, brokers, encryption | Detect & monitor cloud usage, provide policy based data encryption, data centric multi device
Cloud Applications | Pass through to cloud services | Cloud based gateway to SaaS, IaaS, PaaS with monitoring and rules
Incident Response | Covers threat management, intel, response | Ties often to asset management, and launching scans for newly discovered or changing vulnerabilities and threats
Software Defined Networking
Figure: SDN architecture. Applications sit above the controller and talk to it over the northbound API; the controller forms the control plane and programs the data plane over the southbound API.
SDN Security Promises
• Consistent policy
  – Centralized "control"
  – Example: SOHO and multiple similar locations
• Security across all
  – Or security missing?
• Ability to isolate vulnerable systems
  – Or compromised hosts
  – Or specialized segments
Security in SDN
Figure: the same SDN architecture diagram (applications, northbound API, controller/control plane, southbound API, data plane), now viewed from a security perspective.
Issues with SDN Security
• The model changes
  – Not a physical barrier
  – Similar to cloud
• Applications and controllers
  – Have complete control of the network
  – Inmates have the keys?
  – If compromised, the whole network may be compromised
• General purpose computing platforms
  – Used for controllers
  – What will hackers target?