Key Elements of Multi-Cloud Security for 2017
TRANSCRIPT

Panelists
o Bart Falzarano
  • Director, Security and Compliance, RightScale
o Brian Adler
  • Director, Enterprise Architecture, RightScale

Agenda
o The State of Multi-Cloud Security
o How to Think About Multi-Cloud Security
o Key Elements
  • Visibility
  • Identity and Access Control
  • Workload Security
  • Data Security
  • Network Security
  • Business Continuity/Disaster Recovery
  • Audit
  • Evolving Cloud Technologies/Services
  • Compliance

82% of Enterprises Still Want Multi-Cloud
Enterprise Cloud Strategy (1000+ employees): Hybrid cloud 55%, Multiple public 16%, Multiple private 11%, Single public 9%, Single private 6%, No plans 3%. Multi-Cloud (hybrid plus multiple public plus multiple private): 82%
Source: RightScale 2016 State of the Cloud Report

Lack of Resources/Expertise is Now #1 Challenge, Not Security
Cloud Challenges 2016 vs. 2015 (bar chart; categories: Performance, Governance/control, Complexity of building a private cloud, Managing costs, Managing multiple cloud services, Compliance, Security, Lack of resources/expertise)
Source: RightScale 2016 State of the Cloud Report

Central IT Concerns About Security Decline
Enterprise Central IT Rating Cloud Security as Significant Challenge: 47% (2014), 41% (2015), 37% (2016)
Source: RightScale 2016 State of the Cloud Report

Security Services (similar but different capabilities)
Security Features                  AWS   Azure   Google
IAM                                ✔     ✔       ✔
Encryption in DBaaS                ✔     ✔       ✔
Key Management as a Service        ✔     ✔       ✔ (beta)
Hardware Security Modules (HSMs)   ✔     ✔
Security Assessment                ✔     ✔       ✔
Configuration Governance           ✔     ✔
Audit Trails                       ✔     ✔       ✔
DDoS Protection / WAF              ✔     ✔       ✔

Plan for a Cloud Security Ecosystem
Cloud Security Ecosystem (diagram): Cloud Provider, Enterprise, RightScale, 3rd Party Vendors
• CMDB
• SIEM / Logging / Auditing
• IdP
• Configuration Management
• Orchestration Workflows
• Web Application Firewalls
• File-Integrity Monitoring
• Continuous Integration
• Source Code Repositories

Shared Responsibility Model

Visibility: You Can’t Control What You Can’t See
• Can you see all your cloud accounts and instances?
• Connect to all your clouds
• Gain visibility to all your accounts

Many Accounts Across Clouds
(diagram: many separate accounts spread across AWS, Azure, Google, CloudStack, OpenStack and vSphere)

RightScale: Multi-Cloud Visibility
Single pane of glass
• Multi-cloud access
• Public clouds
• Private clouds
• Virtualized
• Control access
• Standardize configuration
• Patch and update
• Audit trails

Considerations for IAM
(diagram: AWS, Azure, Google, CloudStack, OpenStack, vSphere)
1) What directory services solution are you using to store your users’ identities? AD or LDAP
2) How will you federate the users’ identities? SAML, WS-Fed, OAuth, OpenID? 3rd party IdP (Okta, OneLogin, Ping Identity, etc.) or ADFS? 2FA or MFA?
3) Need to address User Authentication, Authorization, Account Management, Auditing/logging
4) IAM integrations accomplished through identity mappings, grafts and tie-ins
• Microsoft Active Directory
  • commercial directory services leader
  • over 90% market share
• LDAP

RightScale Multi-Cloud Access Controls
(diagram: SAML, Linked Users)
What you get:
• SAML / SSO integration
• RBAC: 10 specific roles definable at the user level (http://docs.rightscale.com/cm/ref/user_roles.html)
• Hierarchical organization of accounts
• Aggregate accounts across clouds
• Security and Governance: standardized, repeatable and consistent process for Authentication, Authorization, Account Management, Auditing/Logging

• Catalog of templates that
meet corporate standards
• Configured to your
security requirements
• Define which clouds can
be used
• Control user options and
choices
• Orchestrate and automate
deployment and
operations
Workload Security: From Rogue to Policy-Based
17
Standardize Server Configurations
(diagram: basic instances and stacks for Dev or Prod applications across AWS, Azure, Google, CloudStack, OpenStack and vSphere, built from a Multi-Cloud Image, Configuration Scripts and Containers)
Standardization
• Automate provisioning and configuration
• Version-controlled
• Follow standards for versions, patches and configuration
• Leverage a variety of scripting languages
• Modular and auditable
• Define Security Configuration Baselines

Standardize System Configurations
(diagram: DNS in front of Load Balancers, App Servers, and a Master DB replicating to a Slave DB)
Configure a system: Cloud Application Template (CAT)
Configure a server:
• ServerTemplates (portable)
• Docker container (portable)
• AMI
• CloudFormation
• VM template

Patch and Update
Increase IT efficiency
o Bring your own configuration management
o Clone existing architectures
o Updates and patches
o Monitor and alert
o Auto-scale up and down
o Keep templates patched
o Test patches/updates in the lower-tier environments first, e.g. test, dev or QA environments

Key Management
• Ownership and Management of keys is different in cloud
  • Shared model
  • Fully maintained and managed by the cloud provider
  • BYOK
• Hardware Security Modules
  • On-premise
  • Cloud services (AWS, Azure)
• SSH Key Management
  • RightScale Key Management
  • Manage your own SSH key pair
• Key Management Issues and Challenges in Cloud Services: NISTIR 7956 http://ws680.nist.gov/publication/get_pdf.cfm?pub_id=914304

Data Security
Compliance Requirements
• PCI E-Commerce
• HIPAA / PHI / 21CFR11
• NPI / PII
• FTI IRS PUB1075
• MPAA
• Access Controls
  • MFA / 2FA used for Authentication
  • RBAC
  • Auditing / Logging
• Data Classification / Data Types
• Data Encryption
  • Data-in-transit and Data-at-rest
  • In process: DEPENDS
• Segregate workloads
• Do read and understand the Cloud Provider’s
  • Terms and Agreements
  • Data Privacy / Data residency policies
  • Review their security documents

Data Residency with a Global Cloud Platform
(world map) Public Clouds: Amazon Web Services, Google Cloud Platform, IBM SoftLayer, Rackspace, Windows Azure. Private Clouds: CloudStack, OpenStack, vSphere. Locations shown: Singapore, Hong Kong, Japan, Texas, DC Area, SF Area, Seattle, Chicago, Dublin, London, Amsterdam, Oregon, São Paulo, Midwest, Beijing, Sydney, W Europe, Melbourne, Toronto, Mexico City, Taiwan

Securely Connecting to Cloud
• HTTPS / TLS
  • SSL: should not be used, as SSL has been deprecated
• Direct Connections
• VPN IPSEC

Direct Connection Options
• AWS DirectConnect
• Azure ExpressRoute
• Google Carrier Interconnect
• SoftLayer DirectLink

Secure Connections to RightScale Platform
(diagram: a Customer Cage linked to the AWS Cage over AWS Direct Connect, and a Customer Cage linked to the Azure Cage over Azure ExpressRoute)
IPSEC VPN examples: API calls to RightScale over a private VPN connection
(diagram: Companyx Facility (n) and Facility (n+1) reach the RightScale Region1 and Region2 VPN endpoints through a VPN gateway; a Companyx VPC network uses an Amazon AWS VPN GW to RightScale)

Network Visibility
Comply with policies
• Quickly Audit Security Groups
• Interactive Network Visualization
• Maintain Security and Compliance

SLAs by Cloud
Service Level Description        AWS                    Azure                  Google                           SoftLayer
Uptime SLA                       99.95%                 99.95%                 99.95%                           100%
Max SLA Credit on monthly bill   30%                    25%                    50%                              5% per 30 minutes downtime
Downtime Calculation             Any minutes downtime   Any minutes downtime   5+ consecutive minutes downtime  30+ consecutive minutes downtime

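As an added worked example (not from the RightScale deck), the following Python applies each provider's downtime-counting rule from the table to one constructed month of outages, showing that the same incident history produces different SLA verdicts. The 30-day month and reading "Any minutes downtime" as a one-minute threshold are assumptions, and credit schedules beyond the printed cap are not modelled.

```python
from dataclasses import dataclass

MONTH_MINUTES = 30 * 24 * 60   # assumed 30-day billing month: 43,200 minutes


@dataclass(frozen=True)
class SlaRule:
    provider: str
    uptime_target: float   # monthly uptime commitment, from the table
    min_consecutive: int   # an outage shorter than this is not counted at all
    max_credit: str        # credit cap as printed in the table (informational)


# Transcribed from the SLA table; "Any minutes downtime" is modelled as 1 minute.
SLA_RULES = (
    SlaRule("AWS", 0.9995, 1, "30%"),
    SlaRule("Azure", 0.9995, 1, "25%"),
    SlaRule("Google", 0.9995, 5, "50%"),
    SlaRule("SoftLayer", 1.0, 30, "5% per 30 minutes downtime"),
)


def counted_downtime(outages, min_consecutive):
    """Minutes of downtime the provider counts: only outages long enough qualify."""
    return sum(minutes for minutes in outages if minutes >= min_consecutive)


def evaluate(outages):
    """Map provider -> (counted_minutes, achieved_uptime, sla_breached)."""
    verdicts = {}
    for rule in SLA_RULES:
        counted = counted_downtime(outages, rule.min_consecutive)
        uptime = 1 - counted / MONTH_MINUTES
        verdicts[rule.provider] = (counted, round(uptime, 6), uptime < rule.uptime_target)
    return verdicts


def softlayer_credit_pct(outages):
    """SoftLayer column: 5% of the monthly bill per full 30 minutes of counted downtime."""
    return 5.0 * (counted_downtime(outages, 30) // 30)


# Constructed outage history for one month: four incidents, durations in minutes.
SAMPLE_OUTAGES = [3, 4, 12, 4]

if __name__ == "__main__":
    for provider, (counted, uptime, breached) in evaluate(SAMPLE_OUTAGES).items():
        print(f"{provider:10s} counted={counted:3d} min  uptime={uptime:.4%}  breached={breached}")
    print("SoftLayer credit:", softlayer_credit_pct(SAMPLE_OUTAGES), "%")
```

With the sample history, AWS and Azure count all 23 minutes and breach 99.95% (21.6 minutes allowed), Google counts only the 12-minute incident and stays within SLA, and SoftLayer counts nothing because no outage reached 30 consecutive minutes.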
Implement DR Architectures for your Apps
Architect for SLAs
• HA/DR reference architectures
• Cross-region and cross-cloud
• Auto-scale to meet demand
• Hybrid cloudbursting
• Monitor and automate failover
• Hot, warm, and cold DR scenarios

Outage-Proof with Independent Control Plane
(diagram: a PRIMARY site with DNS, Load Balancers, App Servers and a Master DB replicating to a Slave DB, plus a WARM DR site with Load Balancers, App Servers and a Slave DB receiving replication)
Ensure availability
o Separate management plane from cloud and cloud applications
o RightScale platform is fully redundant
o Automate failover processes for hot, warm or cold DR

Multi-Cloud Logging and Audit Trails
Approach:
• Feed audit trails from individual clouds to SIEM
• Feed audit trails from CMP to SIEM
• Feed audit trails from instances / servers to SIEM
(diagram: the Cloud Management Platform and each Cloud feed a SIEM or Centralized Logging Facility; audit entries are exportable via an API)

Gain Visibility with Audit Trails
Ensure compliance
o See who changed what and when
o Provide audit logs and reports to satisfy regulators
o Available via API to integrate with other systems

Function-as-a-Service / Serverless
(diagram: in the IaaS stack the Cloud Provider’s responsibility covers x86 compute, storage, networking, virtualization and the Hypervisor, while each OS and App is your responsibility and your business logic is in your Apps; in the serverless stack the Cloud Provider’s responsibility extends through the operating system, so you focus on your business logic in functions <Fn>)

Microservices
• API Gateway
• Lambda Functions
• IAM
  • IdP for Authentication
  • SAML Token
  • Authorization
  • Auditing/Logging
(diagram, steps 1-4: a client-side/front-end App calls RESTful API/backend services, authenticating through a SAML IdP and the AWS IAM Security Token Service, with AWS CloudWatch for logging)

Cloud Provider Certifications Matrix
Certifications compared across AWS, Azure, Google and SoftLayer:
• PCI DSS
• HIPAA
• SSAE16 SOC1 (Type II)
• SSAE16 SOC2 (Type II)
• SSAE16 SOC3 (Type II)
• ISO 27001
• ISO 27017
• ISO 27018
• FedRAMP
• FISMA

Questions?
• RightScale Certifications / Compliance: SSAE16 SOC1 and SOC2 Type 2 Reports of Compliance; PCI DSS SAQ A-EP v3.2 Compliant for our E-commerce systems; EU Privacy Shield (pending)
• State of the Cloud Report: www.rightscale.com/2016-cloud-report
• Private and Hybrid Cloud Whitepaper: www.rightscale.com/private-hybrid-cloud-whitepaper

Integrating IAM
Challenges
• Difficult to implement, manage, and support
• Difficult to scale and/or extend to other CSPs
• No direct coupling between AD and AWS IAM
(diagram, steps 1-7: in Your Environment, AD and a SQL store back ADFS, which issues a SAML assertion to AWS STS; AD group memberships AWS-Production and AWS-DEV select the IAM roles ADFS-Production and ADFS-DEV, and a user object attribute lists the AWS accounts 123456789012 and 111122223333; accounts 123456789012 and 111122223333 hold the IAM roles ADFS-Production and ADFS-DEV, while accounts 777788889999 and 444455556666 hold only the IAM role ADFS-DEV)

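The following is an added example (not RightScale's or AWS's code) that emulates the ADFS claim-rule logic sketched in the diagram above: AD group names select the IAM role, and a user-object attribute restricts which AWS accounts the user may assume that role in, so group membership alone never grants access across every account. Its output is the value list for the SAML attribute https://aws.amazon.com/SAML/Attributes/Role that AWS STS expects ("role-arn,saml-provider-arn"); the provider name "ADFS", the attribute name "aws-accounts" and the sample user are assumptions.

```python
import re

SAML_PROVIDER_NAME = "ADFS"                # assumed name of the IdP registered in IAM
GROUP_TO_ROLE = {"AWS-Production": "ADFS-Production", "AWS-DEV": "ADFS-DEV"}
ACCOUNT_ID = re.compile(r"^\d{12}$")       # AWS account IDs are exactly 12 digits


def aws_role_claims(user):
    """Return sorted 'role-arn,provider-arn' pairs for one directory user dict.

    Roles are only emitted for accounts listed in the user's own attribute
    (assumed name 'aws-accounts', semicolon-separated), which keeps the
    mapping least-privilege: an AD group picks the role, not the account.
    """
    raw = user.get("aws-accounts", "")
    accounts = [a.strip() for a in raw.split(";") if a.strip()]
    claims = []
    for account in accounts:
        if not ACCOUNT_ID.match(account):
            continue                       # malformed attribute entry: skip, never guess
        for group in user.get("groups", []):
            role = GROUP_TO_ROLE.get(group)
            if role is None:
                continue                   # unrelated AD group (e.g. Domain Users): ignored
            claims.append(
                f"arn:aws:iam::{account}:role/{role},"
                f"arn:aws:iam::{account}:saml-provider/{SAML_PROVIDER_NAME}"
            )
    return sorted(claims)


def role_session_name(user):
    """STS also requires a RoleSessionName claim; the login name is a common choice."""
    return user["sAMAccountName"]


# Constructed sample user matching the diagram's group names and account IDs.
SAMPLE_USER = {
    "sAMAccountName": "jdoe",
    "groups": ["AWS-Production", "AWS-DEV", "Domain Users"],
    "aws-accounts": "123456789012;111122223333",
}

if __name__ == "__main__":
    print("RoleSessionName:", role_session_name(SAMPLE_USER))
    for claim in aws_role_claims(SAMPLE_USER):
        print("Role:", claim)
```

STS still enforces its own side of the mapping: AssumeRoleWithSAML only succeeds if the named role exists in that account and its trust policy allows the SAML provider, so an attribute that lists an account without the role fails closed.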
Key Management
• Asymmetric keys: private/public
• Key Management
  • NISTIR 7966 http://tinyurl.com/lhtujnv
• Key storage options
  • Key Management-as-a-Service
    • AWS, Azure
    • Multi-tenant
  • Hardware Security Modules
    • On-premise
    • Cloud services (AWS)
  • RightScale
• Encryption of keys: MUST

Data Residency: Impact of Safe Harbor
• Data privacy legislation differs around the world
• Evaluate encryption options where you manage the keys (à la Amazon Aurora) so the vendor can’t hand over data in case of a subpoena
• What is the CSP’s data retention period?
• What country is the CSP headquartered in?
• Which jurisdiction covers the contract between you and the CSP?