KEY ELEMENTS OF MULTI-CLOUD SECURITY FOR 2017


Upload: rightscale

Post on 08-Feb-2017



Panelists

o Bart Falzarano
  • Director, Security and Compliance, RightScale
o Brian Adler
  • Director, Enterprise Architecture, RightScale

Agenda

o The State of Multi-Cloud Security
o How to Think About Multi-Cloud Security
o Key Elements
  • Visibility
  • Identity and Access Control
  • Workload Security
  • Data Security
  • Network Security
  • Business Continuity/Disaster Recovery
  • Audit
  • Evolving Cloud Technologies/Services
  • Compliance

82% of Enterprises Still Want Multi-Cloud

Enterprise Cloud Strategy, 1000+ employees (chart):
  Hybrid cloud      55%
  Multiple public   16%
  Multiple private  11%
  Single public      9%
  Single private     6%
  No plans           3%
  Multi-Cloud (hybrid + multiple public + multiple private): 82%

Source: RightScale 2016 State of the Cloud Report

Lack of Resources/Expertise is Now #1 Challenge, Not Security

Cloud Challenges 2016 vs. 2015 (chart; percentage of respondents naming each challenge, 2016 and 2015 series):
  Performance
  Governance/control
  Complexity of building a private cloud
  Managing costs
  Managing multiple cloud services
  Compliance
  Security
  Lack of resources/expertise

Source: RightScale 2016 State of the Cloud Report

Central IT Concerns About Security Decline

Enterprise Central IT Rating Cloud Security as Significant Challenge (chart):
  2014: 47%
  2015: 41%
  2016: 37%

Source: RightScale 2016 State of the Cloud Report

Decentralized Cloud Management

Security Services (similar but different capabilities)

Security Feature                 AWS      Azure    Google
IAM                              ✔        ✔        ✔
Encryption in DBaaS              ✔        ✔        ✔
Key Management as a Service      ✔        ✔        ✔ (beta)
Hardware Key Modules (HSMs)      ✔        ✔
Security Assessment              ✔        ✔        ✔
Configuration Governance         ✔ ✔ (two of the three providers; column placement not recoverable from the source)
Audit Trails                     ✔        ✔        ✔
DDoS Protection / WAF            ✔        ✔        ✔

Plan for a Cloud Security Ecosystem

Cloud Security Ecosystem (diagram): Cloud Provider, Enterprise, RightScale, 3rd Party Vendors

• CMDB
• SIEM / Logging / Auditing
• IdP
• Configuration Management
• Orchestration Workflows
• Web Application Firewalls
• File-Integrity Monitoring
• Continuous Integration
• Source Code Repositories

Shared Responsibility Model

VISIBILITY

You Can’t Control What You Can’t See

Visibility
• Can you see all your cloud accounts and instances?
• Connect to all your clouds
• Gain visibility to all your accounts

Many Accounts Across Clouds

(diagram: many separate accounts per cloud across AWS, Azure, Google, CloudStack, OpenStack and vSphere, brought together in a single pane of glass)

Single pane of glass

RightScale: Multi-Cloud Visibility

• Multi-cloud access
  • Public clouds
  • Private clouds
  • Virtualized
• Control access
• Standardize configuration
• Patch and update
• Audit trails

(diagram: AWS, Azure, Google, CloudStack, OpenStack, vSphere)

IAM

Considerations for IAM

1) What directory services solution are you using to store your users’ identities? AD or LDAP
2) How will you federate the users’ identities? SAML, WS-Fed, OAuth, OpenID? 3rd party IdP (Okta, OneLogin, Ping Identity, etc.) or ADFS? 2FA or MFA?
3) Need to address User Authentication, Authorization, Account Management, Auditing/logging
4) IAM Integrations accomplished through identity mappings, grafts and tie-ins

• Microsoft Active Directory
  • commercial directory services leader
  • over 90% market share
• LDAP

RightScale Multi-Cloud Access Controls

What you get:
• SAML/SSO integration
• RBAC: 10 specific roles definable at the user level (http://docs.rightscale.com/cm/ref/user_roles.html)
• Hierarchical organization of accounts
• Aggregate accounts across clouds
• Security and Governance: standardized, repeatable and consistent process for Authentication, Authorization, Account Management, Auditing/Logging

(diagram: SAML, Linked Users)

WORKLOAD SECURITY

Workload Security: From Rogue to Policy-Based

Enforce Policies
• Catalog of templates that meet corporate standards
• Configured to your security requirements
• Define which clouds can be used
• Control user options and choices
• Orchestrate and automate deployment and operations

(diagram: from basic instances to stacks for Dev or Prod applications)

Standardize Server Configurations

Standardization
• Automate provisioning and configuration
• Version-controlled
• Follow standards for versions, patches and configuration
• Leverage a variety of scripting languages
• Modular and auditable
• Define Security Configuration Baselines

(diagram: Multi-Cloud Image plus Configuration Scripts / Containers, deployed to AWS, Azure, Google, CloudStack, OpenStack, vSphere)

Standardize System Configurations

(diagram: DNS -> Load Balancers -> App Servers -> Master DB replicating to Slave DB)

Configure a system: Cloud Application Template (CAT)

Configure a server:
• ServerTemplates (portable)
• Docker container (portable)
• AMI
• CloudFormation
• VM template

Patch and Update

Increase IT efficiency
o Bring your own configuration management
o Clone existing architectures
o Updates and patches
o Monitor and alert
o Auto-scale up and down
o Keep templates patched
o Test patches/updates in the lower tier environments first, e.g. test, dev or QA environments

Key Management

• Ownership and Management of keys is different in cloud
  • Shared model
  • Fully maintained and managed by the cloud provider
  • BYOK
• Hardware Security Modules
  • On-premise
  • Cloud services (AWS, Azure)
• SSH Key Management
  • RightScale Key Management
  • Manage your own SSH key pair
• Key Management Issues and Challenges in Cloud Services
  • NISTIR 7956 http://ws680.nist.gov/publication/get_pdf.cfm?pub_id=914304

DATA SECURITY

Data Security

Compliance Requirements
• PCI E-Commerce
• HIPAA / PHI / 21CFR11
• NPI / PII
• FTI IRS PUB1075
• MPAA

• Access Controls
  • MFA/2FA used for Authentication
  • RBAC
  • Auditing/Logging
• Data Classification / Data Types
• Data Encryption
  • Data-in-transit and Data-at-rest
  • In process: DEPENDS
• Segregate workloads
• Do read and understand the Cloud Provider’s
  • Terms and Agreements
  • Data Privacy / Data residency policies
  • Review their security documents

Data Residency with a Global Cloud Platform

(map of supported cloud locations)

Public Clouds: Amazon Web Services, Google Cloud Platform, IBM SoftLayer, Rackspace, Windows Azure
Private Clouds: CloudStack, OpenStack, vSphere

Locations shown: Singapore, Hong Kong, Japan, Texas, DC Area, SF Area, Seattle, Chicago, Dublin, London, Amsterdam, Oregon, São Paulo, Midwest, Beijing, Sydney, W Europe, Melbourne, Toronto, Mexico City, Taiwan

NETWORK SECURITY

Securely Connecting to Cloud
• HTTPS / TLS
  • SSL should not be used, as SSL has been deprecated
• Direct Connections
• VPN (IPsec)

Direct Connection Options
• AWS Direct Connect
• Azure ExpressRoute
• Google Carrier Interconnect
• SoftLayer Direct Link

Secure Connections to RightScale Platform

(diagram: AWS Cage <-> Customer Cage via AWS Direct Connect; Azure Cage <-> Customer Cage via Azure ExpressRoute)

IPSEC VPN Examples: API calls to RightScale over private VPN connection

(diagram: Companyx Facility (n) and Facility (n+1), and a Companyx VPC network with an Amazon AWS VPN gateway, each connecting through a VPN gateway to VPN endpoints in RightScale Region1 and RightScale Region2)

Network Visibility

Comply with policies
• Quickly Audit Security Groups
• Interactive Network Visualization
• Maintain Security and Compliance

BUSINESS CONTINUITY & DISASTER RECOVERY

SLAs by Cloud

Service Level                    AWS                    Azure                  Google                            SoftLayer
Uptime SLA                       99.95%                 99.95%                 99.95%                            100%
Max SLA credit on monthly bill   30%                    25%                    50%                               5% per 30 minutes downtime
Downtime calculation             Any minutes downtime   Any minutes downtime   5+ consecutive minutes downtime   30+ consecutive minutes downtime
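The table's terms differ not only in the uptime number but in what counts as downtime, which is what decides whether an outage is creditable at all. The following added example (not part of the RightScale deck) works the table through a constructed month of outages; it assumes a 30-day month, and since the slide gives only each provider's maximum credit, only that maximum is modelled.

```python
# Added example, not from the RightScale deck: works the SLA table above through a
# month of constructed outages. Assumes a 30-day month; credit tiers below the
# maximum are not on the slide, so only the maximum credit is modelled.
from datetime import datetime, timedelta

# Terms as stated in the table: uptime commitment, maximum monthly credit, and the
# shortest outage that counts at all ("any minutes" = 1, "5+ consecutive" = 5, ...).
SLAS = {
    "AWS":       {"uptime": 99.95, "max_credit": 30.0, "min_consecutive": 1},
    "Azure":     {"uptime": 99.95, "max_credit": 25.0, "min_consecutive": 1},
    "Google":    {"uptime": 99.95, "max_credit": 50.0, "min_consecutive": 5},
    "SoftLayer": {"uptime": 100.0, "max_credit": None, "min_consecutive": 30},
}
MONTH_MINUTES = 30 * 24 * 60  # assumption: a 30-day month

def downtime_budget_minutes(provider, month_minutes=MONTH_MINUTES):
    """Minutes per month you may be down before the uptime commitment is missed."""
    return round(month_minutes * (1 - SLAS[provider]["uptime"] / 100), 2)

def counted_downtime(provider, outages):
    """Sum outage minutes, ignoring outages shorter than the provider's threshold."""
    threshold = SLAS[provider]["min_consecutive"]
    minutes = [int((end - start).total_seconds() // 60) for start, end in outages]
    return sum(m for m in minutes if m >= threshold)

def evaluate(provider, outages, month_minutes=MONTH_MINUTES):
    """Return (availability %, breached?, credit % the customer can claim)."""
    down = counted_downtime(provider, outages)
    availability = round(100 * (month_minutes - down) / month_minutes, 3)
    breached = availability < SLAS[provider]["uptime"]
    if provider == "SoftLayer":
        credit = 5.0 * (down // 30)  # "5% per 30 minutes downtime"
    else:
        credit = SLAS[provider]["max_credit"] if breached else 0.0
    return availability, breached, credit

# Constructed sample month: a 3-minute blip, a 12-minute outage and a 40-minute outage.
T0 = datetime(2017, 2, 1)
SAMPLE_OUTAGES = [
    (T0 + timedelta(days=3, hours=2), T0 + timedelta(days=3, hours=2, minutes=3)),
    (T0 + timedelta(days=10), T0 + timedelta(days=10, minutes=12)),
    (T0 + timedelta(days=20, hours=5), T0 + timedelta(days=20, hours=5, minutes=40)),
]

if __name__ == "__main__":
    for p in SLAS:
        print(p, "budget", downtime_budget_minutes(p), "min ->", evaluate(p, SAMPLE_OUTAGES))
```

At 99.95% the monthly budget is 21.6 minutes, so the same three outages count as 55 minutes against AWS and Azure, 52 against Google and 40 against SoftLayer, and the credit you can claim follows the counting rule rather than the headline uptime figure.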

Implement DR Architectures for your Apps

Architect for SLAs
• HA/DR reference architectures
• Cross-region and cross-cloud
• Auto-scale to meet demand
• Hybrid cloudbursting
• Monitor and automate failover
• Hot, warm, and cold DR scenarios

Outage-Proof with Independent Control Plane

(diagram: PRIMARY site with DNS, Load Balancers, App Servers, Master DB and Slave DB; WARM DR site with Load Balancers, App Servers and Slave DB; the Master DB replicates to the Slave DBs in both sites)

Ensure availability
o Separate management plane from cloud and cloud applications
o RightScale platform is fully redundant
o Automate failover processes for hot, warm or cold DR

AUDIT

Multi-Cloud Logging and Audit Trails

Approach:
• Feed audit trails from individual clouds to SIEM
• Feed audit trails from CMP to SIEM
• Feed audit trails from instances / servers to SIEM

(diagram: the Cloud Management Platform and each Cloud feed a SIEM or Centralized Logging Facility; audit entries are exportable via an API)

Gain Visibility with Audit Trails

Ensure compliance
o See who changed what and when
o Provide audit logs and reports to satisfy regulators
o Available via API to integrate with other systems
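Feeding cloud, CMP and instance trails into one SIEM only answers "who changed what and when" if the three formats are mapped onto one record. The added example below (not from the deck) does that mapping for constructed entries; the CloudTrail and Azure activity-log field names are real, while the CMP export layout and every sample event are invented for the example.

```python
# Added example, not from the deck: normalises audit entries from the three sources
# the slide names (cloud provider, CMP, instances) into one SIEM-style record so
# "who changed what and when" can be answered across sources. CloudTrail and Azure
# activity-log field names are real; the CMP layout and every sample event are constructed.
import json
from datetime import datetime, timezone

def _utc(stamp):
    """ISO-8601 timestamp (with Z or an offset) to an aware UTC datetime."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00")).astimezone(timezone.utc)

def from_cloudtrail(rec):
    return {"when": _utc(rec["eventTime"]), "who": rec["userIdentity"]["arn"],
            "what": rec["eventName"], "source": "aws"}

def from_azure_activity(rec):
    return {"when": _utc(rec["eventTimestamp"]), "who": rec["caller"],
            "what": rec["operationName"], "source": "azure"}

def from_cmp(rec):  # constructed CMP export layout, not RightScale's API
    return {"when": _utc(rec["timestamp"]), "who": rec["user_email"],
            "what": rec["summary"], "source": "cmp"}

PARSERS = {"aws": from_cloudtrail, "azure": from_azure_activity, "cmp": from_cmp}

def normalise(lines):
    """Each line is '<source> <json>'. Returns (events sorted by time, rejected lines);
    a source or record we cannot parse is reported, never silently dropped."""
    events, errors = [], []
    for line in lines:
        source, _, body = line.partition(" ")
        try:
            events.append(PARSERS[source](json.loads(body)))
        except (KeyError, ValueError) as exc:
            errors.append((line, repr(exc)))
    return sorted(events, key=lambda e: e["when"]), errors

def changes_by(events, who_fragment):
    """Cross-source timeline of (when, source, what) for one principal."""
    return [(e["when"].isoformat(), e["source"], e["what"])
            for e in events if who_fragment in e["who"]]

SAMPLE_LINES = [  # constructed: one person's security-group changes seen from three vantage points
    'aws {"eventTime": "2017-02-08T10:02:00Z", "eventName": "AuthorizeSecurityGroupIngress", '
    '"userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob"}}',
    'azure {"eventTimestamp": "2017-02-08T09:58:00Z", "caller": "bob@example.com", '
    '"operationName": "Microsoft.Network/networkSecurityGroups/write"}',
    'cmp {"timestamp": "2017-02-08T10:05:00Z", "user_email": "bob@example.com", '
    '"summary": "update security group sg-web"}',
    'gcp {"protoPayload": {}}',
]
```

The rejected-lines list is the part worth wiring to an alert: a new source or a schema change shows up there instead of vanishing from the timeline.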

EVOLVING CLOUD TECHNOLOGIES/SERVICES

Function-as-a-Service / Serverless

(diagram, shared responsibility for VMs vs. serverless: with VMs, the hypervisor, x86, storage, networking, compute and virtualization are the cloud provider’s responsibility while the App and OS are your responsibility and your business logic is in your Apps; with serverless, the operating system also moves to the cloud provider’s responsibility and you focus on your business logic in functions <Fn>)

Microservices
• API Gateway
• Lambda Functions
• IAM
• IdP for Authentication
  • SAML Token
• Authorization
• Auditing/Logging

(diagram: client-side/front-end App -> RESTful API/backend services, authenticating through a SAML IdP and the AWS IAM Security Token Service in steps 1 to 4, with logging to AWS CloudWatch)

COMPLIANCE

Cloud Provider Certifications Matrix

Certification (columns: AWS, Azure, Google, SoftLayer; the per-provider marks did not survive extraction)
  PCI DSS
  HIPAA
  SSAE16 SOC1 (Type II)
  SSAE16 SOC2 (Type II)
  SSAE16 SOC3 (Type II)
  ISO 27001
  ISO 27017
  ISO 27018
  FedRAMP
  FISMA

EXTRAS

Integrating IAM

Challenges
• Difficult to implement, manage, and support
• Difficult to scale and/or extend to other CSPs
• No direct coupling between AD and AWS IAM

(diagram: ADFS to AWS STS federation, steps 1 to 7)

Your Environment: AD, SQL, ADFS; SAML assertion to AWS STS

AWS:
  AWS account 123456789012 - IAM roles => ADFS-Production, ADFS-DEV
  AWS account 111122223333 - IAM roles => ADFS-Production, ADFS-DEV
  AWS account 777788889999 - IAM role => ADFS-DEV
  AWS account 444455556666 - IAM role => ADFS-DEV

AD group memberships => AWS-Production, AWS-DEV
User object attribute => 123456789012, 111122223333
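The "identity mappings, grafts and tie-ins" from the IAM considerations slide are what this diagram shows concretely: AD group membership plus a per-user account attribute become SAML role claims, and STS then decides which of them are real. The added example below (not from the deck) models that mapping with the slide's group names, role names and account IDs; the SAML provider name "ADFS" and the claim layout (provider ARN, role ARN) are assumptions, and the STS check is a simplified model that leaves out signature and trust-policy validation.

```python
# Added example, not from the deck: models the ADFS -> AWS STS role mapping in the
# diagram above. Group names, role names and account IDs are the slide's; the SAML
# provider name "ADFS" and the claim layout (provider ARN, role ARN) are assumptions.
GROUP_PREFIX = "AWS-"   # AD group "AWS-DEV" maps to IAM role "ADFS-DEV"
ROLE_PREFIX = "ADFS-"
SAML_PROVIDER = "ADFS"  # assumption: name of the IAM SAML provider in every account

# From the slide: which ADFS-* roles exist in which account.
ACCOUNT_ROLES = {
    "123456789012": {"ADFS-Production", "ADFS-DEV"},
    "111122223333": {"ADFS-Production", "ADFS-DEV"},
    "777788889999": {"ADFS-DEV"},
    "444455556666": {"ADFS-DEV"},
}

def role_claims(group_memberships, account_attribute):
    """Role claim values ADFS emits: one per (account in the user's attribute, AWS-* group)."""
    claims = []
    for account in account_attribute:
        for group in group_memberships:
            if not group.startswith(GROUP_PREFIX):
                continue  # non-AWS groups never reach AWS
            role = ROLE_PREFIX + group[len(GROUP_PREFIX):]
            claims.append(f"arn:aws:iam::{account}:saml-provider/{SAML_PROVIDER},"
                          f"arn:aws:iam::{account}:role/{role}")
    return claims

def sts_accepts(claim, account_roles=ACCOUNT_ROLES):
    """Simplified model of what AssumeRoleWithSAML checks (signature and trust-policy
    validation omitted): provider and role in the same account, and the role exists."""
    provider_arn, role_arn = claim.split(",")
    provider_account, role_account = provider_arn.split(":")[4], role_arn.split(":")[4]
    role = role_arn.rsplit("/", 1)[1]
    return provider_account == role_account and role in account_roles.get(role_account, set())

def assumable_roles(group_memberships, account_attribute):
    """Role ARNs the user is actually offered: claims that pass the STS check. A claim
    for a role the account does not have (e.g. ADFS-Production in 777788889999) is
    dropped, so group membership alone grants nothing."""
    return [c.split(",")[1] for c in role_claims(group_memberships, account_attribute)
            if sts_accepts(c)]

# Constructed user matching the slide: in both AWS-* groups, attribute lists two accounts.
ALICE_GROUPS = ["Domain Users", "AWS-Production", "AWS-DEV"]
ALICE_ACCOUNTS = ["123456789012", "111122223333"]

if __name__ == "__main__":
    for arn in assumable_roles(ALICE_GROUPS, ALICE_ACCOUNTS):
        print(arn)
```

Because access is the intersection of the group, the account attribute and the role actually provisioned in the account, auditing any one of the three in isolation understates or overstates what a user can reach.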

Key Management

• Asymmetric keys private/public
• Key Management
  • NISTIR 7966 http://tinyurl.com/lhtujnv
• Key storage options
  • Key Management-as-a-Service
    • AWS, Azure
    • Multi-tenant
  • Hardware Security Modules
    • On-premise
    • Cloud services (AWS)
  • RightScale
• Encryption of keys: MUST

Data Residency: Impact of Safe Harbor

• Data privacy legislation differs around the world
• Evaluate encryption options where you manage the keys (a la Amazon Aurora) so the vendor can’t hand over data in case of subpoena
• What is the CSP’s data retention period?
• What country is the CSP headquartered out of?
• Which jurisdiction covers the contract between you and the CSP?

What Audit Tools by Provider?

o AWS CloudTrail
o Azure Diagnostics
o Google Cloud Logging (beta)
o SoftLayer Audit Trails