
Post on 22-Apr-2020


Page 1: McAfee MVISION Device Security - Customer Presentation · 2019-10-22 · 10 Shift Left (DevOps templates’ integration) • Configuration Audit of DevOps templates • Enforce configuration

Dev(Sec)Ops

The Cloud Shift-Left model

McAfee. The device-to-cloud cybersecurity company.

Page 2:

Today’s Enterprise Landscape Transformations

Applications and Infrastructures

Cloud IaaS/PaaS

Offices | Remote Sites

Private Cloud

On-Prem / Hosted

SaaS Providers

Business Acceleration

Page 3:

From Monolith to Microservice Architecture

[Diagram, monolith: nginx, static assets, REST API, Authentication, Business, Data, APP, App Server, DB, DNS]

Business and Data layers wired together as one REST interface

[Diagram, microservices: Load balancer, API Gateway, Auth Service, Backend Service, Cluster Service, each with pods]

Multi-layered services: Agility, Scalability, Fine-grained controls

Page 4:

Current IaaS Adoption

IaaS infrastructures

14%

2269

Misconfigured IaaS instances IaaS Incidents per month

AWS Azure GCP

Usage share for IaaS

* Source : McAfee Cloud adoption and risk report 2019

Page 5:

Security perceptions

Applications and Infrastructures

« DevOps is just another excuse for developers to have root access in production. »

Development Operations

Agility Stability

Page 6:

Page 7:

Shift Left to Reduce Risk

DevOps to DevSecOps

Plan Code Build Test Release Deploy Run

Where is security testing?

Page 8:

DevOps to DevSecOps

Plan Code Build Test Release Deploy Run

Code Checked in Deployment Templates Generated

Security Audits run

Templates and Container artifacts can be scanned to detect risk before it’s real

Ensure secure code is checked in and fully tested!

Shift Security Left to Reduce Risk

Problem: Security is usually validated after the fact on live systems

Page 9:

Shift Left (DevOps templates’ integration)

• Configuration Audit of DevOps templates

• Enforce configuration policy checks for Infrastructure-as-Code earlier in the DevOps cycle

• Security teams can define policies centrally and delegate enforcement to DevOps seamlessly

• Effectively, CASB controls “Shift Left” towards development and deployment

• AWS CloudFormation, Azure Resource Manager, GCP Deployment Manager and Terraform templates

• APIs and inline mode (Hooks interception) integration

Page 10:

SDLC – Software Development Life Cycle

Requirement, Design, Development, Testing & Support

Development: $80 / defect
Build: $240 / defect
QA: $960 / defect
Security: $960 / defect
Production: $7,600 / defect

Page 11:

Cloud Formation Validator Integrates As A Pre-hook to CodeBuild

[Diagram labels: Customer AWS Account; CodeCommit; CodeBuild; CloudFormation; CloudFormation Stacks; CloudFormation templates; Config-Audit; Mvision Cloud AWS Account; steps numbered 1 to 5]

Intercepted template is checked for compliance

Page 12:

Static infrastructure rules cannot define security for dynamic workloads

Securing Dynamic Container Based Applications

T=0 T=1

Page 13:

Trusted layered security approach

Multi-layered container security

Cloud DevSecOps

Orchestration

Orchestration System Config

Vulnerability Assessment

Elastic Nano-Segmentation (Zero Trust Model)

Elastic Container Service

Elastic Kubernetes Service

Fargate

Page 14:

Assessing Maturity - Cloud Sec Strategy

How is the security readiness evolving?

[Chart axes: Increasing Decision Speed, Effectiveness, Efficiency and Business Value; Increasing Business Resilience]

FOUNDATION Level, Cloud Sec 1.0

Partial Cloud services visibility. Incomplete CIS controls. Reliance on CSPs for security.

OPERATIONAL Level, Cloud Sec 2.0

Full visibility on cloud services. Leveraging cloud security management, access control, DLP, Threat Prevention & encryption with basic incident workflows.

TRUSTED Level, Cloud Sec 3.0

Proactively architects security into business-aligned strategies. Clearly defined policies aligned with business objectives, data driven process updates, adherence to strong process / workflow across cloud providers.

Page 15:

Maturity Assessment - Cloud Sec Strategy

Page 16:

Q&A

McAfee. The device-to-cloud cybersecurity company.