mcafee mvision device security - customer presentation · 2019-10-22 · 10 shift left (devops...
TRANSCRIPT
Dev(Sec)Ops
The Cloud Shift-Left model
McAfee. The device-to-cloud cybersecurity company.
2
Today’s Enterprise Landscape Transformations: Applications and Infrastructures
Cloud IaaS/PaaS
Offices | Remote Sites
Private Cloud
On-Prem / Hosted
SaaS Providers
Business Acceleration
3
From Monolith to Microservice Architecture
[Diagram, monolith: nginx serving static assets; REST API; Authentication, Business and Data layers inside one APP on an App Server with DB and DNS]
Business and Data layers wired together as one REST interface
[Diagram, microservices: Load balancer, API Gateway, Auth Service, Cluster Service and Backend Service, each running as a set of pods]
Multi-layered services: Agility, Scalability, Fine-grained controls
4
Current IaaS Adoption: IaaS infrastructures
14% misconfigured IaaS instances
2269 IaaS incidents per month
Usage share for IaaS: AWS, Azure, GCP
* Source: McAfee Cloud Adoption and Risk Report 2019
5
Security perceptions: Applications and Infrastructures
« DevOps is just another excuse for developers to have root access in production. »
Development: Agility | Operations: Stability
6
8
Shift Left to Reduce Risk
DevOps to DevSecOps
Plan Code Build Test Release Deploy Run
Where is security testing?
?
9
DevOps to DevSecOps
Plan Code Build Test Release Deploy Run
Code checked in → Deployment templates generated → Security audits run
Templates and Container artifacts can be scanned to detect risk before it’s real
Ensure secure code is checked in and fully tested!
Shift Security Left to Reduce Risk
Problem: Security is usually validated after the fact on live systems
10
Shift Left (DevOps templates’ integration)
• Configuration Audit of DevOps templates
• Enforce configuration policy checks for Infrastructure-as-Code earlier in the DevOps cycle
• Security teams can define policies centrally and delegate enforcement to DevOps seamlessly
• Effectively, CASB controls “Shift Left” towards development and deployment
• AWS CloudFormation, Azure Resource Manager, GCP Deployment Manager and Terraform templates
• APIs and inline-mode (hook interception) integration
11
SDLC: Software Development Life Cycle
Requirement, Design, Development, Testing & Support
Cost per defect by stage:
Development: $80 / defect
Build: $240 / defect
QA: $960 / defect
Security: $960 / defect
Production: $7,600 / defect
12
CloudFormation Validator Integrates As A Pre-hook to CodeBuild
[Diagram, steps 1-5: Customer AWS Account: CodeCommit → CodeBuild → CloudFormation → CloudFormation Stacks; CloudFormation templates intercepted and sent to Config-Audit in the MVISION Cloud AWS Account]
Intercepted template is checked for compliance
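The two slides above (policy checks on Infrastructure-as-Code templates, and a validator running as a pre-hook to CodeBuild) describe a check that runs before a template is deployed. The following is an added example, not McAfee MVISION Cloud product code: a small Python policy audit over a CloudFormation template in JSON form that returns a non-zero exit status when a resource violates a rule, so a build step can fail before the misconfiguration reaches a live account. The rule identifiers, the port list and the sample template are constructed for illustration; YAML templates with intrinsic tags (`!Ref`, `!GetAtt`) would need a CloudFormation-aware loader rather than `json`.

```python
"""Pre-build IaC policy check (added example, not MVISION Cloud code).
Audits a CloudFormation template (JSON) and fails the build on findings.
Rule names, ADMIN_PORTS and the sample template are constructed."""
import json
import sys
from dataclasses import dataclass

ADMIN_PORTS = {22, 3389}            # assumption: never open to the world
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}


@dataclass(frozen=True)
class Finding:
    resource: str   # logical resource name in the template
    rule: str       # constructed rule identifier
    message: str


def _covers_admin_port(rule: dict) -> bool:
    """True if an ingress rule exposes an admin port (or every port)."""
    if str(rule.get("IpProtocol")) == "-1":   # all protocols, all ports
        return True
    lo = rule.get("FromPort")
    if lo is None:                            # no range given: treat as open
        return True
    hi = rule.get("ToPort", lo)
    return any(int(lo) <= p <= int(hi) for p in ADMIN_PORTS)


def check_security_group(name: str, props: dict) -> list:
    """Flag ingress from 0.0.0.0/0 or ::/0 that reaches an admin port."""
    findings = []
    for rule in props.get("SecurityGroupIngress", []):
        cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
        if cidr in WORLD_CIDRS and _covers_admin_port(rule):
            findings.append(Finding(name, "SG-WORLD-ADMIN",
                f"ingress from {cidr} reaches ports "
                f"{rule.get('FromPort')}-{rule.get('ToPort')}"))
    return findings


def check_s3_bucket(name: str, props: dict) -> list:
    """Require all public-access block flags and default encryption."""
    findings = []
    pab = props.get("PublicAccessBlockConfiguration", {})
    flags = ("BlockPublicAcls", "BlockPublicPolicy",
             "IgnorePublicAcls", "RestrictPublicBuckets")
    if not all(pab.get(k) is True for k in flags):
        findings.append(Finding(name, "S3-PUBLIC-ACCESS",
            "all four PublicAccessBlockConfiguration flags must be true"))
    if "BucketEncryption" not in props:
        findings.append(Finding(name, "S3-NO-ENCRYPTION",
            "BucketEncryption is not configured"))
    return findings


# Resource type -> check. Policies are defined here centrally; the build
# step only runs them.
CHECKS = {
    "AWS::EC2::SecurityGroup": check_security_group,
    "AWS::S3::Bucket": check_s3_bucket,
}


def audit_template(template: dict) -> list:
    """Run every applicable check over the template's Resources section."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        check = CHECKS.get(res.get("Type"))
        if check:
            findings.extend(check(name, res.get("Properties", {})))
    return findings


# Constructed sample: SSH open to the world, one bare bucket, one good bucket.
SAMPLE_TEMPLATE = {"Resources": {
    "WebSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "GroupDescription": "web tier",
        "SecurityGroupIngress": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"}]}},
    "LogsBucket": {"Type": "AWS::S3::Bucket", "Properties": {}},
    "GoodBucket": {"Type": "AWS::S3::Bucket", "Properties": {
        "PublicAccessBlockConfiguration": {
            "BlockPublicAcls": True, "BlockPublicPolicy": True,
            "IgnorePublicAcls": True, "RestrictPublicBuckets": True},
        "BucketEncryption": {"ServerSideEncryptionConfiguration": [
            {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}}},
}}


def main(argv: list) -> int:
    """Audit a template file (or the sample) and return a CI exit status."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            template = json.load(fh)
    else:
        template = SAMPLE_TEMPLATE
    findings = audit_template(template)
    for f in findings:
        print(f"[{f.rule}] {f.resource}: {f.message}")
    return 1 if findings else 0     # non-zero exit fails the build step


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run as `python iac_check.py template.json` from a pre-build hook; with no argument it audits the embedded sample and exits 1, reporting the world-open SSH rule on `WebSg` and the two bucket findings on `LogsBucket` while `GoodBucket` passes. The 443 rule is not flagged: the point of a policy table is to encode what is actually risky for the organisation, not to block every public ingress.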
13
Static infrastructure rules cannot define security for dynamic workloads
Securing Dynamic Container Based Applications
[Diagram: container workload at T=0 vs. T=1]
14
Trusted layered security approach
Multi-layered container security
Layers: Cloud DevSecOps | Orchestration
Orchestration System Config
Vulnerability Assessment
Elastic Nano-Segmentation (Zero Trust Model)
Elastic Container Service
Elastic Kubernetes Service
Fargate
16
Increasing Decision Speed, Effectiveness, Efficiency and Business Value
Assessing Maturity - Cloud Sec Strategy: How is the security readiness evolving?
FOUNDATION Level - Cloud Sec 1.0
Partial Cloud services visibility. Incomplete CIS controls. Reliance on CSPs for security.
OPERATIONAL Level - Cloud Sec 2.0
Full visibility on cloud services. Leveraging cloud security management, access control, DLP, Threat Prevention & encryption with basic incident workflows.
TRUSTED Level - Cloud Sec 3.0
Proactively architects security into business-aligned strategies. Clearly defined policies aligned with business objectives, data driven process updates, adherence to strong process / workflow across cloud providers.
Increasing Business Resilience
17
Maturity Assessment - Cloud Sec Strategy
Q&A
McAfee. The device-to-cloud cybersecurity company.