real-world cloud infrastructure box - cloud security alliance
TRANSCRIPT
© 2010 - 2013 CloudPassage Inc.
Enterprise Cloud Use Cases and Security Considerations
Carson Sweet, CEO, CloudPassage
For This Discussion…
• We’re talking about cloud infrastructure
  – Cloud-oriented infrastructure delivery
  – Infrastructure for any workload, not just web apps
  – Everything from the bricks through the app delivery stack
• We generally consider “cloud-oriented” as…
  – Virtualized servers, networking, & application stacks
  – Self-service infrastructure provisioning
  – Utility billing / cost structure (pay for what’s used)
  – Highly automated management / orchestration
  – Public, private, or hybrid infrastructure models
Survey: 2013 Cloud Server Plans
% of respondents anticipating use of cloud environments for delivery

Use case                                          Public CSP   Private Cloud or SDDC   Hybrid Cloud
Temporary workload / big data / analytics            30%               19%                 40%
E-commerce applications                              34%               15%                 40%
Public content hosting (news, blogs, video)          32%               23%                 33%
Hosting development and testing environments         48%               19%                 38%
Externally-facing applications                       50%               25%                 38%
Non “core-business” apps (HR, CRM, ERP, email)       43%               19%                 23%

Source: 2012 CloudPassage Survey of information technology, security and compliance managers (n=201)
Dev/Test in Public Clouds
[Diagram, built up over three slides: a public cloud environment holding production-01 through production-06 together with dev-01 through dev-03 and qa-01 through qa-03; the final slide adds a second set, production-07 through production-12, with its own dev-01..03 and qa-01..03.]
Drivers / Benefits
• Decreases IT workload
• Self-sufficient BU developers
• Opens datacenter capacity
• Reduces configuration efforts
Security Considerations
• Public cloud server exposures
• Visibility into misconfigurations
• Production data in test/dev
• Tracking server launches/clones
Big Data Analytics
[Diagram: a production database cluster (production-01 through production-05) feeds a data pump into a map-reduce (e.g. Hadoop) analytics slave cluster of quant-1, quant-2, quant-3 … quant-(n).]
Drivers / Benefits
• Massive new capabilities
• Leverage yrs of collected data
• Previously unattainable intel
• Product enhancements, risk intelligence, BI, BPM…
• Cloud analytics = scalable
Security Considerations
• Your data, public cloud
• Analytics engine contains IP
• Geographic data hosting
• Integrity is paramount
Private IaaS / PaaS Clouds
Drivers / Benefits
• Increased hardware utilization
• Self-service provisioning
• Decreases IT workload
• Rapid scalability / elasticity
Security Considerations
• Limited-to-no change control
• Flattened network architecture
• Not everyone knows security
• Cloud-capable security tools
• Raw tech & ops scaling issues
Cloud Infrastructure Security Pain
• Meeting Compliance & Best Practices
  – PCI, HIPAA, ISO 27002, SOC2, SANS Top 20, NIST
• Too many systems & high velocity of change
  – “Dynamic” is core to cloud, is the new mode of operation
  – Security orchestration & automation are underserved needs
• Rounding out public CSP security basics
  – Customers are responsible for the bulk of security
  – Very different operating environment
• Existing products don’t work well (or at all)
  – Technology was designed for a different time, operating model
  – Do not match up to dynamic cloud operational models
Existing Approaches Fall Short
[Diagram: web servers spread across a Private Datacenter (www-1, www-2, www-3), Cloud Provider A (www-4, www-5, www-6) and Cloud Provider B (www-7 through www-10), with the shortcomings of existing security tools called out.]
• Dependence on hardware and network control
• Not portable to multiple cloud environments
• No usage-based, metered licensing
• Cannot handle elasticity or automatic provisioning scenarios
Architecting Next-Gen Cloud Security
• Halo Daemon
  – Ultra light-weight agent
  – Installed on server images
  – Automatically provisioned
• Halo Grid
  – Elastic compute grid
  – Hosted by CloudPassage
  – Diverts 95% or more of analytics cycles from VM daemons (U.S. Patent No. 8,412,945)

[Diagram, repeated across the following slides: a server (www-1) running the CloudPassage Halo lightweight daemon talks over https to the Halo Compute Grid; users reach the Grid through the User Portal and a RESTful API Gateway, also over https. Policies, commands and reports flow between daemon and Grid.]

• Deployment
  – Daemons installed via CloudPassage scripts or server management tools like Chef, Puppet, or RightScale.
• Policies & Commands
  – Server policies & commands are retrieved securely from the Grid.
  – Policy templates can be copied & customized to specific user needs.
• Results & Updates
  – Daemon runs commands, applies policies, returns results and status to Grid.
  – Examples: server account data, configuration details, network changes, new servers, etc.
• State and Event Analysis
  – Grid analyses data sent by Daemon & issues commands to update security controls.
  – Grid provides > 95% of analytics compute power, preserving server VM resources.
• Alerting & Reporting
  – Users receive alerts, reports, etc. via email, Halo Portal, or Halo REST API.
• Automatic Deployment (www-2, www-3, www-4)
  – Daemons automatically deployed to servers created via cloud-bursting or server cloning.
  – This ensures consistent security by making it part of the cloud stack itself.
Example of Operation (Cloud Web Server)
[Diagram: a cloud server VM drawn as a stack of layers (Data, App Code, App Framework, Operating System) with firewalls (FW) on either side; each layer is annotated with the control applied to it.]
• Data – Monitor sensitive data and prevent egress
• App Code – Continuously verify application code is current and un-tampered
• App Framework – Ensure application stacks are locked down and meet compliance & security standards
• Operating System – Verify compliance and harden server configurations
• FW – Orchestrate network access control and multi-factor auth
Result: Fully automated, portable, scalable security & compliance
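As an added illustration of the daemon/grid split described above and of the per-layer checks in the operation example (not CloudPassage code; the file contents, local accounts and policy values are constructed), the daemon side below only hashes files and lists accounts, while the grid side compares that report against a policy template and returns findings plus commands for the daemon to act on:

```python
import hashlib

# Constructed sample host state (stands in for what the daemon would read locally).
# app.py has drifted from baseline, sshd now permits root login, and an extra
# local account "backdoor" exists.
SERVER_FILES = {
    "/etc/ssh/sshd_config": b"PermitRootLogin yes\nPasswordAuthentication no\n",
    "/var/www/app.py": b"print('hello'); import os\n",
}
SERVER_ACCOUNTS = ["root", "deploy", "backdoor"]

def build_policy():
    """Constructed policy template: file baseline, allowed accounts, required sshd lines."""
    return {
        "file_baseline": {
            "/etc/ssh/sshd_config": hashlib.sha256(
                b"PermitRootLogin no\nPasswordAuthentication no\n").hexdigest(),
            "/var/www/app.py": hashlib.sha256(b"print('hello')\n").hexdigest(),
        },
        "allowed_accounts": ["root", "deploy"],
        "sshd_required": ["PermitRootLogin no", "PasswordAuthentication no"],
    }

def daemon_collect(files, accounts):
    """Daemon side: cheap collection only (hashes, account list, config lines); no analysis."""
    return {
        "files": {p: hashlib.sha256(d).hexdigest() for p, d in files.items()},
        "accounts": sorted(accounts),
        "sshd_config": files.get("/etc/ssh/sshd_config", b"").decode().splitlines(),
    }

def grid_analyze(report, policy):
    """Grid side: compare the report to policy; return findings and commands for the daemon."""
    findings, commands = [], []
    for path, expected in policy["file_baseline"].items():
        if report["files"].get(path) != expected:
            findings.append(f"FIM: {path} changed or missing")
    for acct in sorted(set(report["accounts"]) - set(policy["allowed_accounts"])):
        findings.append(f"ACCOUNT: unexpected local account {acct}")
        commands.append({"action": "disable_account", "user": acct})
    for line in policy["sshd_required"]:
        if line not in report["sshd_config"]:
            findings.append(f"CONFIG: sshd_config missing '{line}'")
    return findings, commands

def run_cycle():
    """One daemon -> grid -> daemon round trip over the constructed host state."""
    report = daemon_collect(SERVER_FILES, SERVER_ACCOUNTS)
    return grid_analyze(report, build_policy())
```

Note that the sshd drift is caught twice, once by the hash baseline and once by the config rule, which is the intended overlap between file integrity monitoring and configuration checks.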
Why Is This Architecture Better?
• Portable, built-in security & compliance automation
  – Self-service infrastructure provisioning (private IaaS)
  – Controls that transparently move across cloud environments (hybrid)
  – Secure, compliant use of cloud service providers (PCI, ISO-27002, SOC2)
• Technically, financially, operationally scalable
  – Grid architecture = low impact to systems, massive horizontal scalability
  – Metered usage = pay for what’s used (hourly licensing, volume discounts)
  – Automation = built-in controls with zero provisioning or configuration
• Consistency, efficiency through automation
  – Security is built directly into the stack; changes, removal instantly detected
  – REST API and toolkit for extensive integration with existing tools, processes
  – One central point of visibility and control for systems across multiple clouds
This architecture works anywhere…
… and it enables multiple functions.
HALO PLATFORM
• Server Account Management
• Security Event Alerting
• File Integrity Monitoring
• REST API Integrations
• Cloud Firewall Automation
• System & Application Config Security
• Multi-Factor Authentication
• Vulnerability & Patch Scanning
Security moves with distributed workloads and achieves massive horizontal scalability.
Key Takeaways
• Hybrid / multi-cloud infrastructure and constant change will be the norm
• Hardware-driven perimeter security models don’t scale and can’t keep up
• Security that is horizontally scalable and tied to cloud workloads is critical
• Whether it’s this approach or another, figure it out and be ready
Questions & Discussion