Real-World Cloud Infrastructure Box - Cloud Security Alliance


Page 1: Enterprise Cloud Use Cases and Security Considerations

© 2010 - 2013 CloudPassage Inc.

Carson Sweet, CEO, CloudPassage

Page 2: For This Discussion…

•  We’re talking about cloud infrastructure
   –  Cloud-oriented infrastructure delivery
   –  Infrastructure for any workload, not just web apps
   –  Everything from the bricks through the app delivery stack

•  We generally consider “cloud-oriented” as…
   –  Virtualized servers, networking, & application stacks
   –  Self-service infrastructure provisioning
   –  Utility billing / cost structure (pay for what’s used)
   –  Highly automated management / orchestration
   –  Public, private, or hybrid infrastructure models

Page 3: Survey: 2013 Cloud Server Plans

% of respondents anticipating use of cloud environments for delivery

Use case                                          Public CSP   Private Cloud or SDDC   Hybrid Cloud
Temporary workload / big data / analytics            30%               19%                 40%
E-commerce applications                              34%               15%                 40%
Public content hosting (news, blogs, video)          32%               23%                 33%
Hosting development and testing environments         48%               19%                 38%
Externally-facing applications                       50%               25%                 38%
Non “core-business” apps (HR, CRM, ERP, email)       43%               19%                 23%

Source: 2012 CloudPassage Survey of information technology, security and compliance managers (n=201)

Page 4: Dev/Test in Public Clouds

(Diagram: servers production-01 through production-06 alongside dev-01 through dev-03 and qa-01 through qa-03.)

Page 5: Dev/Test in Public Clouds

(Diagram, build step: the same production-01 through production-06, dev-01 through dev-03 and qa-01 through qa-03 servers.)

Page 6: Dev/Test in Public Clouds

(Diagram, build step: production-01 through production-12, with two sets of dev-01 through dev-03 and qa-01 through qa-03, i.e. the dev/test environments replicated alongside the expanded production fleet.)

Page 7: Dev/Test in Public Clouds

Drivers / Benefits
•  Decreases IT workload
•  Self-sufficient BU developers
•  Opens datacenter capacity
•  Reduces configuration efforts

Security Considerations
•  Public cloud server exposures
•  Visibility into misconfigurations
•  Production data in test/dev
•  Tracking server launches/clones

Page 8: Big Data Analytics

(Diagram: a production database cluster of production-01 through production-05, a data pump, and a map-reduce (e.g. Hadoop) analytics slave cluster of quant-1, quant-2, quant-3 … quant-(n).)

Page 9: Big Data Analytics

Drivers / Benefits
•  Massive new capabilities
•  Leverage years of collected data
•  Previously unattainable intel
•  Product enhancements, risk intelligence, BI, BPM…
•  Cloud analytics = scalable!

Security Considerations
•  Your data, public cloud
•  Analytics engine contains IP
•  Geographic data hosting
•  Integrity is paramount

Page 10: Private IaaS / PaaS Clouds

Drivers / Benefits
•  Increased hardware utilization
•  Self-service provisioning
•  Decreases IT workload
•  Rapid scalability / elasticity

Security Considerations
•  Limited-to-no change control
•  Flattened network architecture
•  Not everyone knows security
•  Cloud-capable security tools
•  Raw tech & ops scaling issues

Page 11: Cloud Infrastructure Security Pain

•  Meeting compliance & best practices
   –  PCI, HIPAA, ISO 27002, SOC2, SANS Top 20, NIST

•  Too many systems & high velocity of change
   –  “Dynamic” is core to cloud and is the new mode of operation
   –  Security orchestration & automation are underserved needs

•  Rounding out public CSP security basics
   –  Customers are responsible for the bulk of security
   –  Very different operating environment

•  Existing products don’t work well (or at all)
   –  Technology was designed for a different time and operating model
   –  Does not match up to dynamic cloud operational models

Page 12: Existing Approaches Fall Short

(Diagram: web servers spread across a Private Datacenter (www-1, www-2, www-3), Cloud Provider A (www-4, www-5, www-6) and Cloud Provider B (www-7, www-8, www-9, www-10).)

•  Dependence on hardware and network control
•  Not portable to multiple cloud environments
•  No usage-based, metered licensing
•  Cannot handle elasticity or automatic provisioning scenarios

Page 13: Architecting Next-Gen Cloud Security

Halo Daemon
•  Ultra light-weight agent
•  Installed on server images
•  Automatically provisioned

Halo Grid
•  Elastic compute grid
•  Hosted by CloudPassage
•  Diverts 95% or more of analytics cycles from VM daemons (U.S. Patent No. 8,412,945)

Page 14: CloudPassage Halo

(Diagram: a Lightweight Daemon on each server (www-1) exchanges policies, commands and reports over https with the Halo Compute Grid; the Grid also fronts a RESTful API Gateway and the User Portal, both over https.)

Daemons installed via CloudPassage scripts or server management tools like Chef, Puppet, or RightScale.

Page 15: Policies & Commands

(Diagram as on page 14.)

Server policies & commands are retrieved securely from the Grid.

Policy templates can be copied & customized to specific user needs.

Page 16: Results & Updates

(Diagram as on page 14.)

Daemon runs commands, applies policies, and returns results and status to the Grid.

Examples: server account data, configuration details, network changes, new servers, etc.

Page 17: State and Event Analysis

(Diagram as on page 14.)

Grid analyses data sent by the Daemon & issues commands to update security controls.

Grid provides > 95% of the analytics compute power, preserving server VM resources.

Page 18: Alerts & Reports

(Diagram as on page 14.)

Users receive alerts, reports, etc. via email, Halo Portal, or Halo REST API.

Page 19: Automatic Deployment

(Diagram as on page 14, now with www-1, www-2, www-3 and www-4 each carrying a Halo daemon.)

Daemons automatically deployed to servers created via cloud-bursting or server cloning.

This ensures consistent security by making it part of the cloud stack itself.
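The daemon/grid exchange the last six slides walk through (register with the image's policy, collect, report, analyse, command), written out as an added example. This is illustrative Python, not CloudPassage code: the message shapes, the per-image enrollment token, the HMAC over reports, the policy fields and the sample server state are all assumptions. The point it makes concrete is the split the slides describe: the server only ships raw facts (accounts, listening ports) and applies commands; the comparison against policy happens on the grid, and a clone launched from the same image is covered the moment it checks in.

```python
import hashlib
import hmac
import json
import secrets


class Grid:
    """Grid side: holds the per-image policy and does all the analysis.
    A server inherits the policy of the image it was launched or cloned
    from, so a burst-launched clone needs no per-server setup."""

    def __init__(self, image_policies):
        # image_id -> {"token": enrollment secret baked into the image, "policy": {...}}
        self.image_policies = image_policies
        self.servers = {}      # server_id -> {"image": image_id, "key": per-server MAC key}
        self.alerts = []       # what the portal / email / REST API would surface

    def register(self, image_id, hostname, token):
        image = self.image_policies.get(image_id)
        if image is None or not hmac.compare_digest(token, image["token"]):
            raise PermissionError("registration refused")
        server_id = f"{hostname}-{secrets.token_hex(4)}"
        key = secrets.token_bytes(32)
        self.servers[server_id] = {"image": image_id, "key": key}
        return {"server_id": server_id, "key": key.hex(), "policy": image["policy"]}

    def analyse(self, server_id, body, mac):
        """Daemons ship raw facts; the grid compares them with policy and
        answers with commands, so the VM spends no cycles on analysis."""
        expected = hmac.new(self.servers[server_id]["key"], body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, mac):
            raise PermissionError("report failed authentication")
        report = json.loads(body)
        policy = self.image_policies[self.servers[server_id]["image"]]["policy"]
        commands = []
        for account in report["accounts"]:
            if account not in policy["allowed_accounts"]:
                self.alerts.append((server_id, f"unexpected account {account}"))
                commands.append({"cmd": "disable_account", "user": account})
        for port in report["listening"]:
            if port not in policy["allowed_ports"]:
                self.alerts.append((server_id, f"unexpected listener on port {port}"))
                commands.append({"cmd": "fw_block", "port": port})
        return commands


class Daemon:
    """Server side: register with the token from the image, collect, sign,
    ship, then apply whatever the grid sends back."""

    def __init__(self, grid, image_id, hostname, token, state):
        self.grid = grid
        self.state = state     # constructed; a real daemon reads /etc/passwd and listening sockets
        self.applied = []
        creds = grid.register(image_id, hostname, token)
        self.server_id = creds["server_id"]
        self.key = bytes.fromhex(creds["key"])
        self.policy = creds["policy"]

    def report(self):
        body = json.dumps({"accounts": sorted(self.state["accounts"]),
                           "listening": sorted(self.state["listening"])},
                          sort_keys=True).encode()
        mac = hmac.new(self.key, body, hashlib.sha256).hexdigest()
        for cmd in self.grid.analyse(self.server_id, body, mac):
            self.apply(cmd)
        return self.applied

    def apply(self, cmd):
        # Stand-ins for adding a host firewall rule and locking an account.
        if cmd["cmd"] == "fw_block":
            self.state["listening"].discard(cmd["port"])
        elif cmd["cmd"] == "disable_account":
            self.state["accounts"].discard(cmd["user"])
        self.applied.append(cmd)


# Constructed policy for a web-server image (assumed names and values).
WEB_IMAGE = {"token": "enroll-ami-web-2013",
             "policy": {"allowed_accounts": {"root", "www-data", "deploy"},
                        "allowed_ports": {22, 80, 443}}}
CLEAN = {"accounts": {"root", "www-data", "deploy"}, "listening": {22, 80, 443}}


def run_scenario():
    """www-1 is clean; www-2 is a clone of the same image that was tampered with."""
    grid = Grid({"ami-web": WEB_IMAGE})
    www1 = Daemon(grid, "ami-web", "www-1", WEB_IMAGE["token"],
                  {"accounts": set(CLEAN["accounts"]), "listening": set(CLEAN["listening"])})
    www2 = Daemon(grid, "ami-web", "www-2", WEB_IMAGE["token"],
                  {"accounts": CLEAN["accounts"] | {"backdoor"},
                   "listening": CLEAN["listening"] | {6379}})
    return www1.report(), www2.report(), grid.alerts


def rejections():
    """(True, True): a wrong enrollment token and a forged report are both refused."""
    grid = Grid({"ami-web": WEB_IMAGE})
    try:
        Daemon(grid, "ami-web", "rogue", "guess", {"accounts": set(), "listening": set()})
        bad_token = False
    except PermissionError:
        bad_token = True
    www1 = Daemon(grid, "ami-web", "www-1", WEB_IMAGE["token"],
                  {"accounts": set(CLEAN["accounts"]), "listening": set(CLEAN["listening"])})
    try:
        grid.analyse(www1.server_id, b'{"accounts": [], "listening": []}', "00" * 32)
        forged = False
    except PermissionError:
        forged = True
    return bad_token, forged


if __name__ == "__main__":
    print(run_scenario(), rejections())
```

The per-server key handed out at registration is what stops one compromised server from submitting reports on behalf of another; the enrollment token only proves a server came from a trusted image, so it is worth rotating when images are rebuilt.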

Page 20: Example of Operation (Cloud Web Server)

(Diagram: a cloud server VM drawn as a stack, with a firewall (FW) on either side and one control per layer.)

Firewall            Orchestrate network access control and multi-factor auth
Data                Monitor sensitive data and prevent egress
App Code            Continuously verify application code is current and un-tampered
App Framework       Ensure application stacks are locked down and meet compliance & security standards
Operating System    Verify compliance and harden server configurations

Result: Fully automated, portable, scalable security & compliance
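Two of the per-layer controls on this slide, as an added example rather than the product's own checks: file-integrity verification of the App Code layer against a manifest taken from the known-good image, and a configuration-hardening check of the Operating System layer over sshd_config. The sample files, the sshd rule set and the tampering in the demo are constructed. One detail the OS check gets right that naive parsers miss: sshd keeps the first value it reads for a keyword, so a hardened line placed after a weak one is silently ignored, and the parser below follows the same rule.

```python
import hashlib
import os
import re
import tempfile


# --- App Code layer: file integrity against a manifest from the image --------

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Relative path -> SHA-256 for every regular file under root. Taken once
    from the clean image; later runs are compared against it."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def verify_manifest(root, manifest):
    """Classify drift as modified, added (a file the image never had) or removed."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "added": sorted(set(current) - set(manifest)),
        "removed": sorted(set(manifest) - set(current)),
    }


# --- Operating System layer: sshd_config hardening rules ---------------------

# (keyword, required value, finding). Keywords are matched case-insensitively.
SSHD_RULES = [
    ("permitrootlogin", "no", "root login over SSH must be disabled"),
    ("passwordauthentication", "no", "password authentication must be disabled"),
    ("permitemptypasswords", "no", "empty passwords must not be accepted"),
    ("x11forwarding", "no", "X11 forwarding should be off on a web server"),
]


def parse_sshd_config(text):
    """First value wins, as in sshd itself; Match blocks are not evaluated."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # "Key value" or "Key=value"
        key = parts[0].lower()
        if key == "match":
            break
        settings.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return settings


def check_sshd(text):
    """A missing keyword is flagged too: its default differs across OpenSSH
    versions, so a hardening policy should state it explicitly."""
    settings = parse_sshd_config(text)
    return [f"{key}={settings.get(key, '<default>')}: {msg}"
            for key, required, msg in SSHD_RULES
            if settings.get(key, "<default>").lower() != required]


# Constructed samples, not taken from any real server.
WEAK_SSHD = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitRootLogin no        # shadowed: sshd keeps the first value
"""
HARDENED_SSHD = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
X11Forwarding no
"""


def demo():
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "app"))
        with open(os.path.join(root, "app", "index.php"), "w") as f:
            f.write("<?php echo 'hello'; ?>\n")
        with open(os.path.join(root, "app", "config.php"), "w") as f:
            f.write("<?php $db = 'prod'; ?>\n")
        manifest = build_manifest(root)            # baseline from the clean image
        clean = verify_manifest(root, manifest)
        # Simulate tampering: an edited config and a dropped file (stand-in for a web shell).
        with open(os.path.join(root, "app", "config.php"), "a") as f:
            f.write("/* constructed edit */\n")
        with open(os.path.join(root, "app", "shell.php"), "w") as f:
            f.write("<?php /* constructed: stands in for a dropped web shell */ ?>\n")
        tampered = verify_manifest(root, manifest)
    return clean, tampered, check_sshd(WEAK_SSHD), check_sshd(HARDENED_SSHD)


if __name__ == "__main__":
    for result in demo():
        print(result)
```

In the architecture on the preceding slides the manifest and the rule set would live on the grid and the server would only ship hashes and the parsed settings; the checks are the same either way.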

Page 21: Why Is This Architecture Better?

•  Portable, built-in security & compliance automation
   –  Self-service infrastructure provisioning (private IaaS)
   –  Controls that transparently move across cloud environments (hybrid)
   –  Secure, compliant use of cloud service providers (PCI, ISO-27002, SOC2)

•  Technically, financially, operationally scalable
   –  Grid architecture = low impact to systems, massive horizontal scalability
   –  Metered usage = pay for what’s used (hourly licensing, volume discounts)
   –  Automation = built-in controls with zero provisioning or configuration

•  Consistency, efficiency through automation
   –  Security is built directly into the stack; changes, removal instantly detected
   –  REST API and toolkit for extensive integration with existing tools, processes
   –  One central point of visibility and control for systems across multiple clouds

Page 22: This architecture works anywhere…

Page 23: … and it enables multiple functions.

HALO PLATFORM
•  Server Account Management
•  Security Event Alerting
•  File Integrity Monitoring
•  REST API Integrations
•  Cloud Firewall Automation
•  System & Application Config Security
•  Multi-Factor Authentication
•  Vulnerability & Patch Scanning

Security moves with distributed workloads and achieves massive horizontal scalability

Page 24: Key Takeaways

•  Hybrid / multi-cloud infrastructure and constant change will be the norm

•  Hardware-driven perimeter security models don’t scale and can’t keep up

•  Security that is horizontally scalable and tied to cloud workloads is critical

•  Whether it’s this approach or another, figure it out and be ready

Page 25: Questions & Discussion