s3 · aws best practices, cis, nist, sox, hippa • continuous auditing and governance open,...
TRANSCRIPT
S3
Cloud Native Apps -- 10,000’s of interconnected, ephemeral resources, configured and exposed by more people
Growing Need for Cloud Policy
© 2017 CloudCoreo 4
Cloud services is a never ending struggle that is hard to operationalize. We have no good ways to ensure that standardized configurations are universally enabled. —FASTLY SECURITY ENGINEERING TEAM
• On-Demand Compliance AWS Best Practices, CIS, NIST, SOX, HIPPA
• Continuous Auditing and Governance Open, customizable rules to provide deployment guardrails
•
VISIBILITY + CONTROL
Community - Marketplace - Insights
1
Disrup)ngtheContentCrea)onParadigm
ContentReachvia100’sof
millionsofnewdisplays
NewContentTypes:VR,4K,
AR
AudienceSegmentGrowth
withGranularTarge)ng
MoreContent
M&E,Adver)sing,Gaming,
Architecture,LifeSciences,
Manufacturing,…
New
ContentDistributors
$20BIndustryandGrowing…inM&EAlone
Infrastructure
Processors
Worksta?ons
Collabora?on
Contracts
LargeFiletransport
Security
ITservicesDesign&
renderapps
Clouds
Storage
Freelance / Workforce
Producers
Storage
Processors
Worksta)on
TransportSecurity
Contracts
Clouds
Marketplace
Community Insights
Marketplace
CommunityInsights
Provisioningclouds,crea)vetools,adjacentservices
Fosteringcollabora)on&connec)ons
Drivingresource&assetmanagement
Geographicfreedom.CAPEXlibera)on.Fluidscalability.Connectedpointsolu)ons.Boostedsecurity.
5
Clouds • Choose your public or private cloud
Tools/Services • Unified owned & 3rd party tools & services
• APIs
Talent & Jobs • Talent and project directories
• Auto-provisioning of resources • Price throttling & cloud cost
optimization
• Digital Escrow • 2D/3D Virtual Workstations • Multi-Tier Storage • Rendering • Collaboration Tools • Resource Management • High Speed Data Transfer
• Usage tracked to build verifiable portfolio
Marketplace
Marketplace
..
Digital Assets • Asset discovery & monetization
Connect&Collaborate
Ar)sts
Studios
Producers
Unions,Guilds,
Associa)ons
Educators
Recruiters
• Collaboration • Connection • Peer Support • Feedback
6
.
Community.
7
.
.Analy)cs
• Tools&servicesusage• Budgetinsights• Assetversioncontrol&historicalrecord
• Security/abuseinsights• Compliance
Customers
• Granularproductusagedetails
• Machineperformancerela)vetotool
Partners
• Networkusageup)me• Granularproductusageandrevenueshare
Facili)es
9
DevOps for the IoT(sorry)
SOFTWARE MATTERS...
...EVERYWHERE
BUT WE’RE OUT OF EMBEDDED DEVS
600k Embedded
8m Web
9m Mobilesource: ARM estimates
$ git push resin
RESIN.IO DELIVERY PIPELINE
ON-DEVICE S/W ARCHITECTURE
add-on functionality containers
EXTENSION CONTAINER(S)RESIN.IO CONTAINER
Resin.io Agent
Language Packages
Language Runtime
OS Packages
Base Image
APPLICATION CONTAINER
User Application
Language Packages
Language Runtime
OS Packages
Base Image
70+ production customers across consumer, commercial
and industrial use cases
CUSTOMERS PARTNERS INVESTORS
RESIN.IO COMMUNITY
DEVELOPERS LOVE RESIN.IO
SIGN UP!
EVOLUTION OF AN IOT PROJECT
DEVICES
DATA & ANALYTICS
1 2 3 4
CONNECTIVITY
2
1
3
Security vulnerabilities go unpatched
Features (or lack thereof) are locked in
Software misconfigurations risk downtime or bricked
devices
WITHOUT A MODERN SOFTWARE DEPLOYMENT STRATEGY...
DEVICES
DATA & ANALYTICS
1 2 3 4
CONNECTIVITY
2
1
3
EVOLUTION OF AN IOT PROJECT
DEVICESDEVICES
DATA & ANALYTICS
1 2 3 4
CONNECTIVITY
2
1
3
RESIN.IO + SAFE, ITERATIVE IOT SOFTWARE CODE
4
EVOLUTION OF AN IOT PROJECT
Design and evolve your network like software
Ratul MahajanCofounder and CEO
Network engineering today
Deviceconfigura.ons
Many policy concerns Many protocols Many vendors
Low-level directives
Policyintent
Network complexity results in …
Outages
Network complexity results in …
Outages
Securitybreaches
Network complexity results in …
Outages
Securitybreaches
Lackofagility
It can take a few weeks for even minor changes
SW2
Things will get worseSW
HW HW
SW1
Disaggregation of HW and SW Deployment speed, automation
Transition to hybrid cloud Scale (devices / engineer)
SW2
Things will get worseSW
HW HW
SW1
Disaggregation of HW and SW Deployment speed, automation
Transition to hybrid cloud Scale (devices / engineer)
Network complexity
Ability to handle complexity
Time à
Outages and breaches reside in this gap
Inten:onet mission Transformnetworkengineeringbyintroducing
cu:ng-edgeHWandSWengineeringapproaches
Continuous integration Unit testing
Formal methods “What if” analysis
High-level specification ……
Inten.onetanalysisengine
Inten:onet pla;orm
Viola.ons,erroneousconfigura.onlines
Desiredstate&correctnesscriteria(rou.ng,security,fault-tolerance,...)
Configura.on&state
Inten:onet pla;orm
Plannedconfigura.on
Correctnesscriteria
Inten.onetanalysisengine
Continuous integration for the network
Backup
Things will get worse Disaggregated HW/SW
Hybrid cloud More automation
Finer-grained policies More frequent changes
Higher complexity Higher risk of catastrophic events Manual reasoning cannot scale
Ineffectiveness of superficial analysis
Inten:onet mission Transform network engineering by introducing
cutting-edge HW and SW engineering approaches
Core technologies Formal models of network behavior
Analysis using constraint solvers High-level languages Automatic synthesis
Practices Continuous integration
Unit and functional testing Change and predictive analysis High-level design specification
How To Avoid Network Outages
“While there's a lot of hype about hacking and DDoS ….. more than 50% of outages will be caused by change/configuration/release integration.”
Whatcausesthemajorityoffirewallbreaches?It’stemp.ngtoassumethathacking…..99%offirewallbreacheswillbecausedbysimplefirewallmisconfiguraBons.
hJp://www.networkcompu.ng.com/networking/how-avoid-network-outages-go-back-basics/257686406
hJp://www.infosecurity-magazine.com/opinions/to-err-is-human-to-automate-divine/
How To Avoid Network Outages
“While there's a lot of hype about hacking and DDoS ….. more than 50% of outages will be caused by change/configuration/release integration.”
Whatcausesthemajorityoffirewallbreaches?It’stemp.ngtoassumethathacking…..99%offirewallbreacheswillbecausedbysimplefirewallmisconfiguraBons.
hJp://www.networkcompu.ng.com/networking/how-avoid-network-outages-go-back-basics/257686406
hJp://www.infosecurity-magazine.com/opinions/to-err-is-human-to-automate-divine/
JuniperResearch
Why configura:on is hard
Large,complexinfrastructureSophis.catedSLOs
Richpolicies
Low-leveldesignlanguagesCrudeanalysistools
Diverseprotocols,vendors
Networks are complex and fragile
Outages
Securitybreaches
ComplianceviolaBons
Networks are complex and fragile
Securitybreaches
ComplianceviolaBons
Nopeaceofmind
Outages
Comprehensive analysis
Compliance and best prac:ces Data flow
Change analysis Fault tolerance
Unique capabili:es compared to monitoring
Proactive protection • Erroneous configuration never reaches the network
Guaranteed correctness
• Strong, formal guarantees on data flow and compliance Agility
• Rapid evolution without fear of outages and breaches
Use case (1/3)
Inten.onetservice
Plannedconfigura.on
Correctnesscriteria
Deploy
Pre-deploymentcorrectnesscerBficaBonConBnuousintegraBon
Use case (2/3)
Inten.onetservice
Plannedconfigura.on
Currentconfigura.on
Func.onaldifferences
PreventcollateraldamagePredicBveanalysis
Use case (3/3)
SpeednetworkdesignSafemigraBontonewdesigns
Inten.onetservice
Newnetworkdesign Answers
Queriesontrafficflow
Example issues in customer networks
Sensitive, internal resources were accessible from outside
[bad firewall rules]
Neighboring networks could hijack internal IP address
space [bad routing filters]
IPSec tunnels were not being established
[bad VPN keys]
Non-compliant AAA settings [bad AAA configuration]
In the words of our customers
“The Intentionet report was mind blowing.”
“You guys have a tiger by the tail here. Very excited
for your startup.”
“This is incredible data and I can't wait to broaden to the rest of our network.”
“One of my NOC guys stopped by today to ask
what voodoo I was using to find such things :)”
Demo
Inten:onet design engine
High-levelspecifica.on(e.g.,thisishowpacketsshouldflows)Generateslow-levelconfigura.on(e.g.,Cisco,Juniper,…)Provablycorrectandevolu.on-friendlyWell-receivedpapersattopresearchvenues(SIGCOMM,PLDI)