A Practical Model for Enterprise Cloud Security
Transcript of A Practical Model for Enterprise Cloud Security
![Page 1: A Practical Model for Enterprise Cloud Security](https://reader034.fdocuments.net/reader034/viewer/2022051522/58a1a13e1a28ab746f8beb47/html5/thumbnails/1.jpg)
#RSAC
SESSION ID: SPO1-W04
Get Your Head in the Cloud: A Practical Model for Enterprise Cloud Security
Nicolas Popp
SVP Information Protection, Symantec Corp
![Page 2: A Practical Model for Enterprise Cloud Security](https://reader034.fdocuments.net/reader034/viewer/2022051522/58a1a13e1a28ab746f8beb47/html5/thumbnails/2.jpg)
Cloud security – Only five years ago!
From Love to Trust…
![Page 3: A Practical Model for Enterprise Cloud Security](https://reader034.fdocuments.net/reader034/viewer/2022051522/58a1a13e1a28ab746f8beb47/html5/thumbnails/3.jpg)
Certainly not a fad
(chart labels: 2015 Revenue ~$9 Billion; 2015 Revenue ~0.7 Billion)
![Page 4: A Practical Model for Enterprise Cloud Security](https://reader034.fdocuments.net/reader034/viewer/2022051522/58a1a13e1a28ab746f8beb47/html5/thumbnails/4.jpg)
Why is this happening?
![Page 5: A Practical Model for Enterprise Cloud Security](https://reader034.fdocuments.net/reader034/viewer/2022051522/58a1a13e1a28ab746f8beb47/html5/thumbnails/5.jpg)
What cloud security is about
SECURITY FOR CLOUD INFRASTRUCTURE (CLOUD DATA-CENTER SECURITY): Native security offered by IaaS vendors is inadequate: shared responsibility model for security
SECURITY FOR CLOUD APPS (CLOUD ACCESS SECURITY BROKER): Sensitive data is stored in SaaS apps – authorized as well as unauthorized apps, sometimes beyond the visibility or control of IT
MANAGING SECURITY FROM THE CLOUD (CLOUD SOC): Managing security has become complicated by multiple solutions and the need for frequent updates.
![Page 6: A Practical Model for Enterprise Cloud Security](https://reader034.fdocuments.net/reader034/viewer/2022051522/58a1a13e1a28ab746f8beb47/html5/thumbnails/6.jpg)
Use Cases: SaaS security is about the data (not the network)
• Identity & shadow IT
– How do I authenticate, provision, and de-provision users?
– What unauthorized, risky cloud services are being used?
• Data Protection
– What are my users storing in the cloud?
– What are they downloading from the cloud?
– What are they sharing in the cloud?
– How can I protect my critical cloud?
• Threat protection
– How do I detect and prevent threat activity in the cloud?
“SaaS security is identity and data centric, not network centric”
![Page 7: A Practical Model for Enterprise Cloud Security](https://reader034.fdocuments.net/reader034/viewer/2022051522/58a1a13e1a28ab746f8beb47/html5/thumbnails/7.jpg)
SaaS Security: The Cloud Access Security Broker
(architecture diagram; component labels recovered below)
Control points: Email Gateway (Email CASB); Web Proxy (Proxy CASB); Discover Scan (API CASB); Endpoint (EP CASB); Authentication & Access Management (IDaaS)
SaaS: Cloud Email; Sync N Share
Data Protection: DLP (data classification); Crypto (data encryption)
Access Protection
Threat Protection: Analytics (threat detection), CASB embedded or UEBA
Cloud SOC: Cloud Console (policy, incident mgmt.); Policy; Incidents
On-premise: Policy & SIEM?? On-premise SIEM or UEBA
![Page 8: A Practical Model for Enterprise Cloud Security](https://reader034.fdocuments.net/reader034/viewer/2022051522/58a1a13e1a28ab746f8beb47/html5/thumbnails/8.jpg)
Deployment phases & technologies
1. Shadow IT Discovery (proxy logs)
2. Cloud Data Monitoring (API CASB)
3. Inline Cloud Data Protection (Proxy CASB)
4. Cloud Threat Protection (UEBA)
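Phase 1 is typically bootstrapped from the web proxy's own logs. The following Python is an added example, not Symantec's or the presenter's code: it scans constructed proxy log lines for cloud services outside an assumed sanctioned-app list and reports who uses them and how much data is uploaded; the log format, the service catalogue and its risk ratings are all assumptions.

```python
# Shadow IT discovery over web proxy logs (phase 1 of the deck's rollout). Added
# illustration, not Symantec's or the presenter's code; log format, catalogue
# and sanctioned list are constructed assumptions.
import re
from collections import defaultdict

# Constructed catalogue: registrable domain -> (service name, risk rating)
CLOUD_CATALOGUE = {
    "box.com": ("Box", "low"), "salesforce.com": ("Salesforce", "low"),
    "dropbox.com": ("Dropbox", "medium"), "pastebin.com": ("Pastebin", "high"),
    "wetransfer.com": ("WeTransfer", "high"),
}
SANCTIONED = {"Box", "Salesforce"}  # apps IT has authorized (constructed)
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)$")  # ts user method url bytes

def service_for(host):
    # Longest matching domain suffix wins, so app.box.com still maps to Box.
    parts = host.split(".")
    for i in range(len(parts) - 1):
        entry = CLOUD_CATALOGUE.get(".".join(parts[i:]))
        if entry:
            return entry
    return None

def discover_shadow_it(lines):
    """Return {service: {risk, users, bytes_out}} for unsanctioned cloud apps."""
    found = defaultdict(lambda: {"risk": None, "users": set(), "bytes_out": 0})
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # tolerate malformed lines instead of aborting the scan
        _ts, user, method, url, nbytes = m.groups()
        host = re.sub(r"^https?://", "", url).split("/")[0]
        entry = service_for(host)
        if entry is None or entry[0] in SANCTIONED:
            continue  # unknown host, or an app IT already governs
        rec = found[entry[0]]
        rec["risk"] = entry[1]
        rec["users"].add(user)
        if method in ("POST", "PUT"):  # uploads are where data leaves the org
            rec["bytes_out"] += int(nbytes)
    return dict(found)

SAMPLE_LOGS = [  # constructed sample lines
    "2016-03-01T09:12:01Z alice GET https://app.box.com/folder/1 512",
    "2016-03-01T09:15:44Z bob POST https://www.dropbox.com/upload 2048000",
    "2016-03-01T09:20:10Z carol POST https://pastebin.com/api/api_post.php 4096",
    "2016-03-01T09:21:03Z bob PUT https://wetransfer.com/api/v4/transfers 5120000",
]
if __name__ == "__main__":
    print(discover_shadow_it(SAMPLE_LOGS))
```

The sanctioned Box traffic is dropped from the report, so what remains is exactly the unauthorized usage the discovery phase is meant to surface.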
![Page 9: A Practical Model for Enterprise Cloud Security](https://reader034.fdocuments.net/reader034/viewer/2022051522/58a1a13e1a28ab746f8beb47/html5/thumbnails/9.jpg)
Seeing is believing
Email CASB: Inline protection of outbound messages from O365 Exchange using cloud DLP and cloud encryption
API CASB: Discovery of confidential data at Box by scanning data at rest through the Box APIs
![Page 10: A Practical Model for Enterprise Cloud Security](https://reader034.fdocuments.net/reader034/viewer/2022051522/58a1a13e1a28ab746f8beb47/html5/thumbnails/10.jpg)
The CASB contenders
CSP: You do not need one. I will provide all the security for my cloud (Amazon, SFDC) and beyond (MSFT)
CASB: The security guys cannot execute. You need a brand new control point for the cloud
Network Sec: The (NG) firewall remains the control point, just VPN back home or deploy virtually in the cloud
DLP/Web Sec: The perimeter is dead. Simply extend traditional DLP and web security controls to the cloud
![Page 11: A Practical Model for Enterprise Cloud Security](https://reader034.fdocuments.net/reader034/viewer/2022051522/58a1a13e1a28ab746f8beb47/html5/thumbnails/11.jpg)
Encryption: cryptic crypto key issues
(callouts: Key residency; Church versus State; Tokenization versus encryption)
• Guiding principles
– Structured data belongs to the app; external encryption or tokenization is an “unnatural act”
– Files travel across apps and are best served by external encryption (except for DAR, data at rest)
• Structured data encryption
– Compliance: let the CSP encrypt and enforce access policy
– Data residency: the CSP should allow regional deployment
– Trust: the CSP should allow you to externally control the keys
• Unstructured data encryption
– Key challenge: the data is more “mobile”
– DRM versus Adaptive Encryption
![Page 12: A Practical Model for Enterprise Cloud Security](https://reader034.fdocuments.net/reader034/viewer/2022051522/58a1a13e1a28ab746f8beb47/html5/thumbnails/12.jpg)
Beyond DRM: adaptive encryption
(architecture diagram; labels recovered below)
1. DLP + Crypto Agent on the content creator or WIN/MAC managed devices: Document Sandbox App; Upload
2. API CASB: • Tagging • Quarantining • PGP encryption
Cloud services: DLP (classification); KMS (encryption); Identity (authentication)
Cloud Data Encryption
• Native app experience
• Simple policy (DLP drives encryption: 5% only; identity/user trust drives decryption)
• Document access telemetry for audit trails & risk mgmt.
![Page 13: A Practical Model for Enterprise Cloud Security](https://reader034.fdocuments.net/reader034/viewer/2022051522/58a1a13e1a28ab746f8beb47/html5/thumbnails/13.jpg)
Seeing is believing
Cloud KMS & Encryption for Dropbox: Selective (content-aware) file encryption in the cloud and mobile access by an external user, with transparent decryption based on authentication policy
![Page 14: A Practical Model for Enterprise Cloud Security](https://reader034.fdocuments.net/reader034/viewer/2022051522/58a1a13e1a28ab746f8beb47/html5/thumbnails/14.jpg)
Cloud SOC
IaaS: Protecting workloads across clouds
(diagram: Public Cloud | Private Cloud | Public Cloud)
• Hybrid cloud: public & private
• Many perimeters
• Single mgmt. & control plane
![Page 15: A Practical Model for Enterprise Cloud Security](https://reader034.fdocuments.net/reader034/viewer/2022051522/58a1a13e1a28ab746f8beb47/html5/thumbnails/15.jpg)
Use Cases: Workload & network centric
WORKLOAD PROTECTION
– What workloads are running in the cloud? What technology stack?
– How do I harden these workloads?
– How do I protect against vulnerabilities (patching)?
NETWORK PROTECTION
– How do I protect a multi-workload system (EW segmentation)?
– How do I lock down my IaaS perimeters?
SOC MONITORING & RESPONSE
– How do I monitor all layers (workloads, segments, IaaS)?
– How do I detect threats from monitoring?
Automation (DevOps Integration)
• Workloads are templated and built
• Velocity of deployments (3 pushes a day to 100s of pushes a day)
• Security agents are part of orchestration
• Policies are suggested based on workload and workload interactions
![Page 16: A Practical Model for Enterprise Cloud Security](https://reader034.fdocuments.net/reader034/viewer/2022051522/58a1a13e1a28ab746f8beb47/html5/thumbnails/16.jpg)
The new perimeters
(architecture diagram; labels recovered below)
IaaS Discovery APIs – Workload Discovery: gather instance lifecycle events; discover software on virtual instances
Workload + agent – Host-based perimeter: harden OS, white-listing, app-level control; file & system integrity monitoring; anti-virus & APT; vulnerability patching (and virtual patching)
Micro-segment perimeter: EW traffic policy; HIPS policy; network policy
IaaS network perimeter: NS traffic policy; IaaS perimeter security
Telemetry feeds: firewall telemetry; segment telemetry; workload telemetry; network policy
CLOUD SOC (MONITORING & RESPONSE; ENFORCEMENT SECURITY POLICY)
+ Monitoring through network & host-based telemetry
+ Event correlation & UEBA
+ Incident investigation
+ Threat response
![Page 17: A Practical Model for Enterprise Cloud Security](https://reader034.fdocuments.net/reader034/viewer/2022051522/58a1a13e1a28ab746f8beb47/html5/thumbnails/17.jpg)
Seeing is believing
Amazon Workloads Security: Discovering your Amazon workloads and applying host- and application-level controls to protect them
![Page 18: A Practical Model for Enterprise Cloud Security](https://reader034.fdocuments.net/reader034/viewer/2022051522/58a1a13e1a28ab746f8beb47/html5/thumbnails/18.jpg)
The need for security analytics (UEBA)
• Identity & data as new threat planes
– SaaS networks are opaque
– From detecting bad IP addresses to bad users!
– From netflow to data flow
• Physical scaling: SIEM versus Big Data
– Telemetry explosion
– Open source architectures (Hadoop, Spark, …)
• Logical scaling: SIEM versus ML
– SIEM & correlation rules: building a haystack
– ML: finding the needles
![Page 19: A Practical Model for Enterprise Cloud Security](https://reader034.fdocuments.net/reader034/viewer/2022051522/58a1a13e1a28ab746f8beb47/html5/thumbnails/19.jpg)
UEBA: key concepts
(diagram labels: Single data-source; User Entity Behavioral Analytics)
• The user is the entity to profile and risk-score
• Refine risk score based on user behavioral change
• Refine risk score based on peer comparison
• Correlate across all user activity and behavioral anomalies
![Page 20: A Practical Model for Enterprise Cloud Security](https://reader034.fdocuments.net/reader034/viewer/2022051522/58a1a13e1a28ab746f8beb47/html5/thumbnails/20.jpg)
UEBA: Cloud threat detection example
Potential malicious insider
– 12/9 Workday: Nico had a bad review and was put on an HR program
– 1/9 VPN & AD logs: Nico shows increased login activity and abnormal-hours access (self & peer) across SFDC, Box, Workday
– 1/12 SaaS activity APIs: Nico shows increased download activity of confidential documents across SFDC & Box
– 1/13 DLP incidents: DLP incidents show changed and abnormal data movements (print, personal email, removable media)
– 1/15 Firewall logs: Nico shows abnormal bandwidth consumption in comparison to peers
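The key concepts on the previous slide and the insider timeline above can be expressed as a small scoring routine. This Python is an added example, not Symantec's or the presenter's code: it profiles each user, flags a telemetry source only when today's count deviates from both the user's own baseline (behavioral change) and peers' values (peer comparison), and raises the score when anomalies correlate across sources; the users, counts and thresholds are constructed.

```python
"""UEBA-style user risk scoring over several telemetry sources.

Added illustration of the deck's UEBA concepts, not Symantec's or the
presenter's code. Users, sources, counts and thresholds are constructed.
"""
from statistics import mean, pstdev

# Constructed telemetry: a 10-day per-user baseline and today's count for each
# source named in the deck's insider example (AD/VPN logins, SaaS downloads,
# DLP incidents, firewall bandwidth in MB).
BASELINE = {
    "nico":  {"logins": [8] * 5 + [9] * 5, "downloads": [2] * 5 + [3] * 5,
              "dlp": [0] * 10, "fw_mb": [120] * 5 + [130] * 5},
    "alice": {"logins": [8] * 10, "downloads": [2] * 10, "dlp": [0] * 10, "fw_mb": [120] * 10},
    "bob":   {"logins": [9] * 10, "downloads": [3] * 10, "dlp": [0] * 10, "fw_mb": [130] * 10},
}
TODAY = {
    "nico":  {"logins": 20, "downloads": 14, "dlp": 4, "fw_mb": 900},
    "alice": {"logins": 8,  "downloads": 2,  "dlp": 0, "fw_mb": 120},
    "bob":   {"logins": 9,  "downloads": 3,  "dlp": 0, "fw_mb": 130},
}

def zscore(value, reference):
    """Standard score of value against a reference sample; a flat reference
    (zero spread) falls back to unit spread so a first-ever event still counts."""
    spread = pstdev(reference) or 1.0
    return (value - mean(reference)) / spread

def risk_score(user, threshold=3.0, cap=10.0):
    """Profile one user: flag a source only when today's value is anomalous
    both against the user's own history (behavioral change) and against
    peers' values today (peer comparison); then correlate flagged sources."""
    score, flagged = 0.0, []
    for source, today in TODAY[user].items():
        self_z = zscore(today, BASELINE[user][source])
        peer_z = zscore(today, [TODAY[u][source] for u in TODAY if u != user])
        if self_z >= threshold and peer_z >= threshold:
            flagged.append(source)
            score += min(self_z, cap)  # cap so one wild source cannot dominate
    # Correlation: independent anomalies on several planes (identity, data,
    # network) are far more suspicious together than any one of them alone.
    if len(flagged) >= 2:
        score *= 1.0 + 0.5 * (len(flagged) - 1)
    return {"user": user, "score": round(score, 1), "flagged": flagged}

if __name__ == "__main__":
    for u in TODAY:
        print(risk_score(u))
```

A production UEBA would replace the z-score with per-source models and a longer, seasonal baseline, but the shape of the decision (self-deviation AND peer-deviation, then cross-source correlation) is the one the slide describes.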
![Page 21: A Practical Model for Enterprise Cloud Security](https://reader034.fdocuments.net/reader034/viewer/2022051522/58a1a13e1a28ab746f8beb47/html5/thumbnails/21.jpg)
Will IaaS & SaaS security mgmt. converge?
(diagram: telemetry sources feeding the Cloud SOC)
Sources: Identity (user & SaaS access); API CASB (data at rest); Cloud Activity (SaaS-level activity); Proxy/EP CASB (data in motion & use); Privileged access events; Virtualized workload activity; Virtualized network activity; Vulnerability & threat intelligence
Cloud SOC
![Page 22: A Practical Model for Enterprise Cloud Security](https://reader034.fdocuments.net/reader034/viewer/2022051522/58a1a13e1a28ab746f8beb47/html5/thumbnails/22.jpg)
Conclusion: cloud security is an evolution
• From network to identity & data-centric security
– Says the DLP guy!
• From one BIG to many smaller perimeters
– More perimeters with smaller diameters (containers, workloads, micro-segments + user, device/app sandboxing, data encryption…)
• From SIEM to Big Data security analytics
– The explosion and complexity of security telemetry drive the need for big data and machine learning in the SOC
![Page 23: A Practical Model for Enterprise Cloud Security](https://reader034.fdocuments.net/reader034/viewer/2022051522/58a1a13e1a28ab746f8beb47/html5/thumbnails/23.jpg)
Applying what you have learned
• Develop a holistic cloud security strategy that includes:
– The protection of corporate SaaS applications
– The protection of corporate workloads and systems running in public or private IaaS
– New security management & monitoring services in the cloud
• Plan for a Cloud Access Security Broker
– Evaluate a phased approach (access & discovery first)
– Plan for active controls (DLP, encryption); understand implementation options (API, proxy, EP)
• Understand IaaS workload security
– The workload- and SDN-centric security controls that compliance and security will require
• Consider big data security analytics
– Integrate big data architectures & machine learning as part of your SIEM/SOC strategy