Real-World Cloud Infrastructure Box - Cloud Security Alliance
© 2010 - 2013 CloudPassage Inc.!
Enterprise Cloud Use Cases and Security Considerations
Carson Sweet, CEO, CloudPassage
For This Discussion…
• We’re talking about cloud infrastructure
– Cloud-oriented infrastructure delivery
– Infrastructure for any workload, not just web apps
– Everything from the bricks through the app delivery stack
• We generally consider “cloud-oriented” as…
– Virtualized servers, networking, & application stacks
– Self-service infrastructure provisioning
– Utility billing / cost structure (pay for what’s used)
– Highly automated management / orchestration
– Public, private, or hybrid infrastructure models
Survey: 2013 Cloud Server Plans

| Use case | Public CSP | Private Cloud or SDDC | Hybrid Cloud |
|---|---|---|---|
| Temporary workload / big data / analytics | 30% | 19% | 40% |
| E-commerce applications | 34% | 15% | 40% |
| Public content hosting (news, blogs, video) | 32% | 23% | 33% |
| Hosting development and testing environments | 48% | 19% | 38% |
| Externally-facing applications | 50% | 25% | 38% |
| Non “core-business” apps (HR, CRM, ERP, email) | 43% | 19% | 23% |

Values are the % of respondents anticipating use of each cloud environment for delivery.
Source: 2012 CloudPassage Survey of information technology, security and compliance managers (n=201)
Dev/Test in Public Clouds
[Diagram, built up over three slides: servers production-01 through production-06 alongside dev-01 through dev-03 and qa-01 through qa-03; the final build adds production-07 through production-12 with a second set of dev-01 through dev-03 and qa-01 through qa-03.]
Dev/Test in Public Clouds
Drivers / Benefits
• Decreases IT workload
• Self-sufficient BU developers
• Opens datacenter capacity
• Reduces configuration efforts
Security Considerations
• Public cloud server exposures
• Visibility into misconfigurations
• Production data in test/dev
• Tracking server launches/clones
Big Data Analytics
[Diagram: a production database cluster (production-01 through production-05), a data pump, and a map-reduce (e.g. hadoop) analytics slave cluster with nodes quant-1, quant-2, quant-3 … quant-(n).]
Big Data Analytics
Drivers / Benefits
• Massive new capabilities
• Leverage years of collected data
• Previously unattainable intel
• Product enhancements, risk intelligence, BI, BPM…
• Cloud analytics = scalable!
Security Considerations
• Your data, public cloud
• Analytics engine contains IP
• Geographic data hosting
• Integrity is paramount
Private IaaS / PaaS Clouds
Drivers / Benefits
• Increased hardware utilization
• Self-service provisioning
• Decreases IT workload
• Rapid scalability / elasticity
Security Considerations
• Limited-to-no change control
• Flattened network architecture
• Not everyone knows security
• Cloud-capable security tools
• Raw tech & ops scaling issues
Cloud Infrastructure Security Pain
• Meeting Compliance & Best Practices
– PCI, HIPAA, ISO 27002, SOC2, SANS Top 20, NIST
• Too many systems & high velocity of change
– “Dynamic” is core to cloud, is the new mode of operation
– Security orchestration & automation are underserved needs
• Rounding out public CSP security basics
– Customers are responsible for the bulk of security
– Very different operating environment
• Existing products don’t work well (or at all)
– Technology was designed for a different time, operating model
– Do not match up to dynamic cloud operational models
Existing Approaches Fall Short
[Diagram: servers www-1 www-2 www-3 in a Private Datacenter, www-4 www-5 www-6 in Cloud Provider A, and www-7 www-8 www-9 www-10 in Cloud Provider B, annotated with the shortcomings below.]
• Dependence on hardware and network control
• Not portable to multiple cloud environments
• No usage-based, metered licensing
• Cannot handle elasticity or automatic provisioning scenarios
Architecting Next-Gen Cloud Security
Halo Daemon
• Ultra light-weight agent
• Installed on server images
• Automatically provisioned
Halo Grid
• Elastic compute grid
• Hosted by CloudPassage
• Diverts 95% or more of analytics cycles from VM daemons
(U.S. Patent No. 8,412,945)
CloudPassage Halo
[Diagram: server www-1 running the Lightweight Daemon, the Halo Compute Grid, a User Portal and a RESTful API Gateway, each connected over https; Policies, Commands and Reports are exchanged between Daemon and Grid.]
Daemons installed via CloudPassage scripts or server management tools like Chef, Puppet, or RightScale.
CloudPassage Halo: Policies & Commands
Server policies & commands are retrieved securely from the Grid.
Policy templates can be copied & customized to specific user needs.
CloudPassage Halo: Results & Updates
Daemon runs commands, applies policies, returns results and status to Grid.
Examples: server account data, configuration details, network changes, new servers, etc.
CloudPassage Halo: State and Event Analysis
Grid analyses data sent by Daemon & issues commands to update security controls.
Grid provides > 95% of analytics compute power, preserving server VM resources.
CloudPassage Halo
Users receive alerts, reports, etc. via email, Halo Portal, or Halo REST API.
CloudPassage Halo
[Diagram: additional servers www-2, www-3 and www-4, each with its own Halo daemon, joining www-1 against the same Grid.]
Daemons automatically deployed to servers created via cloud-bursting or server cloning.
This ensures consistent security by making it part of the cloud stack itself.
Example of Operation (Cloud Web Server)
[Diagram: a Cloud Server VM stack (Data / App Code / App Framework / Operating System) with firewalls (FW) at the edge; each layer is paired with the control listed below.]

| Layer | Control |
|---|---|
| Network (FW) | Orchestrate network access control and multi-factor auth |
| Data | Monitor sensitive data and prevent egress |
| App Code | Continuously verify application code is current and un-tampered |
| App Framework | Ensure application stacks locked down, meet compliance & security standards |
| Operating System | Verify compliance and harden server configurations |

Result: Fully automated, portable, scalable security & compliance
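The Results & Updates and State and Event Analysis slides describe the daemon side of this loop (apply a policy, return results and status to the Grid), and the Example of Operation slide names per-layer checks such as verifying application code is un-tampered and verifying hardened server configurations. The following is an added illustration, not CloudPassage code and not the Halo API: a minimal policy-check engine in that shape, written in Python. It baselines application files by hash, verifies that hardened configuration values are actually set, and returns a structured result document that a central analysis tier could consume. Every file name, policy key and sample value in it is constructed for the example.

```python
"""Minimal policy-check engine in the shape the Halo daemon slides describe.

Added example, not CloudPassage code. It baselines application files
(file integrity), verifies hardened configuration values, and returns a
structured result document for a central analysis tier. File names, policy
keys and sample content below are all constructed for the example.
"""
import hashlib
import json
import os
import re
import tempfile


def sha256_file(path):
    """Stream a file through SHA-256 so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root, paths):
    """Record the known-good hash of each file the policy covers."""
    return {rel: sha256_file(os.path.join(root, rel)) for rel in paths}


def check_integrity(root, baseline):
    """Flag covered files that are missing or whose hash no longer matches the baseline."""
    findings = []
    for rel, expected in baseline.items():
        full = os.path.join(root, rel)
        if not os.path.exists(full):
            findings.append({"check": "file_integrity", "path": rel, "status": "missing"})
        elif sha256_file(full) != expected:
            findings.append({"check": "file_integrity", "path": rel, "status": "modified"})
    return findings


def check_config(root, rules):
    """Each rule names a file, a key and the hardened value it must carry.

    Only an uncommented 'key value' line counts: a commented-out default such
    as '#PermitRootLogin yes' is ignored, and a missing key is reported as
    actual=None rather than silently passing.
    """
    findings = []
    for rule in rules:
        full = os.path.join(root, rule["file"])
        text = ""
        if os.path.exists(full):
            with open(full) as fh:
                text = fh.read()
        match = re.search(rf"^\s*{re.escape(rule['key'])}\s+(\S+)", text, re.M)
        actual = match.group(1) if match else None
        if actual != rule["expected"]:
            findings.append({"check": "config", "file": rule["file"], "key": rule["key"],
                             "expected": rule["expected"], "actual": actual})
    return findings


def run_policy(root, policy):
    """Apply the whole policy and return the result document the daemon would send upstream."""
    findings = check_integrity(root, policy["baseline"]) + check_config(root, policy["config_rules"])
    return {"server": policy["server"], "findings": findings, "compliant": not findings}


def demo():
    """Constructed scenario: a clean server passes, then code and config drift are caught."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "app"))
        os.makedirs(os.path.join(root, "etc"))
        with open(os.path.join(root, "app", "index.py"), "w") as fh:
            fh.write("print('hello')\n")
        with open(os.path.join(root, "etc", "sshd_config"), "w") as fh:
            fh.write("#PermitRootLogin yes\nPermitRootLogin no\nPasswordAuthentication no\n")
        policy = {
            "server": "www-1",
            "baseline": build_baseline(root, ["app/index.py"]),
            "config_rules": [
                {"file": "etc/sshd_config", "key": "PermitRootLogin", "expected": "no"},
                {"file": "etc/sshd_config", "key": "PasswordAuthentication", "expected": "no"},
            ],
        }
        clean = run_policy(root, policy)
        # Simulate drift after the baseline: an unreviewed code change and root login re-enabled.
        with open(os.path.join(root, "app", "index.py"), "a") as fh:
            fh.write("# unreviewed change\n")
        with open(os.path.join(root, "etc", "sshd_config"), "w") as fh:
            fh.write("PermitRootLogin yes\nPasswordAuthentication no\n")
        drifted = run_policy(root, policy)
    return clean, drifted


if __name__ == "__main__":
    for result in demo():
        print(json.dumps(result, indent=2))
```

Run the file directly to print both result documents. In the slides' terms, the daemon would ship this JSON to the Grid instead of printing it, and the baseline and rules would arrive with the policy rather than be built on the server itself; the point of the example is the shape of the loop (policy in, findings out) and the two failure modes a missing or commented-out setting and a silently changed file represent.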
Why Is This Architecture Better?
• Portable, built-in security & compliance automation
– Self-service infrastructure provisioning (private IaaS)
– Controls that transparently move across cloud environments (hybrid)
– Secure, compliant use of cloud service providers (PCI, ISO-27002, SOC2)
• Technically, financially, operationally scalable
– Grid architecture = low impact to systems, massive horizontal scalability
– Metered usage = pay for what’s used (hourly licensing, volume discounts)
– Automation = built-in controls with zero provisioning or configuration
• Consistency, efficiency through automation
– Security is built directly into the stack; changes, removal instantly detected
– REST API and toolkit for extensive integration with existing tools, processes
– One central point of visibility and control for systems across multiple clouds
This architecture works anywhere…
… and it enables multiple functions.
HALO PLATFORM
• Server Account Management
• Security Event Alerting
• File Integrity Monitoring
• REST API Integrations
• Cloud Firewall Automation
• System & Application Config Security
• Multi-Factor Authentication
• Vulnerability & Patch Scanning
Security moves with distributed workloads and achieves massive horizontal scalability
Key Takeaways
• Hybrid / multi-cloud infrastructure and constant change will be the norm
• Hardware-driven perimeter security models don’t scale, can’t keep up
• Security that’s horizontally scalable and tied to cloud workloads is critical
• Whether it’s this approach or another, figure it out and be ready
Questions & Discussion