Security that works with, not against, your SaaS business
Dave Shackleford, Lead Faculty, IANS
Rand Wacker, VP Products, CloudPassage
10/2/2013
Copyright © 2013 IANS. All rights reserved.
Who We Are
Dave Shackleford, Lead Faculty at IANS
Rand Wacker, VP of Products at CloudPassage
Virtualization: First step to Cloud
• Security is in upheaval
• We must adapt to cloud disruption
• Check out Dave’s Cloud Security classes with SANS
Overview for Today
• Business imperatives for SaaS
• Cloud-based delivery architecture
• Security complexity in agile cloud environments
• Customer case studies with Halo Enterprise
• Q&A
© 2013 CloudPassage Inc.
Two Sides of the SaaS Coin
What Customers Fear
– Loss of data / I.P.
– Their brand being caught up in a compromise
– Failing their own audits
– Having to migrate to another provider later…
What You Want
– Recurring revenue
– Organic incremental sales
– Nothing to ship, one codebase to support
– Higher profit margins at scale…
Data protection is often a new business challenge for software providers.
SaaS Adoption and Fear Trends
SaaS is the primary cloud investment
• 82% of companies use SaaS providers
• 50% use SaaS for business-critical apps
Source: North Bridge Capital “Future of the Cloud” survey (June 2012)
Security, compliance still top concerns
• 55% consider security a major issue
• 38% view compliance as show-stopper
Companies want to use SaaS but fear security issues.
SaaS providers who get security right are at a massive advantage over competitors.
What SaaS Customers Demand
27002
Maintaining compliance is more complex in dynamic cloud-based environments.
Cloud Accelerates SaaS Dev
• SaaS feature development must stay ahead of competition
• DevOps and cloud architectures enable agile development
• Accelerates time-to-market, but complicates security…
Poll: SaaS Challenges
• What are your biggest challenges in building/transitioning to a SaaS business model? (Select all that apply)
– Organizational expertise in building SaaS offerings
– Security of service/customer data
– Transitioning customers from perpetual to subscription
– Cannibalization of existing revenue streams
– Other
Cloud Security Challenges
• There are many security challenges in cloud computing
• Some are more technical
– Tracking data migration from abc (mobility)
– Data/customer segmentation (Multi-tenancy)
– Identity and Access Management
– Incident response in multitenant environments
• Some are more “macro” level issues:
– Policy and Risk Assessment
– Governance
– Audit requirements
– Compliance
“If you’re a large enterprise, somebody in your organization is using cloud computing, but they’re not telling you.”
--James Staten, principal analyst at Forrester Research
The Role of Virtualization in the Cloud
• Virtualization is a cloud enabler
– Pooled resources
– Abstracted components and applications
– Shared infrastructure
– Resource and data migration and replication
• Virtualization technologies have security issues, too:
– More complexity, more moving parts
– New configuration controls
– Segmentation and separation
– Monitoring
Multi-tenancy: Security Issues
• One physical platform may host numerous distinct entities’ data and services
• Critical needs arise for:
– Segmentation & Isolation
– Policy boundaries
– Monitoring (availability/security)
– Management
• Needs may differ for private vs. public cloud types
Visibility
• Visibility is a challenge in cloud environments – why?
– Customers do not have visibility into the internal security controls in place at a cloud provider facility
– Cloud providers need controls that are flexible and dynamic across different environments
Gaining Additional Visibility
• SaaS environments will employ IaaS principles and infrastructure to host VMs and application instances
• Monitoring these instances can be a challenge as they migrate and balance across clusters
• Traditional tools for monitoring (IDS, for example) may have difficulty “following” systems or gaining visibility into virtual environments
• Monitoring at the individual VM level makes more sense in a cloud infrastructure
Change Management in the Cloud
• Change management is one of the most important operational aspects of the cloud
• Cloud computing is built on a foundation of consistency and uniformity
– Changes can affect this dramatically
• Issues:
– Virtualized infrastructure increases the rate of change due to dynamic nature
– Virtualization and multi-tenancy add new levels of complexity
• App Virtual OS Virtual Hardware Storage Hypervisor Platform Physical Hardware
Automation and DevOps
• In many SaaS cloud environments today, numerous small/rapid code pushes are becoming necessary
– Automating this process with proper test and risk assessment is key
• DevOps strives for a number of goals and focal areas:
– Automated provisioning
– No-downtime deployments
– Monitoring
– “Fail fast and often”
– Automated builds and testing
Traditional Security Breaks Cloud Ops
• Many traditional security tools and controls are not well-suited to dynamic cloud operational environments
• In general, many network-focused and larger architectural controls can be slow to change/adapt
– Orchestration tools can help, but API support is required
Host-Based Security in Cloud Environments
• For truly dynamic SaaS deployments, security architecture will be a balance of network and host controls
– Many are leaning more toward local system security controls, though
• Some of the challenges include:
– Resource utilization
– Integration with virtualization platforms
– Testing with SaaS application instances
– Manageability
Host-based Security Agents
• The biggest issue with host-based security agents is resource consumption
– Too much RAM, CPU, etc.
– This is a serious issue in virtualized environments
• A lightweight, specially-adapted agent is needed
• Tight integration with the OS kernel and components is also key
– Local scans and monitoring need to be as low-impact as possible
– Scalability and centralized control are critical
Halo Enterprise automates security for large, complex private, public & hybrid clouds
• Visibility & control across any infrastructure
• Less time demanded from DevOps & Security
• More competitive SaaS offerings
• Meet compliance needs, remove sales barriers
Security and Compliance Automation
Protect servers and applications in any private, public, or hybrid cloud environment
Broad set of security controls, critical for securing cloud-hosted applications
• Server Account Management
• Security Event Alerting
• File Integrity Monitoring
• REST API Integrations
• Firewall Automation
• System & Application Config Security
• Multi-Factor Authentication
• Vulnerability & Patch Scanning
HALO PLATFORM
[Diagram labels]
• Environments: Private cloud & SDDC; Virtualized & bare-metal datacenter; Public cloud IaaS
• Halo components: Halo security analytics engine; Halo administration web portal; Halo REST API gateway
• Workload VM Instance: Operating System; Application Code; System Administration Services; Application Engine; App Storage Volume; System Storage Volume; Halo Daemon
HALO SECURITY MODULES
• Firewall policy orchestration
• Multi-factor authentication
• File integrity monitoring
• Configuration security monitoring
• Software vulnerability scanning
• System access management
[Diagram callouts]
1. Halo activates firewall on boot, applies latest policies, and orchestrates ongoing policy updates.
2. Halo secures privileged access via dynamic firewall rules triggered by multi-factor user authentication.
3. Halo scans O.S. configurations for vulnerabilities and continuously monitors O.S. state and activity.
4. Application configurations are scanned for vulnerabilities and are continuously monitored.
5. Cryptographic integrity monitoring ensures app code and binaries are not compromised.
6. Halo monitors system binary and config files for correct ACLs, file integrity, and vulnerabilities.
7. Application data stores are monitored for access; outbound firewall rules prevent data extrusion.
Solving Cloud Security Challenges
Cloud Complications
• Virtualization and multi-tenancy
• Maintaining visibility
• Taming change management
• Supporting automation & DevOps
CloudPassage Approach
• Build security into cloud stack
• Design for automation, portability, and scalability
• Broad range of security controls
• Simplify compliance management
Poll: SaaS Offerings
• Today, what percentage of your business is from a SaaS offering (vs boxed product or other?)
– All
– More than half
– Less than half
– None
– Not applicable to our organization
Case Study: Enabling SaaSification
• Top 10 Fortune’s software list
• Corporate imperative: move boxed product to SaaS
• Security is paramount; customers demand SOC2, HIPAA, etc.
• Running across mix of AWS, VMware, and others
Case Study: Enabling SaaSification
Product Line 1
Product Line 2
Product Line 3
SaaS Product 1
SaaS Product 2
SaaS Product 3
Halo automates security and compliance for each BU running in cloud
Halo security platform
Halo Benefits
• Enable fast and agile DevOps model
• Security built into stack for portability
• Ensures consistency of servers, visibility, and enables rapid response
Case Study: Securing Acquisitions
• B2B SaaS pioneer
• Core product in virtualized datacenters, traditional security practices
• 20+ acquisitions for growth: most built in public cloud
• Must extend security and compliance across any infrastructure
Case Study: Securing Acquisitions
Core Product Datacenter & IT Security Operations
Halo provides security and compliance across all environments
Acquisitions built in public & private clouds
Halo Benefits
• Easily installs into any cloud architecture
• No disruption to development pace
• Extends existing security operations to cloud
Summary
• SaaS businesses require strong security
• Cloud-based development complicates traditional security
• Security and compliance must enhance, not slow down, agile SaaS development
• Focus security architecture on automation, portability, and visibility
Q&A and Additional Information
Dave Shackleford
Lead Faculty, IANS
@ians_security
cloudpassage.com/saas
Rand Wacker
VP, Products
@cloudpassage
• Securing SaaS whitepaper
• Request a Halo demo or free trial