Cloud Based Security Services: Simplification or Complexity
Michael Ferrell, Security Solutions Architect
MS in Information Security, CISSP, ISSAP, CISA, CGEIT
© 2016 CenturyLink. All Rights Reserved. The CenturyLink mark, pathways logo and certain CenturyLink product names are the property of CenturyLink. All other marks are the property of their respective owners. Services not available everywhere. Business customers only. CenturyLink may change or cancel services or substitute similar services at its sole discretion without notice.
Enterprise workloads shifting quickly to cloud
- The shift of workloads to cloud environments over the next two years is dramatic: from 38% overall today to 56% expected in two years.
- Off-premises workloads also shift, from 29% today to 44% in two years.
- Cloud providers will account for 68% of all cloud workloads, up from 60% today.
Base = cloud adopters. Source: 451 Research, Voice of the Enterprise: Cloud Computing, Q2 2015
Security/Compliance is an inhibiting factor
Q. Please rate the impact the following have on inhibiting your organization's use of cloud computing on a 1-10 scale.
Source: 451 Voice of the Enterprise, Cloud Computing – Wave 7
Cloud Level Set
Responsibility (shared responsibility diagram). Deployment models compared: On-Prem, Colocation, Public IaaS, Public PaaS, Public SaaS, Molo-Private. Stack layers shown in each column: Data, App, VM (Services in the Public PaaS and Public SaaS columns), Server, Storage, Network. Legend: Organization controls, Provider controls, Shared control. Axis labels: Less direct control, More trust in provider.
Security Versus Compliance
Security:
- Vulnerability assessment
- Security configuration management
- Application security
- Web application firewall (WAF)
- Endpoint security
- Advanced anti-malware or advanced persistent threat (APT) protection
- Data loss prevention (DLP)
- Data encryption / key management services
- Security information and event management (SIEM)
- Identity and access management (IAM)
- IT governance, risk and compliance (GRC) tools
Compliance:
- Application of organizational policies
- Service level agreement execution / QoS
- Audits, attestations and reports
Cloud Security Decision Points
Risk: evaluate risk and appropriate controls
- Are today's controls appropriate to reduce risk?
- Do they need to change in the cloud?
- Are controls being executed effectively?
Governance becomes a greater challenge
- Rogue and shadow cloud usage
Can everything fit?
- May fit, but should it?
- Where should it fit? Public? Private? Community? On-prem?
Multiple Providers – Multiple Data Locations
Cloud Concerns
Visibility:
- Where is the data?
- Who is using the data?
- Actions of provider and service
Data security:
- Data sovereignty – geopolitical data constraints
- Multi-tenancy – concerns/perceptions about commingling of data
- Provider visibility to data – what can they access and "see"?
Compliance:
- Auditability – my auditors' concerns
- Sustainability – will the provider be there long term?
Overall security:
- Controls – can I implement the same compliance/security controls?
- Threat protection
- User behavior analysis
Cloud controls
Desired state:
- Common view/tools across multiple cloud environments
- Cloud based consumption and deployment model
- Flexible scaling
- Extensibility across multiple providers
- Security as a service models
Constraints:
- Not all tools are able to run or be deployed in various clouds
- Cloud vendor specific tools can't be extended to others
- Does a security as a service model across multiple cloud providers fit the company's risk and data model?
Approaches
Extend security from the enterprise:
- Restrictive, not an enabler of business
- Traditional first reaction to the introduction of clouds
- Becomes the constraint on flexibility in the cloud
Adopt similar security from providers:
- Focus becomes the result of controls, not the toolset
- Mapping to existing known tool results often becomes difficult
- Clarity suffers
Cloud security brokers:
- Model uses on-site components and APIs to provide visibility into on-prem and remote activity
- Allows for more unified visibility and clarity across cloud providers
- Can tie to on-premise applications
Using Provider Services
Cloud Security Brokers
Controls
- Audits, attestations and reports: scheduled audits with third-party organizations, regular and irregular reports as required, providing attestation of compliance on request
- Data: IAM, data loss prevention (DLP), data access logging, encryption in transit and at rest, key management, physical location attestation
- Connectivity: uptime, performance and external incident response and tracking
- Server and workload: software asset management, activity and performance logging, user access logging, scheduled patching and maintenance, performance testing
- Infrastructure (IT hardware): asset management, monitoring for failure, logged access, logged maintenance, scheduled maintenance and inspection
- Operational redundancy: contingency planning, power, cooling and connectivity duplication, infrastructure redundancy, failover testing
- Physical security: cameras, perimeter alarm systems, secure entryways, security personnel, access logging
Representative Cloud Based Security Tools
(Tool type – Areas – Description)
- Identity – Control access and authentication – Federate with existing, or standalone across services and providers
- Network/Endpoints – Threat detection & prevention, usage – From malware to host IDS/IPS, file integrity, and mobile
- Virtualization – Policy enforcement, access – Includes encryption, two-man rule policy control, 2FA, in-depth logging, RBAC
- Cloud infrastructure – Monitoring and threats – Platforms provide compliance, monitoring of workloads, threat intel, vulnerability management
- Cloud data protection – Discovery, gateways, brokers, encryption – Detect & monitor cloud usage, provide policy based data encryption, data-centric across multiple devices
- Cloud applications – Pass-through to cloud services – Cloud based gateway to SaaS, IaaS, PaaS with monitoring and rules
- Incident response – Covers threat management, intel, response – Often ties to asset management, and to launching scans for newly discovered or changing vulnerabilities and threats
Software Defined Networking
SDN Security Promises
- Consistent policy
- Centralized "control"
- Example: SOHO and multiple similar locations – security across all, or security missing?
- Ability to isolate vulnerable systems, compromised hosts, or specialized segments
Security in SDN
Controllers are general purpose computing devices
Issues with SDN Security
- The model changes: not a physical barrier; similar to cloud
- Applications and controllers have complete control of the network. Inmates have the keys? If compromised, the whole network may be compromised
- General purpose computing platforms are used for controllers: what will hackers target?