Good old perimeter security, enforced by traditional firewall protection, is now combined with distributed firewalls, public cloud native security controls and third-party security services. The shared-responsibility security model means that IT organizations need to assume accountability for the data and overall security posture, as this is not exclusively the cloud providers’ responsibility.
3. AGENDA
01 Who owns cloud security? Why is it important?
02 The complexities of cloud security
03 How visibility and automation solutions can help you manage your cloud estate security
3 | Proprietary
4. SECURITY IS THE MAJOR CONCERN IN CLOUD ADOPTION
What concerns does your organization encounter when adopting a public cloud platform (Select all that apply)?
• Security concerns: 80.85%
• Data loss and leakage risks: 62.48%
• Regulatory compliance: 57.06%
• Integration with the rest of our IT environment: 49.13%
• Legal concerns: 44.29%
• Cost: 43.71%
• Visibility into resources in the cloud environment: 38.68%
• Migration of applications to the cloud: 35.01%
• Lack of expertise to manage the cloud environment: 32.69%
• Lack of staff to manage the cloud environment: 23.02%
• Other (please specify): 2.32%
Source: Cloud Security Alliance (CSA) survey, March 2019
5. WHO IS RESPONSIBLE FOR YOUR CLOUD SECURITY?
Customer: responsible for security ‘in’ the cloud
• Customer Data
• Platform, Application, Identity & Access Management
• Operating System, Network & Firewall Configuration
• Client-side Data Encryption & Data Integrity Authentication
• Server-side Encryption (File System and/or Data)
• Network Traffic Protection (Encryption/Integrity/Identity)
AWS: responsible for security ‘of’ the cloud
• Compute, Storage, Database, Networking
• AWS Global Infrastructure: Region, Availability zones, Edge location
Source: Amazon Web Services
6. POLL #1
Who owns cloud security risk in your organization?
• Information Security
• Operational team/DevOps fully owns their apps security
• DevSecOps
7. MISCONFIGURATION A MAJOR SECURITY RISK
Through 2019, 80% of cloud breaches will be due to customer misconfiguration, mismanaged credentials or insider theft, not cloud provider vulnerabilities.
8. MISCONFIGURATION A MAJOR OPERATIONAL RISK
What was the main contributor to your network or application outage in the last year?
• Not sure: 20.36%
• Operational human errors and mismanagement of devices: 19.76%
• Device configuration changes: 15.32%
• Faults, errors, or discards in network devices: 12.10%
• Link failure caused due to fibre cable cuts or network congestion: 8.47%
• Server hardware failure: 5.24%
• Power outages: 5.24%
• Failed software and firmware upgrade or patches: 3.23%
• Security attacks such as denial of service (DoS): 2.22%
• Incompatibility between firmware and hardware device: 1.01%
• Other (please specify): 7.06%
Source: Cloud Security Alliance (CSA) survey, March 2019
9. CLOUD SECURITY COMPLEXITY
[Diagram labels: Public Clouds, Private Clouds, On-Prem. Account 1, Account 2, Account 3. Sub 1, Sub 2, Sub 3. VPC/VNET: VPC payroll, Payroll stage, VPC CRM, VNET test1, Germany Central, Website stage, Website production. Security Controls: SG1, SG2, SG3; NACL1, NACL2; AZFW1, AZFW2; NSG1, NSG2.]
10. MANAGING SECURITY IN THE CLOUD IS COMPLEX
MULTIPLE LAYERS OF SECURITY CONTROLS
Security Products by ISVs
• NG Firewalls (Check Point, Palo Alto ..)
• WAF (Imperva, F5 ..)
Security Products by Cloud Providers
Cloud Infra Security Controls
• Security Groups
• Permissions
• More..
11. MANAGING SECURITY IN THE CLOUD IS COMPLEX
MULTIPLE LAYERS OF SECURITY CONTROLS
What network security controls do you currently use to secure your public cloud deployments? (Select all that apply)
• Cloud provider's native security controls (e.g. Security Groups, Network ACLs): 70.37%
• Cloud provider's additional security controls (e.g. Azure Firewall, AWS WAF): 58.48%
• Virtual editions of firewalls (e.g. Palo Alto Networks, Check Point, Barracuda) deployed in the cloud environment: 45.03%
• Host-based enforcement: 31.58%
• Don't know: 9.55%
• Other (please specify): 4.29%
Source: Cloud Security Alliance (CSA) survey, March 2019
12. MANAGING SECURITY IN THE CLOUD IS COMPLEX
Multiple stakeholders
• Cloud Teams
• IT / Network Security
• CISO
• Security Operations
• Application Developers / DevOps
13. MANAGING SECURITY IN THE CLOUD IS COMPLEX
Multiple stakeholders
Which team is responsible for managing security in the public cloud (please select the primary team)?
• Information Security: 35.59%
• IT Operations: 28.24%
• Cloud team within the IT department: 15.28%
• Application Owners / Developers / DevOps: 6.00%
• Managed Service Provider: 3.87%
• CISO: 3.87%
• Not sure: 3.48%
• Other (please specify): 3.68%
Source: Cloud Security Alliance (CSA) survey, March 2019
14. MANAGING SECURITY IN THE CLOUD IS COMPLEX
Multiple Layers of Security Controls
• 3rd party Security Vendors Products
• Cloud Infra Security Controls
• Security Products by Cloud Providers
Multiple Stakeholders
• CISO
• IT / Network Security
• Cloud Teams
• Security Operations
• Application Developers / DevOps
Multiple Clouds
• Public Clouds
• Private Clouds
• ACI
15. ALGOSEC SIMPLIFIES CLOUD SECURITY
• Instant visibility
• Risk analysis
• Compliance
• Central policy management
Across Multiple Layers of Security Controls
Multiple Stakeholders
Across Hybrid and Multiple Clouds (ACI)
16. VISIBILITY INTO YOUR CLOUD ESTATE
• End-to-end network visibility
• Visibility into your estate
• What assets do I need to protect?
• What security controls do I have in each VPC/VNET?
• Change monitoring – what was recently changed? By whom?
17. END-TO-END NETWORK VISIBILITY
Across the hybrid estate
• Native Cloud Security Models (Security Groups/NACL/NSG)
• Virtual security device in the cloud
• Traditional FW
• Virtual appliance in the SDN fabric
• Private cloud SDN – distributed FW
18. VISIBILITY INTO YOUR CLOUD ESTATE
01 Know what you need to protect
02 Security controls in each VPC/VNET
03 Easy Navigation
04 Change monitoring
19. RISK ANALYSIS
• What is my overall risk level?
• Which areas should I focus on?
01 At-a-glance security posture view
02 Risk notifications and remediation
• Network risks – native cloud controls and security devices
• Storage permissions (public/private)
• IAM
• Account setting
• Sensitive Data not encrypted
• Key management
• Audit trail not enabled
Actionable risk management
20. CENTRAL POLICY MANAGEMENT: THE CHALLENGE
• Similar security controls in multiple accounts, regions, VPCs/VNETs
• … that should include the same rules
• … but with some specific per-policy rules
• Result: an admin maintains many (many!) copies of the same policy
[Diagram labels: Public Clouds; BU 1, BU 2, BU 3; VPC payroll, Central Germany, Website stage, Website production; AZFW1, AZFW2; NSG1, NSG2.]
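The situation on this slide (many copies of one policy that should share the same rules plus a few local ones) can be checked mechanically. The following is an added example, not AlgoSec's code or part of the original deck: it diffs each copy against a declared baseline and flags local rules open to the whole internet. The group names, rules and function names are constructed for illustration.

```python
from ipaddress import ip_network

# Constructed sample data: one intended baseline and three copies of the
# "same" security group kept in different accounts/regions (all hypothetical).
# A rule is (protocol, port, source CIDR).
BASELINE = {("tcp", 443, "10.0.0.0/8"), ("tcp", 22, "10.20.0.0/16")}

COPIES = {
    "account1/eu-central/sg-web": BASELINE | {("tcp", 8443, "10.30.0.0/16")},
    "account2/us-east/sg-web": {("tcp", 443, "10.0.0.0/8"), ("tcp", 22, "0.0.0.0/0")},
    "account3/eu-west/sg-web": set(BASELINE),
}


def is_public(cidr):
    """True when the source range covers the whole IPv4 or IPv6 internet."""
    return ip_network(cidr).prefixlen == 0


def audit(baseline, copies):
    """Compare every copy with the baseline and return per-copy findings."""
    report = {}
    for name, rules in sorted(copies.items()):
        extra = rules - baseline
        report[name] = {
            "missing": sorted(baseline - rules),  # shared rule lost in this copy
            "extra": sorted(extra),               # per-policy additions to review
            "public": sorted(r for r in extra if is_public(r[2])),
        }
    return report


def drifted(report):
    """Names of copies that lost a baseline rule or expose a port publicly."""
    return [n for n, f in report.items() if f["missing"] or f["public"]]


if __name__ == "__main__":
    result = audit(BASELINE, COPIES)
    for name, findings in result.items():
        print(name, findings)
    print("needs attention:", drifted(result))
```

Legitimate per-policy rules show up under "extra" without being treated as drift; only a lost baseline rule or an internet-wide source puts a copy on the attention list.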
21. CENTRAL MANAGEMENT OF NETWORK POLICIES
01 Across accounts, regions, VPCs, VNETs
02 Easy management of rules in similar SGs
03 Easy provisioning of on-prem network rules and virtual firewalls
24. POLL #2
Who is responsible for security-related cloud configurations (e.g. security groups, encryption settings)?
• Information Security solely
• Operational teams/DevOps solely
• Information Security provide automation tools for DevOps to provision
25. MATCH SOLUTION TO YOUR ORGANIZATION AND PROCESSES NEEDS
“Similar purpose security policies are managed per each region, VPC”
Need a good central management solution
“DevOps configure security configs, but SecOps are responsible for security”
• SecOps need change monitoring, risk analysis, risk management solution
• DevOps need a solution for what-if risk check before deploying their app.
“All security changes are going through SecOps”
Need a good change management solution
26. SUMMARY
• Responsibility for security in the cloud is up to us (IT and security personnel)
• Cloud security is complex:
• Multi-security controls
• Problematic visibility
• Multiple stake-holders
Hence introducing a security risk
• Easy to achieve agility, harder to keep it secure
• AlgoSec is your partner for:
• Risk and compliance management
• Cloud Security Policy Management
• Support for hybrid cloud and multi-clouds
This is a survey run by CSA with AlgoSec, with over 600 respondents.
So we asked people what their main concerns are with cloud adoption.
In the past we used to see cloud migration and operations as a major issue. Now we see this has gone down a bit.
In fact, security, compliance and data leaks have become the most concerning issues for IT professionals.
So – who owns cloud security?
In the early days this issue was unclear, and AWS tried to bring some order to it by coining the term “shared responsibility”.
AWS/cloud provider – responsible for security of the cloud – the infrastructure.
Customer – responsible for security in the cloud – OS, networking etc., but basically the policy of cloud configuration and the configuration of security controls in the cloud.
Not as aggressive as the claim for on-prem, which talks about over 90% of cases related to misconfiguration.
There are multiple complexities to managing security in the cloud. The first is the multiple layers of security controls.
So we have the cloud infrastructure itself: we have security groups protecting our assets as well as network ACLs, and we have many configurations of the cloud infra to take care of, e.g. making sure storage is encrypted or that we do not provide public access to sensitive data.
Another layer is the security controls of the cloud provider. For example, we have Azure Firewall, just announced, or Amazon WAF.
And a third layer is security products or controls that are provided by ISVs, or third parties, such as NG firewalls, WAFs, CASB and more.
Native security controls are free of charge, but also:
• Limited in scale
• Limited in functionality
So we see organizations also using paid tools, and they often set coarse- and fine-granularity policies to bring some order to the two.
Multiple stakeholders – no single point of control.
In the past, security was responsible for the firewall, WAF or other controls, and IT/dev needed to submit a change request.
Today, cloud teams often have full permissions to change security constructs, DevOps tools include security constructs and configurations as part of the application code, etc.
Security teams have limited visibility and control.
Visibility – across multi-clouds, accounts, VPCs, security controls
Compliance: both corporate policy and regulation
Risk analysis and risk management
Central policy management – get similar policy elements managed in a single place with a similar look and feel
Simplified estate
See what assets you need to protect, see what security controls you have to protect them.
We can see the overall estate, and see and navigate across our estate.
Change monitoring is also very important. As we have multiple people from different departments working with the cloud and making changes, we need a good auditing tool to see what has changed.
When we want to manage risk we need a few things:
At a glance – a broad view of our status: do we have a problem, and where?
Detailed risk alerts. We are talking about network risks, storage permissions, and so on. For each risk we need to know what triggered it, and we want to know which assets are impacted by that risk.
The combination of all of that brings us to an actionable risk management solution.