Most businesses operate on cloud-based and on-premises servers. This hybrid environment allows for easy access to important data but often creates complexity in properly managing and securing your assets. Now consider IoT devices on your network, and this hybrid environment becomes nearly impossible to maintain. Scott Crawford, Research Director at 451 Research, and David Meltzer, Chief Technology Officer at Tripwire, discuss how to simplify modern network complexities with essential security controls.

1. Simplicity in Hybrid IT Environments:
A Security Oxymoron?
Scott Crawford – Research Director, Information Security

2. Some hybrids are successful…
2
Others,
not so
much

3. Momentum favors the
cloud
“How would you generally
categorize your organization’s
information security view of
hosted cloud computing
solutions (Hosted Private Cloud,
IaaS, or PaaS) in terms of your
organization’s tolerance for
information security risk?”
3
Source: 451 Research Quarterly Advisory
Report: Budgets and Outlook – Information
Security 2016

4. But legacy /
on-premises
investments aren’t
going anywhere soon
“Approximately how is your
organization’s total information
security spending on vendor-
based security tools currently
distributed across the following
locations?”
4
Source: 451 Research Quarterly Advisory
Report: Budgets and Outlook – Information
Security 2016

5. Why maintain the investment?
• Realizing its full value
• Dependencies
• Maturity
• Of the technology
• Of operations &
expertise
• The cloud is different…
• Regulatory requirements
• Ownership & control
5

6. “The” cloud?
6
Different
implementations
Different
services
Different
approaches to
management

7. So what’s the problem?
One set of techniques for legacy/
on-premises
One (or more) set(s) of techniques for
the cloud
7

8. So simplify!
8

9. Hint: What are common objectives?
• Consistency of control,
across both legacy and
“new IT”
• Assurance of enterprise
responsibilities
• Demonstrations of
adherence to enterprise
requirements
9
Security/Compliance Concern Score
Encryption 4.33
Identity Management/Authorization/Access
Control Tools
4.26
Assumption of Liability for Security Breaches or
Outages
4.23
Explicit Contractual Responsibilities for
Security Between the Cloud Provider and
Customer
4.17
Explicit SLAs 4.12
Data Leakage Prevention (DLP) 4.00
Providing Regular Results of Security Audits
from Known Security Testing Companies
3.99
Proven Compliance with Industry Standards 3.92
Auditability 3.91
“Rate the importance of each of the following in addressing
organizational concerns around security and compliance with hosted
cloud solutions:”
Source: 451 Research Quarterly Advisory Report: Budgets and Outlook – Information
Security 2016

10. Finding common ground
• Consistent application of
policy
• Essential for assuring
enterprise compliance
obligations, no matter
where
• Consistent execution of tasks
• Completeness of coverage
across hybrid environments
• Consistent data gathering
• For determining priorities
for the entire investment
10

11. But one size does not fit all
“Most things that we've encountered require a different approach for the
cloud-based solutions, than they do for the on-premises solutions. And
they almost always run into, ‘Oh, yes. But I can't support that’ …
“[For example], ‘we have the best […] security management tool in the
industry,’ ‘Do you support SAP HANA?,’ ‘What's SAP HANA?’…
“Or, ‘We support Amazon Web Services for cloud-based packet inspection.’
‘Does the same system work with my on-premises solution, and put it in
the same console?’ ‘Oh no, you have to have two separate accounts.’
Those are the kinds of conversations that I have all the time…”
-Mid-level management, $1-5bn retailer
11
From recent interviews with enterprise practitioners:
Source: 451 Research Information Security Narratives -: Budgets and Outlook 2016

12. Implementations can be very different
Legacy/on-premises infrastructure
• Accuracy/depth/breadth of asset
discovery
• Across a variety of physical assets
(hosts, networks, applications)
• Balance of speed and accuracy
• Policy constraints
• Tools often purpose-built
Cloud techniques
• API-based - ASK the cloud for
whatever you want to know
• ec2-describe-images --filter
“tag-value=prod”
• DescribeInstances
• DescribeVpnGateways
• DescribeFlowLogs
• Tools must be able to interact
with APIs, automation at scale
12
Example: Asset inventory
How well do your preferred tools
adapt?

13. A small application? No problem.
13

14. That escalated quickly…
14

15. The long view:
Infrastructure’s
disappearing act
15
2000s: On-prem
virtualization
Rise of IaaS,
PaaS, growth in
SaaS
Containers,
microservices
“Serverless”

16. If you think hybrid IT is diverse today…
16
Centralized Distributed
IoT

17. “Data centers on wheels”
17
• Up to 100 ECUs in some
vehicles1
…or with
arms
…or
wings
…or
legs
1 https://techcrunch.com/2016/08/25/the-biggest-threat-
facing-connected-autonomous-vehicles-is-cybersecurity/

18. Not just “smart” endpoints
• Sophisticated compute near the edge
• Data volume, thin pipes, latency
• Real-time action & response
• Functionality offload for constrained endpoints
18

19. Will you be
ready?
19

20. Thank you!
Scott Crawford
Research Director, Information Security
Twitter: @s_crawford

26. FOUNDATIONAL CONTROLS
FOR THE HYBRID ENTERPRISE

28. •
•
•
•
•
•
•
•
•
•
•
•

29. •
•
•
•
•
•
•
•
•
•
•
•

30. UNIFIED MANAGEMENT
Elastic monitoring
Cloud policies
& platforms
Containerization

31. To learn more, download the
TRIPWIRE FOUNDATIONAL CONTROLS FOR THE HYBRID CLOUD
executive brief from the resource widget

32. tripwire.com | @TripwireInc