KEY ELEMENTS OF MULTI-CLOUD SECURITY FOR 2017
Panelists
o Bart Falzarano
• Director, Security and Compliance, RightScale
o Brian Adler
• Director, Enterprise Architecture, RightScale
Agenda
o The State of Multi-Cloud Security
o How to Think About Multi-Cloud Security
o Key Elements
• Visibility
• Identity and Access Control
• Workload Security
• Data Security
• Network Security
• Business Continuity/Disaster Recovery
• Audit
• Evolving Cloud Technologies/Services
• Compliance
82% of Enterprises Still Want Multi-Cloud
Enterprise Cloud Strategy (1000+ employees):
• Hybrid cloud 55%
• Multiple public 16%
• Multiple private 11%
• Single public 9%
• Single private 6%
• No plans 3%
Multi-Cloud (hybrid + multiple public + multiple private): 82%
Source: RightScale 2016 State of the Cloud Report
Lack of Resources/Expertise is Now #1 Challenge, Not Security
Cloud Challenges 2016 vs. 2015 (percentage of respondents rating each a significant challenge)
Challenge                                  2016   2015
Performance                                15%    17%
Governance/control                         23%    23%
Complexity of building a private cloud     24%    26%
Managing costs                             26%    24%
Managing multiple cloud services           26%    25%
Compliance                                 26%    25%
Security                                   29%    28%
Lack of resources/expertise                32%    27%
Source: RightScale 2016 State of the Cloud Report
Central IT Concerns About Security Decline
Enterprise Central IT Rating Cloud Security as Significant Challenge: 47% (2014), 41% (2015), 37% (2016)
Source: RightScale 2016 State of the Cloud Report
Decentralized Cloud Management
Security Services (similar but different capabilities)
Security Features              AWS   Azure   Google
IAM                            ✔     ✔       ✔
Encryption in DBaaS            ✔     ✔       ✔
Key Management as a Service    ✔     ✔       ✔ (beta)
Hardware Key Modules (HSMs)    ✔     ✔
Security Assessment            ✔     ✔       ✔
Configuration Governance       ✔     ✔
Audit Trails                   ✔     ✔       ✔
DDoS Protection / WAF          ✔     ✔       ✔
Plan for a Cloud Security Ecosystem
[Diagram: Cloud Security Ecosystem under the Shared Responsibility Model, with four parties: Cloud Provider, Enterprise, RightScale, 3rd Party Vendors]
• CMDB
• SIEM / Logging / Auditing
• IdP
• Configuration Management
• Orchestration Workflows
• Web Application Firewalls
• File-Integrity Monitoring
• Continuous Integration
• Source Code Repositories
VISIBILITY
You Can’t Control What You Can’t See
Visibility
• Can you see all your cloud accounts and instances?
• Connect to all your clouds
• Gain visibility to all your accounts
Many Accounts Across Clouds
[Diagram: many separate accounts per cloud across AWS, Azure, Google, CloudStack, OpenStack, vSphere]
RightScale: Multi-Cloud Visibility
Single pane of glass
• Multi-cloud access
• Public clouds
• Private clouds
• Virtualized
• Control access
• Standardize configuration
• Patch and update
• Audit trails
[Diagram: one console across AWS, Azure, Google, CloudStack, OpenStack, vSphere]
IAM
Considerations for IAM
1) What directory services solution are you using to store your users’ identities? AD or LDAP
2) How will you federate the users’ identities? SAML, WS-Fed, OAuth, OpenID? 3rd party IdP (Okta, OneLogin, Ping Identity, etc.) or ADFS? 2FA or MFA?
3) Need to address User Authentication, Authorization, Account Management, Auditing/Logging
4) IAM integrations accomplished through identity mappings, grafts and tie-ins
• Microsoft Active Directory
  • commercial directory services leader
  • over 90% market share
• LDAP
RightScale Multi-Cloud Access Controls
What you get:
• SAML / SSO integration
• RBAC: 10 specific roles definable at the user level (http://docs.rightscale.com/cm/ref/user_roles.html)
• Hierarchical organization of accounts
• Aggregate accounts across clouds
• Security and Governance: standardized, repeatable and consistent process for Authentication, Authorization, Account Management, Auditing/Logging
[Diagram: SAML-linked users]
WORKLOAD SECURITY
Workload Security: From Rogue to Policy-Based
Enforce Policies
• Catalog of templates that meet corporate standards
• Configured to your security requirements
• Define which clouds can be used
• Control user options and choices
• Orchestrate and automate deployment and operations
[Diagram: from basic instances to stacks for Dev or Prod applications]
Standardize Server Configurations
Standardization
• Automate provisioning and configuration
• Version-controlled
• Follow standards for versions, patches and configuration
• Leverage a variety of scripting languages
• Modular and auditable
• Define Security Configuration Baselines
[Diagram: Multi-Cloud Image + Configuration Scripts + Containers deployed to AWS, Azure, Google, CloudStack, OpenStack, vSphere]
Standardize System Configurations
[Diagram: DNS in front of Load Balancers and App Servers, Master DB replicating to Slave DB]
Configure a system: Cloud Application Template (CAT)
Configure a server:
• ServerTemplates (portable)
• Docker container (portable)
• AMI
• CloudFormation
• VM template
Patch and Update
Increase IT efficiency
o Bring your own configuration management
o Clone existing architectures
o Updates and patches
o Monitor and alert
o Auto-scale up and down
o Keep templates patched
o Test patches/updates in the lower tier environments first, e.g. test, dev or QA environments
Key Management
• Ownership and management of keys is different in cloud
• Shared model
  • Fully maintained and managed by the cloud provider
  • BYOK
  • Hardware Security Modules
    • On-premise
    • Cloud services (AWS, Azure)
• SSH Key Management
  • RightScale Key Management
  • Manage your own SSH key pair
• Key Management Issues and Challenges in Cloud Services
  • NISTIR 7956 http://ws680.nist.gov/publication/get_pdf.cfm?pub_id=914304
DATA SECURITY
Data Security
Compliance Requirements
• PCI E-Commerce
• HIPAA / PHI / 21CFR11
• NPI / PII
• FTI IRS PUB1075
• MPAA
• Access Controls
  • MFA / 2FA used for Authentication
  • RBAC
  • Auditing / Logging
• Data Classification / Data Types
• Data Encryption
  • Data-in-transit and Data-at-rest
  • In process: DEPENDS
• Segregate workloads
• Do read and understand the Cloud Provider’s
  • Terms and Agreements
  • Data Privacy / Data residency policies
  • Review their security documents
Data Residency with a Global Cloud Platform
[Map of cloud locations]
Public Clouds: Amazon Web Services, Google Cloud Platform, IBM SoftLayer, Rackspace, Windows Azure
Private Clouds: CloudStack, OpenStack, vSphere
Locations shown: Singapore, Hong Kong, Japan, Texas, DC Area, SF Area, Seattle, Chicago, Dublin, London, Amsterdam, Oregon, São Paulo, Midwest, Beijing, Sydney, W Europe, Melbourne, Toronto, Mexico City, Taiwan
NETWORK SECURITY
Securely Connecting to Cloud
• HTTPS / TLS
• SSL: should not be used, as SSL has been deprecated
• Direct Connections
• VPN (IPsec)
Direct Connection Options
• AWS Direct Connect
• Azure ExpressRoute
• Google Carrier Interconnect
• SoftLayer Direct Link
[Diagram: customer cage connected to the AWS cage via AWS Direct Connect, and to the Azure cage via Azure ExpressRoute]
Secure Connections to RightScale Platform
IPsec VPN examples: API calls to RightScale over a private VPN connection
[Diagram: Companyx Facility (n), Companyx Facility (n+1) and a Companyx VPC network with an Amazon AWS VPN gateway, each connecting to a RightScale VPN endpoint in Region1 and Region2]
Network Visibility
Comply with policies
• Quickly Audit Security Groups
• Interactive Network Visualization
• Maintain Security and Compliance
BUSINESS CONTINUITY & DISASTER RECOVERY
SLAs by Cloud
Service Level Description        AWS                    Azure                  Google                            SoftLayer
Uptime SLA                       99.95%                 99.95%                 99.95%                            100%
Max SLA Credit on monthly bill   30%                    25%                    50%                               5% per 30 minutes downtime
Downtime Calculation             Any minutes downtime   Any minutes downtime   5+ consecutive minutes downtime   30+ consecutive minutes downtime
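The downtime rules in the table give different answers for the same month of outages, which matters when deciding whether a cross-cloud DR design is justified. The following is an added example (not RightScale's code) that applies the four rules as the table states them to a constructed list of outage lengths; a 30-day month is assumed, and the providers' full SLA documents carry conditions the table does not list.

```python
"""Counted downtime and SLA status for one month of outages under the four
downtime rules in the table above. Added example, not RightScale's code;
a 30-day month and the rules exactly as the table states them are assumed."""

MINUTES_PER_MONTH = 30 * 24 * 60  # assumption: 30-day billing month

# Uptime commitment and the minimum length, in consecutive minutes, that an
# outage must reach before its minutes count as downtime (1 == "any minutes").
SLA_RULES = {
    "AWS":       {"uptime_pct": 99.95, "min_consecutive_min": 1},
    "Azure":     {"uptime_pct": 99.95, "min_consecutive_min": 1},
    "Google":    {"uptime_pct": 99.95, "min_consecutive_min": 5},
    "SoftLayer": {"uptime_pct": 100.0, "min_consecutive_min": 30},
}


def counted_downtime(outage_lengths_min, min_consecutive_min):
    """Minutes that count as downtime: only outages at or above the threshold."""
    return sum(m for m in outage_lengths_min if m >= min_consecutive_min)


def uptime_percent(outage_lengths_min, min_consecutive_min,
                   total_min=MINUTES_PER_MONTH):
    """Uptime over the month after the provider's counting rule is applied."""
    down = counted_downtime(outage_lengths_min, min_consecutive_min)
    return 100.0 * (total_min - down) / total_min


def sla_breached(provider, outage_lengths_min):
    """True when counted uptime falls below the provider's commitment."""
    rule = SLA_RULES[provider]
    return uptime_percent(outage_lengths_min,
                          rule["min_consecutive_min"]) < rule["uptime_pct"]


def evaluate_month(outage_lengths_min):
    """Per-provider summary for the same list of outages."""
    report = {}
    for provider, rule in SLA_RULES.items():
        threshold = rule["min_consecutive_min"]
        report[provider] = {
            "counted_downtime_min": counted_downtime(outage_lengths_min, threshold),
            "uptime_pct": round(uptime_percent(outage_lengths_min, threshold), 4),
            "breached": sla_breached(provider, outage_lengths_min),
        }
    return report


# Constructed month: eight 3-minute blips (e.g. from rolling restarts) and one
# 20-minute outage. 99.95% of a 30-day month allows 21.6 minutes of downtime,
# so the blips decide the outcome wherever "any minutes" count.
SAMPLE_OUTAGES_MIN = [3] * 8 + [20]

if __name__ == "__main__":
    for provider, summary in evaluate_month(SAMPLE_OUTAGES_MIN).items():
        print(f"{provider:10} counted={summary['counted_downtime_min']:3d} min "
              f"uptime={summary['uptime_pct']:.4f}% breached={summary['breached']}")
```

With the sample month, AWS and Azure count all 44 minutes and are below 99.95%, Google counts only the 20-minute outage and stays above it, and SoftLayer counts nothing because no outage reached 30 consecutive minutes.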
Implement DR Architectures for your Apps
Architect for SLAs
• HA/DR reference architectures
• Cross-region and cross-cloud
• Auto-scale to meet demand
• Hybrid cloudbursting
• Monitor and automate failover
• Hot, warm, and cold DR scenarios
[Diagram: DNS in front of a PRIMARY site (Load Balancers, App Servers, Master DB with a local Slave DB) replicating to a WARM DR site (Load Balancers, App Servers, Slave DB)]
Outage-Proof with Independent Control Plane
Ensure availability
o Separate management plane from cloud and cloud applications
o RightScale platform is fully redundant
o Automate failover processes for hot, warm or cold DR
AUDIT
Multi-Cloud Logging and Audit Trails
Approach:
• Feed audit trails from individual clouds to SIEM
• Feed audit trails from CMP to SIEM
• Feed audit trails from instances / servers to SIEM
[Diagram: each Cloud and the Cloud Management Platform feeding a SIEM or Centralized Logging Facility; audit entries are exportable via an API]
Gain Visibility with Audit Trails
Ensure compliance
o See who changed what and when
o Provide audit logs and reports to satisfy regulators
o Available via API to integrate with other systems
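Feeding several clouds' audit trails into one SIEM only answers "who changed what and when" once each provider's record shape has been mapped to a common one. The following is an added example (not RightScale's code) covering both slides above: it normalizes one constructed AWS CloudTrail, Azure Activity Log and Google Cloud Audit Log record each into a single event shape, orders them into one timeline, and flags the network-exposure changes. The records are constructed and trimmed to the fields used, and the list of flagged operation names is an assumption for illustration.

```python
"""Normalize constructed AWS CloudTrail, Azure Activity Log and Google Cloud
Audit Log records into one 'who changed what and when' event shape, the step
a SIEM feed performs before events from several clouds can be searched
together. Added example, not RightScale's code; records are constructed."""
import json
from datetime import datetime, timezone

# --- constructed sample records, one per provider (trimmed) ---
CLOUDTRAIL_RECORD = json.dumps({
    "eventTime": "2017-01-10T14:03:11Z",
    "eventSource": "ec2.amazonaws.com",
    "eventName": "AuthorizeSecurityGroupIngress",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "203.0.113.10",
    "userIdentity": {"type": "IAMUser", "userName": "alice"},
    "requestParameters": {"groupId": "sg-0123456789abcdef0"},
})
AZURE_ACTIVITY_RECORD = json.dumps({
    "eventTimestamp": "2017-01-10T14:05:42.123Z",
    "operationName": {"value": "Microsoft.Network/networkSecurityGroups/securityRules/write"},
    "caller": "bob@example.com",
    "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg1"
                  "/providers/Microsoft.Network/networkSecurityGroups/nsg1/securityRules/allow-ssh",
    "status": {"value": "Succeeded"},
})
GCP_AUDIT_RECORD = json.dumps({
    "timestamp": "2017-01-10T14:07:05.000Z",
    "protoPayload": {
        "serviceName": "compute.googleapis.com",
        "methodName": "v1.compute.firewalls.insert",
        "authenticationInfo": {"principalEmail": "carol@example.com"},
        "resourceName": "projects/demo-project/global/firewalls/allow-all",
        "requestMetadata": {"callerIp": "198.51.100.7"},
    },
})

# Operation-name fragments treated as changes to network exposure.
# Assumed list for the example; extend per environment.
NETWORK_EXPOSURE_ACTIONS = (
    "AuthorizeSecurityGroupIngress",
    "networkSecurityGroups/securityRules/write",
    "compute.firewalls.insert",
    "compute.firewalls.patch",
)


def _utc(ts):
    """Parse RFC 3339 timestamps ('Z' suffix or fractional seconds) to aware UTC."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)


def normalize(raw_json, cloud):
    """Map one provider record to {time, cloud, actor, action, target, source_ip}."""
    rec = json.loads(raw_json)
    if cloud == "aws":
        ident = rec.get("userIdentity", {})
        params = rec.get("requestParameters") or {}
        return {
            "time": _utc(rec["eventTime"]), "cloud": "aws",
            "actor": ident.get("userName") or ident.get("arn") or ident.get("type", "unknown"),
            "action": f'{rec["eventSource"]}:{rec["eventName"]}',
            "target": ",".join(str(v) for v in params.values()) or rec.get("awsRegion", ""),
            "source_ip": rec.get("sourceIPAddress"),
        }
    if cloud == "azure":
        return {
            "time": _utc(rec["eventTimestamp"]), "cloud": "azure",
            "actor": rec.get("caller", "unknown"),
            "action": rec["operationName"]["value"],
            "target": rec.get("resourceId", ""),
            "source_ip": None,  # not carried in this trimmed record
        }
    if cloud == "gcp":
        payload = rec["protoPayload"]
        return {
            "time": _utc(rec["timestamp"]), "cloud": "gcp",
            "actor": payload.get("authenticationInfo", {}).get("principalEmail", "unknown"),
            "action": f'{payload["serviceName"]}:{payload["methodName"]}',
            "target": payload.get("resourceName", ""),
            "source_ip": payload.get("requestMetadata", {}).get("callerIp"),
        }
    raise ValueError(f"unknown cloud: {cloud}")


def is_network_exposure_change(event):
    """True when the normalized action matches one of the flagged operations."""
    return any(marker in event["action"] for marker in NETWORK_EXPOSURE_ACTIONS)


def build_timeline(records):
    """records: iterable of (raw_json, cloud). Returns events sorted by time."""
    return sorted((normalize(raw, cloud) for raw, cloud in records), key=lambda e: e["time"])


SAMPLE_FEED = [(CLOUDTRAIL_RECORD, "aws"), (GCP_AUDIT_RECORD, "gcp"), (AZURE_ACTIVITY_RECORD, "azure")]

if __name__ == "__main__":
    for ev in build_timeline(SAMPLE_FEED):
        flag = "NETWORK-CHANGE" if is_network_exposure_change(ev) else ""
        print(f'{ev["time"].isoformat()} {ev["cloud"]:5} {ev["actor"]:18} '
              f'{ev["action"]} -> {ev["target"]} {flag}')
```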
EVOLVING CLOUD TECHNOLOGIES/SERVICES
Function-as-a-Service / Serverless
[Diagram: shared responsibility in IaaS vs. FaaS. In IaaS the cloud provider is responsible for x86, storage, networking, compute, virtualization and the hypervisor, while you are responsible for the OS and the App (your business logic is in your Apps). In FaaS the provider also takes the operating system, so you focus on your business logic in functions (<Fn>).]
Microservices
• API Gateway
• Lambda Functions
• IAM
• IdP for Authentication
• SAML Token
• Authorization
• Auditing/Logging
[Diagram, steps 1 to 4: Client-side/front-end App, RESTful API/backend services, SAML IdP, AWS IAM Security Token Service, AWS CloudWatch]
COMPLIANCE
Cloud Provider Certifications Matrix
Certification             AWS   Azure   Google   SoftLayer
PCI DSS                   ✔     ✔       ✔        ✔
HIPAA                     ✔     ✔       ✔        ✔
SSAE16 SOC1 (Type II)     ✔     ✔       ✔        ✔
SSAE16 SOC2 (Type II)     ✔     ✔       ✔        ✔
SSAE16 SOC3 (Type II)     ✔     ✔       ✔        ✔
ISO 27001                 ✔     ✔       ✔        ✔
ISO 27017                 ✔     ✔       ✔        ✔
ISO 27018                 ✔     ✔       ✔        ✔
FedRAMP                   ✔ ✔ ✔
FISMA                     ✔     ✔       ✔        ✔
Questions?
• RightScale Certifications / Compliance
  • SSAE16 SOC1 and SOC2 Type 2 Reports of Compliance
  • PCI DSS SAQ A-EP v3.2 Compliant for our E-commerce systems
  • EU Privacy Shield (pending)
• State of the Cloud Report
  • www.rightscale.com/2016-cloud-report
• Private and Hybrid Cloud Whitepaper
  • www.rightscale.com/private-hybrid-cloud-whitepaper
EXTRAS
Integrating IAM
Challenges
• Difficult to implement, manage, and support
• Difficult to scale and/or extend to other CSPs
• No direct coupling between AD and AWS IAM
[Diagram, steps 1 to 7: in Your Environment, AD (group memberships AWS-Production and AWS-DEV; a user object attribute listing accounts 123456789012 and 111122223333), SQL and ADFS, sending SAML to AWS STS. In AWS, accounts 123456789012 and 111122223333 hold IAM roles ADFS-Production and ADFS-DEV; accounts 777788889999 and 444455556666 hold IAM role ADFS-DEV.]
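The diagram's "identity mapping" is the piece that has to be built by hand because AD and AWS IAM are not directly coupled. The following is an added example (not RightScale's, Microsoft's or AWS's code) that derives a user's AWS role entitlements from the two AD-side inputs the diagram shows: group membership selects the IAM role name, and a user object attribute lists the accounts the user may enter. The account IDs are the placeholder values from the slide; the SAML provider name "ADFS", the role-existence table and the function names are assumptions.

```python
"""Derive the AWS SAML role entitlements for a federated user from the AD-side
data in the diagram above. Added example, not RightScale's, Microsoft's or
AWS's code; account IDs are the slide's placeholders, the SAML provider name
and the per-account role table are assumptions."""
import re

SAML_PROVIDER_NAME = "ADFS"  # assumed name of the SAML provider registered in each account

# AD group -> IAM role name (from the slide).
GROUP_TO_ROLE = {
    "AWS-Production": "ADFS-Production",
    "AWS-DEV": "ADFS-DEV",
}

# Roles that exist per account, as drawn: two accounts carry both roles,
# two carry only ADFS-DEV. Constructed from the diagram.
ROLES_IN_ACCOUNT = {
    "123456789012": {"ADFS-Production", "ADFS-DEV"},
    "111122223333": {"ADFS-Production", "ADFS-DEV"},
    "777788889999": {"ADFS-DEV"},
    "444455556666": {"ADFS-DEV"},
}

ACCOUNT_ID = re.compile(r"^\d{12}$")  # AWS account IDs are 12 digits


def role_pair(account_id, role_name):
    """The 'role ARN,provider ARN' value AWS expects in the SAML Role attribute."""
    return (f"arn:aws:iam::{account_id}:role/{role_name},"
            f"arn:aws:iam::{account_id}:saml-provider/{SAML_PROVIDER_NAME}")


def role_claims(ad_groups, account_attribute_values):
    """Role attribute values the user is entitled to.

    A pair is emitted only for accounts named in the user's attribute AND for
    roles that both map from one of the user's groups and exist in that
    account, so a Production group member gets nothing in an account that has
    no Production role. Malformed or unknown account IDs are skipped."""
    roles = {GROUP_TO_ROLE[g] for g in ad_groups if g in GROUP_TO_ROLE}
    claims = []
    for account_id in account_attribute_values:
        if not ACCOUNT_ID.match(account_id) or account_id not in ROLES_IN_ACCOUNT:
            continue
        for role in sorted(roles & ROLES_IN_ACCOUNT[account_id]):
            claims.append(role_pair(account_id, role))
    return claims


def saml_attributes(upn, ad_groups, account_attribute_values, session_hours=1):
    """Attribute set for the assertion sent to AWS STS (attribute names are AWS's)."""
    return {
        "https://aws.amazon.com/SAML/Attributes/Role":
            role_claims(ad_groups, account_attribute_values),
        "https://aws.amazon.com/SAML/Attributes/RoleSessionName": upn,
        "https://aws.amazon.com/SAML/Attributes/SessionDuration": str(session_hours * 3600),
    }


# Constructed user matching the slide: member of both groups, attribute lists two accounts.
SAMPLE_USER = {
    "upn": "jdoe@example.com",
    "groups": ["Domain Users", "AWS-Production", "AWS-DEV"],
    "accounts": ["123456789012", "111122223333"],
}

if __name__ == "__main__":
    for pair in role_claims(SAMPLE_USER["groups"], SAMPLE_USER["accounts"]):
        print(pair)
```

In a live deployment this logic lives in ADFS claim rules, and the attribute and group names must be treated as the authorization boundary: whoever can write them grants AWS access.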
Key Management
• Asymmetric keys private/public
• Key Management
  • NISTIR 7966 http://tinyurl.com/lhtujnv
• Key storage options
  • Key Management-as-a-Service
    • AWS, Azure
    • Multi-tenant
  • Hardware Security Modules
    • On-premise
    • Cloud services (AWS)
  • RightScale
• Encryption of keys: MUST
Data Residency: Impact of Safe Harbor
• Data privacy legislation differs around the world
• Evaluate encryption options where you manage the keys (a la Amazon Aurora) so the vendor can’t hand over data in case of a subpoena
• What is the CSP’s data retention period?
• What country is the CSP headquartered in?
• Which jurisdiction covers the contract between you and the CSP?
What Audit Tools by Provider?
o AWS CloudTrail
o Azure Diagnostics
o Google Cloud Logging (beta)
o SoftLayer Audit Trails