© 2013 CloudPassage Inc.
Integrating Security Into DevOps
Rand Wacker
VP Products
@randwacker
Tatiana Slater
Community Manager
@Turbo_Tats

Agenda for Today
• DevOps & Security – BFFs?
• Critical components of application security
• CloudPassage Halo Overview
• Halo Security API Toolbox
• FREE Developer Access

Integrating Security Into DevOps: Automation Is Your Only Hope

Why DevOps Loves Cloud

Why DevOps Hates Security
[Diagram: load balancers, auth server, app servers and databases in DMZ and core zones separated by firewalls. Callouts: “Waiting for Server Provisioning…”, “Delays in Firewall Updates…”]
Typically 6 weeks to tip up a new server

Poll: Security Concerns
• What is your primary concern about securing cloud applications and infrastructure?
– Will slow down our pace of development/innovation
– Will cost too much
– We don’t have the expertise to do it
– No concerns, we are actively working to secure them

Cloud Complicates Security

Where Do Existing Solutions Fail?
[Diagram: Private Datacenter (www-1, www-2, www-3), Cloud Provider A (www-4, www-5, www-6), Cloud Provider B (www-7, www-8, www-9, www-10)]
• No Network or Hypervisor Access
• Multiple Cloud Environments
• Metered Utility Usage
• Temporary & Elastic Deployments

Organizational Ostracism
IT Operations
DevOps
Security Operations

Critical Components of Application and Stack Security

Shared Responsibility Model
“…the customer should assume responsibility and management of, but not limited to, the guest operating system.. and associated application software...”
“…it is possible for customers to enhance security and/or meet more stringent compliance requirements with the addition of host based firewalls, host based intrusion detection/prevention, encryption and key management.”
Amazon Web Services: Overview of Security Processes
AWS Shared Responsibility Model
Customer Responsibility: Virtual Machine (Data, App Code, App Framework, Operating System)
Provider Responsibility: Physical Facilities, Hypervisor, Compute & Storage, Shared Network

Securing Cloud Applications
Whether in a private datacenter or a public cloud, server security is your responsibility, so know your security business drivers:
Compliance :: Continuity :: Brand
Architect your service to solve these problems in public, private, and hybrid deployments, specifically:
• Perimeter & Access Control
• Server Integrity & Intrusion Detection

Secure the VM, Secure the App
Virtual Machine:
• FW: Provision host-based firewalls (inbound and outbound)
• Data: Track sensitive data and prevent egress
• App Code: Continuously verify application code is current and un-tampered
• App Framework: Ensure application stacks are up-to-date and locked down
• Operating System: Secure the OS services and configurations
Automate, Automate, Automate

Cloud Complicates Security
• Cloud app architecture is different in more ways than just being highly virtualized
– Short image lifecycle, auto-scaling, “pets vs cattle”
• Traditional security approaches ill-suited to self-service, automated deployments
• Security orgs traditionally separate from Dev/Ops teams
Security must move at speed of cloud: automated, self-service, metered

Poll: Org Responsibility
• Who in your organization is responsible for securing cloud infrastructure?
– Cloud provider
– DevOps/application team
– IT / central security team
– We’re not securing our cloud infrastructure today

New Approach: Security-as-a-Service

How To Secure Cloud Apps
Systems in IaaS/PaaS clouds must be self-defending with highly automated controls like…
• Dynamic network access control
• Configuration and package security
• Account visibility & control
• Compromise & intrusion alerting
• Forensics and security analytics
• Integration & automation capabilities

Separate Security Controls
[Diagram: Virtual Machine stack (Data, App Code, App Framework, OS) with host firewall (FW); DevOps; SecOps]
The days of perimeter-only defenses are over!

Integrate & Automate
[Diagram: CloudPassage Halo Compute Grid; servers www-1, www-2, www-3 and www-4, each labelled Halo; DevOps Automation; Security Monitoring]

CloudPassage Halo Overview

CloudPassage Halo Security Platform
• Server Account Management
• Security Event Alerting
• File Integrity Monitoring
• REST API Integrations
• Cloud Firewall Automation
• System & Application Config Security
• Multi-Factor Authentication
• Vulnerability & Patch Scanning
Purpose-built for clouds, metered SaaS delivery, transparent operation anywhere

Basic Halo Architecture
Halo Daemon
• Ultra light-weight agent
• Installed on server images
• Automatically provisioned
Halo Grid
• Elastic compute grid
• Hosted by CloudPassage
• Diverts 95% or more of analytics cycles from VM daemons

[Diagram: servers www-1, mysql-1 and bigdata-1 in a cloud or data center, each running Halo; CloudPassage Halo Compute Grid; User Portal; RESTful API Gateway; links labelled “https” and “Policies, Commands, Reports”]
• Web UI + REST API
• Light-weight agent
• Grid performs analytics
• SaaS delivery

Designed for Portability
Single pane of glass across cloud deployments
• Scales and bursts with dynamic cloud environments
• Not dependent on chokepoints, static networks or fixed IPs
• Agnostic to location, hypervisor or hardware
[Diagram: “Consistent Security Controls” over public cloud, private cloud, and virtualized or bare metal center]

Quick Halo Demo

We all love integration, right?
Introducing: Halo Security API Toolbox

Open Source Security Tools
• Security auditing / reporting
• Firewall management
• Forensic analysis
• Management / Orchestration (Chef, Puppet, RightScale)
• SIEM Integration (Splunk, SumoLogic, etc)
• Security dev+test
Find us now on GitHub: cloudpassage.com/toolbox

Imports Halo events into Splunk, Sumo Logic, or other logging / SIEM tools
[Diagram: CloudPassage Halo Compute Grid and servers www-1, www-2, www-3 and www-4, each labelled Halo]

Adds or removes IP addresses via API to an IP zone that is used in a Halo firewall policy
[Diagram: public cloud with a load balancer, two app servers and a DB master, each labelled Halo FW]

Easily sends the cryptographic checksum of a suspected compromised file to VirusTotal for comparison with other reported cases of known malware.

Want to contribute?
github.com/cloudpassage
Six-month free developer account

Free Developer Access
Halo Professional Developer Account
• Server integrity & Intrusion detection
• Firewall management & two-factor access
• Full API access
• 6 months free service for developer accounts
Available now: cloudpassage.com/OSCON

Wrapping Up

Summary
• Real application security is more than just firewalls, patches, and SSH
• In the new DevOps and cloud world, security responsibility is shared
• Security automation to maintain agility and self-service
These days, everyone is a target and security is everyone’s responsibility

Thank You!
Open Source Security Tools: cloudpassage.com/Toolbox
6 Months Free Halo Service: cloudpassage.com/OSCON
Discuss more: @cloudpassage #CloudSec


Editor's Notes

  • #20: JSON formatted, bi-directional
  • #29: For example, we’ve got the Halo Event Connector. We can detect a lot of security events with Halo through our Configuration Security Monitoring, File Integrity Monitoring and our Security Events module, and a lot of our customers need those to feed into tools that they use to manage logs across their environment. So, we wrote a script and some documentation to make that easier. We started with our direct partners, but the script can easily work with many other tools. We’ve made it available open-source so our customers can change it to fit their needs and integrate with whatever tool they need to use. https://support.cloudpassage.com/entries/22030408-Intro-to-the-Halo-API