Outpost24 webinar: cloud providers ate hosting companies' lunch, what's next? Security!
Download as PPTX, PDF0 likes384 views
The document discusses the implications of cloud adoption for security, highlighting the evolution of cloud service providers and their role in transforming security practices. It outlines the benefits of cloud and hybrid infrastructures, the importance of integrating various security tools, and the challenges posed by traditional security paradigms. Additionally, it provides a comparative analysis of security capabilities between AWS and Azure, emphasizing the necessity for continuous workload analytics and proactive security management.
Outpost24 webinar: cloud providers ate hosting companies' lunch, what's next? Security!
- 1. Cloud Providers ate hosting companies’ lunch, what’s next? Security! John Stock and Sergio Loureiro, Product Managers 1
- 2. Objective 2 • Short intro on Cloud (IaaS/PaaS) adoption • Overview of cloud provider’ security tools • How to build a SOC with cloud providers’ tools • Benefits and cost analysis for cloud and hybrid infrastructures • Action plan
- 3. Cloud Providers disrupted the hosting market 3 • These are technology companies • They have the expertise • Pay per use business model • Very fast innovation cycle • Tailored for DevOps
- 4. Reasons Security is next 4 Tackling challenges: • Security is main obstacle to cloud adoption • Shared responsibility is great but cloud providers get the headlines Increasing revenues: • Security is an upsell opportunity • Cloud providers already have your data, applications and virtual machines (trust?), so they leverage this • Don’t leave the console!
- 5. First headline back in 2011
- 6. Fast forward to 2018
- 7. Market success in spite of security FUD 7 source: https://www.rightscale.com/lp/state-of-the-cloud Customer Security Challenges - Assess a different kind of infrastructure - Time consuming permission process - Evaluate configurations for all instances and storage - Lack of expertise
- 8. DevOps paradigm shift helped • Ops were not agile enough for Dev • Infrastructure as code • APIs for everything • Need for automation • Value does not come from infrastructure
- 9. Growth of Container Adoption with DevOps Trend 9 DevOps advantages - Easy to package - Small teams - Scalability - Agility AWS and Azure have container services source: https://www.docker.com/what-container
- 10. Traditional Security is disrupted by Cloud • Shared responsibility • New layer of configuration (and misconfigurations) • Elasticity and Agile challenges • Changing IPs for VMs • License model • Cloud Shadow IT • New cloud services every week • APIs for everything publicly accessible
- 11. Overview of AWS and Azure security capabilities 11 AWS - Security Groups (firewall) - Trusted Advisor (high level) - Inspector (assessment) - Key Management Service - Identity and Access Management - Macie (DLP) - GuardDuty (threat detection) - Shield (DoS) - WAF (WAF) Azure - Azure Security Center - Security Groups (firewall) - Key Vault - Endpoint Protection - VM agent - …
- 12. Challenges with AWS and Azure? 2 different approaches 12 AWS: you put all security services together Azure: Security Center wants to be your SOC Google: Command Center me too (alpha)
- 13. IaaS Security = CSPM + CWSS + CWPP 13 • Cloud Security Posture Management • Cloud Workload Security Service • Cloud Workload Protection Platform Some features available on CASB (Cloud Access Security Brokers)
- 14. Cloud Controls - Top 3 Approaches Operations Hygiene Core CWPP Additional • CIS AWS benchmark • CIS Azure benchmark • CIS Docker benchmark • CIS Kubernetes bench.
- 15. CWPP Source: Gartner Market Guide to Cloud Workload Protection Platform 2017
- 16. Examples of CSPM: CIS AWS and CIS Azure Controls
- 17. Let’s draw a SOC for cloud assets 17 1. discovery of assets 2. workload security assessment + cloud configuration assessment 3. security automation for continuous assessment 4. protect, detect, respond, recover 5. extend to new kinds of assets
- 18. With Azure this means 18
- 19. With AWS this means 19 1. Slow start: Trusted Advisor 2. Agent: Inspector (limited set) 3. Log analysis: CloudWatch 4. Automation: CloudFormation, System Manager, Config, OpsWorks 5. Protection: GuardDuty
- 20. Quick features comparison 20 © 2018 Gartner, Inc.ID: 343562 Comparison of Cloud Console and Deployment Security GCP Stackdriver Logging (Cloud Security Command Center in Alpha Stage) AWS AWS CloudWatch, AWS CloudTrail AWS Guard Duty AWS Inspector AWS Trusted Advisor Azure Azure Monitor, Azure Operational Insights Advanced Threat Protection Azure Advisor Azure Security Center Visibility Tools Threat Protection Security Assessment Cloud Configuration Assessment Console and Deployment Security (Cloud Security Command Center in Alpha Stage) CSP Access Transparency AWS Organizations (Service Control Policies) Enterprisewide Policies and Constraints (Access Transparency in Beta Stage) Azure Management Groups © 2018 Gartner, Inc.ID: 343562 Comparison of Instance Security GCPAWS AWS Inspector AWS Systems Manager Azure Azure Security Center Microsoft Antimalware for Azure Update Management (Part of Azure Automation) Vulnerability Assessment Endpoint Protection Patch Management Instance Security Others comparison for Data Protection, Compliance, Logging/alerting, and Network: source Gartner Comparing Security Controls and Paradigms in AWS, Google Cloud Platform and Microsoft Azure
- 21. Let’s draw a SOC for a hybrid infrastructure 21 - 1st option: integrate your cloud SOC with legacy bare metal, virtualized or other cloud? - 2nd option: integrate your on premise SOC with cloud - This is a big difference between Azure and AWS: With Azure security center you can monitor non Azure assets (limited OS set)
- 22. Cost depends on where your data center of gravity is • Cloud in most use cases boils down to outbound bandwidth consumption • Storage and compute are cheap • Cloud security services have a price tag (free tiers are limited, Azure is simple) • Pricing models, e.g. pay per use vs licenses can play too • Example of AWS Inspector for vulnerability assessment • Migration costs Questions • Where are your data sources? • And your security requirements?
- 23. Simplifying SOC -> SIEM -> Logs -> Bandwidth AWS up to 10 TB Azure up to 10TB $0.087
- 24. Benefits analysis Pros cloud tools • Cloud tools are deeply integrated • Automation Cons cloud tools • Lock in risk (migrating data out of AWS and Azure will cost money) • Hybrid setups (not supported by AWS, 2 SOCs?)
- 25. The way forward
- 26. 1. Integration of tools – Get everything together • Do your cost analysis • Compare traditional security features for CWPP (competition for lunch) • Marketplace tools are available • Deployment model • For CSPM start by CIS benchmarks: AWS, Azure, Docker and Kubernetes • Do an assessment now!
- 27. 2. Continuous Workload Analytics – Shift left • DevOps is changing when, who and how security management is done • Using the IaaS Provider or Hypervisors APIs to integrate • Auto-discovery for elastic scenarios, zero configuration • Integration on CI/CD setups for DevOps, containers • Real-time alerts on configuration issues
- 28. 3. Extend to new cloud services PaaS – Off the beaten track • API discovery and check best practices for every service • Not always possible to install agents • Serverless or FaaS • No best practices available
- 29. Conclusion • Great to have more choice, innovation by cloud providers is welcome • Integrated tools are better, don’t have to manage several point solutions • Lock-in risk = cost you a lot to move data out • Data sovereignty risk / compliance • Hybrid use case is challenging for cloud providers
- 30. Full Stack Cyber Risk Assessment 30 Combines all 3 into one solution Vulnerability Management identifies vulnerabilities Application Security evaluates applications Cloud & Container Security assesses configurations and workloads
- 31. Supporting Material • EWP web: https://outpost24.com/cloud-security • EWP white paper - https://marketing.outpost24.com/cloud-security-whitepaper • AWS best practices white paper - https://marketing.outpost24.com/aws-security- whitepaper Looking for more? • CIS benchmarks for Amazon AWS 1.2.0 and Microsoft Azure 1.0.0 • Gartner Cloud Workload Protection Platform (CWPP) research • Cloud Security Alliance Security Guidance version 4
- 32. Q & A
- 33. Use Case with AWS Elastic Map Reduce (EMR)
- 34. Use Case with AWS Elastic Map Reduce (EMR)
- 35. Use Case with AWS Elastic Map Reduce (EMR)
Editor's Notes
- #2: Bio: PhD, 20 years on security, founder of SecludIt and CSA
- #4: Back in 2009 when I started using AWS, a lot of people did not believe that they could create a new market (IaaS) and disrupt the hosting market. Well, now we have the numbers. The flexibility, agility and cost reduction are advantages that our customers keep telling us. IaaS has been an enabler for innovation and AWS and Azure have been very successful so far.
- #6: Proud to be one of the first to put AWS on the headlines, but a lot of vulnerabilities we’ve found concerned misconfigurations by enterprises using AWS, such as leaving private data in public virtual machines (22%) We’ve published a paper, the results are a bit old but the recommendations still apply.
- #7: Examples of customer misconfigurations putting AWS in the headlines, the low hanging fruit is usually S3 buckets with open permissions
- #8: Let’s stay out of the headlines and the FUD. So, IaaS is a great value proposition. On the other hand, let’s focus on the customer security challenges to be addressed.
- #9: In parallel, we have been assisting to other wave of innovation around DevOps. And cloud has enabled Dev to address Ops in a more agile way.
- #10: Cloud providers have been fueling all these new technological trends and transforming infrastructure in a commodity. And that’s way they are moving from IaaS to PaaS and other opportunities such as security.
- #11: We have reviewed some of the trends beyond AWS and Azure success and why the cloud providers are now starting to provide security tools. On the other hand, traditional security is disrupted by cloud Misconfiguration will give access to data, every service can give access to your data Just a short screenshot of Storage and Database options on AWS. There are many options and each one has a set of security best practices. New security challenges for traditional solutions to be elastic and agile And API bring added attack surface.
- #12: AWS and Azure are entering the security market with a bunch of tools with fancy names. I do not have time to go into details on each one, I’ll focus more on workload security and configuration assessment (not network security, data security or compliance) Most part of times these tools have less features but are deeply integrated and fully automated.
- #13: From a customer perspective what are the challenges? AWS: more flexible, more mature tools but you’ve to construct everything and one price and pricing model per feature. For instance inspector is per #VMs and #assessments Azure : everything integrated in the azure security center, hybrid as well and one bundled price for everything. Of course you can get your puzzle wrong but the frame is there with Azure.
- #14: Let’s step back and highlight the requirements for our SOC cloud. According to Gartner you need to take care of 3 things for full stack security. We have been talking a lot about misconfigurations and that’s what the CSPM market is about. Helping customers get their cloud configurations right. CWSS you have to check the configurations, example of your firewalls. And with the shared responsibility model, you are still responsible for the workloads.
- #15: What does that means? The 3 approaches Gartner covers the Core workload protection strategies CIS addresses benchmarks for CSPM To go deeper there is extensive research about cloud security CSA covers Essential characteristics, PaaS and IaaS service models, and Public-Private-Hybrid deployment models Outpost24 acquired SecludIT in January 2018, a cloud security pioneer and founding member of CSA
- #16: Zooming into the pyramid CWPP from Gartner Critical stuff in the bottom of the pyramid AWS and Azure have some solutions for each of these layers.
- #17: Here are some examples of controls of CIS AWS and CIS Azure AWS and Azure do not implement everything
- #18: Getting a more concrete Following the NIST framework, let’s now focus on how to build a First procedure one-shot, then automation
- #19: So, you have to subscribe to the standard tier that has all this. Basically you pay 14.6 dollars for each server per month and that’s all, databases and app services have a price too. Once you’ve done this you have a dashboard with all the categories. Easy and while a lot of features are still in preview this gives us the azure vision. You’ve hygiene that corresponds to CSPM and then threat protection and cloud defense for your workloads. With alerts, metrics.
- #20: Remember the puzzle, with AWS is up to you to build your SOC among these tools. So more flexible and more generic services (not only security) but customers have to build it. I tried to give a plan step by step to help. Trusted advisor is very simple, covers more than security, limited Inspector run on some OS https://docs.aws.amazon.com/inspector/latest/userguide/inspector_supported_os_regions.html, for example 4 windows servers Different pricing models: trusted advisor premium on premium support plans, inspector per agent – assessment, https://aws.amazon.com/inspector/pricing/ Cloudwatch depends on #metrics, #alarms, size of logs, Api, dashborads, #events Guardduty depends on VPC flow log and DNS log analysis and AWS Cloudtrail event analysis ?!
- #21: If you are interest in features comparison and maybe considering Google, Gartner has a long study. I’ve been focusing on configuration assessment and workload assessment, so this boils down to the console and instance security No big differences between Azure and AWS, the antimalware and the non-azure assets that can be monitored. Google is lagging but data tools seems very promising
- #22: Sometimes enterprises have legacy
- #23: I know that not everybody agrees with the storage and compute being cheap, but having managed a small datacenter before and taking into account all the costs and specially if you have elastic consumption With AWS is harder to make a cost analysis Compliance requirements and data sovereignty are important factors that I did not tackle but with regions and data security tools today is possible to address these
- #24: To give you a starting point on the cost analysis and doing a big simplification Inside can make a difference AWS can be hard to estimate outside bandwidth
- #25: Security vendors like us will also put the TTP as a con. You’re not buying a anti-virus from Microsoft to protect Microsoft workloads right? Cost planning with AWS is hard
- #27: Strange thing from AWS and Azure there is no straightforward way to assess for CIS AWS or Azure Agents vs Virtual appliances for Azure and AWS for private workloads (data storage)
- #28: Automation SecDevOps DevOps use case - application security
- #29: It is important to choose a security vendor that follows and adapt to new cloud services. API vs not API checks Full stack CSA Refer to our inclusion on the Gartner report on securing serverless PaaS AWS Lambda started in 2014
- #30: Data sovereignty scenarios, data do not leave customer premises - Regional or country-specific clouds, data never leaves customer cloud account, etc. New services not always covered, speed of innovation vs speed of security
- #31: Focus on identify -> measure / KPIs Support hybrid infra Full stack Orchestration and integration CI/CD possible by API Virtual appliances available for Azure and AWS for private assets (data sovereignty scenarios) Managed Services, Snapshot and Professional Services plans available
- #33: 3 backup questions: -where to start? -it seems that azure has a better approach, what do you think? -devops shift left in all this? Serverless? -I’m migrating to cloud. Most part of my data is on prem but this will change. I did not find the answer to my case?
- #34: Data sovereignty scenarios, data do not leave customer premises - Regional or country-specific clouds, data never leaves customer cloud account, etc.
- #35: Data sovereignty scenarios, data do not leave customer premises - Regional or country-specific clouds, data never leaves customer cloud account, etc.
- #36: Data sovereignty scenarios, data do not leave customer premises - Regional or country-specific clouds, data never leaves customer cloud account, etc.