Network Security Requirements and Solutions

Transcription

1 Critical Criteria For (Cloud) Workload Security Steve Armendariz Enterprise Sales Director CloudPassage October 3, #NTXISSACSC3

2 Does anyone remember when server security was EASY? NTX ISSA Cyber Security Conference October 2-3, #NTXISSACSC3 2

3 Times have changed! NTX ISSA Cyber Security Conference October 2-3, #NTXISSACSC3 3

4 Classic Data Center #NTXISSACSC3 NTX ISSA Cyber Security Conference October 2-3,

5 Act 1 - Tenants of Traditional Server Security Servers in a trusted network Segmentation for added protection Anti-malware (virus) for all servers, added security capability for critical servers Security had time to plan, test & deploy for each new application Provisioned with plentiful overhead Servers viewed as investments NTX ISSA Cyber Security Conference October 2-3, #NTXISSACSC3 5

6 Act 2 - Server Virtualization A New Dawn Economic benefit to adoption Combatting data center sprawl Physical servers more powerful Pressure applied on Security to be: Faster More efficient More accurate Traditional tools proved adequate NTX ISSA Cyber Security Conference October 2-3, #NTXISSACSC3 6

7 Virtualization Impacts Traditional Security Servers in a trusted network Segmentation for added protection (shared hardware = segmentation challenges) Anti-malware (virus) for all servers, added security products for critical servers (difficult given VM density, overhead impact and licensing) Security had time to test & deploy for each new application (policies and images became more powerful) Provision with plentiful overhead (at odds with VM density) NTX ISSA Cyber Security Conference October 2-3, #NTXISSACSC3 7

8 Act 3 - Server Workloads - The Next Wave Utility Computing Cloud servers or Cloud server workloads in the data center, public cloud, private cloud or any combination These server workloads are: On-demand, Elastic and Agile Cloned, Orchestrated and Automated Often short-lived Can be containers (i.e. Docker) Possibly never patched Part of an overall movement of deploying and updating faster (DevOps) NTX ISSA Cyber Security Conference October 2-3, #NTXISSACSC3 8

9 Data Center Architecture Changes Public Cloud Data Center Critical Server Instances Internet Critical Server Instances Some Semi-critical Server Instances On-server security: - Anti-Malware - Vulnerability Scan Semi-critical Server Instances On-server security: - Anti-Malware - Vulnerability Scan On-server security: - Anti-Malware - Vulnerability Scan - Config. Monitor - HIPS/HIDS - FIM Non-Critical Server Instances - Anti-Malware NTX ISSA Cyber Security Conference October 2-3, #NTXISSACSC3 9

10 Server Workloads Break Security Servers in a trusted network (Cloud viewed as non-trusted) Segmentation for added protection (shared hardware = segmentation challenges) Anti-malware (virus) for all servers, added security products for critical servers (difficult given VM density, overhead impact and licensing) Security had time to test & deploy for each new application (Security must move faster often with little lead time) Provision with plentiful overhead (at odds with VM density) Servers viewed as application building blocks NTX ISSA Cyber Security Conference October 2-3, #NTXISSACSC3 10

11 Cloud VPC = Bringing The Trusted Network Back? Public Cloud servers only accessible from inside the data center s trusted network Positioned by many cloud providers to resolve Tenant #1 Servers in a trusted network Issues Can be cost prohibitive May impact performance Does not mitigate security issues NTX ISSA Cyber Security Conference October 2-3, #NTXISSACSC3 11

12 Are Data Center Networks Really Secure? NTX ISSA Cyber Security Conference October 2-3, #NTXISSACSC3 12

13 Workload Security The New Tenants Embrace the Workload as an Application Building Block philosophy Take advantage of automation and orchestration Small footprints matter Minimize staff overhead Total visibility Limit server communication Integrate versus manage stand-alone NTX ISSA Cyber Security Conference October 2-3, #NTXISSACSC3 13

14 The Basics Still Apply Use server (host) firewalls Reduce attack surface Manage East-West traffic Require multi-factor authentication for server logins Monitor configurations for drift Discover & address vulnerabilities Monitor system file integrity Monitor security logs Dump anti-malware (if you can) Radical Thought!!!! NTX ISSA Cyber Security Conference October 2-3, #NTXISSACSC3 14

15 Approaches to Workload Security Do it manually with multiple security tools Too time consuming Many consoles, difficult integration Use orchestration tools with multiple security tools Many consoles, difficult integration Set of security tools can consume more resources than what they re protecting Use CloudPassage Halo NTX ISSA Cyber Security Conference October 2-3, #NTXISSACSC3 15

16 CloudPassage Halo: Instant Layered Security for Every Server Workload One tool providing 8 layers of visibility & enforcement Using less compute resources than a single-layer point product Highly automated; set and forget security Add to gold images, protects servers at instantiation NTX ISSA Cyber Security Conference October 2-3, #NTXISSACSC3 16

17 CloudPassage Halo A Security Orchestration Framework Integrated and layered security Automated into your workflow Visibility See vulnerabilities, configuration errors, file integrity, access no matter where the workload is Apply controls even quarantine workloads Compliance Drive automation to audits Continuous vs. point-in-time NTX ISSA Cyber Security Conference October 2-3, #NTXISSACSC3 17

18 CloudPassage Halo Architecture NTX ISSA Cyber Security Conference October 2-3, #NTXISSACSC3 18

19 Questions NTX ISSA Cyber Security Conference October 2-3, #NTXISSACSC3 19

20 The Collin College Engineering Department Collin College Student Chapter of the North Texas ISSA North Texas ISSA (Information Systems Security Association) Thank you NTX ISSA Cyber Security Conference October 2-3, #NTXISSACSC3 20