Dueling Banjos - Cloud vs. Enterprise Security: Using Automation and (Sec)DevOps NOW

Similar documents
BRINGING NETWORKS TO THE CLOUD ERA

From Zero to Secure in 1 Minute

The State of Application Delivery in 2015

Visions of Clouds and Cloud Security. Rob Randell, CISSP Senior Security and Compliance Specialist VMware, Inc.

Service Orchestration

Data Center Virtualization and Cloud QA Expertise

SDN PARTNER INTEGRATION: SANDVINE

Software Defined Network (SDN)

Stackato PaaS Architecture: How it works and why.

Designing Virtual Network Security Architectures Dave Shackleford

Intro to NSX. Network Virtualization VMware Inc. All rights reserved.

SOFTWARE DEFINED NETWORKING

EVOLVED DATA CENTER ARCHITECTURE

HOW SDN AND (NFV) WILL RADICALLY CHANGE DATA CENTRE ARCHITECTURES AND ENABLE NEXT GENERATION CLOUD SERVICES

Virtualization and Cloud: Orchestration, Automation, and Security Gaps

Group-Based Policy for OpenStack

Use Case Brief CLOUD MANAGEMENT SOFTWARE AUTOMATION

How to Grow and Transform your Security Program into the Cloud

Horizontal Integration - Unlocking the Cloud Stack. A Technical White Paper by FusionLayer, Inc.

Unlock the full potential of data centre virtualisation with micro-segmentation. Making software-defined security (SDS) work for your data centre

IBM Cloud Security Draft for Discussion September 12, IBM Corporation

Introduction to Software Defined Networking

Intel IT s Cloud Journey. Speaker: [speaker name], Intel IT

AppStack Technology Overview Model-Driven Application Management for the Cloud

(R)Evolution im Software Defined Datacenter Hyper-Converged Infrastructure

Implementing Software- Defined Security with CloudPassage Halo

Service Automation to implement and operate your Cloud initiatives

You ll need to have: It d be great if you have:

Software Defined Networking (SDN) and OpenStack. Christian Koenning

Thank you for joining us today! The presentation will begin shortly. Thank you for your patience.

From 0 to Secure in 1 Minute APPSEC IL Moshe Ferber CCSK, CCSP

Challenges in Deploying Public Clouds

Chapter 11 Cloud Application Development

OpenStack. Orgad Kimchi. Principal Software Engineer. Oracle ISV Engineering. 1 Copyright 2013, Oracle and/or its affiliates. All rights reserved.

Cisco Prime Network Services Controller. Sonali Kalje Sr. Product Manager Cloud and Virtualization, Cisco Systems

Drive new Revenue With PaaS/IaaS. Ruslan Synytsky CTO, Jelastic

RightScale mycloud with Eucalyptus

Dynamic L4-L7 Service Insertion with Cisco ACI and A10 Thunder ADC REFERENCE ARCHITECTURE

RIDE THE SDN AND CLOUD WAVE WITH CONTRAIL

HO5604 Deploying MongoDB. A Scalable, Distributed Database with SUSE Cloud. Alejandro Bonilla. Sales Engineer abonilla@suse.com

Assignment # 1 (Cloud Computing Security)

Cisco ACI and F5 LTM Integration for accelerated application deployments. Dennis de Leest Sr. Systems Engineer F5

Apache Stratos Building a PaaS using OSGi and Equinox. Paul Fremantle CTO and Co- Founder, WSO2 CommiCer, Apache Stratos

SDN CONTROLLER. Emil Gągała. PLNOG, , Kraków

Delivering Managed Services Using Next Generation Branch Architectures

APP DEVELOPMENT ON THE CLOUD MADE EASY WITH PAAS

SDN Software Defined Networks

OpenFlow and Software Defined Networking presented by Greg Ferro. Software Defined Networking (SDN)

BROCADE NETWORKING: EXPLORING SOFTWARE-DEFINED NETWORK. Gustavo Barros Systems Engineer Brocade Brasil

Automating Network Security

A new era of PaaS. ericsson White paper Uen February 2015

ILLUMIO ADAPTIVE SECURITY PLATFORM TM

HAWAII TECH TALK SDN. Paul Deakin Field Systems Engineer

Outline. Why Neutron? What is Neutron? API Abstractions Plugin Architecture

Testing Software Defined Network (SDN) For Data Center and Cloud VERYX TECHNOLOGIES

Use Case Brief NETWORK SECURITY

Plan for Success with a Hybrid Cloud! Thanks to IBM Power Systems OpenStack SoftLayer and UrbanCode

Increased Security, Greater Agility, Lower Costs for AWS DELPHIX FOR AMAZON WEB SERVICES WHITE PAPER

The Path to the Cloud

Build and Manage Private and Hybrid Cloud. Urban Järund, Sr Regional Services Manager Nordics, Red Hat

Using SouthBound APIs to build an SDN Solution. Dan Mihai Dumitriu Midokura Feb 5 th, 2014

Threat Center. Real-time multi-level threat detection, analysis, and automated remediation

Simplifying Private Cloud Deployments through Network Automation

Databricks. A Primer

Azure Day Application Development

ViSION Status Update. Dan Savu Stefan Stancu. D. Savu - CERN openlab

Unleash the power of Cisco ACI and F5 Synthesis for Accelerated Application deployments. Ravi Balakrishnan Senior Marketing Manager, Cisco Systems

VMware Software Defined Network. Dejan Grubić VMware Systems Engineer for Adriatic

What CSOs Need To Know About Software-Defined Security

Intel IT Cloud Extending OpenStack* IaaS with Cloud Foundry* PaaS

Palo Alto Networks. Security Models in the Software Defined Data Center

THE REVOLUTION TOWARDS SOFTWARE- DEFINED NETWORKING

ILLUMIO ADAPTIVE SECURITY PLATFORM TM

Network Virtualization Solutions - A Practical Solution

JAVA IN THE CLOUD PAAS PLATFORM IN COMPARISON

CoIP (Cloud over IP): The Future of Hybrid Networking

RED HAT CONTAINER STRATEGY

Leveraging SDN and NFV in the WAN

PLATFORM-AS-A-SERVICE, DEVOPS, AND APPLICATION INTEGRATION. An introduction to delivering applications faster

Scalable Network Monitoring with SDN-Based Ethernet Fabrics

Making Leaders Successful Every Day

How To Manage A Cloud System

Databricks. A Primer

Transcription:

Dueling Banjos - Cloud vs. Enterprise Security: Using Automation and (Sec)DevOps NOW SESSION ID: CSV-W02 Rich Mogull Analyst and CEO Securosis @rmogull rmogull@securosis.com Hoff VP Strategy Juniper Networks @Beaker choff@juniper.net

What We Are Going To Discuss Virtualization Cloud Computing Open Source Security Toolsets and Tooling Security APIs and Programmatic Operations Automation Software Defined Security, Compliance & Incident Response [Sec]DevOps!2

What We Are NOT Going To Discuss [In Detail] Developer-centric Software Development Life Cycle Vulnerability Assessment Code Analysis QA/Regression/Unit testing Application Language-specific Security Implementation specifics of continuous integration/continuous delivery except!3

Security Says: ENGLISH Do You Speak It!? DART, Ceylon, GO, F#, OPA, Fantom, Zimbu, X10, Haxe, Chapel Python Ruby node.js Django, Pylons, Mojolicious Erlang CouchDB, Hadoop, Neo4J, MongoDB, Cassandra Scala Clojure Groovy The path of the righteous security man is beset on all sides by the inequities of the selfish and the tyranny of evil developers. Blessed is he who, in the name of scalability and good will, shepherds the weak through the valley of downtime darkness, for he is truly his brother's keeper and the finder of lost vulnerabilities. And I will strike down upon thee with great pwning vengeance and furious anger those who would attempt to poison and destroy my perimeter. And you will know My name is the Compliance Lord when I lay My stateful packet filtering vengeance upon thee.!4

Developers Say: CODE Do You Write It!? Say 'Python' again. Say 'Python' again, I dare you, I double dare you...say Python one more time! #!/usr/bin/python!!for letter in 'Python': # Could Have Lived This Way! print 'Current Letter :', letter!5

Framing the Problem The discipline that is most resistant to change and least likely to adapt is Security This resistance is usually excused due to a lack of trust and a reliance on people because we don t trust security automation. Security continues to rely on a manual supply chain operated by the Meat Cloud Trustable automation and an operational model to support it is needed!6

The Enterprise vs the Cloud Models Cloud is an operational model DevOps represents an operational framework Both enjoy their own definitional perversion Enterprises are adopting Cloud in various forms; Public/Private/Hybrid, IaaS/ PaaS/SaaS The traditional silos and organizational dynamics of enterprises driven by arbitrary economic models are having a rough time with DevOps Why? Because people are conflating the differences in the operational models with the need to adapt their frameworks for servicing it!7

IT Deconstructed Infostructure Content & Context - Data & Information Applistructure Apps & Widgets - Applications & Services Metastructure Glue & Guts - IPAM, IAM, BGP, DNS, SSL, PKI & Abstraction layers Infrastructure Sprockets & Moving Parts - Compute, Network, Storage!8

What This Means To Security Infostructure Applistructure Metastructure Infrastructure Information Security Application Security Network Security Host-based Security Storage Security [Sec]Devops!9

The Challenge In Semantics If we don t have consistency in standards/formats for workloads & stack insertion, we re not going to have consistency in security Inconsistent policies and network topologies make security service, topology & device-specific Fundamentally, we need reusable and programmatic security design patterns; Controls today are CLI/GUI based Few are API-driven or feature capabilities for orchestration, provisioning as the workloads they protect!10

We ought to think about security like this: Working with VMware vshield REST API in perl. Richard Park, Sourcefire

or this AWS Security : A Practitioner s Perspective. Jason Chan, Netflix!12

What s Missing? Instrumentation that is inclusive of security Intelligence and context shared between infrastructure and applistructure layers Maturity of automation mechanics and frameworks Standard interfaces, precise syntactical representation of elemental security constructs < We need the EC2 API of Security An operational security methodology that ensures a common understanding of outcomes & DevOps culture in general!13

So? Regardless of whether you re an Enterprise or a Cloudyrprise or a Hybridprise, there are various levels of sophistication and maturity that exist There are plenty of Enterprises who have their operational security house in order and plenty of Cloudyprises who fall over constantly and vicey-versey The Operational Model doesn t dictate the success of the Operational Framework but the converse is true Changing how, where and when security is done requires a different framework for doing it. And who does it. This is [Sec]DevOps.!14

[Sec]DevOps & The $64,000 Security Question What would you do differently and how if you took your most important assets from behind your firewall and processes and plugged them directly into the Internet?! What if these assets are sprinkled around in your virtualized Data Centers, multiple Public Cloud IaaS providers, and linked to one or more SaaS providers and you need to manage workloads and security at scale.! Are you still going to use the Meat Cloud?!15

A Real Scenario The scenario: 24 data centers, 4 of them connected via a VPN a public IaaS cloud (Hybrid) Massive private WAN with complex routing, DNS and load-balanced infrastructure and virtualized overlay networking (SDN) 1000 distributed firewalls a combination of physical & virtual 10,000 hosts bare metal and virtualized with 2 hypervisors Custom-written orchestration system Internally-deployed, self-service Private Cloud and integrated Platform-as-a- Service 500 firewall policy changes a week!16

This is real today. We call it Software Defined Security!17

Welcome to SecOps/SecDevOps 3 Pull secure credentials 5 Pull configuration 1 2 Inject startup script 4 Register with config mgmt server!18

DEMO Completely automated and consistently and persistently enforced.

How do you do this without automation?! More work, less effective, less consistent.

Software Defined Security in Action Meet SecuritySquirrel, the first warrior in the Rodent Army (apologies to Netflix). The following tools are written by a short, red-headed analyst with a shorter temper and a Ruby-for-Dummies book. Automated security workflows spanning products and services.!21

Problem: Identify Unmanaged Servers 1 Scan the network 2 Scan again and again for all the parts you missed 3 Identify all the servers as best you can 4 Pull a config mgmt report 5 Manually compare results!22

The Software Defined Security Way DEMO 1. Get list of all servers from cloud controller (can filter on tags/os/etc). Single API call 2. Get list of all servers from Chef Single API call 3. Compare in code!23

Problem: Compromised Server Incident Response 1 Detect Compromise 4 Image 2 Pull server information (If you have it) 5 Analyze = Hours! 3 Quarantine 6 Recover Each step is manual, and uses a different set of disconnected tools!24

The Software Defined Security Way!25 1. Pull metadata 2. Quarantine DEMO 3. Swap control to security team 4. Identify and image all storage 5. Launch and configure analysis server 6. Can re-launch clean server instantly

The Only Difference is the APIs and Program Flow

A Software Defined Security Rainbow Unicorn Automating a secure vulnerability assessment involving a cloud service and two commercial security products. Open firewall, open host firewall, trigger scan, close firewalls. DEMO!27

Our Call to Action

I, Network Engineer s/network/security Kurt Bales, Senior Network Engineer blogger at "www.network-janitor.net" *Borrowed from Jeremy Schulman, Juniper Networks!29

An Engineer s Approach: Get started "day one" using Python interactive shell Do it the way a network engineer thinks and interacts with the network, not like a Programmer/API Do not require knowledge of XML, Junos, NETCONF Give me "CLI access" if I get stuck, but no CLI screen-scraping Give me access both config and operational data in standard Python types like dictionary (hash) and list Make it Open-Source so I don't have to wait for "The Vendor" to add/ fix things *Borrowed from Jeremy Schulman, Juniper Networks!30

If Yan Can Cook, You Can Too!!31

Dueling Banjos - Cloud vs. Enterprise Security: Using Automation and (Sec)DevOps NOW SESSION ID: bla bla Rich Mogull Analyst and CEO Securosis @rmogull rmogull@securosis.com Hoff VP Strategy Juniper Networks @Beaker choff@juniper.net http://github.com/securosis/securitysquirrel

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information