Comprehensive Cloud Security Requires an Automated Approach
Download as PPTX, PDF2 likes1,064 views
The document discusses the importance of cloud security and the need for an automated approach to address its challenges, including data protection and inconsistent control. It emphasizes that while cloud services offer significant benefits, they also complicate security responsibilities and necessitate a comprehensive security strategy. Recommendations include centralizing security policy management, automating security measures, and engaging with cloud service providers for clear security delineations.
Comprehensive Cloud Security Requires an Automated Approach
- 1. Comprehensive Cloud Security Requires an Automated Approach Andras Cser, VP and Principal Analyst Forrester Research Carson Sweet, CEO and Co-founder CloudPassage November 12, 2013
- 2. Cloud Security: Automation and Centralization Matters Andras Cser, VP and Principal Analyst November 12, 2013
- 3. Agenda › Why is Cloud Security Important › Challenges with Cloud Security › Forrester’s Recommendations © 2013 Forrester Research, Inc. Reproduction Prohibited 3
- 4. Agenda › Why is Cloud Security Important › Challenges with Cloud Security › Recommendations © 2013 Forrester Research, Inc. Reproduction Prohibited 4
- 5. Cloud-based Services Employed Regularly “Which of the following cloud-based services have you employed on a regular basis?" Compute (e.g., Amazon EC2, Microsoft Azure VM Role) 50% Storage 49% Relational database (e.g. SQL Azure) 42% Development tools/IDE (e.g. Cloud9, Cloud Foundry) 37% Social (e.g., Salesforce Chatter) 33% Messaging 33% Content management 31% Message queuing 26% Integration (e.g., Dell Boomi, IBM Cast Iron) 23% Application-level caching 23% Content delivery network 21% Mobile back end 18% BPM 16% Nonrelational database Don't know Other 14% 3% 2% Base = 175 software developers from companies with 1,000 or more employees Source: Forrsights Developer Survey, Q1 2013 © 2013 Forrester Research, Inc. Reproduction Prohibited 5
- 6. “Which of the following initiatives are likely to be your IT organization's top project and organizational priorities over the next 12 months?” Increase our use of software-as-a-service (cloud applications) Critical or High priority 48% Low priority 35% Not on our agenda Don't know 15% 1% Base: 1,176 North American and European IT decision-makers at firms with 1,000 or more employees Source: Forrester Software Survey, Q4 2012 © 2013 Forrester Research, Inc. Reproduction Prohibited 6
- 7. Why Cloud Security is like a two component glue, a unique blend: A: The Cloud is not just a new delivery platform B: Cloud Security is NOT just continuing security and extending it to the cloud © 2013 Forrester Research, Inc. Reproduction Prohibited 7
- 8. Cloud Pulls the CISO in Many Directions 1. Cloud Offers Irresistible Benefits 2. LOB procures cloud services CISO and Security Organization Changes, aka Uneven Handshake 5. Security Struggles to Reduce Cloud Security Risks © 2013 Forrester Research, Inc. Reproduction Prohibited 4. Data Center Is Loosely Coupled 3. CISO Can’t Say No All the Time 8
- 9. Cloud Security Means a Lot of Things to a Lot of People › What interfaces our company has to have to work well with our Cloud Providers? (Security To the Cloud) › › › How can a Cloud Provider (like Amazon Web Services or SalesForce.com) prove to us that they are secure? (Security In the Cloud) How can our company make its internal (and in some cases, Cloud Provider) security better? (Security From the Cloud) What are the organizational implications of Cloud and Cloud Security to our IT security organization? © 2013 Forrester Research, Inc. Reproduction Prohibited 9
- 11. Agenda › Why is Cloud Security Important › Challenges with Cloud Security › Recommendations © 2013 Forrester Research, Inc. Reproduction Prohibited 11
- 12. General Challenges with Cloud Security › Ease of Use for End Users (you can’t control end users) • Cloud security should not require users to change behaviors or tools › Inconsistent Control (you don’t own everything) • The only thing you can count on is guest VM ownership › Elasticity (not all servers are steady-state) • Cloudbursting, stale servers, dynamic provisioning › Scalability (highly variable server counts) • May have one dev server or 1,000 production web servers › Portability (same controls work anywhere) • Nobody wants multiple tools or IaaS provider lock-in © 2013 Forrester Research, Inc. Reproduction Prohibited 12
- 13. Challenges with Cloud Security › Data protection › Workload separation and multi tenancy › Information Rights Management › SaaS providers don’t help much with security related concerns › › › › Network Security Identity and Access Management (IAM) and Privileged Identity Management (PIM) Business Continuity and Disaster Recovery (BCDR) Log Management (SIEM) © 2013 Forrester Research, Inc. Reproduction Prohibited 13
- 14. Cloud Does NOT Shift the Responsibility of Data Protection › “When data is transferred to a cloud, the responsibility for protecting and securing the data typically remains with the collector or custodian of that data.” Cloud Security Alliance, Guidance v3.0 © 2013 Forrester Research, Inc. Reproduction Prohibited 14
- 15. Agenda › Why is Cloud Security Important › Challenges with Cloud Security › Protecting Data In the Cloud › Recommendations © 2013 Forrester Research, Inc. Reproduction Prohibited 15
- 16. When it comes to responsibilities… How do we avoid this?
- 17. Who’s Responsible for IaaS Security? AWS Shared Responsibility Model “…the customer should assume responsibility and management of, but not limited to, the guest operating system and associated application software...” App Code App Framework Operating System Amazon Web Services: Overview of Security Processes Virtual Machine Hypervisor Compute & Storage Shared Network Physical Facilities Provider Responsibility “it is possible for customers to enhance security and/or meet more stringent compliance requirements with the addition of host based firewalls, host based intrusion detection/prevention, encryption and key management.” Customer Responsibility Data
- 18. Think Security From the Cloud Typical questions and requirements: • How can you source security services from MSSPs? • How can you protect security and data at our cloud providers? • In general: How do we integrate on existing onpremise security with the MSSPs security products?
- 19. Do your homework… › › › › › › › Get as much detail around security from your SaaS provider as you can Set clear boundaries for security responsibilities between you and your IaaS/PaaS provider Data protection, data protection, data protection Don’t build your own tools Apply comprehensive approach to cloud security Centralize and scale security policy management for your cloud Automate your security (you can’t manually configure thousands of servers) © 2013 Forrester Research, Inc. Reproduction Prohibited 19
- 20. © 2013 Forrester Research, Inc. Reproduction Prohibited 20
- 21. Thank you Andras Cser +1 617.613.6365 acser@forrester.com
- 22. Security automation for virtualized & cloud environments
- 23. Problem: Infrastructure Security Is Behind › › › › Infrastructure more distributed and dynamic than ever Current security models neither dynamic nor distributed Perimeters, appliances, hardware reliance, stable configurations, change control, endpoint security solutions… all marginalized to worthless in new models Without infrastructure security, all other security measures are weak (castle on sand, not bedrock) Security teams can’t assure security or compliance, being dragged behind business
- 24. The Old Model: everything behind firewall, low rate of change, very few infrastructure stacks
- 25. The New Model: multiple stacks, broadly distributed, legacy approaches fail
- 26. Security Buyer Challenges › Achieving compliance in cloud environments • PCI, HIPAA, ISO 27002, SOC2, SANS Top 20, NIST › Disparate systems & high rate of change • “Dynamic” is core to cloud, new mode of operation • Security orchestration & automation underserved needs › Existing products don’t work well (if at all) • Technically designed for a different time • Do not match up to dynamic cloud operational models
- 27. Why Do Existing Solutions Fail? Network & hardware dependencies Cannot operate across cloud models Lack of meteredusage licensing Cannot handle elasticity or wide distribution
- 28. How we built high-scale security & compliance automation
- 29. Objective: Consolidate & Automate Controls
- 30. Halo Security Automation Platform
- 32. Automation Needs To Work Anywhere
- 33. Automation Must Extend Current Tools
- 34. Security Automation Outcomes › Massive reduction in security ops overhead • Automated control deployment & orchestration • Consolidation of otherwise disparate functions • Single point of security & compliance management › Security and compliance consistency • Security & compliance that’s truly built-in • Eliminates opportunities for human error • Deploy once, certify many (complex compliance) › Enables safe use of cloud models • Security teams have confidence in controls • Cloud projects don’t require manual intervention
- 35. Key Takeaway: Automating security enables saying “yes” to cloud, improves security, and makes complex compliance achievable.
- 36. Questions?