Hardening the cloud : Assuring agile security in high-growth environments
1 like149 views
The document outlines security strategies for cloud migration and highlights key challenges such as the scarcity of skills, necessary changes in application architecture, and the need for increased automation. It emphasizes principles like building security into every layer, effective communication, and visibility in configuration management. The document also provides practical steps and recommendations for enhancing security practices within cloud environments.
Hardening the cloud : Assuring agile security in high-growth environments
- 1. SESSION ID:SESSION ID: #RSAC Aaron McKeown Hardening the Cloud: Assuring Agile Security in High-Growth Environments (Moving from span ports to virtual appliances) CSV-F01 Lead Security Architect Xero
- 3. Beautiful cloud-based accounting software Connecting people with the right numbers anytime, anywhere, on any device 3 1,450+ staff globally $474m raised in capital $202m sub revenue FY16 $1tr incoming and outgoing transactions in past 12 mths 450m incoming and outgoing transactions in past 12 mths All figures shown are in NZD
- 4. 2009 2010 2011 2012 2013 2014 2015 2016 862,000+ Subscribers globally
- 5. #RSAC Public Cloud Migration 5 Supporting the next wave of growth Reducing our cost to serve Improving data protection Eliminating scheduled downtime Maintaining and improving security
- 6. #RSAC Key Challenges 6 Skills are scarce Regional representation and recommendations Application architecture has to change Automation is key Third-party commercial models need to change Need to focus on visibility
- 7. #RSAC Challenge #1: Skills are scarce 7 Challenge #1: Skills are scarce Make an initial investment in education Join industry groups and forums Selective engagement of contractors Promotion of industry wide cyber skills
- 8. #RSAC Challenge #2: Regional representation 8 Challenge #2: Regional representation and recommendations Build a strong relationship with AWS Reach out to your contacts Look at alternatives Build a communication path to remote organizations
- 9. #RSAC Challenge #3: Application architecture changes 9 Challenge #3: Application architecture has to change Work in cross-functional teams Deliver in short, frequent cycles Communicate quickly and effectively Build and deliver “security as a service”
- 10. #RSAC Challenge #4: Automation is key 10 Challenge #4: Automation is key Make automation a core principle Start with basic use of CloudFormation Use a code repository Build a Continuous Integration (CI) and Continuous Delivery (CD) system
- 11. #RSAC Challenge #5: Focus on visibility 11 Challenge #5: Need to focus on visibility CloudTrail is enabled by default for all accounts Track configuration drift Get the development teams invested Extended into a virtual team
- 12. #RSAC Challenge #6: Third-party commercial models 12 Challenge #6: Third-party commercial models need to change Do what we advise others to do, use the cloud Work with our technology partners and vendors Move from perpetual licenses, to core based licenses Address commercial and legal issues first
- 13. #RSAC Key Principles 13 Repeatable, automated build and management of security systems Accelerated pace of security innovation On-demand security infrastructure that works at any scale
- 14. #RSAC Key Learnings 14 Security by design- what’s that? Communication is key Welcome to the cloud - “Where’s my span port?” Measure & Test, monitor everything
- 15. #RSAC Key Learnings: Security by design 15 Security by design- what’s that? Build security into every layer Treat your infrastructure as code Iterate, iterate, iterate Build security into the product lifecycle
- 16. #RSAC Key Learnings: Communication is key 16 Communication is key Make everyone a spokesperson Evangelize and sell your service Communicate success (as well as failure) Documentation is critical
- 17. #RSAC Key Learnings: Measure everything 17 Measure & test, monitor everything How do you know what normal looks like? Continually track configuration drift Do a gap analysis Perform internal and external testing
- 18. #RSAC Key Learnings: Where’s my span port? 18 Welcome to the cloud - “Where’s my span port?” Change your way of thinking Expand your scope of responsibility It is a shared journey for all Use cross-functional teams
- 19. #RSAC The New Paradigm of Shared Responsibility 19 AWS Foundation Services Compute Storage Database Networking AWS Global Infrastructure Regions Availability Zones Edge Locations Identity & Access Control Network Security Xero Applications & Content Security IN the Cloud Security OF the Cloud Xero + Partner Ecosystem Inventory & Config Data Encryption
- 20. #RSAC Security as a Service 20 VPN connectivity Host Based Security Web Application Security and Delivery Shared Key Management Services Secure Bastion Access Proxy Services Security Operations and Consulting Services
- 21. #RSAC Multi-Factor Authentication 21 The decision to utilize MFA was a core component of security design User awareness was initially an issue Some users refused to utilize the system Multiple MFA systems already in place Enable the MFA enhanced features
- 22. #RSAC Configuration Drift Management 22 Finding the needle in an automated and freedom-to-deploy haystack Used Netflix Security Monkey to track, monitor, and action key AWS resource changes Watchers configured across all AWS accounts Started as an internal Cloud Security tool Adoption was driven by the product teams Risk and compliance utilization for best practice review
- 23. #RSAC Host Security Automation 23 Next layer of defense at the host level Used to monitor, notify, and action instance-level configurations, vulnerabilities and integrity Automated roll-out and integration with all hosts Make use of the cloud Adopt elasticity and automation Accelerated pace of development
- 24. #RSAC Apply What You Have Learned Today 24 • Activate multi-factor authentication • Enable CloudTrail • Start your first automation! • Define your principles • Develop a security architecture • Start to track your configuration drift • Measure, test & monitor everything • Build a culture of communication • Automate more! WEEK 1 MONTH 3 MONTH 6
- 25. www.xero.com @xero Aaron McKeown Lead Security Architect Xero