Simplicity in Hybrid IT Environments – A Security Oxymoron?
Download as PPTX, PDF1 like386 views
The document discusses the complexities and challenges of managing security in hybrid IT environments, emphasizing the differences between legacy on-premises solutions and cloud-based approaches. It highlights the importance of consistent security policies and controls while addressing organizational concerns regarding compliance and risk management. The need for specialized tools and techniques for cloud solutions is also acknowledged, underscoring the necessity for adaptability in security practices.
![But one size does not fit all
“Most things that we've encountered require a different approach for the
cloud-based solutions, than they do for the on-premises solutions. And
they almost always run into, ‘Oh, yes. But I can't support that’ …
“[For example], ‘we have the best […] security management tool in the
industry,’ ‘Do you support SAP HANA?,’ ‘What's SAP HANA?’…
“Or, ‘We support Amazon Web Services for cloud-based packet inspection.’
‘Does the same system work with my on-premises solution, and put it in
the same console?’ ‘Oh no, you have to have two separate accounts.’
Those are the kinds of conversations that I have all the time…”
-Mid-level management, $1-5bn retailer
11
From recent interviews with enterprise practitioners:
Source: 451 Research Information Security Narratives -: Budgets and Outlook 2016](https://image.slidesharecdn.com/v2crawfordslidestripwire4-17webinar20170502-170504230307/85/Simplicity-in-Hybrid-IT-Environments-A-Security-Oxymoron-11-320.jpg)
Simplicity in Hybrid IT Environments – A Security Oxymoron?
- 1. Simplicity in Hybrid IT Environments: A Security Oxymoron? Scott Crawford – Research Director, Information Security
- 2. Some hybrids are successful… 2 Others, not so much
- 3. Momentum favors the cloud “How would you generally categorize your organization’s information security view of hosted cloud computing solutions (Hosted Private Cloud, IaaS, or PaaS) in terms of your organization’s tolerance for information security risk?” 3 Source: 451 Research Quarterly Advisory Report: Budgets and Outlook – Information Security 2016
- 4. But legacy / on-premises investments aren’t going anywhere soon “Approximately how is your organization’s total information security spending on vendor- based security tools currently distributed across the following locations?” 4 Source: 451 Research Quarterly Advisory Report: Budgets and Outlook – Information Security 2016
- 5. Why maintain the investment? • Realizing its full value • Dependencies • Maturity • Of the technology • Of operations & expertise • The cloud is different… • Regulatory requirements • Ownership & control 5
- 7. So what’s the problem? One set of techniques for legacy/ on-premises One (or more) set(s) of techniques for the cloud 7
- 9. Hint: What are common objectives? • Consistency of control, across both legacy and “new IT” • Assurance of enterprise responsibilities • Demonstrations of adherence to enterprise requirements 9 Security/Compliance Concern Score Encryption 4.33 Identity Management/Authorization/Access Control Tools 4.26 Assumption of Liability for Security Breaches or Outages 4.23 Explicit Contractual Responsibilities for Security Between the Cloud Provider and Customer 4.17 Explicit SLAs 4.12 Data Leakage Prevention (DLP) 4.00 Providing Regular Results of Security Audits from Known Security Testing Companies 3.99 Proven Compliance with Industry Standards 3.92 Auditability 3.91 “Rate the importance of each of the following in addressing organizational concerns around security and compliance with hosted cloud solutions:” Source: 451 Research Quarterly Advisory Report: Budgets and Outlook – Information Security 2016
- 10. Finding common ground • Consistent application of policy • Essential for assuring enterprise compliance obligations, no matter where • Consistent execution of tasks • Completeness of coverage across hybrid environments • Consistent data gathering • For determining priorities for the entire investment 10
- 11. But one size does not fit all “Most things that we've encountered require a different approach for the cloud-based solutions, than they do for the on-premises solutions. And they almost always run into, ‘Oh, yes. But I can't support that’ … “[For example], ‘we have the best […] security management tool in the industry,’ ‘Do you support SAP HANA?,’ ‘What's SAP HANA?’… “Or, ‘We support Amazon Web Services for cloud-based packet inspection.’ ‘Does the same system work with my on-premises solution, and put it in the same console?’ ‘Oh no, you have to have two separate accounts.’ Those are the kinds of conversations that I have all the time…” -Mid-level management, $1-5bn retailer 11 From recent interviews with enterprise practitioners: Source: 451 Research Information Security Narratives -: Budgets and Outlook 2016
- 12. Implementations can be very different Legacy/on-premises infrastructure • Accuracy/depth/breadth of asset discovery • Across a variety of physical assets (hosts, networks, applications) • Balance of speed and accuracy • Policy constraints • Tools often purpose-built Cloud techniques • API-based - ASK the cloud for whatever you want to know • ec2-describe-images --filter “tag-value=prod” • DescribeInstances • DescribeVpnGateways • DescribeFlowLogs • Tools must be able to interact with APIs, automation at scale 12 Example: Asset inventory How well do your preferred tools adapt?
- 13. A small application? No problem. 13
- 15. The long view: Infrastructure’s disappearing act 15 2000s: On-prem virtualization Rise of IaaS, PaaS, growth in SaaS Containers, microservices “Serverless”
- 16. If you think hybrid IT is diverse today… 16 Centralized Distributed IoT
- 17. “Data centers on wheels” 17 • Up to 100 ECUs in some vehicles1 …or with arms …or wings …or legs 1 https://techcrunch.com/2016/08/25/the-biggest-threat- facing-connected-autonomous-vehicles-is-cybersecurity/
- 18. Not just “smart” endpoints • Sophisticated compute near the edge • Data volume, thin pipes, latency • Real-time action & response • Functionality offload for constrained endpoints 18
- 20. Thank you! Scott Crawford Research Director, Information Security Twitter: @s_crawford
- 26. FOUNDATIONAL CONTROLS FOR THE HYBRID ENTERPRISE
- 30. UNIFIED MANAGEMENT Elastic monitoring Cloud policies & platforms Containerization
- 31. To learn more, download the TRIPWIRE FOUNDATIONAL CONTROLS FOR THE HYBRID CLOUD executive brief from the resource widget