Best Practices for Workload Security: Securing Servers in Modern Data Center and Cloud
2 likes4,922 views
Presentation slides from Black Hat 2016. Presented by Sami Laine, Principal Technologist at CloudPassage & Aaron McKeown, Lead Security Architect of Xero.
More Related Content
What's hot (20)
Similar to Best Practices for Workload Security: Securing Servers in Modern Data Center and Cloud (20)
More from CloudPassage (17)
Recently uploaded (20)
Best Practices for Workload Security: Securing Servers in Modern Data Center and Cloud
- 5. Data Center, SDDC or Private Cloud Public, Hybrid or Multi-Cloud Traditional IT Delivery Agile IT Delivery Transformation of Enterprise IT Delivery Data Center • Cloud orientation degrades perimeters • Shared responsibility, less visibility & control • Virtual, abstracted, transient workloads • Workloads widely distributed • Large, flat, shared networks • High rate of change • Data center & perimeter orientation • Total ownership, visibility & control • Applications on dedicated hardware • Hardware security appliances • Everything “behind the firewall” • Low rate of change
- 8. Transformation of Enterprise IT Delivery Weeks MinutesHours How long do your most transient workloads live?
- 9. J DF M A M J J A S O N Analysis and design Coding & implementation Quality testing Staging and release R1 Transformation of Application Delivery
- 10. Quality testing Staging and release J DF M A M J J A S O N Analysis and design Coding and implementation R1 R12R11R10R2 R3 R4 R5 R6 R7 R8 R9 Transformation of Application Delivery
- 11. Quality testing Staging and release J DF M A M J J A S O N Analysis and design Coding and implementation R1 R12R11R10R2 R3 R4 R5 R6 R7 R8 R9 Transformation of Application Delivery
- 14. Traditional Security Is The Square Wheel • Perimeter & network centric • Hardware appliance oriented • Heavy agent footprints • Built for static IP addressing • Not designed for automation • Lacks comprehensive APIs
- 15. 15 | © 2016 CloudPassage Confidential 15 | © 2016 CloudPassage Confidential Agile IT delivery requires a new, agile security approach.
- 16. Re-align Security Delivery To IT Delivery • On-demand, self-service • Automated, rapid expansion • Measured or metered service • Ubiquitous, convenient access • Resource pooled grid • Highly scalable • Design-pattern based • On-demand, Security-as-a-Service • Automated, rapid expansion • Measured or metered service • Ubiquitous, convenient access • Resource pooled grid • Highly scalable • Design-pattern based Agile IT Delivery Agile Security Delivery
- 19. Where Is Your Greatest Security Risk? User Administration Application Code & Data Application Framework VM Guest OS Virtualization Stack Compute/Storage HW Network Infrastructure Physical Environment Customer responsibility Provider responsibility Data Center Colo IaaS VERY LOW VERY LOW VERY LOW VERY LOW HIGH HIGH MEDIUM-HIGH MEDIUM Risk
- 20. Where Is Your Greatest Security Risk? User Administration Application Code & Data Application Framework VM Guest OS Virtualization Stack Compute/Storage HW Network Infrastructure Physical Environment Customer responsibility Provider responsibility Data Center Colo IaaS VERY LOW VERY LOW VERY LOW VERY LOW HIGH HIGH MEDIUM-HIGH MEDIUM Risk
- 24. Securing Servers in Modern Datacenter and Cloud 1. Workload centric 2. Policy driven 3. Automated and integrated with toolchains 4. Attack surface reduction focus 5. Context-aware and works anywhere 6. Security platforms with deep APIs
- 28. Aaron McKeown, Lead Security Architect Cloud security at Xero
- 29. Beautiful cloud-based accounting software Connecting people with the right numbers anytime, anywhere, on any device
- 30. 1,450+ Staff globally $ 474m raised in capital $ 202m sub revenue FY16 23m+ businesses have interacted on the Xero platform $ 1tr incoming and outgoing transactions in past 12 mths 450m incoming and outgoing transactions in past 12 mths All figures shown are in NZD
- 31. 2009 2010 2011 2012 2013 2014 2015 2016 700,000+ Subscribers globally
- 32. Public cloud migration Improving data protection Eliminating scheduled downtime Maintaining and improving security Support the next wave of growth Reducing our cost to serve
- 33. Key challenges Skills are scarce Regional representation and recommendations Application architecture has to change Automation is key Need to focus on visibility Third party commercial models need to change
- 34. Key principles Repeatable and automated build and management of security systems Accelerated pace of security innovation On-demand security infrastructure that works at any scale
- 35. Security as a service VPN connectivity Host Based Security Web Application Security and Delivery Shared Key Management Services Security Operations and Consulting Services Secure Bastion Access Proxy Services
- 36. Multi-Factor Authentication • Secure AWS with: • password + MFA or access key + MFA • Secure ALL systems with MFA • Enable MFA enhanced features • Use multiple MFA systems
- 37. Configuration Drift Management • CloudTrail, Config and the AWS Console provide a lot of great information • Can be hard to find the needle in the haystack… • Use Netflix Security Monkey to provide a “Single Pane of Glass”
- 38. Host Security Automation • Monitor, Detect and Defend at the Host level • Elasticity and Automation are key • Integrate, visibility is important • Use “Defence in Depth” model, protect every layer • Use an agile approach from deployment through to operations
- 39. Key learnings Measure and Test, Monitor Everything Welcome to the cloud - "Where's my span port"? Security by Design - What's that? Communication is Key - Who are your spokespeople?
- 40. Final takeaways Repeatable and automated build and management of security systems Accelerated pace of security innovation On-demand security infrastructure that works at any scale