Best Practices: Managing Security in the Hybrid Cloud
1. 6 BEST PRACTICES FOR MANAGING SECURITY IN THE HYBRID CLOUD
Omer Ganot
Cloud Security PM, AlgoSec
2. INTRODUCTION
• Most organizations are hybrid
• Managing hybrid network security is complex
• Network security is key for protecting your workloads
• Follow the best practices to stay secure in the hybrid network
2 | Confidential
3. AGENDA
1 Complexities of moving to the cloud
2 6 best practices for tighter hybrid cloud security
3 Q&A
4. % OF WORKLOADS RUNNING IN THE PUBLIC CLOUD IN PRODUCTION
[Bar chart: share of respondents (0% to 40%) by percentage of workloads in the public cloud (1-20%, 21-40%, 41%-60%, 61%-80%, 81%-100%), 2019 vs. 2021]
• Cloud adoption is accelerating
• 53% of respondents have over 40% of
their workloads in the cloud
• Almost 30% have over 60% in the cloud
Source: CSA State of the cloud survey 2021
5. MANAGING SECURITY IN A HYBRID ENVIRONMENT IS COMPLEX
• Multiple Security Vendors and Controls
  • 3rd party on-prem Security Vendor Products
  • Cloud Infra Security Controls
  • Security Products by Cloud Providers and 3rd party
• Multiple Stakeholders
  • CISO
  • IT / Network Security
  • Cloud Teams
  • Security Operations
  • Application Developers / DevOps
• Multiple Environments
  • Multi Cloud
  • Private Clouds
  • On-Premises
7. WHY YOU SHOULD USE NGFWs IN THE CLOUD
• Cloud providers’ native network
security controls are not sufficient
• Next-Generation Firewalls are
essential for securing the cloud
• Providing L3-L7 protection
8. FOLLOW THE VENDOR BEST PRACTICES TO CHOOSE THE
IDEAL DEPLOYMENT METHOD FOR THE CHOSEN NGFW
Source: Check Point Source: Microsoft
10. WHY YOU SHOULD USE DYNAMIC OBJECTS
• Configuration of traditional
firewalls in the cloud is different
than on premises
• Use dynamic objects in NGFWs
to match cloud assets using
cloud-native categories
13. GAIN VISIBILITY OVER YOUR ENTIRE
HYBRID NETWORK
• You can’t protect what you can’t see
• Evaluate security in your cloud services
AND in the path from the internet and data
center clients
• Get a single, unified view for both network
and security elements:
• Public cloud (in many cases multi-cloud)
• On-prem data center
• Private cloud
14. GAIN VISIBILITY OVER YOUR ENTIRE HYBRID NETWORK
• Native Cloud Security Controls (Security Groups/NACL/NSG)
• Virtual appliance in the cloud
• Traditional FW
• Virtual appliance in the SDN fabric
• Private cloud SDN – distributed FW
16. EVALUATE & REMEDIATE RISK ON THE ENTIRE HYBRID NETWORK PATH
Keeping up with risk and compliance is hard
• Identifying risk across the entire hybrid network
• Remediating risk across different controls
• Keeping up with internal and regulatory compliance standards
With AlgoSec, you can identify risky security policies, along
with rich data such as affected assets and rule usage
20. CLEANUP CLOUD POLICIES
• Cloud security groups are constantly adjusted, so they can rapidly bloat
  • SG limit is reached
  • It is hard to maintain
  • Becomes risky
• Cloud SG cleanup
  • Must be accurate, based on validated and detailed flow log data
  • Must avoid application outages
  • Must be efficient
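Added example (not part of the original slides and not AlgoSec's code): one way to base SG cleanup on flow log data while avoiding an outage, by refusing to recommend removals until the logs cover a minimum observation window. It assumes AWS VPC flow logs in the default version 2 format; the rule ids, addresses, log records and the two-day window are constructed for illustration.

```python
import ipaddress

# Constructed inbound rules for one security group (rule ids are hypothetical).
SG_RULES = [
    {"id": "web-443", "proto": 6, "ports": (443, 443), "cidr": "0.0.0.0/0"},
    {"id": "admin-ssh", "proto": 6, "ports": (22, 22), "cidr": "10.0.0.0/8"},
    {"id": "legacy-db", "proto": 6, "ports": (3306, 3306), "cidr": "192.168.50.0/24"},
]
ENI_IP = "10.0.1.5"  # constructed private address of the protected interface

# Constructed records in the AWS VPC flow log default (version 2) field order:
# version account eni srcaddr dstaddr srcport dstport protocol packets bytes start end action status
FLOW_LOG = """\
2 123456789012 eni-0a1b2c3d 203.0.113.7 10.0.1.5 50412 443 6 12 4200 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.5 203.0.113.7 443 50412 6 10 9100 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.2.3.4 10.0.1.5 40022 22 6 8 900 1700086400 1700086460 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.9 10.0.1.5 33111 3306 6 1 40 1700172800 1700172860 REJECT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700259200 1700259260 - NODATA
"""

def parse_inbound(text, eni_ip):
    """Return (accepted inbound flows, observed seconds); NODATA and malformed lines are skipped."""
    flows, first, last = [], None, None
    for line in text.splitlines():
        f = line.split()
        if len(f) != 14 or f[13] != "OK":
            continue
        start, end = int(f[10]), int(f[11])
        first = start if first is None else min(first, start)
        last = end if last is None else max(last, end)
        if f[12] == "ACCEPT" and f[4] == eni_ip:  # inbound to the interface only
            flows.append((ipaddress.ip_address(f[3]), int(f[6]), int(f[7])))
    return flows, (last - first if first is not None else 0)

def cleanup_candidates(rules, text, eni_ip, min_window_s):
    """List rule ids with zero accepted hits, but only if the logs cover min_window_s."""
    flows, window = parse_inbound(text, eni_ip)
    if window < min_window_s:
        raise ValueError(f"only {window}s of flow data; need {min_window_s}s before cleanup")
    hits = {r["id"]: 0 for r in rules}
    for src, port, proto in flows:
        for r in rules:
            lo, hi = r["ports"]
            if proto == r["proto"] and lo <= port <= hi and src in ipaddress.ip_network(r["cidr"]):
                hits[r["id"]] += 1
    return [rid for rid, n in hits.items() if n == 0]

if __name__ == "__main__":
    print(cleanup_candidates(SG_RULES, FLOW_LOG, ENI_IP, min_window_s=2 * 86400))
```

A zero-hit rule is only a candidate: the window should span the application's full business cycle (month-end jobs, failover tests) before the rule is removed.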
23. MAINTAIN IAC SECURITY IN THE CLOUD
CHALLENGES
• DevOps are mainly focused on business
application infrastructure
• DevOps trust the SecOps to find the security
risks
• SecOps have little control over cloud changes
• DevOps work with specific tools that they like
and that are already natural for the cloud
• "Classic" DevOps-SecOps risk mitigation
processes are too slow
24. MAINTAIN IAC SECURITY IN THE CLOUD - SOLUTION
For existing risks
• Run risk analysis and get detailed risk remediation recommendations
• Implement risk remediation using DevOps native tools and processes
Proactively, before a risk is introduced
• Run what-if risk checks for cloud SG changes as part of the code pull request
• Tighten the change to eliminate risk and only then push to production
25. SUMMARY
• Hybrid networks are complex and comprise many
different security controls
• Maintaining security in hybrid networks is a challenge
• Adopt best practices and use the relevant tools and
processes to stay secure