Organizations that are transitioning from a traditional data center to an on-demand IT environment, such as AWS, are quickly finding that automating and scaling legacy security services for comprehensive workload security can be challenging. In light of these challenges, it is necessary to deploy a security solution that employs the same versatility and elasticity as the cloud workloads it is meant to protect. CloudPassage® Halo® provides virtually instant visibility and continuous protection for servers in any combination of data centers, private clouds and public clouds like AWS. Join Xero and CloudPassage to learn about best practices for migrating your security workloads to the cloud.
Join us to learn:
- Best practices for maintaining workload security
- How you can align cloud security deployment methods with on-premises deployment methods
- Key considerations for architecting your infrastructure to scale quickly and securely
Who should attend: CTOs, CIOs, CISOs, Directors and Managers of Security, IT Administrators, IT Architects and IT Security Engineers
2. Your Data and IP Are Your Most Valuable Assets
- $6.53M: average cost of a data breach (https://www.csid.com/resources/stats/data-breaches/)
- 56%: increase in theft of hard intellectual property (http://www.pwc.com/gx/en/issues/cyber-security/information-security-survey.html)
- 70%: of consumers indicated they’d avoid businesses following a security breach (https://www.csid.com/resources/stats/data-breaches/)
3. AWS Can Be More Secure than Your Existing Environment
In June 2015, IDC released a report which found that most customers can be more secure in AWS than in their on-premises environment. How?
- Automating logging and monitoring
- Simplifying resource access
- Making it easy to encrypt properly
- Enforcing strong authentication
4. AWS and You Share Responsibility for Security
AWS takes care of the security OF the Cloud:
- AWS Foundation Services: Compute, Storage, Database, Networking
- AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
You get to define your controls ON the Cloud:
- Customer Applications & Content
- Identity & Access Control
- Network Security
- Inventory & Config
- Data Encryption
5. Constantly Monitored
The AWS infrastructure is protected by extensive network and security monitoring systems:
- Network access is monitored by AWS security managers daily
- AWS CloudTrail lets you monitor and record all API calls
- Amazon Inspector automatically assesses applications for vulnerabilities
6. Highly Available
The AWS infrastructure footprint protects your data from costly downtime:
- 33 Availability Zones in 12 regions for multi-synchronous geographic redundancy
- Retain control of where your data resides for compliance with regulatory requirements
- Mitigate the risk of DDoS attacks using services like Auto Scaling and Amazon Route 53
7. Integrated with Your Existing Resources
AWS enables you to improve your security using many of your existing tools and practices:
- Integrate your existing Active Directory
- Use dedicated connections as a secure, low-latency extension of your data center
- Provide and manage your own encryption keys if you choose
9. Best Practices for Automatic Security Scaling
Ram Krishnan, Chief Product Officer, CloudPassage
10. Transformation of Enterprise IT Delivery
Traditional IT delivery → Agile IT delivery:
Data Center → Data Center, SDDC or Private Cloud → Public, Hybrid or Multi-Cloud
11. Transformation of Enterprise IT Delivery
Traditional IT delivery:
- Data center & perimeter orientation
- Total ownership, visibility & control
- Applications on dedicated hardware
- Hardware security appliances
- Everything “behind the firewall”
- Low rate of change
Agile IT delivery:
- Cloud orientation degrades perimeters
- Shared responsibility, less visibility & control
- Virtual, abstracted, transient workloads
- Workloads widely distributed
- Large, flat, shared networks
- High rate of change
12. Transformation of Application Delivery
[Timeline chart, January to December: one release (R1) with the phases Analysis and design, Coding & implementation, Quality testing, Staging and release]
13. Transformation of Application Delivery
[Timeline chart, January to December: the same phases, Analysis and design, Coding and implementation, Quality testing, Staging and release]
14. Traditional Security Tools Don’t Work Anymore
Cloud Security Spotlight Report / April 2016
Q: How well do your traditional network security tools / appliances work in public cloud environments?
- They work just fine: 14.01%
- Somewhat (but not a complete solution): 47.63%
- Not at all: 11.28%
- Not sure: 24.96%
- Other: 2.12%
59%: traditional tools work somewhat or not at all
16. What Does “Agile Security” Mean?
1. Workload centric
2. Policy driven
3. Automated and integrated with toolchains
4. Attack surface reduction focus
5. Context-aware and works anywhere
6. Security platforms with deep APIs
17. Where Is Your Greatest Security Risk?
Layer-by-layer responsibility (columns: Data Center, Colo, IaaS) with the risk rating shown against each layer (Gartner, 2016):
Customer responsibility:
- User administration: Medium
- Application code & data: Medium-high
- Application framework: High
- VM guest OS: High
Provider responsibility (in IaaS):
- Virtualization stack: Very low
- Compute/storage HW: Very low
- Network Infrastructure: Very low
- Physical Environment: Very low
20. [Architecture diagram: a security orchestration engine, exposed through a Portal and a REST API and connected to SOC & GRC systems and to infrastructure orchestration, protects servers and containers running in public clouds and in data centers & private clouds]
21. Top Enterprise Challenges Addressed by Halo
- Workload Protection
- Fast Microsegmentation
- Compromise Detection
- Automated Compliance
- Security at DevOps Speed
- Security for AWS EC2
23. Beautiful Cloud Based Accounting Software
Connecting people with the right numbers anytime, anywhere, on any device
24. (All figures shown are in NZD)
- 1,450+ staff globally
- $474M raised in capital
- $202M sub revenue FY16
- 23M+ businesses have interacted on the Xero platform
- $1TR incoming and outgoing transactions in past 12 months
- 450M incoming and outgoing transactions in past 12 months
27. Key Challenges
- Skills are scarce
- Regional representation and recommendations
- Application architecture has to change
- Automation is key
- Need to focus on visibility
- Third party commercial models need to change
28. Key Principles
- Repeatable and automated build and management of security systems
- Accelerated pace of security innovation
- On-demand security infrastructure that works at any scale
30. Multi-factor Authentication
Further secure AWS with:
- Password + MFA or access key + MFA
- Secure ALL systems with MFA
- Enable MFA enhanced features
- Use multiple MFA systems
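One way to check the "secure ALL systems with MFA" rule and to enforce the "password + MFA or access key + MFA" rule, added here as an example and not code from the deck or from CloudPassage or Xero. The first function audits a constructed sample laid out like the IAM credential report (the real report comes from `aws iam get-credential-report`; column names are the report's own, the account number and users are made up). The second returns a policy document modelled on the AWS-documented pattern that uses the `aws:MultiFactorAuthPresent` condition key; the function name `require_mfa_policy` is an assumption of this example.

```python
import csv
import io
import json

# Constructed sample in the column layout of an IAM credential report
# (only the columns this check needs; account id and users are made up).
SAMPLE_REPORT = """user,arn,password_enabled,mfa_active,access_key_1_active,access_key_2_active
<root_account>,arn:aws:iam::123456789012:root,true,false,true,false
alice,arn:aws:iam::123456789012:user/alice,true,true,false,false
bob,arn:aws:iam::123456789012:user/bob,true,false,true,false
deploy-bot,arn:aws:iam::123456789012:user/deploy-bot,false,false,true,true
"""


def mfa_findings(report_csv):
    """Return sorted (user, finding) tuples for credentials that do not meet
    the rule that every console login and every access key is MFA-backed."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        password = row["password_enabled"] == "true"
        mfa = row["mfa_active"] == "true"
        active_keys = [k for k in ("access_key_1_active", "access_key_2_active")
                       if row[k] == "true"]
        if user == "<root_account>":
            # Root should have MFA and no long-term access keys at all.
            if active_keys:
                findings.append((user, "root has an active access key"))
            if not mfa:
                findings.append((user, "root has no MFA device"))
            continue
        if password and not mfa:
            findings.append((user, "console password without MFA"))
        if active_keys and not mfa:
            # Without an MFA device the user cannot obtain an MFA-backed
            # session, so the deny policy below would lock the key out.
            findings.append((user, "active access key without MFA"))
    return sorted(findings)


def require_mfa_policy():
    """Policy document (example, modelled on the AWS-documented pattern):
    deny everything unless the request carries an MFA claim. Requests signed
    with a long-term access key have no aws:MultiFactorAuthPresent key at
    all, so BoolIfExists/false makes them fall under the Deny until the user
    calls sts:GetSessionToken with an MFA code and uses the temporary
    credentials. The NotAction list leaves self-enrollment of a device
    possible, provided another statement allows those actions."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyAllWithoutMFA",
            "Effect": "Deny",
            "NotAction": [
                "iam:CreateVirtualMFADevice",
                "iam:EnableMFADevice",
                "iam:ListMFADevices",
                "iam:ListVirtualMFADevices",
                "iam:ResyncMFADevice",
                "sts:GetSessionToken",
            ],
            "Resource": "*",
            "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
        }],
    }


if __name__ == "__main__":
    for user, finding in mfa_findings(SAMPLE_REPORT):
        print(f"{user}: {finding}")
    print(json.dumps(require_mfa_policy(), indent=2))
```

Run the audit against the real report on a schedule and treat any finding as a ticket; attach the policy to a group rather than to individual users so that new users inherit it.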
31. Configuration Drift Management
- AWS CloudTrail, AWS Config and the AWS Console provide a lot of great information
- Can be hard to find the needle in the haystack…
- Use Netflix Security Monkey to provide a “Single Pane of Glass”
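The kind of "needle in the haystack" check that Security Monkey performs, added here as an example of the drift-detection idea rather than code from the deck, from Security Monkey or from any AWS tool. It compares two constructed snapshots of security group rules, laid out like the `IpPermissions` entries that `ec2:DescribeSecurityGroups` returns, reports what changed per group, and separately flags rules that open non-web ports to the whole internet. The group ids, CIDRs and the function names `flatten_rules` and `security_group_drift` are assumptions of this example.

```python
import json

# Constructed snapshots (group id -> IpPermissions list), in the shape of the
# EC2 DescribeSecurityGroups output, restricted to the fields this check needs.
BASELINE = {
    "sg-web": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
    ],
    "sg-db": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "UserIdGroupPairs": [{"GroupId": "sg-web"}]},
    ],
}
CURRENT = {
    "sg-web": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
    "sg-db": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "UserIdGroupPairs": [{"GroupId": "sg-web"}]},
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
    "sg-orphan": [],   # appeared since the baseline was taken
}


def flatten_rules(permissions):
    """Expand one group's IpPermissions into a set of comparable tuples:
    (protocol, from_port, to_port, source). Sources may be IPv4/IPv6 CIDRs
    or another group's id; "-1" means "all protocols" in the EC2 API."""
    rules = set()
    for perm in permissions:
        proto = perm.get("IpProtocol", "-1")
        lo, hi = perm.get("FromPort", -1), perm.get("ToPort", -1)
        for r in perm.get("IpRanges", []):
            rules.add((proto, lo, hi, r["CidrIp"]))
        for r in perm.get("Ipv6Ranges", []):
            rules.add((proto, lo, hi, r["CidrIpv6"]))
        for g in perm.get("UserIdGroupPairs", []):
            rules.add((proto, lo, hi, g["GroupId"]))
    return rules


def security_group_drift(baseline, current, public_ok_ports=(80, 443)):
    """Return (drift_report, world_open). drift_report maps each changed
    group id to its added/removed rules and new/deleted flags; world_open
    lists (group, rule) pairs in the current snapshot whose source is the
    whole internet and whose port is not one of public_ok_ports."""
    report = {}
    for gid in sorted(set(baseline) | set(current)):
        before = flatten_rules(baseline.get(gid, []))
        after = flatten_rules(current.get(gid, []))
        added, removed = after - before, before - after
        if added or removed or gid not in baseline or gid not in current:
            report[gid] = {
                "added": sorted(added),
                "removed": sorted(removed),
                "new_group": gid not in baseline,
                "deleted_group": gid not in current,
            }
    world_open = [
        (gid, rule)
        for gid in sorted(current)
        for rule in sorted(flatten_rules(current[gid]))
        if rule[3] in ("0.0.0.0/0", "::/0")
        and not (rule[1] == rule[2] and rule[1] in public_ok_ports)
    ]
    return report, world_open


if __name__ == "__main__":
    report, world_open = security_group_drift(BASELINE, CURRENT)
    print(json.dumps(report, indent=2, default=list))
    for gid, rule in world_open:
        print(f"world-open: {gid} {rule}")
```

The baseline is the "known good" state you approved; anything in `added`, `removed`, `new_group` or `deleted_group` is a change that should correspond to a CloudTrail event and a change ticket, and `world_open` is the small list worth a human's attention regardless of whether it drifted.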
32. Host Security Automation
- Monitor, Detect and Defend at the Host level
- Elasticity and Automation are key
- Integrate; visibility is important
- Use a “Defense in Depth” model, protect every layer
- Use an agile approach from deployment through to operations
33. The New Paradigm of Shared Responsibility
Security OF the Cloud (AWS):
- AWS Foundation Services: Compute, Storage, Database, Networking
- AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
Security ON the Cloud (Xero + Partner Ecosystem):
- Xero Applications & Content
- Identity & Access Control
- Network Security
- Inventory & Config
- Data Encryption
34. Key Learnings
- Security by Design: what's that?
- Communication is key: who are your spokespeople?
- Measure and Test, Monitor Everything
- Welcome to the cloud: "Where's my span port?"
35. Final Takeaways
- Repeatable and automated build and management of security systems
- Accelerated pace of security innovation
- On-demand security infrastructure that works at any scale