A Pragmatic Approach to Network Security Across Your Hybrid Cloud Environment
0 likes•1,056 views
The document discusses the challenges and strategies for managing network security in hybrid cloud environments, emphasizing the need for a shift in architectural thinking due to the dynamic nature of cloud networks. It highlights various security components and considerations, including the importance of security segregation and the unique features of different cloud network types. Additionally, it outlines best practices for effective security management and emphasizes the necessity of adapting security approaches to fit the software-defined nature of cloud environments.
A Pragmatic Approach to Network Security Across Your Hybrid Cloud Environment
- 1. A Pragmatic Approach to Network Security Across Your Hybrid Cloud Environment Nimmy Reichenberg VP Strategy Rich Mogull Analyst and CEO
- 2. 2 | Confidential WHAT IS THE #1 REASON COMPANIES MOVE TO THE CLOUD?
- 3. 3 | Confidential COST AGILITY
- 4. 4 | Confidential AlgoSec simplifies, automates and orchestrates security policy management to enable you to Manage Security at the Speed of Business
- 5. Cloud and DevOps • Cloud is a new operational model. • It requires a re-thinking of fundamental architectures. • DevOps is a new operational framework, highly attuned to cloud. • Both shatter existing security approaches.
- 6. The Technical Security Challenge • The vast majority of information security is really infrastructure-centric security. • Infrastructure-centric security relies on fixed locations of relatively static resources. • Even many of our application security models rely on fixed infrastructure. • It is context-unaware. DevOps and cloud are all about context.
- 8. Network Security Challenges • Virtual networks don’t provide the same visibility. • Cloud networks are managed via APIs. • Cloud networks change constantly, and quickly. • Cloud networks look the same, but aren’t.
- 9. The same words mean different things…
- 10. Cloud Network Types • Network hardware handles config. • Limited customization and IP ranges. • Poor Security segregation. VLAN SDN • Configuration and management abstracted from underlying hardware. • Software-defined and managed. • Massive flexibility.
- 11. Cloud Network Types • Network hardware handles config. • Limited customization and IP ranges. • Poor Security segregation. VLAN SDN • Configuration and management abstracted from underlying hardware. • Software-defined and managed. • Massive flexibility.
- 12. Getting Started • Public Network • Private Network • Hybrid Cloud • Gateways and VPNs • Regions/Locations • Zones (Availability Zones) • Autoscaling • Security Groups
- 13. Public Network
- 14. Private Network
- 16. Hybrid Network • Extends on-premise network • Technically, has to extend a private cloud. but that’s a “purist” definition we don’t use in practice. • Harder to secure, and consistency becomes critical. Each side affects the other. • Best when you need to connect to legacy things.
- 17. Hybrid Connection Options Direct/Private Line VPN VPN
- 18. Network Security Controls Cloud Providers Give You Commercial Options • Perimeter Security • Security Groups • ACLs • Physical Security Appliances • Virtual Security Appliances • Host Security Agents
- 19. How it all works (in Amazon)
- 25. cba Web App cba
- 26. cba Web
- 27. Subnet 1 Subnet 2
- 28. cba Web X X
- 29. Immutable Infrastructure Source Code GitCloudformation Templates Jenkins Functional Tests Chef Recipes Chef Server NonFunctional Tests Security Tests Test Prod Chef Server Chef Server
- 30. Building Your Program • Key considerations: • Provider specific limitations and advantages • Application needs • “New” architectures • Impact of elasticity • How you will manage
- 32. Design the Security Architecture
- 33. Manage Operations • Organizing and staffing • Use dedicated, trained people • Discover • Procurement can help, network scanning can’t (except sometimes for hybrid) • Access requests to data/applications • Integrate with development • Build a handbook of approved patterns • Have a cloud security architect to help with design • Provide automation code and support • Policy enforcement • Limit entitlements for security operations • Template and automate as much as possible • Automate change monitoring/management
- 34. Managing Hybrid • Normalize security • Translate rules based on application needs, don't blindly apply. • Understand the difference between security groups and firewall rulesets. • DON’T JUST CONVERT TO ACL’s • Don’t just drop in virtual appliances out of habit; always start with cloud features • If migrating applications, watch out for network configurations
- 35. The AlgoSec Suite Application-Centric Approach Abstraction of Underlying Network Consistency across Hybrid-Cloud
- 36. The AlgoSec Suite Move servers from on-prem datacenter to AWS
- 37. The AlgoSec Suite Topology Analysis Discovers New Path Proactive Risk and Compliance Assessment Relevant Security Groups Added/Modified On-Prem Firewall Rules Decommissioned Log and Audit Trail Logical Application Connectivity Unchanged!
- 44. Summary • Cloud networks may look the same, but they aren’t. • Segregation is your most powerful security control, and you get it by default. • Hybrid networks are tougher, and need extra security care and feeding. • Once you accept that cloud networking is “software defined everything”, adapting your security knowledge isn’t very difficult.
- 45. SECURITY FUNDAMENTALS STAY THE SAME • Monitoring • Least privileged • Change management • Risk analysis • (Micro) Segmentation • Governance • Compliance 45 | Confidential
- 46. ALL THIS IN A SINGLE PANE Secure Application Connectivity Security Policy Change Management Continuous Compliance and Auditing Security Policy Optimization Security Policy Risk Mitigation Network Segmentation Enforcement
- 47. Rich Mogull Securosis @rmogull Nimmy Reichenberg AlgoSec @algosec Find out more at - www.algosec.com blog.algosec.com