4. What Drives Cloud Adoption?
• Developers are the driving force behind cloud adoption
• Main reason developers are using cloud services?
Innovation
ability to move
fast
deploy
infrastructure
without IT
overhead
ship code without
delays
9. Aligning DevOps with Security
Critical questions to answer:
1. What are we protecting?
2. What controls must be in place?
3. How do you integrate security into your daily workflow?
11. Rules of the Road
No Yes
1 Random opinions
Everyone works from same
security blueprint
2 General set of controls
Controls specific
to your cloud blueprint
3 Security gateways and overlays
Security is part of
immutable infrastructure
4 Periodic audits
Security testing part of
regression framework
5
Vulnerabilities are escalated
and negotiated for resolution
Vulnerabilities are bugs
Critical vulnerabilities are critical bugs
12. Perception vs Reality
Our ability to accurately estimate
attack surface is compromised by
our weak sense of perception
More reliable approach:
1. Identify your cloud assets
2. Measure your exposure
3. Implement controls
14. Enumerate Your Cloud Footprint
Generalize common workloads into infrastructure-’blueprints’
Blueprint Driven Approach
Key target assets
Across the Full Stack
1. Magento application and plugins
2. PHP
3. Apache
4. NGINX
5. Redis
6. Maria DB, Elastic Search
7. Linux OS and system tools
8. AWS services
EC2 instances
EC2 instances
VPC
Route 53
Users
Internet
gateway
ELB
MariaDB
MariaDB
AvailabilityzoneAAvailabilityzoneB
Auto scaling
group
Apache PHP
Auto scaling
group
EC2 instances
EC2 instances
FPM
S3
15. Threat model
Identify Most Relevant Threats
Create a threat model for these blueprints
Blueprint
Threat
Model
Blueprint
Threat
Model
Exposure analysis
Post compromise
analysis
Configuration &
Vulnerability Coverage
Required Threat Coverage
(pre-compromise)
Required Threat Coverage
(post-compromise)
Required threat analytics
pre-compromise
post-compromise
Required incident analytics
Required data-sources
Pre compromise
analysis
16. Integrated Alert Logic Controls for Broad Coverage
Build Coverage Model Blueprint
3-Tier Classic
Web
Micro-
service
E-Com
Blueprint
CMS
Blueprint
Magento
Blueprint
Wordpress
Blueprint
Drupal
Blueprint
OWASP Top 10
SQL-Injection attacks
LAMP target coverage
Critical application coverage
Deep HTTP inspection with anomaly detection
Supervised Machine learning
Data-driven intrusion defense
Coverage for key app components
17. Full Stack Security Coverage
Pre-compromise Compromise Lateral Movement
Incident
Investigation
System
Visual | Context | Hunt
Collect
web, host,
network
data
Automatic
Detection
Block | Alert | Log
ML Algorithms
Rules & Analytics
SECURITY
EXPERTS
Assess
Exposure
Block
Critical
Attacks
18. Cloud Security Maturity Model
Basic Cloud
Security Tooling
2
2. Basic Cloud Security
• Agile development team,
coupled to immature security
program
• Minimal use of cloud provider
and OSS security tools
Traditional Security
1. Non-Cloud Native
• Lift & Ship infrastructure
migration
• Traditional on-premises
security tools and processes
• Limited agility
1
DevOps
Integration
3
3. Cloud Native Security
• Security infrastructure part of
deployment pipeline
• Full stack protection across
networks, systems and
applications
• Security does not slow down
innovation
SecDevOps
Integration
D
4. Cloud Security Lifecycle
• Security process part of
continuous integration pipeline
• Mature security assessment
and testing program part of
code deployment process
• Maximum agility and security