1. Security & Compliance for
Enterprise Cloud Infrastructure
Carson Sweet
CEO, CloudPassage
carson@cloudpassage.com

2. Agenda
• Evolving cloud use cases and trends
• System and data protection, then and now
• Pros and cons of common “next-generation”
system and data protection approaches
• CloudPassage approach to cloud application
infrastructure protection
• Discussion, Q&A
2

3. Top Cloud Infrastructure Use Cases
3
Dev-
Test
Big
Data
ITaaS
Shared infrastructure, automated, self-
service IT-as-a-Service (a.k.a. private cloud)
Move development and test environments
to public IaaS providers
Leverage shared private cloud or public
IaaS resources for big-data analytics

4. ITaaS / Private Cloud
Drivers / Benefits
• Increased hardware utilization
• Self-service provisioning
• Decreases IT workload
• Rapid scalability / elasticity
Security Considerations
• Limited-to-no change control
• Flat network architecture
• Not everyone knows security
• Cloud-capable security tools
• Raw tech & ops scaling issues

5. Dev/Test in Public Clouds
Drivers / Benefits
• Decreases IT workload
• Self-sufficient BU
developers
• Opens datacenter capacity
• Less configuration effort
Security Considerations
• Public cloud exposures
• Visibility / oversight
• Production data in test/dev
• Intellectual property

6. Big Data Analytics
Drivers / Benefits
• Massive new capabilities
• Leverage collected data
• Previously unattainable intel
• Product enhancements, risk
intelligence, BI, BPM, etc.
• Cloud analytics = scalable!
Security Considerations
• Private data, public cloud
• Analytics engine contains IP
• Geographic data hosting
• Integrity is paramount

7. Cloud Infrastructure
Security Challenges
7

8. Cloud Benefits Create Security Headaches
8
Virtualized networks
New topologies
No hardware
Highly dynamic
Shared infrastructure
These cloud
“pros” become
security “cons”

9. What Infrastructure Looked Like
• Traditional datacenter infrastructure model
–Vertical application scalability
–Apps running on hardware “islands”
–Few environments to contend with
• Vertical application architectures
–Scalability via hardware choices & optimization
–Topology and hardware essentially arbitrary
–Physical proximity of application components
9

11. 11
Application A Application B
Application C
Application D
Application E

12. 12
Web Tier VMs
A A
A A
Data Tier VMs
A
A
Web App
Appliance
Crypto
Gateway
Network
Firewall
CRITICAL SUCCESS FACTORS:
• Physical Topology Access
• Hardware Acceleration
Network
IDS / IPS

13. Where Infrastructure Is Going
13
• Infrastructure-as-a-Service (public or private)
– Virtualized sharing of commodity hardware
– ITaaS (opex, scalable, dynamic, self-service)
– Flat physical network, distributed topologies
• Horizontal application architectures
– Scale achieved through cloning workloads
– Physical topology, hardware abstracted
– Wide dispersion of application & data components is
desirable

15. A
A A A
A A A
A
A A
A
A A
A
A A
A A
A A
B
B
B
B
C C
C
C
C
C C
D
D D
D
D
D
D D
D D
D
E
E E
E E E
E E E E
E E E
E E
E
E
E
E
E
E E
E E

16. Web App
Applianc
e
Crypto
Gateway
Network
Firewall
Network
IDS / IPS

17. You must reconcile critical security needs with
new infrastructure delivery parameters
• Strong access control
• Vulnerability, exposure and
threat management
• Protection of data in motion
and at rest
• Security & compliance
intelligence
• Operational oversight
Security Hasn’t Changed
• Must work anywhere with
diminished to no control
• Network security highly limited
• Access to hardware
accelerated appliances limited
• Dramatically higher rate of
code & infrastructure change
Delivery Parameters Have

18. “Next-Generation”
Infrastructure Security
18

19. Next Generation Approaches
• Virtual Appliances
– Existing appliance / gateway solutions
• In-Hypervisor Controls
– Controls deployed in virtualization control planes
• Workload-Based Security
– Deployment of controls within actual workloads
(a.k.a. “microperimeters”)

20. Virtual Appliances
• Benefits
– Mirrors existing models, easy to understand
– Existing vendors may offer this model
• Pitfalls
– No hardware acceleration = scalability challenges
– Topological dependencies hinder workload distribution
– Limited functionality, for the same reasons
• Field Observations
– We’ve only seen network security / WAF appliances, none
operating at significant scale

21. In-Hypervisor Controls
• Benefits
– Services available to all VMs on protected hypervisors
– Cannot be modified from within guest VMs
• Pitfalls
– Often hypervisor-specific, cannot be used in public IaaS
– Significant impact to VM density & performance
• Field Observations
– Useful in data centers / private clouds, not hybrid
– Performance and operational challenges abound

22. Workload-Based Security
• Benefits
– Workload is the intersection of scale, portability, control
– Moves security close to application & data constructs
• Pitfalls
– Resource and performance impacted unless done right
– Not operationally scalable without control automation
• Field Observations
– The model that CloudPassage chose as core design
– Being implemented at large scale in finserv, software

23. CloudPassage Approach to
Workload-Based Security
23

24. CUSTOMER CLOUD / DATACENTER
HOSTING ENVIRONMENTS
www
node1,2,(n)
mysql
node1,2,(n)
mongo-db
node1,2,(n)
HALO HALO HALO
• “Dumb” agents with minimal system
overhead (6 MB in memory, under 0.5% CPU)
• Highly scalable centralized security analytics
absorbs 98%+ of required compute cycles
• Transparently scales to protect a few
workloads to tens of thousands
Halo Architecture

25. “Naked” VM Instance
Operating System
Application Code
System Administration Services
Application
Stack
App Storage
Volume
System Storage
Volume
Halo Security Agent
1
2
4 5
67
Agent activates firewall on boot, applies latest
policies, and orchestrates ongoing policy updates.
1
Halo secures privileged access via dynamic firewall
rules using multi-factor user authentication.
2
Scans O.S. configurations for vulnerabilities and
continuously monitors O.S. state and activity.
3
Application configurations are scanned for
vulnerabilities and are continuously monitored.
4
Cryptographic integrity monitoring ensures app
code and binaries are not compromised.
5
Platform monitors system binary and config files
for correct ACLs, file integrity, and vulnerabilities.
6 3
Application data stores are monitored for access;
outbound firewall rules prevent data extrusion.
7
60 Seconds in the Life of a Halo’ed Workload

26. Halo API
Halo Portal

27. What’s Special about CloudPassage Halo?
• Portable, built-in security & compliance automation
– Control provisioning & management automation built into workloads
– Security & telemetry operates transparently across cloud environments
– Enables public, hybrid cloud compliance (PCI, FFIEC, SOC2, HIPAA, etc)
• Technically, financially, operationally scalable
– Central analytics = low impact to systems, low friction with sysadmins
– Metered usage = pay for what’s used (hourly licensing, volume discounts)
– Automation = built-in controls with zero provisioning or configuration
• Consistency, efficiency through automation
– Security is built directly into the stack, synched every 60 seconds
– REST API and toolkit for extensive integration with existing investments
– One central point of visibility and control for systems across multiple clouds

28. Wrapping Up
• Infrastructure-centric security doesn’t work for cloud
– Your cloud migration will demand new approaches
– Next-generation alternatives have pros and cons
• Workload-based security offers distinct advantages
– Moves security closer to applications
– Enables greater scalability and portability
– Can operate in any infrastructure environment
• Talk to your team and start the process now
– Visit cloudpassage.com for white papers, etc.

29. www.cloudpassage.com