Security Across the Cloud Native Continuum with ESG and Palo Alto Networks

1. Security Across the Cloud Native Continuum with ESG and Palo Alto Networks

2. Today’s Speakers Doug Cahill Practice Director and Senior Analyst, Enterprise Strategy Group John Morello VP, Product, Twistlock, Palo Alto Networks

3. © 2019 by The Enterprise Strategy Group, Inc. Cloud-native (adj.) - applications built on an elastic, microservices-based architecture and managed via agile DevOps processes. … but not necessarily deployed in and delivered from a public cloud

6. © 2019 by The Enterprise Strategy Group, Inc. Containers Have Moved from Dev and Test to Production 37% of organizations running containers in production report being ahead or significantly ahead of app deployment schedules 76% 21% 3% Yes, we currently use containers for production applications We plan to use containers for productionapplications in the next 12 months (dev/test/staging only) No, but we are interested in containers

7. © 2019 by The Enterprise Strategy Group, Inc. Serverless functions are quickly being adopted Yes, we use serverless extensively, 35% Yes, we use serverless on limited basis, 18% We plan to start using serverless in the next 12-24 months, 16% We are evaluating serverless, 28% We have no plans to use serverless, 3% Don’t know, 1%

8. © 2019 by The Enterprise Strategy Group, Inc. Production Server Workloads are, and will be, a Heterogenous Mix Serverless, 15% Serverless, 20% Containers, 23% Containers, 26% Virtual machines, 34% Virtual machines, 30% Bare metal servers, 28% Bare metal servers, 23% Percent of production workloads runon each server type today: Percent of production workloads runon each server type in 24 months: 0% 20% 40% 60% 80% 100%

10. © 2019 by The Enterprise Strategy Group, Inc. 26% 30% 33% 33% 35% 35% 43% We have not experienced any challenges Our existing security tools do not support cloud native environments Meeting prescribed best practices for the configuration of cloud- resident workloads and the use of cloud APIs Lack of visibility into the activity of the infrastructure hosting our cloud-native applications Our application development and DevOps teams do not involve our cybersecurity team due to fear of being slowed down Lack of understanding of the threat types, and attack vectors and methods specific to our cloud-native applications Use of multiple cybersecurity controls increases cost and complexity Maintaining security consistency across our own data center and public cloud environments where our cloud-native applications… TOP CHALLENGES The People, Process, and Technology Concerns of Securing Cloud-native Apps

11. © 2019 by The Enterprise Strategy Group, Inc. Less Control, More Concern The elements of cloud-native Apps of most concern Serverless cloud functions, 29% Cloud service provider, 23% Application code, 15% Application containers, 15% Orchestration platform, 9% Docker host layer, 6% Other, 1% Don’t know, 2%

12. © 2019 by The Enterprise Strategy Group, Inc. 22% 26% 26% 26% 27% 28% 29% 32% 32% An infectedcontainer cancross-contaminate other containers Automating the integrationof container security controls via ourcontainer orchestration platform Portability makes containers more susceptible to “in motion” compromises There is a lack of mature cybersecuritysolutions forcontainers The speed atwhichcontainers are built and deployed results in security controls not being included fromthe outset The potentialfor container sprawl couldresult in poorly managedcontainers leaving our production environment(s) vulnerable Our current server workload security solutiondoes notsupport or offerthesame functionality forcontainers, requiring that we use a separate container security solution adding costand… We needtoverify images storedina container registry meetour security and compliance requirements tobe trusted for production Aligning the implementationarchitecture of a container security controlwithour intended containerdeploymentmodel Container Security In addition to process and technology, alignment with deployment plans is a top security concern

13. © 2019 by The Enterprise Strategy Group, Inc. Top-of-Mind Attack Types Run the Gamut 43% 43% 43% 44% 45% 46% 48% 49% 49% 54% 40% 46% 47% 45% 47% 43% 44% 40% 42% 38% 17% 12% 11% 11% 8% 12% 8% 10% 9% 9% The misuse of a privileged account by… Ransomware Mis-configured cloud services,… “Zero day” exploits that take… Attacks that results in the loss of data… The misuse of a privileged accounts,… Malware Exploits that take advantage of known… Targeted penetration attacks Exploits that take advantage of known… 0% 20% 40% 60% 80% 100% Veryconcerned Somewhat concerned Not concerned

17. © 2019 by The Enterprise Strategy Group, Inc. Agile and DevOps Adoption are in Lock Step Yes, we employ agile extensively, 31% Yes, we employ agile in a limited fashion, 21% We plan to employ agile in the next 12- 24 months, 16% We are interested in agile, 28% We do not employ agile and have no plans to do so, 3% Don’t know, 1% Yes, we employ DevOps extensively, 34% Yes, we employ DevOps in a limited fashion,… We plan to employ DevOps in the next 12-24 months, 16% We are interested in DevOps, 25% We do not employ DevOps and have no… Don’t know, 1% AGILE ADOPTION DEVOPS ADOPTION 17

18. © 2019 by The Enterprise Strategy Group, Inc. We have incorporated security into our DevOps processes extensively, 36% We have incorporated security into our DevOps processes in a limited fashion, 19% We plan to incorporate security into our DevOps processes, 22% We are evaluating security use cases that can be incorporated into our DevOps processes, 20% We have not yet discussed how security fits with our DevOps processes, 2% Growing Adoption of DevSecOps Need for specificity of uses and repeatability via security-as-code 18

21. © 2019 by The Enterprise Strategy Group, Inc. Sample Secure DevOps Use Cases Agile User Stories by Environment DEV - SDLC integrated AppSec • Composition analysis • Static code analysis TEST - Reduce attack surface at build-time • Eliminate known vulnerabilities • Harden configurations of workloads and services PROD - Policy-based runtime controls • Least privilege, anti-threat, anomaly detection, auditing • Policy by tag, and thus templates, for consistency 21

22. © 2019 by The Enterprise Strategy Group, Inc. More Apps Will be Secured via DevSecOps Over Time 7% 27% 26% 34% 8%1% 7% 24% 33% 35% 1% Less than 10% of apps 10% to 25%of apps 26% to 50%of apps 51% to 75%of apps More than 75% Don’t know Percent of production cloud-native applications secured via DevSecOps today (N=200) Percent of production cloud-native applications secured via DevSecOps 24 months from now (N=352) 22

24. Security Across the Cloud Native Continuum

25. Software is eating the world Every org is becoming a software org Software orgs need modern tools DevOps, containers, and cloud native are those tools The world is dangerous ‘Democratization’ of sophisticated attacks Security teams and SOCs overloaded Your own software is the softest target

26. Think about your cloud native infrastructure… it’s abstraction on top of abstraction, especially from a networking standpoint Everything is ephemeral and everything is constantly changing — many more entities to secure Security is largely in the hands of the developer Security needs to be as portable as the applications Cloud Native Makes It Harder...

27. The nature of cloud native applications allows for a new approach to security Apply machine learning to understand actual runtime behavior Build models of what applications should do to detect and prevent what they shouldn’t …But Also Easier

28. Defining the Cloud Native Continuum Isolation Compatibility Control Density Agility Simplicity

29. Virtual Machines • Greatest levels of isolation, compatibility and control • Full control of the OS, full control of the platform • Can be operated in stateful or stateless fashion • Suitable (but not always optimized) for any type of workload

30. Containers • Increased agility, with decreased control • User still responsible for underlying infrastructure - but you lose the OS control of VMs • Can be complex due to broad configurability • Control can be shared between Developers and traditional operations

31. Containers-as-a-Service • Less control than containers with roll-your- own orchestration, but simpler to operate • More platform lock-in vs. containers or VMs • CaaS bundles runtime, management and orchestration - along with small levels of host control • Developer led infrastructure

32. Serverless • The simplest, most agile technology on the continuum • No control (or often visibility) into the underlying host environment • Devs just build - push functions to the platform • Optimized for on-demand, highly scalable tasks

33. Enabling Better Defense The nature of cloud native technologies allows for a new approach to security Machine learning and automation take manual configuration out of the picture Whitelist what applications should do to detect and prevent what they shouldn’t 33

34. New World Security Shift security left – modeling integrated into CI/CD Policy custom tailored for each application, each build Security that automatically scales with the environment 34

35. In Conclusion • The cloud-first lens: Broad adoption of cloud services has created a cloud security readiness gap, imperative to retool • The cloud-native lens: The rise of microservices is adding complexity and heterogeneity • The DevSecOps lens: A secure DevOps program starts with a cultural shift to treating security a as team sport en route to a full lifecycle approach • The security-as-code lens: Scaling across projects requires repeatability

36. Get Started Take a test drive Prisma Cloud 30-day Free Trial https://marketplace.paloaltonetworks.com/s/product-rdl

37. THANK YOU paloaltonetworks.com Twitter: @PaloAltoNtwks

Security Across the Cloud Native Continuum with ESG and Palo Alto Networks

Esté a ler uma amostra.

Confira estes a seguir

Security Across the Cloud Native Continuum with ESG and Palo Alto Networks

Mais Conteúdo rRelacionado

Diapositivos para si (20)

Semelhante a Security Across the Cloud Native Continuum with ESG and Palo Alto Networks (20)

Mais de DevOps.com (20)

Mais recentes (20)