Outpost24 webinar : how to secure your data in the cloud - 06-2018
1. How to secure your data in the cloud
Sergio Loureiro, Director Product Management
2. Objective
• The lack of visibility and control in hybrid and multi-cloud environments
• Why security automation is mandatory for agile environments
• Why traditional solutions do not cope with cloud and containers
• A 3-step plan for data security in AWS, Azure and Docker
8. Securing the Migration Journey to IaaS
source: https://www.rightscale.com/lp/state-of-the-cloud
Customer Challenges
- Assess a different kind of infrastructure
- Time-consuming permission process
- Evaluate configurations for all instances and storage
9. Growth of Container Adoption with DevOps Trend
Customer Challenges
- Evaluate container environments
- Evaluate container configurations and management
source: https://www.docker.com/what-container
10. Security Automation is Mandatory for DevOps
• Auto-discovery of assets by API
• Security checks launched automatically
• Agentless is less costly to manage and works with serverless
• DevOps is changing when, who and how security management is done
11. Why traditional solutions do not cope with cloud?
• Shared responsibility model and new cloud services every week
• Elasticity and agile delivery
• Changing IPs
• License model
• Cloud shadow IT
• APIs for everything
• Publicly accessible
• New layer of configuration (and misconfigurations)
12. Overview of AWS and Azure security capabilities
AWS
- Security Groups (firewall)
- Trusted Advisor (high-level checks)
- Inspector (assessment)
- Key Management Service
- Identity and Access Management
- Macie (DLP)
- GuardDuty (threat detection)
- Shield (DDoS protection)
- WAF (web application firewall)
Azure
- Azure Security Center
- Network Security Groups (firewall)
- Key Vault
- Endpoint Protection
- VM agent
- …
+ Integration with security partner solutions
13. What’s missing from AWS and Azure?
1. Putting all security services together and assessing that continuous changes are not bringing added risk
2. Workload (applications + data) security: your own stuff
16. Let’s draw a plan
- 1st step: workload security assessment + cloud configuration assessment
- 2nd step: security automation for continuous assessment
- 3rd step: extend to new services
17. 1. Comprehensive Solution
- Vulnerability Management identifies vulnerabilities
- Application Security evaluates applications
- Cloud & Container Security assesses configurations and workloads
Combines all 3 into one solution
18. 2. Continuous Workload Analytics
• Implementation of CIS benchmarks: AWS, Azure, Docker and Kubernetes
• Using the IaaS provider's or hypervisor's APIs
• Auto-discovery for elastic scenarios, zero configuration
• Real-time alerts on configuration issues
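Slides 10 and 18 describe the same loop: pull inventory from the provider API instead of an agent, run benchmark checks over it, and alert on what changed. The script below is an added illustration and is not Outpost24 code. It evaluates two checks over constructed JSON that mirrors the shape of `aws ec2 describe-security-groups` and `aws s3api get-bucket-policy` output: CIS AWS Foundations 1.1.0 controls 4.1 and 4.2 (no security group ingress from 0.0.0.0/0 to 22 or 3389; the ::/0 handling is an extension beyond that benchmark version) and a public-bucket-policy check for the "misconfiguration gives access to data" point. The sample group IDs, bucket name, and role ARN are made up.

```python
"""Agentless CIS-style checks over cloud API output (added example).

No network calls: the inputs are constructed documents in the shape of
the EC2 describe-security-groups and S3 get-bucket-policy responses.
"""
from __future__ import annotations

import ipaddress
import json
from dataclasses import dataclass

# CIS AWS Foundations 1.1.0: 4.1 (SSH) and 4.2 (RDP) must not be open to the world.
ADMIN_PORTS = {22: ("CIS AWS 4.1", "SSH"), 3389: ("CIS AWS 4.2", "RDP")}


@dataclass(frozen=True)
class Finding:
    control: str
    resource: str
    detail: str


def _is_world(cidr: str) -> bool:
    """True for 0.0.0.0/0 or ::/0 (the IPv6 case is an extension of the 1.1.0 text)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def _port_in_rule(rule: dict, port: int) -> bool:
    """Does this IpPermission entry admit TCP traffic on `port`?"""
    proto = rule.get("IpProtocol")
    if proto == "-1":            # "all traffic" rules carry no port range
        return True
    if proto not in ("tcp", "6"):
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def check_security_groups(describe_output: dict) -> list[Finding]:
    """Flag any group whose ingress admits an admin port from an any-address CIDR."""
    findings: list[Finding] = []
    for sg in describe_output.get("SecurityGroups", []):
        for rule in sg.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                if not _is_world(cidr):
                    continue
                for port, (control, name) in ADMIN_PORTS.items():
                    if _port_in_rule(rule, port):
                        findings.append(Finding(control, sg["GroupId"],
                                                f"{name} (tcp/{port}) open to {cidr}"))
    return findings


def check_bucket_policy(bucket: str, policy_json: str) -> list[Finding]:
    """Flag Allow statements granted to a wildcard principal with no Condition."""
    findings: list[Finding] = []
    for stmt in json.loads(policy_json).get("Statement", []):
        principal = stmt.get("Principal")
        wildcard = principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")
        if stmt.get("Effect") == "Allow" and wildcard and "Condition" not in stmt:
            actions = stmt.get("Action", [])
            actions = [actions] if isinstance(actions, str) else actions
            findings.append(Finding("public-bucket-policy", bucket,
                                    f"Allow {', '.join(actions)} to Principal *"))
    return findings


def new_findings(previous: list[Finding], current: list[Finding]) -> list[Finding]:
    """Continuous-assessment step: alert only on findings absent from the last run."""
    seen = set(previous)
    return [f for f in current if f not in seen]


# Constructed sample inventory (not real accounts): one clean web group, one
# bastion with SSH open to the world, one legacy group allowing all traffic from ::/0.
SAMPLE_SGS = {"SecurityGroups": [
    {"GroupId": "sg-0a1b2c3d", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0e4f5a6b", "GroupName": "bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0c7d8e9f", "GroupName": "legacy", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]}

# Constructed bucket policy: public read plus a properly scoped write grant.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-data/*"},
    {"Sid": "AppWrite", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
     "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::example-data/*"},
]})


def run_checks(sgs: dict = SAMPLE_SGS, bucket: str = "example-data",
               policy: str = SAMPLE_POLICY) -> list[Finding]:
    return check_security_groups(sgs) + check_bucket_policy(bucket, policy)


if __name__ == "__main__":
    for f in run_checks():
        print(f"ALERT {f.control} {f.resource}: {f.detail}")
```

In a real deployment the two sample documents would be replaced by the live API responses (for example the `boto3` `describe_security_groups` and `get_bucket_policy` calls) fetched on a schedule or on a CloudTrail/Event trigger, and `new_findings` would be fed the previous run's results so that only drift raises an alert.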
19. 3. Extend to new cloud services
• Orchestration possible by API
• Integration into CI/CD setups for containers
• Virtual appliances available for Azure and AWS for private assets
• Managed Services, Snapshot and Professional Services plans available
24. Supporting Material
• EWP web: https://outpost24.com/cloud-security
• EWP white paper - https://marketing.outpost24.com/cloud-security-whitepaper
• AWS best practices white paper - https://marketing.outpost24.com/aws-security-whitepaper
Looking for more?
• Gartner Cloud Workload Protection Platform (CWPP) research
• Cloud Security Alliance Security Guidance version 4
• Latest CIS benchmarks for Amazon AWS 1.1.0 and Microsoft Azure 1.0.0
• Demo accounts available on request
Customer uncertainty is your entry point
“How quickly are you moving workloads to the cloud?”
“How quickly will your DevOps team migrate to containers?”
“How are you handling security assessments in the cloud?”
“What makes you confident with your cloud provider’s security capabilities?”
Note: this is a Microsoft slide and over-simplified;
the “security” box means basic protections like AV
Workloads = applications + security + data + OS
Misconfiguration will give access to data; every service can give access to your data
New infrastructure, new security pains, new knowledge
In 2010, AWS was a $200M business; last year they did $17B. Azure is catching up, so currently we are focusing on the top 2
In Gartner’s terms – Outpost24 covers the Core workload protection strategies
In CIS terms – Outpost24 addresses benchmarks for required technologies
In CSA terms – Outpost24 covers Essential characteristics, PaaS and IaaS service models, and Public-Private-Hybrid deployment models
Outpost24 acquired SecludIT in January 2018, a cloud security pioneer and founding member of CSA
Put data in perspective: all the ways of getting to your data
Data sovereignty scenarios where data does not leave customer premises: regional or country-specific clouds, data that never leaves the customer's cloud account, etc.