Comprehensive Cloud Security Requires an Automated Approach

Andras Cser, VP and Principal Analyst Forrester Research

Carson Sweet, CEO and Co-founder CloudPassage November 12, 2013

Cloud Security: Automation and Centralization Matters

Andras Cser, VP and Principal Analyst

November 12, 2013

 Why is Cloud Security Important Challenges with Cloud Security Forresters Recommendations

Agenda

2013 Forrester Research, Inc. Reproduction Prohibited

 Why is Cloud Security Important Challenges with Cloud Security Recommendations

Agenda

2013 Forrester Research, Inc. Reproduction Prohibited

Cloud-based Services Employed Regularly

Which of the following cloud-based services have you employed on a regular basis?"
Compute (e.g., Amazon EC2, Microsoft Azure VM Role) Storage Relational database (e.g. SQL Azure) Development tools/IDE (e.g. Cloud9, Cloud Foundry) Social (e.g., Salesforce Chatter) Messaging Content management Message queuing Integration (e.g., Dell Boomi, IBM Cast Iron) Application-level caching Content delivery network Mobile back end BPM Nonrelational database Don't know Other 3% 2% 26% 23% 23% 21% 18% 16% 14% 33% 33% 31% 37% 42% 50% 49%

Base = 175 software developers from companies with 1,000 or more employees
Source: Forrsights Developer Survey, Q1 2013
2013 Forrester Research, Inc. Reproduction Prohibited 5

Which of the following initiatives are likely to be your IT organization's top project and organizational priorities over the next 12 months? Increase our use of software-as-a-service (cloud applications)

Critical or High priority

48%

Low priority

35%

Not on our agenda

15%

Don't know

1%

Base: 1,176 North American and European IT decision-makers at firms with 1,000 or more employees

Source: Forrester Software Survey, Q4 2012

2013 Forrester Research, Inc. Reproduction Prohibited 6

Why Cloud Security is like a two component glue, a unique blend:

A: The Cloud is not just a new delivery platform B: Cloud Security is NOT just continuing security and extending it to the cloud
2013 Forrester Research, Inc. Reproduction Prohibited 7

Cloud Pulls the CISO in Many Directions

1. Cloud Offers Irresistible Benefits 2. LOB procures cloud services

CISO and Security Organization Changes, aka Uneven Handshake

5. Security Struggles to Reduce Cloud Security Risks
2013 Forrester Research, Inc. Reproduction Prohibited

4. Data Center Is Loosely Coupled

3. CISO Cant Say No All the Time

8

Cloud Security Means a Lot of Things to a Lot of People

What interfaces our company has to have to work well with our Cloud Providers? (Security To the Cloud) How can a Cloud Provider (like Amazon Web Services or SalesForce.com) prove to us that they are secure? (Security In the Cloud) How can our company make its internal (and in some cases, Cloud Provider) security better? (Security From the Cloud) What are the organizational implications of Cloud and Cloud Security to our IT security organization?
9

2013 Forrester Research, Inc. Reproduction Prohibited

Cloud Security Prepositions

 Why is Cloud Security Important Challenges with Cloud Security Recommendations

Agenda

2013 Forrester Research, Inc. Reproduction Prohibited

11

General Challenges with Cloud Security

Ease of Use for End Users (you cant control end users)
Cloud security should not require users to change behaviors or tools

Inconsistent Control (you dont own everything)

The only thing you can count on is guest VM ownership

Elasticity (not all servers are steady-state)

Cloudbursting, stale servers, dynamic provisioning

Scalability (highly variable server counts)

May have one dev server or 1,000 production web servers

Portability (same controls work anywhere)

Nobody wants multiple tools or IaaS provider lock-in

2013 Forrester Research, Inc. Reproduction Prohibited

12

Challenges with Cloud Security

Data protection Workload separation and multi tenancy Information Rights Management SaaS providers dont help much with security related
concerns

Network Security Identity and Access Management (IAM) and Privileged Identity Management (PIM) Business Continuity and Disaster Recovery (BCDR) Log Management (SIEM)
13

2013 Forrester Research, Inc. Reproduction Prohibited

Cloud Does NOT Shift the Responsibility of Data Protection

When data is transferred to a

cloud, the responsibility for protecting and securing the data typically remains with the collector or custodian of that data.
Cloud Security Alliance, Guidance v3.0

2013 Forrester Research, Inc. Reproduction Prohibited

14

 Why is Cloud Security Important Challenges with Cloud Security Protecting Data In the Cloud Recommendations

Agenda

2013 Forrester Research, Inc. Reproduction Prohibited

15

When it comes to responsibilities

How do we avoid this?

Whos Responsible for IaaS Security?

AWS Shared Responsibility Model
Customer Responsibility Data App Code App Framework Operating System

the customer should assume responsibility and management of, but not limited to, the guest operating system and associated application software... it is possible for customers to enhance security and/or meet more stringent compliance requirements with the addition of host based firewalls, host based intrusion detection/prevention, encryption and key management. Amazon Web Services: Overview of Security Processes

Virtual Machine Provider Responsibility Hypervisor Compute & Storage Shared Network

Physical Facilities

Think Security From the Cloud

Typical questions and requirements: How can you source security services from MSSPs? How can you protect security and data at our cloud providers? In general: How do we integrate on existing onpremise security with the MSSPs security products?

Do your homework

Get as much detail around security from your SaaS provider as you can between you and your IaaS/PaaS provider

Set clear boundaries for security responsibilities

Data protection, data protection, data protection Dont build your own tools Apply comprehensive approach to cloud security Centralize and scale security policy management for
your cloud

Automate your security (you cant manually configure thousands of servers)

19

2013 Forrester Research, Inc. Reproduction Prohibited

 2013 Forrester Research, Inc. Reproduction Prohibited

20

Thank you
Andras Cser +1 617.613.6365 acser@forrester.com

Security automation for virtualized & cloud environments

Problem: Infrastructure Security Is Behind

Infrastructure more distributed and dynamic than ever Current security models neither dynamic nor distributed Perimeters, appliances, hardware reliance, stable
configurations, change control, endpoint security solutions all marginalized to worthless in new models

Without infrastructure security, all other security measures are weak (castle on sand, not bedrock)

Security teams cant assure security or compliance, being dragged behind business

The Old Model: everything behind firewall, low rate of change, very few infrastructure stacks

The New Model: multiple stacks, broadly distributed, legacy approaches fail

Security Buyer Challenges

Achieving compliance in cloud environments
PCI, HIPAA, ISO 27002, SOC2, SANS Top 20, NIST

Disparate systems & high rate of change

Dynamic is core to cloud, new mode of operation Security orchestration & automation underserved needs

Existing products dont work well (if at all)

Technically designed for a different time
Do not match up to dynamic cloud operational models

Why Do Existing Solutions Fail?

Network & hardware dependencies

Cannot operate across cloud models

Lack of meteredusage licensing

Cannot handle elasticity or wide distribution

How we built high-scale security & compliance automation

Objective: Consolidate & Automate Controls

Halo Security Automation Platform

Automation Needs To Work Anywhere

Automation Must Extend Current Tools

Security Automation Outcomes

Massive reduction in security ops overhead

Automated control deployment & orchestration Consolidation of otherwise disparate functions Single point of security & compliance management

Security and compliance consistency

Security & compliance thats truly built-in
Eliminates opportunities for human error Deploy once, certify many (complex compliance)

Enables safe use of cloud models

Security teams have confidence in controls Cloud projects dont require manual intervention

Key Takeaway:

Automating security enables saying yes to cloud, improves security, and makes complex compliance achievable.

Questions?