Network Security Requirements and Solutions

Academic year: 2021

Critical Criteria For (Cloud) Workload Security

Steve Armendariz, Enterprise Sales Director

Act 1 - Tenets of Traditional Server Security

• Servers in a trusted network
• Segmentation for added protection
• Anti-malware (virus) for all servers, added security capability for critical servers
• Security had time to plan, test & deploy for each new application
• Provisioned with plentiful overhead

Act 2 - Server Virtualization – A New Dawn

• Economic benefit to adoption
• Combatting data center sprawl
• Physical servers more powerful
• Pressure applied on Security to be:
  • Faster
  • More efficient
  • More accurate

Virtualization Impacts Traditional Security

• Servers in a trusted network
• Segmentation for added protection (shared hardware = segmentation challenges)
• Anti-malware (virus) for all servers, added security products for critical servers (difficult given VM density, overhead impact and licensing)
• Security had time to test & deploy for each new application (policies and images became more powerful)
• Provision with plentiful overhead

Act 3 - Server Workloads - The Next Wave

• Utility Computing
• Cloud servers or “cloud server workloads” in the data center, public cloud, private cloud or any combination
• These server workloads are:
  • On-demand, Elastic and Agile
  • Cloned, Orchestrated and Automated
  • Often short-lived
  • Can be “containers” (e.g. Docker)
  • Possibly never patched

Data Center Architecture Changes

[Diagram: three zones, Data Center, Public Cloud and Internet, with the server instances in each zone and the on-server security applied to them]

Data Center
• Critical Server Instances - on-server security: Anti-Malware, Vulnerability Scan, Config. Monitor, HIPS/HIDS, FIM
• Semi-critical Server Instances - on-server security: Anti-Malware, Vulnerability Scan

Public Cloud
• Some Semi-critical Server Instances - on-server security: Anti-Malware, Vulnerability Scan

Internet

Server Workloads Break Security

• Servers in a trusted network (Cloud viewed as non-trusted)
• Segmentation for added protection (shared hardware = segmentation challenges)
• Anti-malware (virus) for all servers, added security products for critical servers (difficult given VM density, overhead impact and licensing)
• Security had time to test & deploy for each new application (Security must move faster, often with little lead time)
• Provision with plentiful overhead (at odds with VM density)

Servers viewed as

• Public Cloud servers only accessible from inside the data center’s trusted network
• Positioned by many cloud providers to resolve “Tenet #1”
  • “Servers in a trusted network…”
• Issues
  • Can be cost prohibitive
  • May impact performance
  • Does not mitigate security issues

Are Data Center Networks Really Secure?

Workload Security – The New Tenets

• Embrace the “Workload as an Application Building Block” philosophy
• Take advantage of automation and orchestration
• Small footprints matter
• Minimize staff overhead
• Total visibility

The Basics Still Apply

• Use server (host) firewalls
• Reduce attack surface
• Manage East-West traffic
• Require multi-factor authentication for server logins
• Monitor configurations for “drift”
• Discover & address vulnerabilities
• Monitor system file integrity
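Two of the basics above, monitoring system file integrity and monitoring configurations for drift, are small enough to show end to end. The following is an added example written for this page, not code from the slides or from CloudPassage: a baseline of SHA-256 file hashes is taken (as one would from a gold image at instantiation), a later scan is compared against it, and a golden set of configuration keys is compared against what a host reports. The monitored files, the edits made to them and the sshd-style settings are all constructed inside demo() purely for illustration.

```python
"""Added example, not part of the slides: a minimal host-side check for two of
the 'Basics' listed above, file integrity monitoring (FIM) and configuration
drift detection. The monitored files and the 'golden' configuration are
constructed inside demo() for illustration only.
"""
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks so large files stay cheap."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Map every regular file under root (POSIX relative path) to its SHA-256.

    In practice the baseline is taken from the gold image at instantiation
    and stored off-host, so a compromised workload cannot rewrite it.
    """
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare_baseline(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify every difference between the stored baseline and a fresh scan."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def config_drift(golden: dict[str, str], observed: dict[str, str]) -> list[str]:
    """Report golden settings that are missing or changed on the host."""
    return sorted(
        f"{key}: expected {want!r}, got {observed.get(key)!r}"
        for key, want in golden.items()
        if observed.get(key) != want
    )


def demo() -> tuple[dict[str, list[str]], list[str]]:
    """Run both checks against constructed data and return their findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        baseline = build_baseline(root)  # taken at instantiation

        # Constructed changes made outside change control: one file edited,
        # one file dropped into a scheduled-job directory, one file removed.
        (root / "etc" / "passwd").write_text(
            "root:x:0:0:root:/root:/bin/bash\nsvc:x:1001:1001::/home/svc:/bin/sh\n"
        )
        (root / "etc" / "cron.d").mkdir()
        (root / "etc" / "cron.d" / "unexpected").write_text("* * * * * root /opt/job.sh\n")
        (root / "etc" / "hosts").unlink()
        changes = compare_baseline(baseline, build_baseline(root))

    # Golden sshd-style settings versus what a scan of the host found (constructed).
    golden = {"PermitRootLogin": "no", "PasswordAuthentication": "no", "Port": "22"}
    observed = {"PermitRootLogin": "yes", "Port": "22"}
    return changes, config_drift(golden, observed)


if __name__ == "__main__":
    fim, drift = demo()
    for kind, files in fim.items():
        print(f"FIM {kind}: {files}")
    for finding in drift:
        print(f"Config drift: {finding}")
```

The comparison deliberately reports a missing key (PasswordAuthentication) as drift rather than skipping it, since a setting that has silently disappeared from a config file usually falls back to a less safe default. On a real workload the baseline and the golden configuration would be written into the gold image and shipped off-host with the scan results, so that the control survives the short-lived, cloned instances the earlier slides describe.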

Approaches to Workload Security

• Do it manually with multiple security tools
  • Too time consuming
  • Many consoles, difficult integration
• Use orchestration tools with multiple security tools
  • Many consoles, difficult integration
  • Set of security tools can consume more resources than what they’re protecting

CloudPassage Halo: Instant Layered Security for Every Server Workload

• One tool providing 8 layers of visibility & enforcement
• Using less compute resources than a single-layer point product
• Highly automated; “set and forget” security
• Add to gold images, protects servers at instantiation

CloudPassage Halo

• A Security Orchestration Framework
  • Integrated and layered security
  • Automated into your workflow
• Visibility
  • See vulnerabilities, configuration errors, file integrity, access – no matter where the workload is
  • Apply controls – even quarantine workloads
• Compliance
  • Drive automation to audits
  • Continuous vs. point-in-time

The Collin College Engineering Department

Collin College Student Chapter of the North Texas ISSA

North Texas ISSA (Information Systems Security Association)
