Chris Swan, CTO, @cpswan
Application centric: How the cloud has changed the way we deploy, secure and connect
Apr 14, 2017
© 2015
Google moves its corporate apps to the Internet
Google Inc., taking a new approach to enterprise security, is moving its corporate applications to the Internet. In doing so, the Internet giant is flipping common corporate security practice on its head, shifting away from the idea of a trusted internal corporate network secured by perimeter devices such as firewalls, in favor of a model where corporate data can be accessed from anywhere with the right device and user credentials. The new model — called the BeyondCorp initiative — assumes that the internal network is as dangerous as the Internet.
(Wall Street Journal | “Google Moves Its Corporate Applications to the Internet” | May 11, 2015 )
Setting the scene
Traditional apps
Business applications are collections of (virtual) servers
Is the “right” traffic going to/from our servers?
[Diagram: Web Tier, AppServer Tier, Database Tier; legend symbol = type of server]
Modern architectures don’t change things that much
Micro services based applications are collections of services
Is the “right” traffic going to/from our services?
[Diagram: Front end services, Business services, Persistence services; legend symbol = type of server]
Enterprise data center
Perimeter Security
Enterprise data centers are filled with these applications, often left insecure by lack of focus on interior network paths.
20% of security spend goes on the “interior”, which carries 80% of the network traffic.
80% of security spend goes on the perimeter, which carries 20% of the traffic.
Hard on the outside, soft on the inside
[Diagram: Perimeter Security; Hacker Penetration]
One penetration creates major “East-West” exposure
[Diagram: Perimeter Security]
On average undetected for 234 days!
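The deck's question "Is the right traffic going to/from our servers (or services)?" and its point about East-West exposure can be checked against the tier model it draws. The following is an added example (not from the deck or its author) that labels constructed flow-log lines as allowed, lateral or violating, assuming a hypothetical host-to-tier inventory and an allow-list in which each tier may only talk to the next one inward:

```python
import re

# Tier model from the deck: Web -> AppServer -> Database (for microservices,
# Front end -> Business -> Persistence). The allowed adjacencies are an
# assumption for this example: each tier may only talk to the next one inward.
ALLOWED = {("internet", "web"), ("web", "appserver"), ("appserver", "database")}

# Constructed host inventory (hypothetical RFC 1918 addresses, not from the deck).
TIER_OF = {
    "10.0.1.10": "web", "10.0.1.11": "web",
    "10.0.2.10": "appserver", "10.0.3.10": "database",
}

FLOW_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+)")

def tier_of(ip):
    """Map an address to a tier; anything outside 10.0.0.0/8 is 'internet'."""
    return TIER_OF.get(ip, "unknown") if ip.startswith("10.") else "internet"

def classify(src, dst):
    """allowed: follows tier adjacency; lateral: stays inside one tier (the
    east-west path a compromised host would use); violation: skips or reverses
    the tier order, or involves a host missing from the inventory."""
    s, d = tier_of(src), tier_of(dst)
    if "unknown" in (s, d):
        return "violation"
    if s == d:
        return "lateral"
    return "allowed" if (s, d) in ALLOWED else "violation"

def audit(log_lines):
    """Return (label, line) for every parsed flow that is not 'allowed'."""
    findings = []
    for line in log_lines:
        m = FLOW_RE.search(line)
        if m:
            label = classify(m.group(1), m.group(2))
            if label != "allowed":
                findings.append((label, line.strip()))
    return findings

# Constructed sample flow log: the normal request path, then two interior
# flows of the kind perimeter-only monitoring never sees.
SAMPLE_LOG = [
    "src=203.0.113.5 dst=10.0.1.10 dport=443",
    "src=10.0.1.10 dst=10.0.2.10 dport=8080",
    "src=10.0.2.10 dst=10.0.3.10 dport=5432",
    "src=10.0.1.10 dst=10.0.1.11 dport=22",    # web host to web host
    "src=10.0.1.11 dst=10.0.3.10 dport=5432",  # web host straight to database
]
```

Running `audit(SAMPLE_LOG)` flags the last two flows (lateral and violation); the three perimeter-facing and tier-adjacent flows pass.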
Cloud architectures have been different
2006 – The lonely (and exposed) VM
2008 - Overlays
2009 - VPCs
Containment often not enough – overlays stayed
Lots of people did something like this
Some even did something like this
And the really large (or paranoid) might do this
Or even this
Thankfully almost nobody tries to do this
What was that perimeter made of?
A quick detour to the worlds of:
Unified Threat Management (UTM) and Application Delivery Controllers (ADC)
Unified Threat Management
Firewall
NIDS/NIPS
AV
Anti Spam
VPN
DLP
Load Balancer
Application Delivery Controllers
Cache
TLS offload
Compression
WAF
Multiplexing
Load Balancer
Traffic Shaping
The UTM & ADC delivery model
SDN and NFV
Networks made from and configured by software
We can put a bunch of ‘network’ onto a VM
Firewall
VPN
Switch
Router
And add more functions into containers
Firewall
VPN
Switch
Router
Cache
TLS offload
WAF
Load Balancer
NIDS/NIPS
This could be thought of as an app centric perimeter
But it refactors very readily into microservices
The audit paradox
Building in
CC photo by WorldSkills
What building in looks like
Bolting on
CC photo by arbyreed
What bolting on looks like
PaaS gives us the chance to ‘bolt in’
But Docker adoption shows a movement against opinionated platforms
If a security event happens and it isn’t monitored
Some challenges remain
ToDo: SecDevOps
APIs are necessary but not sufficient: they need to be integrated into the overall system
Control metadata (and its mutability): must be visible and understandable
Security events need to be captured: then turned into something humans can action