HYBRID AND MULTI-CLOUD SECURITY WITH RIGHTSCALE 1
Jul 20, 2015
HYBRID AND MULTI-CLOUD SECURITY
WITH RIGHTSCALE
1
• Bart Falzarano
• Director of Security and Compliance
• Brian Adler
• Principal Cloud Architect
Panelists
2
POLLING QUESTIONS
82% of Enterprises Want Multi-Cloud
Single private 5%
Single public 10%
No plans 3%
Multiple private 14%
Multiple public 13%
Hybrid cloud 55%
82%
Enterprise Cloud Strategy 1000+ employees
Multi-Cloud
82%
Source: RightScale 2015 State of the Cloud Report
17%
21%
21%
18%
24%
17%
26%
17%
23%
24%
25%
25%
27%
28%
Performance
Governance/control
Managing costs
Managing multiple cloud services
Compliance
Lack of resources/expertise
Security
Cloud Challenges 2015 vs. 2014 % of Respondents Reporting These As Significant Challenges
2015
2014
Security Remains #1 Challenge
Source: RightScale 2015 State of the Cloud Report
6
How RightScale Helps with Cloud Security
Workload Security
Standardized configurations,
track versions, automate
patching
Multi-Cloud Visibility
Govern many clouds with
a single pane of glass
Outage-Proof & DR
Ensure applications stay up
during cloud or data center
outages
Audit & Compliance
Maintain a complete audit trail
and comply with regulations
Network & Data Security
Manage cloud network
configurations and encrypt data
Access Control
Integrate to SSO and control
access to cloud credentials
7
Cloud
Provider P
CI
DS
S1
HIP
AA
SSAE16
ISO
27
00
1
CS
A
Fe
dR
AM
P
FIS
MA
Additional certifications, notes, and
references SOC
1
SOC2 SOC
3
Amazon
AWS ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ITAR, FIPS140-2, DIACAP, MPAA
Amazon AWS GovCloud (US) environment
FedRAMP issued for both AWS GovCloud (US) and AWS US
East/West regions
For complete listing see http://aws.amazon.com/compliance/
Microsoft
Windows
Azure
✔ ✔ ✔ ✔ -
✔ ✔ ✔ ✔ CSA CCM audit completed as part of their SOC2 assessment
For complete listing see http://www.windowsazure.com/en-
us/support/trust-center/compliance/
Rackspace ✔ ✔ ✔ ✔ ✔ ✔
- - - Safe Harbor Certified – EU Directive 95/46/EC on the protection of
personal data
SOC2 -Security and Availability Only
For complete listing see
http://www.rackspace.com/about/whyrackspace/
Compute
Engine
✔ ✔ ✔ ✔ ✔ ✔ - - - Data is encrypted on local ephemeral disk and persistent disk. All
data written to disk in Compute Engine is encrypted at rest using
the AES-128-CBC algorithm
For complete listing
seehttps://cloud.google.com/products/compute-engine/
Cloud Provider Security Certifications Matrix
Audit & Compliance
8
Cloud Security Ecosystem
Cloud Provider
Enterprise
RightScale
3rd Party Vendors
Plan for a Cloud Security Ecosystem
• CMDB
• SIEM /Logging / Auditing
• IdP
• Configuration
Management
• Orchestration Workflows
• Web Application Firewalls
• File-Integrity Monitoring
• Continuous Integration
• Source Code
Repositories
Options Abound
9
o RightScale provides
visibility, governance,
auditing across clouds
o Cloud providers offer
cloud-specific security
options
o 3rd party vendors offer
multi-cloud options
o Ability for segregation of
duties: encryption provider
vs cloud storage provider
Capability Who?
Encrypt data in transit Vendor, Enterprise
Encrypt data at rest Vendor, Cloud, Enterprise
Secure communications RightScale, Cloud, Enterprise, Vendor
Systems Configuration
/Network segmentation
Cloud, Enterprise, RightScale
Integrate with IAM RightScale, Cloud, Enterprise, Vendors
Privileged identity
management
RightScale, Cloud, Enterprise
Backup/Replicate data RightScale, Cloud, Enterprise, Vendor
Coordinate BC & DR RightScale, Cloud, Enterprise, Vendor
Log cloud activity RightScale, Cloud, Enterprise, Vendor
Shared Responsibility for Cloud Security
Visibility
• Can you see all your
cloud accounts and
instances?
• Connect to all your
clouds
• Gain visibility to all your
accounts
You Can’t Control What You Can’t See
10
Many Accounts Across Clouds
AWS Azure Google CloudStack OpenStack vSphere
Account
Account
Account
Account
Account
Account
Account
Account
Account
Account
Account
Account
Account
Account
Account
Account
Account
Account Account
Single pane of glass
• Multi-cloud access
• Public clouds
• Private clouds
• Virtualized
• Control access
• Standardize
configuration
• Patch and update
• Audit trails
RightScale: Multi-Cloud Visibility
11
AWS Azure Google CloudStack OpenStack vSphere
• Mostly the same
• Govern and enforce user access
• Configure Role Management
• Context Based Access Control
• Enable Audit reporting
• 3rd Party Identity Providers
• SSO SAML, MFA, Oauth, ADFS
• But…
• How do you handle multiple clouds and
accounts?
• So how do you control cloud credentials?
Considerations for IAM in Cloud
12
“Should this person (user) who
performs this job function and
therefore has these roles assigned
(role) be allowed to access this type
of data as it applies to this particular
account (context)?”
13
• Using Amazon IAM
with RightScale
o Our support portal page
contains information on
using Amazon AWS IAM
with RightScale
o By following this
configuration guideline we
do not require our
customers to register their
master AWS Access ID
and Secret key account
with us.
Secure AWS Access Control
http://support.rightscale.com/06-FAQs/How_do_I_use_Amazon_IAM_with_RightScale%3F
Control Cloud Credentials
What you get:
• Aggregate accounts
across clouds
• Hierarchical organization
of accounts
• Security and access
controls
• SSO integration
RightScale Multi-Cloud Access Controls
14
User B User A User E User D User C
Enterprise Account
Cloud
Account
Cloud
Account
Cloud
Account
Cloud
Account
Cloud
Account
Cloud
Account
Account 2 Account 1
RightScale
Access
Control
Authenticate with
passwords or SSO
Authenticate with cloud
credentials
• AD Agents/Connectors
• Okta, Ping Identity, OneLogin
• Enterprise Directory Services
• Active Directory Federation Services ADFS
• Large Scale Provisioning
• RightScale API for user provisioning
• AD / LDAP integration
http://tinyurl.com/m269g4j
Active Directory / LDAP Integration
15
• Asymmetric keys private/public
• Key Management
• NISTIR 7966 http://tinyurl.com/lhtujnv
• Key storage options
• Hardware Security Modules
• On-premise
• Cloud services
• RightScale
• Encryption of keys -MUST
Key Management -- SSH
16
Enforce Policies
• Catalog of templates that
meet corporate standards
• Configured to your
security requirements
• Define which clouds can
be used
• Control user options and
choices
• Orchestrate and automate
deployment and
operations
Workload Security: From Rogue to Policy-Based
17
Basic instances
Stacks for Dev or Prod Applications
Standardization
• Automate provisioning and
configuration
• Version-controlled
• Follow standards for
versions, patches and
configuration
• Leverage a variety of
scripting languages
• Modular and auditable
• Define Security
Configuration Baselines
Standardize Server Configurations
AWS Azure Google CloudStack OpenStack vSphere
Multi-Cloud Image
Configuration Scripts Containers
18
Standardize System Configurations
19
Load Balancers
App Servers
Master DB Slave DB
Replicate >
DNS
Configure a system: Cloud Application Template (CAT)
Configure a server: • ServerTemplates (portable)
• Docker container (portable)
• AMI
• CloudFormation
• VM template
Increase IT efficiency
o Bring your own
configuration management
o Clone existing
architectures
o Updates and patches
o Monitor and alert
o Auto-scale up and down
Patch and Update
Compliance
Requirements
2
1
o PCI E-Commerce
o HIPAA / PHI/
21CFR11
o NPI / PII
o FTI IRS PUB1075
o MPAA
oData Protection / Encryption
• In-transit: MUST
• At rest: MUST
• In process: DEPENDS
oConsiderations in the Cloud
• Select the right cloud provider
• Some cloud providers encrypt by default
• Review their security documents
• Most Cloud Providers will sign BAA
• Segregate workloads
Data Security
Data Residency with a Global Cloud Platform
Amazon Web Services
Google Cloud Platform
IBM SoftLayer
Rackspace
Windows Azure
Public Clouds
Singapore
Hong Kong
Japan
Texas
DC Area SF Area
Seattle
Chicago
Dublin
London
Amsterdam
Oregon
São Paulo
Midwest
Beijing
Sydney
W Europe
Private Clouds
CloudStack
OpenStack
vSphere
Melbourne
Toronto
Mexico City
Taiwan
22
• HTTPS / TLS
• IP address White Listing
• Private Network connections –Direct Connect, ExpressRoute,
etc.
• VPN IPSEC
Secure Cloud Connections
23
AWS Cage
Customer Cage
AWS Direct
Connect
Azure Cage
Customer Cage
Azure
ExpressRoute
Restful APIs
Comply with policies
• Quickly Audit Security
Groups
• Interactive Network
Visualization
• Maintain Security and
Compliance
Network Visibility
24
Architect for SLAs
• HA/DR reference
architectures
• Cross-region and cross-
cloud
• Auto-scale to meet
demand
• Hybrid cloudbursting
• Monitor and automate
failover
• Hot, warm, and cold DR
scenarios
Implement DR Architectures for your Apps
25
Load Balancers
App Servers
Slave DB Master DB
App Servers
Slave DB
< Replicate Replicate >
Load Balancers
PRIMARY WARM DR
DNS
Ensure availability
o Separate management
plane from cloud and
cloud applications
o RightScale platform is fully
redundant
o Automate failover
processes for hot, warm or
cold DR
Outage-Proof with Independent Control Plane
Ensure compliance
2
7
o See who changed what
and when
o Provide audit logs and
reports to satisfy
regulators
o Available via API to
integrate with other
systems
Gain Visibility with Audit Trails
Optimize cloud spend
o Visibility
o Planning and forecasting
o Budgets and cost controls
o Allocations
o Chargeback and
showback
o Optimize spend
Track all Cloud Usage and Costs
• RightScale Certifications
• State of the Cloud Report
• www.rightscale.com/2015-cloud-report
• Private and Hybrid Cloud Whitepaper
• www.rightscale.com/private-hybrid-cloud-whitepaper
Questions?
29
SSAE16 SOC1 and
SOC2 Type II PCI DSS SAQ C Compliant U.S.-EU Safe Harbor Framework
and U.S.-Swiss Safe Harbor
Framework