CLOUD SECURITY Timothy Brown Director, Security & Virtualization


1 CLOUD SECURITY Timothy Brown Director, Security & Virtualization
Network Utility Force

2 About Your Presenter
Walker and Associates has been around for more than 40 years, handling the needs of communications carriers and the Federal Government as a Value Added Distributor (Warehousing, Networking, Design Services, Reselling).
Network Utility Force is a consulting company focused on network and security infrastructure. We enable companies to make the most of their infrastructure. Our team collectively has over 100 years of service provider and enterprise engineering experience.
I (Tim Brown) am ex-OEM, ex-service provider, ex-VAR and have been involved in network engineering since 1995.

3 Today’s Presentation
Fundamental questions (but there are many others):
- Is being in the cloud less secure than having gear at my facility?
- What new threats do I face by moving to the cloud?
- How can all this “as-a-service” stuff help me do my job?

4 How do you normally protect an asset?
- Infrastructure security (power, cooling, entrance points, …)
- Physical security
- Network security
- Systems security
- Application security
- Data security (storage, databases)

5

6 Cloud has us think of things a little differently
- Generate revenue from “functions”
- Decompose the true cost/effort of delivering a given function, make that something we can sell (“de”-commoditize)
- The security needs of DoD are fundamentally different from a web hosting provider
- Move to automation, immutability
- Services don’t prevent you from rolling your own (and in DoD case, you use SCCA)

7

8 Looking at five options today
- Amazon’s AWS
- Google Cloud
- Microsoft Azure
- Virtualized security within your existing facilities
- Carriers/Hosting

9 One axis: How “automatable” is the solution
- With cloud computing and virtualization, world is moving to a more “repeatable, immutable” model
- Applications no longer monolithic
- Systems are heading to a distributed world
- We could evaluate these items on many axes. But some of the more important things that differentiate clouds

10

11 Cloud Platforms and Security Features

12 All clouds offer some high level segmentation and network virtualization
- “Buckets” of resources
- Projects, VPCs, granularity
- Whitebox or software switches, special hypervisor features
- MAC learning, custom drivers
- Custom firewalls/packet processors

13 Network Features
Amazon AWS
- Custom route tables
- DHCP Options
- Elastic IPs
- Flexible NAT
- Cloud Firewall
- Peering
- Flow Monitoring
Google Cloud
- Cloud Load Balancing
- Cloud CDN
- Cloud Interconnect
Microsoft Azure
- ExpressRoute
- Load Balancing/Application Gateway
- Network Watcher

14 Logging and Monitoring
Amazon AWS
- CloudTrail
- CloudWatch
- Log Aggregation
Google Cloud
- Stackdriver (AWS+GCP) – Error reporting, trace, debugger, API frontends
Microsoft Azure
- Azure Monitoring
- Application Insights
- Log Analytics
- System Center Operations Manager

15 Access Control
Amazon AWS
- IAM
- MFA
- Directory Service
Google Cloud
- Cloud IAM
- Cloud IAP
- Cloud DLP
- Key Vaults
Microsoft Azure
- Key Vault
- Active Directory

16 Border Protection Approach

17 Historical approach to security: protect the border

18 Segmentation Approach

19 Segmentation approach

20 Microsegmentation Approach

21 Microsegmentation

22 Typical Architectures

23 AWS

24 Some terminology changes

25 AWS Architecture Example

26 AWS Architecture

27 AWS Compliance
- GovCloud has achieved FedRAMP High
- Provisional authorizations for IL4 and soon IL5 (unclassified, IL5 includes unclassified National Security Systems)
- See accelerator/nist/latest/assets/NIST Security-Controls- Mapping.xlsx

28 Google

29 Google Cloud Architecture

30 Compliance
- Has FedRAMP ATO
- No SRG compliance as far as I know of

31 Azure

32 Microsoft Azure Architecture

33 Azure Compliance
- DoD IL5, 4 Compliant

34 You Host It

35 Comes back to our two views: Segmentation and microsegmentation

36

37 Where the security industry is headed

38 Zero Trust Model

39 Summary

40 Thanks

