Presentation is loading. Please wait.

Presentation is loading. Please wait.

Cloud Security from an Orchestration Perspective: Shifting Left

Published byἈριστόδημε Αντωνοπούλου Modified over 5 years ago

Similar presentations

Presentation on theme: "Cloud Security from an Orchestration Perspective: Shifting Left"— Presentation transcript:

1 Cloud Security from an Orchestration Perspective: Shifting Left
Jeroen van der Leer / Cheyenne Seur (ABN AMRO) Info Security Europe – CSA Summit – June 5th 2018

2 Introduction 1 2 3 History & Legacy Shifting Left & Orchestration
Approach Jeroen van der Leer Product Development Manager ABN AMRO IT Services / I&PS Product Owner CBSP AWS 1 2 Cheyenne Seur Information Security Risk Analyst ABN AMRO CISO IT Wizard 3

3 History 1st workload live on AWS June 2017 “The cloud moves on”
Nov 2015 AWS Enterprise Agreement Dec 2016 MT IT Decision Azure / AWS Sep 2016 TOPS2020 2013 AWS Sandboxes Feb 2017 Critical workload live on AWS Oct 2017

4 Not sufficiently agile
Private Cloud Legacy Not sufficiently agile Slow delivery of a limited number of technologies Too many silos Building blocks delivered and approved by many API missing Legacy environments not exposed via APIs

5 Vision

6 Dutch Landscape (1)

7 Dutch Landscape (2)

8 Corporate Landscape

9 What is a silo? Definition:
Any management system that is unable to operate with any other system Issue: Silos do not share the goals and priorities of other departments Solution: Break down the silos by introducing DevOps or DevSecOps Of course Information Security or CISO is not a silo in most enterprises… Or is it? For instance: does Information Security have its own conferences? Actually, perhaps breaking down the silos has to be done before introducing DevOps

10 Silo examples – many perspectives
IT as a silo Central IT is often busy keeping legacy systems running but the business is asking for agility. CISO as a silo CISO’s main focus can be Information Security and has selected tools and vendors to ensure systems are kept secure. Silos within IT Service Management would like you to place your offering in their service catalogue and deliver using their request fulfilment tool.

11 Shifting left What is it?
Testing is performed earlier in the software development process An example: Penetration testing often takes place just before going live. What ABN AMRO has witnessed: CICD toolchains which are partially in the cloud DevOps teams want to collaborate with 3rd parties during development Chains may be distributed across multiple public clouds Challenge Connectivity requirements arise earlier, does shifting penetration testing left scale? Development such as cloud based toolchains require penetration testing to shift left as well. But does traditional delivery of such tests scale? Can it be done a different way? An example of a distributed chain is Tweadle: uses Salesforce and AWS

12 ABN AMRO’s Objectives for AWS
PROVISIONING // DEVOPS TEAMS PROVISION OWN INFRASTRUCTURE FLEXIBLE // AVOID UNWANTED STANDARDS SECURE // COMPLIANT WITH STANDARDS FOR CLOUD RISK CONTROL API // EXPOSE ALL PLATFORM FUNCTIONALITY AS AN API AGILE // QUICKLY INTRODUCE AND ADOPT NEW AWS SERVICES Some of these objectives were not a choice ABN AMRO has a history of outsourcing with separate ADM and Infrastructure vendors (Silos!) Building an IT function to deliver public cloud to DevOps teams in a traditional way would have been expensive The only alterative: automate and orchestrate!

13 Automation and Orchestration
Setting up a single task to run on its own. For instance: spinning up a server. Orchestration Automating a lot of things at once. For example: launching a 3-tier architecture, deploying software to it and provisioning a Web Application Firewall to monitor, filter and block traffic to it. Benefit Orchestration helps you maximize cloud investments Problem Automation and certainly Orchestration is impossible to achieve if you don’t break down the silos. Orchestration provides a single and centralized approach to provisioning resources and deploying software. What follows is efficient and more consistent repeatable deployements

14 Quick Summary ORCHESTRATION // TO MAXIMIZE CLOUD INVESTMENTS
SHIFTING LEFT // TESTING TAKES PLACE EARLIER IN THE DEV LIFECYCLE SILOS // DEVOPS AND BREAKING DOWN SILOS GO HAND IN HAND Some of these objectives were not a choice ABN AMRO has a history of outsourcing with separate ADM and Infrastructure vendors (Silos!) Building an IT function to deliver public cloud to DevOps teams in a traditional way would have been expensive The only alterative: automate and orchestrate!

15 Standards for Cloud Risk Control
Control routing path and monitor outbound traffic from CSP Private to CSP Public. Access will be managed based on patterns Control routing path and monitor traffic from CSP Public to AAB on-premises networks Allow only desired network protocols from Internet No direct inbound traffic from CSP Public and Internet (Perimeter Defense) Secure web publishing is handled by application, virtual appliance or cloud service Connectivity controls on AAB public end-point level Only ABN AMRO approved & authorized services can be deployed Periodic credential based vulnerability scanning Data Leakage must be prevented IAM on all accounts and resources Owner/cost tagging for all resources Platform Audit Logs & Platform Security Monitoring Monitor and assess updated CSP Service Terms and Audit Reports Virus/Malware protection Update 1.2: Flex-Zone is used to address the ‘playground’ environment, the old term ‘sandbox’ could easily be confused with a highly regulated and secured environment ( Update 1.2: Control A7 and S16 where introduced

16 Measureable Standards & Guidelines
Standards for Cloud Risk Control F5 : Virus/Malware protection must be present CBSP AWS Standard for Amazon EC2 EC2_025: Ensure XXXXXXXXXX agent is installed and policy assigned Standards for Cloud Risk Control S13: Connectivity controls on AAB public end-point level CBSP AWS Standard for Amazon S3 S3_012: S3 buckets must XXXXXXXXXXXX Standards for Cloud Risk Control A8: Applications with availability ratings of 1 must be actively monitored for DDoS attacks CBSP Standard XXX_002: Create AWS CloudWatch alarm for XXXXXXXXXXXXXX ABN AMRO leverages AWS Config for this

17 Compliance Dashboard in Splunk

18 ABN AMRO’s Objectives for AWS
PROVISIONING // DEVOPS TEAMS PROVISION OWN INFRASTRUCTURE FLEXIBLE // AVOID UNWANTED STANDARDS SECURE // COMPLIANT WITH STANDARDS FOR CLOUD RISK CONTROL API // EXPOSE ALL PLATFORM FUNCTIONALITY AS AN API AGILE // QUICKLY INTRODUCE AND ADOPT NEW AWS SERVICES Effectively we are delivering on all our objectives We’ve done this by breaking down silos which has enabled DevOps. IT, CISO and Business objectives have become aligned. The fact that IT and CISO stand here today is proof of that (the business has paid for our trip which is proof they’re aligned too!) DevOps teams are able to orchestrate their entire IT landscape using a native API which has significantly improved agility without a tradeoff to Security

19 Questions

Download ppt "Cloud Security from an Orchestration Perspective: Shifting Left"

Similar presentations

System Center 2012 R2 Overview

System Center 2012 R2 Overview
Tom Yarmas CTO – Cloud Technologies U.S. Public Sector Cloud Computing: How to do it right!

Tom Yarmas CTO – Cloud Technologies U.S. Public Sector Cloud Computing: How to do it right!
Lower costs and improve predictability Automation Enable service owners to focus on work that adds business value Reduce error-prone manual activities.

Lower costs and improve predictability Automation Enable service owners to focus on work that adds business value Reduce error-prone manual activities.
Cloud Attributes Business Challenges Influence Your IT Solutions Business to IT Conversation Microsoft is Changing too Supporting System Center In House.

Cloud Attributes Business Challenges Influence Your IT Solutions Business to IT Conversation Microsoft is Changing too Supporting System Center In House.
P RESENTED B Y - Subhomita Gupta Roll no: 10 T OPICS TO BE DISCUSS ARE : Introduction to Firewalls  History Working of Firewalls Needs Advantages and.

P RESENTED B Y - Subhomita Gupta Roll no: 10 T OPICS TO BE DISCUSS ARE : Introduction to Firewalls  History Working of Firewalls Needs Advantages and.
© Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 1 Automate your way to.

© Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 1 Automate your way to.
Robert Mahowald August 26, 2015 VP, Cloud Software, IDC

Robert Mahowald August 26, 2015 VP, Cloud Software, IDC
DenyAll Delivering Next-Generation Application Security to the Microsoft Azure Platform to Secure Cloud-Based and Hybrid Application Deployments MICROSOFT.

DenyAll Delivering Next-Generation Application Security to the Microsoft Azure Platform to Secure Cloud-Based and Hybrid Application Deployments MICROSOFT.
Alfresco on AWS Provisioning and deploying Alfresco solutions on Amazon Web Services.

Alfresco on AWS Provisioning and deploying Alfresco solutions on Amazon Web Services.
Chapter 11 – Cloud Application Development. Contents Motivation. Connecting clients to instances through firewalls. Cloud Computing: Theory and Practice.

Chapter 11 – Cloud Application Development. Contents Motivation. Connecting clients to instances through firewalls. Cloud Computing: Theory and Practice.
Structured Container Delivery Oscar Renalias Accenture Container Lead (NOTE: PASTE IN PORTRAIT AND SEND BEHIND FOREGROUND GRAPHIC FOR CROP)

Structured Container Delivery Oscar Renalias Accenture Container Lead (NOTE: PASTE IN PORTRAIT AND SEND BEHIND FOREGROUND GRAPHIC FOR CROP)
Architecting Enterprise Workloads on AWS Mike Pfeiffer.

Architecting Enterprise Workloads on AWS Mike Pfeiffer.
Clouding with Microsoft Azure

Clouding with Microsoft Azure
SDN & NFV Driving Additional Value into Managed Services.

SDN & NFV Driving Additional Value into Managed Services.
Check Point vSEC STORY [Protected] Non-confidential content.

Check Point vSEC STORY [Protected] Non-confidential content.
If it’s not automated, it’s broken!

If it’s not automated, it’s broken!
READ ME FIRST Use this template to create your Partner datasheet for Azure Stack Foundation. The intent is that this document can be saved to PDF and provided.

READ ME FIRST Use this template to create your Partner datasheet for Azure Stack Foundation. The intent is that this document can be saved to PDF and provided.
SUSE Linux Enterprise Server for SAP Applications

SUSE Linux Enterprise Server for SAP Applications
Run Azure Services in your datacenter

Run Azure Services in your datacenter
Hybrid Management and Security

Hybrid Management and Security

Similar presentations

Ads by Google