Presentation is loading. Please wait.

Presentation is loading. Please wait.

Cloud Security from an Orchestration Perspective: Shifting Left

Similar presentations


Presentation on theme: "Cloud Security from an Orchestration Perspective: Shifting Left"— Presentation transcript:

1 Cloud Security from an Orchestration Perspective: Shifting Left
Jeroen van der Leer / Cheyenne Seur (ABN AMRO) Info Security Europe – CSA Summit – June 5th 2018

2 Introduction 1 2 3 History & Legacy Shifting Left & Orchestration
Approach Jeroen van der Leer Product Development Manager ABN AMRO IT Services / I&PS Product Owner CBSP AWS 1 2 Cheyenne Seur Information Security Risk Analyst ABN AMRO CISO IT Wizard 3

3 History 1st workload live on AWS June 2017 “The cloud moves on”
Nov 2015 AWS Enterprise Agreement Dec 2016 MT IT Decision Azure / AWS Sep 2016 TOPS2020 2013 AWS Sandboxes Feb 2017 Critical workload live on AWS Oct 2017

4 Not sufficiently agile
Private Cloud Legacy Not sufficiently agile Slow delivery of a limited number of technologies Too many silos Building blocks delivered and approved by many API missing Legacy environments not exposed via APIs

5 Vision

6 Dutch Landscape (1)

7 Dutch Landscape (2)

8 Corporate Landscape

9 What is a silo? Definition:
Any management system that is unable to operate with any other system Issue: Silos do not share the goals and priorities of other departments Solution: Break down the silos by introducing DevOps or DevSecOps Of course Information Security or CISO is not a silo in most enterprises… Or is it? For instance: does Information Security have its own conferences? Actually, perhaps breaking down the silos has to be done before introducing DevOps

10 Silo examples – many perspectives
IT as a silo Central IT is often busy keeping legacy systems running but the business is asking for agility. CISO as a silo CISO’s main focus can be Information Security and has selected tools and vendors to ensure systems are kept secure. Silos within IT Service Management would like you to place your offering in their service catalogue and deliver using their request fulfilment tool.

11 Shifting left What is it?
Testing is performed earlier in the software development process An example: Penetration testing often takes place just before going live. What ABN AMRO has witnessed: CICD toolchains which are partially in the cloud DevOps teams want to collaborate with 3rd parties during development Chains may be distributed across multiple public clouds Challenge Connectivity requirements arise earlier, does shifting penetration testing left scale? Development such as cloud based toolchains require penetration testing to shift left as well. But does traditional delivery of such tests scale? Can it be done a different way? An example of a distributed chain is Tweadle: uses Salesforce and AWS

12 ABN AMRO’s Objectives for AWS
PROVISIONING // DEVOPS TEAMS PROVISION OWN INFRASTRUCTURE FLEXIBLE // AVOID UNWANTED STANDARDS SECURE // COMPLIANT WITH STANDARDS FOR CLOUD RISK CONTROL API // EXPOSE ALL PLATFORM FUNCTIONALITY AS AN API AGILE // QUICKLY INTRODUCE AND ADOPT NEW AWS SERVICES Some of these objectives were not a choice ABN AMRO has a history of outsourcing with separate ADM and Infrastructure vendors (Silos!) Building an IT function to deliver public cloud to DevOps teams in a traditional way would have been expensive The only alterative: automate and orchestrate!

13 Automation and Orchestration
Setting up a single task to run on its own. For instance: spinning up a server. Orchestration Automating a lot of things at once. For example: launching a 3-tier architecture, deploying software to it and provisioning a Web Application Firewall to monitor, filter and block traffic to it. Benefit Orchestration helps you maximize cloud investments Problem Automation and certainly Orchestration is impossible to achieve if you don’t break down the silos. Orchestration provides a single and centralized approach to provisioning resources and deploying software. What follows is efficient and more consistent repeatable deployements

14 Quick Summary ORCHESTRATION // TO MAXIMIZE CLOUD INVESTMENTS
SHIFTING LEFT // TESTING TAKES PLACE EARLIER IN THE DEV LIFECYCLE SILOS // DEVOPS AND BREAKING DOWN SILOS GO HAND IN HAND Some of these objectives were not a choice ABN AMRO has a history of outsourcing with separate ADM and Infrastructure vendors (Silos!) Building an IT function to deliver public cloud to DevOps teams in a traditional way would have been expensive The only alterative: automate and orchestrate!

15 Standards for Cloud Risk Control
Control routing path and monitor outbound traffic from CSP Private to CSP Public. Access will be managed based on patterns Control routing path and monitor traffic from CSP Public to AAB on-premises networks Allow only desired network protocols from Internet No direct inbound traffic from CSP Public and Internet (Perimeter Defense) Secure web publishing is handled by application, virtual appliance or cloud service Connectivity controls on AAB public end-point level Only ABN AMRO approved & authorized services can be deployed Periodic credential based vulnerability scanning Data Leakage must be prevented IAM on all accounts and resources Owner/cost tagging for all resources Platform Audit Logs & Platform Security Monitoring Monitor and assess updated CSP Service Terms and Audit Reports Virus/Malware protection Update 1.2: Flex-Zone is used to address the ‘playground’ environment, the old term ‘sandbox’ could easily be confused with a highly regulated and secured environment ( Update 1.2: Control A7 and S16 where introduced

16 Measureable Standards & Guidelines
Standards for Cloud Risk Control F5 : Virus/Malware protection must be present CBSP AWS Standard for Amazon EC2 EC2_025: Ensure XXXXXXXXXX agent is installed and policy assigned Standards for Cloud Risk Control S13: Connectivity controls on AAB public end-point level CBSP AWS Standard for Amazon S3 S3_012: S3 buckets must XXXXXXXXXXXX Standards for Cloud Risk Control A8: Applications with availability ratings of 1 must be actively monitored for DDoS attacks CBSP Standard XXX_002: Create AWS CloudWatch alarm for XXXXXXXXXXXXXX ABN AMRO leverages AWS Config for this

17 Compliance Dashboard in Splunk

18 ABN AMRO’s Objectives for AWS
PROVISIONING // DEVOPS TEAMS PROVISION OWN INFRASTRUCTURE FLEXIBLE // AVOID UNWANTED STANDARDS SECURE // COMPLIANT WITH STANDARDS FOR CLOUD RISK CONTROL API // EXPOSE ALL PLATFORM FUNCTIONALITY AS AN API AGILE // QUICKLY INTRODUCE AND ADOPT NEW AWS SERVICES Effectively we are delivering on all our objectives We’ve done this by breaking down silos which has enabled DevOps. IT, CISO and Business objectives have become aligned. The fact that IT and CISO stand here today is proof of that (the business has paid for our trip which is proof they’re aligned too!) DevOps teams are able to orchestrate their entire IT landscape using a native API which has significantly improved agility without a tradeoff to Security

19 Questions


Download ppt "Cloud Security from an Orchestration Perspective: Shifting Left"

Similar presentations


Ads by Google