CloudCamp Chicago May 2014 Full speaker deck, with lightning talks: "Reasoning About Enterprise Application Security in a Cloudy World" - Steve Binderup, Cloud Security Advocate at Elastica @stevebinderup "Effectively Designing & Implementing Hybrid Solutions: A Real-World Hybrid Use Case" - Eric Dominguez, Director of Sales Engineering at ServerCentral "A Hybrid Strategy" - Chris Swan, CTO at Cohesive @cpswan "It’s Time to Go Public With Cloud" - Trevor Hess, Consultant at 10th Magnitude @trevorghess "Welcome to the Farm (or why a hybrid cloud makes sense)" - Jay O'Connor, Director of Engineering at Belly @jdoconnor Interested in speaking, sponsoring, or attending the next CloudCamp? Contact CohesiveFT!

1. Sponsored by
Hosted by
CloudCamp Chicago
!
!
“Public, Private or Hybrid?”
#cloudcamp
@CloudCamp_CHI

2. Emcee
!
Ryan Koop
CohesiveFT
!
!
Tweet: @RyanKoop
#cloudcam
Sponsored by
Hosted by
#cloudcamp
@CloudCamp_CHI

3. … sponsored by you!
Mircea Husz - HP
Leonard Salva - Century Link / Savvis
Eric Peebles - ArtisanalTechnology Solutions
Mark Calaguas
Brandon Pittman -VMware
Michael Basil - UprisingTechnology, Inc.
Matthew Hess - Northwestern University

4. Mark your calendars -
CloudCamp Chicago on July 24

5. 6:00 pm Introductions
6:10 pm: Lightning Talks
"Reasoning About Enterprise Application Security in a Cloudy
World" - Steve Binderup, Cloud Security Advocate at Elastica
@stevebinderup
"Effectively Designing & Implementing Hybrid Solutions:A Real-
World Hybrid Use Case" - Eric Dominguez, Director of Sales
Engineering at ServerCentral
"A Hybrid Strategy" - Chris Swan, CTO at CohesiveFT
@cpswan
“It’s Time to Go Public With Cloud" - Trevor Hess, Consultant -
at 10th Magnitude @trevorghess
“Welcome To The Farm (or why a hybrid cloud makes sense)” -
Jay O'Connor, Director of Engineering at Belly @jdoconnor
6:45 pm: Unpanel
7:30 pm: Unconference / Networking, drinks and pizza
Agenda Sponsored by
Hosted by
#cloudcamp
@CloudCamp_CHI

6. “Reasoning About Enterprise
Application Security in a Cloudy
World”
!
Steve Binderup, Cloud Security Advocate
Elastica
!
Tweet: @stevebinderup
#cloudcamp
Sponsored by
Hosted by
#cloudcamp
@CloudCamp_CHI

7. Reasoning About Enterprise Application
Security in a Cloudy World
Steve Binderup/Cloud Security Advocate / www.elastica.net

8. T H R E A T L I F E C Y C L E
BEFORE
Controls
DURING
Identification
AFTER
Response
Firewalls, NGFW IDS/IPS, AV, AMP Forensics, IR Tools
Rethinking Security: Being Threat Centric

9. Key Cybersecurity Hurdles
Prolifera)on
of
New
Technologies
Evolu)on
of
Threat
Landscape
Increase
of
Complexity

10. GRC: What Matters?
Compliance:
Highly
complex,
one-­‐size
fits
all,
dynamic.
What
do
you
ul)mately
care
about:
Transparency.
Have
to
understand
risks
we
are
trying
to
mi)gate.

11. Traditional Security Operation Center (SOC)
5
DLP
Firewall
IDS/IPS

12. Key Enterprise SaaS Security Challenges
Make
it
work
vs.
Approval
No
Visibility
App
/
Ac)on
No
Events
for
SEIM
to
Consume

13. Where Controls are Lost
7
Layer
On
Prem
IaaS
PaaS
SaaS
App/Data
Middleware
OS
Virtual
Physical

14. ESTABLISH SECURITY BASELINE CHOOSE AND APPLY
COMPENSTATING CONTROLS
Gartner Public Cloud Management Lifecycle
INCIDENT DETECTION INCIDENT RESPONSE MANAGEMENT

15. Establish a Security Baseline
9
Baseline: Need to understand where you are right now
Basic Discovery: Table stakes (any Firewall / NGFW can do it)
Interesting challenge: Audit (what’s enterprise ready for you specifically?)
ADMINISTRATIVE INFORMATIONALACCESS
BUSINESS DATA
SERVICE
COMPLIANCE

16. Choose and Apply Compensating Controls
10
VISIBILITY
ACTION
User
Service
Object
Ac)on

17. Incident Detection
11
Policies and controls identify specific tangible behaviors. But what
about sophisticated threats that fall outside their scope?
SIGNATURES
HEURISTiCS
BEHAVIOR-­‐
BASED
ANALYSIS
ANOMALY
DETECTION

18. Incident Response Management
12
Attackers are constantly evolving and adapting. Threats will
eventually get through. The question is no longer “What if?”, but
“What now?”
INFORMATION
ASYMMETRY
FAVORS
ATTACKERS
PRE-­‐THINK
RESPONSE;
HARD
TO
DO
AFTER
THE
FACT
INTEGRATE.
DON’T
BOLT
ON

19. Cloud Services Security Problem
13
Visibility
Security
Compliance
Risk
Governance

20. Thank you
TAKEAWAYS
SaaS
Security
and
GRC
Problem
Mul)faceted
Consider
full
threat
lifecycle:
Before,
During,
AZer
Visibility
and
Ac)on
are
Key
Pillars
Sbinderup@elas)ca.co

21. “Effectively Designing &
Implementing Hybrid Solutions:A
Real-World Hybrid Use Case”
!
Eric Dominguez, Director of Sales Engineering
ServerCentral
!
Tweet:
#cloudcamp
Sponsored by
Hosted by
#cloudcamp
@CloudCamp_CHI

22. A Real-World Hybrid Use CaseE

23. HYBRID CLOUD
YOU KEEP USING THAT WORD. I DO NOT
THINK IT MEANS WHAT YOU THINK IT MEANS

26. CAN I
HAVE MY RED
CARD NOW?

27. “A Hybrid Strategy”
!
Chris Swan, CTO
CohesiveFT
!
Tweet: @cpswan
#cloudcamp
Sponsored by
Hosted by
#cloudcamp
@CloudCamp_CHI

28. A hybrid cloud
or a hybrid strategy?
Chris Swan
CTO CohesiveFT
@cpswan

29. Hybrid cloud is about common
software stack
Public Private
Sponsored by:

30. Hybrid cloud is about resources
outside your own data centre
Public
Hybrid
Private
Sponsored by:

31. Hybrid cloud is about common
management and governance
Public Private
Single pane of glass
Sponsored by:

32. Hybrid cloud is about common APIs
Public Private
Sponsored by:

33. Hybrid cloud is about common
networking
Public Private
Overlay network
Sponsored by:

34. And you can have multi cloud nirvana
if you just buy all the stuff

35. Enough of hybrid cloud
What about a hybrid strategy

36. Hybrid strategy
Public Private
Green field
System of engagement
Big data
Public facing
Sensitive data
Specific control needs
Tight integration
Repatriation

37. A hybrid strategy is workload
dependent
Public Private
?

38. Very few workloads need both at once
Public Private
&?

39. Faster, cheaper and more expedient
than removing variation?
Public Private
Tolerance of variation
Public Private

40. But… not all that is private is cloud
Private

41. And that new app might need old data
Public

42. And there’s no need to do this
Public Private

43. To get this
Public

44. Conclusion
• Hybrid cloud is a bill of goods
• A hybrid strategy gets your app to where it
needs to be
• Cost of variance should be compared to cost
of uniformity – pick your own winner
• Connectivity can be ordered a la carte
(and might not even come with the set menu
anyway)

45. Thanks for listening
@cpswan

46. “It’s Time to Go Public With Cloud”
!
Trevor Hess, Consultant
10th Magnitude
!
Tweet: @trevorghess
#cloudcamp
Sponsored by
Hosted by
#cloudcamp
@CloudCamp_CHI

47. IT’S%TIME%TO%GO%
PUBLIC%WITH%
CLOUD

48. SO%WHY%PUBLIC?

49. STORAGE

50. MOBILE%APPS

51. JUST%CODE

52. FOCUS%ON%TESTS,%NOT%ENVIRONMENTS

53. TO%SUM%UP
• Let$Azure$take$care$of$
the$Flickr$for$pieces$and$
parts$of$your$loosely7
coupled$architecture$
• Level$up$your$capabili:es$
by$taking$advantage$of$a$
scale$and$featureset$that$
would$take$millions$to$
invest$in$privately.$
• Focus$on$what$makes$
you$amazing$

54. “Welcome To The Farm (or why a
hybrid cloud makes sense)“
!
Jay O’Connor, Director of Engineering
Belly
!
Tweet: @jdoconnor
#cloudcamp
Sponsored by
Hosted by
#cloudcamp
@CloudCamp_CHI

55. Welcome To The Farm
(or why a hybrid cloud makes sense)

57. Livestock
Vs
Pets

58. Popular Hybrids

59. Popular Hybrids

60. Popular Hybrids

61. Popular Hybrids
Your
infrastructure

62. Public
Commodity Cheap Replaceable

63. Private
SecureExpensive Fixable

64. Playing Nice
Tunnel everything
Draw easy lines
Hide complexity with apps

65. I mentioned
nothing
about
planting crops

66. jay@bellycard.com
@jdoconnor

67. Un-panel Discussion
!
!
!
volunteer to join the panel & ask
questions from the floor!
!
Sponsored by
Hosted by
#cloudcamp
@CloudCamp_CHI

68. Unconference
!
Small groups & discussions, network
!
Pizza’s almost here!
!
!
Sponsored by
Hosted by
#cloudcamp
@CloudCamp_CHI

69. Sponsored by
Hosted by
#cloudcamp
@CloudCamp_CHI