CloudCamp Chicago May 2014
Full speaker deck, with lightning talks:
"Reasoning About Enterprise Application Security in a Cloudy World" - Steve Binderup, Cloud Security Advocate at Elastica @stevebinderup
"Effectively Designing & Implementing Hybrid Solutions: A Real-World Hybrid Use Case" - Eric Dominguez, Director of Sales Engineering at ServerCentral
"A Hybrid Strategy" - Chris Swan, CTO at Cohesive @cpswan
"It’s Time to Go Public With Cloud" - Trevor Hess, Consultant at 10th Magnitude @trevorghess
"Welcome to the Farm (or why a hybrid cloud makes sense)" - Jay O'Connor, Director of Engineering at Belly @jdoconnor
Interested in speaking, sponsoring, or attending the next CloudCamp? Contact CohesiveFT!
3. … sponsored by you!
Mircea Husz - HP
Leonard Salva - Century Link / Savvis
Eric Peebles - Artisanal Technology Solutions
Mark Calaguas
Brandon Pittman - VMware
Michael Basil - Uprising Technology, Inc.
Matthew Hess - Northwestern University
5. 6:00 pm: Introductions
6:10 pm: Lightning Talks
"Reasoning About Enterprise Application Security in a Cloudy World" - Steve Binderup, Cloud Security Advocate at Elastica @stevebinderup
"Effectively Designing & Implementing Hybrid Solutions: A Real-World Hybrid Use Case" - Eric Dominguez, Director of Sales Engineering at ServerCentral
"A Hybrid Strategy" - Chris Swan, CTO at CohesiveFT @cpswan
"It’s Time to Go Public With Cloud" - Trevor Hess, Consultant at 10th Magnitude @trevorghess
"Welcome To The Farm (or why a hybrid cloud makes sense)" - Jay O'Connor, Director of Engineering at Belly @jdoconnor
6:45 pm: Unpanel
7:30 pm: Unconference / Networking, drinks and pizza
Agenda Sponsored by
Hosted by
#cloudcamp
@CloudCamp_CHI
6. “Reasoning About Enterprise Application Security in a Cloudy World”
Steve Binderup, Cloud Security Advocate
Elastica
Tweet: @stevebinderup #cloudcamp
7. Reasoning About Enterprise Application Security in a Cloudy World
Steve Binderup / Cloud Security Advocate / www.elastica.net
8. THREAT LIFECYCLE
BEFORE: Controls (Firewalls, NGFW)
DURING: Identification (IDS/IPS, AV, AMP)
AFTER: Response (Forensics, IR Tools)
Rethinking Security: Being Threat Centric
10. GRC: What Matters?
Compliance: Highly complex, one-size fits all, dynamic.
What do you ultimately care about: Transparency. Have to understand the risks we are trying to mitigate.
12. Key Enterprise SaaS Security Challenges
Make it work vs. Approval
No Visibility: App / Action
No Events for SIEM to Consume
13. Where Controls are Lost
Layers: App/Data, Middleware, OS, Virtual, Physical
Compared across deployment models: On Prem, IaaS, PaaS, SaaS
14. Gartner Public Cloud Management Lifecycle
ESTABLISH SECURITY BASELINE -> CHOOSE AND APPLY COMPENSATING CONTROLS -> INCIDENT DETECTION -> INCIDENT RESPONSE MANAGEMENT
15. Establish a Security Baseline
Baseline: Need to understand where you are right now
Basic Discovery: Table stakes (any Firewall / NGFW can do it)
Interesting challenge: Audit (what’s enterprise ready for you specifically?)
Audit dimensions: ADMINISTRATIVE, INFORMATIONAL ACCESS, BUSINESS DATA, SERVICE, COMPLIANCE
16. Choose and Apply Compensating Controls
VISIBILITY and ACTION over: User, Service, Object, Action
17. Incident Detection
Policies and controls identify specific tangible behaviors. But what about sophisticated threats that fall outside their scope?
SIGNATURES, HEURISTICS, BEHAVIOR-BASED ANALYSIS, ANOMALY DETECTION
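The slide contrasts detections that match a behavior written down in advance (signatures) with detections that look for departures from normal (anomaly detection). The following is an added example, not from the deck or from Elastica: it runs both styles over constructed SaaS audit events shaped like the User / Service / Object / Action model on the previous slide. The event fields, the sample log, the `confidential/` path prefix and the threshold constants are all assumptions made for the illustration.

```python
"""Signature vs. anomaly detection over constructed SaaS audit events (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Event:
    """One SaaS audit record: who did what to which object in which service."""
    hour: int      # hour index since the start of the log window (assumed field)
    user: str
    service: str
    obj: str
    action: str


def _downloads(user, hour, n, prefix):
    """Build n constructed download events for one user in one hour."""
    return [Event(hour, user, "filestore", f"{prefix}/doc{i}.pdf", "download") for i in range(n)]


# Constructed sample log, not real telemetry: eight baseline hours for two users,
# then a bulk pull by bob and an external share of a confidential object by alice.
SAMPLE_EVENTS = []
for h in range(8):
    SAMPLE_EVENTS += _downloads("alice", h, 3, "shared")
    SAMPLE_EVENTS += _downloads("bob", h, 2 + (h % 2), "shared")
SAMPLE_EVENTS += _downloads("bob", 8, 40, "shared")
SAMPLE_EVENTS.append(Event(8, "alice", "filestore", "confidential/board-minutes.docx", "share_external"))


def signature_hits(events):
    """Signature: a specific, tangible behavior expressed as a fixed rule.

    Here the rule is 'external share of anything under confidential/'. It catches
    exactly what it names and nothing else."""
    return [e for e in events if e.action == "share_external" and e.obj.startswith("confidential/")]


def anomaly_hits(events, baseline_hours, k=3.0, floor=5.0):
    """Anomaly detection: compare each user's hourly download count with that
    user's own baseline (mean + k standard deviations, never below `floor`).

    Returns (user, hour, count, threshold) for hours outside the baseline window
    whose count exceeds the threshold. No rule names the behavior in advance."""
    counts = defaultdict(lambda: defaultdict(int))  # user -> hour -> downloads
    for e in events:
        if e.action == "download":
            counts[e.user][e.hour] += 1
    hits = []
    for user, per_hour in counts.items():
        base = [per_hour.get(h, 0) for h in baseline_hours]
        threshold = max(float(floor), mean(base) + k * pstdev(base))
        for hour, n in sorted(per_hour.items()):
            if hour not in baseline_hours and n > threshold:
                hits.append((user, hour, n, round(threshold, 1)))
    return hits


if __name__ == "__main__":
    for e in signature_hits(SAMPLE_EVENTS):
        print(f"signature: {e.user} {e.action} {e.obj} (hour {e.hour})")
    for user, hour, n, thr in anomaly_hits(SAMPLE_EVENTS, range(8)):
        print(f"anomaly:   {user} downloaded {n} objects in hour {hour} (threshold {thr})")
```

The signature fires on alice's external share because that behavior was written down beforehand; bob's bulk download matches no rule and surfaces only because his hour-8 count is far outside his own baseline. Both detectors depend on the audit events existing in the first place, which is the "no events for SIEM to consume" gap named earlier in the deck.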
18. Incident Response Management
Attackers are constantly evolving and adapting. Threats will eventually get through. The question is no longer “What if?”, but “What now?”
INFORMATION ASYMMETRY FAVORS ATTACKERS
PRE-THINK RESPONSE; HARD TO DO AFTER THE FACT
INTEGRATE. DON’T BOLT ON
20. Thank you
TAKEAWAYS
SaaS Security and GRC Problem: Multifaceted
Consider full threat lifecycle: Before, During, After
Visibility and Action are Key Pillars
Sbinderup@elastica.co
21. “Effectively Designing & Implementing Hybrid Solutions: A Real-World Hybrid Use Case”
Eric Dominguez, Director of Sales Engineering
ServerCentral
Tweet: #cloudcamp
36. Hybrid strategy
Public: Green field, System of engagement, Big data, Public facing
Private: Sensitive data, Specific control needs, Tight integration, Repatriation
44. Conclusion
• Hybrid cloud is a bill of goods
• A hybrid strategy gets your app to where it needs to be
• Cost of variance should be compared to cost of uniformity – pick your own winner
• Connectivity can be ordered a la carte (and might not even come with the set menu anyway)
46. “It’s Time to Go Public With Cloud”
Trevor Hess, Consultant
10th Magnitude
Tweet: @trevorghess #cloudcamp
54. “Welcome To The Farm (or why a hybrid cloud makes sense)”
Jay O’Connor, Director of Engineering
Belly
Tweet: @jdoconnor #cloudcamp