CLOUD SECURITY
Timothy Brown
Director, Security & Virtualization, Network Utility Force
About Your Presenter
  Walker and Associates has been around for more than 40 years, handling the needs of communications carriers and the Federal Government as a Value Added Distributor (Warehousing, Networking, Design Services, Reselling).
  Network Utility Force is a consulting company focused on network and security infrastructure. We enable companies to make the most of their infrastructure. Our team collectively has over 100 years of service provider and enterprise engineering experience.
  I (Tim Brown) am ex-OEM, ex-service provider, ex-VAR and have been involved in network engineering since 1995.
Today’s Presentation
  Fundamental questions (but there are many others):
  Is being in the cloud less secure than having gear at my facility?
  What new threats do I face by moving to the cloud?
  How can all this “as-a-service” stuff help me do my job?
How do you normally protect an asset?
  Infrastructure security (power, cooling, entrance points, …)
  Physical security
  Network security
  Systems security
  Application security
  Data security (storage, databases)
Cloud has us think of things a little differently
  Generate revenue from “functions”
  Decompose the true cost/effort of delivering a given function, and make that something we can sell (“de”-commoditize)
  The security needs of DoD are fundamentally different from those of a web hosting provider
  Move to automation, immutability
  Services don’t prevent you from rolling your own (and in the DoD case, you use SCCA)
Looking at five options today
  Amazon’s AWS
  Google Cloud
  Microsoft Azure
  Virtualized security within your existing facilities
  Carriers/Hosting
One axis: How “automatable” is the solution
  With cloud computing and virtualization, the world is moving to a more “repeatable, immutable” model
  Applications are no longer monolithic
  Systems are heading to a distributed world
  We could evaluate these items on many axes. But some of the more important things that differentiate clouds
Cloud Platforms and Security Features
All clouds offer some high level segmentation and network virtualization
  “Buckets” of resources: projects, VPCs, granularity
  Whitebox or software switches, special hypervisor features: MAC learning, custom drivers
  Custom firewalls/packet processors
Network Features
  Amazon AWS: Custom route tables, DHCP Options, Elastic IPs, Flexible NAT, Cloud Firewall, Peering, Flow Monitoring
  Google Cloud: Cloud Load Balancing, Cloud CDN, Cloud Interconnect
  Microsoft Azure: ExpressRoute, Load Balancing/Application Gateway, Network Watcher
Logging and Monitoring
  Amazon AWS: CloudTrail, CloudWatch, Log Aggregation
  Google Cloud: Stackdriver (AWS+GCP) – Error reporting, trace, debugger, API frontends
  Microsoft Azure: Azure Monitoring, Application Insights, Log Analytics, System Center Operations Manager
Access Control
  Amazon AWS: IAM, MFA, Directory Service
  Google Cloud: Cloud IAM, Cloud IAP, Cloud DLP, Key Vaults
  Microsoft Azure: Key Vault, Active Directory
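The Logging and Monitoring and Access Control slides list CloudTrail and IAM/MFA as building blocks but do not show them working together. The following is an added example, not from the presentation: it reads constructed records in the shape of CloudTrail events and flags sensitive API calls made by an IAM user or the root identity whose session was not MFA-authenticated. The field `userIdentity.sessionContext.attributes.mfaAuthenticated` is a real CloudTrail field; the account id, user names, IP addresses and the watchlist of event names are assumptions made up for the example.

```python
"""Added example: find sensitive CloudTrail API calls made without MFA.

Constructed records, not real log data; only the fields the check reads
are included in each event.
"""
import json

# Constructed CloudTrail-style events (account id and names are made up).
SAMPLE_RECORDS = [
    {"eventTime": "2018-03-01T10:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "sourceIPAddress": "198.51.100.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}}},
    {"eventTime": "2018-03-01T10:05:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "IAMUser", "userName": "bob",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}}},
    {"eventTime": "2018-03-01T10:06:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "198.51.100.40",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/ci-role/build"}},
    {"eventTime": "2018-03-01T10:09:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "198.51.100.77",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}}},
    {"eventTime": "2018-03-01T10:12:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "198.51.100.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}}},
]
# Newline-delimited JSON, the form a log shipper would hand to a detector.
RAW_LOG = "\n".join(json.dumps(r) for r in SAMPLE_RECORDS)

# Assumed watchlist: calls that change identities, network exposure or
# logging itself, where an MFA-less session is worth an alert.
SENSITIVE_EVENTS = {
    "CreateUser", "AttachUserPolicy", "AuthorizeSecurityGroupIngress",
    "StopLogging", "DeleteTrail",
}


def mfa_authenticated(event):
    """CloudTrail records MFA on the session as the string "true"."""
    attrs = (event.get("userIdentity", {})
                  .get("sessionContext", {})
                  .get("attributes", {}))
    return attrs.get("mfaAuthenticated") == "true"


def find_unmfa_sensitive_calls(ndjson_text):
    """Return (eventTime, who, eventName, sourceIPAddress) for each sensitive
    call by an IAM user or root without an MFA-authenticated session."""
    findings = []
    for line in ndjson_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ident = ev.get("userIdentity", {})
        # Role sessions carry their own MFA story; this check covers
        # long-lived principals only.
        if ident.get("type") not in ("IAMUser", "Root"):
            continue
        if ev.get("eventName") not in SENSITIVE_EVENTS:
            continue
        if mfa_authenticated(ev):
            continue
        who = ident.get("userName") or ident.get("arn", "unknown")
        findings.append((ev.get("eventTime"), who, ev["eventName"],
                         ev.get("sourceIPAddress")))
    return findings


if __name__ == "__main__":
    for when, who, name, ip in find_unmfa_sensitive_calls(RAW_LOG):
        print(f"{when} {who} called {name} from {ip} without MFA")
```

Running the block reports the security group change by `bob` and the `StopLogging` call by root; the read-only `DescribeInstances` calls and the role session are left alone.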
Border Protection Approach
Historical approach to security: protect the border
Segmentation Approach
Segmentation approach
Microsegmentation Approach
Microsegmentation
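The three slides above name the border, segmentation and microsegmentation approaches without showing how they differ on concrete traffic. The following is an added example, not from the presentation: a small policy evaluator that runs the same set of constructed flows through all three models, so the difference shows up in which east-west flows each one permits. The hosts, zones, roles, ports and rule tables are all assumptions made up for the example.

```python
"""Added example: border vs. segmentation vs. microsegmentation.

Every host, zone, role and rule here is constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str    # source host name (or "internet")
    dst: str    # destination host name
    port: int   # destination TCP port


INTERNET = "internet"

# Constructed inventory: host -> (zone, role). Zones are coarse network
# segments; roles are the workload identities microsegmentation keys on.
HOSTS = {
    "web-1":   ("dmz",  "web"),
    "web-2":   ("dmz",  "web"),
    "app-1":   ("app",  "app"),
    "db-1":    ("data", "db"),
    "bastion": ("mgmt", "admin"),
}


def zone_of(name):
    return INTERNET if name == INTERNET else HOSTS[name][0]


def role_of(name):
    return INTERNET if name == INTERNET else HOSTS[name][1]


def border_model(flow):
    """Perimeter only: internet traffic must hit a published web port;
    anything already inside the border is trusted."""
    if flow.src == INTERNET:
        return role_of(flow.dst) == "web" and flow.port == 443
    return True


# Assumed zone-to-zone firewall policy: (src zone, dst zone) -> ports.
ZONE_RULES = {
    (INTERNET, "dmz"): {443},
    ("dmz", "app"):    {8080},
    ("app", "data"):   {5432},
    ("mgmt", "dmz"):   {22},
    ("mgmt", "app"):   {22},
    ("mgmt", "data"):  {22},
}


def segmentation_model(flow):
    """Zone firewalls: cross-zone traffic needs a rule, but hosts inside
    one zone still talk to each other freely."""
    s, d = zone_of(flow.src), zone_of(flow.dst)
    if s == d:
        return True
    return flow.port in ZONE_RULES.get((s, d), set())


# Assumed per-workload policy: (src role, dst role) -> ports.
ROLE_RULES = {
    (INTERNET, "web"): {443},
    ("web", "app"):    {8080},
    ("app", "db"):     {5432},
    ("admin", "web"):  {22},
    ("admin", "app"):  {22},
    ("admin", "db"):   {22},
}


def microsegmentation_model(flow):
    """Per-workload policy: every flow, including one between peers in the
    same zone, needs an explicit rule."""
    return flow.port in ROLE_RULES.get((role_of(flow.src), role_of(flow.dst)), set())


MODELS = {
    "border": border_model,
    "segmentation": segmentation_model,
    "microsegmentation": microsegmentation_model,
}


def evaluate(flows):
    """Return {model name: [True/False per flow, in order]}."""
    return {name: [fn(f) for f in flows] for name, fn in MODELS.items()}


# Constructed flows: three legitimate tier hops plus two lateral flows
# that would matter if a single web host were compromised.
SAMPLE_FLOWS = [
    Flow(INTERNET, "web-1", 443),   # client to the web tier
    Flow("web-1", "app-1", 8080),   # web tier to app tier
    Flow("app-1", "db-1", 5432),    # app tier to database
    Flow("web-1", "web-2", 22),     # web host reaching its DMZ neighbour
    Flow("web-1", "db-1", 5432),    # web host reaching the database directly
]

if __name__ == "__main__":
    for model, verdicts in evaluate(SAMPLE_FLOWS).items():
        print(f"{model:18s}", ["allow" if v else "deny" for v in verdicts])
```

The output makes the point of the three slides explicit: the border model allows all five flows, zone segmentation stops the web-to-database flow but not the web-to-web one inside the DMZ, and only the microsegmentation model denies both lateral flows while still permitting the legitimate tier hops.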
Typical Architectures
AWS
Some terminology changes
AWS Architecture Example
AWS Architecture
AWS Compliance
  GovCloud has achieved FedRAMP High
  Provisional authorizations for IL4 and soon IL5 (unclassified; IL5 includes unclassified National Security Systems)
  See https://s3.amazonaws.com/quickstart-reference/enterprise-accelerator/nist/latest/assets/NIST-800-53-Security-Controls-Mapping.xlsx
Google Cloud Architecture
Compliance
  Has FedRAMP ATO
  No SRG compliance as far as I know
Azure
Microsoft Azure Architecture
Azure Compliance
  DoD IL5, IL4 compliant
You Host It
Comes back to our two views: Segmentation and microsegmentation
Where the security industry is headed
Zero Trust Model
Summary
Thanks