Hopefully a chuckle while the room fills before we begin

Presentation on theme: "Hopefully a chuckle while the room fills before we begin"— Presentation transcript:

1 Hopefully a chuckle while the room fills before we begin
“For A Moment, I Had A Feeling Of Total Security. Then Someone Said Cloud or DevOps or Self-provisioning (or was it all 3)!”

2 IT Security – The Missing Piece in IT Replatforming
Nicholas Lee, Cloud Security Evangelist

My name is Nick Lee & I’m with CloudPassage. IT replatforming, or Gen 3 as many call it, is all over the news. Personally I think it’s just the press giving a name to something that was already in motion. Today’s conversation is around how security plays into this transformation and the current world of IT, the new world of IT (Gen 3) and the transition between the 2.

3 IT Replatforming – Next Gen, Gen 3…
Virtualization, Self-Service, DevOps, Rapid Release, Private Cloud, Public Cloud and Hybrid Cloud

As I said, I see Gen 3 or IT Replatforming as all over the press. A year ago I called this “What’s Next”, but today I think it should be called “What’s Now”. Call it what you like, but I think we’re all seeing it, or at least the piece parts that make up this change. I suspect everyone in this room is living through some part of these changes. Are you watching from the edge, dabbling part way or do you have both feet in it? If you’re not at least dabbling, you might be left behind, or worse yet these decisions might be made for you.

4 What’s Driving IT Replatforming?
- The business wants new features faster than ever
- New Features = New Revenue
- IT has Responded: Virtualization; Self service
- Development has Responded: DevOps; Rapid releases; Cloud test & QA
- Security has [Not] Responded: Current tools built for Gen 2 data center; In many cases, asking for things to slow down; In other cases, pushed aside in acceptance of risk
- Provisioning – Weeks to Minutes
- Release Cycle – Quarters to Days
- Change Breaks Security

Gen 3 change is being driven by the Business this time, and the business as always wants new features to drive new revenue & wants these new features faster than ever to keep pace or be at risk of being passed by their competitors. “New Features = New Revenue” There’s nothing new with that phrase, but now the speed at which it’s happening is being measured with a stop watch, not a calendar. <Advance slide, discuss IT & Dev>

Yet Security professionals are still trying to solve modern problems with legacy processes and legacy security tools. The legacy processes in use were built for a world with a slower rate of change. Your security tools may have modern marketing, but under the covers they’re still the same old tools built for a different time – when time was on your side. Story: Symantec’s move to supporting virtualized servers. So in essence your security teams have both hands tied behind their back because of legacy processes and tools that can’t handle the move from a fast walk to today’s sprint.

The underlying challenge is: Change Breaks Security. There was a time when Security had the power to at least slow down this movement. But more & more we’re seeing companies where IT Security has lost the political strength to stop this. They’re being told “get on the bus or don’t - but the bus is leaving”.

5 Legacy
This is where I started, the Gen 1 datacenter. No Internet, no compliance reporting, DevOps without the name, and security was a lock on a door and a guy at the gate.

6 Legacy
Traditional Data Center: Bare Metal, Basic Virtualization
The Gen 2 legacy DC was dominated by Bare Metal moving into Basic Virtualization. There was a well-defined perimeter to defend and a slow rate of change in the environment. But from the perspective of Development and Security, there was really very little that changed from bare metal to basic virtualization. When we look at this from today’s perspective, this 1st step into virtualization was really the 1st step into the Gen 3 data center or IT Replatforming.

7 Modern
UCS Director
But new tools, that enable speed and reduce manpower demands, are rapidly changing the world IT has to support. If this picture reminds you of home, then your internal data center is by definition a private Cloud, whether you like that term or not. Wikipedia defines Private & Public clouds: a Public Cloud serves many customers, a Private Cloud serves only your company. It does change the nature of the components.

8 Modern
UCS Director
And the world of IT is rapidly becoming extended out to new data centers, often in the Public Cloud. The Public Cloud is just a different DataCenter provided by companies like Amazon, Microsoft & IBM. Sales people and the media are spouting Cloud, Cloud, Cloud or some version of this. In my experience with customers, the word Cloud is often mis-interpreted as meaning only AWS or its rivals. Recently we sponsored an IANS dinner – I asked everyone at the table to define – in their opinion – what Cloud means; only one said private cloud – otherwise it was all AWS, Azure, etc. But if you’re already embracing Virtualization, self-service provisioning, DevOps and/or rapid QA & Test, you’re already embracing a version of a private cloud. These Public Clouds offer the promise of lower costs and speed. According to an AWS SA, you only really get true savings if you’re all in. But by any measure you certainly get speed. Speed to market.

9 Modern
UCS Director
Maybe the Cloud is not something you’re embracing, but you need to understand it. You need to understand how it affects the decisions you make today, and not just in security. E.g. what does the selection of IaaS versus PaaS mean in the long term scheme to your Apps, your monitoring & your security? In this case, a PaaS typically does not allow you to add agents for any security or monitoring products – how would that choice affect your long term needs? It can’t just be about what you’ve got today; like it or not some form of cloud, just like some form of virtualization, is coming. If you are forced into a Cloud move, will you be forced to support multiple solutions? The other thing to keep in mind is the decision to move to the Cloud may not be made BY you, it might be made FOR you.

10 “Either you will or your replacement will”
Security Must: Embrace Both Legacy and Modern IT
“Either you will or your replacement will”
Legacy vs. Modern:
- Seeks control to avoid risk vs. embraces risk to gain agility
- Waterfall approach vs. fast-iteration approach
- Low rate of change vs. high rate of change
- Data centers / colo vs. SDDC / cloud
- Approval-driven vs. learning-driven
- Stringent change control vs. little or no change control
- Network-centric security vs. system & app-centric security
- IT focused (less customer-centric) vs. business focused (closer to customer)
- More centralized IT operations vs. more distributed IT operations

Legacy IT change was a casual jog whereas Modern IT change [charge] is more of a sprint. The rate of change/charge is accelerating. The winners will be those who embrace change and make the right choices. But which choices? Regardless of what you call it or where you place it, these changes are coming. A former VP of mine once told a group of us, “Either you will use this or your replacement will.” In this case he was referring to our use of SFDC, but this could be how Cloud is positioned to you. No transformation is ever immediate or absolute. Change comes over time. So let’s talk about that transformation and how it affects security.

11 Greenfield Applications Core Business Applications
Slide labels: IT Replatforming; Greenfield Applications; Experiments; Any New Application; High-Risk Migrations; Low-Risk Migrations; Innovation; “BUSINESS AS USUAL”; Core Business Applications; Last Legacy Project; Legacy; Modern

Some of your Core Business Apps will always remain Snowflakes as they are now. But those legacy applications will rapidly roll into maintenance-only modes as new Cloud-optimized apps take their place. Initially this replatforming will start with experiments and innovation. Some of this innovation will show itself as Shadow IT, possibly outside of your control and planning. Greenfield applications, that offer low risk, will be targeted using technologies that support rapid development, burst-optimized design and an ability to run wherever the business wants them: in your data center, in your private cloud, someone’s public cloud or a hybrid version of these (burst, idle infrastructure). Burst and contract can produce huge cost savings – reducing idle servers for an infrequent burst need. Burst is where the cloud shines [in my opinion], but where legacy security tools fall very short. Eventually all new application development will embrace these concepts from the ground up, followed lastly by the Core Business applications, which will either migrate to these new standards or be frozen in time.

12 IT Security Replatforming
Slide labels: Securing DevOps; Trusting Security to Protect your High-Risk Apps Wherever they Reside; New Security Tool Research; Full IT Security Replatforming; “BUSINESS AS USUAL”; Experiments with Public Security; Securing Low-Risk Apps; Network Security; Legacy Server Security for Critical Apps; Legacy; Modern

Security has to parallel the Datacenter model or it will fall behind, maybe even be left out completely (“Embracing Risk to Gain Agility”). While your current investment in Network Security will most certainly outlive your legacy Server Security investment, even your network security will eventually cover an increasingly smaller portion of your company’s application assets. The limited server protection you’ve already deployed with legacy security tools will almost certainly be replaced by new, purpose-built Agile Security tools. Your legacy security tools, and in many cases their companies too, will go the way of the dinosaurs just as the VT100 did. (show of hands, who used a VT100?)

During this transformation, we need to decide how clearly we see the future for our applications as we invest in new security solutions.
- Do the [security] tools I’m investing in today work in any datacenter option the business may demand?
- Will I be in a Public Cloud someday? Do I want to support 2 security tool sets?
- Will I be in a Hybrid cloud environment someday?
- Will I have to support elastic bursting and contraction – does my industry have this need? Do the tools I am selecting support these demands?
- How will Rapid Development’s evolution affect my decisions on infrastructure and security?
- How do these tools support the rapid pace in user device demands? What is the next user device?
- Do they support my existing apps and eventually my new apps with the same tool, same infrastructure and the same SMEs?

We all must make security tool decisions which do not limit the other choices we need to make or are forced to make.

13 Legacy Application Development (traditional waterfall)
Slide diagram: a twelve-month timeline with a single release R1 passing through Analysis and design, Coding & implementation, Quality testing, Staging and release.

This is the world I grew up in, where I started programming, and it has lasted for decades, but time has made it process heavy and too slow to react to today’s business demands.

14 Modern Application Development (agile / iterative)
Slide diagram: the same twelve-month timeline, now with releases R1 through R12, each passing through Analysis and design, Coding and implementation, Quality testing, Staging and release.

Modern Application Development, or DevOps as it’s commonly called today, moves at a significantly faster pace. We have customers like Netflix that are releasing new images a day and rolling over all 50,000 servers every 48 hours. Others, like CloudPassage, are slower – more deliberate, with weekly pushes of new code, but our release cycles, testing, QA and marketing concerns cause our releases to be more quarterly and coordinated, which by DevOps standards is slow, by traditional standards is fast. One huge advantage of DevOps and Cloud Programming techniques such as Micro Services is that it allows you to take a risk, where a mistake, instead of hanging around for months or more, can be fixed in minutes without affecting the entire application.

15 Modern Application Development (agile / iterative)
Slide diagram: the twelve-month timeline with releases R1 through R12 overlapping across App 1, App 2, App 3, App 4 … App n, each passing through Analysis and design, Coding and implementation, Quality testing, Staging and release.

And we all know it’s not as simple as this happening to one app at a time; it’s all of them happening in what seems like a huge randomized cycle. And your security teams are tasked with securing all of them at the speed rapid development is moving. And not just when they go to production, but in Test & QA as well, so security is not new just when you go Live, but is part of the cycle from the very origins of the code.

16 Weaving Security & Compliance into Modern AppDev / Devops
Slide diagram: the twelve-month timeline with releases R1 through R12 across Analysis and design, Coding and implementation, Quality testing, Staging and release, annotated with:
- Core security policies already implemented, regardless of environment
- Security unit-testing cases required, or code is rejected (yes, really)
- Code & infrastructure policies ensured using DevOps-style automation
- Staging smoke tests include automated pen-testing, vulnerability assessment, policy validation, security baselines (against gold master)
- All of this feeds into SIEM and GRC tools

Security has to be an upfront process, “Set it & Forget it”. You can’t be chasing this rabbit; you need to be enabling it or else you’ve already lost the race. Auto code testing is critical, but like everything else it needs to be automated such that developers don’t see it as a hindrance or they won’t invoke the test. CSC/Fortify Example – only done at Build command. DevOps needs to be protected throughout the cycle, from test to production, not just after it’s ready to go live. After-the-fact additions of Security invalidate all testing and aren’t fast enough to prevent theft of IP in Test & QA. Testing security should be part of testing your code – it needs to be done on every cycle and from different perspectives to be effective. Security packaged with your code ensures this part of your layered defense happens every cycle.
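The staging smoke-test step above (policy validation and a security baseline checked against a gold master) as an added example; this is not code from the talk or from CloudPassage, and the gold master, the snapshot keys and every value in it are constructed sample data standing in for what a pipeline would collect from a staged image:

```python
from dataclasses import dataclass
from typing import Optional

# Constructed gold master: the approved configuration for one server tier.
GOLD_MASTER = {
    "sshd.PasswordAuthentication": "no",
    "sshd.PermitRootLogin": "no",
    "sysctl.net.ipv4.ip_forward": "0",
    "file./etc/shadow.mode": "0640",
    "pkg.telnetd": "absent",
    "pkg.openssl": "3.0.13",
}
# Keys whose drift blocks promotion; anything else is reported as a warning.
CRITICAL = {"sshd.PasswordAuthentication", "sshd.PermitRootLogin", "pkg.telnetd"}

@dataclass(frozen=True)
class Finding:
    key: str
    expected: Optional[str]   # None when the key is absent from the gold master
    actual: Optional[str]     # None when the key is absent from the snapshot
    severity: str             # "critical" or "warning"

def check_baseline(snapshot: dict, baseline: dict = GOLD_MASTER) -> list:
    """Return one Finding per key that differs between snapshot and baseline."""
    findings = []
    for key in sorted(set(baseline) | set(snapshot)):
        expected, actual = baseline.get(key), snapshot.get(key)
        if expected == actual:
            continue
        # Keys the baseline does not govern are still reported, as drift.
        sev = "critical" if key in CRITICAL else "warning"
        findings.append(Finding(key, expected, actual, sev))
    return findings

def gate(snapshot: dict) -> bool:
    """Pipeline gate: True means the staged image may be promoted."""
    return not any(f.severity == "critical" for f in check_baseline(snapshot))

# Constructed snapshot of a staged image with one critical and two minor drifts.
SAMPLE_SNAPSHOT = {
    "sshd.PasswordAuthentication": "yes",  # regressed by a config change
    "sshd.PermitRootLogin": "no",
    "sysctl.net.ipv4.ip_forward": "0",
    "file./etc/shadow.mode": "0640",
    "pkg.telnetd": "absent",
    "pkg.openssl": "3.0.14",               # differs from gold master: warn only
    "pkg.curl": "8.5.0",                   # not governed by baseline: drift warning
}
```

Run on the sample snapshot, the gate returns False because of the sshd regression, while the two package differences are surfaced as warnings for review rather than blocking the release.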

17 You Need Security That Embraces Both Modern and Legacy IT
Legacy vs. Modern:
- Everything “behind the firewall” vs. assets are everywhere
- Complete visibility & control vs. inconsistent visibility & control
- Fewer changes at slower pace vs. more & faster changes (by OOM)
- IT largely calls the shots vs. business units run their own IT
- Natural physical segmentation vs. physical constructs are gone (portability)
- More controlled, paced cadence vs. as-fast-as-automation-allows

Your new security tool choices must support what you have today and what you need to support in the future, at least what you can envision of it. Otherwise you’ll be supporting multiple environments, multiple infrastructures and SMEs wasted on obsolete technologies, as well as spending an enormous amount of capital on multiple environments. My one take away from everything I see happening around me in IT, especially in IT Security, is that it’s happening too fast to accurately predict even what’s around the next corner with any degree of accuracy. As Yoda said, “Choose Wisely.”

18 8 Keys to Securing the Transformation of IT
- Built directly into core environments
- Security that operates anywhere
- Context-aware operation
- Orchestration of many functions
- Deep automation of each function
- Instant and long-term scalability
- Alignment with DevOps models
- API-based integration capabilities

What must-have capabilities should your new security purchases provide you? This is the most profound IT transformation you’re likely to see in your career…make it count!

19 Questions/Thoughts/Comments?
This is one man’s opinion; I’m very interested in your thoughts, your perspective on this Gen 3, IT Replatforming – is it coming, is it here, will it endure? We have a few minutes and I’d like to hear what you think, and I’m sure your peers in the room would like to hear that too.
