SLIDE 1

Dynamic and Continuous Auditing, Controlling, and Monitoring of all Tenant Network Flows in Openstack at Scale

Jason Rouault

  • Sr. Director, Cloud Engineering and Operations

May 10, 2017

SLIDE 2

  • Jason Rouault, Sr. Director, Cloud Engineering and Operations
  • Richard Eisenberg, VP, Client Development
  • Nathan Randall, Sr. DevSecOps Engineer

SLIDE 3

Agenda

  • TWC Introduction
  • Business/Security Problems Defined
  • Solution Requirements
  • Cloudvisory and OpenStack Integration
  • Cloudvisory Overview
  • Demo

SLIDE 4

Time Warner Cable

  • 2nd largest cable provider in US
  • Provides Video, Broadband, Phone, and Business Services
  • 15 Million Subscribers
  • Los Angeles/New York Markets
  • 4 National Data Centers
  • 20+ Market Data Centers

Was acquired by Charter Communications in 2016

SLIDES 5 AND 6

Time Warner Cable Cloud

OpenStack providing IaaS services

  • Up and running in 2 national datacenters (regions), with capacity for 15000 VMs
  • 3 PB usable object and block storage
  • Full SDN with Neutron ML2 and VXLAN Overlay
  • CI/CD automation for software deployments; 0-6 weeks behind trunk

Why OpenStack?

  • Flexible and adaptable infrastructure
  • Self-service
  • Increased speed to market
  • Reduced Costs
  • No Vendor lock-in

SLIDE 7

Problem Overview

OpenStack: Agile, Reliable, Available and Secure

  • OpenStack brings strong features for multi-tenancy and infrastructure abstraction
  • It allows us to deploy workloads with speed and reliability in a structured and repeatable method
  • The architecture introduces risks that traditional perimeter security models are unable to detect and control
  • There is a dichotomy between traditional security and the DevOps teams who are the cloud's users

SLIDES 8 TO 10

Business Problems

Visibility

  • DevOps teams have limited visibility and understanding when troubleshooting application connectivity issues
  • Lack of visibility is magnified for applications spanning regions and cloud providers
  • Security teams have no easy way to monitor and validate actual application flows

Control

  • Managing cloud native security controls can be error prone
  • Managing controls does not scale well in large deployments, or across environments
  • Security controls are not dynamic like the cloud applications they are protecting
  • There is no ability to define security trust boundaries across environments

Compliance

  • Demonstrating compliance is problematic
  • Detecting and responding to bad actors/systems is often too little, too late

SLIDE 11

Solution Requirements

  • Should leverage cloud native security controls
  • Must not negate self service afforded to cloud users
  • Must have minimal to no impact on workload performance
  • Will scale with our cloud
  • Must be highly available

SLIDE 12

Solution Requirements (continued)

  • Installation and upgrades can be automated with CI/CD tooling (e.g. Ansible, Puppet, etc.)
  • Solution should not hinder ability to upgrade Hypervisor or OpenStack
  • Role based access control (RBAC) for separation of duties
  • Should provide an API for integration with existing systems

SLIDES 13 AND 14

Narrowing Down the Choices

Most vendors:

  • Want to take over your SDN, or
  • Want to install a VM on each hypervisor, or
  • Want to install a kernel module, or
  • Want to install an agent on each VM

Ultimately, we did not like any of these implementation options

SLIDE 15

Cloudvisory and OpenStack

Cloudvisory serves as the management plane for network security policies. The Neutron API provides the control plane, which drives an agent on each Compute node; that agent implements the data plane for OSI Layer-2/3 network segmentation.

Diagram: Cloudvisory (Security Management Plane) -> Neutron API (Control Plane) -> Open vSwitch (Data Plane) on each of the Compute nodes.

SLIDES 16 AND 17

The Cloudvisory Management Framework

Diagram: three layers, the Security Management Plane (Cloudvisory) above the Cloud Security Policy Control Plane above the Data Plane. Per-project policies hang off the control plane: Project A Policy, containing a WEB Policy for the WEB TIER and a DB Policy plus a PCI Policy for the DB TIER, and Project B Policy.

SLIDE 18

Cloudvisory is: Intelligence

Cloud-Native Security Platform for Hybrid, Multi-Cloud

Continuous Discovery & Visualization of:

  1. Cloud infrastructure as it changes
  2. Policy changes/updates
  3. Detection and alerts of non-compliant policies and data flows
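To make the detection half of this concrete, here is an added example (written for this page; it is not Cloudvisory's or TWC's code) that audits Neutron security-group rules, the cloud-native control the architecture on slide 15 rests on, and checks observed tenant flows against them, the kind of continuous policy-and-flow check slide 18 describes. The rule document is a constructed sample in the shape of Neutron's `GET /v2.0/security-group-rules` response with hypothetical IDs and project; the flow records are constructed as if exported from the compute node's vSwitch; the sensitive-port list and the choice to treat `remote_group_id` rules as non-matching (resolving them needs the port-to-group mapping, which this example does not have) are assumptions.

```python
"""Audit OpenStack Neutron security-group rules and check observed tenant flows
against them: overly permissive rules, flows no rule permits, rules nothing uses.
Added example for this page; not Cloudvisory or TWC code."""
import ipaddress
import json
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed sample in the shape of Neutron's GET /v2.0/security-group-rules
# response. IDs and project are hypothetical, not from any real deployment.
SAMPLE_RULES_JSON = """{"security_group_rules": [
 {"id": "r1", "security_group_id": "sg-web", "project_id": "proj-a", "direction": "ingress",
  "ethertype": "IPv4", "protocol": "tcp", "port_range_min": 443, "port_range_max": 443,
  "remote_ip_prefix": "0.0.0.0/0", "remote_group_id": null},
 {"id": "r2", "security_group_id": "sg-web", "project_id": "proj-a", "direction": "ingress",
  "ethertype": "IPv4", "protocol": "tcp", "port_range_min": 22, "port_range_max": 22,
  "remote_ip_prefix": "0.0.0.0/0", "remote_group_id": null},
 {"id": "r3", "security_group_id": "sg-db", "project_id": "proj-a", "direction": "ingress",
  "ethertype": "IPv4", "protocol": "tcp", "port_range_min": 3306, "port_range_max": 3306,
  "remote_ip_prefix": "10.10.1.0/24", "remote_group_id": null},
 {"id": "r4", "security_group_id": "sg-db", "project_id": "proj-a", "direction": "ingress",
  "ethertype": "IPv4", "protocol": null, "port_range_min": null, "port_range_max": null,
  "remote_ip_prefix": "0.0.0.0/0", "remote_group_id": null}
]}"""

# Assumed list of ports that should never be reachable from the whole internet.
SENSITIVE_PORTS: Set[int] = {22, 3389, 3306, 5432, 6379, 27017}


@dataclass(frozen=True)
class Flow:
    """One observed ingress flow at a VM port: source address, L4 protocol, destination port."""
    src_ip: str
    protocol: str
    dst_port: int


def load_rules(text: str) -> List[dict]:
    return json.loads(text)["security_group_rules"]


def _port_range(rule: dict):
    """Neutron: both bounds null means every port (for ICMP the fields are type/code; ignored here)."""
    lo, hi = rule.get("port_range_min"), rule.get("port_range_max")
    return (0, 65535) if lo is None else (lo, lo if hi is None else hi)


def _any_remote(rule: dict) -> bool:
    """No remote_ip_prefix and no remote_group_id means any source; so does a /0 prefix."""
    if rule.get("remote_group_id"):
        return False
    prefix = rule.get("remote_ip_prefix")
    return prefix is None or ipaddress.ip_network(prefix, strict=False).prefixlen == 0


def find_overly_permissive(rules: List[dict], sensitive: Set[int] = SENSITIVE_PORTS) -> List[str]:
    """Ingress rules open to the world that admit every protocol/port or a sensitive port."""
    flagged = []
    for r in rules:
        if r.get("direction") != "ingress" or not _any_remote(r):
            continue
        lo, hi = _port_range(r)
        wide_open = r.get("protocol") is None or (lo, hi) == (0, 65535)
        if wide_open or any(lo <= p <= hi for p in sensitive):
            flagged.append(r["id"])
    return sorted(flagged)


def rule_permits(rule: dict, flow: Flow) -> bool:
    """Would this ingress rule allow the flow? remote_group_id rules are treated as
    non-matching (assumption: no port-to-group mapping is available to resolve them)."""
    if rule.get("direction") != "ingress" or rule.get("remote_group_id"):
        return False
    src = ipaddress.ip_address(flow.src_ip)
    if rule.get("ethertype") != ("IPv4" if src.version == 4 else "IPv6"):
        return False
    proto = rule.get("protocol")
    if proto is not None and proto != flow.protocol:
        return False
    lo, hi = _port_range(rule)
    if proto in ("tcp", "udp") and not lo <= flow.dst_port <= hi:
        return False
    prefix = rule.get("remote_ip_prefix")
    return prefix is None or src in ipaddress.ip_network(prefix, strict=False)


def audit_flows(rules: List[dict], sg_id: str, flows: List[Flow]) -> Dict[str, object]:
    """Map each flow to the rules permitting it; report flows no rule permits (enforcement
    gap or mis-attributed record) and rules no flow exercised (candidates for tightening)."""
    sg_rules = [r for r in rules if r["security_group_id"] == sg_id]
    matched: Dict[Flow, List[str]] = {}
    unmatched: List[Flow] = []
    for f in flows:
        hits = [r["id"] for r in sg_rules if rule_permits(r, f)]
        if hits:
            matched[f] = hits
        else:
            unmatched.append(f)
    used = {rid for hits in matched.values() for rid in hits}
    unused = sorted(r["id"] for r in sg_rules if r["id"] not in used)
    return {"matched": matched, "unmatched": unmatched, "unused_rules": unused}


RULES = load_rules(SAMPLE_RULES_JSON)
# Constructed flow records, as if exported from the compute node's vSwitch.
WEB_FLOWS = [Flow("198.51.100.7", "tcp", 443), Flow("203.0.113.9", "tcp", 22),
             Flow("203.0.113.9", "udp", 53)]
DB_FLOWS = [Flow("10.10.1.5", "tcp", 3306), Flow("192.0.2.77", "tcp", 3306)]

if __name__ == "__main__":
    print("overly permissive:", find_overly_permissive(RULES))
    for sg, flows in (("sg-web", WEB_FLOWS), ("sg-db", DB_FLOWS)):
        print(sg, audit_flows(RULES, sg, flows))
```

Against the sample, `r2` (SSH from anywhere) and `r4` (any protocol, any port, from anywhere on the DB group) are flagged; the 3306 flow from 192.0.2.77 is permitted only by `r4`, which is exactly how a wide rule quietly admits traffic the narrower `r3` was meant to scope; and the UDP/53 flow at the web group matches no rule, which is either a record from a port bound to a different group or a gap in enforcement. In a real deployment the rule document comes from the Neutron API (for example `openstack security group rule list -f json`) and the flows from whatever export the data plane offers, and the same three questions are asked on every change rather than once.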

SLIDE 19

Cloudvisory is: Consistency and Compliance

Cloud-Native Security Platform for Hybrid, Multi-Cloud

Hybrid/Multi-Cloud Security Policy

  1. Automated security policy provisioning
  2. Granular Policy Micro-Segmentation
  3. Real-time policy & flow monitoring for compliance
  4. Enforcement and Automated remediation of violations

Diagram: per-project policies. Project A Policy contains an APP Policy (APP TIER), a DB Policy and a PCI Policy (DB TIER), and a WEB Policy (WEB TIER); alongside it sit Project B Policy and Project C Policy.

SLIDE 20

Cloudvisory Security Platform

Value

  • Reduce human middleware/lower costs
  • Rapid change management/speed up operations
  • Harden security
  • Thwart nation state hackers

SLIDE 21

Cloudvisory Security Platform Demo

Hybrid & Multi-Cloud Security

Intelligence • Control • Compliance

SLIDE 22

Cloudvisory Security Platform

Better Cloud Security through Automation

  1. Simplifies: singular interface for cloud-native policy automation across providers
  2. Discovers and Visualizes: multi-cloud infrastructures, context, data flows and critical security violations
  3. Automates: provisioning & rapid change management of policy and micro-segmentation of workloads
  4. Compliance: real-time monitoring of flows and policies for compliance & enforcement
  5. Cross Discipline: manages multi-tenant environments; role-based solution for use by Dev/Ops, Security and Business

SLIDE 23

Cloudvisory Security Platform

Functional/Architectural Requirements Realized

  • Should leverage cloud native security controls
  • Must not negate self service afforded to cloud users
  • Must have minimal to no impact on workload performance
  • Will scale with our cloud
  • Must be highly available
  • Installation and upgrades can be automated with CI/CD tooling (e.g. Ansible, Puppet, etc.)
  • Solution should not hinder ability to upgrade Hypervisor or OpenStack
  • Role based access control (RBAC) for separation of duties
  • Should provide an API for integration with existing systems