Let’s rethink cloud application security in 2016 - Patrick Kerpan's Secure360 presentation 2016

Let’s rethink cloud
application security in 2016

Tweet along: #Sec360
@pjktech @cohesivenet
About me
Patrick Kerpan
CEO at Cohesive Networks
@pjktech
BANKS

About Cohesive Networks
2,000+ customers
protect cloud-
based applications
User-controlled
security &
connectivity at the
top of the cloud
Cloud is creating
demand for more
connectivity and
security
honest approach to cloud security

Agenda
• data center security is not cloud security
• post-Snowden realities
• application layer network security
• upcoming security compliance regulations
• here’s to a more secure 2016

data center security is not cloud security

modern apps
business applications are collections of servers
Database Tier
AppServer Tier
Web Tier

enterprise data center
enterprise data centers are filled with these applications

data center security: walls
80% of security spend is on perimeter, leaving only 20% for
interior network security
Perimeter Security

data center vulnerability
Hacker Penetration
Perimeter Security

Perimeter Security
data center vulnerability
Vulnerabilities go undetected for an
average of 234 days!

post-Snowden realities

target: governments

target: retail

target: healthcare

target: social media

application layer network security

application segmentation
micro-perimeter around critical apps in any environment

limit server interactions
server traffic must go through a secure app-layer switch

control network flow
traffic only flows in permitted directions, from permitted locations

security for each app
@pjktech

upcoming security compliance regulations

practical, compelling needs
PR.AC-5
NIST Cyber Security
Framework
“Network integrity is
protected, incorporating
network segregation
where appropriate”

PCI DSS
Payment Card Industry
Data Security Standard v3.0
“adequate network
segmentation isolates systems
that store, process, or transmit
cardholder data from those that
do not"

US DHS Guidelines
National Cyber Security
Division
Recommended Practice:
Improving Industrial Control
Systems Cybersecurity with
Defense-In-Depth Strategies

EU Data Protection Directive: 2018
• data processors responsible for data
protection
• tougher penalties: up to €20M
• impacts every entity that holds or
uses European personal data both
inside and outside of EU
• controllers must meet ”reasonable
expectations” of data privacy =
tokenised, encrypted or anonomised
data

Safe Harbor/EU-US Privacy Shield: June
• original agreement between US
and EU to adhere to EU laws &
standards when handling EU
citizen’s data
• US companies can self-certify
they are storing customer data
properly
• voided in October 2015, new
voted expected June 2016

industry-specific guidelines
• Federal Information Security Management Act (FISMA)
• North American Electric Reliability Corp. (NERC)
standards
• Title 21 of the Code of Federal Regulations (21 CFR Part
11) Electronic Records
• Health Insurance Portability and Accountability Act
(HIPAA)
• The Health Information Technology for Economic and
Clinical Health Act (HITECH)
• Patient Safety and Quality Improvement Act (PSQIA,
Patient Safety Rule)
• H.R. 2868: The Chemical Facility Anti-Terrorism
Standards Regulation

broadly applicable laws and regulations
• Sarbanes-Oxley Act (SOX)
• Payment Card Industry Data Security Standard
(PCI DSS)
• Gramm-Leach-Bliley Act (GLB) Act
• Electronic Fund Transfer Act
• Regulation E (EFTA)
• Customs-Trade Partnership Against Terrorism (C-
TPAT)
• Free and Secure Trade Program (FAST)
• Children's Online Privacy Protection Act (COPPA)
• Fair and Accurate Credit Transaction Act (FACTA)
• Federal Rules of Civil Procedure (FRCP)

security takeaways
most standards say:
• encrypt sensitive data in
motion and at rest whenever it
is “reasonable and
appropriate”
• ”reasonable expectation” of
companies to provide data
security

here’s to a more secure 2016

segment and isolate apps

enforce traffic policies with firewalls

detect malicious traffic with NIDS
!
!!
!

limit intra-app network traffic with WAF

create logical subnets
Example app network Subnet - 172.31.1.0/26
VNS3 Controllers
172.31.1.56/29
unassigned
172.31.1.8/29
Web
172.31.1.0/29
App
172.31.1.16/29
unassigned
172.31.1.24/29
MQ
172.31.1.40/29
DB
172.31.1.32/29
unassigned
172.31.1.48/29
Define smaller subnets within an app network range
along with firewall rules

monitor traffic with app-layer switches

build layers of control and access
Provider Owned/Provider Controlled
Provider Owned/User Controlled
VNS3 - User Owned/User Controlled
User Owned/User Controlled
Key security elements must be controlled  
by the customer, but separate from  
the provider
Cloud Edge Protection
Cloud Isolation
Cloud VLAN
Cloud Network Firewall
Cloud Network Service
VNS3 Virtual Firewall
VNS3 Encrypted Overlay
N
etwork
VNS3 NIDS, WAF, e
tc.
Instance
OS Port Filtering
Encrypted Disk

use encrypted overlay networks
• use unique X.509 credentials for each Overlay IP address
• create a secure TLS VPN tunnel between networks
• encrypt all data in motion end-to-end
VNS3 Controller 1
VNS3 Controller 2
VNS3 Controller 3
VNS3 Overlay Network - 172.31.1.0/24
Public IP: 52.1.108.23 Public IP: 54.15.88.193
Public IP: 52.22.100.95
Peered Peered
Overlay IP: 172.31.1.1
Cloud Server A
Cloud Server B
Cloud Server C
Primary DB
Backup DB

Conclusions
• data center security does not work for cloud security
• everyone is liable for weak security - including your
customers
• applications need security via network virtualization
• compliance regulations emphasize network segmentation,
app security and isolation
• app layer switches and network controls can make for a more
secure 2016

Q&A
Stay in touch:
@pjktech
@cohesivenet
contactme@cohesive.net

Let’s rethink cloud application security in 2016 - Patrick Kerpan's Secure360 presentation 2016

Related slideshows

More Related Content

Let’s rethink cloud application security in 2016 - Patrick Kerpan's Secure360 presentation 2016