Dynamic and Continuous Auditing, Controlling, and Monitoring of all Tenant Network Flows in Openstack at Scale
Jason Rouault, Sr. Director, Cloud Engineering and Operations. May 10, 2017


  1. Dynamic and Continuous Auditing, Controlling, and Monitoring of all Tenant Network Flows in Openstack at Scale
Jason Rouault, Sr. Director, Cloud Engineering and Operations. May 10, 2017

  2. Presenters
• Jason Rouault, Sr. Director, Cloud Engineering and Operations
• Richard Eisenberg, VP, Client Development
• Nathan Randall, Sr. DevSecOps Engineer

  3. Agenda
• TWC Introduction
• Business/Security Problems Defined
• Solution Requirements
• Cloudvisory and OpenStack Integration
• Cloudvisory Overview
• Demo

  4. Time Warner Cable
• 2nd largest cable provider in the US
• Provides Video, Broadband, Phone, and Business Services
• 15 million subscribers
• Los Angeles/New York markets
• 4 national data centers
• 20+ market data centers
• Acquired by Charter Communications in 2016

  5. Time Warner Cable Cloud
OpenStack providing IaaS services
• Up and running in 2 national datacenters (regions) – capacity for 15,000 VMs
• 3 PB usable object and block storage
• Full SDN with Neutron ML2 and VXLAN overlay
• CI/CD automation for software deployments, 0-6 weeks behind trunk
Why OpenStack?
• Flexible and adaptable infrastructure
• Self-service
• Increased speed to market
• Reduced costs
• No vendor lock-in

  7. Problem Overview
• OpenStack brings strong features for multi-tenancy and infrastructure abstraction
• It allows us to deploy workloads with speed and reliability in a structured and repeatable way
• The architecture introduces risks that traditional perimeter security models are unable to detect and control
• There is a dichotomy between traditional security and the DevOps teams who are the cloud's users
OpenStack: Agile, Reliable, Available and Secure

  8. Business Problems
Visibility
• DevOps teams have limited visibility and lack the understanding needed to troubleshoot application connectivity issues
• The lack of visibility is magnified for applications spanning regions and cloud providers
• Security teams have no easy way to monitor and validate actual application flows
Control
• Managing cloud-native security controls can be error prone
• Managing controls does not scale well in large deployments, or across environments
• Security controls are not dynamic like the cloud applications they are protecting
• There is no ability to define security trust boundaries across environments
Compliance
• Demonstrating compliance is problematic
• Detecting and responding to bad actors/systems is often too little, too late

  11. Solution Requirements
• Should leverage cloud-native security controls
• Must not negate the self-service afforded to cloud users
• Must have minimal to no impact on workload performance
• Will scale with our cloud
• Must be highly available

  12. Solution Requirements
• Installation and upgrades can be automated with CI/CD tooling (e.g. Ansible, Puppet, etc.)
• Solution should not hinder our ability to upgrade the hypervisor or OpenStack
• Role-based access control (RBAC) for separation of duties
• Should provide an API for integration with existing systems

  13. Narrowing Down the Choices
Most vendors:
• Want to take over your SDN, or
• Want to install a VM on each hypervisor, or
• Want to install a kernel module, or
• Want to install an agent on each VM
Ultimately, we did not like any of these implementation options

  15. Cloudvisory and OpenStack
Diagram: Cloudvisory (Security Management Plane) → Neutron API (Control Plane) → Open vSwitch on each compute node (Data Plane)
Cloudvisory serves as the management plane for network security policies. The Neutron API provides the control plane, which drives an agent on each compute node; that agent programs Open vSwitch, the data plane that implements OSI Layer-2/3 network segmentation.

  16. The Cloudvisory Management Framework
Diagram: Cloud Security Policy (Security Management Plane) → Control Plane → Data Plane. Policies are layered: Project A Policy and Project B Policy at the project level, with WEB Policy and DB Policy on the WEB tier and DB tier beneath them, plus a PCI Policy.

  18. Cloudvisory is: Intelligence
Cloud-Native Security Platform for Hybrid, Multi-Cloud
Continuous discovery and visualization of:
1. Cloud infrastructure as it changes
2. Policy changes/updates
3. Detection and alerts of non-compliant policies and data flows

  19. Cloudvisory is: Consistency and Compliance
Cloud-Native Security Platform for Hybrid, Multi-Cloud
Hybrid/Multi-Cloud Security Policy:
1. Automated security policy provisioning
2. Granular policy micro-segmentation
3. Real-time policy and flow monitoring for compliance
4. Enforcement and automated remediation of violations
Diagram: Project A, Project B and Project C policies; WEB tier (WEB Policy), APP tier (APP Policy), DB tier (DB Policy), PCI Policy.
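Slides 15, 18 and 19 describe the same loop from three angles: an intended tier policy in the management plane, the Neutron security-group rules that are the control plane's record of it, and the flows that actually cross the Open vSwitch data plane, with non-compliant rules and flows flagged when the three disagree. The following is an added example of that audit, written for this page; it is not Cloudvisory's code and not part of the original deck. The rule records use the field names Neutron's security-group-rules API returns, but they are embedded inline rather than fetched, and the security-group ids, instance addresses, tier policy and flow records are all constructed for the example.

```python
"""Audit Neutron security-group rules and observed flows against an intended
tier policy (added example with constructed data; not Cloudvisory's code)."""
import ipaddress
from typing import Dict, List, Tuple

# Normalized ingress rule: (protocol, port_min, port_max, source), where
# source is "group:<tier>" or an IPv4 CIDR.
Rule = Tuple[str, int, int, str]

# Management-plane view: what each tier is supposed to accept.  Constructed:
# web takes HTTPS from anywhere, db takes MySQL from the web tier only.
INTENDED: Dict[str, List[Rule]] = {
    "web": [("tcp", 443, 443, "0.0.0.0/0")],
    "db": [("tcp", 3306, 3306, "group:web")],
}

# Hypothetical security-group ids and the tier each one represents.
TIER_OF_SG = {"sg-web-1111": "web", "sg-db-2222": "db"}

# Control-plane view, in the field layout of Neutron's security-group-rules
# API.  Constructed; the third rule is the drift we want to catch.
NEUTRON_RULES = [
    {"security_group_id": "sg-web-1111", "direction": "ingress", "ethertype": "IPv4",
     "protocol": "tcp", "port_range_min": 443, "port_range_max": 443,
     "remote_ip_prefix": "0.0.0.0/0", "remote_group_id": None},
    {"security_group_id": "sg-db-2222", "direction": "ingress", "ethertype": "IPv4",
     "protocol": "tcp", "port_range_min": 3306, "port_range_max": 3306,
     "remote_ip_prefix": None, "remote_group_id": "sg-web-1111"},
    {"security_group_id": "sg-db-2222", "direction": "ingress", "ethertype": "IPv4",
     "protocol": "tcp", "port_range_min": 22, "port_range_max": 22,
     "remote_ip_prefix": "0.0.0.0/0", "remote_group_id": None},
]

# Instance address -> tier, as derived from the Neutron port list (constructed).
TIER_OF_IP = {"10.0.1.10": "web", "10.0.1.11": "web", "10.0.2.20": "db"}

# Data-plane view: observed flows as (src, dst, proto, dst_port).  Constructed.
FLOWS = [
    ("203.0.113.5", "10.0.1.10", "tcp", 443),   # Internet -> web HTTPS
    ("10.0.1.10", "10.0.2.20", "tcp", 3306),    # web -> db MySQL
    ("203.0.113.5", "10.0.2.20", "tcp", 22),    # Internet -> db SSH
    ("10.0.2.20", "10.0.1.11", "tcp", 8080),    # db -> web, nothing permits it
]


def normalize(rules: List[dict]) -> Dict[str, List[Rule]]:
    """Convert Neutron rule records into per-tier normalized ingress rules."""
    out: Dict[str, List[Rule]] = {}
    for r in rules:
        # Neutron's default allow-all egress rules are out of scope here.
        if r["direction"] != "ingress" or r["ethertype"] != "IPv4":
            continue
        tier = TIER_OF_SG.get(r["security_group_id"])
        if tier is None:
            continue
        proto = r["protocol"] or "any"                      # null protocol = any
        pmin = r["port_range_min"] if r["port_range_min"] is not None else 0
        pmax = r["port_range_max"] if r["port_range_max"] is not None else 65535
        if r["remote_group_id"]:
            src = "group:" + TIER_OF_SG.get(r["remote_group_id"], r["remote_group_id"])
        else:
            src = r["remote_ip_prefix"] or "0.0.0.0/0"      # no remote = anywhere
        out.setdefault(tier, []).append((proto, pmin, pmax, src))
    return out


def source_covered(actual: str, intended: str) -> bool:
    """Is the rule's source within what the policy allows?"""
    if actual.startswith("group:") or intended.startswith("group:"):
        return actual == intended
    return ipaddress.ip_network(actual, strict=False).subnet_of(
        ipaddress.ip_network(intended, strict=False))


def rule_covered(rule: Rule, policy: List[Rule]) -> bool:
    proto, pmin, pmax, src = rule
    return any(p in (proto, "any") and a <= pmin and pmax <= b and source_covered(src, s)
               for p, a, b, s in policy)


def audit_rules(actual: Dict[str, List[Rule]], intended: Dict[str, List[Rule]]):
    """Ingress rules deployed in Neutron that the intended policy does not permit."""
    return [(tier, r) for tier, rs in actual.items()
            for r in rs if not rule_covered(r, intended.get(tier, []))]


def flow_allowed(policy: List[Rule], src_ip: str, proto: str, dport: int) -> bool:
    src_tier = TIER_OF_IP.get(src_ip)
    for p, a, b, s in policy:
        if p not in (proto, "any") or not a <= dport <= b:
            continue
        if s.startswith("group:"):
            if src_tier == s[len("group:"):]:
                return True
        elif ipaddress.ip_address(src_ip) in ipaddress.ip_network(s, strict=False):
            return True
    return False


def audit_flows(flows, actual, intended):
    """Label each observed flow by how it relates to policy and to deployed rules."""
    verdicts = []
    for src, dst, proto, dport in flows:
        tier = TIER_OF_IP.get(dst)
        if tier is None:
            continue                                 # not one of our instances
        by_policy = flow_allowed(intended.get(tier, []), src, proto, dport)
        by_rules = flow_allowed(actual.get(tier, []), src, proto, dport)
        if by_policy and by_rules:
            verdict = "ok"
        elif by_rules:
            verdict = "policy-violation"             # a drifted rule let it through
        else:
            verdict = "not-permitted-by-rules"       # seen anyway: stale snapshot or bypass
        verdicts.append((src, dst, proto, dport, verdict))
    return verdicts


if __name__ == "__main__":
    deployed = normalize(NEUTRON_RULES)
    for tier, rule in audit_rules(deployed, INTENDED):
        print("non-compliant rule on", tier, rule)
    for v in audit_flows(FLOWS, deployed, INTENDED):
        print(*v)
```

Run against a real cloud, the rule records would come from a periodic poll of the Neutron API and the flows from whatever the data plane exports (conntrack, sFlow, or the OVS flow tables); the two verdicts other than "ok" are the ones slide 18 calls non-compliant policies and non-compliant data flows. A flow that the deployed rules do not permit but that was still observed deserves the most attention, because it means either the rule snapshot is stale or the enforcement point was bypassed.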

  20. Cloudvisory Security Platform Value
• Reduce human middleware / lower costs
• Rapid change management / speed up operations
• Harden security
• Thwart nation state hackers

  21. Cloudvisory Security Platform Demo
Hybrid & Multi-Cloud Security: Intelligence • Control • Compliance

  22. Better Cloud Security through Automation
Cloudvisory Security Platform
1. Simplifies: a single interface for cloud-native policy automation across providers
2. Discovers and visualizes: multi-cloud infrastructures, context, data flows and critical security violations
3. Automates: provisioning and rapid change management of policy and micro-segmentation of workloads
4. Compliance: real-time monitoring of flows and policies for compliance and enforcement
5. Cross-discipline: manages multi-tenant environments; role-based solution for use by Dev/Ops, Security and Business

  23. Functional/Architectural Requirements Realized
Cloudvisory Security Platform
• Should leverage cloud-native security controls
• Must not negate the self-service afforded to cloud users
• Must have minimal to no impact on workload performance
• Will scale with our cloud
• Must be highly available
• Installation and upgrades can be automated with CI/CD tooling (e.g. Ansible, Puppet, etc.)
• Solution should not hinder our ability to upgrade the hypervisor or OpenStack
• Role-based access control (RBAC) for separation of duties
• Should provide an API for integration with existing systems
