Cloud Security: Timothy Brown

The document discusses cloud security options including Amazon AWS, Google Cloud, and Microsoft Azure. It addresses fundamental questions about security in the cloud versus on-premises. The presentation outlines how each cloud platform provides network segmentation, logging and monitoring, and access controls. It also discusses different architectural approaches like microsegmentation and typical architectures used by AWS, Google, and Azure. The document notes that AWS and Azure have received FedRAMP compliance while Google Cloud has no SRG compliance. It concludes by discussing the zero trust model and where the security industry is headed.


CLOUD SECURITY
Timothy Brown
Director, Security & Virtualization
Network Utility Force
About Your Presenter

• Walker and Associates has been around for more than 40 years, handling the needs of communications carriers and the Federal Government as a Value Added Distributor (Warehousing, Networking, Design Services, Reselling)
• Network Utility Force is a consulting company focused on network and security infrastructure. We enable companies to make the most of their infrastructure. Our team collectively has over 100 years of service provider and enterprise engineering experience.
• I (Tim Brown) am ex-OEM, ex-service provider, ex-VAR and have been involved in network engineering since 1995.
Today’s Presentation

Fundamental questions (but there are many others):

• Is being in the cloud less secure than having gear at my facility?
• What new threats do I face by moving to the cloud?
• How can all this “as-a-service” stuff help me do my job?
How do you normally protect an asset?
Cloud has us think of things a little differently
• Generate revenue from “functions”
• Decompose the true cost/effort of delivering a given function, make that something we can sell (“de”-commoditize)
• The security needs of DoD are fundamentally different from a web hosting provider
• Move to automation, immutability
• Services don’t prevent you from rolling your own (and in the DoD case, you use SCCA)
Looking at five options today

• Amazon’s AWS
• Google Cloud
• Microsoft Azure
• Virtualized security within your existing facilities
• Carriers/Hosting
One axis: How “automatable” is the solution
• With cloud computing and virtualization, the world is moving to a more “repeatable, immutable” model
• Applications no longer monolithic
• Systems are heading to a distributed world
Cloud Platforms and Security Features
All clouds offer some high level segmentation and network virtualization
• “Buckets” of resources
• Projects, VPCs, granularity
• Whitebox or software switches, special hypervisor features
• MAC learning, custom drivers
• Custom firewalls/packet processors
Network Features

Amazon AWS
• Custom route tables
• DHCP Options
• Elastic IPs
• Flexible NAT
• Cloud Firewall
• Peering
• Flow Monitoring

Google Cloud
• Cloud Load Balancing
• Cloud CDN
• Cloud Firewall
• Cloud Interconnect

Microsoft Azure
• ExpressRoute
• Custom route tables
• Peering
• Load Balancing/Application Gateway
• Network Watcher
Logging and Monitoring

Amazon AWS
• CloudTrail
• CloudWatch
• Log Aggregation

Google Cloud
• Stackdriver (AWS+GCP) – Error reporting, trace, debugger, API frontends

Microsoft Azure
• Azure Monitoring
• Application Insights
• Log Analytics
• System Center Operations Manager
Access Control

Amazon AWS
• IAM
• MFA
• Directory Service

Google Cloud
• Cloud IAM
• Cloud IAP
• Cloud DLP
• Key Vaults

Microsoft Azure
• Key Vault
• Active Directory
• MFA
Border Protection Approach
Historical approach to security: protect the border
Firewall and router, or just firewall
[Diagram: Router, Firewall, Switching]
Segmentation Approach
Segmentation approach
Firewall and router, or just firewall
[Diagram: Router, Firewall, Firewall, Switching]
Microsegmentation Approach
Microsegmentation
[Diagram: Switching, Virtual machine, Virtual machine]
Typical Architectures
AWS
Some terminology changes
[Diagram: three-tier AWS architecture spanning Availability Zone A and Availability Zone B, next to its data-center equivalent (primary and COOP data center). Web Servers in an auto scaling group in DMZ Subnets behind an ELB; App Servers in an auto scaling group in App Subnets; DB Servers (primary and secondary, synchronous replication) in Database Subnets; each tier in its own security group.]
Terminology mapping (AWS term: data center term):
• AZ: Data Center
• Subnet: VLAN
• EC2 instance: Server/VM
• security group: FW
• ELB: Load Balancer
AWS Architecture Example
AWS Architecture
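As an added illustration (not from the presentation), the border-protection and microsegmentation approaches above modelled with AWS security-group semantics: a security group is a per-instance firewall whose ingress rules may reference another group instead of an address range. The group names, ports and the single-hop blast_radius helper are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

ANY = "any"        # source wildcard (0.0.0.0/0 in AWS terms)
ALL_PORTS = -1     # AWS "All traffic"

@dataclass(frozen=True)
class Ingress:
    source: str    # name of the referencing security group, or ANY
    proto: str     # "tcp", "udp" or "all"
    port: int      # single port, or ALL_PORTS

@dataclass
class SecurityGroup:
    name: str
    ingress: List[Ingress] = field(default_factory=list)  # inbound is default-deny

Policy = Dict[str, SecurityGroup]

def build(*groups: SecurityGroup) -> Policy:
    return {g.name: g for g in groups}

# Border-protection model: every host sits behind one edge firewall in a
# single group that trusts itself on every port (assumed layout).
BORDER = build(
    SecurityGroup("lan", [Ingress(ANY, "tcp", 443), Ingress("lan", "all", ALL_PORTS)]),
)

# Microsegmentation model of the AWS three-tier slide: one security group per
# tier, each admitting only the tier in front of it (names and ports assumed).
MICROSEG = build(
    SecurityGroup("sg-lb", [Ingress(ANY, "tcp", 443)]),
    SecurityGroup("sg-web", [Ingress("sg-lb", "tcp", 443)]),
    SecurityGroup("sg-app", [Ingress("sg-web", "tcp", 8080)]),
    SecurityGroup("sg-db", [Ingress("sg-app", "tcp", 3306)]),
)

def allowed(policy: Policy, src: str, dst: str, proto: str, port: int) -> bool:
    """True if an instance in `src` may open proto/port to an instance in `dst`."""
    return any(
        r.source in (ANY, src) and r.proto in ("all", proto) and r.port in (ALL_PORTS, port)
        for r in policy[dst].ingress
    )

def blast_radius(policy: Policy, compromised: str) -> Set[str]:
    """Groups that a host in `compromised` can reach directly on some port."""
    return {g.name for g in policy.values()
            if any(r.source in (ANY, compromised) for r in g.ingress)}
```

Under BORDER a compromised web host reaches the database port directly; under MICROSEG the same request is dropped because sg-db only admits sg-app, so the lateral path has to go tier by tier.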
AWS Compliance
• GovCloud has achieved FedRAMP High
• Provisional authorizations for IL4 and soon IL5 (unclassified, IL5 includes unclassified National Security Systems)
• See https://s3.amazonaws.com/quickstart-reference/enterprise-accelerator/nist/latest/assets/NIST-800-53-Security-Controls-Mapping.xlsx
Google
Google Cloud Architecture
Google Compliance
• Has FedRAMP ATO
• No SRG compliance as far as I know
Azure
Microsoft Azure Architecture
Azure Compliance
• DoD IL5, IL4 compliant
You Host It
Comes back to our two views: segmentation and microsegmentation
Firewall and router, or just firewall
[Diagram: Router, Firewall, Firewall, Switching; Switching, Virtual machine, Virtual machine]
Where the security industry is headed
Zero Trust Model
Summary
Thanks