How To Secure Devops
This document was uploaded by user and they confirmed that they have the permission to share it. If you are author or own the copyright of this book, please report to us by using this DMCA report form. Report DMCA
Overview
Download & View How To Secure Devops as PDF for free.
More details
- Words: 4,538
- Pages: 15
Whitepaper ARIA SDS
How to Secure DevOps Across Any Environment with CSPi’s ARIA
Software-Defined Security
Whitepaper ARIA SDS
Executive summary Today, many businesses are doing all they can to roll out a much more scalable and agile DevOps model in an effort to drive the delivery of new applications and take business growth to the next level. The DevOps model delivers features faster with an iterative development approach, a critical component for efficient and effective business outcomes. PLAN
Yet, at the same time, these dynamically built applications can be difficult to secure. Until now, there hasn’t been an easy way for developers to apply the required security features
Iterative Development
without adding intensive coding efforts into their build process.
OPERATE
BUILD
In many cases, potential security issues are an afterthought, considered closer to production release instead of being
DEPLOY
incorporated into the application design. All of this adds significant risk, especially when prototype applications, with limited to no security controls in place, need
Agile DevOps processes help organizations develop and deploy applications quickly and effectively for maximum business advantage.
access to production data for testing purposes. This happens more often than not as concepts need to be proven and then turned into full production applications. Such applications evolve through iterations of continuous development, integration, testing, and deployment. In addition, the ease with which virtualized machines (VMs) and/or Considerations in Security Policies: • What containers should be allowed to be interconnected together and from where? • Or should an Amazon Elastic Compute Cloud (EC2)-hosted container be able to connect back into the private data center, and if so, under what conditions?
containers can be used to build and house applications, as well as access and store data, has complicated the processes related to applying security policies consistently and uniformly. As a result, the concept of enterprise-wide “Secure DevOps” and end-to-end information security can be difficult to achieve. Now with CSPi’s ARIA™ Software-Defined Security (SDS) platform, there is a way to make InfoSec and agile DevOps come together and enable the entire organization to reap the many benefits this combination can provide. This white paper will offer a closer look at the security challenges that exist today, why traditional security tools fall short, and
how a new approach to software defined security can help any organization not only achieve Secure DevOps, but also make breaches irrelevant. 2
Whitepaper ARIA SDS
The need for a new perspective and approach to handling cyber-attacks Every year, the number of cyber-attacks and data breaches reaches new all-time highs. In fact, the evidence shows that the number of attacks – increasingly sophisticated in nature – will continue to climb and pose ever-greater risks to businesses and consumers. •
The first nine months of 2017 had more than 1,000 breaches in the U.S. alone. This number represents a 30 percent increase over 2016, which was itself a record-breaking year.
•
2017 was also notable for the high number of large, high profile breaches that
30%
occurred, including at companies such as Equifax, the IRS, the SEC, and many more. •
Only 33 percent of organizations actually discover successful breaches through their own monitoring or security tools.
•
2016
2017
Cyber attacks and breaches continue to grow
With so many breaches and lost data, it is highly likely that all consumers’ social security numbers (along with other PII data) will be compromised within the next 18 months.
It’s difficult for InfoSec resources to keep up. Cisco’s 2017 cyber security survey
5
1010110 1010110
1010110
,ooo Alerts a day
It is impossible to investigate all intrusion alerts.
shows that an average organization can get 5000 alerts per day from their installed security tools such as firewalls or intrusion protection systems (IPS.) This number is so high that it makes it difficult for analysts to find the proverbial needle in the haystack the one anomaly that could indicate that a breach occurred. With so many alerts, it is not surprising to note that 66 percent of breaches took months, even years to discover. All of this points to the need for a new approach to data breach response, one that makes breaches irrelevant, so that when the inevitable does occur, the data cannot be accessed in a usable form.
People and organizations are not to blame It is important to note that these security challenges are not entirely due to employee shortcomings, or a lack of effort on the part of operations, information security, or application developers.
3
Whitepaper ARIA SDS
Companies today are highly complex environments with IT infrastructure, networks, assets, and data spanning many different organizations and residing in a mix of private, on-premise data centers, public clouds, and hybrid deployments. In their attempt to protect these large, scalable and highly flexible environments, most
$
companies rely on a “stack” of security
Per App. Requirement
discrete tools, such as firewalls,
Forensic Analysis
WAFs, SIEMs, log management tools,
Firewall
antivirus, malware-removal tools,
Anit-Virus Cost
endpointsystems, IAM, DLP and IDS/
Encryption
IPS. While each of these tools are
IPS
valuable in their own way, their lack of orchestration impedes their ability to provide the full security organizations require. This is because they are discrete, or silo’ed, and by design only
On Premises
Data Center
Public Cloud
Complexity
Too many complex security tools are required to be effective
“see” one piece of a potential threat and generate a great deal of noise by issuing intrusion alerts (up to 5,000 a day.) Further, as an organization scales the deployment of these tools from their premises to the public cloud, it becomes not only very costly, but also more challenging and complex to manage. In a cloud deployment an additional, yet often overlooked, cost is that compute cycles must be paid for; as a result, deploying such tools for compute instances that come and go is extremely expensive and time consuming. For tools that are not automated, the effort required to properly configure each one can take hours and rely on highly trained resources. It’s no wonder most organizations don’t even bother trying. The above exposes serious gaps including the need for forensic tools and a means to deploy them cost-effectively to help ensure they can collect the appropriate data to meet compliance with data privacy regulations, avoid fines, and provide accurate auditing. Another variable to consider is the highly virtualized world of data that exists today, and how this information moves across the enterprise. Many security tools do well
4
Whitepaper ARIA SDS
on north-south traffic, but can’t be deployed to properly provide full visibility into east-west traffic flows – leaving sensitive data and critical assets at risk. Add a fast-moving DevOps model into the mix, and this will further increase the number of east-west data connections, with more dynamic traffic patterns. When combined, these issues make it much more unlikely that traditional threat detection tools and systems will identify real cyber-threats without overwhelming security teams between the identified tools gap and the intrusion alert “noise.” The last point worth considering is that most of today’s security tools are installed to identify problems – not prevent them in the first place. Placing the focus on finding the problems rather than better prevention is one of the main culprits driving these issues. The bottom line – it’s the tools and processes that need to change in order to achieve: •
Better orchestration
•
Increase visibility and ability to monitor what’s in the gaps
•
Quicker, easier tool deployment
•
Protect applications and the data within from the start
The compliance challenge A threat surface as broad as the one described leads to breach exposure that represents a difficult compliance challenge. Without fast accurate access to the “who-what-where-when” information related to a potential breach, organizations are hard-pressed to comply with the stringent regulations set out by the EU’s General Data Protection Regulation (GDPR). For example, GDPR requires a threeday breach notification to the appropriate country authorities in any/all EU countries whose citizens’ data was exposed or lost. With the caveat being if an organization can prove those data records were properly encrypted notification is not required. No proof means that the exact details on which citizens were impacted must be provided immediately thereafter. Failure to comply has significant financial consequences. Any organization that has 5
Whitepaper
1010110 1010110 1010
ARIA SDS
a presence in the EU or UK could face a fine of € 20M Euros or four 4% of total revenue (whatever is higher) for each breach. Even those companies without a EU presence aren’t safe. U.S. laws now allow EU countries to create class-action lawsuits against them, which may have to be defended in each country. Finally, 29 U.S. states have similar laws, and depending
GDPR specifies
hour 72 breach notification.
upon the state, typically impose fines if its residing citizens have not been notified within 30 days of a breach where their PII/PHI data was exposed – if not encrypted.
Failure to comply may result in fines up to % revenue or
The conflict between business requirements, DevOps methods, and traditional InfoSec approaches
4
20m Euro €
A business is only as strong as the efficiency of its operating model. New applications that help generate additional revenue, or create internal efficiencies, are benefiting from the shortened time to deployment provided by DevOps processes. Yet, it also highlights conflicts between internal stakeholders: •
Business line owners want the applications out faster
•
Developers need the ability to iterate their work quicker with feedback from production environment testing
•
Ops teams responsible for the underlying platform and network are obliging, but InfoSec teams are often left out of the loop until several iterations of the application have been up and running long enough to give the development teams confidence in their design.
It is understandable why some may think that including security prior to final deployment could be a wasted effort, and more importantly, slow down development. However, even early iterations often need to be tested with production data, exposing one of the biggest problems with leaving security out of the planning and build process. To solve this, a school of thought to “shift left” has arisen, and at its core, it believes that application developers can secure their applications just enough for testing with simple vulnerability tools. In reality this is not enough – if an application touches critical data, it also needs advanced security functions, such as proper encryption. 6
Whitepaper ARIA SDS
Application Development Integration Test Fix InfoSec (Ops) Deploy (Ops) Waterfall Model Time DevelOps Model
PLAN
PLAN
OPERATE
BUILD
DEPLOY
OPERATE
PLAN
BUILD
OPERATE
DEPLOY
Prototype
Test with Production Data
1st Iteration of App
PLAN
OPERATE
BUILD
DEPLOY
DEPLOY
2nd Iteration of App
DevOps Model shrinks application timeline and removes InfoSec from early planning discussions. Ultimately creating a barrier to production testing and application deployment.
BUILD
Production App
InfoSec
Yet, very few developers are security experts, nor should they be expected to be. Thus, forcing application developers to learn, in depth, how to implement, iterate, and debug sophisticated security functions would add significant time and effort – running counter to the entire DevOps process and pushing out expected delivery timelines. Additionally, requiring developers to incorporate security features into applications could potentially add significant complexity to their coding approach, as it requires skill sets that are not widely available. The result is delays or an inferior product that will need more iterations to perfect, or both. The DevOps model further makes the entire process much more complicated in two significant ways: 1. Not only do applications need to be secured, but they also need to be secured no matter where they
PLAN
BUILD
OPERATE
Iterative Development
reside – on-premise, in a public cloud, or in a hybrid environment. The data these applications access also
DEPLOY
Application developers lack tools and skills to secure applications during phase.
TEST
needs to be secured no matter where it is stored, how it is being accessed through the network (east-west or north-south), and how it is being used, processed, and
Security considerations are generally not part of the early stages of DevOps models, which contributes to increased vulnerabilities and new risks.
then stored. 2. Also, consider that InfoSec teams are often separate from other lines of business and may only have limited influence over development strategies. 7
Whitepaper ARIA SDS
Without direct up front involvement, InfoSec may have to resort to playing catch-up to discover, monitor, and secure applications well after they’re deployed. Securing applications and data after the fact is a real concern; quite often the only way to apply the appropriate security policies is to shut down the application, which can have a negative impact on the entire business.
Valid security concerns All of these security concerns are well founded and real examples can be pointed to. Take, for example, the deployment of millions of connected cars with no thought of proper security or industrial process and IoT applications that have had to be pulled back to properly secure. In the case of the Equifax breach, many experts believe that it can be attributed to a single overlooked patch on one open-source application. The process should have been simple – install the patch to secure the data accessed by a chain of vulnerable applications, and there would be no data loss. Instead Equifax threw resources at it – literally 172 highly trained InfoSec members on staff – but without the right tools, the odds were against them, and they made the crucial mistake that the underlying data was not properly secured. These examples prove the rule: a single misstep can be disastrous. Like the saying suggests, a chain is only as strong as its weakest link, and in the case of DevOps, any exposure of critical data could lead to a breach – or even the downfall of the entire company. All of this points to the growing need for a simple solution to enable “Secure DevOps”, an approach that provides a best-of-both worlds enables agile software development in a way that results in secure, compliant business solutions deployed with a foolproof methodology.
So what does effective security look like? If the ultimate goal is enterprise-wide and end-to-end protection of critical data – no matter where it’s used or resides – organizations need to take a much more proactive and automated approach. For example, trends such as virtualization and the proliferation of containers now make security efforts much more challenging, so 8
Whitepaper ARIA SDS
InfoSec teams must do all they can to secure and encrypt critical data at the source (e.g., private data centers, public clouds, or hybrid mixes of on-premise and public cloud deployments). All of this is required to help balance the need to maintain security policies and data protection within a traditional IT infrastructure with the desire for more agile, flexible DevOps practices. This balance has been hard, if not impossible, to achieve – until now.
Organizations need a simple, yet cost-effective solution for enterprise-wide security that meets the following goals: Has no negative impact on business operations and ideally reduces time to secure application deployment. Provides a complete security approach to not only protect east-west and north-south traffic, but also secure all the packet-level data at rest, in motion, and in use. Can be easily deployed in any environment, including private networks and data centers, public clouds, or hybrid environments, and dosen’t require any significant infrastructure changes. Gives developers the tools they need to easily, and quickly secure applications during development without changing the normal development approach, thus ensuring the security of production-level data. Allows the operations team, in particular the InfoSec Ops team, to independently set policies as applications appear and to quickly adapt such rules to application deployment and usage. Programmatically applies the organization’s appropriate security policies to the applications, servers, virtualized machines, cloud instances and containers as they grow and scale. 1010 0110
Offloads core-intensive security functions to allow for such features to run in legacy server environments without application performance issues.
CSPI’s ARIA SDS Platform: A first of its kind enterprise-wide security CSPi’s ARIA Software-Defined Security (SDS) platform is the only security technology that can help companies achieve uncompromised security, enterprise-wide, by protecting applications and making critical data unusable if a breach occurs. At the same time, ARIA brings balance to the need for rapid application development and the necessity to maintain the consistent application of security policies and data security within a traditional IT infrastructure. 9
Whitepaper ARIA SDS
This new security approach essentially enables today’s organizations to truly achieve Secure DevOps with a simple reliable toolset and process. ARIA automatically and uniformly applies the appropriate micro- segmentation and encryption policies – by application, device, or data type accessed anywhere, under any use, and at any time. Additionally, ARIA secures containerized and virtualized deployments as they spawn to automatically to protect the applications, as well as the data they use and produce. ARIA can also properly protect data, often PII in nature, on an application-byapplication basis, using per-tenant encryption. Additionally, it also efficiently allows for selective traffic flows, or copies thereof, to be sent to IDS, DLP, sandboxes or to data recorders, such as our Myricom® nVoy Series InfoSec
solution for detecting breaches of PII/PHI and for forensic analysis when breaches occur. This is critical for verification of encryption of records to ensure PII regulatory compliance and avoid fines.
ARIA
The ARIA SDS platform uses patented technology to execute
Dev
Ops
security services in any environment (public cloud, on-premises, private data center, or hybrid environment). It is comprised of software instances (SDSIs) that can be deployed as agents within containers or VMs as applications are built and provisioned.
ARIA supports the varying business needs in a DevOps model while protecting data enterprise-wide.
These agents can be deployed with routines that include security functions such as encryption algorithms and the engines that run them. Developers can follow very simple steps to connect the SDSi security functions within their applications to enable them to secure the data they access and process. The ARIA SDSIs can also perform services that have no impact on development, including micro-segmentation, policy-triggered flow redirect, flow copying, selective flow blocking, and a variety of value-added functions. All of these services can be configured and provisioned externally by operations or InfoSec teams manually or in fully automated fashion upon application activation. These SDSIs beacon out to and are discovered by the ARIA Orchestrator to enable the fully autonomous detection and configuration of the appropriate protection functions provided by ARIA.
10
Whitepaper ARIA SDS
How it works This approach allows developers to import the ARIA SDSi instances as agents into their applications, and where desired, to use simple connectors to access the desired security services to run within the agents. Once active, these instances beacon out to the ARIA Orchestrator, which can then provision each security feature by profile, by-hand, or programmatically, to preset polices. This allows the InfoSec team to immediately learn of new applications, verify their images to avoid introducing vulnerabilities into the production environment, and make important decisions such as: •
What the applications can connect to
•
How and with what types of security features such as east-west VPN
•
What levels of AES encryption should be used for accessing and replacing data in storage
Policies can be preprogramed so that select east-west communication application flows will be redirected to an application firewall, DLP, or IDS/IPS instance. They can also be duplicated and sent to sandboxes or packet capture recorder devices, such as our Myricom nVoy packet recorder, for advanced security service monitoring, automated breach identification, and verification that if a breach occurs that critical data has been properly encrypted. Security policies can be provisioned on SDSi instances running in any compute infrastructure, which includes public cloud instances and private severs – in bare metal, VMs, or container deployments. As a result, the ARIA platform allows security features and controlling policies to be deployed uniformly end-to-end across any mixed domain. Enterprise Data Center
CSPI’s ARIA Software-Defined Security solution presents a new security approach to overcome previous challenges and deliver true “Secure DevOps.”
Public Cloud
Premises NSX
C EC2
SIA VM VM VM VM
SIA
C APP1
Symmetric encrypted VPN Path
APP2
Highly Encrypted Data-at-Rest Path SOS Orchestrator 11
Whitepaper ARIA SDS
Improving server performance and security Some advanced security functions, including encryption, key management and tokenization, are server core-intensive, and many installed servers will not have enough performance to run existing applications in addition to these security functions without adding additional CPU processing cores. To avoid forcing a wholesale server upgrade, the ARIA SDS platform seamlessly interfaces with CSPi’s Myricom ARC Series Secure Intelligent Adapter (SIA) to offload specified security functions, such as encryption services as well as packet filtering, select packet stream duplication, and packet stream redirecting functions. The benefits are that encryption can be run at line rates completely offloaded from the server cores – allowing optimal application operation. As with any other network adapter, the ARC SIA inserts into a server’s PCIe slots and provides services within or between containers or VMs on the same device, or throughout the network to remote containers or VMs. The SIA also provides 1/10/25G multi-port NIC functionality, allowing such servers to run at higher rates across the network. Security policies are provisioned directly on the adapter in the same manner as they are on the SDSi instances by the ARIA Orchestrator – allowing for seamless end-to-end security policy to be deployed across cloud and legacy environments without constraint. Secure encryption engine and key cache functions available on the Myricom ARC SIA: 1. Securely receive and store keys within its own hardware based trust zone. 2. Keys are used locally - within its own cores to perform the crypto functions vs. openly on the host. 3. Per application and/or per tenant encryption - at the appropriate level of protection. 4. Support for open encryption models and standards including AWS and KMIP based services 5. Locally house Key Management Functions (KMS) to serve keys as required, as noted in Function 1
12
Whitepaper ARIA SDS
The ARC SIA secures the data by not only storing the keys, but also executing them locally. If the server is breached, the keys are out of harms’ way, preventing a hacker from reading in use keys. This avoids a critical vulnerability with most software encryption applications that run on the server: once on the server, an attacker has the ability to access the keys in use, and once the attacker has the keys, they can use them to access this application’s data on any device they have hacked into – enterprise-wide. The SIA approach provides the ultimate in the security of critical applications: 1. Executes crypto functions within storage arrays at line rates without forcing upgrades to the array CPU, allowing faster and safer data transfer. 2. Works within any application server to perform crypto applications securely with high performance. 3. Works with standard KMS servers and can host these functions within the SIA for secure local use. 4. FIPs version available that hardens all such functions from tampering. The ARC SIA can also run third-party applications, such as KMS, firewalls, DLP, and others, using the adapter processor cores, thereby off-loading the overloaded server CPU cores and leverage its memory the same way they would on an X86 server. The benefit is they no longer compete for the cores in the resident host.
Network Driven Security For organizations that have invested in a VMWare NSX architecture, ARIA can be deployed within it, allowing it to leverage NSX’s ability to access specific traffic flows between any VM, intra-server, or inter-server, to map them through an ARIA instance and take advantage of security features provided by the ARIA platform. NSX installations leveraging ARIA can experience a ten-fold improvement in application performance by offloading key security functions, such as encryption and key management, from the server to the SIA.
13
Whitepaper ARIA SDS
As described earlier, the SIA can provide security services VM-to-VM on the same device, or out through the network to remote VMs as directed by NSX. ARIA further allows security policies to be enforced beyond NSX domains into containerized/ other DevOps worlds in the public as well as private cloud infrastructures.
The CSPi ARIA SDS Platform Benefits •
Visibility and provisioning of a wide range of security policies across virtual environments in public and/or private clouds.
•
Simple drop-in and connection of ARIA SDSi agents within containers and applications as development steps that allow developers a simple consistent way to roll in security capabilities with little effort or knowledge and no need to preconfigure.
•
Secure DevOps with ARIA Easy Application Security
The ability for InfoSec teams to come in after development and run auto-discovery of the ARIA instances to provision any new applications with the appropriate security features.
•
101 01101
The redirecting of certain traffic flows cost-effectively to centralized advanced security functions such as those provided by, application
Imprenetable Data Protection Automatic Policy Application
firewalls, IDS/IPS, DLP, or the Myricom nVoy series for automated breach identification and proof that critical data has been properly encrypted to meet regulatory notification deadlines and avoid fines. •
Offloading of core-intensive services, like encryption, to an intelligent Myricom ARC Series SIA – handling up to 50Gbps line rate.
•
Breach-proof server applications by performing key storage and execution encryption safely off server, so that keys are not exposed if the server is breached.
•
Deployment within NSX environments – allowing it to transparently map network flows to ARIA security services.
•
Ability to deploy the Myricom ARC SIA in public cloud-dedicated host servers as well as in private data centers.
14
Whitepaper ARIA SDS
•
Ten-fold cost reduction in deploying crypto services by offloading server cores and avoiding server upgrades.
As a result, CSPi’s ARIA solution provides the critical functionality needed to fully secure a DevOps environment, to simplify how application developers and InfoSec teams focus on their responsibilities and activities.
Comprehensive security solutions. Complete business results. To overcome security challenges and provide a more effective approach, today’s companies require efficient and effective security solutions, capable of protecting their most critical data and allowing for the rapid scale, deployment, and management of their business data – no matter where it travels or resides. CSPi’s ARIA solution delivers on this potential, while also giving developers and InfoSec team members a proven way to achieve Secure DevOps and all of its related benefits.
To learn more about ARIA, or how CSPi is changing the way today’s leaders manage security, please visit our website at www.cspi.com.
About CSPi CSPi (NASDAQ: CSPi) is a global technology innovator driven by a long history of business ingenuity and technical expertise. A market leader since 1968, we are committed to helping our customers meet the demanding performance, availability, and security requirements of their complex network, applications and services that drive success. CSPi Corporate Headquarters 175 Cabot Street - Suite 210 Lowell, MA 01854
CSPi High Performance Products
CSPi Technology Solutions
800.325.3110 (US & Canada)
800.940.1111
[email protected]
[email protected] [email protected]
800.325.3110 (US & Canada)
www.linkedin.com/company/csp-inc
@ThisIsCSPi
[email protected]
www.cspi.com
All companies and logos mentioned herein may be trademarks and/or registered trademarks of their respective companies.
15
How to Secure DevOps Across Any Environment with CSPi’s ARIA
Software-Defined Security
Whitepaper ARIA SDS
Executive summary Today, many businesses are doing all they can to roll out a much more scalable and agile DevOps model in an effort to drive the delivery of new applications and take business growth to the next level. The DevOps model delivers features faster with an iterative development approach, a critical component for efficient and effective business outcomes. PLAN
Yet, at the same time, these dynamically built applications can be difficult to secure. Until now, there hasn’t been an easy way for developers to apply the required security features
Iterative Development
without adding intensive coding efforts into their build process.
OPERATE
BUILD
In many cases, potential security issues are an afterthought, considered closer to production release instead of being
DEPLOY
incorporated into the application design. All of this adds significant risk, especially when prototype applications, with limited to no security controls in place, need
Agile DevOps processes help organizations develop and deploy applications quickly and effectively for maximum business advantage.
access to production data for testing purposes. This happens more often than not as concepts need to be proven and then turned into full production applications. Such applications evolve through iterations of continuous development, integration, testing, and deployment. In addition, the ease with which virtualized machines (VMs) and/or Considerations in Security Policies: • What containers should be allowed to be interconnected together and from where? • Or should an Amazon Elastic Compute Cloud (EC2)-hosted container be able to connect back into the private data center, and if so, under what conditions?
containers can be used to build and house applications, as well as access and store data, has complicated the processes related to applying security policies consistently and uniformly. As a result, the concept of enterprise-wide “Secure DevOps” and end-to-end information security can be difficult to achieve. Now with CSPi’s ARIA™ Software-Defined Security (SDS) platform, there is a way to make InfoSec and agile DevOps come together and enable the entire organization to reap the many benefits this combination can provide. This white paper will offer a closer look at the security challenges that exist today, why traditional security tools fall short, and
how a new approach to software defined security can help any organization not only achieve Secure DevOps, but also make breaches irrelevant. 2
Whitepaper ARIA SDS
The need for a new perspective and approach to handling cyber-attacks Every year, the number of cyber-attacks and data breaches reaches new all-time highs. In fact, the evidence shows that the number of attacks – increasingly sophisticated in nature – will continue to climb and pose ever-greater risks to businesses and consumers. •
The first nine months of 2017 had more than 1,000 breaches in the U.S. alone. This number represents a 30 percent increase over 2016, which was itself a record-breaking year.
•
2017 was also notable for the high number of large, high profile breaches that
30%
occurred, including at companies such as Equifax, the IRS, the SEC, and many more. •
Only 33 percent of organizations actually discover successful breaches through their own monitoring or security tools.
•
2016
2017
Cyber attacks and breaches continue to grow
With so many breaches and lost data, it is highly likely that all consumers’ social security numbers (along with other PII data) will be compromised within the next 18 months.
It’s difficult for InfoSec resources to keep up. Cisco’s 2017 cyber security survey
5
1010110 1010110
1010110
,ooo Alerts a day
It is impossible to investigate all intrusion alerts.
shows that an average organization can get 5000 alerts per day from their installed security tools such as firewalls or intrusion protection systems (IPS.) This number is so high that it makes it difficult for analysts to find the proverbial needle in the haystack the one anomaly that could indicate that a breach occurred. With so many alerts, it is not surprising to note that 66 percent of breaches took months, even years to discover. All of this points to the need for a new approach to data breach response, one that makes breaches irrelevant, so that when the inevitable does occur, the data cannot be accessed in a usable form.
People and organizations are not to blame It is important to note that these security challenges are not entirely due to employee shortcomings, or a lack of effort on the part of operations, information security, or application developers.
3
Whitepaper ARIA SDS
Companies today are highly complex environments with IT infrastructure, networks, assets, and data spanning many different organizations and residing in a mix of private, on-premise data centers, public clouds, and hybrid deployments. In their attempt to protect these large, scalable and highly flexible environments, most
$
companies rely on a “stack” of security
Per App. Requirement
discrete tools, such as firewalls,
Forensic Analysis
WAFs, SIEMs, log management tools,
Firewall
antivirus, malware-removal tools,
Anit-Virus Cost
endpointsystems, IAM, DLP and IDS/
Encryption
IPS. While each of these tools are
IPS
valuable in their own way, their lack of orchestration impedes their ability to provide the full security organizations require. This is because they are discrete, or silo’ed, and by design only
On Premises
Data Center
Public Cloud
Complexity
Too many complex security tools are required to be effective
“see” one piece of a potential threat and generate a great deal of noise by issuing intrusion alerts (up to 5,000 a day.) Further, as an organization scales the deployment of these tools from their premises to the public cloud, it becomes not only very costly, but also more challenging and complex to manage. In a cloud deployment an additional, yet often overlooked, cost is that compute cycles must be paid for; as a result, deploying such tools for compute instances that come and go is extremely expensive and time consuming. For tools that are not automated, the effort required to properly configure each one can take hours and rely on highly trained resources. It’s no wonder most organizations don’t even bother trying. The above exposes serious gaps including the need for forensic tools and a means to deploy them cost-effectively to help ensure they can collect the appropriate data to meet compliance with data privacy regulations, avoid fines, and provide accurate auditing. Another variable to consider is the highly virtualized world of data that exists today, and how this information moves across the enterprise. Many security tools do well
4
Whitepaper ARIA SDS
on north-south traffic, but can’t be deployed to properly provide full visibility into east-west traffic flows – leaving sensitive data and critical assets at risk. Add a fast-moving DevOps model into the mix, and this will further increase the number of east-west data connections, with more dynamic traffic patterns. When combined, these issues make it much more unlikely that traditional threat detection tools and systems will identify real cyber-threats without overwhelming security teams between the identified tools gap and the intrusion alert “noise.” The last point worth considering is that most of today’s security tools are installed to identify problems – not prevent them in the first place. Placing the focus on finding the problems rather than better prevention is one of the main culprits driving these issues. The bottom line – it’s the tools and processes that need to change in order to achieve: •
Better orchestration
•
Increase visibility and ability to monitor what’s in the gaps
•
Quicker, easier tool deployment
•
Protect applications and the data within from the start
The compliance challenge A threat surface as broad as the one described leads to breach exposure that represents a difficult compliance challenge. Without fast accurate access to the “who-what-where-when” information related to a potential breach, organizations are hard-pressed to comply with the stringent regulations set out by the EU’s General Data Protection Regulation (GDPR). For example, GDPR requires a threeday breach notification to the appropriate country authorities in any/all EU countries whose citizens’ data was exposed or lost. With the caveat being if an organization can prove those data records were properly encrypted notification is not required. No proof means that the exact details on which citizens were impacted must be provided immediately thereafter. Failure to comply has significant financial consequences. Any organization that has 5
Whitepaper
1010110 1010110 1010
ARIA SDS
a presence in the EU or UK could face a fine of € 20M Euros or four 4% of total revenue (whatever is higher) for each breach. Even those companies without a EU presence aren’t safe. U.S. laws now allow EU countries to create class-action lawsuits against them, which may have to be defended in each country. Finally, 29 U.S. states have similar laws, and depending
GDPR specifies
hour 72 breach notification.
upon the state, typically impose fines if its residing citizens have not been notified within 30 days of a breach where their PII/PHI data was exposed – if not encrypted.
Failure to comply may result in fines up to % revenue or
The conflict between business requirements, DevOps methods, and traditional InfoSec approaches
4
20m Euro €
A business is only as strong as the efficiency of its operating model. New applications that help generate additional revenue, or create internal efficiencies, are benefiting from the shortened time to deployment provided by DevOps processes. Yet, it also highlights conflicts between internal stakeholders: •
Business line owners want the applications out faster
•
Developers need the ability to iterate their work quicker with feedback from production environment testing
•
Ops teams responsible for the underlying platform and network are obliging, but InfoSec teams are often left out of the loop until several iterations of the application have been up and running long enough to give the development teams confidence in their design.
It is understandable why some may think that including security prior to final deployment could be a wasted effort, and more importantly, slow down development. However, even early iterations often need to be tested with production data, exposing one of the biggest problems with leaving security out of the planning and build process. To solve this, a school of thought to “shift left” has arisen, and at its core, it believes that application developers can secure their applications just enough for testing with simple vulnerability tools. In reality this is not enough – if an application touches critical data, it also needs advanced security functions, such as proper encryption. 6
Whitepaper ARIA SDS
Application Development Integration Test Fix InfoSec (Ops) Deploy (Ops) Waterfall Model Time DevelOps Model
PLAN
PLAN
OPERATE
BUILD
DEPLOY
OPERATE
PLAN
BUILD
OPERATE
DEPLOY
Prototype
Test with Production Data
1st Iteration of App
PLAN
OPERATE
BUILD
DEPLOY
DEPLOY
2nd Iteration of App
DevOps Model shrinks application timeline and removes InfoSec from early planning discussions. Ultimately creating a barrier to production testing and application deployment.
BUILD
Production App
InfoSec
Yet, very few developers are security experts, nor should they be expected to be. Thus, forcing application developers to learn, in depth, how to implement, iterate, and debug sophisticated security functions would add significant time and effort – running counter to the entire DevOps process and pushing out expected delivery timelines. Additionally, requiring developers to incorporate security features into applications could potentially add significant complexity to their coding approach, as it requires skill sets that are not widely available. The result is delays or an inferior product that will need more iterations to perfect, or both. The DevOps model further makes the entire process much more complicated in two significant ways: 1. Not only do applications need to be secured, but they also need to be secured no matter where they
PLAN
BUILD
OPERATE
Iterative Development
reside – on-premise, in a public cloud, or in a hybrid environment. The data these applications access also
DEPLOY
Application developers lack tools and skills to secure applications during phase.
TEST
needs to be secured no matter where it is stored, how it is being accessed through the network (east-west or north-south), and how it is being used, processed, and
Security considerations are generally not part of the early stages of DevOps models, which contributes to increased vulnerabilities and new risks.
then stored. 2. Also, consider that InfoSec teams are often separate from other lines of business and may only have limited influence over development strategies. 7
Whitepaper ARIA SDS
Without direct up front involvement, InfoSec may have to resort to playing catch-up to discover, monitor, and secure applications well after they’re deployed. Securing applications and data after the fact is a real concern; quite often the only way to apply the appropriate security policies is to shut down the application, which can have a negative impact on the entire business.
Valid security concerns All of these security concerns are well founded and real examples can be pointed to. Take, for example, the deployment of millions of connected cars with no thought of proper security or industrial process and IoT applications that have had to be pulled back to properly secure. In the case of the Equifax breach, many experts believe that it can be attributed to a single overlooked patch on one open-source application. The process should have been simple – install the patch to secure the data accessed by a chain of vulnerable applications, and there would be no data loss. Instead Equifax threw resources at it – literally 172 highly trained InfoSec members on staff – but without the right tools, the odds were against them, and they made the crucial mistake that the underlying data was not properly secured. These examples prove the rule: a single misstep can be disastrous. Like the saying suggests, a chain is only as strong as its weakest link, and in the case of DevOps, any exposure of critical data could lead to a breach – or even the downfall of the entire company. All of this points to the growing need for a simple solution to enable “Secure DevOps”, an approach that provides a best-of-both worlds enables agile software development in a way that results in secure, compliant business solutions deployed with a foolproof methodology.
So what does effective security look like? If the ultimate goal is enterprise-wide and end-to-end protection of critical data – no matter where it’s used or resides – organizations need to take a much more proactive and automated approach. For example, trends such as virtualization and the proliferation of containers now make security efforts much more challenging, so 8
Whitepaper ARIA SDS
InfoSec teams must do all they can to secure and encrypt critical data at the source (e.g., private data centers, public clouds, or hybrid mixes of on-premise and public cloud deployments). All of this is required to help balance the need to maintain security policies and data protection within a traditional IT infrastructure with the desire for more agile, flexible DevOps practices. This balance has been hard, if not impossible, to achieve – until now.
Organizations need a simple, yet cost-effective solution for enterprise-wide security that meets the following goals: Has no negative impact on business operations and ideally reduces time to secure application deployment. Provides a complete security approach to not only protect east-west and north-south traffic, but also secure all the packet-level data at rest, in motion, and in use. Can be easily deployed in any environment, including private networks and data centers, public clouds, or hybrid environments, and dosen’t require any significant infrastructure changes. Gives developers the tools they need to easily, and quickly secure applications during development without changing the normal development approach, thus ensuring the security of production-level data. Allows the operations team, in particular the InfoSec Ops team, to independently set policies as applications appear and to quickly adapt such rules to application deployment and usage. Programmatically applies the organization’s appropriate security policies to the applications, servers, virtualized machines, cloud instances and containers as they grow and scale. 1010 0110
Offloads core-intensive security functions to allow for such features to run in legacy server environments without application performance issues.
CSPI’s ARIA SDS Platform: A first of its kind enterprise-wide security CSPi’s ARIA Software-Defined Security (SDS) platform is the only security technology that can help companies achieve uncompromised security, enterprise-wide, by protecting applications and making critical data unusable if a breach occurs. At the same time, ARIA brings balance to the need for rapid application development and the necessity to maintain the consistent application of security policies and data security within a traditional IT infrastructure. 9
Whitepaper ARIA SDS
This new security approach essentially enables today’s organizations to truly achieve Secure DevOps with a simple reliable toolset and process. ARIA automatically and uniformly applies the appropriate micro- segmentation and encryption policies – by application, device, or data type accessed anywhere, under any use, and at any time. Additionally, ARIA secures containerized and virtualized deployments as they spawn to automatically to protect the applications, as well as the data they use and produce. ARIA can also properly protect data, often PII in nature, on an application-byapplication basis, using per-tenant encryption. Additionally, it also efficiently allows for selective traffic flows, or copies thereof, to be sent to IDS, DLP, sandboxes or to data recorders, such as our Myricom® nVoy Series InfoSec
solution for detecting breaches of PII/PHI and for forensic analysis when breaches occur. This is critical for verification of encryption of records to ensure PII regulatory compliance and avoid fines.
ARIA
The ARIA SDS platform uses patented technology to execute
Dev
Ops
security services in any environment (public cloud, on-premises, private data center, or hybrid environment). It is comprised of software instances (SDSIs) that can be deployed as agents within containers or VMs as applications are built and provisioned.
ARIA supports the varying business needs in a DevOps model while protecting data enterprise-wide.
These agents can be deployed with routines that include security functions such as encryption algorithms and the engines that run them. Developers can follow very simple steps to connect the SDSi security functions within their applications to enable them to secure the data they access and process. The ARIA SDSIs can also perform services that have no impact on development, including micro-segmentation, policy-triggered flow redirect, flow copying, selective flow blocking, and a variety of value-added functions. All of these services can be configured and provisioned externally by operations or InfoSec teams manually or in fully automated fashion upon application activation. These SDSIs beacon out to and are discovered by the ARIA Orchestrator to enable the fully autonomous detection and configuration of the appropriate protection functions provided by ARIA.
10
Whitepaper ARIA SDS
How it works This approach allows developers to import the ARIA SDSi instances as agents into their applications, and where desired, to use simple connectors to access the desired security services to run within the agents. Once active, these instances beacon out to the ARIA Orchestrator, which can then provision each security feature by profile, by-hand, or programmatically, to preset polices. This allows the InfoSec team to immediately learn of new applications, verify their images to avoid introducing vulnerabilities into the production environment, and make important decisions such as: •
What the applications can connect to
•
How and with what types of security features such as east-west VPN
•
What levels of AES encryption should be used for accessing and replacing data in storage
Policies can be preprogramed so that select east-west communication application flows will be redirected to an application firewall, DLP, or IDS/IPS instance. They can also be duplicated and sent to sandboxes or packet capture recorder devices, such as our Myricom nVoy packet recorder, for advanced security service monitoring, automated breach identification, and verification that if a breach occurs that critical data has been properly encrypted. Security policies can be provisioned on SDSi instances running in any compute infrastructure, which includes public cloud instances and private severs – in bare metal, VMs, or container deployments. As a result, the ARIA platform allows security features and controlling policies to be deployed uniformly end-to-end across any mixed domain. Enterprise Data Center
CSPI’s ARIA Software-Defined Security solution presents a new security approach to overcome previous challenges and deliver true “Secure DevOps.”
Public Cloud
Premises NSX
C EC2
SIA VM VM VM VM
SIA
C APP1
Symmetric encrypted VPN Path
APP2
Highly Encrypted Data-at-Rest Path SOS Orchestrator 11
Whitepaper ARIA SDS
Improving server performance and security Some advanced security functions, including encryption, key management and tokenization, are server core-intensive, and many installed servers will not have enough performance to run existing applications in addition to these security functions without adding additional CPU processing cores. To avoid forcing a wholesale server upgrade, the ARIA SDS platform seamlessly interfaces with CSPi’s Myricom ARC Series Secure Intelligent Adapter (SIA) to offload specified security functions, such as encryption services as well as packet filtering, select packet stream duplication, and packet stream redirecting functions. The benefits are that encryption can be run at line rates completely offloaded from the server cores – allowing optimal application operation. As with any other network adapter, the ARC SIA inserts into a server’s PCIe slots and provides services within or between containers or VMs on the same device, or throughout the network to remote containers or VMs. The SIA also provides 1/10/25G multi-port NIC functionality, allowing such servers to run at higher rates across the network. Security policies are provisioned directly on the adapter in the same manner as they are on the SDSi instances by the ARIA Orchestrator – allowing for seamless end-to-end security policy to be deployed across cloud and legacy environments without constraint. Secure encryption engine and key cache functions available on the Myricom ARC SIA: 1. Securely receive and store keys within its own hardware based trust zone. 2. Keys are used locally - within its own cores to perform the crypto functions vs. openly on the host. 3. Per application and/or per tenant encryption - at the appropriate level of protection. 4. Support for open encryption models and standards including AWS and KMIP based services 5. Locally house Key Management Functions (KMS) to serve keys as required, as noted in Function 1
12
Whitepaper ARIA SDS
The ARC SIA secures the data by not only storing the keys, but also executing them locally. If the server is breached, the keys are out of harms’ way, preventing a hacker from reading in use keys. This avoids a critical vulnerability with most software encryption applications that run on the server: once on the server, an attacker has the ability to access the keys in use, and once the attacker has the keys, they can use them to access this application’s data on any device they have hacked into – enterprise-wide. The SIA approach provides the ultimate in the security of critical applications: 1. Executes crypto functions within storage arrays at line rates without forcing upgrades to the array CPU, allowing faster and safer data transfer. 2. Works within any application server to perform crypto applications securely with high performance. 3. Works with standard KMS servers and can host these functions within the SIA for secure local use. 4. FIPs version available that hardens all such functions from tampering. The ARC SIA can also run third-party applications, such as KMS, firewalls, DLP, and others, using the adapter processor cores, thereby off-loading the overloaded server CPU cores and leverage its memory the same way they would on an X86 server. The benefit is they no longer compete for the cores in the resident host.
Network Driven Security For organizations that have invested in a VMWare NSX architecture, ARIA can be deployed within it, allowing it to leverage NSX’s ability to access specific traffic flows between any VM, intra-server, or inter-server, to map them through an ARIA instance and take advantage of security features provided by the ARIA platform. NSX installations leveraging ARIA can experience a ten-fold improvement in application performance by offloading key security functions, such as encryption and key management, from the server to the SIA.
13
Whitepaper ARIA SDS
As described earlier, the SIA can provide security services VM-to-VM on the same device, or out through the network to remote VMs as directed by NSX. ARIA further allows security policies to be enforced beyond NSX domains into containerized/ other DevOps worlds in the public as well as private cloud infrastructures.
The CSPi ARIA SDS Platform Benefits •
Visibility and provisioning of a wide range of security policies across virtual environments in public and/or private clouds.
•
Simple drop-in and connection of ARIA SDSi agents within containers and applications as development steps that allow developers a simple consistent way to roll in security capabilities with little effort or knowledge and no need to preconfigure.
•
Secure DevOps with ARIA Easy Application Security
The ability for InfoSec teams to come in after development and run auto-discovery of the ARIA instances to provision any new applications with the appropriate security features.
•
101 01101
The redirecting of certain traffic flows cost-effectively to centralized advanced security functions such as those provided by, application
Imprenetable Data Protection Automatic Policy Application
firewalls, IDS/IPS, DLP, or the Myricom nVoy series for automated breach identification and proof that critical data has been properly encrypted to meet regulatory notification deadlines and avoid fines. •
Offloading of core-intensive services, like encryption, to an intelligent Myricom ARC Series SIA – handling up to 50Gbps line rate.
•
Breach-proof server applications by performing key storage and execution encryption safely off server, so that keys are not exposed if the server is breached.
•
Deployment within NSX environments – allowing it to transparently map network flows to ARIA security services.
•
Ability to deploy the Myricom ARC SIA in public cloud-dedicated host servers as well as in private data centers.
14
Whitepaper ARIA SDS
•
Ten-fold cost reduction in deploying crypto services by offloading server cores and avoiding server upgrades.
As a result, CSPi’s ARIA solution provides the critical functionality needed to fully secure a DevOps environment, to simplify how application developers and InfoSec teams focus on their responsibilities and activities.
Comprehensive security solutions. Complete business results. To overcome security challenges and provide a more effective approach, today’s companies require efficient and effective security solutions, capable of protecting their most critical data and allowing for the rapid scale, deployment, and management of their business data – no matter where it travels or resides. CSPi’s ARIA solution delivers on this potential, while also giving developers and InfoSec team members a proven way to achieve Secure DevOps and all of its related benefits.
To learn more about ARIA, or how CSPi is changing the way today’s leaders manage security, please visit our website at www.cspi.com.
About CSPi CSPi (NASDAQ: CSPi) is a global technology innovator driven by a long history of business ingenuity and technical expertise. A market leader since 1968, we are committed to helping our customers meet the demanding performance, availability, and security requirements of their complex network, applications and services that drive success. CSPi Corporate Headquarters 175 Cabot Street - Suite 210 Lowell, MA 01854
CSPi High Performance Products
CSPi Technology Solutions
800.325.3110 (US & Canada)
800.940.1111
[email protected]
[email protected] [email protected]
800.325.3110 (US & Canada)
www.linkedin.com/company/csp-inc
@ThisIsCSPi
[email protected]
www.cspi.com
All companies and logos mentioned herein may be trademarks and/or registered trademarks of their respective companies.
15
Related Documents
How To Secure Devops
August 2019 22
Devops Kkk.pdf
December 2019 12
Quick Guide To Secure Communication
May 2020 11
How To
April 2020 47
