Cloud Concepts and IT Security: A Contradiction?
Ralf Sydekum
Manager Systems Engineering DACH
| © F5 NETWORKS2
What is your stance on cloud security?
A - Very important, and it needs more attention than security in the data center
B - The cloud provider takes care of that, I don't have to do anything
C - Oh man, with security in the cloud the ROI doesn't work out
D - Our security policies in the data center must also apply in the cloud
Applications Are the Most Valuable Asset of the Modern Enterprise
Physical Capital: Carnegie, Rockefeller, Ford
Human Capital: McKinsey & Company, IBM
Application Capital: Uber, Starbucks, Nike
The number of applications is booming
2018: 250M
2020: 1.7B
Challenge: Applications are a Source of Enterprise Risk
New architectures
Distributed deployments
Expanding threat surface area
Inadequate visibility
0% of customers can report the number of applications in their portfolio with confidence
86% of all cyber-threats target applications and application identities
85% of app workload instances are container-based, growing to 95% by 2021
87% of customers are adopting multi-cloud
Cloud Migration Strategies for Digital Transformation
RETIRE (decommission)
RETAIN (revisit)
REHOST (lift-and-shift)
REPLATFORM (lift-tinker-and-shift)
REPURCHASE (shop-and-drop)
REFACTOR (rewrite/decouple)
Application Architecture: Traditional monolithic | Microservices
L2-L3 Networking: Switching and routing | SDN
ADC & Security Policies: IT tickets | Automation
Operational Control: NetOps and SecOps | AppDev and DevOps
Choose the Best Cloud for the Application
47%: Type of application
42%: Determined by IT
44%: Case by case, per application
44%: Type of end user of the application
Different apps – Different needs – Driving hybrid / Multi-cloud strategy
Source: State Of Application Services Report, F5 Networks, January 2019
LEAD TO MULTI-CLOUD SPRAWL
• Different feature sets
• Different APIs
• Preventing easy app migration and portability
• Falling short on security and regulatory compliance
Native App Services
Native app services in public clouds
Domain specific app services in private clouds
MUSIC STREAMING SERVICES
• Playlist to customise user experience
• Incompatible playlist implementation
• Playlist migration impossible, lock-in
A Simple Analogy
Domain specific playlists making migration difficult
MULTI-CLOUD APP SERVICES CONSISTENCY
• Unified and consistent application services
• Application migration and portability
• Best-of-breed ADC and application security
F5 App Services
F5 app services consistency across all clouds
Application Services Portfolio
F5 Multi-Cloud Application Services
Client
Application Services
On-premises Private cloud Public cloud Co-located SaaS Containers
SaaS
Protecting Applications in Multi-Cloud Architecture
MOVING TO A PERIMETER-LESS SECURITY MODEL
Traditional network-based perimeter security
Zero-trust and per-app security
Data Sanitisation
98.6M bots observed
52% of Internet traffic is bot related, 30% of which are bad
Over 50% web app breaches involve the usage of bots
The Business Impact of Bad Bots
$$$
Polluted business analytics
Cannot assess business trends
Paying for void traffic in cloud
Intellectual property gets stolen
Losing reputation over automated transactions (sneaker bots)
Unified Bot Protection
Monetisation analytics
WAF
Anti Bot
Mobile
Intelligence feeds
Programmability
Protecting APIs Monetisation
API growth is immense
Monetising APIs is being adopted by all industries
APIs are subject to the same attacks as traditional applications
The Business Impact of an Unsecured API
• Impact to API = Immediate revenue loss
• Failure to meet regulations has a huge cost penalty
  − PCI, PSD2, GDPR…
• 3rd-party endpoints and mobile devices cannot be managed
$$$
Unified API Protection
• Bot Protection
• Advanced WAF (OWASP and Conviction)
• Behavioural DoS protection with TLS fingerprinting
• Intelligence feeds
• Identity and access management
• Enforcement of schema and OpenAPI
{API} {API}
WAF
Innovation Through Decryption
80% of outbound traffic is encrypted
100% of incoming traffic is encrypted in modern enterprises
100% of malware exploits are via encrypted traffic
Move from this...
• Overloaded with encryption sprawl
• Performance hit with encryption
• Low ranking on search engines
• Challenge evaluating new solutions easily
  − Cannot be achieved without breaking the network
  − 2 to 3 security solutions evaluated per year
Outbound Inbound
... to this: SSL Orchestrator
Freedom to evaluate and innovate
One place to manage encryption
Reuse legacy and reduce footprint
Dynamic chaining based on criteria
Outbound Inbound
The Zero Trust Access
Single point of control for identities
Federated access
Control the perimeter
Zero Trust for a Multi-Cloud Perimeter
AuthN/Z
Access Proxy
Contextual Access
WAF
Access Proxy
Contextual Access
WAF
Your Business Challenges – Our Solution
Help me with zero trust
Visibility everywhere
Traditional Deployment of Application Services
NetOps
SecOps
IT tickets
Deploying and managing application services
Request deployment and monitoring of application services
VIPRION or BIG-IP
app
Slow time-to-market and problem resolution leading to frustration with app teams
AppDev
Business Agility with App-centric Management
RETAIN
REHOST
REPLATFORM
GUI and dashboards
Preparing application services templates
Select and monitor application services via self-service portal
app
app
app
Faster time-to-market, increased deployment cadence, quicker problem resolution
NetOps
SecOps AppDev
DevOps
App-centric Management with BIG-IQ
VIPRION or BIG-IP
BIG-IQ
Per-app visibility and analytics
App Services Catalogue
SecOps, NetOps, AppDev, DevOps
F5 Automation Toolchain
AS3 (Application services): Deploy app services on BIG-IP using declarative REST APIs
CLOUD TEMPLATES (Start BIG-IP Instances): Public and private clouds
TS (Telemetry Streaming): Export of BIG-IP events and statistics to external analytics platforms
DO (Declarative Onboarding): Initial config of BIG-IP instances
F5 API SERVICES GATEWAY
https://github.com/f5networks
48 repositories
Digital Transformation made simpler & safer with F5
RETAIN
REHOST
REPLATFORM
REFACTOR
MODERN APP
Licensing models
Application services
Eco-Systems
Migration
Deployment & consumption models