Open Doors with Cloud Security Posture Management (CSPM)
Gain insights into the importance of being well-architected during the deployment process and how to quickly remediate risks by shifting best practice checks to the earliest phase of the CI/CD pipeline.
Transcript
Vance [00:00] And welcome to the Trend Micro session here at Cloud Architecture Summit. For this session, we have with us two terrific speakers: Aaron Ansari, Vice President of Cloud One, and Fernando Cardoso, a Solution Architect for Cloud One. So folks, welcome.
Aaron Ansari [00:16] Hey, Vance. Thanks. Good to be here.
Vance [00:18] Excellent, excellent. You know, we're glad to have Aaron and Fernando with us. Aaron, for his part, as Vice President of Cloud One Conformity, he's got a terrific amount of practical knowledge and experience, which will be on great display this morning. He's developed his skills to deliver tailored solutions to clients. And we're going to hear about a lot of the expertise he's gotten for use cases. In fact, prior to coming to Trend Micro he was at BMW Financial Services, where he was the Chief Security Architect overseeing development and application security policy standards and guidelines. And he further developed his AppSec portfolio in prior roles at JP Morgan, Cardinal Health and Huntington Bank. And for his part, Fernando brings more than a decade of experience working with cybersecurity. And prior to Trend Micro, he was working with the network engineering team and sales engineering with data centers, cloud DevOps and cybersecurity. So a lot of expertise here for today's session, which is entitled Open Doors with Cloud Security Posture Management. You know, a lot of the topics that we're looking at here at Cloud Architecture Summit will definitely rely on your ability to ensure security and integrity of access. So we're going to take a look at high velocity releases, how they lead to a fantastic boom in feature rich, up to date apps, but that can often, as we all know, introduce quality issues and even risk. So Fernando and Aaron are going to look at best practices to manage risk associated with infrastructure tied to high velocity app updates, and DevOps in particular. And we're also going to get a demo of this great technology from Trend Micro. So a lot going on for folks that are cloud native, as well as folks that are looking to modernize their hybrid applications environment.
Quick reminder, before I turn it over to Aaron and Fernando, we've got a great list of assets that are available right now, no registration required, including that big red button that will get you to the slide deck. So we recommend at your convenience during the session to take a look at the assets there and download at will, because they're all available for you. So with that, let me turn to you guys, tell us about Open Doors with Cloud Security Posture Management.
Aaron Ansari [02:19] Thanks, Vance. Great to be here and certainly proud to represent Trend at this conference. So certainly thankful. With cloud security posture management, I'll get into exactly what it is and what it means a little bit later in the presentation. But I want to kind of just back up a little bit and talk about why does this field even exist. And so if you think about what's been happening with the migration to cloud and the company's journey from on-prem to cloud, there's been quite a collection of differences and quite a collection of, I'll say, issues or opportunities, depending on how you look at it with that migration. And so Trend Micro, with tens of thousands of customers that we have, such a huge presence in the cloud, lots and lots of data that we're gathering, sanitized and safely, but lots of information and data that we're gathering from our technologies, as well as discussions and conversations with our customers. What we're seeing is a set of common issues. And what I mean by that is, regardless of what vertical you're in, regardless of where you are, there are certain issues that just happen time and time again. And so one of the things that we did was we took and we aggregated those out. And so what we're seeing time and time again, with organizations as they migrate their applications and workloads to the cloud, is issues with storage, problems with the way that they have their key infrastructure set up, incorrect login, too many permissions, identity and access management. And regardless of what you're doing and how you're doing it, we're seeing this just continuously. And so what we did was we actually took a lot of that data, and we created a report, that report's called the New Norm for 2020. It was actually released before 2020. I know we're kind of in summer already. But the good news is we got it right, right.
So we took all this data, we created this report, and we hit the nail on the head with what is going to happen in 2020, as it relates for security, software, application and network, those sort of things. And so you see we have increased attacks in the DevOps pipeline, serverless platforms. But what we're here to talk about today specifically is that misconfigurations will compound the risk in the cloud. And that's what we're going to hit on as we go through this presentation. So what we're seeing, as I mentioned earlier, is regardless of where your organization is, in relation to its migration to the cloud, and the reality is some parts of your business are likely at different stages, meaning some business units could be cloud native, or cloud first. And other business units could be cloud curious, you're going to have these opportunities or these issues as they relate to the configurations. And so what we've done is taken that data, we've taken that information, and we've added it on to the fact that the cloud providers are just providing more and more services and more and more complex ways to build out applications in their environments. And so when you overlap and combine those two, you get more complexity. You have many more companies making their migration towards the cloud. You have kind of that opportunity for those misconfigurations that we predicted back in November. And so there's this burgeoning field that's now come out of it. Of course, once Gartner gives it a name, it's kind of official. And in 2019, the name was given Cloud Security Posture Management. So you see the definition that's listed up here. But the point behind it is there's this need for the management, to use the definition with the term, of the configuration that you're doing and building out in your cloud environment. And if you step back, just kind of minor step back, you understand when you are working with your cloud provider that the onus is on you for certain things.
Sure, the cloud provider is there to give you a set of infrastructures, give you the hardware, give you the compute, those sorts of pieces, but there's a large burden that's put on you to ensure that your application is up to speed. To ensure that the operating system is patched correctly, to ensure that the identity and the secrets and all that sort of stuff is taken care of. That's not the cloud provider's duty. And so when that burden is put on you, and you're doing your migration in the cloud, and you've got this new set of technologies and this new field to work towards, there's a lot that you have to take care of. And so let's take a look back at the way that things used to be. And this isn't necessarily meant to be a walk down memory lane. But if you remember, you procure a server from Dell, or HP or get shipped to you, some team would come and rack and stack it, another group would come in and kind of harden it and work on the OS, the other group would go through and make certain that the security settings and those sorts of components were tested and approved correctly. Then we'd apply the middleware and certain pieces of architecture that needed to be applied there from a software perspective, database team would come in and configure and set up SQL or whatever database technology that's being utilized, application team would come in, and then kind of build the application. And then finally, you go for lunch. And that's a lot of different resources and a lot of different people and a lot of different teams that are responsible for that.
Aaron Ansari [07:09] That's gone away now. Now, the way that you're doing it with cloud is that it might even be a single person, that's going to one screen, taking that five week process and boiling it down to five minutes. And adding the storage and adding the database all with a click of a mouse and a button. And the opportunity to have these configurations and expertise that's gone with that becomes kind of glaring and becomes the misconfiguration. And so then you stack on the development that needs to happen there, you've got development teams that aren't security focused, that just simply want to build, build, build, quickly, quickly, quickly, velocity, high speed, stand-ups, Kanbans, and DevOps, all the way to make the velocity of the releases that they're doing as fast and as frequently as possible, you introduce many different opportunities for issues to happen. And so what ends up happening is you've got limited visibility, right? Because teams are all operating in different places, and kind of all over the board from a technology perspective, as well as from an enterprise, across your enterprise perspective. You've got the expertise that comes with the various different teams that are doing things. And when you have issues that are introduced early on, say you're using software defined infrastructure, infrastructure as code, and that template came from a download that somebody did off of GitHub or off of Stack Overflow. You've got issues that are all the way at the beginning of the genesis of your application and those compound, once you launch your application. So you've missed out on kind of that expertise and that visibility that comes with all those various teams that did it the old way. And so you've got issues that have to go with your containers, you've got issues that are tied with your storage, you've got issues that are tied with PKIs and keys not being rotated frequently. Does this ring a bell? Right?
These are the things that we saw in the very first slide, when we're talking about top misconfigurations within the cloud.
Aaron Ansari [08:58] And so what you need to do to move towards a better or more secure or more, I'll say, operational excellent posture, is to have some sort of central repository, a place that you can look at your monitoring of your entire cloud infrastructure. You've got to tie in some automated checks and compliance to work with that, because the cloud and the cloud architecture team can't be doing this all manually. You've got to overlay compliance on top of that to migrate to some standard, and it might not be a federal standard, but it could be a cloud posture standard like AWS Well-Architected Framework, or the tenets of great architecture from Azure. And you got to kind of build and migrate towards DevSecOps, S-E-C Ops there. And when you start doing that, when you start building things with near real time or real time visibility, you get to have that expertise. And you get to have that visibility that you're so missing in your environment. And that you can then overlay or align with one of the cloud provided frameworks to truly showcase that you're doing the best practices and to truly showcase that you are building that shared responsibility model correctly and taking it as seriously as possible as you build things out.
Aaron Ansari [10:09] So as I wrap up my portion of things here, I want you to understand, we've gone through this journey of misconfigurations, services, lack of expertise in certain places, old way of doing things, new way of doing things, velocity and release, we want to get to where you're putting the security into your DevOps. So you want to do things that are integrating security in a seamless way. So if you've got an integrated development environment, if you've got a ticketing system, you build in your security enhancements as the way that developers look at things now, bugs, you send them bugs, and they squash the bugs. You follow the process that's already been built, and you just integrate security into that process, and then it just takes care of and builds part of that way. And you get as early in the development process as possible. So you get onto those templates, you get to the infrastructure as code and you make security a part of that discussion. And you make the configuration a part of that discussion, which makes it the most secure and the most direct way of going about and mitigating this. And so this is actually my last slide. I'll pass the microphone over to Fernando to talk about this. But what I want to get at is kind of this is the summary, right? So you see everything kind of compounding into a lack of visibility, you see things compounding into environments that change and are so dynamic and drifting from standards. And there's this need for continuous compliance. So how do you get to where you're truly taking care of these things? Well, the answer comes in Fernando's part right here.
Fernando Cardoso [11:39] Thank you very much, Aaron. And thank you very much for being part of the Cloud Architecture Summit. One of the things that I would like to just come back from like Aaron's points, is when we talk about cloud operational excellence. Most of the time, the customers, they only look for the integrations in runtime and monitoring when you build things already. But one of the things that we want to bring to customers is like how you can use the APIs to really deliver the compliance visibility, security checks, before you start building those infrastructure. One of the things that I'll be showing here is this little lab with some of the integrations through the APIs. The first one is the IDE plugin directly into VS Code. Like a lot of developers and a lot of DevOps teams are using the VS Code for programming language, or to create your own CloudFormation or Terraform, or any other infrastructure as code. To other pieces like making integration direct in this CI tools. In my lab example, here, I'm using GitLab, but you could be using Jenkins, CircleCI, Travis CI, GitHub Actions, and so many other CI/CD technologies that you can make those integration in your pipeline. And the last piece is how you can bring that same visibility for the runtime and monitoring and create a full pipeline protection, like I mentioned before in these slides. Okay, let me just jump to the lab. What we have in this case here, it's like the VS Code where I'm creating a very, very simple CloudFormation with S3 buckets. And I want to just change this S3 bucket for the 2020, we are not in 2019 anymore. And I will give like a very simple example here, imagine you are creating your S3 buckets, and you want to scan this CloudFormation before you send to production environment. In my case, here, I have couple of issues that I could easily, oh, let me just save this file. Save this file. And let me create a scanning process for the template scanner.
This is a very good example of a CloudFormation template where we could easily create a scanning process directly in the IDE. Okay, I just change the version of this S3 buckets for 2020. I was using 2019. And I've saved this file. After I save this file, just want to scan the Cloud Conformity with the IDE plugin. If you see here, I could easily see a couple misconfiguration problems direct in the S3 buckets. With a very simple integration, very simple plugin in your IDE, you can get the same visibility before you create the infrastructure in AWS or Azure or GCP, for example. In my case, here, I'm trying to go to the S3 bucket and I have a high risk problem associated with S3 buckets. I have a medium problem with logging that's not enabled, server side encryption, and a couple other things. If I go back to my CloudFormation, and I just do a little fix, let me just, wrote a very good example here, just adding like a side encryption to my bucket. When I do this specifically change, you can see that we have a high level of vulnerability, right? If I do a new scan after save this S3 bucket, you will be able to see that we removed this high level, was basically an easy way to help developers to see how they can fix those problems. Just looking for the issues. Plus we have a knowledge base that if you click on this link, it will automatically bring you to our knowledge base in Cloud Conformity. We have the steps by steps how to fix and how to solve those problems. Okay, we finished this base of the IDE. Let me push this to production basically. Okay, new version S3. Yes, push this, and they will automatically send it to GitLab. Like I mentioned here before, the first piece, we just saw that with the IDE integration, right now we will be looking for the GitLab integration with the APIs.
Fernando Cardoso [16:24] Here, you'll be able to see, like, for example, the pipeline is running. And if we click in this pipeline, they have two major stages, any other pipeline that the company would probably have like 10, or 15 different stages, my environment here is just two simple stages. The first one, let's do a scanning process in my CloudFormation template. In my case, here, I'm just looking for high level vulnerabilities. Because I remove the high level vulnerability with information in the IDE, I don't have more high level vulnerabilities in the CloudFormation. And this is why they pass and they give you the information as a job success. But if I have any specific problem with over high risk of vulnerability, they will automatically stop that in my pipeline here in GitLab or any other CI technology. Right now, where they are doing, they are creating S3 buckets in my cloud environment. Let's finish here a little bit. And we will be able to see them in AWS environment this S3 buckets being created. Okay, right now, they just finish the job success to create a S3 buckets. And if we go to my S3 buckets, let me just set the date here. So the new version, and it would be able to see the IDN webinar 2020. They just created S3 buckets. But remember, when we did the scan, we found couple issues associated with this specific bucket. If we go right now to our Conformity and we open the environment, you will be able to see that we have IDN webinar 2020 that was just created by me. And they have some specific problems with like a medium of vulnerabilities. And a couple other things. This is before. This is like couple issues that we saw before in the IDE plugin. The good point about this, is like you are not just seeing the vulnerabilities in the IDE or in the CI but you are also looking for real time change in your cloud infrastructure.
Fernando Cardoso [19:02] Now, if we move a little bit forward, there's a couple other activities that customers are doing through the APIs. They're creating your own dashboards using our APIs. Getting that information using a simple container to bring those data and pushing those data to like Elasticsearch and reference systems to create your own dashboards. This is a good example that to show you guys right now. Because we are API driven first, everything that you see in our console you can do through the APIs. And you also can get all the details about the security events and security findings associated with the compliance piece. Here is a little bit information about the dashboard that you can build using our APIs. This is one example of customers using our APIs to create their own dashboards and create what would be the best way for them to see and bring visibility to their teams. But this is a very good example showing how many success, how many fails, how many suppressed checks they have, how many AWS Well-Architected Frameworks they have failed based in the AWS Well-Architected Framework report.
Fernando Cardoso [20:19] Here, it's like a full or one shot visibility across multiple compliance checks like AWS Well-Architected, NIST, SOC 2, ISO 27001, PCI, HIPAA, and so many others. And if you go a little bit more down, you'd be able to see it, how many fails or how many misconfigurations, basically, in every single compliance standards, and how many misconfiguration based on service like EC2, IAM, EBS, VPC, and so many other service. This is a very good example how you can use the API's information to create whatever you want, or whatever automation you need, and whatever visibility you need for your DevOps teams or cloud architect teams. I just want to say thank you very much. And I hope this session has helped you a lot in how to create a better cloud security strategy for your infrastructure as a code pipelines, and how you can monitor any specific misconfigurations in the cloud infrastructure. Thank you very much, everybody.
Vance [21:28] Fernando, Aaron, thank you very much for a great look at a very vexing problem, I think for a lot of cloud professionals, whether they be the architecture level or even just that the deliver the app faster level. I think that whole issue of secure and getting that more streamlined and visible, holds up a lot of great ideas. So thank you very much for a great session.
Aaron Ansari [21:47] You're welcome. Very glad to be here. Thank you.
Fernando Cardoso [21:51] Yeah, you're very welcome. Thank you so much.
Vance [21:54] Aaron, Fernando. You really bring up a lot of great implementation issues, a lot of secret sauce and automation. And we're going to get to those in a minute. But just at the top level, you both mentioned the issues of security misconfiguration. And I think the big question is, how do you start? Do you look at your infrastructure or your policy or your app? Or how do you get your brain around what to do next?
Aaron Ansari [22:16] That's a great question. And the recommendation and the advice that we give is kind of first, that assessment. Getting an understanding of where you think your development and your pipeline is being built out, is the first step or milestone. And then getting that checked or vetted, either via technology or by some partner or a third party, is probably the next step to go to. Odds are though, when a third party or somebody else comes in to do the assessment with you or with the work that you're doing. They're going to be using a cloud posture technology just like ours, because we power many of those. Fernando, I think you had some other advice as part of it, too.
Fernando Cardoso [22:54] Yeah, for sure. One of the fun facts when we talk about misconfiguration, and I was reading an article from Gartner, they mentioned about 99% of the companies in 2023, they will be having specifically problems with misconfiguration because the failing process that they have with development, and DevOps and pipelines. And they mentioned like in 2024 80% of those problems will be fixed by using CSPM technology. This shows how the CSPM technology will become the new normal for companies to start looking for misconfigurations in the cloud, but not just to detect them in the runtime environment or in production environments, but moving a little bit like a shift to left, and detecting those specifically problems with the infrastructure as a code in the IDE, in the CI/CD pipelines, and also in the production environment. When you have this fully visibility of your infrastructure. It's the way how becomes to make much easier than compliance and how to follow specific frameworks like AWS Well-Architected or Azure Well-Architected Framework too.
Vance [24:10] Wow, excellent, excellent. You know, you may know that we've got a lot of different job titles here at the Cloud Architecture Summit. We've certainly got the folks that care about security, they day and night. But we've also got the architect and the apps folks and even some general IT operations people. So let me just give you an opportunity here. So many different technologies and features you talked about with Trend Micro Cloud One, talk about some of the specific tools that you're finding are becoming most useful to the customers you have now. And how Cloud One has integrated them together into a much more seamless or intelligent way to deal with these issues.
Fernando Cardoso [24:46] That is a very good question. And one of the main points about the Cloud One platform, it's not just protecting one little piece of your high level strategy of hybrid cloud environments. Our goal with the Cloud One platform, it is protecting, from your physical server that you have in your data center, and to your Lambda functions that you have in AWS or in Azure or GCP. It is like how we can bring to the market to help companies to migrate or to do the cloud integration or cloud native usage of applications in the cloud with a single security platform. And that's our main goal and how we are removing the frictions between the security teams and DevOps. Also, we are doing a lot of automations. And trying to help cybersecurity teams between builds in more with developers and cloud architects too.
Vance [25:43] You both mentioned DevOps and this transition or pivot to DevSecOps. This is certainly top of mind. This is a question. We've had difficulty in getting from DevOps to DevSecOps, how is Trend Micro helping integrate security into our processes?
Aaron Ansari [26:00] As I mentioned, weaving it in to the process that exists today is one of the most delicate but one of the best things if you can get it right. There are a couple ways to do it. There are some operational things you have to do. There are teams that you have to get to know there's processes that you have to get to understand. There are some technology things that you have to do or technological things that you have to do. You got to understand ticketing systems, work queues, development environments, all that sort of stuff. But when you start to speak security in the way that developers speak, they're developing. And you start to overlay security findings with the way that the developers developed by bugs and feature requests and enhancements and those sorts of things. That's probably the number one success that we've seen our customers do is utilizing their ticketing systems, making the security requests be enhancements or bugs or patches, and leveraging the relationships between the teams.
Fernando Cardoso [26:57] I really believe the companies they should be helping the cybersecurity teams to understand more about development, programming language, scripting, and all those types of things. Because when the cybersecurity starting understanding those type of conversations, it will be much, much easier for them to be included in the DevOps discussions or new applications and all those types of things. It is just like the way how DevOps works, the new culture that they're bringing to companies. I think cybersecurity teams should be involved in this new culture, and starting learning those technologies to help them to ease automate security and how to add a security before in the early stage of the development of the new applications.
Vance [27:47] You know this is an excellent conversation so far guys. Let's go to the demo again this time let's talk about automation, you know, Fernando, you showed and talked about the idea that you can do some automation to shut down vulnerabilities in an app pipeline, talk a little bit more about that. But also, how do the customers set those rules up? Are there triggers or configuration screens? What is the best way for a user to set them up? Or do they come pre-set in Cloud One?
Fernando Cardoso [28:14] Basically, the sample that they gave here is like a simple plugin that you can go to the marketplace in the VS Code and just download to the Cloud One Conformity. And by default, we use the full profile, but you could use a specific profile, imagine for example your company has a NIST request or AWS Well-Architected, or CIS benchmark and all those type of standards. But you could select those profiles and run against those profiles to find the misconfiguration facing under those standards. While we are looking this specific piece like a misconfiguration in the cloud infrastructure as a code. But we have inside the Cloud One so many other technologies like container security where we can scan the container image before they go to production environment in the Kubernetes clusters. Or for example application security where you can add a security framework library inside your web application and when you deploy that in production, we will be able to monitor it for any specific web attacks. That's one of the ideas of like shifting left, and helping more in the development process.
Vance [29:26] Wow, that is a great list. Thanks, Fernando, for that. You know, I think time is just about up, but one other quick question, and you both in some way or another mentioned this idea about the cloud platforms AWS, Google, Azure, they're always changing, always adding some things. And this I thought was really kind of an important question, it asks, does Trend Micro continuously update Cloud One or our installation so we're always compatible with our public cloud updates?
Aaron Ansari [29:54] So yes, the answer is the software is continually being developed across the multiple components of its platform, to be as up to date as possible. Keeping in mind that the cloud providers and the services are being released at a dizzying rate, we pull and use our customers' data to get in their thinking of what's most important to them, and update those products' capabilities and features first.
Vance [30:21] Oh fantastic. Well, you know, this has been a great session and I think it really has put a lot of light into how automation and visibility can really help people get from that DevOps area they might be into a truly DevSecOps, that's more in real time of the way applications get built these days. But I wonder if you could suggest the best ways for folks to go forward with Trend Micro? Whether there's a free-trial or some other one on one demos that people could take or what your best next step is for attendees?
Aaron Ansari [30:50] The answer is both. So, we have a proof of concept available for free for you to try out. As well as some one-on-one meetings that we've got to walk our attendees through to showcase the best components of the platform. And the beauty of it is, some customers won't need each component, some customers will need all of them. So we can kind of select and piece out the best features for each customer.
Vance [31:14] Fantastic, fantastic. Aaron Ansari and Fernando Cardoso at Trend Micro, thanks very much for a great session. Really good look at Cloud One and how it's helping people move from DevOps to DevSecOps. It's been fantastic having you here and it was great to get such great extra info on the Q&A, appreciated your time.
Aaron Ansari [31:33] You're welcome thank you.
Fernando Cardoso [31:34] Thank you.
Vance [31:35] Oh, our pleasure, for sure guys. And just quick reminder we get these great links right underneath including the link to the free trial and some other ways to engage with Trend Micro Cloud One right now here in the breakout room along with some terrific downloads and PDFs, and other sort of guides to give you a better look at just the rich offerings that are going on Cloud One and how companies are using it. And also we didn't have room for everything that's going on in the Cloud One if you could tell by the session this morning so here's a slide that will take you to some other great resources directly from the Trend Micro website, you download the slides here from Aaron and Fernando and all these links will be live. Thanks again everyone.