Cloud Security for Life Science R&D
slideshare.net/chris_dag chris@bioteam.net @chris_dag
Not an expert. Not a pundit.
Just a cynical practitioner (with a view inside many organizations …)
Today’s Debate Question:
Heartbleed, Russian hackers, Target, HomeDepot, and iCloud breaches - Have the recent high visibility cases of intrusions and data theft altered your plans to move to the cloud?
My Answer:
Nope. Not really.
Why
My $.02 on why I don’t see major cloud roadmap changes
‣ Same Threat: Heartbleed? Hackers? Malware? Social Engineering? We face these threats in ANY environment (local / cloud)
‣ Abandon Hope: If the adversary is a state actor or backed by sovereign nation resources YOU WILL BE COMPROMISED. Location is irrelevant at this threat level
‣ Get Over Yourself: IaaS providers run at exa-scale in one of the most hostile environments imaginable. I trust their engineering and operational controls/rigor more than your local stuff (And I’ve seen your local stuff …)
‣ Additional Capability: Some cloud environments offer security related capabilities that would be impractical or impossible to deploy in-house
‣ Hard; Not Impossible: The building blocks exist and keep getting better. The design patterns and best practices are coalescing
Get Over Yourself
Engineering and Operational Rigor
‣ Warning flags go off in my head whenever I see IT staff demanding security controls that they themselves have been unable to deploy within their own tiny empires. Is that politics, fear or empire preservation that I’m smelling?
‣ 100% virtual and “software defined everything” is a huge advantage when it comes to inventory management, automation, configuration management and systems orchestration – Advantage: cloud provider
‣ I feel comfortable stating that the large IaaS providers have better, broader and more comprehensive security engineering, operational controls, event logging, incident response and configuration management than the rest of us mere mortals who operate at a MUCH smaller scale
‣ Let’s talk about Heartbleed as an example …
Additional Capability
Can you do this in-house across your global R&D infrastructure?
“Software defined EVERYTHING” offers advantages
AWS IAM
‣ Ultra fine-grained identity management and role-based access control
‣ Can link or federate IAM IDs to Active Directory etc.
‣ Individual credentials per user, team, application, workflow, pipeline or collaboration
‣ Incredible control over what each credential set is allowed to see / do
AWS CloudTrail
‣ Systemic audit log of every API access call made across your global cloud footprint
‣ Every user, every device, every IP address, every location across the globe
‣ Delivered directly to your log analytics or incident management platform of choice (even off-site)
AWS VPC
‣ Software defined subnets allow for role-based logical segmentation
‣ Software defined routing rules and policies control traffic within and between subnets
‣ Software defined ACL and network egress/ingress rules can be applied to VPCs, subnets and even individual services
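The IAM column is where "individual credentials per pipeline" gets its teeth: a credential is only as narrow as the policy behind it. The following is an added example, not from the deck and not BioTeam's code. It is a small Python evaluator for the core IAM decision order (an explicit Deny on any matching statement wins, otherwise any matching Allow grants, otherwise implicit deny) run against a constructed policy for one RNA-seq pipeline's credential set. The bucket names, the run prefix and the list of attempted requests are assumptions; Condition, NotAction/NotResource, resource policies, permission boundaries and SCPs are deliberately not modelled and are rejected rather than silently ignored.

```python
import fnmatch
import json

# Constructed policy for one pipeline's credential set. Bucket names and
# the run prefix are assumptions for this example, not from the deck.
PIPELINE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "ReadRawInputs",
     "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-rnaseq-raw",
                  "arn:aws:s3:::example-rnaseq-raw/*"]},
    {"Sid": "WriteOwnRunOnly",
     "Effect": "Allow",
     "Action": "s3:*",
     "Resource": "arn:aws:s3:::example-rnaseq-results/run-42/*"},
    {"Sid": "NeverDelete",
     "Effect": "Deny",
     "Action": ["s3:DeleteObject", "s3:DeleteObjectVersion"],
     "Resource": "*"}
  ]
}
""")


def _as_list(value):
    """IAM accepts a single string or a list in Action/Resource."""
    return value if isinstance(value, list) else [value]


def _matches(pattern: str, value: str, fold_case: bool) -> bool:
    """Wildcard match with IAM's '*' and '?'. Action names compare
    case-insensitively; ARNs compare as written. fnmatchcase keeps the
    match OS-independent ('[' would start a character class, which ARNs
    do not contain in practice)."""
    if fold_case:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def evaluate(policy: dict, action: str, resource: str) -> str:
    """Decide one request against one identity-based policy.

    Explicit Deny on any matching statement wins; otherwise any matching
    Allow grants; otherwise the request is implicitly denied.
    """
    allowed = False
    for stmt in policy["Statement"]:
        for unsupported in ("Condition", "NotAction", "NotResource", "Principal"):
            if unsupported in stmt:
                raise NotImplementedError(f"{stmt.get('Sid')}: {unsupported} not modelled")
        action_hit = any(_matches(p, action, True) for p in _as_list(stmt["Action"]))
        resource_hit = any(_matches(p, resource, False) for p in _as_list(stmt["Resource"]))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return "DENY"            # explicit deny: nothing later can override it
        allowed = True               # keep scanning: a later Deny may still apply
    return "ALLOW" if allowed else "DENY"


def decision_table(policy: dict, requests: list) -> list:
    """Evaluate a batch of (action, resource) pairs. Kept next to the
    policy, this doubles as a regression test whenever the policy is edited."""
    return [(a, r, evaluate(policy, a, r)) for a, r in requests]


if __name__ == "__main__":
    # Constructed requests the pipeline (or a scientist holding its keys)
    # might attempt.
    attempts = [
        ("s3:GetObject", "arn:aws:s3:::example-rnaseq-raw/sample1.fastq.gz"),
        ("s3:PutObject", "arn:aws:s3:::example-rnaseq-results/run-42/counts.tsv"),
        ("s3:PutObject", "arn:aws:s3:::example-rnaseq-results/run-43/counts.tsv"),
        ("s3:DeleteObject", "arn:aws:s3:::example-rnaseq-results/run-42/counts.tsv"),
        ("s3:PutObject", "arn:aws:s3:::example-rnaseq-raw/sample1.fastq.gz"),
        ("iam:CreateUser", "*"),
    ]
    for action, resource, verdict in decision_table(PIPELINE_POLICY, attempts):
        print(f"{verdict:5} {action:18} {resource}")
```

The point of the `NeverDelete` statement is visible in the fourth request: the `s3:*` Allow on the run prefix would otherwise permit deletes, and a leaked pipeline key could wipe results. The explicit Deny wins regardless of how the Allow is widened later, which is the property you want when scientists, not IT, are editing the Allow side.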
Hard. Not impossible.
‣ The beauty of IaaS cloud platforms is that they provide the basic building blocks that we then assemble into architectures that perform useful functions
‣ Of course, this means that much of the responsibility for security falls on our shoulders. Can’t blame the provider if we screw up badly enough …
‣ Running securely on IaaS platforms is largely a function of starting with the proper building blocks and gluing them together with proper monitoring, logging, configuration control and operational oversight
‣ Huge risk: Cloud access barrier is so low that we need to watch out for “scientists with departmental credit cards” doing stupid/unsafe things.
  • The role of IT will change. Instead of being the gatekeepers our new role is going to evolve towards being responsible for cloud architectures and “best practices”. The scientists will control (W)hat, (W)here and (H)ow large
We have the technology …
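"Gluing them together with proper monitoring" means somebody actually reads the CloudTrail feed for the things a departmental-credit-card deployment tends to do. The following is an added example, not from the deck and not BioTeam's code: a Python triage pass over a constructed, trimmed CloudTrail log file in the delivered `{"Records": [...]}` shape. It flags root-account API use, IAM calls that change privileges, calls that stop or alter the trail itself, security groups opened to the whole internet, console logins without MFA, and API calls from outside a trusted network. The trusted network, user names, group IDs, timestamps and the chosen event lists are assumptions; the record fields used (userIdentity, eventSource, eventName, sourceIPAddress, requestParameters, additionalEventData) are the ones CloudTrail delivers.

```python
import ipaddress
import json

# Networks your R&D users and pipelines are expected to call AWS from.
# An assumption for this example (RFC 5737 documentation range).
TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# IAM calls that change who can do what in the account.
IAM_PRIVILEGE_EVENTS = {
    "CreateUser", "CreateAccessKey", "CreateLoginProfile", "AddUserToGroup",
    "AttachUserPolicy", "AttachGroupPolicy", "AttachRolePolicy",
    "PutUserPolicy", "PutGroupPolicy", "PutRolePolicy", "UpdateAssumeRolePolicy",
}
# Calls that blind the audit trail itself.
TRAIL_TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}

# Constructed, trimmed CloudTrail records in the shape of a delivered log
# file ({"Records": [...]}). Users, IPs and group IDs are invented.
SAMPLE_LOG = json.loads("""
{"Records": [
 {"eventTime": "2014-10-01T13:05:11Z", "eventSource": "s3.amazonaws.com",
  "eventName": "GetObject", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.40",
  "userIdentity": {"type": "IAMUser", "userName": "rnaseq-pipeline"}},
 {"eventTime": "2014-10-01T13:07:42Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "AuthorizeSecurityGroupIngress", "awsRegion": "us-east-1",
  "sourceIPAddress": "198.51.100.7",
  "userIdentity": {"type": "IAMUser", "userName": "jdoe"},
  "requestParameters": {"groupId": "sg-0a1b2c3d", "ipPermissions": {"items": [
     {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
      "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
 {"eventTime": "2014-10-01T13:09:03Z", "eventSource": "iam.amazonaws.com",
  "eventName": "CreateAccessKey", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.40",
  "userIdentity": {"type": "Root"}},
 {"eventTime": "2014-10-01T13:11:30Z", "eventSource": "signin.amazonaws.com",
  "eventName": "ConsoleLogin", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
  "userIdentity": {"type": "IAMUser", "userName": "jdoe"},
  "additionalEventData": {"MFAUsed": "No"}},
 {"eventTime": "2014-10-01T13:12:00Z", "eventSource": "cloudtrail.amazonaws.com",
  "eventName": "StopLogging", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
  "userIdentity": {"type": "IAMUser", "userName": "jdoe"}}
]}
""")


def from_trusted_network(source: str) -> bool:
    """sourceIPAddress is not always an IP: calls an AWS service makes on
    your behalf carry a DNS-style name such as 'ec2.amazonaws.com'. Treat
    those as trusted instead of crashing the triage run on them."""
    try:
        addr = ipaddress.ip_address(source)
    except ValueError:
        return True
    return any(addr in net for net in TRUSTED_NETWORKS)


def world_open_rules(params: dict):
    """Yield (protocol, fromPort, toPort) for ingress entries that admit
    the whole internet over IPv4 or IPv6."""
    for perm in params.get("ipPermissions", {}).get("items", []):
        ranges = (perm.get("ipRanges", {}).get("items", [])
                  + perm.get("ipv6Ranges", {}).get("items", []))
        cidrs = {r.get("cidrIp") or r.get("cidrIpv6") for r in ranges}
        if cidrs & {"0.0.0.0/0", "::/0"}:
            yield perm.get("ipProtocol"), perm.get("fromPort"), perm.get("toPort")


def triage(record: dict) -> list:
    """Return (severity, rule, detail) findings for one CloudTrail record."""
    ident = record["userIdentity"]
    actor = ident.get("userName", ident["type"])
    name, src = record["eventName"], record.get("sourceIPAddress", "")
    findings = []
    if ident["type"] == "Root":
        findings.append(("HIGH", "root-account-use", f"root called {name}"))
    if record["eventSource"] == "iam.amazonaws.com" and name in IAM_PRIVILEGE_EVENTS:
        findings.append(("MEDIUM", "iam-privilege-change", f"{actor} called {name}"))
    if record["eventSource"] == "cloudtrail.amazonaws.com" and name in TRAIL_TAMPER_EVENTS:
        findings.append(("HIGH", "audit-trail-tampering", f"{actor} called {name}"))
    if name == "AuthorizeSecurityGroupIngress":
        params = record.get("requestParameters", {})
        for proto, lo, hi in world_open_rules(params):
            findings.append(("HIGH", "world-open-ingress",
                             f"{actor} opened {params.get('groupId')} {proto}/{lo}-{hi} to the world"))
    if name == "ConsoleLogin" and record.get("additionalEventData", {}).get("MFAUsed") == "No":
        findings.append(("MEDIUM", "console-login-without-mfa", f"{actor} from {src}"))
    if not from_trusted_network(src):
        findings.append(("LOW", "untrusted-source-ip", f"{actor} called {name} from {src}"))
    return findings


def triage_log(log: dict) -> list:
    """Triage every record in a delivered log file, worst first."""
    rank = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}
    out = [{"time": rec["eventTime"], "severity": sev, "rule": rule, "detail": detail}
           for rec in log["Records"] for sev, rule, detail in triage(rec)]
    return sorted(out, key=lambda f: (rank[f["severity"]], f["time"]))


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f['severity']:6} {f['time']} {f['rule']:26} {f['detail']}")
```

Two design points worth copying into a real pipeline: the trail-tampering rule matters because `StopLogging` is the first thing an intruder (or a cost-conscious scientist) does, and the lowest-severity "untrusted source IP" rule is what turns the "every user, every IP, every location" claim into a usable signal, since a pipeline key used from a coffee-shop address is the leak indicator you can act on the same day.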
IaaS Cloud Sobriety
‣ Any oaf can sell virtual servers and block storage and call it a “cloud”
‣ A real IaaS environment for secure R&D requires far more building blocks
‣ Quite a few outfits are just slapping marketing lipstick on top of OpenStack or VMware and excreting hype-filled press releases
‣ In 2014 I generally only work with 2 providers:
  • Amazon Web Services: By far the largest set of building blocks and still the best environment for undifferentiated / flexible scientific computing environments. Nobody comes close when it comes to the breadth and depth of service offerings
  • Google: Less “general purpose” than Amazon but still the Real Deal. There are significant and compelling engineering, performance, pricing, capability and service offerings that can be very very attractive for R&D and informatics use cases