Secure Your Enterprise Apps!
A journey in automating application security and deploying policy control in a cloud world
Scott Ryan – Global Technical Solution Architect, @saryan210
BRKCLD-2431 #CLUS

Agenda
• The Changing Landscape and Security Threats
• The Journey to Automating Policy to Securely Deploy Applications and Services
• Application and Service Deployment Rationalization
• Operational Shifts “People, Process, and Tools”
• Securing the Application Development Lifecycle
• Automating Policy to Securely Deploy Applications and Services
• Conclusion

#CLUS BRKCLD-2431 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public

Cisco Webex Teams
Questions? Use Cisco Webex Teams to chat with the speaker after the session.
How
1 Find this session in the Cisco Live Mobile App
2 Click “Join the Discussion”
3 Install Webex Teams or go directly to the team space
4 Enter messages/questions in the team space
Webex Teams will be moderated by the speaker until June 16, 2019. cs.co/ciscolivebot#BRKCLD-2431

Security Threats and Changing Landscape

The Changing Landscape
[Diagram: the layers Devices / Users, Network, Applications, Storage and Compute, with the shifts affecting them: Anywhere / Anything, Identity-as-a-Service, Unmanaged IoT Devices, As-a-Service Model, Software Defined, As-Code, Applications Anywhere, Secure SDLC, Cloud Native & Microservice Architecture, Data Protection, Regulations (GDPR), Data Virtualization, Storage-as-a-Service, Serverless Compute, Containers]
Cost of Data Breaches
• Average total cost of a data breach: $3.86M
• Average cost per lost or stolen record: $148
• The mean time to identify (MTTI) was 197 days
• The mean time to contain (MTTC) was 69 days
• Average cost of a breach with automation: $2.88M
• Without automation, estimated cost is $4.43M
• $1.55M net difference

Application Security Trends
• Application Vulnerabilities: Serious application security vulnerabilities continue to increase at a rate that makes remediation nearly impossible.
• Microservices Vulnerabilities: More vulnerabilities per line of code than traditional applications.
• Reusable Software Vulnerabilities: 70% of applications are comprised of reusable software (3rd party, Open Source) that inherits these vulnerabilities.
• Mobile Applications Vulnerabilities: 85% of mobile apps violated one or more of the OWASP Mobile Top 10.
• Embed Security Testing: Embed security within the SDLC process with monitoring to achieve significantly better application security and compliance.
Reference: “2018 Application Security Statistics Report”

Top Application Security Challenges
• Manual and complex identity and access management for users/devices and applications from anywhere
• Limited realtime visibility, monitoring, and enforcement consistency
• Mapping business policy to application deployment policy
• Not all applications are equal: “Cloud Enabled vs. Cloud Native”
• Lack of automated security testing and of embedding security into the Application Development Lifecycle
• Changing the operational organization, process, and culture
Journey to Securing Enterprise Applications in a Cloud World

Current State
• Manual and complex identity and access management for users/devices and applications from anywhere
• Limited security visibility, monitoring, and enforcement consistency
• Automating security into the Application Development Lifecycle
• Mapping business policy to application deployment security policy
• Not all applications require the same security: “Cloud Enabled vs. Cloud Native”
• Complex SecOps and NetOps process and culture

Future State
• Deploy segmentation and automate identity and access control
• Automate realtime visibility and monitoring tools into the Application Development Lifecycle
• Automate security enforcement into the Application Development Lifecycle
• Integrate ITSM tools to automate business policy into security enforcement policies
• Deploy the proper security architecture and enforcement for your cloud applications
• Align your operational process, people and tools to provide the agility and security needed to support a DevOps and SecDevOps environment for cloud applications

The Journey to the Future State
The beginning of the journey is different for many:
• Static
• Scripting/Templates
• Automation
• Orchestration
• Intent / Policy

The Journey to the Future State: Benefits and Drivers
• Increase agility to deploy applications while increasing security and compliance
• Driving consistency in securing applications deployed anywhere and accessed from anywhere
• Securing enterprise cloud applications with an intent driven process and architecture
The Journey
[Diagram: Align your Organizations and Culture; Automate Visibility and Monitoring Tools; Application & Services Deployment Rationalization; Automate Segmentation; Automate Policy Enforcement; Automate Identity and Access Control; Deploy consistent Application & Security Architectures]

The Journey to the Future State: How do you get there!!!
• Simplify
• Rationalization
• Define Classification
• Define Policy
• Define Policy Enforcement
• Automate within the Deployment Lifecycle
• Align Organization and Culture to an Intent Based process and architecture

Application and Service Deployment Rationalization

Application and Service Deployment Options
[Diagram: As-a-Service, Multicloud, Cloud Enabled, Cloud Native; deployment locations: Data Center, Edge, Branch, Enterprise, IOT, Mobile Office, Campus]

Cloud Enabled vs. Cloud Native Application Architecture
[Diagram: the “Cloud Enabled” monolith takes HTTP into a Presentation Layer, then a Service tier, then Database Access; the “Cloud Native” microservice design takes HTTP into an API Gateway, which reaches the individual services over RPC, HTTP and AMQP; Policy Enforcement is shown for both]

Automating Application and Service Lifecycle for NetOps and SecOps
SecDevOps Approach: Continuous Integration and Delivery Pipeline (CI/CD)
Build → Deploy → Operate
Pipeline stages: Design, Code, Unit Test, Commit/Merge, Component Integration Test, Deploy, E2E Test, Acceptance Test, Sanity Test, TLP
Security stages embedded alongside them: Secure Design, Secure Coding, Security Test Case, Secure Pipeline, Security Sanity Tests, Vulnerability Check, Security Integration Tests, Secure Solution Tests, Security Deploy
DevOps + Security Model = SecDevOps
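The deck's pipeline embeds a Vulnerability Check stage next to Deploy and asks for business policy to be mapped onto application deployment policy. The following is an added example, not code from the BRKCLD-2431 deck or from Cisco, of what such a gate looks like as policy-as-code: the application's classification (exposure and cloud-enabled vs. cloud-native) selects a severity threshold, reusable third-party components get their own threshold, and an unclassified application or a malformed scanner record fails closed. The scanner record format, the classification fields, the threshold values and the sample findings are all constructed for the illustration.

```python
"""Policy-as-code deployment gate.

Added illustration, not code from the BRKCLD-2431 deck or from Cisco.
The scanner record format, the application classification fields and the
severity thresholds are all hypothetical and constructed for the example.
"""
from dataclasses import dataclass, field

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Business policy expressed as code, keyed by (exposure, classification).
# "block_at" is the lowest severity that fails the gate for first-party code;
# "third_party_block_at" applies to reusable (3rd party / open source)
# components, which inherit their vulnerabilities. Thresholds are constructed.
POLICY = {
    ("internet", "cloud-native"):  {"block_at": "high", "third_party_block_at": "medium"},
    ("internet", "cloud-enabled"): {"block_at": "high", "third_party_block_at": "high"},
    ("internal", "cloud-native"):  {"block_at": "critical", "third_party_block_at": "high"},
    ("internal", "cloud-enabled"): {"block_at": "critical", "third_party_block_at": "critical"},
}
STRICTEST = ("internet", "cloud-native")


@dataclass
class GateDecision:
    allowed: bool = True
    blocking: list = field(default_factory=list)  # findings that fail the gate
    warnings: list = field(default_factory=list)  # findings below the threshold


def select_policy(exposure, classification):
    """Map an application's classification to its enforcement policy.
    An application that was never classified fails closed to the strictest policy."""
    return POLICY.get((exposure, classification), POLICY[STRICTEST])


def evaluate_gate(app, findings):
    """Decide whether a build may proceed past the Vulnerability Check stage."""
    policy = select_policy(app.get("exposure"), app.get("classification"))
    decision = GateDecision()
    for finding in findings:
        severity = str(finding.get("severity", "")).lower()
        if severity not in SEVERITY_RANK:
            # A malformed or unknown severity is treated as blocking so that a
            # bad scanner record cannot slip through the gate unnoticed.
            decision.blocking.append({**finding, "reason": "unknown severity"})
            continue
        key = "third_party_block_at" if finding.get("third_party") else "block_at"
        threshold = policy[key]
        if SEVERITY_RANK[severity] >= SEVERITY_RANK[threshold]:
            decision.blocking.append({**finding, "reason": f"{severity} >= {threshold}"})
        else:
            decision.warnings.append(finding)
    decision.allowed = not decision.blocking
    return decision


# Constructed sample input: one internet-facing cloud-native service and three
# findings shaped the way a hypothetical SCA/SAST scanner might report them.
SAMPLE_APP = {"name": "orders-api", "exposure": "internet", "classification": "cloud-native"}
SAMPLE_FINDINGS = [
    {"id": "F-1", "component": "orders-api", "severity": "medium", "third_party": False},
    {"id": "F-2", "component": "example-http-lib", "severity": "medium", "third_party": True},
    {"id": "F-3", "component": "orders-api", "severity": "high", "third_party": False},
]


def main():
    decision = evaluate_gate(SAMPLE_APP, SAMPLE_FINDINGS)
    verdict = "ALLOW" if decision.allowed else "BLOCK"
    print(f"{SAMPLE_APP['name']}: {verdict}")
    for f in decision.blocking:
        print(f"  block  {f['id']} {f['component']}: {f['reason']}")
    for f in decision.warnings:
        print(f"  warn   {f['id']} {f['component']}: {f['severity']}")


if __name__ == "__main__":
    main()
```

Run stand-alone, the sample build is blocked by F-2 (a medium finding in a third-party component, where the internet-facing cloud-native policy blocks at medium) and F-3 (a high first-party finding), while F-1 is only reported. The same three findings would pass an internal cloud-enabled application, which is the point of classifying first and deriving enforcement from the classification rather than applying one global threshold.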
Application and Service Deployment: Where?
[Diagram: Multicloud, Data Center, Edge, Branch, Enterprise, IOT, Mobile Office, Campus]

Application and Service Deployment: What?
• Secure Coding
• App Vulnerability Checking
• Segmentation
• Realtime Visibility and Analytics
• Identity and Access Control
(across Multicloud, Data Center, Edge, Branch, Enterprise, IOT, Mobile Office, Campus)

Application and Service Deployment: Policy Enforcement
[Diagram: Policy Enforcement across Multicloud, Data Center, Edge, Branch, Enterprise, IOT, Mobile Office, Campus]

Evolution of Security for SecOps and DevOps teams
• Identity and Access Control
• Segmentation
• Realtime Visibility and Analytics
• Application Vulnerability Checking
• Secure Coding and Programming

Operational Shifts “People, Process, and Tools”
Security is beyond architecture and technology: People, Process, Tools & Technology

People: Roles & Responsibility
• Business
• Development
• Operations
• Security
Innovation Acceleration and Individual Priorities
• Business: Speed to market while retaining brand trust and compliance
• Developers: Freedom to access the best platforms and tools for increased agility
• Operations Team: One consistent environment to eliminate silos and drive efficiency
• Security Team: Visibility and control across one hybrid environment without slowing innovation