Secure Journey to the Cloud (1140)

Captions
Hello everybody, hi, good afternoon, and thank you for coming today. Um, I hope everybody's had a good conference so far? Yes? Okay, great, I've had a great time too. Well, thank you. My name is Mecca himeko, I'm part of Accenture's security, and today we are bringing you this presentation. Well, actually it's going to be just a discussion, just to talk about, you know, the cloud, our journey to the cloud and how we can do that securely. So today I'm joined by my colleague here, who will introduce himself shortly, but I consider myself a cyber security consultant as well as a networking and infrastructure practitioner. I've been with Accenture for 13 years and I do a lot of security work, so pleasure to be here today. And I'm joined by Dan. Do you want to introduce yourself?

Good afternoon as well, thank you guys for joining this session. I hope it is interesting and informative. We're gonna try to interweave a bunch of client examples and anecdotes from some of our experiences to allow you to hear about some of the lessons learned that we've had over the course of time. So those are things that you might be able to take away and either repeat when they're good or not repeat when they're bad. But by way of introduction, I've been with Accenture for about 20 years, I look after our cloud security practice globally, and I've done a bunch of deployments across all the three major hyperscalers, so happy to share some of those learnings with you today.

Yeah, I think, why don't you have some questions at the end, we'll keep trying for questions, so feel free to, you know, should have some questions to me too. Okay, so we thought about just, again, walking us through what the journey to the cloud looks like. Accenture, we've been doing cloud work, a lot of cloud migrations, for quite a while now, and so we thought that we should make sure that our security practitioners know how we do that securely, make sure that security is part of the whole journey for our clients, and so we
actually started looking at where we've been over the past few years. So I was listening to the keynote today and I heard the guy from ABN AMRO, he talked about their journey, right, how they started doing, you know, waterfall and then moved into agile and are now looking to do DevOps. And so, you know, if you guys remember the whole journey, right, some decades back we started with the mainframe and our shared libraries, and, you know, trying to scale that was a little bit difficult, right. But we started moving into the physical hosts and started looking more into how do we make that even more scalable as well as cost-effective, and then started looking into this era of the cloud. And so here we are with the cloud, with the virtual machines, you know, looking into more of using microservices to bring our business services to market faster, and applications, and so even from there looking into the future of how we can use more of the services from the cloud around, like, serverless or, you know, your event-driven architectures. So that's kind of where we are now. You know, how do we move, we've got to the cloud, how do we enable that securely, and then how do we move to make sure we're using the cloud optimally and cost-effectively?

Yeah, and I think one thing I'll just plug in there is, I think the journey to cloud is very much like a lot of the other technological progressions that we've seen over the course of time, and what I mean by that is security hasn't necessarily been integrated into what we're doing as a part of cloud migrations natively, right, so by default. And I think we've seen evidence of that in terms of how the CSPs have security services, so native security services, to market, so those are certainly done post some of the business and functional services. So it's almost like we're gonna make sure we don't repeat the same mistakes that we've made over the course of some of the trends that Necas mentioned just now, and I think we'll look at
some of the ways to ensure that we're doing that properly.

So in addition, I mean, 94% of enterprises are, or have a cloud strategy, right, using the cloud right now. So let me take a quick poll, three questions. So the first is, who here works for an organization, or owns one, which is currently not using the cloud, has no workloads running in the cloud, not intending to use a cloud, and just zero cloud? Anybody? Okay, one person, interesting. And then, okay, so who here is kind of in the middle, you've started to use the cloud or you have a cloud strategy or you have some workloads out there, maybe you have a combination of on-prem too, but you are definitely using the cloud for some of your workloads, IaaS, PaaS, SaaS? Okay, great, I think most people in, of those hands, how many have production workloads in the cloud? Okay, good majority of them, good. Okay, anybody here that is all cloud first, like all cloud and nothing else, everything is in the cloud? A couple of hands, that's awesome. So I think one thing we blend for Accenture is that our clients are at various levels of the cloud. It's not really a matter of when it, well, if, it's when, and how do they do that securely. So hopefully today's discussion will help you see how we approach that from our point of view. But yeah, a couple of, I think this shows pretty well that lots of people are thinking about the cloud, but in addition to that, enterprises want to adopt a cloud but we've seen that security is the key challenge for them. So there was a poll taken, and yes, most of them said that security was the number one thing that was top of mind for the C-suite.

Security, privacy, compliance, when you look at the polls over the course of time, it's been the number one or number two inhibitor associated with moving to the cloud. And, you know, one of the things that I found is that a lot of times the business wants to move and security practitioners aren't educated on what needs to be done in the cloud, so, you know, the business gets frustrated, the
business wants to move fast, the business wants to release new products and take things to market, and security is saying, well, you know, we think you should have X, Y and Z, which may or may not even relate to what, you know, the business is trying to do. So I think there's a disconnect between security and kind of the core foundation knowledge level that's required for security to be successful. So there's a bit of a mindset shift that has to happen as a part of this. As security practitioners we need to go on that journey with the business.

All right, hopefully that's resonating. I'm it's yesterday talked about, at his keynotes he talked about the shared responsibility, and, you know, I was glad he mentioned that because that's kind of what creates all these gaps, like our clients not really understanding what is their responsibility as opposed to what's the public cloud provider's responsibility. So we've seen that a lot of that cause these gaps that we're seeing driving the metrics here.

And what I've seen is clients usually have one of two perspectives. They either say, oh, we're moving to the cloud, the provider tells us that the cloud is secure, we don't have to do anything, right, and so obviously as soon as you put something on top of what the provider provides you, it is no longer their responsibility and in all likelihood it is no longer secure. Or kind of the other end of that trust spectrum is, nothing is secure, we don't trust the provider, we want to understand how we can implement controls so that in case there's a provider hypervisor vulnerability or something, we're gonna have protections to compensate for things that the provider might fail. So it almost seems like there's people at opposite ends, very few people in the middle, but I think as folks mature they start to understand that this is a joint effort from a security standpoint.

Yep, and you talked about joint effort, so we've looked at some considerations for the cloud
for security. So a couple of things here. Obviously as we move to the cloud there's a lot more attack surface expanded, a lot more vectors, a lot more complexities we're dealing with, so how do you tackle all that, right, how do you make sure that you're all secure end to end? And obviously that also, so cloud will be driving your digital transformation, cloud is basically driving all your intelligent platforms, so how do you make sure that there's no security issues with that and our ability things that will throw you out into the news shortly? So those are some key considerations. We also see that DevOps is a big one, right, the DevOps people are not quite talking to the security people, and so DevSecOps is a big discussion point right now, just how to integrate and make sure we're all communicating together, the security people are talking to the business owners as well, so the people that own the applications, and the users, and educating the users. So lots of considerations here.

Yeah, no, I think one of the complicating factors is when you look at the volume of cloud services that are released. And so a lot of security shops start this process and they say, okay, there are these core AWS, Azure, Google services that we want to use, and those should be requirements driven from the business, right, so application or business units want to do analytics in a cloud and so therefore we need this set of services, say, on Google. I think what you'll find is that security orgs want to have the controls for those services performed up front and then have some sort of validation that those controls stay in place and are operating as intended, a pretty common kind of perspective. The thing that we've seen over and over again is that core set of services, as soon as they start using those, there's adjacent services to all of those that they want to start using, and so then that expands the set of services that are in scope for security to have some sort of perspective on how to
use securely. And what we find is that there's a pretty big gap in terms of the ability for security organizations to scale to meet those kind of service introduction demands. And so, you know, one of the things that we'll talk about in here, as Neca mentioned in terms of DevOps, is how do you start to automate some of that security so that as you're deploying services you've got the right guardrails in place to at least have a degree of confidence that you're preventing, you know, inadvertent vulnerabilities or misconfigurations from exposing, you know, your data, your clients' data, etc.

And also we saw in the previous slide the multi-cloud strategy, so that makes it more complex. So 86%, I think we showed, of the enterprises are considering a multi-cloud, so that means there's a combination of, you know, the cloud providers, it could also be a combination of on-prem, hybrid, as well as a public cloud, so how do you now provide that visibility across them? That's a key consideration. And also if you want to use, you know, you're using your SaaS, your IaaS, your PaaS, how do you provide a consistent security across all that? So that's a key consideration.

So I think when you start to look at how we've looked at controls in the past and how we need to look at controls as we move forward, historically we kind of batched up, you know, we need controls associated with the CISSP domains or some sort of AI sonís, some sort of security framework, right, and so these were things that we batched up linearly and deployed into environments or, you know, frankly, we bolted on afterwards in terms of the deployment lifecycle. And what we're seeing is that in order for this to be effective we need to have integration into that process. So we're deploying infrastructure as code, we should be deploying security as code alongside that infrastructure as code. And as we look at kind of the lifecycle of applications, the lifecycle of development, if everybody thinks
about their phone and the number of updates you get to applications as a part of your, you know, weekly run, it's happening on a continual basis, and so security needs to be embedded, have the same mindset, releasing security features or security capabilities or security controls in that same kind of cadence. And so it's definitely something that needs to change. I think the other thing is, as we look at some of the advancements and some of the capabilities that are offered by the service providers, you can get native integration for various security controls, whether it's identity or monitoring, things that you couldn't necessarily do as quickly using third-party products. So it's another benefit of basically taking advantage of the speed at which the CSPs are iterating on security services and introducing those into the market.

So if we take a step back and look at how this tends to materialize for clients, one of the things that we've seen be really successful within organizations is decomposing each of the different areas that a client needs to think about as a part of defining their security strategy. So Neca mentioned that a lot of clients are in a multi-cloud or have a multi-cloud strategy. I would argue that very few clients have an actual multi-cloud strategy, they just find themselves in a multi-cloud state. So the business has decided that they want to use Google for analytics, the corporate functions have decided that they want to use Azure for their .NET applications, their development org has decided they want to use AWS for all net new dev, and so you get into the security, of course the security organization is stuck kind of in the middle of that motion and they're trying to deal with all of these things and how they prioritize these things, and ultimately the hope is that you get to some sort of risk-based decision approach in terms of how you deal with these things. But as you look at these different considerations there are
likely things that are going to change as a part of the security organization's security philosophy. So you may have an organization that's heavy in data protection, really, you know, robust, mature capabilities around key management, encryption, obfuscation, all of that stuff. One of the things you may see change is that as you move things to the cloud those requirements may shift, whether by regulatory or just internal policy. And so an easy example of that is tokenization. So we've got clients that didn't have tokenization requirements on-premise, but in the case of one of our financial services clients, as they move any kind of critical financial data to the cloud they want to have that tokenized. And so then you start to look at what are the capabilities natively to be able to tokenize data, you know, will that service from AWS scale to be able to support the kind of requirements, the throughput, the file sizes, etc., that we need to process, or do we need to bring in a third-party product, and then from that third-party product, how are we going to integrate with that third-party product, how are we gonna expose those services to the business or app dev teams that are going to be using those services? So there's a bunch of considerations that probably change as you look at, you know, your risk posture in the vena the cloud versus what you had on-prem.

So I guess the next step, as a part of, once you've decomposed, prioritized these things, figured out where your focus is, maybe identified some investment areas, you know, you start to look at how you reassemble this. And this is a little bit of an eye chart, but it's something that I kind of want to drive home, this is one of the anchor points for a lot of our clients that have been successful in this journey. And so the cloud security reference architecture is something that we've developed over a bunch of different patterns, and so this is kind of a representative sample of them. We've got it for infrastructure as a service, for PaaS and
for SaaS. There's obviously things that are out of scope as you move up that stack, but the other main point here is you really have to get CSP, so you have to get cloud provider specific, in order to be successful. So as you move left to right we've got the general cloud security reference architecture, we've got the public version, then we've got the ones for each of the three major CSPs, there's others for Oracle, etc. But if you take the AWS reference architecture, drive one more step down into the technical instantiation, so how are we actually going to use these services, and once you start looking at that you start to see, oh, so wait a minute, there's a difference in terms of the feature set that I get from AWS, the feature set that I get from Google, the feature set that I get from Microsoft, the robustness of the data that you get from each of those services is different. So as you look at this, this will help to inform the strategy that you started out with on the previous slide and figuring out what those use cases are, and then to the, you know, three or four levels down, how you're gonna actually implement those, how do you get to the outcomes that you want from a security requirement standpoint based on either native services, and we'll look at an exploded version of the AWS one in just a minute, but where do you need to plug in or augment with third-party products perhaps, right. And so the example I mentioned before in terms of data protection, as you look at AWS KMS or CloudHSM, if you're looking at Azure Key Vault and how you're gonna, you know, architect something for application owners to use, or GCP KMS, right, is that something that you're gonna duplicate those controls each time you deploy something in one of those cloud environments, or do you abstract that a level and say, all right, I'm gonna do data protection through this third-party tool and it's going to apply to each of these clouds, so I've got one place to define the policy, I've got one
place to enforce that policy, or one place to make changes if I want to change how I'm gonna do data protection across each of those environments. And in all likelihood, unless you've got a really strong governance process, that's gonna work better than duplicating those, maintaining each of those kind of instances of that control. And that's only one control, right, same thing could be said for monitoring, same thing could be said for identity.

And even so, with the capabilities you've mentioned here, it's hard for our clients, right, because even having the skills to do that for one cloud, not to talk of, you know, we talked about multi-cloud, that's very challenging. So, you know, having this rest forever like a sec Cho's, I'm just, having the people to scale them, it's very difficult, you know.

Yeah, no, it's a great point. And one of the other kind of really significant things that having a reference architecture like this will do is it gives you some consistency, so every conversation that you have with the business, with dev teams, with operations teams is gonna have the same elements in that conversation. So you've got a common taxonomy, a common nomenclature in terms of how you're talking about this, and hopefully the idea is that that'll drive consistent results in terms of what you're getting from a security posture standpoint. So this is a bit of an exploded view of the AWS version of this, so it houses all of the native AWS security services aligned to kind of the domains within this reference architecture, and then there's a bunch of security considerations over to the right, and these will change depending on the security philosophy of the organization. So I mentioned before, you may have folks that are a super heavy identity shop, this identity box may, you know, be three times the size it is because they're focusing on, you know, dynamic secrets management, they're really focused on privileged user management and attestation and things like that. You may have
others that are really heavy monitoring and incident response shops, and they really focus on the detect and respond areas, and those may be exploded out just because that's where their skill set lies. It's a great way to kind of heat map an organization, to say, as we look at your readiness for cloud, you know, you've got some white space in terms of the things that you're able to do today, and as you look at transition operations, you know, either you don't have capacity to run your current security operations environment plus, you know, what's coming, and you start to look at the volume of telemetry and things that come from some chatty cloud services, and that can be a really significant uplift for a lot of security operations organizations. So, you know, we've done heat maps on this, we've done kind of maturity assessments using this, and it really helps a client to think, you know, methodically through what they need to do to be ready for what's coming. I think, you know, as a necklace my right your left left-hand side, and consider just the three hyperscalers, you have a set here for AWS, you'd have another set for GCP, you'd have another set for Azure, and then starting to pick and choose the native services you're going to use, and then you start to look at the maturity of the services. And so if I pick on Microsoft, sorry for any Microsoft folks in the room, but if I pick on Microsoft and you look at what you get from a feature standpoint from Azure Firewall, you know, is that gonna provide you parity with what you see on premise, if you've got, you know, Palo and you've got Panorama and you've got visibility to the nth degree and different capabilities from a malware detonation standpoint? And so, no, it's not going to. Is that something you're willing to give up from a speed or agility standpoint? That's probably a debate between, you know, the business, the app dev teams and the security teams.

So definitely we want you to use the native securities and use
them in the right way, but there's also understanding if that covers you completely and making sure that you can use it properly. And also if you're extending this to your on-prem data center, your public, your private cloud, how do you do that extension, right? First is a multi-cloud and then extending that to your on-prem cloud too. So those are key considerations too, especially if you're considering like a zero trust approach, and then you start to think of where does identity play, you know, how do you integrate with your apps and so on. So it can get complex, but this starts to help and, you know, shows you it's a spot from, I guess, yeah.

Yeah, I think the other, it's a great point, and when you start to look at, you know, private cloud, public cloud, you may have different security requirements depending on which of those environments you're talking about. And so then you're gonna get into discussions about, do I design for the low-water line for each of those environments and have different configurations depending on if I'm talking private or public, or do I define for kind of the high-water line and say I'm gonna have this consistent security across every environment, I don't care if it's private dev, if it's public test, it doesn't matter, this is where we at. And that obviously has probably some cost implications and some operational implications, but, you know, it does simplify to some degree the conversation and some of the controls that you'll be looking at.

So this one is just kind of another example. If we take, you know, network security as the use case for what we're trying to do, there's a bunch of things that you can layer natively. And if we talk about, you know, AWS again, for instance, from a DDoS standpoint it's one of those things that you kind of get by default from the providers, so if there's some sort of activity associated with your tenant and they're seeing, you know, high volumes in the terabit per second, terabyte per second type of
range, there's obviously an external attack going on. This is really, you know, click button. If you've got Shield Advanced, excuse me, it can help you both on inbound and outbound, so this could also be a means for identifying some sort of auto-scaling runaway process that you've got in your environment. So there are cost protections associated with some of these things as well that could be extremely useful. VPC isolation is another one, that's a very simple kind of button-click means for isolating apps, for isolating data, for isolating compute instances, can be super useful for levels of protection. And then native, you know, native WAF, so it provides kind of an exterior protection for applications that are either internally exposed or externally exposed. Network access control lists and security groups, I think when you use those two in conjunction you get a lot of the features of both stateful and stateless firewalls. There's complexities associated with really large-scale environments as you look at how do you manage policies across a really large and maybe diverse cloud estate, so definitely some heavy lift there if you find yourself in a really large-scale deployment. And then kind of these blue boxes ahead of or above the native services, we mentioned before there's gonna be gaps either in security requirements or security features that are gonna necessitate third-party products. So you may have some sort of, you know, external DDoS / content acceleration capability from the likes of Akamai or others, you may have some sort of network virtual appliance or firewall, you may have, you know, VM-Series from Palo in play, and then you may have other things like host-based firewalls, AV, voluntary monitoring and things that you have to have in place based on either regulations that apply to your organization or just internal kind of security risk tolerances. So just an example of if you took one of those boxes on the previous reference architecture
and then I blew it out to say these are places where we can use native services and these are places we're going to augment with third-party products.

I think we are preaching consolidation too, because with the whole complexity nobody wants to throw in an extra, you know, thing in their network. So the more you can consolidate or find a vendor that provides it all, the better for you. You use native security, but what do you augment with that, and can you get that from basically one source? I think you'd be better off that way. We also talked about, we had talked about using the microservices, the containers, serverless, so all those, you need to also consider how you can securely use them and if the native security is sufficient for you.

Yep, all definitely good points. I think the other interesting thing with regards to VPC isolation, when you start to talk about if there is a security event, right, from an incident response standpoint, do you have the mechanisms in place to contain kind of a blast radius associated with whatever threat is trying to, you know, perform bad things in your environment? So yeah, I think there's lots of really interesting elements associated with this. And Neca mentioned kind of multi-cloud. If we stick with this network example, if you think about Azure, so they had something called UDR, which is user-defined routing, so I could basically specify where the traffic was gonna flow between different VNets in that Azure subscription. For a long time AWS didn't have that, so we saw people basically creating transit VPCs, right, and then they would have a Palo VM-Series sit in there and they could do inspection of that traffic, so you could see east-west traffic. They've now rolled out things like transit gateways, right, and so basically how are these environments, the services evolving, how does that change your approach to securing those environments? You may not put a VM-Series in that transit VPC now, you may just happen at
the edge. So there's, you know, basically one of the points is there's so many changes, things are rapidly iterating from the CSP standpoint in terms of services and architectures that you can use, it's kind of a constant churn in terms of, you know, what is the right security architecture based on the available services.

All right, there's gonna be a quiz on this one later. No, so this is an eye chart, I apologize for that, but this is just a sample view of kind of the process and tooling approach to injecting security in a CI/CD pipeline, right. So there's a bunch of different places where you perform different security functions, whether it's code that you have developed that is sanctioned by security that you inject into the front end of this. So we mentioned guardrails before, and so, you know, there's a means for having like a security SDK, and you would release the security SDK to application development teams. This security SDK allows them to not have to worry about coding monitoring routines or identity routines, they can pull these things that security has sanctioned, that security has pretested, and ideally it shortens their development lifecycle, right, they'll have to worry about some of the functions that they traditionally had to develop. So the other places, you've got, you know, library scanning, you've got static code scanning. The one admonishment, the one warning I would give as a part of, you know, everybody talks about shifting left, and I would say blindly shifting left doesn't work. And the thing that we've seen over and over again is security organizations get so hyped up on shifting left that they start to introduce a ton of noise into the system, and the same way your SOC analysts get alert fatigue, your developers, who are not security practitioners, who get reports about their code start to get the same kind of fatigue, right. It's, security keeps pounding me with stuff because they're running static code scans on every code commit
that I do. You have to be really intelligent about where you start doing that and how you surface those findings. So if I'm doing static code scanning on commits in a sandbox or an innovation environment or something like that, does it make sense to really surface those and give those to developers? Do they care about it? Do we as security practitioners care about it? You know, maybe not. If those are isolated environments it's probably not worth shifting left there, right, you're just gonna introduce a lot of noise and a lot of angst into the system. Sure, for staging, for QA, for prod, clearly, definitely the right places to get visibility on anything that's vulnerable. I would say, you know, development, like late-stage development, and testing environments are the right place to shift left. Anything before that, you're probably shooting yourself in the foot.

So I think we'll just talk quickly about a specific client example. So there's a client that kind of spans health and financial services that we've been working with for a couple of years now, and we've gone on this journey with them. It started out as, they called us in to do a policy review, there was another consultancy that was in doing some work for them, they just kind of wanted a gut check. So we did that review, that review led us into some security pattern and security control evaluations just to make sure that kind of what was defined in policy was actually being implemented, and what we found is that it wasn't, and when it was, it was being done manually based on some like narrative documentation. So what we started to do was talk to this client about, you know, how do you automate the security guardrails as a part of service introduction. So they've got an AWS environment, they've got a Service Catalog in AWS where they release services to developers to trial, they have to be sanctioned by security. So what we did is we helped accelerate the security control integration into each of those services, so before a service
shows up in an AWS console or is exposed via API to their development shop we implemented you know threat and vulnerability management hooks we implemented security monitoring hooks we implemented identity basically principle of least privilege controls around each of the services that they release so I think at this point we've done 97 of the core AWS services that they're gonna use as a part of what's coming in the demand channel from from the business so they've got security from the start for all of those different services and then on the back end we've basically written AWS Config rules to do identification of deviations from that good known baseline and then there's means for invoking some Lambda functions to auto remediate any of the deviations so there's a way to do things right up front there's a way to actually control and understand any deviations from that and there's a way to implement auto remediation for those in kind of a single environment and that extended so we started out doing this in CloudFormation templates they've got a multi cloud strategy they want to extend this stuff to some of their Google usage so we converted those CFTs into Terraform and now we're basically you've got that same catalog for a slightly more generic set of controls that can be ported to you know Google to GCP that it was a tangent but that kind of spawned off into some cloud access security broker work so the likes of Prisma SaaS and how do they govern data that's leaving their premise and going into SaaS environments so data discovery looking at some of the controls around is the data protected adequately in those SaaS environments and then we extended that to AWS as a second check for their audit function and so what I mean by that is we have those security guardrails in place we've got Config looking at any deviations and we've got Lambda auto remediating and then we had basically the likes of RedLock ensuring that that configuration is is maintained from 
from an audit standpoint so they had kind of two different lenses that they viewed the same security control posture from this particular organization is in a post-breach settlement commitment state and so there's some really unique things that we had to figure out for them as a part of how they were gonna operate database activity monitoring was one it's a really challenging thing to do across different data services in in the cloud because it's not just databases where you've got a database engine you've got different data services that don't resemble the same kinds of data services you would get from you know an Oracle database or an another relational database and so what this forces us to do is how do you ingest different actions if I create a new DBA that's clearly a significant event based on that person's privileges so how do I alert and confirm or validate that that's an accurate action right and similarly if there's any sort of large data query or data export I need to make sure that that is aligned to some sort of intentional action otherwise there's potential for for some sort of malicious data exfiltration or data exposure similarly that tokenization you know the comment I made early on in the presentation where as this client moved to cloud previously they did not have a tokenization requirement as they moved to cloud that became a requirement so it was both mandated by some of their auditors and some of the post-breach agreements and then became internal policy so everything they push out has to have some sort of you know data tokenization filter applied to it we also did container security so this is a client that had deployed Twistlock this client hadn't done a great job deploying Twistlock and so we kind of came in to do a diagnostic identified a bunch of defender nodes that they had deployed that didn't have any container services running in the environment so obviously from a licensing standpoint Palo Alto might not like that very much but we 
identified areas where they had deployed those defender agents where there weren't container services and the reason for those to be running but there were also a bunch of features that they hadn't enabled one and then two all the output from Twistlock wasn't being processed by their security operations team and so there's clearly significant impact if they're not you know actioning some of the output from from the products and then finally kind of zooming out all the way we put ServiceNow automation around everything so their landing zone creation the security associated with kind of all of the things that I mentioned before account creation for innovation sandboxes for dev test prod staging so just kind of the the overarching automation to ensure that all of that security was deployed with those I think we'll skip through this one there's just you know there's a handful of stages that you go through that have different outputs and potential accelerators a couple of kind of takeaways a couple of key success criteria and we'll talk about another client example in a minute but I think getting your alignment with your policy controls and if I go back to the reference architecture diagram so that reference architecture should kind of sit in the middle of everything you do so upstream from that would be your standards or guidelines your policy and ultimately your cloud security strategy and then downstream from that reference architecture would be your use cases your design patterns and then the security automation or security code that you develop and provide to developers or that you use internally as a security org to make sure that you know what you said you're gonna do from use case sampling is actually implemented and that's where that whole SDK you bundle those security libraries into an SDK that you give to dev teams they're happy you're happy everybody wins the guardrails so I mentioned you know getting the right security in place if you understand what those 
use cases are developing those guardrails is very simple having consistency based on that security reference architecture make sure that all the components that you need are included in each of those guardrails visibility you know probably one of the biggest concerns in cloud not only from a cloud usage standpoint but what's going on within those environments and then concerns over if you're using PaaS services is the right security being applied to the underlying infrastructure etc it's not that tenant's concern but obviously as paranoid security practitioners we still kind of worry about that stuff and then automation I don't think we shared a stat about the number of unfilled you know security jobs and in the market forecasted to 2022 or something but it's it's an obscene number and so the way we break that headcount maaan is through automation so as much of the processes you can automate inject alongside you know the infrastructure as it's being deployed the fewer people you need to do the implementation the fewer people you need to manage it the fewer people you need to do the operations I think Nick has probably got some points on partnership because she always does yeah so I think these are awesome we feel that even maybe the first number-one point there should be like having the right partner so if you start your journey or you're thinking about your journey or are you already in that maturity somewhere along those lines having the right partner who's going to walk you through what you need to do so we've talked a lot about complexity we've talked a lot about the skills shortage and so who is the right partner for you in your cloud cloud journey not just for the security but just the entire migration to the cloud so this partner should be somebody also who can help you choose your right technology partner too so you have you know somebody doing your SI and also helping you to choose what's best for you right for your environment so is it you know out of the three 
public clouds which one should you go to first or which one are you in and which one should you go to next as well as we've talked about the gaps in the controls too so you know what are the right vendors to fill those gaps so we think that the right partner is very key here ya know that's that's a great point kind of the who's got the battle scars or the experience to take you through that journey just talking about technology NECA it's a it reminds me of a client we when you talk about selecting technology the other thing that we've used that reference architecture for is to map tools so everyone's got investments in a certain security stack right and so if I pick on something like DLP because this is something we had a problem with you've got a certain assumption around how data loss prevention is going to work in your environment as you move to cloud and you start to think about how those environments are elastic and how those environments are somewhat ephemeral you may spin up an environment at night you may shut stuff down on the weekend because you're trying to save costs if you think about DLP and agents reporting back to some sort of central DLP console now you've got a whole different kind of scenario you've got environments that have a ton of compute instances that are no longer reporting so you either need to suppress those alerts you need to change your process or you need to at least have folks in an operational capacity that understand what's going on in those environments so that they're not raising flags about some sort of DLP violation or they're not sending you know admins out to fix an environment that's intentionally shut down so just things like that just examples of situations like that and we see that in almost all of the security domain areas where there's nuances around how things function in the cloud that are different than you know what we're accustomed to the norms in an on-premise environment all right so we just want to use the 
final few minutes to leave time for questions but just to talk about the client case study um Dan has talked about one very detailed I just want to extract that to a thousand-foot level and just talk about how we help the client migrate to the cloud and so as Accenture we actually have a big cloud migration group journey to cloud group and this particular client is a health insurance client big one provides insurance to thousands of clients or customers and so they really brought us in to help them on that trip to the cloud because they had some business services they needed to enable you know around you know big data using big data for it using even IoT so just seeing the cloud as an enabler for all that and so what we did was we came in first and started to walk with them around you know what does that look like what is the outcome they're expecting so really is around ultimately what is the business outcome they're expecting and so we're able to put together some a roadmap for them we actually started to look at their current environment assess what it looked like you know started to prioritize them you know what are the key business units that we need targets the key business applications too we also started to do some rationalization of the applications and looking at you know which ones needed modernisations and which ones needed to be rebuilt for the cloud and from there of course having security embedded up front right at the right time and all that and so for them it was really look we want to get the business services out there we want to enable applications but we want to just make sure that they are all secure so we started to walk them through that journey and it was a full transformation of the architecture and their infrastructure really but at the end of the day we also put them on a cloud management platform where they now were able to get on with what they needed to do while we started to manage the platform for them so you talked about lots of 
alerts and you know the fatigue and lack of skills and so we're able to take on most of that for them for this particular client so I think at the end of the day we're able to realize that outcome for them yeah I think it's a it's really interesting you've got traceability from the security controls you implement and how to support a business outcome and I think as security practitioners right we've got a responsibility to make sure that what we're doing is tied to business outcomes and and and that was a really good example of where that was done kind of intentionally from the onset and so justification for security investment in certain security capabilities etc wasn't a problem because we were tied to kind of higher order business outcomes that were you know trying we weren't trying to justify through some sort of security ROI so it was a really effective means for getting the right security embedded into the solution and the journey as they migrated we can take questions for the last five minutes two minutes three questions very clear as Claire's mode any questions yep thank you I think he's explained quite well the whole journey but like you mentioned something about the lack of skills and hopefully I think it's a one of the biggest problems when the organization are moving to the cloud how you guys can help or tackle this specific problem yeah so I think I mean automation is the is the end goal but getting to that point of automation is is sometimes challenging if you take so I mentioned kind of the AWS services guardrails that we created for one client if you take those and and look at the acceleration that that can give to a client's journey it's it's it's pretty significant in terms of the the time savings having those as a baseline that you actually educate security folks on to understand what's being done for EC2 and S3 and all these different services starts to build a little bit more awareness around you know what's what's required for each of 
those and what the capabilities of each of those services are so it's kind of a kickstart to both getting the right security in and helping enable the security practitioners to grow in their knowledge and understanding of what's required for each of their services so there's obviously you know consultative augmentation that you know we as a consulting firm that could provide that's a short-term fix obviously if you can enable an organization to grow and learn and reskill their folks or upskill their folks that's that's the ultimate goal but I think automation is another key component in accomplishing that good question any other questions okay thank you very much for your time if you have any other questions you didn't want to announce in front of everybody else you feel free to come up to the front thank you
Info
Channel: Palo Alto Networks Ignite
Views: 348
Rating: 5 out of 5
Id: zVMVOfaC9Hg
Length: 49min 48sec (2988 seconds)
Published: Tue Dec 10 2019