Cloud-Konzepte und IT-Sicherheit –ein Widerspruch?

Ralf Sydekum

Manager Systems Engineering DACH

| © F5 NETWORKS2

Wie halten Sie es mit der Cloud Security?

A A - Sehr wichtig und bedarf mehr Aufmerksamkeit als Security im RZ

B B - Darum kümmert sich der Cloud Provider, ich muss nichts machen

C C - Oh Mann, mit Security in der Cloud geht der ROI nicht auf

D D - Unsere Security Policies im RZ müssen auch in der Cloud gelten

| © F5 NETWORKS3

Applications Are the Most Valuable Asset of the Modern Enterprise

Physical Capital

Carnegie

Rockefeller

Ford

Human Capital

McKinsey & Company

IBM

Application Capital

Facebook

Uber

Starbucks

Nike

| © F5 NETWORKS4

The number of applications is booming

250M 1.7B

2018

2020

| © F5 NETWORKS5

New architectures

Distributed deployments

Expanding threat surface area

Inadequate visibility

of customers can report the number of applications in their portfolio with confidence 0%

of all cyber-threats target applications and application identities86%

of app workload instances are container-based, growing to 95% by 202185%

of customers are adopting multi-cloud87%

Challenge: Applications are a Source of Enterprise Risk

| © F5 NETWORKS6

Cloud Migration Strategies for Digital Transformation

RETIRE(decommission)

RETAIN(revisit)

REHOST(lift-and-shift)

REPLATFORM(lift-tinker-and-shift)

REPURCHASE(shop-and-drop)

REFACTOR(rewrite/decouple)

Application Architecture Traditional monolithic Microservices

L2-L3 Networking Switching and routing SDN

ADC & Security Policies IT tickets Automation

Operational Control NetOps and SecOps AppDev and DevOps

| © F5 NETWORKS7

47%

Type of application

42%

Determined by IT

44%

Case by case, per application

Choose the Best Cloud for the Application

44%

Type of end user of the application

Different apps – Different needs – Driving hybrid / Multi-cloud strategy

Source: State Of Application Services Report, F5 Networks, January 2019

| © F5 NETWORKS8

LEAD TO MULTI-CLOUD SPRAWL

• Different feature sets

• Different APIs

• Preventing easy app migration and

portability

• Falling short on security and

regulatory compliance

Native App ServicesNative app services in public clouds

Domain specific app services in private clouds

| © F5 NETWORKS9

MUSIC STREAMING SERVICES

• Playlist to customise user experience

• Incompatible playlist implementation

• Playlist migration impossible, lock-in

A Simple Analogy

Domain specific playlists

making migration difficult

PlaylistPlaylist

| © F5 NETWORKS10

MULTI-CLOUD APP SERVICES CONSISTENCY

• Unified and consistent application

services

• Application migration and portability

• Best-of-breed ADC and application

security

F5 App ServicesF5 app services consistency across all clouds

| © F5 NETWORKS11

Application Services Portfolio

| © F5 NETWORKS12

F5 Multi-Cloud Application Services

Client

Application Services

On-premises Private cloud Public cloud Co-located SaaS Containers

SaaS

| © F5 NETWORKS13

Protecting Applications in Multi-Cloud ArchitectureMOVING TO A PERIMETER-LESS SECURITY MODEL

Traditional network-based perimeter security Zero-trust and per-app security

| © F5 NETWORKS14

Data Sanitisation

98.6M bots observed

52% of Internet traffic is bot related,30% of which are bad

Over 50% web app breaches

involve the usage of bots

| © F5 NETWORKS15

The Business Impact of Bad Bots

$$$

Polluted business analytics

Can not assess business trends

Paying for void traffic

in cloud

Intellectual property

gets stolen

Losing reputation over

automated transactions

(sneaker bots)

| © F5 NETWORKS16

Unified Bot Protection

Monetisation analytics

WAF

Anti Bot

MobileIntelligence feeds

Programmability

| © F5 NETWORKS17

Protecting APIs Monetisation

APIs growth is immense

Monetising APIs is being adopted by all industries

APIs are subject to the same

attacks as traditional applications

| © F5 NETWORKS18

• Impact to API = Immediate revenue loss

• Failure to meet regulations has a huge cost penalty− PCI, PSD2, GDPR…

• 3rd-party end points and mobile devices cannot be managed

The Business Impact of an Unsecured API

$$$

| © F5 NETWORKS19

• Bot Protection

• Advanced WAF (OWASP and Conviction)

• Behavioural DoS protection with TLS

fingerprinting

• Intelligence feeds

• Identity and access management

• Enforcement of schema and OpenAPI

Unified API Protection

{API} {API}

WAF

| © F5 NETWORKS20

Innovation Through Decryption

80% of outbound traffic is encrypted

100% of incoming traffic is encrypted in modern enterprises

100% of malware exploits are via

encrypted traffic

| © F5 NETWORKS21

• Overloaded with encryption sprawl

• Performance hit with encryption

• Low ranking on search engines

• Challenge evaluating new solutions easily − Can not be achieved without breaking the network

− 2 to 3 security solutions evaluated per year

Move from this...

Outbound Inbound

| © F5 NETWORKS22

... to this: SSL Orchestrator

Freedom to evaluate and innovate

One place to manage encryption

Reuse legacy and reduce footprint

Dynamic chaining based on criteria

Outbound Inbound

| © F5 NETWORKS23

The Zero Trust Access

Single point of control for identities

Federated access

Control the perimeter

| © F5 NETWORKS24

Zero Trust for a Multi-Cloud Perimeter

AuthN/Z

Access Proxy

Contextual Access

WAF

Access Proxy

Contextual Access

WAF

| © F5 NETWORKS25

Your Business Challenges – Our Solution

Help me with zero trust

Visibility everywhere

| © F5 NETWORKS26

Traditional Deployment of Application Services

NetOps

SecOps

IT tickets

Deploying and managing

application services

Request deployment and monitoring

of application services

VIPRION or

BIG-IP

app

Slow time-to-market and problem resolution leading to frustration with app teams

AppDev

| © F5 NETWORKS27

Business Agility with App-centric Management

RETAIN

REHOST

REPLATFORM

GUI and dashboards

Preparing application

services templates

Select and monitor application

services via self-service portal

app

app

app

Faster time-to-market, increased deployment cadence, quicker problem resolution

NetOps

SecOps AppDev

DevOps

| © F5 NETWORKS28

App Services

App ServicesApp Services

App-centric Management with BIG-IQ

VIPRION or

BIG-IP

BIG-IQ

Per-app visibility and analytics

App Services

Catalogue

SecOpsNetOpsAppDev AppDev DevOps

| © F5 NETWORKS29

F5 Automation Toolchain

AS3

Application services Deploy app services on

BIG-IP using declarative

REST APIs

CLOUD

TEMPLATES

Start BIG-IP

InstancesPublic and

private clouds

TS

Telemetry Streaming Export of BIG-IP

events and statistics

to external analytics

platforms

DO

Declarative

OnboardingInitial config of

BIG-IP instances

F5 API SERVICES GATEWAY

https://github.com/f5networks

48 repositories

| © F5 NETWORKS30

Digital Transformation made simpler & safer with F5

RETAIN

REHOST

REPLATFORM

REFACTOR

MODERN APP

Licensing models

Application services

Eco-SystemsMigration Deployment & consumption models

| © F5 NETWORKS31