Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Getting Started with Cloud Native Security for ...

Getting Started with Cloud Native Security for Security Pros

This is a presentation for security pros who want to get started with Cloud-native security.

Light on actual resources, we focus on why this is emerging, why it is important, and easy to follow steps.

Skip to slide 10 if are you aren't interested in my career start or the big shifts happening currently.

Akash Mahajan

May 29, 2021
Tweet

More Decks by Akash Mahajan

Other Decks in Technology

Transcript

  1. An Unexpected Journey How I learnt to ❤ security and

    thrived Akash Mahajan @ Expert Masterclass | Mar 2021
  2. Akash Mahajan ★ Co-Founder Kloudle, Appsecco, null.community ★ Published Author

    of Burp Suite Essentials, Security Automation using Ansible ★ Trainer BlackHat, nullcon, c0c0n ★ Technical Reviewer of books/conferences ◦ Terraform Up and Running - Book ◦ DefCon Cloud Village, Recon Village (2019-20) ◦ PyCon India 2020
  3. I want to talk about the future “3 huge shifts

    taking place in the tech world; platforms, app dev and therefore security”
  4. PLATFORM SHIFTS 3 Tier to Cloud Native Apps & IaaS

    to CaaS 5 Monoliths to Microservices Virtual Machines on IaaS to Containers on Kubernetes
  5. 6 Waterfall DevOps Cloud-Native Ops Cloud Native Developer Head Platforms

    & CloudNative APP LIFECYCLE SHIFT Redefined Roles IT Admin/App Dev turned into DevOps Head of DevSecOps/SRE Enterprise App Developer AppSec Pentester
  6. 7 Event & data driven security Perimeter based Application Security

    in Virtual Machines with traditional network and web application firewalls SECURITY ARCHITECTURE SHIFT Perimeter to Data Centric Security Events & Data Firewalls (Network/WAF) Port/Service Allowed API access (HTTPs)
  7. Cloud Native Security requires ★ DevSecOps + DevOps working together

    ★ Immutable Infrastructure for production, usually achieved by Infra as Code (IaC) ★ Continuous Deployment pipelines for infrastructure and code and supporting services ★ Event Driven Security to enable automation for monitoring and response
  8. Learn for the cloud ★ To setup Virtual Machines with

    CLI (AWS, Azure, GCP) and with code (Terraform, AWS CDK, Pulumi) ★ Learn using Just in Time security for eg. enable port access using API based on events & triggers ★ Learn deploying complete applications with databases as Docker on VMs and managed services like AWS Fargate, Google Cloud Run ★ Write asynchronous event based cloud functions in Python/NodeJS/Golang for Functions as a Service
  9. Go in depth Day2 ops for SREs ❏ Secure access

    to production ❏ How to deploy source code to app using CI/CD ❏ How to do encrypted backups ❏ How to manage vulnerabilities ❏ How to alert, notify and respond ❏ How to define Service Level Objectives