Getting Started with Cloud Native Security for Security Pros

Transcript

1. An Unexpected Journey How I learnt to ❤ security and

   thrived Akash Mahajan @ Expert Masterclass | Mar 2021

2. Akash Mahajan ★ Co-Founder Kloudle, Appsecco, null.community ★ Published Author

   of Burp Suite Essentials, Security Automation using Ansible ★ Trainer BlackHat, nullcon, c0c0n ★ Technical Reviewer of books/conferences ◦ Terraform Up and Running - Book ◦ DefCon Cloud Village, Recon Village (2019-20) ◦ PyCon India 2020

3. From Coder to Company Creator

4. I want to talk about the future “3 huge shifts

   taking place in the tech world; platforms, app dev and therefore security”

5. PLATFORM SHIFTS 3 Tier to Cloud Native Apps & IaaS

   to CaaS 5 Monoliths to Microservices Virtual Machines on IaaS to Containers on Kubernetes

6. 6 Waterfall DevOps Cloud-Native Ops Cloud Native Developer Head Platforms

   & CloudNative APP LIFECYCLE SHIFT Redefined Roles IT Admin/App Dev turned into DevOps Head of DevSecOps/SRE Enterprise App Developer AppSec Pentester

7. 7 Event & data driven security Perimeter based Application Security

   in Virtual Machines with traditional network and web application firewalls SECURITY ARCHITECTURE SHIFT Perimeter to Data Centric Security Events & Data Firewalls (Network/WAF) Port/Service Allowed API access (HTTPs)

8. What is covered when we say Cloud Native

9. Cloud Native Security requires ★ DevSecOps + DevOps working together

   ★ Immutable Infrastructure for production, usually achieved by Infra as Code (IaC) ★ Continuous Deployment pipelines for infrastructure and code and supporting services ★ Event Driven Security to enable automation for monitoring and response

10. Learn for the cloud ★ To setup Virtual Machines with

    CLI (AWS, Azure, GCP) and with code (Terraform, AWS CDK, Pulumi) ★ Learn using Just in Time security for eg. enable port access using API based on events & triggers ★ Learn deploying complete applications with databases as Docker on VMs and managed services like AWS Fargate, Google Cloud Run ★ Write asynchronous event based cloud functions in Python/NodeJS/Golang for Functions as a Service

11. Go in depth Day2 ops for SREs ❏ Secure access

    to production ❏ How to deploy source code to app using CI/CD ❏ How to do encrypted backups ❏ How to manage vulnerabilities ❏ How to alert, notify and respond ❏ How to define Service Level Objectives

12. Freshers do 3 things now! 2 3 1

13. @makash https://linkedin.com/companies/kloudle @kloudleinc http://linkedin.com/in/akashm