Copyright 2012 EMC Corporation. Todos os direitos reservados.

Transcription

1 Copyright 2012 EMC Corporation. Todos os direitos reservados. 1

2 GERENCIANDO E PROTEGENDO SUA INFRAESTRUTURA EM NUVEM Perspectiva dos Riscos da Segurança na Nuvem Nak Y. Kwak Brazil & SOLA nak.kwak@rsa.com Copyright 2012 EMC Corporation. Todos os direitos reservados. 2

3 How can I trust virtualization and cloud? 3

4 Assess and Measure Risk Data Sensitivity Workload IP Business Requirements Job Security?! 4

5 What are my options? 5

6 Options Virtual Datacenter Self-Service Private Cloud Public Cloud Hybrid Cloud 6

7 How do I get there? 7

8 It starts with infrastructure Design Build in, don t bolt on Control Limit access Automate, Orchestrate Isolate Leverage new tools Monitor Log & Report on out of policy actions Measure Compare to policy 8

9 Design with security in mind Spend the time up front to assess your environment Know when and where to implement security controls Involve all concerned parties Trade off speed bumps for road blocks! 9

10 Control Limit access like you would for a physical datacenter Leverage orchestration & automation Secure infrastructure Leverage role-based access controls 10

11 You re only as secure as your infrastructure Administrator consoles are not protected in a consistent manner Frequently only Username/Password Use of shared passwords Responsibility is with each vendor to secure vcenter Server Server Management Consoles ESXi Management Network or ESX Service Console Network Switch Consoles 11

12 Consolidate and secure access to management consoles Management LAN Logs SSL VPN supporting Two-Factor Authentication vcenter Server ESXi Management Network or ESX Service Console SIEM Server Management Consoles Network Switch Consoles 12

13 The Great Wall Designed to protect against intrusions Defensive in nature A perimeter solution Defense in Depth 13

14 14

15 The first (and sometimes last!) approach to virtualization security 15

16 Isolation Intra-VM network traffic User roles Storage 16

17 Building security into the infrastructure vapp and VM layer APP APP APP APP OS OS OS OS ENGINEERING FINANCE Virtual and Cloud Infrastructure Physical Infrastructure 17

18 Monitor Log all datacenter actions Network monitoring Alerting Fine grained auditing of activity in the virtual environment 18

19 Applying a patch to a production system BEFORE Production Datacenter HR Application Server VM PATCH Test Datacenter HR Application Server VM PATCH HR Database Server VM HR Database Server VM HRDB Name, SSN, DoB, etc HRDB Name, SSN, DoB, etc 12 3 Authorized procedure? Test environment sufficiently protected and controlled? Who accessed the data in the test environment? Clone Test Apply patch virtual to environment production environment Was the VM destroyed afterwards? 19

20 Applying a patch to a production system AFTER Production Datacenter HR Application Server VM PATCH Test Datacenter HR Application Server VM PATCH HR Database Server VM HR Database Server VM HRDB Name, SSN, DoB, etc HRDB Name, SSN, DoB, etc 12 3 Apply Clone Test patch virtual to environment production environment VM VM Cloned with patch cloned SIEM logs admin activity from vcenter If this is out of policy we can alert a security analyst Patch applied VM deletion confirmed Data protected by monitoring test environment 20

21 Unauthorized admin/misconfiguration PCI Network Non-PCI Network Transaction Mgmt Application Contains Credit Card numbers Transaction DB If permissions are set VM Authorized up moved incorrectly, by PCI host, an RSAVCE\david.bp network unauthorized admin? admin can misconfigure a VM If SIEM the can logs administrator check what activities against or action a were is not authorized, performed watchlist and of SIEM authorized can alert PCI a security Hosts by whom or analyst Admins 21

22 Measure View of compliance across the business Map assets to business context Map testable controls to regulations and standards 22

23 RSA Archer: Mapping VMware security controls to regulations and standards Authoritative Sources PCI, HIPAA, SOX, CSA, VMware Hardening Guide, etc Administrator and Operator Logs CxO Control Standard Generalized security controls CS-179 Activity Logs system start/stop/config changes etc. Control Procedure Technology-specific control CP Persistent logging on ESXi Server VI Admin 23

24 Integrating RSA Archer & EMC/VMware Measure IT INFRASTRUCTURE Pass the audit ENTERPRISE COMPLIANCE NCM SCA vcm DPA RSA Archer Standards IT Assets Automated Scans Reports Data Feed Manager Database CSV Scan critical IT assets automatically Check compliance status Return assessment results Import results automatically Map to other solutions or policies Show relevant reports in dashboard 24

25 What else can I do? 25

26 Apply the same Rules to Data Design Control Isolate Monitor Measure 26

27 The biggest source of security breaches? Lost or stolen laptops. 95% of lost laptops are never recovered. 70% of these aren t encrypted. Data Sources: OSF Data loss DB,, Ponemon Institute

28 Virtual Desktops = Governance vshield protected network RSA SecurID Endpoint with NO sensitive data The endpoint is changing Mac iphone/ipad Android BYOD Virtual Desktop access to sensitive data No USB via policy Or USB secured via RSA DLP Network access controlled via vshield The process is fully logged to SIEM Application with sensitive data 28

29 What about customer data? 29

30 Tokenization What is it? The replacement of sensitive ( clear text ) data with another, unrelated value Also called substitution, Pad, proxy, token No Mathematical relationship between the clear text data and the token Think of it as a giant cross-reference table Card Number Token Value

31 Defining Secure Multi-Tenancy User-Centric Mostly provided by vcloud today vcloud abstracts vcenter activity End User does not log into vcenter vcloud provides isolation Networks Storage VM Separate logins Perceived separation Management-Centric Much deeper level of isolation needed Possible admin isolation Possible storage isolation for legal reasons Tools need to be able to label/id tenants Encryption/key management Real need for proof of isolation at the vcloud AND vcenter level Measurement becomes critically important 31

32 At the beginning of the journey to a Private Cloud or as it gets closer to production it could become a Road Block 32

33 Tech is easy Business is hard! 33

34 Twite por uma chance de ganhar um Iomega Desktop Hard Drive 1TB! As respostas corretas participarão do sorteio acima. O ganhador será anunciado no fim do evento. É preciso estar presente para receber o prêmio. Copyright 2012 EMC Corporation. Todos os direitos reservados. 34

35