Trust in the Cloud Mike Foley RSA Virtualization Evangelist 2009/2010/2011 1 2010 VMware Inc. All rights reserved
Agenda How do you solve for Trust = Visibility + Control? What s needed to build a Trusted Cloud? RSA Solutions for Visibility and Control Getting started and continuing your journey to the Trusted Cloud 2
3
The New Layering of IT Presents New Challenges New End User Computing End User Access Transformation Application Transformation New Application Platform Infrastructure Transformation Private Hybrid Cloud Infrastructure Public 4
Virtualization Changes Security Dynamics Perimeter Based Information- Centric Bolted on Embedded Static / Reactive Adaptive & Risk-based 5
What s needed to build the Trusted Cloud? 6
How do I get to Cloud? It starts with a secure infrastructure! A secure foundation you can build on Get your Private Cloud in order before pushing out to the public cloud Work out your user experience locally Work out security best practices Only push out those workloads that have been properly vetted To get to a secure infrastructure Put in as much design effort as you put into storage and networks! Involved your security people at the beginning! This will help you understand What and how you can secure What and how you can monitor 7
a Road Block At the beginning of your journey to a Private or as you get closer to Cloud production it could become 8
9 RSA Solutions for Visibility + Control in Virtualized Environments
RSA envision Uncompromised visibility into VMware operations 10
Visibility and Monitoring: RSA envision Optimized for Complex VMware Environments Consolidated Security Event Log Management Collect logs from EVERYTHING Real-time Monitoring Correlated Alerting Incident Management Reporting and History 11
RSA envision: SIEM for VMware Collecting logs from VMware components VMware vshield VMware vcenter VMware ESX / ESXi VMware View Manager VMware vcloud Director VMware Collector for RSA envision leverages VMware API s via a single, secure connection to retrieve vcenter and ESX / ESXi logs Over 380 unique messages 19 normalized event categories RSA envision Can pull logs from multiple vcenter instances 12
Deep Visibility into VMware Infrastructure VMware vcloud Director VMware vshield Manager VMware View Manager Archer egrc RSA envision 13
Deep visibility into Vblock RSA envision monitors the entire Vblock stack from hardware all the way up to application level Verifies best practices Complements the RBAC security model Applications Virtual Machines Networking vsphere Comprehensive visibility into security events RSA envision Security incident management, compliance reporting UCS Storage 14
envision Dashboard - Monitoring Events in the Virtual Datacenter 15
Apply Patch to Production System - Before Production Datacenter HR Application Server VM PATCH Test Environment HR Application Server VM PATCH HR Database Server VM HR Database Server VM HRDB Name, SSN, DoB, etc HRDB Name, SSN, DoB, etc Is this an 1 Clone virtual environment A common way to apply patches is to try them out in a test environment 3 Apply sufficiently Patch protected 2 to Test production & Patch environment In a virtual world you can clone in the test system, environment? data and all authorized procedure? Is the test environment Who accessed the data This is difficult and time-consuming in a production controlled? environment, but very easy in a virtual environment Was the VM destroyed after it was used? 16
Apply Patch to Production System - After Production Datacenter HR Application Server VM PATCH Test Environment HR Application Server VM PATCH HR Database Server VM HR Database Server VM HR Database Name, SSN, DoB, etc HR Database Name, SSN, DoB, etc 3 Apply 1 Patch Clone 2 to Test virtual production Patch environment environment VM Cloned VM Cloned Patch Applied RSA envision logs administrative activity from vcenter. Example: VM being cloned RSA envision Virtual Patch Machine Applied deletion confirmed If this is out of policy Monitoring we of the can test alert environment a security ensures protection analyst of data 17
RSA Archer Governance, Risk and Control Management of your VMware environment 18
Enabling the Cycle of Governance, Control and Visibility RSA Securbook Discover VMware infrastructure Define security policy Over 100 VMware-specific controls added to Archer library, mapped to regulations/standards Manage security incidents that affect compliance Manual and automated configuration assessment RSA envision collects, analyzes and feeds security incidents from RSA, VMware and ecosystem products to inform Archer dashboards RSA Archer egrc Remediation of non-compliant controls Solution component automatically assesses VMware configuration and updates Archer 19
RSA Archer egrc for VMware Authoritative Sources PCI, HIPAA, SOX, CSA, VMware Hardening Guide, etc. 10.10.04 Administrator and Operator Logs CxO Control Standard Generalized security controls CS-179 Activity Logs system start/stop/config changes etc. Control Procedure Technology-specific control CP-108324 Persistent logging on ESXi Server VI Admin 20
Distribution and Tracking Control Security Admin Server Admin Project Manager Network Admin VI Admin 21
Securing the Journey to the Cloud IT Production Business Production IT-As-A-Service Lower Costs Improve Quality Of Service IT-AS-ASERVICE IT PRODUCTION Compliance Improve Agility % Virtualized Risk Driven Policies 70% 85% 95% 95% 30% IT and Security Operations Alignment 30% 15% Platinum Gold Gold 15% Percent Virtualize d Lower costs 22 Platinum Visibility into virtualization infrastructure privileged user monitoring access management network security Improve agility Secure multi-tenancy Verifiable chain of trust
RSA Solution for Cloud Security and Compliance Guided Remediation Automated Measurement Agent Device Discovery + Configuration Measurement RSA Archer egrc VMware-specific Controls alerts RSA envision 2 23
Use Case: Reducing Risk of VM Theft RISK Securing virtual infrastructure is often a check list of best practices. Hardening VMware environment is complex and difficult to verify. What can I do to limit the risk of VM theft from my datacenter? Need to take preventative steps that limit access to VM files, such as: Disable Datastore Browser Limit Storage User Access Limit use of service console Use least privileged role concept for system and data access 24
Use Case: Reducing Risk of VM Theft SOLUTION Archer has built in control procedures to check for VM file access and other best practices From a centralized console security and IT ops can easily see if controls enforce policy Solution identifies VMware devices, assesses configuration status, and informs responsible administrator envision monitors to ensure security events not disrupting compliance posture 25 Results: Security and compliance best practices directly aligned with regulations and company policies are implemented and verified
RSA and VMware View A solution for better security of desktops 26
How VMware View + RSA address better security? vshield protected network RSA SecurID Endpoint with NO sensitive data The endpoint is changing Mac iphone/ipad Android phones and tablets BYOC Virtual Desktop with access to sensitive data No USB or only secure USB allowed via RSA DLP Network access controlled via VMware vshield The process is fully logged by RSA envision Application with sensitive data 27
Visibility + Control for VMware View Validated with Vblock RSA DLP for protection of data in use VMware Infrastructure VMware View Manager RSA Archer Compliance Dashboard Clients RSA SecurID for remote authentication RSA envision log management for VMware vcenter & ESX(i) VMware View RSA SecurID RSA DLP Active Directory 28
Data Loss Prevention RSA and VMware working together to secure data in a private cloud 29
VMware vshield App: Built-in Data Classification via RSA DLP Powered by Content Aware Infrastructure Trust Zone - SOX Trust Zone - PCI Trust Zone - PII VMware vsphere 5 + vshield App with Data Security Classify files within VMs RSA DLP classification technology embedded into VMware vshield App with Data Security No agents or 3 rd party software Includes 80+ expert RSA policies out of the box Consistent classification across both physical and virtual environments 30
RSA DLP + VMware vshield Discovery of sensitive data at the virtualization layer RSA DLP VMware vshield Discover sensitive data Endpoint enforcement of policies at application Network enforcement of policies Scanning of SharePoint or Lotus Notes Fingerprint files and databases Custom content discovery 31
32 Best Practices
Protecting Your Management Consoles SSL VPN supporting Two-Factor Authentication Management LAN vcenter Server ESX Service Console RSA envision Server Management Consoles Network Switch Consoles Remote desktop into your Management LAN via VPN 33
I m overwhelmed, where do I start? 34
RSA Security Practice of EMC Consulting World Class Virtualization Information Security Expertise Best Practices Proven Methodologies Realm Strategy Design Implement Operate Scope Policy Compliance Metrics Planning Roadmap Deployment SOC Service Desk Incident Response Solution Components Security Assessment for Virtualized Environments Securely Managing Virtualization Best Practices & Safeguards Security for VDI Environments Specialty Areas 35 Security Strategy Private Cloud Security Virtual Desktop Security Policy Development
Thinking Ahead Some closing thoughts on the future of security and virtualization 36
More Effective Security In Virtualized Environments Today most security is enforced by the OS and application stack. This is: Ineffective Building Inconsistent in information security enforcement Complex in the infrastructure layer ensures: Consistency Simplified security management Much higher level of visibility into security operations APP OS vapp and VM layer APP OS APP OS APP OS Virtual and Cloud Infrastructure Physical Infrastructure 37
Leverage new tools and capabilities for better security Automation and orchestration to provide consistent, measurable tasks Tasks should be a foreach loop Example PowerShell: Foreach ($host in $vmhosts {do task}) Use VMware Orchestrator to limit general access to vcenter to just those functioned required to do a job This helps to focus on out of policy actions, bringing them to the forefront Leverage capabilities of RSA and VMware to provide a secure environment that provides value to the business 38
Looking to the future The ability to conclusively tag components of the virtual infrastructure, specifically virtual machines Leverage Hardware Root of Trust Richer information about events from the virtual infrastructure Mike changed the network settings is not good enough! What did Mike change? Not just alert, but take action Automated remediation Dealing with social engineering events Leverage the new layer of defense in depth to greater use 39
40
Thank You 谢谢您 http://rsa.com/rsavirtualization 41 2010 VMware Inc. All rights reserved