Trust in the Cloud - download3.vmware.comdownload3.vmware.com/elq/pdf/vforum_cn_2011/PDF/Track...
© 2010 VMware Inc. All rights reserved
Trust in the Cloud
Mike Foley – RSA Virtualization Evangelist
2009/2010/2011
Agenda
• How do you solve for Trust = Visibility + Control?
• What's needed to build a Trusted Cloud?
• RSA Solutions for Visibility and Control
• Getting started and continuing your journey to the Trusted Cloud
The New Layering of IT Presents New Challenges
[Diagram: three transformations, one layered on the next]
• End User Access Transformation: New End User Computing
• Application Transformation: New Application Platform
• Infrastructure Transformation: Cloud Infrastructure (Private, Hybrid, Public)
Virtualization Changes Security Dynamics
• Perimeter Based → Information-Centric
• Bolted on → Embedded
• Static / Reactive → Adaptive & Risk-based
What's needed to build the Trusted Cloud?
How do I get to "Cloud"?
• It starts with a secure infrastructure!
• A secure foundation you can build on
• Get your Private Cloud in order before pushing out to the public cloud
  • Work out your user experience locally
  • Work out security best practices
  • Only push out those workloads that have been properly vetted
• To get to a secure infrastructure
  • Put in as much design effort as you put into storage and networks!
  • Involve your security people at the beginning!
• This will help you understand
  • What and how you can secure
  • What and how you can monitor
[Callout: At the beginning of your journey to a Private Cloud... or as you get closer to production, it could become... a Road Block]
RSA Solutions for Visibility + Control in Virtualized Environments

RSA enVision
Visibility and Monitoring: RSA enVision
Uncompromised visibility into VMware operations
• Optimized for Complex VMware Environments
• Consolidated Security Event Log Management
  • Collect logs from EVERYTHING
• Real-time Monitoring
• Correlated Alerting
• Incident Management
• Reporting and History
RSA enVision: SIEM for VMware
• Collecting logs from VMware components: VMware vShield (Manager), VMware vCenter, VMware ESX / ESXi, VMware View Manager, VMware vCloud Director
  • VMware Collector for RSA enVision leverages VMware APIs via a single, secure connection to retrieve vCenter and ESX / ESXi logs
  • Over 380 unique messages
  • 19 normalized event categories
  • Can pull logs from multiple vCenter instances
Deep Visibility into VMware Infrastructure
[Diagram: RSA enVision collecting from VMware vShield Manager, VMware vCloud Director, VMware View Manager and vCenter / ESX hosts]
Deep visibility into Vblock
• RSA enVision monitors the entire Vblock stack from hardware all the way up to application level
• Verifies best practices
• Complements the RBAC security model
[Diagram: Vblock stack (Applications, Virtual Machines, vSphere, UCS, Networking, Storage) feeding RSA enVision (comprehensive visibility into security events) and Archer eGRC (security incident management, compliance reporting)]
enVision Dashboard - Monitoring Events in the Virtual Datacenter

Apply Patch to Production System - Before
A common way to apply patches is to try them out in a test environment. This is difficult and time-consuming in a production environment, but very easy in a virtual environment: in a virtual world you can clone the system, data and all.
[Diagram: Production Datacenter (HR Application Server VM, HR Database Server VM holding HRDB: Name, SSN, DoB, etc.) cloned into a Test Environment]
1. Clone virtual environment
2. Test patch
3. Apply patch to production environment
Questions this raises:
• Is this an authorized procedure?
• Is the test environment sufficiently protected & controlled?
• Who accessed the data in the test environment?
• Was the VM destroyed after it was used?

Apply Patch to Production System - After
[Same diagram, with RSA enVision observing each step]
1. Clone virtual environment: VM Cloned. RSA enVision logs administrative activity from vCenter. Example: VM being cloned. If this is out of policy we can alert a security analyst.
2. Test patch: Patch Applied. Monitoring of the test environment ensures protection of data.
3. Apply patch to production environment: Patch Applied.
• Virtual Machine deletion confirmed
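As an added illustration (not RSA enVision code, and not from the deck), the policy questions on this slide can be expressed as a replay over vCenter-style clone and delete events: was the clone of a sensitive VM authorized, and was the clone destroyed within the allowed window? The event lines, VM names, approved-cloner list and retention window are all constructed here.

```python
"""Policy check over vCenter-style clone/delete audit events.

Added example: replays constructed events of the kind the slide
describes (HR database VM cloned into a test environment, later
deleted or not) and turns the slide's questions into alerts.
"""
from datetime import datetime, timedelta

# Constructed sample events: timestamp, user, event, source VM, clone name.
SAMPLE_EVENTS = [
    "2011-05-02T09:00:00 alice VmCloned  HR-DB-01 HR-DB-01-test",
    "2011-05-02T09:05:00 alice VmCloned  HR-APP-01 HR-APP-01-test",
    "2011-05-02T13:00:00 alice VmRemoved HR-APP-01-test -",
    "2011-05-03T22:00:00 bob   VmCloned  HR-DB-01 HR-DB-01-copy",
]
SENSITIVE_VMS = {"HR-DB-01"}            # holds Name, SSN, DoB, etc. (constructed)
AUTHORIZED_CLONERS = {"alice"}          # users covered by the approved procedure
MAX_CLONE_LIFETIME = timedelta(hours=8)  # clone must be destroyed within this window
NOW = datetime(2011, 5, 4, 0, 0, 0)      # evaluation time for the replay


def parse(line):
    """Split one constructed event line into its fields."""
    ts, user, event, vm, clone = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "event": event, "vm": vm, "clone": clone}


def check_clone_policy(lines, now=NOW):
    """Return alert strings for out-of-policy clones of sensitive VMs."""
    events = [parse(line) for line in lines]
    # Deletion time of each VM name that was removed.
    removed = {e["vm"]: e["ts"] for e in events if e["event"] == "VmRemoved"}
    alerts = []
    for e in events:
        if e["event"] != "VmCloned" or e["vm"] not in SENSITIVE_VMS:
            continue
        if e["user"] not in AUTHORIZED_CLONERS:
            alerts.append(f"unauthorized clone of {e['vm']} by {e['user']}")
        # A clone never removed is measured against the evaluation time.
        end = removed.get(e["clone"], now)
        if end - e["ts"] > MAX_CLONE_LIFETIME:
            state = "deleted late" if e["clone"] in removed else "still present"
            alerts.append(f"clone {e['clone']} of {e['vm']} {state}")
    return alerts


if __name__ == "__main__":
    for alert in check_clone_policy(SAMPLE_EVENTS):
        print("ALERT:", alert)
```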
RSA Archer
Governance, Risk and Control Management of your VMware environment
Enabling the Cycle of Governance, Control and Visibility
[Diagram: RSA Archer eGRC at the centre of a cycle]
• Discover VMware infrastructure
• Define security policy
• Manual and automated configuration assessment
• Remediation of non-compliant controls
• Manage security incidents that affect compliance
Supporting components:
• Over 100 VMware-specific controls added to Archer library, mapped to regulations/standards (RSA Securbook)
• Solution component automatically assesses VMware configuration and updates Archer
• RSA enVision collects, analyzes and feeds security incidents from RSA, VMware and ecosystem products to inform Archer dashboards
RSA Archer – eGRC for VMware
[Diagram: control hierarchy, from authoritative source down to technology-specific procedure]
• Authoritative Sources: PCI, HIPAA, SOX, CSA, VMware Hardening Guide, etc. Example: "10.10.04 Administrator and Operator Logs"
• Control Standard: generalized security controls. Example: "CS-179 Activity Logs – system start/stop/config changes etc."
• Control Procedure: technology-specific control. Example: "CP-108324 Persistent logging on ESXi Server"
• Distribution and Tracking Control
Roles involved: CxO, Security Admin, VI Admin, Server Admin, Network Admin, Project Manager, Admin
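An added example, not Archer's assessment component: evaluating the control procedure CP-108324 from this slide across a constructed host inventory, producing the per-host result that the Control Procedure level would report up to the CS-179 standard. It assumes the ESXi advanced options Syslog.global.logDir and Syslog.global.logHost are the relevant settings; host names and values are constructed.

```python
"""Assess one technology-specific control across ESXi hosts.

Added example: checks the slide's "CP-108324 Persistent logging on
ESXi Server" against constructed per-host syslog settings.
"""
CONTROL = "CP-108324 Persistent logging on ESXi Server"

# Constructed host inventory: host name -> advanced syslog settings.
HOSTS = {
    "esxi-01": {"Syslog.global.logDir": "[] /scratch/log",
                "Syslog.global.logHost": ""},
    "esxi-02": {"Syslog.global.logDir": "[datastore1] /logs/esxi-02",
                "Syslog.global.logHost": ""},
    "esxi-03": {"Syslog.global.logDir": "[] /scratch/log",
                "Syslog.global.logHost": "udp://envision.corp.example:514"},
}


def log_is_persistent(settings):
    """Persistent if logs go to a named datastore or to a remote collector.

    '[] /scratch/log' is treated conservatively as non-persistent: whether
    scratch lives on a datastore or in RAM cannot be told from this setting
    alone (assumption of this check).
    """
    log_dir = settings.get("Syslog.global.logDir", "")
    log_host = settings.get("Syslog.global.logHost", "")
    on_datastore = log_dir.startswith("[") and not log_dir.startswith("[]")
    return on_datastore or bool(log_host.strip())


def assess(hosts):
    """Return {host: 'compliant' | 'non-compliant'} for CONTROL."""
    return {name: ("compliant" if log_is_persistent(s) else "non-compliant")
            for name, s in hosts.items()}


def non_compliant(hosts):
    """Sorted list of hosts needing remediation for CONTROL."""
    return sorted(h for h, r in assess(hosts).items() if r == "non-compliant")


if __name__ == "__main__":
    for host, result in assess(HOSTS).items():
        print(f"{CONTROL}: {host} {result}")
```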
Securing the Journey to the Cloud
[Chart: stages of the journey plotted against % virtualized (axis marks 15%, 30%, 70%, 85%, 95%), with Gold and Platinum service tiers]
• IT Production: Lower costs
• Business Production: Improve quality of service
• IT-as-a-Service: Improve agility
Security themes along the journey:
• Compliance
• Risk Driven Policies
• IT and Security Operations Alignment
• Secure multi-tenancy
• Verifiable chain of trust
• Visibility into virtualization infrastructure
• Privileged user monitoring
• Access management
• Network security
RSA Solution for Cloud Security and Compliance
[Diagram: Device Discovery + Configuration Measurement by Automated Measurement Agents, evaluated against VMware-specific Controls in RSA Archer eGRC, with RSA enVision alerts feeding in and Guided Remediation as the output]
Use Case: Reducing Risk of VM Theft
RISK
Securing virtual infrastructure is often a check list of best practices. Hardening a VMware environment is complex and difficult to verify. What can I do to limit the risk of VM theft from my datacenter?
Need to take preventative steps that limit access to VM files, such as:
• Disable Datastore Browser
• Limit Storage User Access
• Limit use of service console
• Use least privileged role concept for system and data access
SOLUTION
• Archer has built-in control procedures to check for VM file access and other best practices
• From a centralized console security and IT ops can easily see if controls enforce policy
• Solution identifies VMware devices, assesses configuration status, and informs responsible administrator
• enVision monitors to ensure security events are not disrupting compliance posture
Results: Security and compliance best practices directly aligned with regulations and company policies are implemented and verified
RSA and VMware View
A solution for better security of desktops
How do VMware View + RSA address better security?
[Diagram: an endpoint with NO sensitive data connects to a Virtual Desktop with access to sensitive data, which reaches the Application with sensitive data over a vShield protected network]
• RSA SecurID™ for authentication
• No USB or only secure USB allowed via RSA DLP
• Network access controlled via VMware vShield
• The process is fully logged by RSA enVision
The endpoint is changing: Mac, iPhone/iPad, Android phones and tablets, BYOC

Visibility + Control for VMware View
[Diagram: Clients, VMware View Manager and VMware Infrastructure, with the RSA components around them; validated with Vblock]
• RSA SecurID for remote authentication
• RSA DLP for protection of data in use
• RSA Archer Compliance (Compliance Dashboard)
• RSA enVision log management for: VMware vCenter & ESX(i), VMware View, RSA SecurID, RSA DLP, Active Directory
Data Loss Prevention
RSA and VMware working together to secure data in a private cloud
[Diagram: Content Aware Infrastructure powered by RSA, with Trust Zones for PCI, SOX and PII]
• Classify files within VMs
• RSA DLP classification technology embedded into VMware vShield App with Data Security

VMware vShield App: Built-in Data Classification via RSA DLP
VMware vSphere 5 + vShield App with Data Security
• No agents or 3rd party software
• Includes 80+ expert RSA policies out of the box
• Consistent classification across both physical and virtual environments

RSA DLP + VMware vShield
Discovery of sensitive data at the virtualization layer
[Capability comparison table, RSA DLP vs. VMware vShield; the per-column check marks did not survive extraction. Capabilities compared: Discover sensitive data; Endpoint enforcement of policies at application; Network enforcement of policies; Scanning of SharePoint or Lotus Notes; Fingerprint files and databases; Custom content discovery]
Best Practices
Protecting Your Management Consoles
[Diagram: Management LAN containing the ESX Service Console, vCenter Server, Server Management Consoles, Network Switch Consoles and RSA enVision, reached by remote desktop over an SSL VPN supporting Two-Factor Authentication]
• Remote desktop into your Management LAN via VPN
I'm overwhelmed, where do I start?
RSA Security Practice of EMC Consulting
[Diagram: engagement realm Strategy / Design / Implement / Operate, covering Scope, Metrics, Policy, Compliance, Planning, Roadmap, Deployment, Incident Response, SOC and Service Desk]
• World Class Virtualization Best Practices
• Proven Methodologies
• Information Security Expertise
Specialty Areas: Security Strategy, Virtual Desktop Security, Policy Development, Private Cloud Security
Solution Components:
• Security Assessment for Virtualized Environments
• Securely Managing Virtualization: Best Practices & Safeguards
• Security for VDI Environments
Thinking Ahead
Some closing thoughts on the future of security and virtualization

More Effective Security In Virtualized Environments
Today most security is enforced by the OS and application stack. This is:
• Ineffective
• Inconsistent
• Complex
[Diagram: separate APP/OS stacks on Physical Infrastructure, versus a vApp and VM layer on Virtual and Cloud Infrastructure]
Building in information security enforcement in the infrastructure layer ensures:
• Consistency
• Simplified security management
• Much higher level of visibility into security operations
Leverage new tools and capabilities for better security
• Automation and orchestration to provide consistent, measurable tasks
• Tasks should be a "foreach" loop
  • Example PowerShell: Foreach ($host in $vmhosts) { do task }
• Use VMware Orchestrator to limit general access to vCenter to just those functions required to do a job
  • This helps to focus on "out of policy" actions, bringing them to the forefront
• Leverage capabilities of RSA and VMware to provide a secure environment that provides value to the business
Looking to the future
• The ability to conclusively "tag" components of the virtual infrastructure, specifically virtual machines
• Leverage Hardware Root of Trust
• Richer information about events from the virtual infrastructure
  • "Mike changed the network settings" is not good enough!
  • What did "Mike" change?
• Not just alert, but take action
  • Automated remediation
  • Dealing with "social engineering" events
• Leverage the new layer of defense in depth to greater use
Thank You
http://rsa.com/rsavirtualization