Trust in the Cloud - download3.vmware.comdownload3.vmware.com/elq/pdf/vforum_cn_2011/PDF/Track...

Page 1: Trust in the Cloud - download3.vmware.com/elq/pdf/vforum_cn_2011/PDF/Track 2-27/224.pdf

© 2010 VMware Inc. All rights reserved

Trust in the Cloud

Mike Foley – RSA Virtualization Evangelist

2009/2010/2011

Page 2

Agenda

• How do you solve for Trust = Visibility + Control?
• What’s needed to build a Trusted Cloud?
• RSA Solutions for Visibility and Control
• Getting started and continuing your journey to the Trusted Cloud

Page 4

The New Layering of IT Presents New Challenges

[Diagram labels: End User Access Transformation (New End User Computing); Application Transformation (New Application Platform); Infrastructure Transformation (Private, Hybrid and Public Cloud Infrastructure)]

Page 5

Virtualization Changes Security Dynamics

• Perimeter Based → Information-Centric
• Bolted on → Embedded
• Static / Reactive → Adaptive & Risk-based

Page 6

What’s needed to build the Trusted Cloud?

Page 7

How do I get to “Cloud”?

• It starts with a secure infrastructure!
• A secure foundation you can build on
• Get your Private Cloud in order before pushing out to the public cloud
  • Work out your user experience locally
  • Work out security best practices
  • Only push out those workloads that have been properly vetted
• To get to a secure infrastructure
  • Put in as much design effort as you put into storage and networks!
  • Involve your security people at the beginning!
• This will help you understand
  • What and how you can secure
  • What and how you can monitor

Page 8

At the beginning of your journey to a Private Cloud…

…or as you get closer to production it could become…

…a Road Block

Page 9

RSA Solutions for Visibility + Control in Virtualized Environments

Page 10

RSA enVision

Uncompromised visibility into VMware operations

Page 11

Visibility and Monitoring: RSA enVision

• Optimized for Complex VMware Environments
• Consolidated Security Event Log Management
  • Collect logs from EVERYTHING
• Real-time Monitoring
• Correlated Alerting
• Incident Management
• Reporting and History

Page 12

RSA enVision: SIEM for VMware

• Collecting logs from VMware components: VMware vShield, VMware vCenter, VMware ESX / ESXi, VMware View Manager, VMware vCloud Director
  • Over 380 unique messages
  • 19 normalized event categories
  • VMware Collector for RSA enVision leverages VMware APIs via a single, secure connection to retrieve vCenter and ESX / ESXi logs
  • Can pull logs from multiple vCenter instances

Page 13

Deep Visibility into VMware Infrastructure

[Diagram labels: VMware vShield Manager; VMware vCloud Director; VMware View Manager; RSA enVision; Archer eGRC]

Page 14

Deep visibility into Vblock

• RSA enVision monitors the entire Vblock stack from hardware all the way up to application level
• Verifies best practices
• Complements the RBAC security model

Comprehensive visibility into security events
Security incident management, compliance reporting

[Diagram labels: RSA enVision; Applications; Virtual Machines; vSphere; UCS; Networking; Storage]

Page 15

enVision Dashboard - Monitoring Events in the Virtual Datacenter

Page 16

Apply Patch to Production System - Before

A common way to apply patches is to try them out in a test environment. In a virtual world you can clone the system, data and all. This is difficult and time-consuming in a production environment, but very easy in a virtual environment.

1. Clone virtual environment
2. Test Patch
3. Apply Patch to production environment

• Is this an authorized procedure?
• Is the test environment sufficiently protected & controlled?
• Who accessed the data in the test environment?
• Was the VM destroyed after it was used?

[Diagram: Production Datacenter and Test Environment, each with an HR Application Server VM, an HR Database Server VM (HRDB: Name, SSN, DoB, etc) and a PATCH]

Page 17

Apply Patch to Production System - After

1. Clone virtual environment
2. Test Patch
3. Apply Patch to production environment

• VM Cloned: RSA enVision logs administrative activity from vCenter. Example: VM being cloned. If this is out of policy we can alert a security analyst.
• Patch Applied: Monitoring of the test environment ensures protection of data.
• Virtual Machine deletion confirmed.

[Diagram: Production Datacenter and Test Environment, each with an HR Application Server VM, an HR Database Server VM (HR Database: Name, SSN, DoB, etc) and a PATCH; "VM Cloned" and "Patch Applied" events flow to RSA enVision]
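
The clone-lifecycle check described on this slide, as an added example (not RSA enVision or VMware code): it flags clones of a sensitive VM made by a user outside an approved list, and clones that were not deleted within a time limit. The events are constructed samples with simplified field names; the VM names, user names and the 48-hour limit are assumptions.

```python
from datetime import datetime, timedelta

# Assumed policy values for illustration (not from the slides).
SENSITIVE_VMS = {"hr-db-01"}
AUTHORIZED_CLONERS = {"patch-svc"}
MAX_CLONE_LIFETIME = timedelta(hours=48)

# Constructed sample events. VmClonedEvent and VmRemovedEvent are vSphere
# event type names; the record layout is simplified for this example.
SAMPLE_EVENTS = [
    {"time": "2011-05-02T09:00:00", "type": "VmClonedEvent",
     "user": "patch-svc", "source": "hr-db-01", "vm": "hr-db-01-test"},
    {"time": "2011-05-02T17:30:00", "type": "VmRemovedEvent",
     "user": "patch-svc", "vm": "hr-db-01-test"},
    {"time": "2011-05-03T22:15:00", "type": "VmClonedEvent",
     "user": "jdoe", "source": "hr-db-01", "vm": "hr-db-copy"},
    {"time": "2011-05-04T10:00:00", "type": "VmClonedEvent",
     "user": "patch-svc", "source": "hr-db-01", "vm": "hr-db-01-test2"},
    {"time": "2011-05-04T11:00:00", "type": "VmClonedEvent",
     "user": "jdoe", "source": "web-01", "vm": "web-01-test"},
]


def audit_clones(events, now):
    """Return (rule, clone_name, detail) findings for clones of sensitive VMs."""
    findings = []
    open_clones = {}  # clone name -> creation time (sensitive sources only)
    for ev in sorted(events, key=lambda e: e["time"]):
        when = datetime.fromisoformat(ev["time"])
        if ev["type"] == "VmClonedEvent" and ev["source"] in SENSITIVE_VMS:
            open_clones[ev["vm"]] = when
            # "Is this an authorized procedure?"
            if ev["user"] not in AUTHORIZED_CLONERS:
                findings.append(("UNAUTHORIZED_CLONE", ev["vm"],
                                 f"{ev['user']} cloned {ev['source']}"))
        elif ev["type"] == "VmRemovedEvent" and ev["vm"] in open_clones:
            # Deletion confirmed; still report it if it came too late.
            age = when - open_clones.pop(ev["vm"])
            if age > MAX_CLONE_LIFETIME:
                findings.append(("CLONE_REMOVED_LATE", ev["vm"],
                                 f"removed after {age}"))
    # "Was the VM destroyed after it was used?"
    for name, created in sorted(open_clones.items()):
        if now - created > MAX_CLONE_LIFETIME:
            findings.append(("CLONE_NOT_DESTROYED", name,
                             f"still present {now - created} after cloning"))
    return findings


if __name__ == "__main__":
    for finding in audit_clones(SAMPLE_EVENTS, datetime(2011, 5, 6)):
        print(finding)
```
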

Page 18

RSA Archer

Governance, Risk and Control Management of your VMware environment

Page 19

Enabling the Cycle of Governance, Control and Visibility

Cycle steps (around RSA Archer eGRC):

• Discover VMware infrastructure
• Define security policy
• Manual and automated configuration assessment
• Manage security incidents that affect compliance
• Remediation of non-compliant controls

Callouts:

• Over 100 VMware-specific controls added to Archer library, mapped to regulations/standards
• Solution component automatically assesses VMware configuration and updates Archer
• RSA enVision collects, analyzes and feeds security incidents from RSA, VMware and ecosystem products to inform Archer dashboards
• RSA Securbook

Page 20

RSA Archer – eGRC for VMware

• Authoritative Sources: PCI, HIPAA, SOX, CSA, VMware Hardening Guide, etc. “10.10.04 Administrator and Operator Logs”
• Control Standard: Generalized security controls. “CS-179 Activity Logs – system start/stop/config changes etc.”
• Control Procedure: Technology-specific control. “CP-108324 Persistent logging on ESXi Server”

[Diagram labels: CxO; VI Admin]

Page 21

Distribution and Tracking Control

[Diagram labels: Security Admin; Server Admin; Network Admin; VI Admin; Project Manager]

Page 22

Securing the Journey to the Cloud

[Chart: % Virtualized (15%, 30%, 70%, 85%, 95%) across three phases: IT Production (Lower Costs), Business Production (Improve Quality Of Service), IT-As-A-Service (Improve Agility). Labels: Gold; Platinum; Compliance; Risk Driven Policies; IT and Security Operations Alignment]

• Secure multi-tenancy
• Verifiable chain of trust
• Visibility into virtualization infrastructure
• Privileged user monitoring
• Access management
• Network security

Page 23

RSA Solution for Cloud Security and Compliance

[Diagram labels: Device Discovery + Configuration Measurement; Automated Measurement Agent; Guided Remediation; VMware-specific Controls; RSA Archer eGRC; RSA enVision alerts]

Page 24

Use Case: Reducing Risk of VM Theft

RISK

Securing virtual infrastructure is often a checklist of best practices. Hardening a VMware environment is complex and difficult to verify. What can I do to limit the risk of VM theft from my datacenter?

Need to take preventative steps that limit access to VM files, such as:

• Disable Datastore Browser
• Limit Storage User Access
• Limit use of service console
• Use least privileged role concept for system and data access

Page 25

Use Case: Reducing Risk of VM Theft

SOLUTION

• Archer has built-in control procedures to check for VM file access and other best practices
• From a centralized console, security and IT ops can easily see if controls enforce policy
• Solution identifies VMware devices, assesses configuration status, and informs the responsible administrator
• enVision monitors to ensure security events are not disrupting compliance posture

Results: Security and compliance best practices directly aligned with regulations and company policies are implemented and verified

Page 26

RSA and VMware View

A solution for better security of desktops

Page 27

How do VMware View + RSA address better security?

The endpoint is changing: Mac, iPhone/iPad, Android phones and tablets, BYOC

• RSA SecurID™
• No USB or only secure USB allowed via RSA DLP
• Network access controlled via VMware vShield
• The process is fully logged by RSA enVision

[Diagram: Endpoint with NO sensitive data; Virtual Desktop with access to sensitive data; Application with sensitive data; vShield protected network]

Page 28

Visibility + Control for VMware View

• RSA SecurID for remote authentication
• RSA DLP for protection of data in use
• RSA Archer Compliance Dashboard
• RSA enVision log management for:
  • VMware vCenter & ESX(i)
  • VMware View
  • RSA SecurID
  • RSA DLP
  • Active Directory
• Validated with Vblock

[Diagram labels: Clients; VMware View Manager; VMware Infrastructure]

Page 29

Data Loss Prevention

RSA and VMware working together to secure data in a private cloud

Page 30

VMware vShield App: Built-in Data Classification via RSA DLP

• Classify files within VMs
• RSA DLP classification technology embedded into VMware vShield App with Data Security
• No agents or 3rd party software
• Includes 80+ expert RSA policies out of the box
• Consistent classification across both physical and virtual environments

[Diagram: Content Aware Infrastructure with Trust Zones for PCI, SOX and PII, on VMware vSphere 5 + vShield App with Data Security]

Page 31

RSA DLP + VMware vShield

Discovery of sensitive data at the virtualization layer

Capabilities compared (columns: RSA DLP, VMware vShield):

• Discover sensitive data
• Endpoint enforcement of policies at application
• Network enforcement of policies
• Scanning of SharePoint or Lotus Notes
• Fingerprint files and databases
• Custom content discovery

Page 32

Best Practices

Page 33

Protecting Your Management Consoles

• SSL VPN supporting Two-Factor Authentication
• Remote desktop into your Management LAN via VPN

[Diagram: Management LAN containing ESX Service Console, vCenter Server, Server Management Consoles, Network Switch Consoles and RSA enVision]

Page 34

I’m overwhelmed, where do I start?

Page 35

RSA Security Practice of EMC Consulting

• Realm: Strategy, Design, Implement, Operate
• Scope: Metrics, Policy, Compliance, Deployment, Planning, Roadmap, Incident Response, SOC, Service Desk
• Specialty Areas: Security Strategy, Virtual Desktop Security, Policy Development, Private Cloud Security
• Solution Components:
  • Security Assessment for Virtualized Environments
  • Securely Managing Virtualization Best Practices & Safeguards
  • Security for VDI Environments

World Class Virtualization Best Practices, Proven Methodologies, Information Security Expertise

Page 36

Thinking Ahead

Some closing thoughts on the future of security and virtualization

Page 37

More Effective Security In Virtualized Environments

Today most security is enforced by the OS and application stack. This is:

• Ineffective
• Inconsistent
• Complex

Building in information security enforcement in the infrastructure layer ensures:

• Consistency
• Simplified security management
• Much higher level of visibility into security operations

[Diagram: vApp and VM layer (APP/OS stacks) on top of Virtual and Cloud Infrastructure, on top of Physical Infrastructure]

Page 38

Leverage new tools and capabilities for better security

• Automation and orchestration to provide consistent, measurable tasks
• Tasks should be a “foreach” loop
  • Example PowerShell: foreach ($vmhost in $vmhosts) { <# do task #> }
• Use VMware Orchestrator to limit general access to vCenter to just those functions required to do a job
  • This helps to focus on “out of policy” actions, bringing them to the forefront
• Leverage capabilities of RSA and VMware to provide a secure environment that provides value to the business

Page 39

Looking to the future

• The ability to conclusively “tag” components of the virtual infrastructure, specifically virtual machines
• Leverage Hardware Root of Trust
• Richer information about events from the virtual infrastructure
  • “Mike changed the network settings” is not good enough!
  • What did “Mike” change?
• Not just alert, but take action
  • Automated remediation
  • Dealing with “social engineering” events
• Leverage the new layer of defense in depth to greater use

Page 41

Thank You

http://rsa.com/rsavirtualization