VMworld 2013: VMware Compliance Reference Architecture Framework Overview

Jerry Breaud, VMware; Allen Shortnacy, VMware. Session SEC5428 (#SEC5428).

Learn more about VMworld and register at http://www.vmworld.com/index.jspa?src=socmed-vmworld-slideshare

Transcript of VMworld 2013: VMware Compliance Reference Architecture Framework Overview

Page 1: VMworld 2013: VMware Compliance Reference Architecture Framework Overview

VMware Compliance Reference Architecture

Framework Overview

Jerry Breaud, VMware

Allen Shortnacy, VMware

SEC5428

#SEC5428

Page 2

Agenda

VMware Compliance Reference Architecture Framework

Compliance Reference Architecture Methodology

NSX Service Composer for Compliance Architectures

Network Virtualization

NSX Network Services

Other VMware Product Capabilities Relative to Compliance

Summary

Next Steps VMworld and Beyond

Page 3

Competing Concerns – Pick Any 2

“Are you getting the maximum efficiency out of your infrastructure?”

“How quickly can IT respond to LOB requests?”

• Legislative Compliance
• Security – Corp Assets & IP
• Risk Reduction
• SLAs & Business Continuity

Page 4

Security & Compliance Influence Design of the SDDC

Regulations, Standards, Best Practices
  → Common Control Frameworks
  → Infrastructure Requirements: Access Control, Segmentation, Remediation, Automation, Policy Management, Audit
  → Reference Architectures (for example a PCI Zone on VMware vSphere)

Page 5

VMware Compliance Reference Architectures

Reference architectures are produced together with VMware Partners and Auditors, in three steps:
Product Applicability → Architecture Design → Auditor Validated Reference Architecture

Page 6

Technology Solution Categories Mapped to Regulations

The slide is a matrix: each of the 18 solution categories below is marked against ISO, PCI, HIPAA, SANS, CSA, FISMA (Low / Moderate / High) and FedRAMP (Low / Moderate). Only the two right-hand columns, the PCI DSS requirement numbers and the NIST SP 800-53 control IDs, survived extraction.

Common Required Technical Security Solutions:

1. VAM – Vulnerability Assessment and Management. Identify and track vulnerabilities. PCI 6.2, 6.5, 6.6, 11.2; NIST RA-5
2. PT – Penetration Testing. Validate vulnerabilities. PCI 11.3; NIST CA-2
3. SIEM (written “SEIM” on the slide) – Security Event Information Monitoring. Log and correlate environment data. PCI 10, A.1.3; NIST SI-4, AU-2/3/6/10/12
4. IPS – Intrusion Prevention System. Identify attacks. PCI 11.4; NIST SI-3, SI-4
5. FIM – File Integrity Monitoring. Identify changed files. PCI 11.5; NIST SI-7
6. 2FA – Two Factor Authentication. Authenticate users. PCI 8.3; NIST IA-2
7. IdM – Identity Management. Provision and deprovision users. PCI 8.1, 8.2, 8.5.1; NIST IA-4
8. AAA – Authentication, Authorization, Accounting (3A). Identity interaction non-repudiation. PCI 7, 8.5; NIST IA-5, AC-3
9. FW – Network (N) and Host (H) Firewall. Segment and protect networks. PCI 1; NIST SC-7
10. AV – Server and Endpoint Antivirus. Protect against malware. PCI 5; NIST SI-3
11. BU – System Backups. Systems survivability. PCI 10.5.3, 12.9.1; NIST CP-9
12. DARE – Data At Rest Encryption. Protect data. PCI 3.4, 3.5, 3.6; NIST SC-12/13/28, IA-7
13. DIME – Data In Motion Encryption. Protect data. PCI 2.3, 4, 8.4; NIST SC-9/12/13, IA-7
14. DBM – Database Monitoring. Protect database environment. PCI 10, A.1.3; NIST SI-4
15. CM – Configuration Management. Protect infrastructure. PCI 2.1, 2.2; NIST SI-2, SA-10, CM-1/2/6
16. PM – Patch Management. Protect infrastructure. PCI 6.1; NIST CM-2, SI-2
17. WAF* – Web Application Firewall. Protect user services. PCI 6.6; NIST SI-3, SI-4, SC-7
18. DLP** – Data Leakage Protection. Identify sensitive data. (no requirement cited)

* Specifically called out in some authorities and an implied control in others. Highly recommended where the Internet will be the primary use case.

** Not specifically called out in any authority.

Note: the identifiers are PCI DSS v2.0 requirement numbers and NIST SP 800-53 Rev 3 control IDs, the versions current when this session was given in 2013. PCI DSS v3.0 renumbered several of them (the 8.x user identification items among others), and 800-53 Rev 4 withdrew SC-9 and folded transmission confidentiality into SC-8, so re-check the mapping against the version your assessor works from.

Page 7

Technology Solution Categories

• DLP
• Encryption
• BC/DR
• Anti Virus / Endpoint Protection
• Firewall
• AAA
• Identity and Access
• 2 Factor AuthN
• File Integrity Monitoring
• IPS/IDS
• SIEM
• Penetration Testing
• Vulnerability Assessment
• Patch Management
• Config Management
• DB/App Monitor

Page 8

Compliance Use Cases

• Remediation
• Automation
• Audit Policy
• Privileged User Control
• Segmentation

Page 9

Compliance Regulations

HIPAA, HITECH, FISMA, FedRAMP, NERC, FINRA, FFIEC, PCI DSS

Page 10

Compliance Reference Architecture Methodology

Dynamic Composition with Line of Sight

• Regulatory Specificity for Audit

• Regulation Independent Use Case Controls

• Technology Partner Choice

• Process Methodology for Delivery and Maturity

Page 11

Compliance Challenges: Many Systems - Dashboards of Wonder

Each control comes with its own console: Vulnerability Mgmt System, Antivirus System, Firewall, vCenter, IDS System, DLP System.

Page 12

VMware NSX

Logical Switch
• No multicast requirement
• Bridge Physical - Virtual

Logical Router
• Distributed L3
• Perimeter Routing

Logical Firewall
• Distributed & Line Rate
• Identity Aware

Logical Load Balancer
• GSLB & L7 LB
• SSL Termination

Logical VPN
• Site-to-Site
• Remote Access Gateway

Platform: NSX API, NSX Controller, NSX vSwitch (vDS on ESXi), NSX Service Composer, Extensibility; runs over any network hardware.

Page 13

NSX Service Composer

Security services can now be consumed more efficiently in the software-defined data center.

Apply. Apply and visualize security policies for workloads, in one place.

Automate. Automate workflows across different services, without custom integration.

Provision. Provision and monitor uptime of different services, using one method.

Page 14

Concept – Apply Policies to Workloads

Security Groups – WHAT you want to protect: Members (VM, vNIC…) and Context (user identity, security posture).

Security Policies – HOW you want to protect it: Services (Firewall, antivirus…) and Profiles (labels representing specific policies).

APPLY: Define security policies based on service profiles already defined (or blessed) by the security team. Apply these policies to one or more security groups where your workloads are members.
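The WHAT / HOW / APPLY model on this slide, together with the segmentation and remediation use cases listed on page 8, as an added Python model written for this transcript. It is not VMware code and does not call the NSX API; the ServiceComposer class, the group and policy names, the tag strings and the `av.virus_found` tag an antivirus partner service is assumed to set are all hypothetical. What it demonstrates is the property that matters to an auditor: rules bind to group membership (object name or security tag), not to addresses, so a workload keeps its policy when its IP changes and is isolated the moment a service tags it, without any VLAN or rule edit.

```python
# Toy model of the Service Composer concept (groups = WHAT, policies = HOW, APPLY).
# Illustrative code written for this page; not VMware's API. Names are hypothetical.
from dataclasses import dataclass, field

# Hypothetical security tag an antivirus partner service sets on an infected VM.
AV_INFECTED_TAG = "av.virus_found"


@dataclass
class VM:
    name: str
    ip: str
    tags: set = field(default_factory=set)   # context carried by the VM object


@dataclass
class SecurityGroup:
    """WHAT to protect: membership by object name or by tag, never by IP or VLAN."""
    name: str
    match_tags: set = field(default_factory=set)
    static_members: set = field(default_factory=set)

    def contains(self, vm: VM) -> bool:
        return vm.name in self.static_members or bool(self.match_tags & vm.tags)


@dataclass
class FirewallRule:
    action: str        # "allow" or "block"
    service: str       # "tcp/443", "tcp/1433" or "any"
    source: str        # security group name or "any"
    destination: str   # security group name or "any"


@dataclass
class SecurityPolicy:
    """HOW to protect: firewall rules plus guest services bundled as one profile."""
    name: str
    weight: int                                   # higher weight is evaluated first
    firewall_rules: list = field(default_factory=list)
    guest_services: set = field(default_factory=set)
    applied_to: set = field(default_factory=set)  # APPLY: security group names


class ServiceComposer:
    def __init__(self):
        self.groups, self.policies = {}, {}

    def add_group(self, g: SecurityGroup):
        self.groups[g.name] = g

    def add_policy(self, p: SecurityPolicy):
        self.policies[p.name] = p

    def groups_for(self, vm: VM) -> set:
        return {n for n, g in self.groups.items() if g.contains(vm)}

    def policies_for(self, *vms: VM) -> list:
        involved = set().union(*(self.groups_for(v) for v in vms))
        return sorted((p for p in self.policies.values() if p.applied_to & involved),
                      key=lambda p: -p.weight)

    def guest_services_for(self, vm: VM) -> set:
        return set().union(*(p.guest_services for p in self.policies_for(vm)))

    def evaluate_flow(self, src: VM, dst: VM, service: str) -> tuple:
        """First matching rule wins, highest-weight policy first; default is block."""
        sg, dg = self.groups_for(src), self.groups_for(dst)
        for p in self.policies_for(src, dst):
            for r in p.firewall_rules:
                if ((r.source == "any" or r.source in sg)
                        and (r.destination == "any" or r.destination in dg)
                        and r.service in ("any", service)):
                    return r.action, p.name
        return "block", "default"


def build_composer() -> ServiceComposer:
    """A PCI zone policy plus a quarantine policy that outranks it by weight."""
    sc = ServiceComposer()
    sc.add_group(SecurityGroup("PCI-Web", match_tags={"pci.web"}))
    sc.add_group(SecurityGroup("PCI-DB", match_tags={"pci.db"}))
    sc.add_group(SecurityGroup("Quarantine", match_tags={AV_INFECTED_TAG}))
    sc.add_policy(SecurityPolicy("PCI-Zone", weight=100, applied_to={"PCI-Web", "PCI-DB"},
        guest_services={"antivirus", "file-integrity-monitoring"},
        firewall_rules=[FirewallRule("allow", "tcp/443", "any", "PCI-Web"),
                        FirewallRule("allow", "tcp/1433", "PCI-Web", "PCI-DB"),
                        FirewallRule("block", "any", "any", "PCI-DB")]))
    sc.add_policy(SecurityPolicy("Quarantine", weight=1000, applied_to={"Quarantine"},
        firewall_rules=[FirewallRule("block", "any", "any", "Quarantine"),
                        FirewallRule("block", "any", "Quarantine", "any")]))
    return sc


def run_scenario() -> dict:
    """Constructed scenario: segmentation, a vMotion/re-IP, then AV-driven remediation."""
    sc = build_composer()
    client = VM("laptop", "10.0.9.10")            # untagged, member of no group
    web1 = VM("web1", "10.0.1.10", {"pci.web"})
    db1 = VM("db1", "10.0.2.10", {"pci.db"})
    out = {"client_to_web_https": sc.evaluate_flow(client, web1, "tcp/443"),
           "client_to_db_sql": sc.evaluate_flow(client, db1, "tcp/1433"),
           "web_to_db_sql": sc.evaluate_flow(web1, db1, "tcp/1433"),
           "web_services": sc.guest_services_for(web1)}
    web1.ip = "10.0.5.77"                          # moved: policy follows the object
    out["web_to_db_after_move"] = sc.evaluate_flow(web1, db1, "tcp/1433")
    web1.tags.add(AV_INFECTED_TAG)                 # AV service tags the VM as infected
    out["web_groups_after_tag"] = sc.groups_for(web1)
    out["web_to_db_quarantined"] = sc.evaluate_flow(web1, db1, "tcp/1433")
    out["client_to_web_quarantined"] = sc.evaluate_flow(client, web1, "tcp/443")
    return out


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k}: {v}")
```

The quarantine policy has the higher weight, so its block rules are evaluated before the PCI zone's allow rules; that ordering is what makes a tag-driven group change an immediate isolation rather than a ticket to edit firewall rules.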

Page 15

Extend Platform to Best of Breed Services

Service categories in the Software Defined Data Center:
• Anti-Virus (AV), Anti-Malware
• Application Delivery Controller (ADC)
• Application Whitelisting
• Application Firewall
• Data Loss Prevention (DLP)
• Encryption
• File Integrity Monitoring (FIM)
• Firewall (Host/Network)
• Identity and Access Management
• Intrusion Detection/Prevention System (IDS/IPS)
• Load Balancer
• Network Forensics
• Network Gateway (VXLAN)
• Network Port Profile
• Network Switch
• Policy and Compliance Solution
• Security Intelligence and Event Management (SIEM)
• User Access Control (closest to our SAM)
• Vulnerability Management
• WAN Optimizer
• Web Filter

Properties of virtual services:
• Programmatic provisioning
• Place any workload anywhere
• Move any workload anywhere
• Decoupled from hardware
• Operationally efficient

Page 16

NSX Integrated Partners

NSX Controller & NSX Manager expose the NSX API to Partner Extensions and to Cloud Management Platforms. Partner security services: L2 Gateway, Firewall, ADC/LB, IDS/IPS, AV/FIM, Vulnerability Management.

Page 17

Solution Categories

Category – examples given on the slide:
• CMP – vCD, vCAC, etc.
• Automation – vCO, Scripts, etc.
• API – REST, Java, .NET
• NW Iso – VXLAN, NAT
• Firewall – TCP, Identity
• VPN – IPsec, SSL
• DLP – At Rest, Wire
• Priv User – AAA, Session Recording, Network Activity Monitoring
• AV – Malware, Whitelist
• FIM – Config Files, Registry
• IPS/IDS – Monitor, Prevent, Report
• Vulnerability – Penetration Testing
• Next Gen FW – App Aware, Fine Grained App Layer IPS
• Encryption – VMFS, VMDK, OS
• Configuration Management – Patching
• SIEM – Syslog, Event Correlation, Logging

The slide colour-codes each row by consumption model (NSX Service Composer, NSX Enabled, Platform (Future NSX Enabled), Extensibility) and by who delivers it (VMware, VMware & Platform Partner, NSX Enabled Partner, VMware + Customer/3rd Party/Open Src, Platform Partner). That colour coding did not survive extraction.

Page 18

The Network is a Barrier to Software Defined Data Center

Compute virtualization runs on any physical infrastructure, but the network beneath it:
• Provisioning is slow
• Placement is limited
• Mobility is limited
• Hardware dependent
• Operationally intensive

Software Defined Data Center: software-defined datacenter services delivered per VDC.

Page 19

Network and Security Virtualization Must…

1. Decouple – physical from virtual: hardware independence
2. Reproduce – no change to the network from the end host perspective
3. Automate – operational benefits of virtualization: Network Operations become Cloud Operations

Page 20

(Repeat of the VMware NSX overview slide on page 12.)

Page 21

Logical Switching and Routing

Before
• Tightly coupled with physical networks
• Hairpins and bottlenecks reduce performance and scale

With NSX
• Completely decoupled from hardware – Dynamic routing, no Multicast
• Line rate performance with distributed scale out architecture
• Connect existing networks with logical networks – L2 bridging

Benefits
• Speed of provisioning applications across racks, rows or data centers (up to Metro distances)
• Enable higher server utilization, leverage existing physical network, only require basic IP hardware for future purchases
• Create on demand networks to meet application needs

[Figure: logical routing across racks with dynamic routing at each tier; a physical workload bridged into the logical network]

Page 22

Logical Load Balancing

Before
• Physical appliances are costly and create bottlenecks
• Rigid architectures tie the application down

With NSX
• Cloud level feature set for SLB and GSLB with full HA
• TSAM with enhanced health checks, connection throttling and CLI
• Simplified Deployment in one-armed or inline mode

Benefits
• On demand LB services for any application enabling speedy deployment
• Pay as you go model for services
• Manage multiple LB instances with centralized management

[Figure: logical network with a logical load balancer in front of Web1a, Web1b and Web1c]

Page 23

Logical VPN

Before
• VPN Concentrators become bottlenecks and chokepoints

With NSX
• Per Tenant VPN appliance when needed
• High Performance – hardware acceleration for IPSec and SSL
• Site-2-Site, Client and Cloud VPN extends Corporate LAN

Benefits
• Network can be extended when needed for different use cases
• No investment needed in large VPN Concentrators upfront

[Figure: logical VPN extending the corporate LAN to a public cloud]

Page 24

NSX Next Generation Firewall

Before
• Scale out architecture “bolted-on” to L3 with limited performance
• Limited visibility and control unless hair-pinning (E/W) to L3
• Error prone, static VLANs and IP/port based policies

With NSX
• Massive scale and line rate performance
• Virtualization and identity context
• Centralized management across entire Datacenter

Benefits
• Simplified operations – single policy definition

[Figure: Physical View of Web/App/DB servers and users on “skinny VLANs” versus the VMware Logical View built on business and virtual context]

Page 25

vCenter Infrastructure Navigator Capabilities

Automated discovery and dependency mapping: speedy and accurate discovery and dependency mapping of application services across virtual infrastructure and adjoining physical servers one hop away, with rapid updates that keep mapping information up-to-date.

Page 26

NSX Data Security

Visibility Into Sensitive Data to Address Regulatory Compliance

Overview
• Runs on the cloud infrastructure (vSphere, vCenter, vShield, vCloud Director)
• More than 80 pre-defined templates for country/industry specific regulations
• Accurately discover and report sensitive data in unstructured files with analysis engine
• Segment off VMs with sensitive data in separate trust zones

Benefits
• Quickly identify sensitive data exposures
• Reduce risk of non-compliance and reputation damage
• Improve performance by offloading data discovery functions to a virtual appliance

Page 27

vShield Endpoint Partners

[Figure: VMware vSphere Introspection. A hardened-OS security virtual machine (SVM) running the partner AV engine inspects each guest VM (APP / OS Kernel / BIOS) through the hypervisor introspection interface]

Page 28

vCenter Operations and Log Insight

Machine Data comprises:
• Structured Data – vCenter Operations
• Unstructured Data – Log Insight

Log Insight and vCenter Operations together provide a complete solution for Cloud Operations Management.

Page 29

vCenter Operations Configuration Manager

Harden the VMware Infrastructure
• Harden the configuration for ESX, network, storage, etc.
• Harden the vSphere guest VM settings
• Harden vCD/vCenter settings

Harden the Guest OS
• Physical and Virtual; Desktop and Servers; Win, UNIX, Mac

[Figure: VMware vSphere + vCenter with ESX hardening across Cluster A and Cluster B; Virtual Datacenter 1 (PCI – PoS, PCI Zone) and Virtual Datacenter 2 (Non-PCI Zone), assessed against Vendor Hardening Guidelines, CIS Benchmarks, FISMA, HIPAA, SOX, NERC/FERC, NIST, ISO 27002, GLBA, DISA and PCI DSS]

Page 30

Applicability to PCI Requirements

PCI Requirement – Products
1. Install/maintain a firewall configuration to protect cardholder data – vSphere, NSX App/Edge, VIN
2. Don’t use defaults for system passwords/security parameters – ESXi, vCenter, VCM, NSX
3. Protect stored cardholder data – NSX, VCM
4. Encrypt transmission of cardholder data on public networks – NSX Edge
5. Use and regularly update anti-virus software or programs – vShield Endpoint + Partners
6. Develop and maintain secure systems and applications – vSphere, NSX, VIN, VCM, VUM
7. Restrict access to cardholder data by business need to know – vSphere, NSX, VCM
8. Assign a unique ID to each person with computer access – ESXi, vSphere, NSX, VCM
9. Restrict physical access to cardholder data – (no product listed; a physical/process control)
10. Track and monitor all access to network resources/cardholder data – vSphere, NSX, VIN, VCM, Log Insight
11. Regularly test security systems and processes – VIN, VCM
12. Maintain a policy that addresses information security – (no product listed; a policy/process control)
A1. Shared hosting providers must protect the cardholder data – vSphere, NSX, vCD, VCM

This table shows applicability, not compliance: a listed product supports a requirement only as configured and operated in the cardholder data environment, and the assessor scores the implemented control rather than the product.

Page 31

Competing Concerns – Take All 3!

“Are you getting the maximum efficiency out of your infrastructure?”

“How quickly can IT respond to LOB requests?”

• Legislative Compliance
• Security – Corp Assets & IP
• Risk Reduction
• SLAs & Business Continuity

Page 32

Summary – Key Takeaways

• VMware, its Technology Partners and Audit Partners are working to validate reference architectures pertaining to mainstream regulations
• Guidance is intended to educate SDDC architects, Information Risk personnel and Auditors involved in customer environments
• Best practices for VMware and Technology Partner products, their configurations and usage in order to meet regulatory controls
• VMware Compliance Reference Architectures will evolve to support new versions of products and the regulations themselves

Page 33

VMworld: Security and Compliance Sessions

NSX
• 5318: NSX Security Solutions In Action (201)
• 5753: Dog Fooding NSX at VMware IT (201)
• 5828: Datacenter Transformation (201)
• 5582: Network Virtualization across Multiple Data Centers (201)

NSX Firewall
• 5893: Economies of the NSX Distributed Firewall (101)
• 5755: NSX Next Generation Firewalls (201)
• 5891: Build a Collapsed DMZ Architecture (301)
• 5894: NSX Distributed Firewall (301)

NSX Service Composer
• 5749: Introducing NSX Service Composer (101)
• 5750: NSX Automating Security Operations Workflows (201)
• 5889: Troubleshooting and Monitoring NSX Service Composer (301)

Compliance
• 5428: Compliance Reference Architecture Framework Overview (101)
• 5624: Accelerate Deployments – Compliance Reference Architecture (Customer Panel) (201)
• 5253: Streamlining Compliance (201)
• 5775: Segmentation (301)
• 5820: Privileged User Control (301)
• 5837: Operational Efficiencies (301)

Other
• 5589: Healthcare Customer Case Study: Maintaining PCI, HIPAA and HITECH Compliance in Virtualized Infrastructure (Catbird – Jefferson Radiology)
• 5178: Motivations and Solution Components for enabling Trusted Geolocation in the Cloud - A Panel discussion on NIST Reference Architecture (IR 7904) (Intel and HyTrust)
• 5546: Insider Threat: Best Practices and Risk Mitigation techniques that your VMware based IaaS provider better be doing! (Intel)

Page 35

Other VMware Activities Related to This Session

Hands-On Labs (HOL):
• HOL-SDC-1315 – vCloud Suite Use Cases - Control & Compliance
• HOL-SDC-1317 – vCloud Suite Use Cases - Business Critical Applications
• HOL-PRT-1306 – Compliance Reference Architecture - Catbird, HyTrust and LogRhythm

Group Discussions:
• SEC1002-GD – Compliance Reference Architecture: Integrating Firewall, Antivirus, Logging and IPS in the SDDC with Allen Shortnacy

SEC5428

Page 36

THANK YOU

Page 38

VMware Compliance Reference Architecture

Framework Overview

Allen Shortnacy, VMware

SEC5428

#SEC5428