Vmware and Trend Micro Presentation at VSS

1. Security and Compliance for the Cloud
Trevor Gerdes
Systems Engineer
tgerdes@vmware.com
© 2009 VMware Inc. All rights reserved

2. Disclaimer
This session may contain product features that are
currently under development.
This session/overview of the new technology represents
no commitment from VMware to deliver these features in
any generally available product.
Features are subject to change, and must not be included in
contracts, purchase orders, or sales agreements of any kind.
Technical feasibility and market demand will affect final delivery.
Pricing and packaging for any new technologies or features
discussed or presented have not been determined.
“These features are representative of feature areas under development. Feature commitments are
subject to change, and must not be included in contracts, purchase orders, or sales agreements of
any kind. Technical feasibility and market demand will affect final delivery.”
2

3. Agenda
• Overview of compliance and security requirements
• Foundations for virtual security
• Where can VMware help?
• How are our partners are helping?
• Summary
3

4. Agenda
• Overview of compliance and security requirements
• Foundations for virtual security
• Where can VMware help?
• How are our partners are helping?
• Summary
4

5. Compliance vs. Security
Compliance Security
Conforming to a set of Implementing Technical,
rules or standards. This Physical, and
is generally confirmed by Administrative controls to
an assessor providing an provide confidentiality,
opinion based on integrity, availability,
observation, inquiry, and accountability and
inspection. assurance.
5

6. Compliance requirements affecting your customers
 PCI-DSS
 Government regulation
 SOX
 ISO
 Internal
6

7. Why is PCI so Hard for Virtualization?
 Technology changes faster than any standard
(including the PCI DSS)
 PCI applies to all systems “in scope”
 Segmentation defines scope
 The DSS is vendor agnostic
 Most whitepapers are written for security, not compliance
“If network segmentation is in place and will be used to reduce
the scope of the PCI DSS assessment, the assessor must verify
that the segmentation is adequate to reduce the scope of the
assessment.” - (PCI DSS p.6)
7

8. What is “In-scope”
All systems that Store, Process, or Transmit cardholder data, and all
system components that are in or connected to the cardholder data
environment (CDE).
What’s unique in a virtual environment?
Storage Transmission Segmentation
Data that used to reside only in Data that used to physically reside in Defining system boundaries can be
memory could be written to disk one location could now be transmitted more difficult, with virtual firewalls,
(encryption keys, PAN) logically across the network (i.e., virtual switches, VLANs, and High
VMotion, pulling images from a SAN, Availability switches.
storage)
The integrity of data can now be
altered in several locations (i.e., a log Mixed mode environments,
server that is stored as VM on the Authentication controls (how can you multi-tenancy.
ESX host) ensure that authentication systems
cannot be by-passed)
Can all system components in the
SAN – Can VM’s be altered in virtual environment meet ALL PCI
storage? How will you know? What “system components” could be controls?
used to sniff sensitive data?
8

9. Aren’t firewalls required for segmentation?
 QSA’s have historically relied on stateful firewalls for network
segmentation
 PCI allows for “other technology” as an acceptable use of
segmentation
 How do firewalls impact the flow of
data unique to a virtual environment
(VMotion, pulling images from a SAN,
taking “dirty” snapshots)
“Network segmentation can be achieved through internal
network firewalls, routers with strong access control lists or
other technology that restricts access to a particular segment of
a network.” – PCI DSS p. 6
9

10. Why are Virtual Environment Perceived As So Much Harder?
1. System boundaries are not as clear as their non-virtual
counterparts
2. Even the simplest network is rather complicated
3. More components, more complexity, more areas for risk
4. Digital forensic risks are more complicated
5. More systems are required for logging and monitoring
6. More access control systems
7. Memory can be written to disk
8. Many applications and O/S were not designed for Virtualization
9. VM Escape?
10. Mixed Mode environments
10

11. “System Boundaries” are not as Clear as their Non-Virtual
Counterparts
Basic Web Server and Database
Standard Environment Virtual Environment
11

12. Agenda
• Overview of compliance and security requirements
• Foundations for virtual security
• Where can VMware help?
• How are our partners are helping?
• Summary
12

13. Enterprise Security today – not virtualized, not cloud ready
Enterprise VDC
Users DMZ Web Servers Apps / DB Tier
Sites
Perimeter/DMZ Interior security Endpoint security
- Threat Mitigation - Segmentation of - Protecting the Endpoint
- Perimeter security products applications and Server -AV, HIPS agent based
w/ FW/ VPN/ IPS -VLAN or subnet based security
- Hardware Sprawl, policies - Agent Sprawl,
Expensive -VLAN Sprawl, Complex Cumbersome
13

14. Foundations of Virtual Security: Secure Deployment
 VMware Security Hardening
Guides
VMkernel • Being provided for major platform
vnic
vnic
vnic
products
Production Mgmt Storage • vSphere 4.x
vSwitch
• VMware vCloud Director
• View
• Important for architecture and
deployment related controls
vSphere Security Hardening Guide
Prod Mgmt http://www.vmware.com/resources/techresources/10109
Network Network
Other ESX/ESXi IP-based
vCenter hosts Storage
14

15. Foundations of Virtual Security: Securing Virtual Machines
Provide Same Protection
as for Physical Servers
 Guest
• Anti-Virus
• Patch Management
• OS hardening and compliance
 Network
• Intrusion Detection/Prevention
(IDS/IPS)
 Edge
• Firewalls
15

16. Foundations of Virtual Security: Virtual Trust Zones
Firewall / IDS / IPS
virtual appliance(s) Web servers Application servers Database servers
VM VM VM Manage-
VM VM VM
VM VM VM ment
interface
VMkernel
Internet Intranet Web Application Database
ESX/ESXi
Host
vCenter Server
system
Production Management
Internet LAN LAN
16

17. Agenda
• Overview of compliance and security requirements
• Foundations for virtual security
• Where can VMware help?
• How are our partners are helping?
• Summary
17

18. Virtualization Controls for Security
 Network Controls
 Change Control and Configuration Management
 Access Controls & Management
 Vulnerability Management
18

19. vShield - Comprehensive Security for Cloud Infrastructure
In Guest
Defense in Depth from inside the Guest to the Edge of the Cloud
VMVM OrgOrg
vShield Endpoint vShield App vShield Edge
Accreditations and Certifications
Firewall certification in progress H2/2011
19

20. vShield Edge
Secure the Edge of the Virtual Data Center
firewall
Features
• Multiple edge security services in one appliance
Tenant A Tenant X
• Stateful inspection firewall
• Network Address Translation (NAT)
Load balancer • Dynamic Host Configuration Protocol (DHCP)
• Site to site VPN (IPsec)
• Web Load Balancer
• Edge port group isolation
VPN • Detailed network flow statistics for chargebacks, etc
• Policy management through UI or REST APIs
• Logging and auditing based on industry standard
syslog format
20

21. vShield Edge Network Topology
21

22. vShield App/Zones
Application Protection for Network Based Threats
Features
DMZ PCI HIPAA
• Hypervisor-level firewall
• Inbound, outbound connection control applied at
vNIC level
• Elastic security groups - “stretch” as virtual machines
migrate to new hosts
• Robust flow monitoring
• IP Address protection management
• Policy Management
• Simple and business-relevant policies
• Managed through UI or REST APIs
• Logging and auditing based on industry standard
syslog format
22

23. vShield Zones/App Topology
23

24. Customers Trust What They Know – 2 Segment Preferences
“Air Gapped” Pods Mixed Trust Hosts Secure Private Cloud
Network Security
vShield Edge
vShield App
VI Architects
• VI Architects who understand the power of virtualization and introspection expect to
deploy vShield App but want it in Cloud environments in addition to vShield Edge
• IT Security and Network Security see vShield Edge as a natural bridge from what
they know and understand in the physical security world and are looking to find a fit
within their existing mixed trust host and air gapped pods network designs, VLANs, etc.
24

25. vShield Endpoint
Endpoint Security for Virtual Data Centers and Cloud Environments
Improves performance and effectiveness of
existing endpoint security solutions
• Offload of AV functions
• Hardened, security virtual machine
Features
• Offload file activity to Security VM
• Manage AV service across VMs
• Enforce Remediation using driver in VM
• Partner Integrations through EPSEC API
- Trend Micro, Symantec, McAfee
• Policy Management: Built-in or
customizable with REST APIs
• Logging of AV file activity
25

26. Efficient Antivirus as a Service for Virtual Datacenters
 Tighter collaborative effort with leading AV partners
 Hypervisor-based introspection for all major AV functions
• File-scanning engines and virus definitions
offloaded to security VM – scheduled and SVM VM VM VM
realtime
APP APP APP
• Thin file-virtualization driver in-guest >95%+ AV
OS OS OS
reduction in guest footprint (eventually fully
OS Kernel Kernel Kernel
agentless) Hardened BIOS BIOS BIOS
 Deployable as a service
Introspection
• No agents to manage - thin-guest driver to VMware vSphere
be bundled with VMTools
• Turnkey, security-as-service delivery
 Applicable to all virtualized
deployment models – private clouds
(virtual datacenters), public clouds (service
providers), virtual desktops
26

27. vCenter Configuration Manager
 Drive IT Compliance to lower risk
• Ensure compliance with various industry and
regulatory standards on a continuous basis
• Quickly remediate problems
 Mitigate outages through approved change
processes
• Detailed understanding and tracking of changes
• Control change by following your Closed Loop
Change Mgmt Process
Harden your environment and reduce
potential threats and breaches
Compliance Through Unified Patching and
Provisioning
• Provision Linux, Windows and ESX images
• Assess and Patch Windows, UNIX, MAC, etc
 Control your virtual infrastructure
• Fight VM Sprawl & Decommissioning Issues
• Improved Virtual Troubleshooting
• Single Pane of Glass
27

28. Manage & Measure Compliance
Automated & Continuous Enterprise Compliance Posture
 Deep Collection and Visibility SOX HIPAA FISMA
• Virtual and Physical Machines
• Desktops and Servers DISA GLBA ISO 27002
PCI
• Spans a large array or OSs CIS
NERC/
 Built in compliance tool kits NIST PCI DSS
FERC
VMware
• Regulatory
Virtualization Hardening Guidelines
• SOX, HIPAA, GLBA, FISMA, DISA, ISO 27002
• Industry CIS Benchmarks
• PCI DSS
• Security
• NERC/FERC
 CIS Certified Benchmarks
• vSphere Hardening  DISA NIST
• VMware Best Practices  Security Hardening Guides
• CIS Benchmark  Vendor Specific Hardening Guidelines
Dashboards provide “At-a-Glance”
health
28

29. vCenter Application Discovery Manager
• Get and keep a fast and
accurate data center view –
across virtual and physical
• Precise visibility into all
application interactions via
network-based approach
• Eye-opening discovery of
unknown, unwanted, &
unexpected application
behaviors and dependencies
• Application-aware data center
moves & consolidations,
migrations, and DR plans
29

30. Business Application Dependency Mapping
 Provides a detailed and
accurate infrastructure
layout of a given
business application
– Virtual and Physical
servers
– Services
– Interdependencies
 This is first step to
understanding the
business application is to
map out its internal
dependencies
 Required for any major
data center project (i.e.
DR, Migration,
Consolidation)
DB Layer Application
Layers
30

31. Agenda
• Overview of compliance and security requirements
• Foundations for virtual security
• Where can VMware help?
• How are our partners are helping?
• Summary
31

32. Welcome to the stage Trend Micro
32

33. Agenda
• Overview of compliance and security requirements
• Foundations for virtual security
• Where can VMware help?
• How are our partners are helping?
• Summary
33

34. What Compliance Benefits are there for Virtual Environments?
1. Repeatable security
2. Scalable controls
3. Risk aggregation/concentration
4. Improve security without impacting operations
5. Stronger/quicker configuration management
6. More money can be spent on security controls
7. Quickly provision and release with minimal management
8. Faster recovery after an attack
9. Ability to quickly capture and isolate compromised VM’s
34

35. Security Advantages of Virtualization
 Allows Automation of Many Manual Error Prone Processes
 Cleaner and Easier Disaster Recovery/Business Continuity
 Better Forensics Capabilities
 Faster Recovery After an Attack
 Patching is Safer and More Effective
 Better Control Over Desktop Resources
 More Cost Effective Security Devices
 App Virtualization Allows de-privileging of end users
 Better Lifecycle Controls
 Security Through VM Introspection
35

36. Where to Learn More
 Security
• Hardening Best Practices
• Implementation Guidelines
• http://vmware.com/go/security
 Compliance
• Partner Solutions
• Advice and Recommendation
• http://vmware.com/go/compliance
 Operations
• Peer-contributed Content
• http://viops.vmware.com
36

37. Thankyou
Trevor Gerdes – tgerdes@vmware.com
37