1. Solutions for Cloud Security Erin K. Banks, vSpecialist, CISSP, CISA www.commondenial.com @banksek
2. Cloud Computing: enabling convenient, on-demand access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction.
Diagram labels: Federation, Virtualization, Information; Private Cloud, Virtualized Data Center, Internal cloud, External cloud
3. Our Customers Are Asking Themselves
Can I ensure my virtualized business-critical applications are running in a secure and compliant environment?
How do I centrally manage compliance across mixed VMware and physical IT environments?
Can I respond more quickly to security events in my virtual environment?
Can I secure access and information in my VMware View environment?
4. Implications of Challenges
Security and compliance concerns stall the adoption of virtualization
Missing opportunity for “better than physical” security
CISOs need to manage security and compliance across virtual and physical IT
13. Security Tools
SIEM (security information and event management)
Compliance (hardening guidelines)
Encryption
Data Loss Prevention
vShield Zones
Access Control
Network Control
VLANs
Secure Code
…
14. Ionix Control Center; ESM/ADM; IT Compliance Analyzer; Server Config Manager; VMware’s Integration Framework; Avamar; Replication Manager; Networker; Data Protection Advisor; RSA enVision; RSA DLP; RSA eGRC; RSA SecurID; Storage QoS; Virtual Provisioning; Virtual Storage; vCenter; Application APIs; Scalability, Security, Availability; VMware vSphere (vCompute, vStorage, vNetwork, Infrastructure APIs); Cisco UCS; Ultrascale; V-Max; Ultraflex; EFD; Only vendor integrated into all 3 vStorage APIs; PowerPath for VMware; Cisco VN-Link and Nexus family supported by EMC Ionix and EMC RSA; EMC Storage Viewer Plug-in; EMC SRM Failback Plug-in; EMC VDI Plug-in
16. SIEM
Security information and event management tool
Captures event data: audit logs, storage groups, virtual network infrastructure, user and administrative activities
17. VMware Collector for RSA enVision
The VMware Collector uses VMware native APIs to retrieve the logs from vCenter and all ESX/ESXi servers. It can also connect to multiple vCenters!
18. VMware Messages
enVision collects and parses messages from VMware View, VMware vShield and VMware vCloud Director
Over 800 well-described message IDs: vMotion and Storage vMotion, snapshots, user login/logoff, virtual machine operations (e.g. power on/off/reset)
7 taxonomy categories, including authentication, config, policies and system
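To make concrete what “uses VMware native APIs to retrieve the logs from vCenter” means in practice, here is an added example; it is not part of the deck and not RSA’s collector. It uses VMware PowerCLI (which wraps the vSphere API) to pull the login/logoff and virtual machine power events named on slide 18 from vCenter and flatten them to one JSON record per line, the shape a collector forwards to a SIEM. The server name vcenter.example.internal, the 24-hour window and the output file name are assumptions; the event class names are the vSphere API’s own.

```powershell
# Added example (not from the slide deck, not RSA/VMware product code): collect the
# vCenter event classes a SIEM cares about via the vSphere API using PowerCLI.
# Assumptions: PowerCLI is installed, the account has read access to vCenter,
# and 'vcenter.example.internal' is a placeholder server name.
Connect-VIServer -Server 'vcenter.example.internal' | Out-Null

# vSphere API event classes matching the slide's categories:
# user login/logoff (including failed logins) and VM power operations.
$wantedTypes = @(
    'UserLoginSessionEvent',
    'UserLogoutSessionEvent',
    'BadUsernameSessionEvent',   # failed login attempts
    'VmPoweredOnEvent',
    'VmPoweredOffEvent',
    'VmResettingEvent'
)

# Assumed collection window: the last 24 hours.
$since  = (Get-Date).AddHours(-24)
$events = Get-VIEvent -Start $since -MaxSamples 5000 |
    Where-Object { $wantedTypes -contains $_.GetType().Name }

# Flatten each event to the fields a SIEM correlation rule typically keys on.
$records = foreach ($e in $events) {
    [pscustomobject]@{
        Time      = $e.CreatedTime.ToUniversalTime().ToString('o')
        EventType = $e.GetType().Name
        User      = $e.UserName
        SourceIP  = if ($e.PSObject.Properties['IpAddress']) { $e.IpAddress } else { $null }
        Entity    = if ($e.Vm) { $e.Vm.Name } elseif ($e.Host) { $e.Host.Name } else { $null }
        Message   = $e.FullFormattedMessage
    }
}

# One JSON object per line so a forwarder can ship it to the SIEM (or a syslog
# destination) without further parsing. File name is an assumption.
$records | ForEach-Object { $_ | ConvertTo-Json -Compress } |
    Out-File -Encoding utf8 'vcenter-events.jsonl'

# Local triage on the same data: repeated failed logins from one address in the window,
# the kind of pattern a SIEM would alert on from these messages.
$records | Where-Object { $_.EventType -eq 'BadUsernameSessionEvent' } |
    Group-Object SourceIP | Where-Object { $_.Count -ge 5 } |
    Select-Object Name, Count

Disconnect-VIServer -Confirm:$false
```

The filter on event class name rather than on message text is the point: the vSphere API already types each event, so a collector can map classes to taxonomy categories (authentication, VM operations) without regex parsing, and the same mapping holds across every ESX/ESXi host the vCenter manages.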
28. GRC
Governance: setting the rules
Risk: ensuring the correct rules are in place and functioning
Compliance: measuring the effectiveness of the rule; understanding the process used to define the rule; understanding how well people adhere to the rule
30. RSA Archer eGRC Solutions
Policy Management: centrally manage policies, map them to objectives and guidelines, and promote awareness to support a culture of corporate governance.
Audit Management: centrally manage the planning, prioritization, staffing, procedures and reporting of audits to increase collaboration and efficiency.
Risk Management: identify risks to your business, evaluate them through online assessments and metrics, and respond with remediation or acceptance.
Business Continuity Management: automate your approach to business continuity and disaster recovery planning, and enable rapid, effective crisis management in one solution.
Compliance Management: document your control framework, assess design and operational effectiveness, and respond to policy and regulatory compliance issues.
Threat Management: track threats through a centralized early warning system to help prevent attacks before they affect your enterprise.
Enterprise Management: manage relationships and dependencies within your enterprise hierarchy and infrastructure to support GRC initiatives.
Vendor Management: centralize vendor data, manage relationships, assess vendor risk, and ensure compliance with your policies and controls.
Incident Management: report incidents and ethics violations, manage their escalation, track investigations and analyze resolutions.
31. RSA Solution for Cloud Security and Compliance v1.0
What’s New: over 100 VMware-specific controls added to the Archer library, mapped to regulations/standards
What’s New: RSA Securbook
Workflow: Discover VMware infrastructure; Define security policy; Manual and automated configuration assessment; Manage security incidents that affect compliance; Remediation of non-compliant controls (diagram labels: Prevent, Respond)
What’s New: RSA enVision collects, analyzes and feeds security incidents from RSA, VMware and ecosystem products to inform Archer dashboards (e.g. DLP, VMware vShield and vCD, HyTrust, Ionix, etc.)
RSA Archer eGRC
What’s New: new solution component automatically assesses VMware configuration and updates Archer
32. RSA Archer: Mapping VMware security controls to regulations and standards
Authoritative Source (regulations such as PCI-DSS): “10.10.04 Administrator and Operator Logs”
Control Standard (generalized security controls): “CS-179 Activity Logs – system start/stop/config changes etc.”
Control Procedure (technology-specific control): “CP-108324 Persistent logging on ESXi Server”
Diagram labels: VI Admin, CxO
36. Automated Assessment via PowerCLI
Automatically discover and assess VMware infrastructure via PowerCLI. VMware objects (ESX hosts, vSwitches, etc.) are automatically populated into Archer and then mapped to control procedures. Over 40% are automatically assessed via PowerCLI and the results fed into Archer for reporting and remediation.
RSA Archer eGRC
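The following is an added example of what an automated PowerCLI assessment looks like end to end; it is not the RSA solution component and not code from the deck. It checks two ESXi hardening settings across every host in a vCenter and expresses each result as a control-procedure record of the kind a GRC tool would import: CP-108324 “Persistent logging on ESXi Server” (the control procedure shown on slide 32) and a standard vSwitch security-policy check whose control ID is a placeholder because the deck does not name one. The server name vcenter.example.internal and the output CSV name are assumptions; the PowerCLI cmdlets and the advanced-setting names are real.

```powershell
# Added example (not RSA's assessment component, not from the slides): assess two
# ESXi hardening settings with PowerCLI and emit one control-procedure record per
# host/object, ready for import into a GRC tool.
# Assumptions: PowerCLI installed, read access to vCenter, placeholder server
# name, and placeholder control ID for the vSwitch check (only CP-108324 is on the slide).
Connect-VIServer -Server 'vcenter.example.internal' | Out-Null

function New-ControlResult {
    param($HostName, $ControlId, $Control, $Compliant, $Evidence)
    [pscustomobject]@{
        AssessedAt = (Get-Date).ToUniversalTime().ToString('o')
        Host       = $HostName
        ControlId  = $ControlId
        Control    = $Control
        Status     = if ($Compliant) { 'Compliant' } else { 'Non-Compliant' }
        Evidence   = $Evidence   # raw values kept so an auditor can re-verify
    }
}

$results = foreach ($vmhost in Get-VMHost) {
    # CP-108324 Persistent logging on ESXi Server: logs must go to an explicit
    # datastore path ("[datastore] /path") and/or a remote syslog host, so they
    # survive a reboot and an attacker cannot erase them by resetting the host.
    $logDir  = (Get-AdvancedSetting -Entity $vmhost -Name 'Syslog.global.logDir').Value
    $logHost = (Get-AdvancedSetting -Entity $vmhost -Name 'Syslog.global.logHost').Value
    $persistent = ($logDir -match '^\[.+\]') -or -not [string]::IsNullOrWhiteSpace($logHost)
    New-ControlResult $vmhost.Name 'CP-108324' 'Persistent logging on ESXi Server' $persistent `
        "logDir=$logDir; logHost=$logHost"

    # Placeholder control ID: each standard vSwitch should reject promiscuous mode,
    # MAC address changes and forged transmits (a common hardening-guideline item).
    foreach ($vswitch in Get-VirtualSwitch -VMHost $vmhost -Standard) {
        $policy = Get-SecurityPolicy -VirtualSwitch $vswitch
        $ok = -not ($policy.AllowPromiscuous -or $policy.MacChanges -or $policy.ForgedTransmits)
        New-ControlResult $vmhost.Name 'CP-PLACEHOLDER-VSWITCH' "vSwitch security policy ($($vswitch.Name))" $ok `
            "Promiscuous=$($policy.AllowPromiscuous); MacChanges=$($policy.MacChanges); ForgedTransmits=$($policy.ForgedTransmits)"
    }
}

# Export everything for the GRC import (file name assumed) and print the
# failures, which is the remediation work list.
$results | Export-Csv -NoTypeInformation -Path 'vmware-control-assessment.csv'
$results | Where-Object Status -eq 'Non-Compliant' |
    Format-Table Host, ControlId, Control, Evidence -AutoSize

Disconnect-VIServer -Confirm:$false
```

Each record carries the evidence values, not just a pass/fail flag, so the same run serves reporting (the status column) and remediation (the evidence tells the administrator exactly which setting to change); a check that the 40% figure on the slide refers to is any control whose evidence can be read this way, while controls that depend on process or documentation stay manual.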
42. Making Archer the Best GRC Solution for Hybrid Clouds: Assessing Service Provider Compliance
RSA Solution for Cloud Security and Compliance aligns with CSA Consensus Assessment Questions by automating 195 questions that customers can issue to assess cloud service providers.
Cloud Security Alliance’s 13 domains of focus for cloud computing: Cloud Architecture; Governance and Enterprise Risk Management; Legal and Electronic Discovery; Compliance and Audit; Information Lifecycle Management; Portability and Interoperability; Security, Business Continuity and Disaster Recovery; Data Center Operations; Incident Response, Notification, Remediation; Application Security; Encryption and Key Management; Virtualization; Identity and Access Management
49. vShield Products: Securing the Private Cloud End to End, from the Edge to the Endpoint
vShield App and Zones: create segmentation between enclaves or silos of workloads (security zone)
vShield Edge: secure the edge of the virtual datacenter
vShield Endpoint: offload anti-virus processing (endpoint = VM)
vShield Manager: centralized management
Diagram labels: DMZ, Application 1, Application 2, VMware vSphere
Based on our primary research during discussions with customers like you, our customers are asking themselves these questions. Four basic questions:
1) Can I virtualize my Tier 1 applications and make sure that they are secure?
2) How do I really manage compliance across both a physical and virtualized environment?
3) How quickly can I respond to security events in my physical and virtual data center?
4) How can I secure access and information in my virtualized environment?
All virtualization platforms are not the same. As you move to adopt virtual infrastructure solutions to reduce costs and improve IT operations, make sure you understand the security implications of virtualization technology and the platform you choose. VMware offers the most robust and secure virtualization platform available. Separate fact from fiction when it comes to virtualization and IT security; understand the most significant ways in which virtualization affects security; find resources as well as the latest news on virtualization security.
VMware offers secure and robust virtualization solutions for virtual data centers and cloud infrastructures, and has both the technology and the processes to ensure that this high standard is maintained in all current and future products. VMware virtualization gives you:
Secure architecture and design: based on its streamlined and purpose-built architecture, vSphere is considered by experts to be the most secure virtualization platform.
Third-party validation of security standards: VMware has validated the security of our software against standards set by Common Criteria, NIST and other organizations.
Proven technology: more than 250,000 customers, including all of the Fortune 100 as well as military and government installations, trust VMware to virtualize their mission-critical applications. The NSA is one of VMware’s customers!
Today most security is enforced as an add-on to the OS or the application, making it ineffective, inconsistent and complex. Pushing information security enforcement into the virtualization and cloud infrastructure ensures consistency, simplifies security management and enables customers to surpass the levels of security possible in today’s physical infrastructures by making security SEAMLESS. You won’t need to sacrifice security, control or compliance on your journey to the cloud or virtualization. With the VMware vShield family and the RSA product line security solutions, you get virtualization-aware protection that adapts to dynamic cloud environments, making it “better-than-physical.” Reduce the complexity of endpoint, application and edge network security by improving visibility and accelerating compliance, all within a single framework.
The future direction for the RSA Cloud Solution for Security and Compliance will make Archer the best GRC solution for hybrid clouds, using the same tool that is used widely to manage risk and compliance across the enterprise. RSA offers one additional differentiator today, as we are first to market with this feature, which helps customers assess cloud service providers. The Cloud Security Alliance is a not-for-profit organization that is producing leading guidance about best practice in cloud computing and has produced a checklist for potential users of such services. Its membership comprises RSA plus both vendors and enterprises from over 20 major companies. RSA’s Cloud Solution aligns with the CSA Assessment Questions (part of the CSA GRC Stack) by using Archer’s questionnaire workflow to help customers automate the process of asking cloud service providers the 195 CSA questions covering the most critical components of a service provider’s offering, from business and legal processes to technical infrastructure best practices. This will help customers assess, against industry-established best practices, standards and critical compliance requirements, which hybrid and public cloud service providers best fit their needs.
vCloud Infrastructure: underlying vSphere; vCloud-specific
Resource Sharing: ensure isolation
Logging and Monitoring: watch for anomalies and violations
User Management
For vSphere-based environments, vShield solutions provide capabilities to secure the edge of the vDC, protect virtual applications from network-based threats, and streamline antivirus protection for VMware View deployments by offloading AV processing to dedicated security VMs. These new product offerings can start securing infrastructure almost immediately, since all the underlying compute resources are already present in the vSphere environment. The same solutions in the traditional security model would have taken months to authorize and provision in the physical data center.
So what is vShield Edge, and how is it LIKE what you’ve already seen in the physical data center? The solution provides a virtual appliance with the following capabilities:
DHCP: to automate IP address assignment to virtual machines in the vDC
NAT: network address translation to mask private IP addresses in the vDC when they send traffic to untrusted networks
Firewall: inbound and outbound connection control based on source/destination IP address and application port
Site-to-site VPN: to encrypt traffic between vDCs to allow for confidentiality between organizations or partner extranets
Web load balancer: actually load balancing based on IP address, but in practice, since over 70% of server virtualization is for the web tier, organizations use load balancing for HTTP/S traffic
And for each vSphere host, the virtual network can be carved up just as a physical network can be carved up using VLANs. This “Network Isolation” keeps traffic within the organization contained within a single port group.
But while there are similarities with security in the physical world, there are key differences, and benefits, to vShield Edge over the alternatives:
1. No additional hardware: the virtual appliance with all the aforementioned edge features is provisioned using existing vSphere resources
2. No complicated VLAN rules: network isolation is enforced at the hypervisor layer, not requiring VLAN-enabled switches
3. Rapid and scalable provisioning: each ‘tenant’ gets their edge security virtually on demand, rather than through some complicated change management process which would require budget and rack space for new edge security hardware
4. Centralized management and logging: with traditional security, each point solution would require its own management interface and logging infrastructure. With vShield, all policy management is done from one interface and logs are written in syslog format to a single location. Demonstrating compliance is a breeze.
Offload anti-virus processing
Tighter collaborative effort with leading AV partners
Hypervisor-based introspection for all major AV functions
File-scanning engines and virus definitions offloaded to the security VM, scheduled and real-time
Thin file-virtualization driver in-guest; over 95% reduction in guest footprint (eventually fully agentless)
Deployable as a service
No agents to manage: thin guest driver bundled with VMware Tools (est. vSphere 4.1 U1)
Turnkey, security-as-a-service delivery
Applicable to all virtualized deployment models: private clouds (virtual datacenters), public clouds (service providers), virtual desktops