Securing the Journey to a Private Cloud
Rashmi Tarbatt, Chief Security Architect EMEA

Upload: ipexpo-online

Post on 20-Aug-2015

Category: Technology

TRANSCRIPT

Page 1: Secure the Journey to the Private Cloud

Securing the Journey to a Private Cloud

Rashmi Tarbatt

Chief Security Architect EMEA

Page 2: Secure the Journey to the Private Cloud

Cloud Computing by NIST and VMware

Cloud is a way of doing computing

[Diagram labels: Cloud Service Providers, Enterprises, Bridging]

Hybrid Cloud: Composition of 2 or more interoperable clouds, enabling data and application portability

Public Cloud: Accessible over the Internet for general consumption

Private Cloud: Operated solely for an organization, typically within the firewall

Cloud Computing is an approach to computing that leverages the efficient pooling of on-demand, self-managed virtual infrastructure, consumed as a service.

Page 3: Secure the Journey to the Private Cloud

Voice of the Customer

Business Objective (CISO):

Manage risk and compliance while going from IT production to business production

Business Objective (CIO):

Accelerate/start virtualization of business critical apps to continue optimizing costs


Pain: Security technologies and professionals have not kept up with virtualization. Have to resort to physical isolation which restricts server consolidation

Pain: High cost and difficulty of responding to compliance audits for virtual environments

Pain: Lack of consistency in physical and virtual security increases cost and complexity of virtualization

Pain: Maintaining separation of duties and managing risk of privileged user abuse despite convergence of infrastructure layers

Pain: Perceived vulnerability of the hypervisor which could become the weakest link

Pain: Mistakes can be amplified due to rate and ease of change in virtual environments

Opportunity: Leverage virtualization to improve security enforcement and management

Page 4: Secure the Journey to the Private Cloud

Security Considerations for the Journey

• Consolidation of IT infrastructure on top of a new software layer below the OS layer

• A vantage security enforcement point

[Diagram: virtual host stack with Apps, Guest OS, virtual firewall, virtual switch, Hypervisor and Hardware; IT-as-a-Service delivery model spanning People, Processes and Technology]

• Separation of duties is challenged

• Need to retrain and reorient ops teams

• Opportunity to improve security operations

[Diagram: administrator roles: Network admin, Security admin, Host admin, Virtualization administrator]

• Visibility into external service providers

• Secure multi-tenancy concerns

• Trustworthiness

Page 5: Secure the Journey to the Private Cloud

The Journey to the Private Cloud

[Chart: % Virtualized (15%, 30%, 70%, 85%, 95%) across three stages: IT Production (Lower Costs), Business Production (Improve Quality of Service), IT-as-a-Service (Improve Agility); with High Availability and Data Protection]

Page 6: Secure the Journey to the Private Cloud

BUSINESS DRIVERS

How We Do It: System for Managing Security, Risk and Compliance

[Diagram: Define Policy, Map to Controls, Assess Risk and Report; Add Context, Correlate, Collect; Monitor | Audit | Report; Manage, Monitor, Detect, Enforce across Identities, Infrastructure and Information; Manage Governance, Risk + Compliance]

Page 7: Secure the Journey to the Private Cloud

How We Do It: System for Managing Security, Risk and Compliance

BUSINESS CONTEXT

[Diagram: Define Policy, Map to Controls, Report On Risk, Assess Compliance; Monitor | Audit | Report; Add Context, Correlate; Manage, Monitor, Detect, Enforce across Identities, Infrastructure and Information; Manage Governance, Risk + Compliance]

Products mapped onto the system:

Governance, Risk + Compliance: RSA Archer eGRC Suite, RSA enVision

Identities (Authentication, Access / Provision, Fraud Prevention): SecurID, Access Manager, FraudAction, Adaptive Auth, Transaction Monitoring, Identity Verification, Federated Identity Mgr, eFraudNetwork

Information (Data Loss Prevention, Encryption & Tokenization): DLP, Cisco IronPort, Network Partners, Endpoint Partners, RKM App, RKM DC, BSAFE, Microsoft RMS, Tokenization

Infrastructure: Network Security Feeds, Endpoint Security Feeds, Infrastructure Feeds, Ionix Config Mgmt

Page 8: Secure the Journey to the Private Cloud

Securing the Journey to the Private Cloud: Stage 1 – Securing Infrastructure

[Chart: % Virtualized (15%, 30%, 70%, 85%, 95%) across IT Production (Lower Costs), Business Production (Improve Quality of Service) and IT-as-a-Service (Improve Agility); with High Availability and Data Protection]

Visibility into virtualization infrastructure, privileged user monitoring, access mgmt, network security, infrastructure compliance

Page 9: Secure the Journey to the Private Cloud

Stage 1 - Securing Infrastructure

Extend existing security controls to the new virtualization infrastructure

Platform hardening (e.g., VMware vSphere hardening guides)

Strong authentication and role separation for administrators

Privileged user monitoring and security event reporting

Change and configuration management

Virtual firewalls/AV


Page 10: Secure the Journey to the Private Cloud

GRC - Achieving Business Context

[Diagram: Governance (Define & Manage Business Drivers) feeding Visibility and Mitigation, with Controls Execution and Monitoring across the Operational Infrastructure]

Identify what you care about:

– Business Drivers, Objectives and Regulatory Requirements

Implement Controls to ensure the achievement of the Business Drivers and monitor them relentlessly using:

– People, Processes, Information & Technology

Gain Visibility of control failures and risks within Operational Infrastructure:

– Risks, threats, incidents, or compliance deficiencies

Prioritize mitigation resources in the context of the Business Drivers and Objectives

Orchestrate the remediation of the risks and compliance issues with continuous monitoring

– Adapt the control framework and operational infrastructure

Page 11: Secure the Journey to the Private Cloud

The Case for Business Context: Security Management Example

Industry Standard: Payment Card Industry (PCI) Security Standard

Sensitive Data Storage Policy: Credit card data stored securely to support business processes.

Technical Control: Credit Card data at rest must be encrypted with appropriate access control.

[Diagram: Governance (Define & Manage Business Drivers), Visibility, Mitigation, and Controls Execution and Monitoring across the Operational Infrastructure]

Data Visualization

• Data Loss Prevention (DLP) scans reveal files with non-encrypted credit card data

• File / folder owners

Mitigation

• Questionnaires targeted at file owners to obtain business use of data

• Identify requirements and manage mitigation
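As an added illustration of the control on this slide (example code, not part of the original deck or an RSA product), a small DLP-style scan that finds Luhn-valid card numbers in unencrypted files and attributes each hit to the file owner for the follow-up questionnaire. The file records, owners, paths and contents are constructed sample data; the "encrypted" flag stands in for whatever the real scanner uses to recognise files already protected at rest.

```python
import re

# Candidate: 13-19 digits, optionally separated by single spaces or dashes.
PAN_CANDIDATE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")

def luhn_ok(digits):
    """Luhn checksum; rejects most non-card digit runs (serials, order ids)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_pans(text):
    """Return Luhn-valid 13-19 digit numbers found in plaintext content."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits

def mask(pan):
    """Never carry full PANs into reports; keep only the last four digits."""
    return "*" * (len(pan) - 4) + pan[-4:]

def scan_files(files):
    """files: {path: {"owner": str, "encrypted": bool, "content": str}}.
    Encrypted files satisfy the 'encrypted at rest' control and are skipped;
    plaintext files holding a valid PAN are reported with their owner."""
    findings = []
    for path, meta in files.items():
        if meta["encrypted"]:
            continue
        for pan in find_pans(meta["content"]):
            findings.append({"path": path, "owner": meta["owner"], "pan": mask(pan)})
    return findings

# Constructed sample file share (hypothetical); 4111... is a well-known test PAN.
SAMPLE_FILES = {
    "/finance/refunds-2015.csv": {"owner": "finance-ops", "encrypted": False,
        "content": "cust,card\nA. Smith,4111 1111 1111 1111\n"},
    "/finance/vault/cards.enc": {"owner": "finance-ops", "encrypted": True, "content": "<ciphertext>"},
    "/it/inventory.txt": {"owner": "it-ops", "encrypted": False,
        "content": "asset serial 1234567890123456 (not a card)\n"},
}
```

Calling scan_files(SAMPLE_FILES) reports only the plaintext refunds file with its owner; the encrypted vault is skipped and the inventory serial fails the Luhn check, so it is not flagged.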

Page 12: Secure the Journey to the Private Cloud

Platform in Action – Cloud Security and Compliance

Over 100 VMware-specific controls added to the Archer library, mapped to Authoritative Sources

New component scans and automatically assesses VMware configuration to check compliance with controls

Remediation workflow to manage non-compliance and risk mitigation

RSA enVision collects, analyzes and feeds security incidents from RSA, VMware and ecosystem products for visualization in Archer

RSA SecurBook for guidance deploying and operating the solution

1. Discover VMware Infrastructure & Define Security Policy

2. Manual and automated configuration assessment

3. Remediation of non-compliant controls

4. Manage security incidents that affect compliance

Page 13: Secure the Journey to the Private Cloud

Technology Integrations

Risk Content

Regulatory Content

Vulnerability Scanners

Continuous Controls Monitoring

Patch Management

Databases, CMDBs

Emergency Notifications

Security Event and Information Management

Page 14: Secure the Journey to the Private Cloud

[Diagram: Vblock layers: Virtualization, Server, Network, Storage, Security]

Security Challenges in the Virtual Data Center

Control access to sensitive data in an increasingly fluid virtual machine environment

Strong authentication of privileged users

Ease of integration with existing security operations

Full visibility into security-relevant events across the virtual stack for compliance reporting

[Diagram: Vblock stack: VMware hosting APP/OS virtual machines on Cisco UCS, with Cisco switches and EMC Symmetrix V-Max and CLARiiON storage]

Page 15: Secure the Journey to the Private Cloud

Accelerate Mission Critical Virtualization

Secure Information
  Benefit: Secure sensitive data on virtual servers to meet security and compliance requirements
  Capability: Data Loss Prevention protects sensitive data on virtual servers

Monitor Infrastructure
  Benefit: Ensure compliance across virtual and physical with a single platform
  Capability: Security Information and Event Management support for VMware View, ESX, vCenter, vSphere

Protect Identities
  Benefit: Assure authorized access into every layer of the virtual environment
  Capability: Strong authentication into VMware View, ESX Service Console, vSphere Management Assistant

Page 16: Secure the Journey to the Private Cloud

Secure the Core Vblock Platform

RSA® SecurID: Strong authentication before access to ESX Service Console and vSphere Management Assistant

RSA enVision®: Comprehensive visibility into security events; security incident management, compliance reporting

vBlock Security Guidance

[Diagram: Vblock layers vSphere, UCS and Storage, with the vSphere Management Assistant; IT Operations and Security Operations]

Page 17: Secure the Journey to the Private Cloud

Securing the Journey to the Private Cloud: Stage 2 – Securing Information

[Chart: % Virtualized (15%, 30%, 70%, 85%, 95%) across IT Production (Lower Costs), Business Production (Improve Quality of Service) and IT-as-a-Service (Improve Agility); with High Availability and Data Protection]

• Information-centric security, risk-driven policies, IT and security operations alignment, information compliance

• Visibility into virtualization infrastructure, privileged user monitoring, access management, network security, infrastructure compliance

Page 18: Secure the Journey to the Private Cloud

VMware vShield Zones and RSA® Data Loss Prevention (Proof of Concept)

VMware vSphere

VMware vShield Zones provides isolation between groups of VMs in the virtual infrastructure

Leverages the capabilities of vShield Zones to deploy DLP as a virtual application monitoring data traversing virtual networks

Uses centrally managed policies and enforcement controls to prevent data loss in the virtual datacenter

Customer Benefits: Pervasive protection, Persistent protection, Improved scalability

[Diagram: Physical Infrastructure hosting the Virtual Infrastructure, with DLP virtual appliances alongside the APP/OS virtual machines]

Page 19: Secure the Journey to the Private Cloud

Securing Critical Apps Example: Secure Virtual Desktops

[Diagram: Clients connecting to VMware Infrastructure through VMware View Manager and VMware vCenter, with Microsoft Active Directory]

RSA SecurID for remote authentication

RSA DLP for protection of data-in-use

RSA SecurID for ESX Service Console and vMA

RSA enVision log management for

• VMware vCenter & ESX

• VMware View

• Ionix SCM

• RSA SecurID

• RSA Data Loss Prevention

• Microsoft Active Directory

• Cisco UCS

• EMC Storage

Ionix SCM for security configuration and patch management

Page 20: Secure the Journey to the Private Cloud

RSA SecurBook for VMware View

RSA Solutions

– Multi-product solutions

– Validated in the RSA Solutions Center

RSA SecurBooks

– Guides for planning, deploying, and administering RSA solutions.

– Comprehensive reference architecture, screenshots, practical guidance


Page 21: Secure the Journey to the Private Cloud

Securing the Journey to the Private Cloud: Stage 3 – Secure ITaaS

[Chart: % Virtualized (15%, 30%, 70%, 85%, 95%) across IT Production (Lower Costs), Business Production (Improve Quality of Service) and IT-as-a-Service (Improve Agility); with Platinum and Gold labels]

• Information-centric security, risk-driven policies, IT and security operations alignment, information compliance

• Visibility into virtualization infrastructure, privileged user monitoring, access management, network security, infrastructure compliance

• Secure multi-tenancy, verifiable chain of trust

Page 22: Secure the Journey to the Private Cloud

Secure Multitenancy Isolation with Vblock

PREVENTIVE CONTROLS (by Vblock layer)

VMware vSphere: ESX/ESXi VM isolation, resource reservation / limits

VMware vShield Zones: Firewall for traffic into and between tenant networks

Cisco Nexus 1000v, VMware vSwitch: Dedicated tenant VLANs, anti-spoofing

Cisco UCS: Dedicated Service Profiles, virtualized n/w adapters

Cisco MDS: Dedicated tenant VSANs

EMC Symmetrix, CLARiiON: Dedicated LUNs, LUN masking, port zoning, dedicated NAS file share exports per tenant

DETECTIVE CONTROLS

RSA enVision: Comprehensive and real time security event monitoring and alerting ensures that any change in isolation configuration is detected

Page 23: Secure the Journey to the Private Cloud

Secure IT as a Service

Proof of Concept for Measuring and Monitoring Cloud Infrastructure Security

[Diagram: RSA Archer (Archer apps, cloud compliance dashboard, Data Feed Manager, VMware Hardening Guidelines), RSA Data Loss Prevention and RSA enVision integrated through the RSA ADML (Advanced Data Management Layer, ADML apps) with VMware vCenter Server and VMware ESXi running on Intel Westmere processors with Intel Trusted Execution Technology]

Page 24: Secure the Journey to the Private Cloud

Securing the Journey to the Private Cloud

CHECK LIST

Extend existing security controls to the virtual infrastructure

Platform hardening (e.g., VMware vSphere hardening guides)

Strong authentication and role separation for administrators

Privileged user monitoring and security event reporting

Apply information-centric security policies at the virtual layer to protect applications and data without security agents

Change and configuration management

Use virtual desktop infrastructure to offer access to applications rapidly, flexibly and securely

Ensure compliance across physical, virtual infrastructures and service providers

Secure multi-tenancy, verifiable chain of trust


Page 25: Secure the Journey to the Private Cloud

Thank you!