IBM Software
Securing Virtualization in Real-World Environments
© 2010 IBM Corporation
Optimizing the World’s Infrastructure
Virtualization is a Key Enabler for a Smarter Planet
New Forms of Collaboration
Globalization and Globally Available Resources
Access to streams of information in Real Time
Billions of mobile devices accessing the Web
New possibilities. New complexities. New risks.
Managing Risks Introduced by New Opportunities
[Chart: Complexity of Infrastructure; % of IT Investment Spent on Maintaining Existing Infrastructure (Maintain vs. Growth)]
[Chart: Explosion of Data; Disclosures of Sensitive Business Data: fewer than 3 incidents 13%, between 3 and 12 incidents 67%, more than 12 incidents 20%]
Sources: IBM; IT Policy Compliance Group
Virtualization has many benefits but introduces new complexities
[Figure: Before Virtualization vs. After Virtualization]
• Virtualization blurs the physical boundaries between systems that are used to separate workloads and those responsible for securing them.
• Virtualization enables mobility of systems and flexible deployment and re-deployment of systems. Manually tracking software stacks and configurations of VMs and images becomes increasingly difficult.
Virtualization has many benefits but introduces new complexities
Before Virtualization
• 1:1 ratio of OSs and applications per server
After Virtualization
• 1:Many ratio of OSs and applications per server
• Additional layer to manage and secure
Common security-centric questions with virtualization
BEFORE: Equipment is Physical
Wires and cables. Routers and switches. Servers on racks. Storage arrays and disks. Memory and CPUs. Machines stay put. Security is in place.
AFTER: Equipment is Virtual
How do we watch the network? Where are VMs located? Are they moving around? What's our change control policy? Are VMs patched? Is the hypervisor secure? Who's responsible for security?
More components = more exposures and more difficulty in maintaining compliance standards and regulations
Traditional threats: traditional threats can attack VMs just like real systems
New threats to VM environments:
• Resource sharing
• Single point of failure
• Virtual sprawl
• Dynamic relocation
• VM stealing
• Stealth rootkits in hardware now possible
• Virtual NICs and virtual hardware are targets
• Management vulnerabilities
• Secure storage of VMs and the management data
• Requires new skill sets
Virtualizing Security vs. Securing Virtualization
Virtualizing Security
• Existing Solutions
• Virtual Appliances
Securing Virtualization
• Integrated Security
• Future Protection
Introducing IBM Virtual Server Protection for VMware: Integrated threat protection for VMware vSphere 4
[Figure: one SVM and several guest VMs running on the Hypervisor, which runs on the Hardware]
• Integrated security leveraging the hypervisor
• On-demand, centralized protection
• Selective network intrusion and host malware protection
Introducing IBM Virtual Server Protection for VMware: Integrated threat protection for VMware vSphere 4
• Provides dynamic protection for every layer of the virtual infrastructure
• Helps meet regulatory compliance mandates by providing security and reporting functionality customized for the virtual infrastructure
• Increases ROI over using physical security for virtual data centers
• Increases virtual server uptime with virtual rootkit detection
IBM Virtual Server Protection for VMware can accelerate and simplify compliance audits
e.g. PCI DSS adding virtualization security requirements in 2010
• Enables firewall network segmentation to reduce the scope of the PCI audit
• Monitors the integrity of critical systems
• Detects and prevents attacks that target cardholder data
• Leverages IBM Virtual Patch® technology that automatically protects vulnerabilities on virtual servers regardless of patch strategy
• Collects important security events from the virtual infrastructure
• Isolates payment processing applications from VMs on the same physical hardware that are separate from the cardholder data environment
VSP helps meet security aspects of the PCI standards:
• Requirement 1 – Firewall and Router Configuration (meets 1.1, 1.1.2, 1.2.1, 1.3.1, 1.3.2, 1.3.4, 1.3.5, 1.3.7, and 1.4.2)
• Requirement 2 – Configuration Standards (meets 2.2, 2.2.1, 2.2.2, and 2.4)
• Requirement 6 – Security Patching (meets 6.1, 6.2, 6.5 and 6.6)
• Requirement 10 – Tracks and Monitors Access to Data (meets 10, 10.2, 10.5.2, 10.5.5 and 10.6)
IBM Virtual Server Protection for VMware increases ROI of the virtual infrastructure
• Automated Protection as each VM comes online
– Automatic Discovery
– Automated vulnerability assessment
– IBM Virtual Patch® technology
• Non-intrusive
– No reconfiguration of the virtual network
– No presence in the guest OS
• Protection for any guest OS
– Reduction in security agents for multiple OSs
• Less presence in guest OS
– Improved stability
– More CPU/memory available for workloads
– Decreased attack surface
• Less management overhead eliminates redundant processing tasks
– One Security Virtual Machine (SVM) per physical server
– 1:many protection-to-VM ratio
– CPU-intensive processing removed from the guest OS and consolidated in SVM
• Centralized Management
– IBM Proventia® Management SiteProtector™ system
Summary
Need: Drive operational efficiency
How IBM VSP for VMware® helps: Increases ROI of the virtual infrastructure
Need: Mitigate new risks and complexities introduced by virtualization
How IBM VSP for VMware® helps: Provides dynamic protection for every layer of the virtual infrastructure
Need: Maintain compliance standards and regulations
How IBM VSP for VMware® helps: Helps meet regulatory compliance by providing security and reporting functionality customized for the virtual infrastructure
IBM Delivers Comprehensive Security Governance, Risk & Compliance Management
– The only security vendor in the market with an end-to-end framework and solution coverage from both the business and IT security perspectives
– 15,000 researchers, developers and SMEs on security initiatives
– 3,000+ security & risk management patents
– 200+ security customer references and 50+ published case studies
– Managing over 4 Billion security events per day for over 3,700 clients
– 40+ years of proven success securing the zSeries environment
– $1.5 Billion security spend in 2008
IBM Security Solutions Portfolio
[Figure: portfolio grid organised into Assess / Mitigate / Manage columns; the row labels did not survive extraction, so the products are listed flat below]
Tivoli Identity Manager (TIM)
Tivoli Access Manager family (TAM)
Tivoli Security Policy Manager (TSPM)
Tivoli Federated Identity Manager (TFIM)
Tivoli Security Information and Event Manager (TSIEM)
Guardium
Tivoli Privileged Identity Management (TPIM)
InfoSphere Identity Insight
InfoSphere Content Assessment
ISS Proventia Gx, Fidelis, Verdasys
PGP
InfoSphere Optim
WebSphere DataPower
Tivoli Key Lifecycle Manager (TKLM)
InfoSphere eDiscovery Manager and Analyzer
IBM Global Technology Services & BPs
ISS Proventia Server
IBM Virtual Server Protection (VSP)
Tivoli Security Compliance Manager (TSCM)
Tivoli zSecure
IBM SiteProtector
Rational Ounce Labs
Rational AppScan
Lotus Protector
For More Information: IBM Virtualization Security Solutions
Virtualization Security Solutions Webpage: http://www-935.ibm.com/services/us/iss/html/virtualization-security-solutions.html
White Paper
IBM Virtual Server Protection Features
• Intrusion Prevention and Firewall
– Enforces dynamic security wherever VMs are deployed
– Applies one Security Virtual Machine (SVM) per physical server
– Privileged presence gives SVM a holistic view of the virtual network
– Enables IBM Virtual Patch® technology to protect vulnerabilities on virtual servers regardless of patch strategy
• VM lifecycle enforcement
– Performs automatic VM discovery in order to reduce virtual sprawl
– Provides virtual access control and assessment by quarantining or limiting network access until VM security posture can be validated
– Virtual infrastructure auditing
• VM Rootkit detection
– Transparently inspects VMs and detects installation of rootkits
– Reports on access and usage of the virtual environment
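The lifecycle-enforcement bullets above describe a control loop: discover every VM that appears on a host, hold it in quarantine, assess it, then either admit it behind the SVM's inspection or keep it restricted, and let that decision follow the VM when it moves to another host. The following Python model is an added illustration written for this page, not IBM's VSP code or API; the class and method names, the posture states, the network-policy strings and the audit record layout are all assumptions chosen for the example, and the VM names, host names and finding label are constructed.

```python
from dataclasses import dataclass, field
from enum import Enum


class Posture(Enum):
    """Hypothetical posture states for a discovered VM (assumed for this example)."""
    QUARANTINED = "quarantined"  # seen on a host, not yet assessed: scanner traffic only
    LIMITED = "limited"          # assessment found issues: restricted, with virtual-patch rules
    PROTECTED = "protected"      # assessment clean: normal access, traffic inspected by the SVM


@dataclass
class VMRecord:
    name: str
    host: str
    posture: Posture = Posture.QUARANTINED
    open_findings: list = field(default_factory=list)
    in_inventory: bool = True    # False => VM was never registered: a sprawl candidate


class LifecycleEnforcer:
    """Toy model of SVM-style VM lifecycle enforcement (hypothetical, not IBM's implementation)."""

    def __init__(self, known_inventory):
        self.inventory = set(known_inventory)   # constructed: VMs change control knows about
        self.vms = {}
        self.audit = []                         # virtual infrastructure audit trail

    def _log(self, event, vm, **detail):
        self.audit.append({"event": event, "vm": vm, **detail})

    def discover(self, name, host):
        """Auto discovery: every VM seen on a host is tracked and starts quarantined."""
        rec = VMRecord(name=name, host=host, in_inventory=name in self.inventory)
        self.vms[name] = rec
        self._log("discovered", name, host=host, sprawl=not rec.in_inventory)
        return rec.posture

    def network_policy(self, name):
        """Policy the SVM on the VM's current host would enforce (assumed rule syntax)."""
        rec = self.vms[name]
        if rec.posture is Posture.QUARANTINED:
            return ["allow:assessment-scanner", "deny:*"]
        if rec.posture is Posture.LIMITED:
            patches = [f"virtual-patch:{f}" for f in rec.open_findings]
            return ["allow:assessment-scanner", "allow:patch-repo"] + patches + ["deny:*"]
        return ["inspect:ips", "allow:*"]

    def assess(self, name, findings):
        """Vulnerability assessment result decides whether the VM is admitted or restricted."""
        rec = self.vms[name]
        rec.open_findings = list(findings)
        rec.posture = Posture.PROTECTED if not findings else Posture.LIMITED
        self._log("assessed", name, findings=list(findings), posture=rec.posture.value)
        return rec.posture

    def migrate(self, name, new_host):
        """VMotion: the posture travels with the VM; the SVM on the new host enforces it."""
        rec = self.vms[name]
        old_host, rec.host = rec.host, new_host
        self._log("migrated", name, from_host=old_host, to_host=new_host,
                  posture=rec.posture.value)
        return self.network_policy(name)

    def sprawl_report(self):
        """VMs that were discovered but never registered in the inventory."""
        return sorted(n for n, r in self.vms.items() if not r.in_inventory)

    def hosts_needing_svm(self):
        """One SVM per physical server: every host with at least one tracked VM."""
        return sorted({r.host for r in self.vms.values()})


if __name__ == "__main__":
    # constructed walk-through: one registered VM, one unregistered clone
    e = LifecycleEnforcer(["web01", "db01"])
    e.discover("web01", "esx-a")
    e.assess("web01", [])
    e.discover("tmp-clone-7", "esx-a")
    e.assess("tmp-clone-7", ["finding:placeholder-unpatched-service"])
    e.migrate("tmp-clone-7", "esx-b")
    for entry in e.audit:
        print(entry)
    print("sprawl:", e.sprawl_report(), "hosts needing SVM:", e.hosts_needing_svm())
```

The point the model makes is that admission is a property of the VM record, not of the host it happens to be on: a restricted VM stays restricted after migration, and a VM that no inventory knows about is still discovered and held, which is what "reduce virtual sprawl" has to mean in practice.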
IBM offers the broadest, most integrated, defense-in-depth virtualization security with one product
[Table: feature comparison of VSP, Altor, Reflex, Trend and McAfee; the check marks did not survive extraction, so only the number of vendors marked per feature (out of 5) is recoverable]
Firewall – 5
Rootkit Detection – 2
Hypervisor-Level (VMsafe) Integration – 2
Intrusion Prevention – 2
Intrusion Detection – 4
Virtual Patch – 1
Visibility into Virtual Network Activity – 4
Virtual Network Segment Protection – 1
VM Sprawl Management – 3
Central Management – 4
Web Application Protection – 2
Inter-VM Traffic Analysis – 3
Network Policy Enforcement – 4
Automated Protection for Mobile VMs (VMotion) – 3
Auto Discovery – 1
Trademarks and disclaimers
Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo, Celeron, Intel Xeon, Intel SpeedStep, Itanium, and Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries. Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both. Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both. IT Infrastructure Library is a registered trademark of the Central Computer and Telecommunications Agency which is now part of the Office of Government Commerce. ITIL is a registered trademark, and a registered community trademark of the Office of Government Commerce, and is registered in the U.S. Patent and Trademark Office. UNIX is a registered trademark of The Open Group in the United States and other countries. Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both. Other company, product, or service names may be trademarks or service marks of others. Information is provided "AS IS" without warranty of any kind.
The customer examples described are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual environmental costs and performance characteristics may vary by customer.
Information concerning non-IBM products was obtained from a supplier of these products, published announcement material, or other publicly available sources and does not constitute an endorsement of such products by IBM. Sources for non-IBM list prices and performance numbers are taken from publicly available information, including vendor announcements and vendor worldwide homepages. IBM has not tested these products and cannot confirm the accuracy of performance, capability, or any other claims related to non-IBM products. Questions on the capability of non-IBM products should be addressed to the supplier of those products.
All statements regarding IBM future direction and intent are subject to change or withdrawal without notice, and represent goals and objectives only.
Some information addresses anticipated future capabilities. Such information is not intended as a definitive statement of a commitment to specific levels of performance, function or delivery schedules with respect to any future products. Such commitments are only made in IBM product announcements. The information is presented here to communicate IBM's current investment and development activities as a good faith effort to help with our customers' future planning.
Performance is based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput or performance that any user will experience will vary depending upon considerations such as the amount of multiprogramming in the user's job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve throughput or performance improvements equivalent to the ratios stated here.
Prices are suggested U.S. list prices and are subject to change without notice. Starting price may not include a hard drive, operating system or other features. Contact your IBM representative or Business Partner for the most current pricing in your geography.
Photographs shown may be engineering prototypes. Changes may be incorporated in production models.
© IBM Corporation 1994-2010. All rights reserved. References in this document to IBM products or services do not imply that IBM intends to make them available in every country.
Trademarks of International Business Machines Corporation in the United States, other countries, or both can be found on the World Wide Web at http://www.ibm.com/legal/copytrade.shtml.