Vmware and Trend Micro Presentation at VSS
© 2009 VMware Inc. All rights reserved
Security and Compliance for the Cloud
Trevor Gerdes
Systems Engineer
tgerdes@vmware.com
2
Disclaimer
This session may contain product features that are currently under development.
This session/overview of the new technology represents no commitment from VMware to deliver these features in any generally available product.
Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind.
Technical feasibility and market demand will affect final delivery.
Pricing and packaging for any new technologies or features discussed or presented have not been determined.
“These features are representative of feature areas under development. Feature commitments are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind. Technical feasibility and market demand will affect final delivery.”
3
Agenda
• Overview of compliance and security requirements
• Foundations for virtual security
• Where can VMware help?
• How are our partners helping?
• Summary
5
Compliance vs. Security
Compliance: Conforming to a set of rules or standards. This is generally confirmed by an assessor providing an opinion based on observation, inquiry, and inspection.
Security: Implementing technical, physical, and administrative controls to provide confidentiality, integrity, availability, accountability and assurance.
6
Compliance requirements affecting your customers
PCI-DSS
Government regulation
SOX
ISO
Internal
7
Why is PCI so Hard for Virtualization?
Technology changes faster than any standard (including the PCI DSS)
PCI applies to all systems “in scope”
Segmentation defines scope
The DSS is vendor agnostic
Most whitepapers are written for security, not compliance
“If network segmentation is in place and will be used to reduce the scope of the PCI DSS assessment, the assessor must verify that the segmentation is adequate to reduce the scope of the assessment.” - (PCI DSS p.6)
8
What is “In-scope”
All systems that Store, Process, or Transmit cardholder data, and all system components that are in or connected to the cardholder data environment (CDE).
What’s unique in a virtual environment?
Storage
• Data that used to reside only in memory could be written to disk (encryption keys, PAN)
• The integrity of data can now be altered in several locations (e.g., a log server that is stored as a VM on the ESX host)
• SAN – Can VMs be altered in storage? How will you know?
Transmission
• Data that used to physically reside in one location could now be transmitted logically across the network (e.g., VMotion, pulling images from a SAN, storage)
• Authentication controls (how can you ensure that authentication systems cannot be bypassed?)
• What “system components” could be used to sniff sensitive data?
Segmentation
• Defining system boundaries can be more difficult, with virtual firewalls, virtual switches, VLANs, and High Availability switches.
• Mixed mode environments, multi-tenancy.
• Can all system components in the virtual environment meet ALL PCI controls?
9
Aren’t firewalls required for segmentation?
QSA’s have historically relied on stateful firewalls for network segmentation
PCI allows for “other technology” as an acceptable use of segmentation
How do firewalls impact the flow of data unique to a virtual environment (VMotion, pulling images from a SAN, taking “dirty” snapshots)?
“Network segmentation can be achieved through internal network firewalls, routers with strong access control lists or other technology that restricts access to a particular segment of a network.” – PCI DSS p. 6
10
Why are Virtual Environments Perceived As So Much Harder?
1. System boundaries are not as clear as their non-virtual counterparts
2. Even the simplest network is rather complicated
3. More components, more complexity, more areas for risk
4. Digital forensic risks are more complicated
5. More systems are required for logging and monitoring
6. More access control systems
7. Memory can be written to disk
8. Many applications and O/S were not designed for Virtualization
9. VM Escape?
10. Mixed Mode environments
11
“System Boundaries” are not as Clear as their Non-Virtual Counterparts
[Diagram: basic web server and database, standard environment vs. virtual environment]
13
Enterprise Security today – not virtualized, not cloud ready
[Diagram: Users → DMZ → Web Servers → Apps / DB Tier, across Enterprise VDC sites]
Perimeter/DMZ
- Threat mitigation
- Perimeter security products with FW / VPN / IPS
- Hardware sprawl, expensive
Interior security
- Segmentation of applications and servers
- VLAN or subnet based policies
- VLAN sprawl, complex
Endpoint security
- Protecting the endpoint
- AV, HIPS agent-based security
- Agent sprawl, cumbersome
14
Foundations of Virtual Security: Secure Deployment
VMware Security Hardening Guides
• Being provided for major platform products
• vSphere 4.x
• VMware vCloud Director
• View
• Important for architecture and deployment related controls
[Diagram: vSwitch carrying Production, VMkernel and Management traffic over separate vnics; Mgmt Network to vCenter, IP-based storage and other ESX/ESXi hosts; Prod Network to the VMs]
vSphere Security Hardening Guide
http://www.vmware.com/resources/techresources/10109
15
Foundations of Virtual Security: Securing Virtual Machines
Guest
• Anti-Virus
• Patch Management
• OS hardening and compliance
Network
• Intrusion Detection/Prevention (IDS/IPS)
Edge
• Firewalls
Provide Same Protection as for Physical Servers
16
Foundations of Virtual Security: Virtual Trust Zones
[Diagram: Internet → Web servers → Application servers → Database servers → Intranet, each tier a group of VMs on an ESX/ESXi host and separated by firewall / IDS / IPS virtual appliance(s); Production LAN kept apart from the Management LAN (VMkernel, ESX/ESXi management interface, vCenter Server system)]
18
Virtualization Controls for Security
Network Controls
Change Control and Configuration Management
Access Controls & Management
Vulnerability Management
19
vShield - Comprehensive Security for Cloud Infrastructure
[Diagram: vShield Endpoint (in guest, per VM), vShield App (per Org), vShield Edge]
Defense in Depth from inside the Guest to the Edge of the Cloud
Accreditations and Certifications
Firewall certification in progress H2/2011
20
vShield Edge – Secure the Edge of the Virtual Data Center
Features
• Multiple edge security services in one appliance
• Stateful inspection firewall
• Network Address Translation (NAT)
• Dynamic Host Configuration Protocol (DHCP)
• Site to site VPN (IPsec)
• Web Load Balancer
• Edge port group isolation
• Detailed network flow statistics for chargebacks, etc.
• Policy management through UI or REST APIs
• Logging and auditing based on industry standard syslog format
[Diagram: Tenant A … Tenant X, each behind its own Edge providing load balancer, firewall and VPN]
21
vShield Edge Network Topology
22
vShield App/Zones – Application Protection for Network Based Threats
[Diagram: security groups DMZ, PCI, HIPAA]
Features
• Hypervisor-level firewall
• Inbound, outbound connection control applied at vNIC level
• Elastic security groups - “stretch” as virtual machines migrate to new hosts
• Robust flow monitoring
• IP Address protection management
• Policy Management
  • Simple and business-relevant policies
  • Managed through UI or REST APIs
• Logging and auditing based on industry standard syslog format
23
vShield Zones/App Topology
24
Customers Trust What They Know – 2 Segment Preferences
[Diagram: vShield App (preferred by VI Architects) vs. vShield Edge (preferred by Network Security), across “Air Gapped” Pods, Mixed Trust Hosts and Secure Private Cloud designs]
• VI Architects who understand the power of virtualization and introspection expect to deploy vShield App but want it in Cloud environments in addition to vShield Edge
• IT Security and Network Security see vShield Edge as a natural bridge from what they know and understand in the physical security world and are looking to find a fit within their existing mixed trust host and air gapped pods network designs, VLANs, etc.
25
vShield Endpoint – Endpoint Security for Virtual Data Centers and Cloud Environments
Improves performance and effectiveness of existing endpoint security solutions
Features
• Offload of AV functions
• Hardened security virtual machine
• Offload file activity to Security VM
• Manage AV service across VMs
• Enforce Remediation using driver in VM
• Partner Integrations through EPSEC API - Trend Micro, Symantec, McAfee
• Policy Management: Built-in or customizable with REST APIs
• Logging of AV file activity
26
Efficient Antivirus as a Service for Virtual Datacenters
• File-scanning engines and virus definitions offloaded to security VM – scheduled and realtime
• Thin file-virtualization driver in-guest: >95% reduction in guest footprint (eventually fully agentless)
Deployable as a service
• No agents to manage - thin-guest driver to be bundled with VMTools
• Turnkey, security-as-service delivery
Applicable to all virtualized deployment models – private clouds (virtual datacenters), public clouds (service providers), virtual desktops
[Diagram: VMware vSphere hosting a hardened security VM (SVM) running the AV engine, with introspection into each guest VM (APP / OS kernel / BIOS)]
Tighter collaborative effort with leading AV partners
Hypervisor-based introspection for all major AV functions
27
vCenter Configuration Manager
Drive IT Compliance to lower risk
• Ensure compliance with various industry and regulatory standards on a continuous basis
• Quickly remediate problems
Mitigate outages through approved change processes
• Detailed understanding and tracking of changes
• Control change by following your Closed Loop Change Mgmt Process
Harden your environment and reduce potential threats and breaches
Compliance Through Unified Patching and Provisioning
• Provision Linux, Windows and ESX images
• Assess and Patch Windows, UNIX, MAC, etc.
Control your virtual infrastructure
• Fight VM Sprawl & Decommissioning Issues
• Improved Virtual Troubleshooting
• Single Pane of Glass
28
Manage & Measure Compliance
Deep Collection and Visibility
• Virtual and Physical Machines
• Desktops and Servers
• Spans a large array of OSs
Built in compliance tool kits
• Regulatory: SOX, HIPAA, GLBA, FISMA, DISA, ISO 27002
• Industry: PCI DSS, NERC/FERC
• vSphere Hardening: VMware Best Practices, CIS Benchmark
• Security: CIS Certified Benchmarks, DISA, NIST, Security Hardening Guides, Vendor Specific Hardening Guidelines
Automated & Continuous Enterprise Compliance Posture
Dashboards provide “At-a-Glance” health
[Diagram: standards and benchmark logos – Virtualization Hardening Guidelines, FISMA, HIPAA, NERC/FERC, ISO 27002, CIS Benchmarks, PCI DSS, GLBA, SOX, NIST, DISA, CIS, VMware]
29
vCenter Application Discovery Manager
• Get and keep a fast and accurate data center view – across virtual and physical
• Precise visibility into all application interactions via network-based approach
• Eye-opening discovery of unknown, unwanted, & unexpected application behaviors and dependencies
• Application-aware data center moves & consolidations, migrations, and DR plans
30
Business Application Dependency Mapping
[Diagram: application layers and DB layer of a mapped business application]
Provides a detailed and accurate infrastructure layout of a given business application
– Virtual and Physical servers
– Services
– Interdependencies
The first step to understanding a business application is to map out its internal dependencies
Required for any major data center project (e.g. DR, Migration, Consolidation)
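The scoping rule from the “What is in-scope” slide (systems in, or connected to, the cardholder data environment; segmentation defines scope), applied to the kind of dependency map the Application Discovery Manager slides describe. This is an added example, not VMware’s code; the system names and connectivity table are constructed, and the rule is the literal one-hop reading of the definition, with an assessor free to read it more broadly.

```python
"""PCI DSS scope computed from a connectivity map (added example, not VMware's).

Rule, read literally from the scoping definition: a system is in scope if it
is in the cardholder data environment (CDE) or has a permitted network
connection to or from a CDE system once segmentation rules are applied.
"""

# Constructed sample: "may initiate a connection to" relationships that
# remain permitted after firewall / hypervisor-level rules. Names are made up.
CONNECTIVITY = {
    "web-01":    {"app-01"},
    "app-01":    {"db-01", "syslog-01"},
    "db-01":     {"syslog-01"},
    "syslog-01": set(),
    "hr-01":     {"hr-db-01"},
    "hr-db-01":  set(),
    "mgmt-01":   {"web-01", "app-01", "db-01", "hr-01", "syslog-01"},
}

# Systems that store, process or transmit cardholder data.
CDE = {"app-01", "db-01"}


def undirected(adj):
    """Symmetrise: 'connected to' holds whichever side opens the connection."""
    und = {}
    for src, dsts in adj.items():
        und.setdefault(src, set())
        for dst in dsts:
            und[src].add(dst)
            und.setdefault(dst, set()).add(src)
    return und


def pci_scope(adj, cde, blocked=frozenset()):
    """CDE plus every system with a permitted connection to a CDE system.
    `blocked` lists (src, dst) pairs a proposed segmentation rule denies."""
    filtered = {src: {d for d in dsts if (src, d) not in blocked}
                for src, dsts in adj.items()}
    und = undirected(filtered)
    scope = set(cde)
    for system in cde:
        scope |= und.get(system, set())
    return scope


def scope_reduction(adj, cde, blocked):
    """Systems a candidate set of deny rules takes out of scope."""
    return pci_scope(adj, cde) - pci_scope(adj, cde, blocked)
```

With the sample map the management host and the syslog VM land in scope alongside the web tier, which is the deck’s point about authentication systems and log servers; denying the management host’s paths into the CDE is the only rule in the sample that shrinks the scope.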
32
Welcome to the stage Trend Micro
34
What Compliance Benefits are there for Virtual Environments?
1. Repeatable security
2. Scalable controls
3. Risk aggregation/concentration
4. Improve security without impacting operations
5. Stronger/quicker configuration management
6. More money can be spent on security controls
7. Quickly provision and release with minimal management
8. Faster recovery after an attack
9. Ability to quickly capture and isolate compromised VMs
35
Security Advantages of Virtualization
Allows Automation of Many Manual Error Prone Processes
Cleaner and Easier Disaster Recovery/Business Continuity
Better Forensics Capabilities
Faster Recovery After an Attack
Patching is Safer and More Effective
Better Control Over Desktop Resources
More Cost Effective Security Devices
App Virtualization Allows de-privileging of end users
Better Lifecycle Controls
Security Through VM Introspection
36
Where to Learn More
Security
• Hardening Best Practices
• Implementation Guidelines
• http://vmware.com/go/security
Compliance
• Partner Solutions
• Advice and Recommendation
• http://vmware.com/go/compliance
Operations
• Peer-contributed Content
• http://viops.vmware.com
37
Thank you – Trevor Gerdes – tgerdes@vmware.com