The Goldilocks Zone: Security and Architectural Implications of the SDDC
SEC1959-S
Tom Corn, SVP, VMware, Inc. – Security Products
Securing the Data Center
IT Infrastructure: Network, Storage, Compute, Infrastructure Management & Orchestration, Application Infrastructure
Security Infrastructure:
• Network: DFW, IDS/IPS, NGFW, WAF, AMP, SWG, DDoS
• Storage: Encryption, Key Management, Tokenization
• Governance/Compliance: Vulnerability Mgmt, Log Mgmt, GRC, PUAM, Security Posture Management, DLP
• Compute: AV, HIPS, AMP, Encryption, Execution & Device Control
• SOC: SIEM, Security Analytics, Forensics
• Identity Controls: IAM, IAG, Authentication, Access Control, Federation/SSO
• App/Database Controls: App/DB Activity Monitoring, App/DB Encryption, Fraud Analytics
A Picture of Diminishing Returns
The Only Thing Outpacing Security Spend… Is Security Losses
(Chart: IT Spend vs. Security Spend vs. Security Breaches)
Kill Chain: Anatomy of a Modern Attack
Phases: 1 Prep, 2 Intrusion, 3 Recon, 4 Recovery, 5 Act on Intent, 6 Exfiltration
1. Prep
• 1 Human Recon
• 2 Attack Vector R&D
• 3 Delivery Mechanism
2. Intrusion
• 4 Compromise Primary Entry Point
• 5 Install Command & Control I/F
• 6 Escalate Privileges on Primary Entry Point
(Strain A active, Strain B dormant)
3. Recon
• 7 Lateral Movement
• 8 Install C2 I/F, Wipe Tracks, Escalate Privileges (step 8 is shown on several hosts in the diagram)
4. Recovery
• Attack Identified / Response
• 9 Wake Up & Modify Next Dormant Strain (Strain B becomes active; Strains C and D remain dormant)
5. Act on Intent
• 10 Break into Data Stores
• 11 Parcel & Obfuscate
6. Exfiltration
• 12 Exfiltration
• 13 Cleanup
Modern Attack: targeted, interactive & stealthy
Callouts on the diagram: "Stop Infiltration" and "Lack visibility & control to stop exfiltration"
Shift from…
• Perimeter-centric
• In-line prevention
• Managing compliance
to…
• Application & user-centric
• Analytics / out-of-band mitigation
• Managing risk
3 Architectural Issues
Virtualization is the Key: as a ubiquitous abstraction layer between the applications and the infrastructure, it provides the “Goldilocks Zone” for security.
1. Segmentation: the Logical Segmentation Problem (we lack the ability to segment around application boundaries)
2. Policy: the Compound Policy Problem (we lack mechanisms to orchestrate policy across controls)
3. Context: the Context/Isolation Tradeoff (we lack the right telemetry / “handles” for security controls)
Common Thread: The Application
The Logical Segmentation Problem
Diagram: a hyper-connected computing base, leading to lateral movement and complex/comingled policy.
The Solution: enforce segmentation around application boundaries versus the perimeter, physical zones or machines.
The Obstacle: we have no mechanism that maintains the relationship between the applications & the infrastructure.
The Compound Policy Problem
Diagram: controls C1, C2, C3 must be in the Right Place, in the Right Order, and Share State; today this means Choke Points / Scalability limits, Complex Distributed Policy, and no clear way of Sharing State.
The Solution: a mechanism to insert and order security controls and policy around logical boundaries, and a mechanism for them to publish and share state.
The Obstacle: no such mechanism exists. We can insert on physical boundaries, and share state via point integrations and correlation.
The Context/Isolation Tradeoff
Diagram: security controls feed Policy and Analytics along a Context-to-Isolation axis with Endpoint at one end and Network at the other. Labels: HTTP://192.163.8.10:8080, HTTP://192.159.2.10:8080, HTTP://192.162.5.8:8080; "Poor Handles/Telemetry for Policy/Analytics"; 10.20.2.14 / 09:00:02:A3:D1:3D; 10.18.3.13 / 08:00:03:A4:C2:4C.
The Solution: a ubiquitous mechanism for communicating telemetry with security controls that has the isolation properties of a network control point and the context of an endpoint agent.
The Obstacle: no such mechanism exists. We are forced to make the tradeoff.
3 Architectural Issues
Common Thread: The Application
Virtualization is the Goldilocks Zone for Security
If we could…
• Segment along application boundaries and compliance scopes
• Provision and order controls along those boundaries
• Share context to and among controls
…then we can dramatically…
• Reduce our attack surface
• Simplify our policies
• Improve the effectiveness of all our controls
Putting Security Controls into the Virtualization Layer
The Virtual Infrastructure provides:
• Context: Security/Telemetry
• Security Service Provisioning & Orchestration
• Built-in Controls: Isolation/Segmentation/Access
Security Controls layered on top: Network, Storage, Governance/Compliance, Compute, SOC (the same categories as on the Securing the Data Center slide)
Micro-segmentation
Logical segmentation around application boundaries
Diagram: perimeter firewall and inside firewall; tiers DMZ, App, Services, DB; applications App 1, App 2, App 3; shared services AD, NTP, DHCP, DNS, CERT.
Micro-segmentation
• Isolation: explicit allow communications (default deny)
• Secure Communications
• Structured Secure Communications: controls such as NGFW, IPS and WAF inserted between segments
Advanced Context
The hypervisor can bridge the context / isolation gap
Diagram: on the Context-to-Isolation axis, the Endpoint Agent sits at the Context end, the Network Device at the Isolation end, and Virtualization in between.
Policy Orchestration
Security Group = Web Tier
Policy Definition: Standard Web Policy; Advanced Malware Protection
Security Group = DEFCON 1; Members = {Tag = ‘AdvancedMalware.Suspicious’, DEFCON Network}
DEFCON 1 Policy: Gateway Authentication; 2 Factor; Ratchet back Access Controls; Increase Logging
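The micro-segmentation slides (explicit allow between tiers, default deny) and the Policy Orchestration slide (a DEFCON 1 group whose members are selected by tag) describe one mechanism from two sides. The following is an added example, not code from the deck or from any VMware product: the tier names, ports and the reading of "Ratchet back Access Controls" as "may only reach the shared-services tier" are assumptions.

```python
# Added example (not from the VMware deck): a minimal model of tag-driven
# security-group membership plus default-deny micro-segmentation between tiers.
from dataclasses import dataclass, field

@dataclass
class Workload:
    name: str
    tier: str                          # constructed tier names: web, app, db, services
    tags: set = field(default_factory=set)

# Membership is computed, not hand-configured: a tag raised by the
# malware-protection control moves the workload into "DEFCON 1" automatically.
def security_groups(w: Workload) -> set:
    groups = {w.tier + "-tier"}
    if "AdvancedMalware.Suspicious" in w.tags:   # tag name from the slide
        groups.add("DEFCON 1")
    return groups

# Explicit-allow rules as (source group, destination group, service).
# Anything not listed is dropped. Services/ports are constructed for the example.
ALLOW = {
    ("web-tier", "app-tier", "tcp/8080"),
    ("app-tier", "db-tier", "tcp/5432"),
    ("web-tier", "services-tier", "udp/53"),
    ("app-tier", "services-tier", "udp/53"),
    ("db-tier", "services-tier", "udp/53"),
}

# Controls attached to each security group, in the order they are applied.
CONTROLS = {
    "web-tier": ["Standard Web Policy", "Advanced Malware Protection"],
    "DEFCON 1": ["Gateway Authentication", "2 Factor",
                 "Ratchet back Access Controls", "Increase Logging"],
}
GROUP_ORDER = ["web-tier", "app-tier", "db-tier", "services-tier", "DEFCON 1"]

def effective_policy(w: Workload) -> list:
    """Controls from every group the workload belongs to; baseline first, escalation last."""
    groups = security_groups(w)
    return [c for g in GROUP_ORDER if g in groups for c in CONTROLS.get(g, [])]

def allowed(src: Workload, dst: Workload, service: str) -> bool:
    """Default deny. "Ratchet back Access Controls" is modelled (our assumption)
    as: a DEFCON 1 member may only reach the shared-services tier."""
    if "DEFCON 1" in security_groups(src) and dst.tier != "services":
        return False
    return any((sg, dg, service) in ALLOW
               for sg in security_groups(src) for dg in security_groups(dst))
```

Calling allowed() and effective_policy() on a web workload before and after adding the AdvancedMalware.Suspicious tag shows the web-to-app flow switching from permitted to denied while the DEFCON 1 controls are appended to its policy, without any firewall rule being edited.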
Case Study: WestJet Airlines. Richard Sillito, Solution Architect, IT Security, WestJet Airlines
The Call to Action: A Once in a Wave Opportunity
• 1st Wave: Mainframe | Terminal. Millions of users, thousands of apps.
• 2nd Wave: PC | Client/Server | LAN/Internet. Hundreds of millions of users, tens of thousands of apps.
• 3rd Wave: Cloud/SDDC | Mobile | Social | Big Data. Billions of users, millions of apps, trillions of devices.
Diagram labels: Security Teams; Security Vendors; Virtualization, the Goldilocks Zone for Security
Thank You
Fill out a survey: every completed survey is entered into a drawing for a $25 VMware company store gift certificate.