
Post on 23-Mar-2020


The Goldilocks Zone: Security and Architectural Implications of the SDDC

SEC1959-S

Tom Corn, SVP, VMware, Inc. – Security Products

Securing the Data Center

IT infrastructure: Network, Storage, Compute, Infrastructure Management & Orchestration, Application Infrastructure

Security infrastructure:
• Network: DFW, IDS/IPS, NGFW, WAF, AMP, SWG, DDoS
• Storage: Encryption, Key Management, Tokenization
• Compute: AV, HIPS, AMP, Encryption, Execution & Device Control
• Governance/Compliance: Vulnerability Mgmt, Log Mgmt, GRC, PUAM, Security Posture Management, DLP
• SOC: SIEM, Security Analytics, Forensics
• Identity Controls: IAM, IAG, Authentication, Access Control, Federation/SSO
• App/Database Controls: App/DB Activity Mon, App/DB Encryption, Fraud Analytics

A Picture of Diminishing Returns

The Only Thing Outpacing Security Spend… Is Security Losses

(Chart: IT Spend, Security Spend and Security Breaches over time)

Kill Chain: Anatomy of a Modern Attack

Phases: 1 Prep, 2 Intrusion, 3 Recon, 4 Recovery, 5 Act on Intent, 6 Exfiltration

1. Prep
• 1 Human Recon
• 2 Attack Vector R&D
• 3 Delivery Mechanism

2. Intrusion
• 4 Compromise Primary Entry Point
• 5 Install Command & Control I/F
(Strain A active, Strain B dormant)

3. Recon
• 6 Escalate Privileges on Primary Entry Point
• 7 Lateral Movement
• 8 Install C2 I/F, Wipe Tracks, Escalate Priv (shown repeated in the diagram)
(Strain A active)

4. Recovery
• Attack Identified: Response
• 9 Wake Up & Modify Next Dormant Strain
(Strain A active, Strain B active, Strain C dormant, Strain D dormant)

5. Act on Intent / 6. Exfiltration
• 10 Break into Data Stores
• 11 Parcel & Obfuscate
• 12 Exfiltration
• 13 Cleanup

Modern Attack: targeted, interactive & stealthy

(The same kill chain diagram, steps 1 to 13 with active and dormant strains, is repeated on this slide.)

Callouts: Stop Infiltration. Lack visibility & control to stop exfiltration.

Shift from…
• Perimeter-centric
• In-line prevention
• Managing compliance

to…
• Application & user-centric
• Analytics / Out-of-band mitigation
• Managing risk

3 Architectural Issues

Virtualization is the Key: as a ubiquitous abstraction layer between the applications and the infrastructure, it provides the “Goldilocks Zone” for security.

1. Segmentation: Logical Segmentation Problem. Lack ability to segment around application boundaries.
2. Policy: Compound Policy Problem. Lack mechanisms to orchestrate policy across controls.
3. Context: Context/Isolation Tradeoff. Lack the right telemetry / “handles” for security controls.

Common Thread: The Application

The Logical Segmentation Problem

(Diagram: a hyper-connected computing base, lateral movement, complex/comingled policy)

The Solution: Enforce segmentation around application boundaries versus the perimeter, physical zones or machines.

The Obstacle: We have no mechanism that maintains the relationship between the applications & the infrastructure.

The Compound Policy Problem

(Diagram: controls C1, C2, C3 must be in the right place and right order and share state; today this runs into choke points / scalability, complex distributed policy, and sharing state)

The Solution: A mechanism to insert and order security controls and policy around logical boundaries, and a mechanism for them to publish and share state.

The Obstacle: No such mechanism exists. We can insert on physical boundaries, and share state via point integrations and correlation.

The Context/Isolation Tradeoff

(Diagram: policy and analytics need both context and isolation. The endpoint side has context, such as HTTP://192.163.8.10:8080, HTTP://192.159.2.10:8080 and HTTP://192.162.5.8:8080; the network side has isolation but only IP/MAC handles such as 10.20.2.14 / 09:00:02:A3:D1:3D and 10.18.3.13 / 08:00:03:A4:C2:4C. Result: poor handles/telemetry for policy/analytics.)

The Solution: A ubiquitous mechanism for communicating telemetry with security controls that has the isolation properties of a network control point and the context of an endpoint agent.

The Obstacle: No such mechanism exists. We are forced to make the tradeoff.

3 Architectural Issues

Common Thread: The Application. Virtualization is the Goldilocks Zone for Security.

The three issues: 1. Segmentation (Logical Segmentation Problem), 2. Policy (Compound Policy Problem), 3. Context (Context/Isolation Tradeoff).

If we could…
• Segment along application boundaries and compliance scopes
• Provision and order controls along those boundaries
• Share context to and among controls

…then we can dramatically…
• Reduce our attack surface
• Simplify our policies
• Improve the effectiveness of all our controls

Putting Security Controls into the Virtualization Layer

Virtual Infrastructure provides three layers:
• Built-in Controls: Isolation / Segmentation / Access
• Security Service Provisioning & Orchestration
• Context: Security / Telemetry

Security Controls:
• Network: DFW, IDS/IPS, NGFW, WAF, AMP, SWG, DDoS
• Storage: Encryption, Key Management, Tokenization
• Governance/Compliance: Vulnerability Mgmt, Log Mgmt, GRC, PUAM, Security Posture Management, DLP
• Compute: AV, HIPS, AMP, Encryption, Execution & Device Control
• SOC: SIEM, Security Analytics, Forensics

Micro-segmentation

Logical segmentation around application boundaries

(Diagram: a perimeter firewall and an inside firewall in front of DMZ, Services and DB tiers; App 1, App 2 and App 3 are each segmented as their own application, with shared infrastructure services AD, NTP, DHCP, DNS and CERT)

Micro-segmentation

• Isolation: explicit allow communications (default deny)
• Secure Communications: structured secure communications
• Controls inserted on the application boundaries: NGFW, IPS, WAF

Advanced Context

The hypervisor can bridge the context / isolation gap

(Diagram: an endpoint agent has context but not isolation; a network device has isolation but not context; virtualization sits between the two)

Policy Orchestration

Security Group = Web Tier
Policy Definition: Standard Web Policy, Advanced Malware Protection

Advanced Malware Protection / DEFCON
Security Group = DEFCON 1
Members = {Tag = ‘AdvancedMalware.Suspicious’, DEFCON Network}
DEFCON 1 Policy: Gateway Authentication, 2 Factor, Ratchet back Access Controls, Increase Logging

(The slide is built up in three steps: first the Web Tier group with its standard policy, then the DEFCON 1 group whose membership is defined by the AdvancedMalware.Suspicious tag, then the DEFCON 1 policy that applies to members of that group.)
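The micro-segmentation and policy orchestration slides describe three mechanisms working together: security groups whose membership is defined by tags rather than addresses, rules ordered around logical boundaries, and explicit-allow isolation with default deny. The Python model below is an added example, not VMware or NSX code and not part of the deck. It takes only the AdvancedMalware.Suspicious tag and the DEFCON 1 policy items from the slide; the tier names, ports, the Auth Gateway group and the sample workloads are constructed assumptions. It shows why a dynamic group changes effective policy the moment another control publishes a tag, and why the DEFCON 1 rules must be ordered ahead of the standard web policy.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple

# Constructed model (not VMware/NSX code): security groups as membership
# predicates, an ordered rule set, and default-deny evaluation. Group names,
# tiers and ports are assumptions for the example; the tag name is from the slide.

ANY = "*"
SUSPICIOUS_TAG = "AdvancedMalware.Suspicious"


@dataclass
class Workload:
    name: str
    tier: str                         # assumed tiers: "web", "app", "db", "gateway"
    tags: Set[str] = field(default_factory=set)


@dataclass
class Rule:
    src: str                          # security group name, or ANY
    dst: str
    port: int                         # 0 means any port
    action: str                       # "allow" or "deny"
    log: bool = False                 # "Increase Logging" on the DEFCON 1 policy
    note: str = ""


# Security groups are predicates, so membership follows the workload's state.
# "DEFCON 1" is the dynamic group Members = {Tag = 'AdvancedMalware.Suspicious'}.
GROUPS: Dict[str, Callable[[Workload], bool]] = {
    "Web Tier":     lambda w: w.tier == "web",
    "App Tier":     lambda w: w.tier == "app",
    "DB Tier":      lambda w: w.tier == "db",
    "Auth Gateway": lambda w: w.tier == "gateway",
    "DEFCON 1":     lambda w: SUSPICIOUS_TAG in w.tags,
}


def groups_of(w: Workload) -> Set[str]:
    """Membership is recomputed on every lookup, so a tag set by another
    control (shared state) changes the effective policy immediately."""
    return {name for name, member in GROUPS.items() if member(w)}


# Ordering matters ("right place, right order"): the DEFCON 1 rules sit ahead of
# the standard web policy, otherwise a suspicious web host would still match
# the Web Tier -> App Tier allow rule.
DEFCON_1_POLICY: List[Rule] = [
    Rule("DEFCON 1", "Auth Gateway", 443, "allow", log=True,
         note="gateway authentication, 2-factor"),
    Rule("DEFCON 1", ANY, 0, "deny", log=True,
         note="ratchet back access controls"),
]
STANDARD_WEB_POLICY: List[Rule] = [
    Rule(ANY, "Web Tier", 443, "allow"),          # inbound to the web tier
    Rule("Web Tier", "App Tier", 8080, "allow"),
    Rule("App Tier", "DB Tier", 3306, "allow"),
]
RULES: List[Rule] = DEFCON_1_POLICY + STANDARD_WEB_POLICY   # then implicit default deny


def _matches(selector: str, w: Optional[Workload]) -> bool:
    """A selector is a group name or ANY; None stands for an external (Internet) peer."""
    if selector == ANY:
        return True
    return w is not None and selector in groups_of(w)


def evaluate(src: Optional[Workload], dst: Workload, port: int) -> Tuple[str, bool, str]:
    """First matching rule wins. No match means default deny, which is the
    isolation model on the micro-segmentation slide (explicit allow only)."""
    for r in RULES:
        if _matches(r.src, src) and _matches(r.dst, dst) and r.port in (0, port):
            return r.action, r.log, r.note
    return "deny", False, "default deny"


if __name__ == "__main__":
    # Constructed sample workloads.
    web1 = Workload("web-01", "web")
    app1 = Workload("app-01", "app")
    gw = Workload("auth-gw", "gateway")
    print("standard:", evaluate(web1, app1, 8080))        # allow, not logged
    web1.tags.add(SUSPICIOUS_TAG)                          # AMP control publishes the tag
    print("groups:", sorted(groups_of(web1)))              # now includes 'DEFCON 1'
    print("ratcheted:", evaluate(web1, app1, 8080))        # deny, logged
    print("gateway:", evaluate(web1, gw, 443))             # allow via 2-factor gateway, logged
```

The design point is that no rule refers to an IP or MAC address: the tag is the "handle" the slides ask for, and because membership is a predicate evaluated at lookup time, the workload moves into DEFCON 1 and out of its normal allow rules without anyone editing the rule set. Swapping the order of `DEFCON_1_POLICY` and `STANDARD_WEB_POLICY` makes the ratchet silently ineffective, which is the compound policy problem in miniature.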

Case Study: WestJet Airlines. Richard Sillito, Solution Architect, IT Security, WestJet Airlines

The Call to Action: A Once-in-a-Wave Opportunity

• 1st Wave: Mainframe | Terminal. Millions of users, thousands of apps.
• 2nd Wave: PC | Client/Server | LAN/Internet. Hundreds of millions of users, tens of thousands of apps.
• 3rd Wave: Cloud/SDDC | Mobile | Social | Big Data. Billions of users, millions of apps, trillions of devices.

Security Teams and Security Vendors: Virtualization, the Goldilocks Zone for Security

Thank You

Fill out a survey: every completed survey is entered into a drawing for a $25 VMware company store gift certificate.