Vmware Seminar Security & Compliance for the cloud with Trend Micro

Security and Compliance presentation at VMware VSS, with Trend Micro

Page 1

© 2009 VMware Inc. All rights reserved

Security and Compliance for the Cloud

Trevor Gerdes

Systems Engineer

[email protected]

Page 2

Disclaimer

This session may contain product features that are currently under development.

This session/overview of the new technology represents no commitment from VMware to deliver these features in any generally available product.

Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind.

Technical feasibility and market demand will affect final delivery.

Pricing and packaging for any new technologies or features discussed or presented have not been determined.

“These features are representative of feature areas under development. Feature commitments are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind. Technical feasibility and market demand will affect final delivery.”

Page 3

Agenda

• Overview of compliance and security requirements

• Foundations for virtual security

• Where can VMware help?

• How are our partners helping?

• Summary

Page 4

Agenda

• Overview of compliance and security requirements

• Foundations for virtual security

• Where can VMware help?

• How are our partners helping?

• Summary

Page 5

Compliance vs. Security

Compliance: Conforming to a set of rules or standards. This is generally confirmed by an assessor providing an opinion based on observation, inquiry, and inspection.

Security: Implementing technical, physical, and administrative controls to provide confidentiality, integrity, availability, accountability and assurance.

Page 6

Compliance requirements affecting your customers

PCI-DSS

Government regulation

SOX

ISO

Internal

Page 7

Why is PCI so Hard for Virtualization?

Technology changes faster than any standard (including the PCI DSS)

PCI applies to all systems “in scope”

Segmentation defines scope

The DSS is vendor agnostic

Most whitepapers are written for security, not compliance

“If network segmentation is in place and will be used to reduce the scope of the PCI DSS assessment, the assessor must verify that the segmentation is adequate to reduce the scope of the assessment.” - (PCI DSS p.6)

Page 8

What is “In-scope”

All systems that store, process, or transmit cardholder data, and all system components that are in or connected to the cardholder data environment (CDE).

What’s unique in a virtual environment?

Storage

• Data that used to reside only in memory could be written to disk (encryption keys, PAN), for example in the VM’s swap file or in snapshot and suspend files

• The integrity of data can now be altered in several locations (e.g., a log server that is stored as a VM on the ESX host)

• SAN: can VMs be altered in storage? How will you know?

Transmission

• Data that used to physically reside in one location could now be transmitted logically across the network (e.g., VMotion, pulling images from a SAN, storage)

• Authentication controls (how can you ensure that authentication systems cannot be bypassed?)

• What “system components” could be used to sniff sensitive data?

Segmentation

• Defining system boundaries can be more difficult, with virtual firewalls, virtual switches, VLANs, and High Availability switches.

• Mixed mode environments, multi-tenancy.

• Can all system components in the virtual environment meet ALL PCI controls?
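The “memory written to disk” point above is concrete enough to check for. The following is an added example, not code from this deck or from VMware: it scans a VM memory artifact (the .vswp swap file, or the .vmsn/.vmss file a snapshot or suspend writes) for digit runs that pass the Luhn check, which is the same filter a PCI data-discovery scanner applies before reporting a PAN. The artifact bytes, the file name and the test card numbers are constructed for the example.

```python
import mmap
import re

# Added example: scan a VM memory artifact (.vswp swap file, .vmsn/.vmss snapshot or
# suspend file copied from the datastore) for Luhn-valid card numbers. Constructed
# sample bytes stand in for a file; the PANs are the public test numbers, not real cards.
SAMPLE_ARTIFACT = (
    b"\x00\x00HTTP/1.1 200 OK\r\n"
    b"card=4111111111111111&exp=1214\x00\x00"        # Visa test PAN, Luhn-valid
    b"order_id=1234567890123456\x00"                 # 16 digits but fails Luhn: noise
    b"\x00pan: 5555 5555 5555 4444 cvv=***\x00"      # MasterCard test PAN, space-separated
    b"\xff\xfeamex=3782 822463 10005\x00"            # Amex test PAN, 15 digits
)

# 13 to 19 digits, optionally separated by single spaces or dashes, not inside a longer digit run.
PAN_RE = re.compile(rb"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation; filters out most digit runs that are not a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """PCI DSS 3.3 display form: at most the first six and last four digits visible."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_artifact(data, filename="<memory>"):
    """Return one finding per Luhn-valid PAN in a bytes-like object (bytes or mmap)."""
    findings = []
    for m in PAN_RE.finditer(data):
        digits = re.sub(rb"[ -]", b"", m.group()).decode("ascii")
        if luhn_ok(digits):
            findings.append({"file": filename, "offset": m.start(),
                             "length": len(digits), "pan": mask(digits)})
    return findings


def scan_file(path):
    """Scan a multi-GB artifact without reading it into memory: re accepts an mmap."""
    with open(path, "rb") as fh, mmap.mmap(fh.fileno(), 0, access=mmap.ACCESS_READ) as mm:
        return scan_artifact(mm, path)


if __name__ == "__main__":
    for f in scan_artifact(SAMPLE_ARTIFACT, "vm01.vswp"):
        print(f"{f['file']}: offset {f['offset']}, {f['length']}-digit PAN {f['pan']}")
```

Run `scan_file()` against a copy of the artifact taken from the datastore rather than the live file, and treat every hit as a scoping finding: the datastore, the backup that holds it and anyone with access to either are then inside the CDE.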

Page 9

Aren’t firewalls required for segmentation?

QSAs have historically relied on stateful firewalls for network segmentation

PCI allows for “other technology” as an acceptable means of segmentation

How do firewalls impact the flow of data unique to a virtual environment (VMotion, pulling images from a SAN, taking “dirty” snapshots)?

“Network segmentation can be achieved through internal network firewalls, routers with strong access control lists or other technology that restricts access to a particular segment of a network.” – PCI DSS p. 6

Page 10

Why are Virtual Environments Perceived As So Much Harder?

1. System boundaries are not as clear as their non-virtual

counterparts

2. Even the simplest network is rather complicated

3. More components, more complexity, more areas for risk

4. Digital forensic risks are more complicated

5. More systems are required for logging and monitoring

6. More access control systems

7. Memory can be written to disk

8. Many applications and O/S were not designed for Virtualization

9. VM Escape?

10. Mixed Mode environments

Page 11

“System Boundaries” are not as Clear as their Non-Virtual Counterparts

Basic Web Server and Database

[Diagram: Standard Environment compared with Virtual Environment]

Page 12

Agenda

• Overview of compliance and security requirements

• Foundations for virtual security

• Where can VMware help?

• How are our partners helping?

• Summary

Page 13

Enterprise Security today – not virtualized, not cloud ready

[Diagram: Users, DMZ, Web Servers, Apps / DB Tier across the Enterprise VDC and Sites]

Perimeter/DMZ

- Threat mitigation

- Perimeter security products w/ FW/VPN/IPS

- Hardware sprawl, expensive

Interior security

- Segmentation of applications and servers

- VLAN or subnet based policies

- VLAN sprawl, complex

Endpoint security

- Protecting the endpoint

- AV, HIPS agent based security

- Agent sprawl, cumbersome

Page 14

Foundations of Virtual Security: Secure Deployment

VMware Security Hardening Guides

• Being provided for major platform products

• vSphere 4.x

• VMware vCloud Director

• View

• Important for architecture and deployment related controls

[Diagram: ESX/ESXi host with separate vSwitches, each on its own vnic, for the Production network, the VMkernel and the Mgmt/Storage network; vCenter, IP-based storage and other ESX/ESXi hosts attach to the Mgmt network, workloads to the Prod network]

vSphere Security Hardening Guide

http://www.vmware.com/resources/techresources/10109
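The hardening guide linked above is a list of per-VM and per-host settings, and the deployment control is only as good as the check that those settings are actually present on every VM. What follows is an added example, not VMware’s tooling: a parser for the .vmx `key = "value"` format that reports each baseline key that is missing or set to the wrong value, and writes the corrected file. The isolation.* and RemoteDisplay.* keys are real .vmx keys; the expected values and the sample .vmx are assumptions of this example, so reconcile the baseline against your own copy of the guide before relying on it.

```python
import re

# Added example. VM-level settings named in the vSphere 4.x Security Hardening Guide
# (the isolation.*, RemoteDisplay.* and log.* keys are real .vmx keys); the expected
# values are an assumed baseline for this example, not a copy of the guide.
BASELINE = {
    "isolation.tools.copy.disable": "TRUE",
    "isolation.tools.paste.disable": "TRUE",
    "isolation.tools.setGUIOptions.enable": "FALSE",
    "isolation.tools.diskShrink.disable": "TRUE",
    "isolation.tools.diskWiper.disable": "TRUE",
    "isolation.device.connectable.disable": "TRUE",
    "isolation.device.edit.disable": "TRUE",
    "RemoteDisplay.maxConnections": "1",
    "log.keepOld": "10",
}

# Constructed sample: a freshly created VM's .vmx before hardening. Two keys carry
# the insecure value, one is present and fine, the rest are absent (platform default).
SAMPLE_VMX = """\
.encoding = "UTF-8"
config.version = "8"
virtualHW.version = "7"
displayName = "web01"
guestOS = "rhel5-64"
isolation.tools.copy.disable = "FALSE"
isolation.tools.paste.disable = "false"
isolation.tools.diskShrink.disable = "TRUE"
RemoteDisplay.maxConnections = "5"
ethernet0.present = "TRUE"
"""

# key = "value"; .vmx keys are compared case-insensitively, values too (TRUE/true)
VMX_LINE = re.compile(r'^\s*([A-Za-z0-9_.:-]+)\s*=\s*"?([^"]*)"?\s*$')


def parse_vmx(text):
    """Map of lower-cased key -> value; blank lines and # comments are skipped."""
    settings = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = VMX_LINE.match(line)
        if m:
            settings[m.group(1).lower()] = m.group(2).strip()
    return settings


def check_vmx(text, baseline=BASELINE):
    """Return (key, actual, expected) for each baseline key that is missing or wrong.
    A missing key means the VM runs with the platform default, and that default has
    changed between releases (clipboard copy/paste was on by default before vSphere
    4.1), so absence is reported as a finding and the key is always set explicitly."""
    settings = parse_vmx(text)
    findings = []
    for key, expected in baseline.items():
        actual = settings.get(key.lower())
        if actual is None:
            findings.append((key, "<missing>", expected))
        elif actual.lower() != expected.lower():
            findings.append((key, actual, expected))
    return findings


def harden_vmx(text, baseline=BASELINE):
    """Return the .vmx text with every baseline key at its expected value: existing
    lines are rewritten in place, missing keys appended. Edit the file only while the
    VM is powered off (the running vmx process rewrites it), or set the same keys
    through the vSphere Client advanced settings instead."""
    wanted = {k.lower(): (k, v) for k, v in baseline.items()}
    out, seen = [], set()
    for line in text.splitlines():
        m = VMX_LINE.match(line)
        if m and m.group(1).lower() in wanted:
            key, value = wanted[m.group(1).lower()]
            out.append(f'{key} = "{value}"')
            seen.add(key.lower())
        else:
            out.append(line)
    for k, (key, value) in wanted.items():
        if k not in seen:
            out.append(f'{key} = "{value}"')
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for key, actual, expected in check_vmx(SAMPLE_VMX):
        print(f"{key}: found {actual}, expected {expected}")
    print(harden_vmx(SAMPLE_VMX))
```

Pointing `check_vmx()` at every .vmx on a datastore gives the “is the hardening guide actually applied?” answer an assessor will ask for, and re-running it after `harden_vmx()` should return an empty list.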

Page 15

Foundations of Virtual Security: Securing Virtual Machines

Guest

• Anti-Virus

• Patch Management

• OS hardening and compliance

Network

• Intrusion Detection/Prevention (IDS/IPS)

Edge

• Firewalls

Provide the same protection as for physical servers

Page 16

Foundations of Virtual Security: Virtual Trust Zones

[Diagram: an ESX/ESXi host running three groups of VMs (Web servers, Application servers, Database servers) in separate Web, Application and Database zones between the Internet and the Intranet, with Firewall / IDS / IPS virtual appliance(s) between the zones; the host’s management interface, the VMkernel and the vCenter Server system sit on a Management LAN separate from the Production LAN]

Page 17

Agenda

• Overview of compliance and security requirements

• Foundations for virtual security

• Where can VMware help?

• How are our partners helping?

• Summary

Page 18

Virtualization Controls for Security

Network Controls

Change Control and Configuration Management

Access Controls & Management

Vulnerability Management

Page 19

vShield - Comprehensive Security for Cloud Infrastructure

[Diagram: vShield Endpoint in the guest, vShield App between VMs, vShield Edge at the Org boundary]

Defense in Depth from inside the Guest to the Edge of the Cloud

Accreditations and Certifications: firewall certification in progress H2/2011

Page 20

vShield Edge: Secure the Edge of the Virtual Data Center

Features

• Multiple edge security services in one appliance

• Stateful inspection firewall

• Network Address Translation (NAT)

• Dynamic Host Configuration Protocol (DHCP)

• Site to site VPN (IPsec)

• Web Load Balancer

• Edge port group isolation

• Detailed network flow statistics for chargebacks, etc.

• Policy management through UI or REST APIs

• Logging and auditing based on industry standard syslog format

[Diagram: Tenant A through Tenant X, each behind its own vShield Edge providing load balancer, firewall and VPN]

Page 21

vShield Edge Network Topology

Page 22

vShield App/Zones: Application Protection for Network Based Threats

[Diagram: DMZ, PCI and HIPAA zones sharing the same hosts]

Features

• Hypervisor-level firewall

• Inbound, outbound connection control applied at vNIC level

• Elastic security groups - “stretch” as virtual machines migrate to new hosts

• Robust flow monitoring

• IP address protection management

• Policy management

• Simple and business-relevant policies

• Managed through UI or REST APIs

• Logging and auditing based on industry standard syslog format
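The PCI quotes earlier (“the assessor must verify that the segmentation is adequate”) and the vNIC-level, security-group policy this slide describes fit together: scope is whatever the policy lets reach the CDE, and the flow records are the evidence that the policy is actually in the path. The following is an added example, not VMware’s policy model, API or log format: a small first-match policy keyed on security-group membership (so it follows the VM across hosts rather than binding to a host or VLAN), a scope calculation over it, and a check of constructed flow records against it. All VM names, groups, rules and flows are made up for the example.

```python
# Added example (not VMware's policy model or API): a vNIC-level policy keyed on
# security-group membership, evaluated the way a QSA scopes a PCI assessment.
# VM names, groups, rules and the flow records are all constructed for this example.

# Security groups are attached to the VM, not to a host, VLAN or IP address, so the
# policy follows the VM through VMotion ("stretch").
GROUPS = {
    "web01": {"Web"},
    "web02": {"Web"},
    "app01": {"App", "PCI"},
    "db01": {"DB", "PCI"},
    "jump01": {"Mgmt"},
    "wiki01": {"Corp"},
}
CDE = {"PCI"}  # groups whose members store, process or transmit cardholder data

# (src_group, dst_group, proto, dst_port, action); first match wins, implicit default deny.
RULES = [
    ("Web", "App", "tcp", 8443, "allow"),
    ("App", "DB", "tcp", 1433, "allow"),
    ("Mgmt", "PCI", "tcp", 22, "allow"),
    ("ANY", "PCI", "ANY", None, "deny"),     # nothing else may enter the CDE
    ("ANY", "ANY", "ANY", None, "allow"),    # non-CDE traffic is unrestricted here
]


def _in_group(scope, vm, groups):
    return scope == "ANY" or scope in groups.get(vm, set())


def evaluate(src_vm, dst_vm, proto, port, groups=GROUPS, rules=RULES):
    """Action applied to a new connection at the destination VM's vNIC."""
    for r_src, r_dst, r_proto, r_port, action in rules:
        if not (_in_group(r_src, src_vm, groups) and _in_group(r_dst, dst_vm, groups)):
            continue
        if r_proto != "ANY" and r_proto != proto:
            continue
        if r_port is not None and r_port != port:
            continue
        return action
    return "deny"


def in_scope_vms(groups=GROUPS, rules=RULES, cde=CDE):
    """PCI scope: CDE members plus every VM the policy lets initiate a connection to a
    CDE member on any service an allow rule names. A VM that can reach the CDE is
    "connected to" it and must meet all DSS controls, whatever VLAN it sits on."""
    cde_vms = {vm for vm, g in groups.items() if g & cde}
    services = {(p, port) for _, _, p, port, act in rules if act == "allow"}
    scope = set(cde_vms)
    for vm in groups:
        if vm in cde_vms:
            continue
        if any(evaluate(vm, dst, p, port, groups, rules) == "allow"
               for dst in cde_vms for p, port in services):
            scope.add(vm)
    return scope


def unexpected_flows(flows, groups=GROUPS, rules=RULES):
    """Flows recorded by flow monitoring that the policy should have blocked. Seeing
    one means enforcement is not in the path for that vNIC (VM on an unprotected
    port group, or a second vNIC outside the zone), so the segmentation is not adequate."""
    return [f for f in flows if evaluate(*f, groups=groups, rules=rules) == "deny"]


# Constructed flow records: (src_vm, dst_vm, proto, dst_port)
FLOW_LOG = [
    ("web01", "app01", "tcp", 8443),
    ("app01", "db01", "tcp", 1433),
    ("wiki01", "db01", "tcp", 1433),   # corporate wiki talking to the PCI database
    ("web02", "db01", "tcp", 1433),    # web tier bypassing the application tier
    ("jump01", "db01", "tcp", 22),
]

if __name__ == "__main__":
    print("in scope:", sorted(in_scope_vms()))
    for f in unexpected_flows(FLOW_LOG):
        print("segmentation gap:", f)
```

Two things an assessor will want from a model like this: the scope list, which shows that the web tier is in scope even though it holds no cardholder data because it may open connections into the CDE, and the list of observed-but-denied flows, which is the proof (or disproof) that the policy was enforced at every vNIC rather than merely written.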

Page 23

vShield Zones/App Topology

Page 24

Customers Trust What They Know – 2 Segment Preferences

[Diagram: VI Architects favour vShield App (Secure Private Cloud); Network Security favours vShield Edge (“Air Gapped” Pods, Mixed Trust Hosts)]

• VI Architects who understand the power of virtualization and introspection expect to deploy vShield App, but want it in cloud environments in addition to vShield Edge

• IT Security and Network Security see vShield Edge as a natural bridge from what they know and understand in the physical security world and are looking to find a fit within their existing mixed trust host and air gapped pod network designs, VLANs, etc.

Page 25

vShield Endpoint: Endpoint Security for Virtual Data Centers and Cloud Environments

Improves performance and effectiveness of existing endpoint security solutions

Features

• Offload of AV functions

• Hardened security virtual machine

• Offload file activity to the security VM

• Manage AV service across VMs

• Enforce remediation using a driver in the VM

• Partner integrations through the EPSEC API - Trend Micro, Symantec, McAfee

• Policy management: built-in or customizable with REST APIs

• Logging of AV file activity

Page 26

Efficient Antivirus as a Service for Virtual Datacenters

• File-scanning engines and virus definitions offloaded to the security VM – scheduled and realtime

• Thin file-virtualization driver in-guest: >95% reduction in guest footprint (eventually fully agentless)

Deployable as a service

• No agents to manage - thin guest driver to be bundled with VMware Tools

• Turnkey, security-as-a-service delivery

Applicable to all virtualized deployment models – private clouds (virtual datacenters), public clouds (service providers), virtual desktops

[Diagram: VMware vSphere hosting a hardened AV security VM (SVM) that uses introspection to inspect several guest VMs (APP / OS kernel / BIOS)]

Tighter collaborative effort with leading AV partners

Hypervisor-based introspection for all major AV functions

Page 27

vCenter Configuration Manager

Drive IT compliance to lower risk

• Ensure compliance with various industry and regulatory standards on a continuous basis

• Quickly remediate problems

Mitigate outages through approved change processes

• Detailed understanding and tracking of changes

• Control change by following your closed-loop change management process

Harden your environment and reduce potential threats and breaches

Compliance through unified patching and provisioning

• Provision Linux, Windows and ESX images

• Assess and patch Windows, UNIX, Mac, etc.

Control your virtual infrastructure

• Fight VM sprawl & decommissioning issues

• Improved virtual troubleshooting

• Single pane of glass

Page 28

Manage & Measure Compliance

Deep collection and visibility

• Virtual and physical machines

• Desktops and servers

• Spans a large array of OSs

Built-in compliance tool kits

• Regulatory: SOX, HIPAA, GLBA, FISMA, DISA, ISO 27002

• Industry: PCI DSS, NERC/FERC

• Security: CIS certified benchmarks, DISA and NIST security hardening guides, vendor specific hardening guidelines

• vSphere hardening: VMware best practices, CIS benchmark

Automated & continuous enterprise compliance posture

Dashboards provide “at-a-glance” health

[Diagram: compliance toolkit logos – FISMA, HIPAA, NERC/FERC, ISO 27002, CIS Benchmarks, PCI DSS, GLBA, SOX, NIST, DISA, CIS, VMware]

Page 29

vCenter Application Discovery Manager

• Get and keep a fast and accurate data center view – across virtual and physical

• Precise visibility into all application interactions via a network-based approach

• Eye-opening discovery of unknown, unwanted, & unexpected application behaviors and dependencies

• Application-aware data center moves & consolidations, migrations, and DR plans

Page 30

Business Application Dependency Mapping

[Diagram: application layers and DB layer of one business application]

Provides a detailed and accurate infrastructure layout of a given business application

– Virtual and physical servers

– Services

– Interdependencies

The first step to understanding a business application is to map out its internal dependencies

Required for any major data center project (e.g. DR, migration, consolidation)

Page 31

Agenda

• Overview of compliance and security requirements

• Foundations for virtual security

• Where can VMware help?

• How are our partners helping?

• Summary

Page 32

Welcome to the stage Trend Micro

Page 33

Agenda

• Overview of compliance and security requirements

• Foundations for virtual security

• Where can VMware help?

• How are our partners helping?

• Summary

Page 34

What Compliance Benefits are there for Virtual Environments?

1. Repeatable security

2. Scalable controls

3. Risk aggregation/concentration

4. Improve security without impacting operations

5. Stronger/quicker configuration management

6. More money can be spent on security controls

7. Quickly provision and release with minimal management

8. Faster recovery after an attack

9. Ability to quickly capture and isolate compromised VMs

Page 35

Security Advantages of Virtualization

Allows Automation of Many Manual Error Prone Processes

Cleaner and Easier Disaster Recovery/Business Continuity

Better Forensics Capabilities

Faster Recovery After an Attack

Patching is Safer and More Effective

Better Control Over Desktop Resources

More Cost Effective Security Devices

App Virtualization Allows de-privileging of end users

Better Lifecycle Controls

Security Through VM Introspection

Page 36

Where to Learn More

Security

• Hardening Best Practices

• Implementation Guidelines

• http://vmware.com/go/security

Compliance

• Partner Solutions

• Advice and Recommendation

• http://vmware.com/go/compliance

Operations

• Peer-contributed Content

• http://viops.vmware.com

Page 37

Thank you. Trevor Gerdes – [email protected]