Secure the Journey to the Private Cloud

Business drivers like efficiency and optimization make virtualization and the cloud the best places to be.
However, security can be perceived as a roadblock on your path to the cloud. Regulations require that
you can attest to confidentiality, integrity and availability in these flexible environments. Learn how to solve the
security and compliance challenges.

Secure the Journey to the Private Cloud Presentation Transcript

  • 1. Securing the Journey to a Private Cloud. Rashmi Tarbatt, Chief Security Architect EMEA
  • 2. Cloud Computing by NIST and VMware
    Cloud Computing is an approach to computing that leverages the efficient pooling of on-demand, self-managed virtual infrastructure, consumed as a service. Cloud is a way of doing computing.
    Diagram: Enterprises – Bridging – Cloud Service Providers
    – Private Cloud: operated solely for an organization, typically within the firewall
    – Hybrid Cloud: composition of 2 or more interoperable clouds, enabling data and application portability
    – Public Cloud: accessible over the Internet for general consumption
  • 3. Voice of the Customer
    – Business Objective (CIO): Accelerate/start virtualization of business critical apps to continue optimizing costs
    – Business Objective (CISO): Manage risk and compliance while going from IT production to business production
    – Pain: Security technologies and professionals have not kept up with virtualization. Have to resort to physical isolation, which restricts server consolidation
    – Pain: Maintaining separation of duties and managing risk of privileged user abuse despite convergence of infrastructure layers
    – Opportunity: Leverage virtualization to improve security enforcement and management
    – Pain: Perceived vulnerability of the hypervisor, which could become the weakest link
    – Pain: High cost and difficulty of responding to compliance audits for virtual environments
    – Pain: Mistakes can be amplified due to rate and ease of change in virtual environments
    – Pain: Lack of consistency in physical and virtual security increases cost and complexity of virtualization
  • 4. Security Considerations for the Journey
    – Separation of duties is challenged
    – Need to retrain and reorient ops teams
    – Opportunity to improve security operations
    – Consolidation of IT infrastructure on top of a new software layer below the OS layer
    – A vantage security enforcement point
    – Visibility into external service providers
    – Secure multi-tenancy concerns
    – Trustworthiness
    Diagram: administrator roles (Network admin, Security admin, Host administrator, Virtualization admin) around a virtual host stack (Apps, Guest OS, Virt. FW, Virt. switch, Hypervisor, Hardware) delivering IT-as-a-Service
  • 5. The Journey to the Private Cloud
    Diagram: three stages, IT Production (Lower Costs), Business Production (Improve Quality Of Service), IT-As-A-Service (Improve Agility); % Virtualized scale 15%, 30%, 70%, 85%, 95%; High Availability, Data Protection
  • 6. How We Do It: System for Managing Security, Risk and Compliance
    Diagram: Business Drivers feed Manage Governance, Risk + Compliance (Assess Risk and Define Policy; Monitor | Audit | Report); the pipeline Collect, Map to Controls, Add Context, Correlate, Report runs over Identities, Infrastructure and Information, with the functions Manage, Monitor, Detect, Enforce
  • 7. How We Do It: System for Managing Security, Risk and Compliance (with products)
    Diagram: Business Context feeds Manage Governance, Risk + Compliance (Define Policy, Report On Risk; Monitor | Audit | Report) delivered by RSA Archer eGRC Suite and RSA enVision (Add Context, Assess Compliance, Map to Controls, Correlate)
    – Identities / Access: Authentication, Provision, Fraud Prevention (SecurID, Adaptive Auth, Federated Identity Mgr, Identity Verification, Transaction Monitoring, eFraud Network Partners, Fraud Action, App Access Manager)
    – Infrastructure: Ionix Config Mgmt, Network Security Feeds, Endpoint Security Feeds, Infrastructure Feeds, Cisco IronPort, Network Partners, Endpoint, Microsoft RMS
    – Information: Data Loss Prevention, Encryption & Tokenization (DLP, RKM, RKM DC, BSAFE, Tokenization)
    Functions: Manage, Monitor, Detect, Enforce
  • 8. Securing the Journey to The Private Cloud: Stage 1 – Securing Infrastructure
    Diagram: journey stages IT Production (Lower Costs), Business Production (Improve Quality Of Service), IT-As-A-Service (Improve Agility); % Virtualized 15%, 30%, 70%, 85%, 95%; High Availability, Data Protection
    – Visibility into virtualization infrastructure, privileged user monitoring, access mgmt, network security, infrastructure compliance
  • 9. Stage 1 - Securing Infrastructure
    – Extend existing security controls to the new virtualization infrastructure
    – Platform hardening (e.g., VMware vSphere hardening guides)
    – Strong authentication and role separation for administrators
    – Privileged user monitoring and security event reporting
    – Change and configuration management
    – Virtual firewalls/AV
  • 10. GRC - Achieving Business Context
    – Define & Manage Business Drivers: Identify what you care about: Business Drivers, Objectives and Governance, Regulatory Requirements
    – Controls: Implement Controls to ensure the achievement of the Business Drivers and monitor them relentlessly using People, Processes, Information & Technology
    – Visibility: Gain Visibility of control failures and risks within Operational Infrastructure: Risks, threats, incidents, or compliance deficiencies
    – Mitigation: Prioritize mitigation resources in the context of the Business Drivers and Controls Objectives
    – Execution and Monitoring across the Operational Infrastructure: Orchestrate the remediation of the risks and compliance issues with continuous monitoring; Adapt the control framework and operational infrastructure
  • 11. The Case for Business Context: Security Management Example
    – Industry Standard: Payment Card Industry (PCI) Security Governance Standard
    – Define & Manage Business Drivers: Sensitive Data Storage Policy: Credit card data stored securely to support business processes
    – Controls: Technical Control: Credit Card data at rest must be encrypted with appropriate access control
    – Visibility (Data Visualization): Data Loss Prevention (DLP) scans reveal files with non-encrypted credit card data; File / folder owners
    – Mitigation: Questionnaires targeted at file owners to obtain business use of data; Identify requirements and manage mitigation
    – Execution and Monitoring across the Operational Infrastructure
  • 12. Platform in Action – Cloud Security and Compliance
    – 1. Discover VMware Infrastructure & Define Security Policy: Over 100 VMware-specific controls added to the Archer library, mapped to Authoritative Sources
    – 2. Manual and automated configuration assessment: New component scans and automatically assesses VMware configuration to check compliance with controls
    – 3. Remediation of non-compliant controls: Remediation workflow to manage non-compliance and risk mitigation
    – 4. Manage Security incidents that affect compliance: RSA enVision collects, analyzes and feeds security incidents from RSA, VMware and ecosystem products for visualization in Archer
    – RSA SecurBook for guidance deploying and operating the solution
  • 13. Technology Integrations
    – Risk Content
    – Regulatory Content
    – Vulnerability Scanners
    – Continuous Controls Monitoring
    – Patch Management
    – Databases
    – CMDBs
    – Emergency Notifications
    – Security Event and Information Management
  • 14. Security Challenges in the Virtual Data Center
    – Control access to sensitive data in an increasingly fluid virtual machine environment
    – Strong authentication of privileged users
    – Ease of integration with existing security operations
    – Full visibility into security-relevant events across the virtual stack for compliance reporting
    Diagram: the virtual stack, Security over VMware Virtualization (APP / OS pairs), Server (Cisco UCS), Network (Cisco Switches), Storage (Symmetrix, CLARiiON, V-Max)
  • 15. Accelerate Mission Critical Virtualization
    – Protect Identities. Benefit: Assure authorized access into every layer of the virtual environment. Capability: Strong authentication into VMware View, ESX Service Console, vSphere Management Assistant
    – Monitor Infrastructure. Benefit: Ensure compliance across virtual and physical with a single platform. Capability: Security Information and Event Management support for VMware View, ESX, vCenter, vSphere
    – Secure Information. Benefit: Secure sensitive data on virtual servers to meet security and compliance requirements. Capability: Data Loss Prevention protects sensitive data on virtual servers
  • 16. Secure the Core Vblock Platform
    Diagram: IT Operations (vSphere, vSphere Management Assistant, UCS, Storage) and Security Operations
    – RSA SecurID: Strong authentication before access to ESX Service Console and vSphere Management Assistant
    – RSA enVision: Comprehensive visibility into security events; Security incident management, compliance reporting
    – vBlock Security Guidance
  • 17. Securing the Journey to The Private Cloud: Stage 2 – Securing Information
    Diagram: journey stages IT Production (Lower Costs), Business Production (Improve Quality Of Service), IT-As-A-Service (Improve Agility); % Virtualized 15%, 30%, 70%, 85%, 95%; High Availability, Data Protection
    – Information-centric security, risk-driven policies, IT and security operations alignment, information compliance
    – Visibility into virtualization infrastructure, privileged user monitoring, access management, network security, infrastructure compliance
  • 18. VMware vShield Zones and RSA® Data Loss Prevention (Proof of Concept)
    – VMware vShield Zones provides isolation between groups of VMs in the virtual infrastructure
    – Leverages the capabilities of vShield Zones to deploy DLP as a virtual application monitoring data traversing virtual networks
    – Uses centrally managed policies and enforcement controls to prevent data loss in the virtual datacenter
    – Customer Benefits: Pervasive protection, Persistent protection, Improved scalability
    Diagram: Virtual Infrastructure with VMware vShield zones grouping APP / OS VMs, DLP virtual appliances on each zone, VMware vSphere, Physical Infrastructure
  • 19. Securing Critical Apps Example: Secure Virtual Desktops
    – Ionix SCM for security configuration and patch management
    – RSA DLP for protection of data-in-use
    – Microsoft Active Directory for authentication
    – RSA SecurID for remote authentication
    – VMware Infrastructure: VMware View Manager, VMware vCenter, Clients
    – RSA SecurID for ESX Service Console and vMA & ESX
    – RSA enVision log management for: VMware vCenter, RSA Data Loss Prevention, VMware View, Microsoft Active Directory, Ionix SCM, RSA SecurID, Cisco UCS, EMC Storage
  • 20. RSA SecurBook for VMware View
    – RSA Solutions: Multi-product solutions; Validated in the RSA Solutions Center
    – RSA SecurBooks: Guides for planning, deploying, and administering RSA solutions; Comprehensive reference architecture, screenshots, practical guidance
  • 21. Securing the Journey to The Private Cloud: Stage 3 – Secure ITaaS
    Diagram: journey stages IT Production (Lower Costs), Business Production (Improve Quality Of Service), IT-As-A-Service (Improve Agility); % Virtualized 15%, 30%, 70%, 85%, 95%; service tiers Platinum, Gold
    – Information-centric security, risk-driven policies, IT and security operations alignment, information compliance
    – Visibility into virtualization infrastructure, privileged user monitoring, access management, network security, infrastructure compliance
    – Secure multi-tenancy, verifiable chain of trust
  • 22. Secure Multitenancy Isolation with Vblock
    PREVENTIVE CONTROLS
    – ESX/ESXi VM isolation, resource reservation / limits (VMware vSphere)
    – Firewall for traffic into and between tenant networks (VMware vShield Zones)
    – Dedicated tenant VLANs, anti-spoofing (Cisco Nexus 1000v, VMware vSwitch)
    – Dedicated Service Profiles, virtualized n/w adapters (Cisco UCS)
    – Dedicated tenant VSANs (Cisco MDS)
    – Dedicated LUNs, LUN masking, port zoning, dedicated NAS file share exports per tenant (EMC Symmetrix, CLARiiON)
    DETECTIVE CONTROLS
    – Vblock comprehensive and real time security event monitoring and alerting with RSA enVision ensures that any change in isolation configuration is detected
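    The preventive and detective controls on this slide reduce to one rule that can be checked mechanically: a tenant VLAN is never shared, and any change that puts a VM on another tenant's VLAN must raise an alert. The block below is an added example (not the presentation's or any RSA/VMware product's code) that runs the preventive check over a constructed inventory and the detective check over constructed change events; the event fields are an assumption for this illustration, not the vCenter or enVision format.

```python
"""Tenant VLAN isolation: preventive check over an inventory and detective
check over change events. Added illustration; inventory and event formats
are constructed for this example, not vendor formats."""
from collections import defaultdict

# Constructed inventory: owning tenant per VM and the VLAN each VM's
# virtual NIC is attached to. Policy: one dedicated VLAN per tenant.
TENANT_OF_VM = {"web-a": "tenantA", "db-a": "tenantA",
                "web-b": "tenantB", "db-b": "tenantB"}
VLAN_OF_VM = {"web-a": 101, "db-a": 101, "web-b": 202, "db-b": 202}

def tenant_vlans(vlan_of_vm, tenant_of_vm):
    """Map each tenant to the set of VLANs its VMs sit on."""
    vlans = defaultdict(set)
    for vm, vlan in vlan_of_vm.items():
        vlans[tenant_of_vm[vm]].add(vlan)
    return vlans

def shared_vlans(vlan_of_vm, tenant_of_vm):
    """Preventive check: VLANs reachable by more than one tenant."""
    owners = defaultdict(set)
    for tenant, vlans in tenant_vlans(vlan_of_vm, tenant_of_vm).items():
        for vlan in vlans:
            owners[vlan].add(tenant)
    return {vlan: sorted(t) for vlan, t in owners.items() if len(t) > 1}

def detect_isolation_changes(events, vlan_of_vm, tenant_of_vm):
    """Detective check: replay vNIC reconfiguration events against a copy
    of the inventory and report each one that breaks the dedicated-VLAN rule."""
    state = dict(vlan_of_vm)  # do not mutate the caller's inventory
    alerts = []
    for ev in events:
        if ev["type"] != "vnic_reconfigured":
            continue
        state[ev["vm"]] = ev["new_vlan"]
        for vlan, tenants in shared_vlans(state, tenant_of_vm).items():
            alerts.append(f"{ev['time']}: {ev['user']} moved {ev['vm']} to "
                          f"VLAN {vlan}, now shared by {', '.join(tenants)}")
    return alerts

# Constructed change events (field names are an assumption for this example).
EVENTS = [
    {"time": "10:01", "user": "ops1", "vm": "db-a", "type": "vm_powered_on"},
    {"time": "10:05", "user": "ops2", "vm": "web-b",
     "type": "vnic_reconfigured", "new_vlan": 101},
]

if __name__ == "__main__":
    print(shared_vlans(VLAN_OF_VM, TENANT_OF_VM))  # {} before any change
    for line in detect_isolation_changes(EVENTS, VLAN_OF_VM, TENANT_OF_VM):
        print("ALERT", line)
```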
  • 23. Secure IT as a Service: Proof of Concept for Measuring and Monitoring Cloud Infrastructure Security
    Diagram components: VMware vCenter Server; VMware ESXi hosting apps; RSA enVision; Cloud compliance dashboard; RSA Archer with Archer Data Feed Integration; VMware ADML (Advanced Data Management Layer); RSA Hardening Guidelines; RSA Data Loss Prevention; Intel Westmere processor with Intel Trusted Execution Technology
  • 24. Securing the Journey to the Private Cloud: CHECK LIST
    – Extend existing security controls to the virtual infrastructure
    – Platform hardening (e.g., VMware vSphere hardening guides)
    – Strong authentication and role separation for administrators
    – Privileged user monitoring and security event reporting
    – Apply information-centric security policies at the virtual layer to protect applications and data without security agents
    – Change and configuration management
    – Use virtual desktop infrastructure to offer access to applications rapidly, flexibly and securely
    – Ensure compliance across physical, virtual infrastructures and service providers
    – Secure multi-tenancy, verifiable chain of trust
  • 25. Thank you!