Securing the Journey to a Private Cloud
Rashmi Tarbatt
Chief Security Architect EMEA
Business drivers like efficiency and optimization make virtualization and the cloud the best places to be. However, security can be perceived as a roadblock on your path to the cloud. Regulations require that you can attest to confidentiality, integrity and availability in these flexible environments. This deck shows how to solve the security and compliance challenges along the way.

Slide 2 – Cloud Computing by NIST and VMware

Cloud Computing is an approach to computing that leverages the efficient pooling of on-demand, self-managed virtual infrastructure, consumed as a service. Cloud is a way of doing computing.

[Diagram: Enterprises – Bridging – Cloud Service Providers]
• Private Cloud: operated solely for an organization, typically within the firewall
• Hybrid Cloud: composition of two or more interoperable clouds, enabling data and application portability
• Public Cloud: accessible over the Internet for general consumption
Slide 3 – Voice of the Customer

CIO
• Business Objective: accelerate/start virtualization of business-critical apps to continue optimizing costs
• Pain: security technologies and professionals have not kept up with virtualization; teams have to resort to physical isolation, which restricts server consolidation
• Pain: high cost and difficulty of responding to compliance audits for virtual environments
• Pain: lack of consistency between physical and virtual security increases the cost and complexity of virtualization

CISO
• Business Objective: manage risk and compliance while going from IT production to business production
• Pain: maintaining separation of duties and managing the risk of privileged user abuse despite convergence of infrastructure layers
• Pain: perceived vulnerability of the hypervisor, which could become the weakest link
• Pain: mistakes can be amplified by the rate and ease of change in virtual environments

Opportunity: leverage virtualization to improve security enforcement and management
Slide 4 – Security Considerations for the Journey

[Diagram: a virtual host stack (Hardware, Hypervisor, Virt. switch, Virt. FW, Guest OS, Apps) with the network admin, security admin, host administrator and virtualization admin each owning a layer, and IT-as-a-Service above it]

Virtual host
• Separation of duties is challenged
• Need to retrain and reorient ops teams
• Opportunity to improve security operations
• Consolidation of IT infrastructure on top of a new software layer below the OS layer
• A vantage security enforcement point

IT-as-a-Service
• Visibility into external service providers
• Secure multi-tenancy concerns
• Trustworthiness
Slide 5 – The Journey to the Private Cloud

[Chart: percentage of the estate virtualized (15%, 30%, 70%, 85%, 95%) rising across the three stages, with High Availability and Data Protection as the supporting capabilities]
• IT Production – Lower Costs
• Business Production – Improve Quality of Service
• IT-As-A-Service – Improve Agility
Slide 6 – How We Do It: System for Managing Security, Risk and Compliance

[Diagram]
• Business Drivers
• Manage Governance, Risk + Compliance: Define Policy, Assess Risk, Map to Controls, Monitor | Audit | Report
• Collect, Add Context, Correlate, Report
• Three control domains: Identities, Infrastructure, Information
• Control functions: Manage, Monitor, Detect, Enforce
Slide 7 – How We Do It: System for Managing Security, Risk and Compliance (product mapping)

[Diagram: the same structure as slide 6 with products mapped onto it]
• Business Context / Manage Governance, Risk + Compliance: RSA Archer eGRC Suite (Define Policy, Assess Compliance, Map to Controls, Report on Risk)
• Monitor | Audit | Report: RSA enVision (Collect, Add Context, Correlate, Report)
• Identities: Authentication (RSA SecurID, Adaptive Authentication), Access (Access Manager, Federated Identity Manager), Provision, Fraud Prevention (FraudAction, Transaction Monitoring, eFraud Network, Identity Verification)
• Infrastructure: Ionix Configuration Management, Network Security Feeds, Endpoint Security Feeds, Infrastructure Feeds, partners (Cisco IronPort, Microsoft)
• Information: Data Loss Prevention (DLP Datacenter, Network, Endpoint), Encryption & Tokenization (RKM, BSAFE, Tokenization, Microsoft RMS), partners
• Control functions across the domains: Manage, Monitor, Detect, Enforce
Slide 8 – Securing the Journey to The Private Cloud: Stage 1 – Securing Infrastructure

[Same journey chart as slide 5: IT Production (Lower Costs), Business Production (Improve Quality of Service), IT-As-A-Service (Improve Agility); % virtualized from 15% to 95%; High Availability, Data Protection]

Stage 1 adds: visibility into virtualization infrastructure, privileged user monitoring, access management, network security, infrastructure compliance
Slide 9 – Stage 1 – Securing Infrastructure

Extend existing security controls to the new virtualization infrastructure:
• Platform hardening (e.g., VMware vSphere hardening guides)
• Strong authentication and role separation for administrators
• Privileged user monitoring and security event reporting
• Change and configuration management
• Virtual firewalls/AV
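Two items on this slide, platform hardening and change and configuration management, are easiest to act on as an automated check: compare each host against a baseline, and diff successive snapshots so that security-relevant drift with no change ticket is escalated. The Python below is an added example written for this page; it is not code from the deck, VMware or RSA. The setting names are taken from ESXi advanced settings, but the baseline values, the `service.*.running` pseudo-keys and both snapshots are constructed assumptions; a real run would collect the snapshot from vCenter (pyVmomi or PowerCLI) instead of a literal dictionary.

```python
"""Hardening-baseline check and configuration-drift detection for ESXi hosts.

Added example, not code from the deck or from VMware/RSA. Snapshots are
constructed dictionaries in the shape of ESXi advanced-setting key/value
pairs; the baseline values and the 'service.*.running' pseudo-keys are
assumptions modelled on the kind of controls the hardening guides describe.
"""
from dataclasses import dataclass
from typing import Any, Dict, List, Set, Tuple

# Assumed baseline: setting -> (expected value, why it matters).
BASELINE: Dict[str, Tuple[Any, str]] = {
    "UserVars.ESXiShellTimeOut": (900, "idle ESXi shell sessions must time out"),
    "UserVars.ESXiShellInteractiveTimeOut": (900, "interactive shell sessions must time out"),
    "Config.HostAgent.plugins.solo.enableMob": (False, "managed object browser must stay disabled"),
    "Syslog.global.logHost": ("tcp://siem.example.internal:514", "host logs must reach the SIEM collector"),
    "service.TSM-SSH.running": (False, "SSH to the host is off outside change windows"),
    "service.TSM.running": (False, "local ESXi shell is off"),
}


@dataclass(frozen=True)
class Finding:
    host: str
    setting: str
    expected: Any
    actual: Any  # None when the setting is absent from the snapshot
    reason: str


@dataclass(frozen=True)
class Change:
    host: str
    setting: str
    before: Any
    after: Any
    security_relevant: bool  # True when the setting is governed by BASELINE


def check_baseline(host: str, config: Dict[str, Any]) -> List[Finding]:
    """Compare one host snapshot against BASELINE; a missing key counts as a failure."""
    findings: List[Finding] = []
    for setting, (expected, reason) in BASELINE.items():
        actual = config.get(setting)
        if actual != expected:
            findings.append(Finding(host, setting, expected, actual, reason))
    return findings


def diff_snapshots(host: str, before: Dict[str, Any], after: Dict[str, Any]) -> List[Change]:
    """Return every setting whose value differs between two snapshots of the same host."""
    changes: List[Change] = []
    for setting in sorted(set(before) | set(after)):
        if before.get(setting) != after.get(setting):
            changes.append(Change(host, setting, before.get(setting), after.get(setting),
                                  setting in BASELINE))
    return changes


def unapproved_changes(changes: List[Change], approved: Set[str]) -> List[Change]:
    """Security-relevant changes without a matching approved change record are escalated."""
    return [c for c in changes if c.security_relevant and c.setting not in approved]


# Constructed snapshots of one host on two consecutive days.
HOST = "esx01.example.internal"
SNAPSHOT_DAY1: Dict[str, Any] = {
    "UserVars.ESXiShellTimeOut": 900,
    # UserVars.ESXiShellInteractiveTimeOut deliberately absent: never configured
    "Config.HostAgent.plugins.solo.enableMob": True,  # MOB left enabled
    "Syslog.global.logHost": "tcp://siem.example.internal:514",
    "service.TSM-SSH.running": False,
    "service.TSM.running": False,
    "Annotations.WelcomeMessage": "Authorised access only",
}
SNAPSHOT_DAY2: Dict[str, Any] = {
    **SNAPSHOT_DAY1,
    "service.TSM-SSH.running": True,  # someone enabled SSH overnight
    "Annotations.WelcomeMessage": "Authorised access only - managed by IT Ops",  # cosmetic
}

if __name__ == "__main__":
    for f in check_baseline(HOST, SNAPSHOT_DAY1):
        print(f"FAIL {f.host} {f.setting}: expected {f.expected!r}, got {f.actual!r} ({f.reason})")
    drift = diff_snapshots(HOST, SNAPSHOT_DAY1, SNAPSHOT_DAY2)
    for c in unapproved_changes(drift, approved=set()):
        print(f"DRIFT {c.host} {c.setting}: {c.before!r} -> {c.after!r}")
```

The cosmetic banner change is reported by the diff but not escalated, while the SSH service change is, because only baseline-governed settings count as security-relevant; feeding the approved set from the change-management system is what turns the diff into an enforcement of the process rather than a list of edits.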
Slide 10 – GRC – Achieving Business Context

[Diagram: a cycle of Governance, Visibility, Mitigation, and Execution and Monitoring]
• Identify what you care about:
  – Business Drivers, Objectives and Regulatory Requirements
• Define & Manage Business Drivers
• Implement Controls to ensure the achievement of the Business Drivers and monitor them relentlessly using:
  – People, Processes, Information & Technology
• Gain Visibility of control failures and risks within the Operational Infrastructure:
  – Risks, threats, incidents, or compliance deficiencies
• Prioritize mitigation resources in the context of the Business Drivers and Control Objectives
• Execution and Monitoring across the Operational Infrastructure
• Orchestrate the remediation of the risks and compliance issues with continuous monitoring
  – Adapt the control framework and operational infrastructure
Slide 11 – Platform in Action – Cloud Security and Compliance

[Diagram: four-step loop]
1. Discover VMware infrastructure & define security policy
   – Over 100 VMware-specific controls added to the Archer library, mapped to Authoritative Sources
2. Manual and automated configuration assessment
   – New component scans and automatically assesses VMware configuration to check compliance with controls
3. Remediation of non-compliant controls
   – Remediation workflow to manage non-compliance and risk mitigation
4. Manage security incidents that affect compliance
   – RSA enVision collects, analyzes and feeds security incidents from RSA, VMware and ecosystem products for visualization in Archer

RSA SecurBook for guidance on deploying and operating the solution
Slide 12 – Accelerate Mission Critical Virtualization

Protect Identities
• Benefit: assure authorized access into every layer of the virtual environment
• Capability: strong authentication into VMware View, ESX Service Console, vSphere Management Assistant

Monitor Infrastructure
• Benefit: ensure compliance across virtual and physical with a single platform
• Capability: Security Information and Event Management support for VMware View, ESX, vCenter, vSphere

Secure Information
• Benefit: secure sensitive data on virtual servers to meet security and compliance requirements
• Capability: Data Loss Prevention protects sensitive data on virtual servers
Slide 13 – Secure the Core Vblock Platform

IT Operations: vSphere, vSphere Management Assistant, UCS, Storage

Security Operations:
• RSA SecurID – strong authentication before access to the ESX Service Console and vSphere Management Assistant
• RSA enVision – comprehensive visibility into security events; security incident management, compliance reporting

Vblock Security Guidance
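Slides 9 and 13 pair strong authentication in front of the service console and vMA with privileged user monitoring behind it. What the monitoring side actually evaluates is worth making concrete. The Python below is an added example (not from the deck, and not how RSA enVision implements its correlation rules) that runs four such rules over constructed syslog-style lines loosely modelled on ESXi hostd/sshd messages: shared root logins, logins that did not arrive via the vMA/jump-host path, configuration changes by accounts outside the admin allow-list, and changes outside the agreed window. The management-source addresses, the admin list and the change window are assumptions standing in for SIEM reference data.

```python
"""Privileged-user monitoring rules over host log lines.

Added example; not part of the deck and not RSA enVision logic. Log lines are
constructed and only loosely modelled on ESXi hostd/sshd syslog output. The
reference data (management sources, admin allow-list, change window) is assumed.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Reference data a SIEM would hold (assumed values).
MANAGEMENT_SOURCES = {"10.1.20.50", "10.1.20.51"}   # vMA and the admin jump host behind SecurID
PRIVILEGED_ADMINS = {"jsmith", "adm-kpatel"}         # named accounts allowed to change host config
CHANGE_WINDOW = range(7, 19)                          # hours (UTC) in which changes are expected

LOGIN_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?:hostd: User (?P<user>[^@\s]+)@(?P<src>[\d.]+) logged in"
    r"|sshd: Accepted \S+ for (?P<suser>\S+) from (?P<ssrc>[\d.]+))"
)
CHANGE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) hostd: Event \d+ : (?P<action>.+?) on \S+ by (?P<user>\S+)$"
)


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    kind: str             # "login" or "change"
    user: str
    src: Optional[str]    # client address, logins only
    action: Optional[str]  # what was changed, change events only


@dataclass(frozen=True)
class Alert:
    rule: str
    host: str
    user: str
    detail: str


def parse_line(line: str) -> Optional[Event]:
    """Turn one syslog line into an Event, or None for lines the rules ignore."""
    m = LOGIN_RE.match(line)
    if m:
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
        return Event(ts, m.group("host"), "login", m.group("user") or m.group("suser"),
                     m.group("src") or m.group("ssrc"), None)
    m = CHANGE_RE.match(line)
    if m:
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
        return Event(ts, m.group("host"), "change", m.group("user"), None, m.group("action"))
    return None


def evaluate(ev: Event) -> List[Alert]:
    """Apply the privileged-user rules to one event; one event can raise several alerts."""
    alerts: List[Alert] = []
    if ev.kind == "login":
        if ev.user == "root":   # shared account defeats role separation and accountability
            alerts.append(Alert("shared-root-login", ev.host, ev.user,
                                f"root login from {ev.src}; named accounts required"))
        if ev.src not in MANAGEMENT_SOURCES:   # bypassed the strongly authenticated path
            alerts.append(Alert("bypassed-management-path", ev.host, ev.user,
                                f"login from {ev.src}, not via vMA/jump host"))
    elif ev.kind == "change":
        if ev.user not in PRIVILEGED_ADMINS:
            alerts.append(Alert("unapproved-change-actor", ev.host, ev.user, ev.action or ""))
        if ev.ts.hour not in CHANGE_WINDOW:
            alerts.append(Alert("change-outside-window", ev.host, ev.user,
                                f"{ev.action} at {ev.ts:%H:%M}Z"))
    return alerts


def detect(lines: List[str]) -> List[Alert]:
    alerts: List[Alert] = []
    for line in lines:
        ev = parse_line(line)
        if ev is not None:
            alerts.extend(evaluate(ev))
    return alerts


# Constructed sample log for one host.
SAMPLE_LOG = [
    "2011-03-01T08:02:11Z esx01 hostd: User root@10.1.20.5 logged in as VMware-client",
    "2011-03-01T08:05:40Z esx01 sshd: Accepted publickey for root from 10.1.20.99 port 51022 ssh2",
    "2011-03-01T08:06:02Z esx01 hostd: User vi-admin@10.1.20.50 logged in as vMA",
    "2011-03-01T09:13:55Z esx01 hostd: User jsmith@10.1.20.51 logged in as VMware-client",
    "2011-03-01T09:14:30Z esx01 hostd: Event 1234 : Reconfigured VM finance-db on esx01 by jsmith",
    "2011-03-01T10:00:05Z esx01 hostd: Event 1235 : Firewall ruleset changed on esx01 by svc-backup",
    "2011-03-01T22:41:00Z esx01 hostd: Event 1236 : SSH service started on esx01 by adm-kpatel",
    "2011-03-01T22:41:02Z esx01 hostd: Heartbeat ok",
]

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a.rule:26} {a.host} {a.user}: {a.detail}")
```

The first two lines each raise two alerts: a root login is a problem on its own, and one that did not come through the vMA or jump host shows the strong-authentication gate was skipped. Named administrators arriving through the gate and changing things inside the window produce nothing, which is the point of pairing the preventive control with named accounts: the monitoring rule only has to look for what the control should have made impossible.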
Slide 14 – Securing the Journey to The Private Cloud: Stage 2 – Securing Information

[Same journey chart as slide 5]
• Stage 2 adds: information-centric security, risk-driven policies, IT and security operations alignment, information compliance
• From Stage 1: visibility into virtualization infrastructure, privileged user monitoring, access management, network security, infrastructure compliance
Slide 15 – VMware vShield Zones and RSA® Data Loss Prevention (Proof of Concept)

[Diagram: physical infrastructure, VMware vSphere, vShield Zones, groups of VMs (App/OS) with a DLP virtual appliance watching each zone]
• VMware vShield Zones provides isolation between groups of VMs in the virtual infrastructure
• Leverages the capabilities of vShield Zones to deploy DLP as a virtual application monitoring data traversing virtual networks
• Uses centrally managed policies and enforcement controls to prevent data loss in the virtual datacenter
• Customer benefits: pervasive protection, persistent protection, improved scalability
Slide 16 – Securing Critical Apps Example: Secure Virtual Desktops

[Diagram: VMware View clients, View Manager, vCenter and ESX hosts on Cisco UCS and EMC storage, with the security components around them]
• Ionix SCM for security configuration and patch management of the VMware infrastructure
• RSA DLP for protection of data-in-use
• Microsoft Active Directory
• RSA SecurID for remote authentication (VMware View) and for the ESX Service Console and vMA
• RSA enVision log management for: VMware vCenter & ESX, VMware View, RSA Data Loss Prevention, Microsoft Active Directory, Ionix SCM, RSA SecurID, Cisco UCS, EMC Storage
Slide 17 – RSA SecurBook for VMware View

RSA Solutions
– Multi-product solutions
– Validated in the RSA Solutions Center

RSA SecurBooks
– Guides for planning, deploying, and administering RSA solutions
– Comprehensive reference architecture, screenshots, practical guidance
Slide 18 – Securing the Journey to The Private Cloud: Stage 3 – Secure ITaaS

[Same journey chart as slide 5, with Platinum and Gold service tiers in place of High Availability and Data Protection]
• Stage 3 adds: secure multi-tenancy, verifiable chain of trust
• From Stage 2: information-centric security, risk-driven policies, IT and security operations alignment, information compliance
• From Stage 1: visibility into virtualization infrastructure, privileged user monitoring, access management, network security, infrastructure compliance
Slide 19 – Secure Multitenancy Isolation with Vblock

Preventive controls (control – where it is enforced)
• VM isolation, resource reservation / limits – ESX/ESXi, VMware vSphere
• Firewall for traffic into and between tenant networks – VMware vShield Zones
• Dedicated tenant VLANs, anti-spoofing – Cisco Nexus 1000v, VMware vSwitch
• Dedicated Service Profiles, virtualized network adapters – Cisco UCS
• Dedicated tenant VSANs – Cisco MDS
• Dedicated LUNs, LUN masking, port zoning, dedicated NAS file share exports per tenant – EMC Symmetrix, CLARiiON

Detective controls
• Comprehensive and real-time security event monitoring and alerting with RSA enVision ensures that any change in isolation configuration is detected – RSA enVision
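Each preventive control on this slide is a statement about ownership: a VLAN, a VSAN or a LUN belongs to exactly one tenant, a blade runs one tenant's VMs, and spoofing is rejected at the vSwitch. Written as invariants they can be checked against exported inventory, which is what the following added Python example does; it is not from the deck or from any Cisco, VMware or EMC tool. The inventory, the tenant names and the simplified model of hosts, port groups and LUN masking are constructed assumptions (real data would come from vCenter, the Nexus 1000v and the array's masking views).

```python
"""Tenant-isolation invariants for a shared (Vblock-style) virtual infrastructure.

Added example, not from the deck or any vendor tool. The inventory below is
constructed; the model is deliberately simplified (one tenant per blade via a
dedicated service profile, one VSAN per blade, string-valued vSwitch policies).
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set


@dataclass(frozen=True)
class PortGroup:
    name: str
    tenant: str
    vlan: int
    promiscuous: str        # vSwitch security policy: "accept" or "reject"
    mac_changes: str
    forged_transmits: str


@dataclass(frozen=True)
class Host:
    name: str
    tenant: str             # dedicated UCS service profile: one tenant per blade
    vsan: int               # VSAN the blade's virtual HBAs are zoned into


@dataclass(frozen=True)
class Lun:
    lun_id: int
    tenant: str
    masked_to: FrozenSet[str]   # hosts the array presents the LUN to


@dataclass(frozen=True)
class Vm:
    name: str
    tenant: str
    host: str
    portgroup: str


@dataclass(frozen=True)
class Violation:
    control: str
    tenant: str
    detail: str


def check_isolation(portgroups: List[PortGroup], hosts: List[Host],
                    luns: List[Lun], vms: List[Vm]) -> List[Violation]:
    """Return every breach of the per-tenant isolation invariants (empty list = clean)."""
    found: List[Violation] = []

    # Dedicated tenant VLANs: a VLAN ID is owned by exactly one tenant.
    vlan_owners: Dict[int, Set[str]] = defaultdict(set)
    for pg in portgroups:
        vlan_owners[pg.vlan].add(pg.tenant)
    for vlan, owners in sorted(vlan_owners.items()):
        if len(owners) > 1:
            found.append(Violation("dedicated-vlan", "/".join(sorted(owners)), f"VLAN {vlan} is shared"))

    # Anti-spoofing: every port group rejects promiscuous mode, MAC changes and forged transmits.
    for pg in portgroups:
        lax = [label for label, value in (("promiscuous", pg.promiscuous),
                                          ("mac_changes", pg.mac_changes),
                                          ("forged_transmits", pg.forged_transmits))
               if value != "reject"]
        if lax:
            found.append(Violation("anti-spoofing", pg.tenant, f"{pg.name} accepts {', '.join(lax)}"))

    # Dedicated tenant VSANs: the same ownership rule on the storage fabric.
    vsan_owners: Dict[int, Set[str]] = defaultdict(set)
    for h in hosts:
        vsan_owners[h.vsan].add(h.tenant)
    for vsan, owners in sorted(vsan_owners.items()):
        if len(owners) > 1:
            found.append(Violation("dedicated-vsan", "/".join(sorted(owners)), f"VSAN {vsan} is shared"))

    # LUN masking: a LUN is presented only to blades belonging to its tenant.
    host_tenant = {h.name: h.tenant for h in hosts}
    for lun in luns:
        foreign = sorted(hn for hn in lun.masked_to if host_tenant.get(hn) != lun.tenant)
        if foreign:
            found.append(Violation("lun-masking", lun.tenant,
                                   f"LUN {lun.lun_id} visible to {', '.join(foreign)}"))

    # VM placement: a VM runs on its own tenant's blade and only touches its tenant's port groups.
    pg_tenant = {pg.name: pg.tenant for pg in portgroups}
    for vm in vms:
        if host_tenant.get(vm.host) != vm.tenant:
            found.append(Violation("vm-placement", vm.tenant, f"{vm.name} runs on {vm.host}"))
        if pg_tenant.get(vm.portgroup) != vm.tenant:
            found.append(Violation("vm-placement", vm.tenant, f"{vm.name} attached to {vm.portgroup}"))
    return found


# Constructed inventory for two tenants, with one deliberate breach per control.
PORTGROUPS = [
    PortGroup("acme-web", "acme", 110, "reject", "reject", "reject"),
    PortGroup("acme-db", "acme", 111, "reject", "reject", "reject"),
    PortGroup("globex-web", "globex", 110, "reject", "reject", "reject"),   # reuses acme's VLAN
    PortGroup("globex-app", "globex", 121, "reject", "reject", "accept"),   # forged transmits allowed
]
HOSTS = [Host("esx01", "acme", 10), Host("esx02", "acme", 10), Host("esx03", "globex", 20)]
LUNS = [
    Lun(5, "acme", frozenset({"esx01", "esx02"})),
    Lun(7, "globex", frozenset({"esx03", "esx02"})),   # also masked to an acme blade
]
VMS = [
    Vm("acme-web01", "acme", "esx01", "acme-web"),
    Vm("globex-app01", "globex", "esx03", "globex-app"),
    Vm("globex-app02", "globex", "esx03", "acme-db"),   # plugged into acme's database network
]

if __name__ == "__main__":
    for v in check_isolation(PORTGROUPS, HOSTS, LUNS, VMS):
        print(f"{v.control:16} {v.tenant:14} {v.detail}")
```

Run on a schedule and diffed against the previous run, the list of violations is exactly what the detective control on the slide is meant to surface: a change to isolation configuration shows up as a new entry, regardless of which layer (switch, fabric, array or vSwitch) it was made in.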
Slide 20 – Secure IT as a Service

Proof of Concept for Measuring and Monitoring Cloud Infrastructure Security

[Diagram: VMware ESXi hosts and vCenter Server running apps on Intel Westmere processors with Intel Trusted Execution Technology; hardening guidelines; RSA enVision; RSA Data Loss Prevention; RSA ADML (Advanced Data Management Layer) feeding RSA Archer through data feed integration into a cloud compliance dashboard]
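Slides 18 and 20 rest on a "verifiable chain of trust" anchored in Intel TXT and the TPM. What makes the chain verifiable, rather than merely measured, is that a verifier can replay the host's measurement log through the TPM 1.2 PCR extend rule (PCR' = SHA-1(PCR || measurement), starting from twenty zero bytes at a measured launch) and compare the result with the PCR values the TPM quotes, then check every measured component against a known-good list. The Python below is an added example of that replay, not the deck's or Intel's code. The images, digests and the PCR assignment are constructed simplifications of the real TXT layout, and verification of the quote's signature under the host's attestation identity key is assumed to have happened before this step.

```python
"""Replaying a measured-launch log against a TPM quote.

Added example; not part of the deck and not a real Intel TXT/TPM client.
Everything measured here is a constructed stand-in, and the PCR assignment
(17 = SINIT ACM and launch control policy, 18 = MLE, 19 = hypervisor) is a
simplification. The quote's AIK signature is assumed to be verified already.
"""
import hashlib
from typing import Dict, List, Tuple

PCR_INITIAL = bytes(20)   # dynamic PCRs 17-22 are reset to zero at a measured launch

LogEntry = Tuple[int, str, bytes]   # (PCR index, component name, SHA-1 digest of the component)


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM 1.2 PCR extend: the register only moves forward through a hash chain."""
    return hashlib.sha1(pcr + measurement).digest()


def replay(log: List[LogEntry]) -> Dict[int, bytes]:
    """Compute the PCR values a measurement log implies, applying entries in log order."""
    pcrs: Dict[int, bytes] = {}
    for index, _name, digest in log:
        pcrs[index] = extend(pcrs.get(index, PCR_INITIAL), digest)
    return pcrs


def verify_host(log: List[LogEntry], quoted_pcrs: Dict[int, bytes],
                golden: Dict[str, bytes]) -> List[str]:
    """Reasons not to trust the host; an empty list means the chain verifies.

    Two independent checks: the log must reproduce the quoted PCRs (otherwise it is
    not the log the TPM actually measured), and every measured component must be a
    known-good image (otherwise the chain is intact but roots in software we do not trust).
    """
    problems: List[str] = []
    expected = replay(log)
    for index in sorted(set(expected) | set(quoted_pcrs)):
        if expected.get(index) != quoted_pcrs.get(index):
            problems.append(f"quote-mismatch:PCR{index}")
    for _index, name, digest in log:
        if golden.get(name) != digest:
            problems.append(f"unknown-component:{name}")
    return problems


def measure(image: bytes) -> bytes:
    return hashlib.sha1(image).digest()


# Constructed components and their approved digests.
GOLDEN: Dict[str, bytes] = {
    "sinit-acm": measure(b"constructed SINIT ACM image"),
    "launch-control-policy": measure(b"constructed LCP"),
    "mle-tboot": measure(b"constructed tboot MLE"),
    "hypervisor": measure(b"constructed approved ESXi build"),
}
GOOD_LOG: List[LogEntry] = [
    (17, "sinit-acm", GOLDEN["sinit-acm"]),
    (17, "launch-control-policy", GOLDEN["launch-control-policy"]),
    (18, "mle-tboot", GOLDEN["mle-tboot"]),
    (19, "hypervisor", GOLDEN["hypervisor"]),
]
GOOD_QUOTE = replay(GOOD_LOG)   # what the TPM of a healthy host quotes

# A host that booted a modified hypervisor; its TPM honestly quotes the resulting PCR 19.
TAMPERED_LOG: List[LogEntry] = GOOD_LOG[:3] + [(19, "hypervisor", measure(b"constructed modified ESXi build"))]
TAMPERED_QUOTE = replay(TAMPERED_LOG)

if __name__ == "__main__":
    print("healthy host:", verify_host(GOOD_LOG, GOOD_QUOTE, GOLDEN) or "trusted")
    print("modified hypervisor:", verify_host(TAMPERED_LOG, TAMPERED_QUOTE, GOLDEN))
    # An agent on the modified host can send the clean log, but not change what the TPM signs:
    print("clean log, real quote:", verify_host(GOOD_LOG, TAMPERED_QUOTE, GOLDEN))
```

The third case is the one that justifies the hardware root: a compromised attestation agent can lie about the log, but the replayed log then fails to reproduce the quoted PCR, so the lie is caught without trusting anything on the host. A cloud placement engine can refuse to schedule a tenant's workload onto any host whose verify_host result is non-empty.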
Slide 21 – Securing the Journey to the Private Cloud: Check List

• Extend existing security controls to the virtual infrastructure
• Platform hardening (e.g., VMware vSphere hardening guides)
• Strong authentication and role separation for administrators
• Privileged user monitoring and security event reporting
• Apply information-centric security policies at the virtual layer to protect applications and data without security agents
• Change and configuration management
• Use virtual desktop infrastructure to offer access to applications rapidly, flexibly and securely
• Ensure compliance across physical and virtual infrastructures and service providers
• Secure multi-tenancy, verifiable chain of trust
Slide 22 – Thank you!