040711 webcast securing vmachine



Presentation provided by Sharon Isaacson and Erin K. Banks on April 07, 2011

Published in: Technology
Speaker notes (per slide)
  • Based on our primary research during discussions with customers like you, our customers are asking themselves four basic questions: 1) Can I virtualize my Tier 1 applications and make sure that they are secure? 2) How do I really manage compliance across both a physical and a virtualized environment? 3) How quickly can I respond to security events in my physical and virtual data center? 4) How can I secure access and information in my virtualized environment? All virtualization platforms are not the same. As you move to adopt virtual infrastructure solutions to reduce costs and improve IT operations, make sure you understand the security implications of virtualization technology and the platform you choose. VMware offers the most robust and secure virtualization platform available. Separate fact from fiction when it comes to virtualization and IT security; understand the most significant ways in which virtualization affects security; find resources as well as the latest news on virtualization security.
  • VMware offers secure and robust virtualization solutions for virtual data centers and cloud infrastructures, and has both the technology and the processes to ensure that this high standard is maintained in all current and future products. VMware virtualization gives you: Secure architecture and design: based on its streamlined and purpose-built architecture, vSphere is considered by experts to be the most secure virtualization platform. Third-party validation of security standards: VMware has validated the security of our software against standards set by Common Criteria, NIST and other organizations. Proven technology: more than 250,000 customers, including all of the Fortune 100 as well as military and government installations, trust VMware to virtualize their mission-critical applications. The NSA is one of VMware's customers!
  • Today most security is enforced as an add-on to the OS or the application, making it ineffective, inconsistent and complex. Pushing information security enforcement into the virtualization and cloud infrastructure ensures consistency, simplifies security management and enables customers to surpass the levels of security possible in today's physical infrastructures by making security SEAMLESS. You won't need to sacrifice security, control or compliance on your journey to the cloud or virtualization. With the VMware vShield family and the RSA product line security solutions, you get virtualization-aware protection that adapts to dynamic cloud environments, making it "better-than-physical". Reduce the complexity of endpoint, application and edge network security by improving visibility and accelerating compliance, all within a single framework.
  • When discussing security with customers it really comes down to three basic principles: trust, policies and visibility. 1) Trust. 2) Policies: first, a baseline of what your company or your customers require, which means creating policies, implementing these policies and enforcing them. 3) Visibility: a big part of security, or trust, has to be visibility into what is happening, which means proving compliance and being able to act on any security alert or alarm that comes up and resolve it. It is all of these together.
  • vCloud infrastructure: underlying vSphere; vCloud-specific resource sharing (ensure isolation); logging and monitoring (watch for anomalies and violations); user management.
  • Virtual machines running on an ESX Server are truly isolated from each other: they cannot see each other's CPU instructions, memory, network or storage, and they do not share a "parent domain" which is a full OS. The hypervisor can enforce more restrictive controls on a VM's Ethernet network by not allowing it to set its MAC to promiscuous mode, change its MAC address, or forge the source MAC address. There are other controls on the interaction between a virtual machine and the hypervisor, such as the ability to copy data between the guest and the host.
  • What security framework do the VMware engineers work to? VMware engineers have security practices built in to their coding practices. In addition to automated tools imposing security best practices, engineers have guidelines to follow and review each other's code once it is checked in. VMware software engineers value security very highly and dedicate a significant amount of focus and effort to ensuring code is secure by design and implementation, to reduce the risk of insecure code entering the product line. (Press release, Palo Alto, Calif., August 29, 2007: "VMware Selected as Virtualization Partner for the National Security Agency's Secure Workstation Solution. Federal Agency Contracts with General Dynamics to Develop High Assurance Platform Workstations Using VMware Software to Enable Secure Access to Varying Levels of Classified Materials".) What audits does VMware carry out on its software? (Security by design.) VMware carries out both internal audits, by its security and engineering teams, and also periodic external audits by a leading security organization. VMware, like other software companies, acts upon the results of these audits in a timely manner to ensure that its products are as secure as possible. Like other software companies, VMware does not disclose the results of these audits, but should updates be required to released products then a security notice and update will be released via the normal channel.
  • Thousands of customers use it in production. Passed security audit and put into production use by the largest banks in the US. Passed Defense and Security Agencies' scrutiny and audit. 3rd-party validation: audit by Foundstone; Common Criteria Certification EAL2 achieved for ESX 2.5/VirtualCenter 1.5; EAL4+ in progress for VMware Infrastructure 3.
  • Introduction of a new management layer. Virtualization software, like all other infrastructure software, requires the ability to manage the components of the solution. This occurs through a management interface which connects virtualization hosts, management servers, IP-based storage, and ancillary services such as authentication and monitoring. Since there is isolation between the virtual machines and the hypervisor's interfaces, the most important step in securing a virtual deployment is to design and implement a strict separation of the management layer from any other network traffic. This greatly reduces the possibility of any attack on a virtual machine affecting the virtualization layer or any other virtual machine. Switches and servers combined into one device. With VMware Infrastructure, not only can you create multiple VMs on a single host but virtual networks as well. This is implemented using software layer-2 virtual switches with enterprise-class features such as VLANs and hardware NIC teaming for availability and performance. Virtual networking provides a tremendous amount of flexibility and cost savings. You can create a switch with as many ports as you need, and you can create a large number of switches. However, there are several aspects of virtual networking that affect security:
    • Lack of intra-server network visibility: traditional network-based security tools rely upon access to the traffic traversing physical switches, typically through a hardware appliance. When the switch is virtual, new solutions must be employed that access virtual networking traffic, by running in a virtual appliance for example.
    • No separation-by-default of administration: in a non-virtual infrastructure at a large enterprise, the server team is distinct from the network team, which might be distinct from the security team. With virtualization, a single administrative interface controls both virtual machines and virtual networks, and the separation must be re-introduced through the proper definition of roles and privileges.
    • Elevated risk of misconfiguration: the fact that it is possible to have more than one virtual switch on a host also represents a significant change. Now, instead of requiring you to physically unplug a network cable from one switch and insert it into another, you can change the virtual switch of a VM with a simple drop-down menu. This flexibility of course brings about tremendous efficiencies, but it also elevates the risk of misconfiguration. This must be mitigated through familiar techniques such as strong change controls and meticulous log and event monitoring.
  • For vSphere-based environments, vShield solutions provide capabilities to secure the edge of the vDC, protect virtual applications from network-based threats, and streamline antivirus protection for VMware View deployments by offloading AV processing to dedicated security VMs. These new product offerings can start securing infrastructure almost immediately since all the underlying compute resources are already present in the vSphere environment. These same solutions in the traditional security model would have taken months to authorize and provision in the physical data center. So what is vShield Edge and how is it LIKE what you've already seen in the physical data center? The solution provides a virtual appliance with the following capabilities:
    • DHCP: to automate IP address assignment to virtual machines in the vDC
    • NAT: network address translation to mask private IP addresses in the vDC when they send traffic to untrusted networks
    • Firewall: inbound and outbound connection control based on source/destination IP address and application port
    • Site-to-site VPN: to encrypt traffic between vDCs to allow for confidentiality between organizations or partner extranets
    • Web load balancer: actually load balancing based on IP address, but in practice, since over 70% of server virtualization is for the web tier, organizations use load balancing for HTTP/S traffic
    And for each vSphere host, the virtual network can be carved up just as a physical network can be carved up using VLANs. This "Network Isolation" keeps traffic within the organization contained within a single port group. But while there are similarities with security in the physical world, there are key differences, and benefits, to vShield Edge over the alternatives:
    1. No additional hardware: the virtual appliance with all the aforementioned edge features is provisioned using existing vSphere resources.
    2. No complicated VLAN rules: network isolation is enforced at the hypervisor layer, not requiring VLAN-enabled switches.
    3. Rapid and scalable provisioning: each 'tenant' gets their edge security virtually on demand, rather than through some complicated change management process which would require budget and rack space for new edge security hardware.
    4. Centralized management and logging: with traditional security, each point solution would require its own management interface and logging infrastructure. With vShield, all policy management is done from one interface and logs are written in syslog format to a single location. Demonstrating compliance is a breeze.
    Offload anti-virus processing (vShield Endpoint):
    • Tighter collaborative effort with leading AV partners
    • Hypervisor-based introspection for all major AV functions
    • File-scanning engines and virus definitions offloaded to a security VM, scheduled and real-time
    • Thin file-virtualization driver in-guest: >95% reduction in guest footprint (eventually fully agentless)
    • Deployable as a service: no agents to manage; thin guest driver bundled with VMware Tools (est. vSphere 4.1U1); turnkey, security-as-a-service delivery
    • Applicable to all virtualized deployment models: private clouds (virtual datacenters), public clouds (service providers), virtual desktops
  • What is VMware doing to continuously improve the security of their products? In addition to the inclusion of fine-grained security controls, such as roles and permissions, and granular controls on virtual machines such as Ethernet controls, VMware is focused on reducing the security footprint and exposure of their products as well as innovating new features with partners. To reduce the footprint, VMware recently released ESXi, which shows that the custom-built, "I was born to be a hypervisor" core at the heart of ESXi is only 32MB (compared to the bloated, 2GB+ fully-loaded OSes that act as the all-powerful "parent domain" in Hyper-V and Citrix Xen).
  • Where can we get help on security from VMware? VMware has provided an online Security Center. Check out the VMware Knowledge Base, where you can search for "security" and other topics. Read the VMware Security Blog. Subscribe to the VMware Security Feed. Security services are also available from the VMware Professional Services Organization. Speak with your local VMware representative to find out more.
  • Compliance (depending on your industry), information governance, and reporting to ensure all these measures are in place are a big concern for customers. This is another opportunity for RSA security solutions to help.
  • The solution provides multiple views into the compliance posture of the VMware infrastructure. Archer has this tiered hierarchy mapping regulations to control standards and control procedures in place out of the box: from the virtual administrator who is looking at specific technical controls, to the "C-level" officer who is looking at how those roll up to affect the status of compliance with regulations such as PCI DSS. Clicking on a control procedure (CP) gives more detail: exactly how to do it on a specific device. Each CP is mapped to a control standard, which is more general ("you should be doing these kinds of things"), and the control standard states what you should be doing to comply with the relevant section of the authoritative source above it. The solution can report on the PCI posture of your infrastructure.
  • The new RSA Solution for Cloud Security and Compliance is based on the Archer eGRC platform. Over 130 VMware-specific controls have been added to Archer to enable VMware security policy implementation and management tied directly to regulations such as PCI and HIPAA. So organizations can now use Archer to centralize management and view security compliance across both physical and virtual IT. This RSA solution also includes a new software component that continuously does two things: it discovers new virtual infrastructure devices, and it interrogates about 30-40% of the 130 control procedures to verify that VMware security controls have been implemented correctly. The results of these automated discovery and configuration checks are fed directly into Archer for continuous controls monitoring across the virtual infrastructure, and augment answers from VI admins to web-based questionnaires. This allows security operations to more quickly and continuously remediate non-compliant controls. Integrating enVision into this Archer solution, via an internal project called "Golden Gate", ensures that log data and alerts on security events generated from virtual resources and collected by enVision are passed into RSA Archer, so customers are aware of any new security events that alter their compliance posture. The entire solution is documented in a SecurBook, which is available in the SRC and online at rsa.com.
  • The future direction for the RSA Cloud Solution for Security and Compliance will make Archer the best GRC solution for hybrid clouds, using the same tool that is used widely to manage risk and compliance across the enterprise. RSA offers one additional differentiator today, as we are first to market with this feature which helps customers assess cloud service providers. The Cloud Security Alliance is a not-for-profit organization that is producing leading guidance about best practice in cloud computing and has produced a checklist for potential users of such services. Its membership comprises RSA plus both vendors and enterprises from over 20 major companies. RSA's Cloud Solution aligns with the CSA Assessment Questions (part of the CSA GRC Stack) by using Archer's questionnaire workflow to help customers automate the process of asking cloud service providers the 195 CSA questions covering the most critical components of a service provider's offering, from business and legal processes to technical infrastructure best practices. This will help customers assess, against industry-established best practices, standards, and critical compliance requirements, which hybrid and public cloud service providers best fit their needs.
  • To help customers implement our solutions, we’ve developed the RSA SecurBook. This easy-to-follow solution guide provides detailed instructions for deploying and administering RSA’s solution in a virtualized environment. Designed to help organizations reduce implementation time and total cost of ownership, the RSA SecurBooks offer guidance for the Cloud Security and Compliance Solution and the VMware View Solution.
  • Avamar is the industry-leading backup and recovery solution for VMware environments. In fact, VMware, the company, uses Avamar for its enterprise data protection. Avamar provides both guest-level and image-level (VMDK) backup and recovery.
  • Another area that VMware had opened up for integration is the vStorage API for Site Recovery Manager. This was a huge development, as the lack of an easy integrated disaster recovery solution was a barrier for many organizations’ adoption of VMware for their production environments. Site Recovery Manager coordinates with vendor-developed Storage Replication Adapters. These Adapters allow for automated set-up and testing of disaster recovery, as well as the automated clean failover from the production site to the recovery site. The one feature that today’s Site Recovery Manager is lacking is failback. After the disaster is over, failback to the production site is a manual process. Today, EMC is the only vendor providing an easy mechanism for automating the failback process – all managed from our Virtual Storage Integrator vCenter plug-in.
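The per-port controls described in the ESX isolation notes above (promiscuous mode, MAC address changes, forged source MACs) are settable on a vSwitch and on each port group, and a port group that sets nothing inherits the switch value. The following audit, an added example rather than code from the webcast or from VMware, resolves that inheritance and lists every port group that still accepts one of the three; the host configuration is a constructed sample shaped like the vSphere API's HostNetworkInfo, and the approved-exception set stands in for change-control records.

```python
"""Audit of the per-port security policy a vSphere host enforces on VM vNICs.
Added example, not code from the webcast or from VMware.  The input shape
follows the vSphere API's HostNetworkInfo (vswitch[].spec.policy.security and
portgroup[].spec.policy.security), where a port group that leaves a field unset
inherits the parent vSwitch's value; the host below is a constructed sample."""

from dataclasses import dataclass

# The three controls the hypervisor applies to a VM's virtual NIC.  True means
# the switch accepts the behaviour, which is the weak setting.
CONTROLS = ("allowPromiscuous", "macChanges", "forgedTransmits")

SAMPLE_HOST = {  # constructed sample host configuration
    "vswitch": [
        {"name": "vSwitch0", "security": {
            "allowPromiscuous": False, "macChanges": True, "forgedTransmits": True}},
        {"name": "vSwitch1", "security": {
            "allowPromiscuous": False, "macChanges": False, "forgedTransmits": False}},
    ],
    "portgroup": [
        # Explicitly rejects MAC changes and forged transmits; inherits the rest.
        {"name": "Management Network", "vswitch": "vSwitch0",
         "security": {"macChanges": False, "forgedTransmits": False}},
        # Sets nothing, so it silently inherits the permissive vSwitch0 values.
        {"name": "VM Network", "vswitch": "vSwitch0", "security": {}},
        # A virtual IDS appliance port group deliberately set to promiscuous.
        {"name": "IDS Monitor", "vswitch": "vSwitch1",
         "security": {"allowPromiscuous": True}},
    ],
}


@dataclass(frozen=True)
class Finding:
    portgroup: str
    vswitch: str
    control: str
    source: str  # "portgroup" (explicit override) or "vswitch" (inherited)


def effective_policy(host, portgroup):
    """Resolve what a port group actually enforces: an explicit port group
    value wins, an unset value inherits from the parent vSwitch."""
    switch = next(s for s in host["vswitch"] if s["name"] == portgroup["vswitch"])
    resolved = {}
    for control in CONTROLS:
        override = portgroup["security"].get(control)
        if override is None:
            resolved[control] = (switch["security"][control], "vswitch")
        else:
            resolved[control] = (override, "portgroup")
    return resolved


def audit(host, approved_exceptions=frozenset()):
    """Return a Finding for every port group control left in the accept state,
    except (portgroup, control) pairs that change control has approved."""
    findings = []
    for pg in host["portgroup"]:
        for control, (accepts, source) in effective_policy(host, pg).items():
            if accepts and (pg["name"], control) not in approved_exceptions:
                findings.append(Finding(pg["name"], pg["vswitch"], control, source))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_HOST, approved_exceptions={("IDS Monitor", "allowPromiscuous")}):
        print(f"{f.portgroup} on {f.vswitch}: {f.control} accepted (set at {f.source})")
```

The "VM Network" findings are the case worth noticing: nothing is set on the port group itself, so a review of port group settings alone would miss them.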
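The virtual networking notes above name strong change control and meticulous log and event monitoring as the mitigation for drop-down port group changes. This added example (not code from the webcast, VMware or RSA) checks VM vNIC reconfiguration events against an approved-change list and a set of restricted port groups; the event records and tickets are constructed and simplified, not the real vCenter event schema.

```python
"""Detection logic for virtual-network reconfiguration events.  Added example,
not code from the webcast or from any vendor.  The events are a constructed,
simplified form of vCenter VM reconfiguration events; the approved changes are
a constructed stand-in for a change-control system's export."""

from dataclasses import dataclass
from datetime import datetime

# Port groups carrying the management layer or storage traffic that VMs must
# never join (the separation the notes call the most important step).
RESTRICTED_PORTGROUPS = {"Management Network", "vMotion", "iSCSI Storage"}

# Constructed sample events: who moved which VM's vNIC from where to where.
SAMPLE_EVENTS = [
    {"time": "2011-04-07T09:05:00", "user": "VSPHERE\\jsmith", "vm": "web-01",
     "from": "VM Network", "to": "DMZ Web"},
    {"time": "2011-04-07T13:42:10", "user": "VSPHERE\\jsmith", "vm": "web-01",
     "from": "DMZ Web", "to": "Management Network"},
    {"time": "2011-04-07T02:15:00", "user": "VSPHERE\\svc-backup", "vm": "db-01",
     "from": "App Zone", "to": "DB Zone"},
    {"time": "2011-04-07T10:00:00", "user": "VSPHERE\\netadmin", "vm": "app-02",
     "from": "VM Network", "to": "App Zone"},
]

# Constructed approved changes: a ticket authorises one VM to land on one
# port group inside a time window.
APPROVED_CHANGES = [
    {"ticket": "CHG-0001", "vm": "web-01", "to": "DMZ Web",
     "window": ("2011-04-07T09:00:00", "2011-04-07T10:00:00")},
    {"ticket": "CHG-0002", "vm": "app-02", "to": "App Zone",
     "window": ("2011-04-07T09:00:00", "2011-04-07T12:00:00")},
]


@dataclass(frozen=True)
class Alert:
    severity: str
    vm: str
    user: str
    reason: str


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def matching_ticket(event, approved):
    """Return the ticket that authorises this move (same VM, same destination,
    inside the window), or None when no ticket covers it."""
    when = _parse(event["time"])
    for change in approved:
        start, end = (_parse(t) for t in change["window"])
        if (change["vm"] == event["vm"] and change["to"] == event["to"]
                and start <= when <= end):
            return change["ticket"]
    return None


def evaluate(events, approved=APPROVED_CHANGES):
    """Alert on every port group move that is unapproved, and escalate when the
    destination is a restricted (management or storage) port group."""
    alerts = []
    for ev in events:
        ticket = matching_ticket(ev, approved)
        if ev["to"] in RESTRICTED_PORTGROUPS:
            # A VM joining the management network is the isolation breach the
            # notes warn about; without a ticket it is the top-priority case.
            detail = f"under {ticket}" if ticket else "with no change ticket"
            alerts.append(Alert("high" if ticket is None else "medium", ev["vm"], ev["user"],
                                f"vNIC moved to restricted port group {ev['to']!r} {detail}"))
        elif ticket is None:
            alerts.append(Alert("medium", ev["vm"], ev["user"],
                                f"unapproved move {ev['from']!r} -> {ev['to']!r}"))
    return alerts


if __name__ == "__main__":
    for a in evaluate(SAMPLE_EVENTS):
        print(f"[{a.severity}] {a.vm} by {a.user}: {a.reason}")
```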
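The Archer notes above describe a three-tier hierarchy (authoritative source, control standard, control procedure) and an agent whose automated checks supplement the VI admins' questionnaire answers. This added example (not RSA Archer code) rolls constructed control results up that hierarchy into the VI admin's detail view and the CxO's regulation-level view; apart from the three identifiers shown on the Archer slide, the identifiers, hosts and all results are constructed.

```python
"""Roll-up of VMware control results through the Authoritative Source ->
Control Standard -> Control Procedure hierarchy.  Added example, not RSA Archer
code.  "10.10.04 ...", "CS-179 ..." and "CP-108324 ..." are the identifiers
shown in the deck; every identifier marked EXAMPLE, the hosts and the results
are constructed."""

from dataclasses import dataclass

# Authoritative-source section -> control standards -> control procedures.
HIERARCHY = {
    "10.10.04 Administrator and Operator Logs": {
        "CS-179 Activity Logs": [
            "CP-108324 Persistent logging on ESXi Server",
            "CP-EXAMPLE-A Remote syslog target configured",  # constructed id
        ],
        "CS-EXAMPLE-B Log review": [                         # constructed id
            "CP-EXAMPLE-C Activity logs reviewed weekly",    # constructed id
        ],
    },
}

# Procedures the automated agent measures; the rest come from questionnaires.
AUTOMATED = {"CP-108324 Persistent logging on ESXi Server",
             "CP-EXAMPLE-A Remote syslog target configured"}

# Constructed results.  Agent: one entry per (procedure, host).
# Questionnaire: one answer per procedure, None = not yet answered.
AGENT_RESULTS = {
    ("CP-108324 Persistent logging on ESXi Server", "esxi-01"): "pass",
    ("CP-108324 Persistent logging on ESXi Server", "esxi-02"): "fail",
    ("CP-EXAMPLE-A Remote syslog target configured", "esxi-01"): "pass",
    ("CP-EXAMPLE-A Remote syslog target configured", "esxi-02"): "pass",
}
QUESTIONNAIRE = {"CP-EXAMPLE-C Activity logs reviewed weekly": "yes"}


@dataclass(frozen=True)
class ProcedureStatus:
    procedure: str
    compliant: bool
    failing_hosts: tuple  # empty unless the agent measured a failure
    evidence: str         # "automated", "questionnaire", "unanswered", "unmeasured"


def procedure_status(cp, agent_results, questionnaire):
    """A procedure is compliant only when every measured host passes, or the
    questionnaire answer is "yes".  No measurement and no answer both count as
    non-compliant: compliance that cannot be shown cannot be proven to an auditor."""
    if cp in AUTOMATED:
        hosts = {h: r for (proc, h), r in agent_results.items() if proc == cp}
        if not hosts:
            return ProcedureStatus(cp, False, (), "unmeasured")
        failing = tuple(sorted(h for h, r in hosts.items() if r != "pass"))
        return ProcedureStatus(cp, not failing, failing, "automated")
    answer = questionnaire.get(cp)
    if answer is None:
        return ProcedureStatus(cp, False, (), "unanswered")
    return ProcedureStatus(cp, answer == "yes", (), "questionnaire")


def vi_admin_view(hierarchy=HIERARCHY, agent_results=AGENT_RESULTS,
                  questionnaire=QUESTIONNAIRE):
    """Detail view: every non-compliant procedure with the hosts to fix."""
    out = []
    for standards in hierarchy.values():
        for cps in standards.values():
            for cp in cps:
                status = procedure_status(cp, agent_results, questionnaire)
                if not status.compliant:
                    out.append(status)
    return out


def cxo_view(hierarchy=HIERARCHY, agent_results=AGENT_RESULTS,
             questionnaire=QUESTIONNAIRE):
    """Roll-up view: per authoritative source, the percentage of control
    standards that are fully compliant (a standard fails if any procedure fails)."""
    summary = {}
    for source, standards in hierarchy.items():
        ok = sum(all(procedure_status(cp, agent_results, questionnaire).compliant
                     for cp in cps) for cps in standards.values())
        summary[source] = round(100.0 * ok / len(standards), 1)
    return summary


if __name__ == "__main__":
    for s in vi_admin_view():
        print(f"FIX {s.procedure}: hosts {s.failing_hosts} ({s.evidence})")
    print(cxo_view())
```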
    1. How to Secure your Virtual Machine
       Sharon Isaacson; Erin K. Banks, CISSP, CISA / www.commondenial.com / @banksek
    2. Our Customers Are Asking Themselves
       • How do I centrally manage compliance across mixed VMware and physical IT environments?
       • Can I secure access and information in my VMware View environment?
       • Can I respond more quickly to security events in my virtual environment?
       • Can I ensure my virtualized business critical applications are running in a secure and compliant environment?
    3. Implications of Challenges
       • CISOs need to manage security and compliance across virtual and physical IT
       • Security and compliance concerns stall the adoption of virtualization
       • Missing opportunity for “better than physical” security
    4. Virtualization Creates an Opportunity for More Effective Security
       Push Security Enforcement Further Down the Stack (diagram layers: Physical Infrastructure; Virtual and Cloud Infrastructure; vApp and VM layer, each VM shown as APP over OS)
       • Today most security is enforced by the OS and application stack. This is:
         • Ineffective
         • Inconsistent
         • Complex
       • Pushing information security enforcement to the infrastructure layer ensures:
         • Consistency
         • Simplified security management
         • Ability to surpass the levels of security possible in today’s physical infrastructures
    6. VMware Approach to Security
    7. Isolation by Design
       Virtual Storage
       • Virtual Machines only see virtual SCSI devices, not actual storage
       • Exclusive virtual machine access to virtual disks enforced by VMFS using SCSI file locks
       Virtual Network
       • No code exists to link virtual switches
       • Virtual switches immune to learning and bridging attacks
       CPU & Memory
       • VMs have limited access to CPU
       • Memory isolation enforced by Hardware TLB
       • Memory pages zeroed out before being used by a VM
    8. VMware Secure Development Lifecycle Process
       Goals: Protect Customer Data & Infrastructure; Enable Policy Compliance; Protect Brand
       Process elements (diagram labels): Architecture Risk Analysis; Response Preparation; Code Analysis & Inspection; Security Testing; Security Response; Kickoff & Business Risk Analysis; Training; Product Security Policy
    9. Independently validated
       • Common Criteria Certification EAL (Evaluation Assurance Level)
         • RSA Archer eGRC Platform v5.0: in process
         • RSA Data Loss Prevention Suite v6.5: EAL 2+
         • VMware ESXi 3.5 and VirtualCenter 2.5: EAL 4+
         • VMware ESX Server 3.5 and VirtualCenter 2.5: EAL 4+
         • VMware ESX 4.0 Update 1 and vCenter Server 4.0 Update 1: EAL 4+
       • DISA STIG for all products
         • Approval for use in DoD information systems
       • NSA Central Security Service
         • Guidance for both datacenter and desktop scenarios
    10. How Virtualization Affects Datacenter Security
       (↑ = positive, ↓ = negative effect on security; drivers shown: Faster deployment of servers, VM Mobility, VM Encapsulation)
       • ↑ Ease of business continuity
       • ↑ Consistency of deployment
       • ↑ Hardware Independence
       • ↓ Outdated offline systems
       • ↓ Unauthorized Copy
       • ↑ Improved Service Levels
       • ↓ Identity divorced from physical location
       • ↑ IT responsiveness
       • ↓ Lack of adequate planning
       • ↓ Incomplete knowledge of current state of infrastructure
       • ↓ Poorly Defined Procedures
       • ↓ Inconsistent Configurations
    11. How do we secure and make our Virtual Infrastructure compliant?
       • Use the Principles of Information Security
         • Hardening and Lockdown
         • Defense in Depth
         • Authorization, Authentication, and Accounting to enforce Separation of Duties and Least Privileges
         • Administrative Controls
       • For virtualization this means:
         • Secure the Guests
         • Harden the Virtualization layer
         • Setup Access Controls
         • Leverage Virtualization Specific Administrative Controls
       • What Auditors Want to See:
         • Network Controls
         • Change Control and Configuration Management
         • Access Controls & Management
         • Vulnerability Management
    12. Data Center needs to be secured at different levels
       Perimeter Security (keep the bad guys out)
       • Perimeter security device(s) at the edge
       • Firewall, VPN, Intrusion Prevention
       • Load balancers
       • Cost & complexity at the vDC edge: sprawl (hardware, FW rules, VLANs); rigid FW rules; performance bottlenecks
       Internal Security (segmentation of applications, servers; VLANs)
       • VLAN or subnet based policies
       • Interior or Web application Firewalls
       • DLP, application identity aware policies
       End Point Security (end point protection)
       • Desktop AV agents
       • Host based intrusion
       • DLP agents for privacy
    13. Securing virtual Data Center (vDC) with legacy security solutions
       Diagram labels: VIRTUALIZED DMZ WITH FIREWALLS; WEB ZONE, APPLICATION ZONE, DATABASE ZONE (three vSphere pods); ENDPOINT SECURITY, INTERNAL SECURITY, PERIMETER SECURITY; Internet
       • Air Gapped Pods with dedicated physical hardware
       • Mixed trust clusters without internal security segmentation
       • Configuration Complexity
       • VLAN sprawl
       • Firewall rules sprawl
       • Rigid network IP rules without resource context
       • Private clouds (?)
       Customers cannot realize true virtualization benefits due to security concerns
    14. Legacy security approach does not work for vDCs
       Perimeter Security: cost & complexity at the vDC edge
       • Sprawl: hardware, FW rules, VLANs
       • Rigid FW rules
       • Performance bottlenecks
       End Point Security: agent sprawl and performance on vDC endpoints
       • AV ‘storms’ strain resource pools
       • Sprawl: AV agents in all VMs
       • Risk: AV in guest VMs – not hardened
       Internal Security: VLAN complexity & blind spots across vDC applications (VLAN 1, VLAN 2)
       • Sprawl: VLANs, hardware
       • Blind spots: inter-VM traffic
       • Performance bottlenecks
    15. vShield Products: Securing the Private Cloud End to End, from the Edge to the Endpoint
       Diagram zones: DMZ, Application 1, Application 2
       • vShield Edge (Edge): secure the edge of the virtual datacenter
       • vShield App and Zones (Security Zone): create segmentation between enclaves or silos of workloads
       • vShield Endpoint (Endpoint = VM): offload anti-virus processing
       • vShield Manager: centralized management
    16. Leveraging Virtualization for Better-than-Physical Security
       • Key Benefits
         • Complete visibility and control of inter-VM traffic, enabling multiple trust zones on the same ESX cluster
         • Intuitive business-language policy leveraging the vCenter inventory
       • Better than Physical
         • Virtual firewall with unlimited port density
         • Hypervisor-level introspection provides access to inter-VM traffic
         • Topology independent regardless of network configuration: policies follow the VMs (IP-address-agnostic policies)
         • Built-in firewall capabilities provide better-than-physical security at 1/3 the cost
       (Diagram label: Security Policy)
    17. Summary: VMware Approach to Security
    19. Security Tools
       • SIEM (security information and event management)
       • Compliance (hardening guidelines)
       • Data Loss Prevention
       • vShield Zones
       • Access Control
       • Network Control
       • VLANs
       • Secure Code
       • …
    20. Visibility
    21. SIEM
       • Security information and event management tool
       • Captures event data
       • Audit logs
       • Storage
       • Groups
       • Virtual network infrastructure
       • User and Administrative activities
    22. VMware Collector for RSA enVision
       • Uses VMware native APIs to retrieve the logs from vCenter and ESX/ESXi servers
       • Supports multiple vCenters
    23. VMware Messages
       • enVision collects and parses messages from
         • VMware View, VMware vShield, VMware vCloud Director
       • Over 800 very well described Message IDs
         • vMotion and Storage vMotion
         • Snapshots
         • User Login/Logoff
         • Virtual Machine Operations, e.g. Power On/Off/Reset
       • 7 taxonomy categories
         • Authentication, config, policies, system
    25. GRC
       • Governance
         • Setting the rules
       • Risk
         • Ensuring the correct rules are in place and functioning
       • Compliance
         • Measuring the effectiveness of the rule
           • Understanding the process used to define the rule
           • Understanding how well people adhere to the rule
    26. Trusting The Cloud
       • How Do You Govern, Manage Risk, and Ensure Compliance?
       Diagram labels: Governance, Risk, Compliance (eGRC); Private, Public, Hybrid clouds; PCI, COBIT, SOX, ISO, GLBA, NIST, FISMA
    27. RSA Archer: Mapping VMware security controls to regulations and standards
       Audiences: CxO; VI Admin
       • Authoritative Source: regulations (PCI-DSS, etc.), e.g. “10.10.04 Administrator and Operator Logs”
       • Control Standard: generalized security controls, e.g. “CS-179 Activity Logs – system start/stop/config changes etc.”
       • Control Procedure: technology-specific control, e.g. “CP-108324 Persistent logging on ESXi Server”
    28. RSA Solution for Cloud Security and Compliance v1.0
       Diagram labels: VMware-specific Controls; RSA Archer eGRC; RSA enVision; Automated Measurement Agent; VI Configuration Measurement; VI Component Discovery and Population; alerts
    29. Overall Virtual Infrastructure Compliance Dashboard
    30. Demonstration
    31. VMware vShield Network Security Events Fed to Archer
    32. HyTrust - Access Policy Events Fed to Archer
    33. Making Archer the Best GRC Solution for Hybrid Clouds
       Assessing Service Provider Compliance
       • RSA Solution for Cloud Security and Compliance aligns with CSA Consensus Assessment Questions by automating 195 questions that customers can issue to assess cloud service providers.
       • Diagram: Cloud Security Alliance’s 13 domains of focus for cloud computing
    34. More Information
       • www.rsa.com/rsavirtualization
       • RSA SecurBooks – Technical guides for deploying and operating RSA Solutions
    36. Avamar Advantages for VMware Data Protection (Backup & Recovery)
       • Guest-Level Backup
         • Best for Tier 1 Application Consistency
         • Highest level of deduplication
         • File-level recovery
       • vCenter Integration
         • Displays protected VMs and protection type (guest, image)
         • Identifies VMs that are not protected
       • Image-Level Backup (vmdk)
         • Change block tracking reduces backup processing
         • Single-step backups & restores
         • Restore to the original VM or new VM
         • Proxy pooling and load balancing
         • File-level recovery from image backup
       • Scalability
         • Avamar scales to meet data growth and backup requirements
         • Bare metal restore for entire Vblock (VCE)
    37. VMware vStorage API for Site Recovery Manager: EMC Storage Replication Adapters for DR Recovery
       Diagram: Production and DR Test sites linked over a WAN by EMC Replication (“Press In Case of Disaster”)
       • EMC Storage Platforms Integrate With VMware SRM
       • EMC SRAs Allow Automated
         • D/R Setup
         • D/R Testing
         • Site Failover
       • EMC VSI Manages Automated Failback After Recovery
    39. Q & A