Privileged Access Management for the
Software-Defined Network
Shawn Hank
Security
CA Technologies
Director, Presales
SCT32T
@shawnhank
#CAWorld

2 © 2015 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD
© 2015 CA. All rights reserved. All trademarks referenced herein belong to their respective companies.
The content provided in this CA World 2015 presentation is intended for informational purposes only and does not form any type of
warranty. The information provided by a CA partner and/or CA customer has not been reviewed for accuracy by CA.
For Informational Purposes Only
Terms of this Presentation

3 © 2015 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD
Abstract
New extensions to CA Privileged Access
Manager significantly expand the ability of the
product to protect and defend resources in
VMware NSX virtualized network environments.
In this session, we’ll examine and demonstrate
those capabilities, which take advantage of new
technologies and methods made available by
the NSX infrastructure, in more detail.
Shawn Hank
CA Technologies
Director, Presales

4 © 2015 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD
Network virtualization overview
Decoupled
Hardware
Software
General Purpose Networking Hardware
Network Hypervisor
Requirement: IP Transport
Virtual
Network
Virtual
Network
Virtual
Network
Workload Workload Workload
L2, L3, L4-7 Network Services
General Purpose Server Hardware
Server Hypervisor
Requirement: x86
Virtual
Machine
Virtual
Machine
Virtual
Machine
Application Application Application
x86 Environment

5 © 2015 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD
NSX Delivers the Operational Model of a VM for the
Network
 Abstracts, pools, automates
networking for the SDDC
 Reproduces L2/3 networking,
L4-7 services
 Runs on any existing
networking hardware
 Provides scale out/distributed
switching, routing, firewalling

6 © 2015 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD
Distributed firewalling
An NSX network is made up of distributed network elements
embedded in each hypervisor,
enabling each VM to have its own firewall.
 Firewalls/policies provisioned simultaneously with
VMs
 Policies move with their VMs
 Retiring a VM deprovisions its firewall – no
possibility of stale rules
NSX firewalling: fully distributed, embedded in every hypervisor in the
data center

7 © 2015 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD
Configure policy with Security Groups
Select elements to uniquely identify
application workloads
Use attributes to create Security Groups Apply policies to security groups
1 2 3
ABC
DEF
Group
XYZ
App 1
OS: Windows 8
TAG: “Production”
 Enforce policy based on logical
constructs
 Reduce configuration errors
 Policy follows VM, not IP
 Reduce rule sprawl and complexity
Group
XYZ
Policy 1
“IPS for Desktops”
“FW for Desktops”
Policy 2
“AV for Production”
“FW for Production”
Element type
Static Dynamic
Data center
Virtual net
Virtual machine
vNIC
VM name
OS type
User ID
Security tag
Use security groups to abstract policy from application
workloads.

8 © 2015 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD
Automate security operations
ACTION (then)ATTRIBUTE (if)
Virus found
IIS.EXE
Vulnerability found
(old software version)
“PCI”
Sensitive Data Found
Allow & Encrypt*
Restrict access while
investigating
OR
 Automated detection of security
conditions
(virus, vulnerability, etc.)
 Security policies define automated
actions
Security operations are automated and adapt to
dynamic conditions
Monitor VM
with IPS
Quarantine VM with
Firewall

9 © 2015 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD
Achieving segmentation with NSX
 Each VM can now be its
own perimeter
 Policies align with
logical groups
 Control communication
within a single VLAN
 Prevents threats from
spreading
NSX segmentation simplifies network
security
App
DMZ
Services
DB
Perimeter
firewall
Finance HR IT
AD NTP DHCP DNS CERT
Inside
firewall

10 © 2015 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD
CA Privileged Access Manager for VMware NSX-V™
Integration Overview
VMware vCenter
HTTPS (443/tcp)
CA Privileged
Access Manager
VM Network
Windows Targets:
RDP (3389/tcp)
HTTP (80/tcp) & HTTPS (443/tcp)
… and more!
Linux Targets:
SSH (22/tcp)
Telnet (23/tcp)
HTTP (80/tcp) & HTTPS (443/tcp)
… and more!
VMware UIs:
vCloud Automation Center
vCloud Director
vShield Manager
vSphere Web Client
… and more!
Operational Dependencies:
AD/LDAP/etc services
RADIUS/TACACS+ servers
NTP/DNS/Basic IP services
SYSLOG services
SAN/NAS/share (recordings)
NSX Manager
SSH (22/tcp)
HTTPS (443/tcp)
NSX Controllers
SSH (22/tcp)
Supported Authentication Types:
Local, AD/LDAP, TACACS+, RADIUS,
RSA, SMS/Mobile Token, SAML,
and/or PIV/CAC/Smartcard

11 © 2015 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD
CA PAM for VMware NSX – NSX Manager REST API Proxy
The last mile for full NSX Manager administration visibility
 Users and scripts talk to the Proxy, not to NSX Manager, with different credentials, which
may rotate on a policy or schedule
 CA PAM vaults – and rotates – the NSX Manager credentials
 Integrates with Application to Application (A2A)
Closing the “API Loop” to the NSX management plane
Consumer NSX Manager
NAP
NSX Manager API Proxy
Logs A2A Requests Change Password
Z-side Request/ResponseA-side Request/Response
CA Privileged
Access Manager

12 © 2015 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD
CA PAM for VMware NSX – Dynamic Tagging and Grouping
CA PAM Policy in lockstep with NSX Security Tags and Groups
 NSX Security Tags and Groups synced with CA PAM and tied to Policies
 As VMs enter/leave NSX Security Groups, CA PAM Access is provisioned/removed
Synchronize CA PAM policies with changes in the NSX security posture
VMware vCenter
VM Network
NSX Manager
Sync
CA Privileged
Access Manager

13 © 2015 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD
CA PAM for VMware NSX – Access Restrictor
DFW Rules added and removed on-demand
 Rules added when connections are opened and removed when closed
 Removes the human element and potential for error
 Enables a highly-secure “deny all” environment where exceptions are forced through CA
PAM and only CA PAM may access protected resources
Automatic, runtime, ephemeral Distributed Firewall Rules maintained by CA PAM
Client
User
Target VM
NSX Manager
DFWCA Privileged
Access Manager

14 © 2015 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD
CA PAM for VMware NSX – Service Composer Integration
Deep integration with Service Composer
 As VMs enter or leave NSX Security Groups, CA PAM will:
- Enable or disable session recording
- Terminate sessions
- Force CA PAM session re-authentication
Trigger events in CA PAM via NSX Service Composer workflows
User
Session
NSX Partner
Ecosystem
Product
NSX Manager
Vmware
vCenter
Admin
Apply Tag
Apply Tag
Enable/Disable Session Recording
Terminate Sessions
Xsuite Re-Authentication
CA Privileged
Access Manager

15 © 2015 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD
Recommended Sessions
SESSION # TITLE DATE/TIME
SCT19T
Defend Against Data Breaches With CA Privileged Access
Management
11/18/2015 at 3:00 pm
SCT07S Roadmap: Privileged Identity Management 11/19/15 at 4:30 pm
SCT33S
Protecting the Software-Defined Data Center
from Data Breach
11/18/2015 at 2:00 pm

16 © 2015 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD
Must See Demos
Positive Privileged
User Authentication
CA Privileged Access
Manager
Security Theater
Fine-Grained Access
Control for Servers
CA Privileged Access
Manager Server
Control
Security Theater
Privileged Access
Control
CA Privileged Access
Manager
Security Theater
Record and Analyze
User Sessions
CA Privileged Access
Manager
Security Theater

17 © 2015 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD
Follow On Conversations At…
Smart Bar
CA Privileged Access
Manager
Security Theater
Tech Talks
Defend Against Data
Breaches With CA
Privileged Access
Management
SCT19T

18 © 2015 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD
Q & A

19 © 2015 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD
For More Information
To learn more, please visit:
http://cainc.to/Nv2VOe
CA World ’15