
Protecting the Software-Defined Data Center from Data Breach


In this session, learn:

Security Requirements for our next generation software defined data centers

VMware NSX™, VMware’s network virtualization platform, and how it protects the software defined data center

CA Privileged Access Manager for VMware NSX™, and how it protects the management plane of VMware NSX™

For more information, please visit http://cainc.to/Nv2VOe

Slide transcript

  1. Protecting the Software-Defined Data Center from Data Breach
     Mordecai Rosen, Vice President, Product Management and Strategy, Security, CA Technologies
     Jeremiah Cornelius, Security Architect and Partner Product Strategist, VMware
     Session SCT33S
  2. Terms of this Presentation
     © 2015 CA. ALL RIGHTS RESERVED. @CAWORLD #CAWORLD
     © 2015 CA. All rights reserved. All trademarks referenced herein belong to their respective companies. The content provided in this CA World 2015 presentation is intended for informational purposes only and does not form any type of warranty. The information provided by a CA partner and/or CA customer has not been reviewed for accuracy by CA. For informational purposes only.
  3. Session Abstract: Protecting the Software Defined Data Center from Breach
     In this session, we will discuss:
     • Security requirements for our next generation software defined data centers
     • VMware NSX™, VMware's network virtualization platform, and how it protects the software defined data center
     • CA Privileged Access Manager for VMware NSX™, and how it protects the management plane of VMware NSX™
     Mordecai Rosen, CA Technologies, VP Product Mgmt.; Jeremiah Cornelius, VMware Security Architect
  4. Existing security layers have been breached
     Today's data centers are protected by strong perimeter defense, but threats and exploits still infect servers. Low-priority systems are often the target, and SSL is no guarantee of protection.
     Attacks spread inside the data center, where internal controls are often weak. Critical systems are targeted.
     Possibly after months of reconnaissance, the infiltration relays secret data to the attacker.
     Attackers follow a predictable pattern of actions, called a kill chain, in attempting their attacks. Compromised identities and privileged accounts are at the core of the kill chain.
  5. The Problem: 25 years of perimeter security has failed
     Today's security model focuses on perimeter defense, but continued security breaches show this model is not enough. [Diagram: the Internet-facing perimeter, with service providers, partners, auditors, customers, employees and a hacker all reaching inside it.]
  6. Repurposing existing tools doesn't work
     A typical data center has 2 firewalls vs. 1000 workloads. Directing all traffic (virtual and physical) through chokepoint firewalls is inefficient, and a physical firewall per workload is cost prohibitive and unmanageable.
  7. The Solution: New software defined data center model
     Integrating identity, security and manageability into the fabric.
     Starting assumption: assume everything is a threat and act accordingly.
     Design principles: (1) identity-centric micro-segmentation; (2) secure, policy-based management plane.
  8. How do you move as fast as the business needs you to move while securing an ever-growing and changing environment, without having to start over?
  9. You need a new approach to networking and security that gives you the agility and speed you need to support the business, while providing an inherently more secure infrastructure.
  10. Security is needed everywhere, but we can't have our controls everywhere
     Why can't we have individual firewalls for every VM? Physical firewalls are expensive and complex; virtual firewalls are slow, costly and complicated. With traditional technology, this is operationally infeasible.
  11. NSX value proposition
     Network virtualization is at the core of an SDDC approach: a virtualization layer over network, storage and compute.
  12. The next-generation networking model
     Network and security services now in the hypervisor: switching, routing, firewalling/ACLs, load balancing.
  13. The next-generation networking model
     Switching, routing, firewalling/ACLs and load balancing as native platform capability, with high throughput rates and east-west firewalling.
  14. The next-generation networking model
     NSX value proposition: network virtualization is at the core of an SDDC approach. The virtualization layer over network, storage and compute acts as a "network hypervisor" on which virtual networks are built.
  15. Business value
     Delivering inherently secure infrastructure: more secure and 1/3 the cost of less secure infrastructure. Security policies simplified, logical groups enabled, threats contained. [Diagram: data center perimeter with DMZ and secure user environments.]
  16. Intelligent grouping
     Groups defined by customized criteria: operating system, machine name, application tier, services, security posture, regulatory requirements.
  17. NSX: at the "Goldilocks Zone" of security
     Ubiquity, isolation, context. Core services (switching, routing, firewalling) built into the hypervisor kernel give fine-grained containment; an ecosystem of distributed services gives better security through insight.
  18. VMware Partners with CA for Privileged Access Management
  19. CA Technologies Announce CA Privileged Access Manager for VMware NSX
     CA Technologies Collaborates with VMware® on Comprehensive Privileged Access Management Solution for VMware NSX
  20. and 21. CA Privileged Access Manager: Privileged Identity and Access Management for the Hybrid Enterprise
     A new security layer: control and audit all privileged access, with unified policy management across the hybrid enterprise.
     Form factors: hardware appliance, OVF virtual appliance, AWS AMI. Identity integration.
     Enterprise-class core:
     • Vault credentials
     • Centralized authentication
     • Federated identity
     • Privileged single sign-on
     • Role-based access control
     • Monitor and enforce policy
     • Record sessions and metadata
     • Full attribution
     Managed targets: traditional data center (mainframe, Windows, Linux, Unix, networking, enterprise admin tools); software defined data center (SDDC console and APIs); public cloud IaaS (cloud console and APIs); SaaS applications (SaaS consoles and APIs).
  22. Use Case 1: Firewall Administration
     Addressing a traditional problem with a more secure and agile solution.
     Problem: You have a requirement that all management ports on production resources be closed when not in use, and you must demonstrate this to an auditor on demand.
     Traditional solution: The admin opens a ticket with the SOC, which adds a firewall rule permitting the admin to do their work. When the admin is done, they resolve the ticket; the SOC removes the rule and closes the ticket.
     Challenges: A fully manual process with potential for human error. No visibility into what the admin did during the session. An overly broad rule permits bad actors.
  23. CA PAM for VMware NSX: Access Restrictor
     Automatic, runtime, ephemeral Distributed Firewall rules maintained by CA PAM. DFW rules are added and removed on demand:
     • Rules are added when connections are opened and removed when they are closed
     • Removes the human element and the potential for error
     • Enables a highly secure "deny all" environment where exceptions are forced through CA PAM and only CA PAM may access protected resources
     [Diagram: client user, CA Privileged Access Manager, target VM; CA PAM programs the DFW through NSX Manager.]
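The Access Restrictor pattern on slide 23 is easier to reason about in code. The block below is an added illustration, not CA or VMware code: it models a deny-all distributed firewall whose only allow rules are created when a brokered session opens and removed when it closes. The PAM appliance address, the rule shape, the hard session cap and the audit format are assumptions for the example; a real deployment would push equivalent rules to NSX Manager's DFW API. The extra detail a practitioner wants is the expiry: if the broker dies mid-session, the rule must still go away, so every rule carries a TTL.

```python
"""Ephemeral, session-scoped allow rules over a deny-all baseline (illustrative, not CA/VMware code)."""
import time
import uuid
from dataclasses import dataclass, field
from typing import Callable, Dict, List

PAM_PROXY_IP = "10.0.0.5"        # assumed address of the PAM appliance that brokers every session
MAX_SESSION_SECONDS = 8 * 3600   # assumed hard cap so an orphaned rule cannot live forever


@dataclass
class AllowRule:
    rule_id: str
    src_ip: str      # always the PAM proxy: the admin workstation never gets a direct path
    dst_ip: str
    dst_port: int
    created: float
    expires: float


@dataclass
class EphemeralDfw:
    """Deny-all policy whose only allow rules are tied to live PAM sessions."""
    now: Callable[[], float] = time.time               # injectable clock for testing
    rules: Dict[str, AllowRule] = field(default_factory=dict)
    audit: List[tuple] = field(default_factory=list)   # append-only attribution log

    def open_session(self, user: str, target_ip: str, port: int,
                     ttl: int = MAX_SESSION_SECONDS) -> str:
        """Called when PAM brokers a connection; returns the rule handle for later removal."""
        ttl = min(ttl, MAX_SESSION_SECONDS)
        t = self.now()
        rule = AllowRule(str(uuid.uuid4()), PAM_PROXY_IP, target_ip, port, t, t + ttl)
        self.rules[rule.rule_id] = rule
        self.audit.append(("open", user, target_ip, port, rule.rule_id))
        return rule.rule_id

    def close_session(self, user: str, rule_id: str) -> bool:
        """Called when the brokered connection ends; False if the rule was already gone."""
        rule = self.rules.pop(rule_id, None)
        self.audit.append(("close", user, rule_id, rule is not None))
        return rule is not None

    def expire(self) -> List[str]:
        """Garbage-collect rules whose session outlived its TTL (e.g. the broker crashed)."""
        t = self.now()
        dead = [rid for rid, r in self.rules.items() if r.expires <= t]
        for rid in dead:
            self.rules.pop(rid)
            self.audit.append(("expire", rid))
        return dead

    def is_allowed(self, src_ip: str, dst_ip: str, port: int) -> bool:
        """Default deny: a packet passes only if a live, unexpired session rule matches it."""
        self.expire()
        return any(r.src_ip == src_ip and r.dst_ip == dst_ip and r.dst_port == port
                   for r in self.rules.values())


if __name__ == "__main__":
    dfw = EphemeralDfw()
    rid = dfw.open_session("alice", "10.1.1.20", 22, ttl=600)
    print("via PAM:", dfw.is_allowed(PAM_PROXY_IP, "10.1.1.20", 22))      # True
    print("direct:", dfw.is_allowed("192.168.9.9", "10.1.1.20", 22))      # False
    dfw.close_session("alice", rid)
    print("after close:", dfw.is_allowed(PAM_PROXY_IP, "10.1.1.20", 22))  # False
    print(dfw.audit)
```

The important property is that the allow rule's source is the broker, not the administrator's workstation, so "only CA PAM may access protected resources" holds even while a session is open; the audit list is what you hand the auditor who asks for proof that management ports were closed when not in use.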
  24. Use Case 2: Policy Synchronization
     Different products, different data and different policy models.
     Problem: You want to synchronize your security policies across products from different vendors. For example, when your A/V vendor detects a virus, you want the VM placed into quarantine.
     Traditional solution: Hire somebody to keep them in sync, or write custom code that keeps them in sync by leveraging the different APIs of the different vendors.
     Challenges: In the manual case, more human error and opportunity for insider threat. In the custom code case, you must hire somebody to write it and keep it up to date.
  25. CA PAM for VMware NSX: Dynamic Tagging and Grouping
     CA PAM policy in lockstep with NSX Security Tags and Groups; CA PAM policies are synchronized with changes in the NSX security posture:
     • NSX Security Tags and Groups are synced with CA PAM and tied to policies
     • As VMs enter or leave NSX Security Groups, CA PAM access is provisioned or removed
     [Diagram: VMware vCenter and NSX Manager (VM network) syncing with CA Privileged Access Manager.]
  26. Use Case 3: Workflow Automation
     Making different products from different vendors talk to each other.
     Problem: When your security products detect anomalies, you want them to coordinate with other products. For example, when threat intel detects an event, you want it to terminate, or begin recording, all traffic on the affected VMs.
     Traditional solution: Have your SOC monitor logs and SIEM data and take action manually.
     Challenges: Seeing a trend? This too relies on a manual step, and if your SOC is distracted, suffering "false positive fatigue" or malicious, you miss a critical opportunity to break the kill chain.
  27. CA PAM for VMware NSX: Service Composer Integration
     Deep integration with Service Composer: events in CA PAM are triggered via NSX Service Composer workflows. As VMs enter or leave NSX Security Groups, CA PAM will:
     • Enable or disable session recording
     • Terminate sessions
     • Force CA PAM session re-authentication (Xsuite re-authentication)
     [Diagram: an NSX partner ecosystem product, or an admin in VMware vCenter, applies a tag; NSX Manager notifies CA Privileged Access Manager, which acts on the user session.]
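Slides 25 and 27 describe the same mechanism from two sides: security-group membership changes drive both access provisioning and session actions. The block below is an added example serving both slides; it is not CA or VMware code. It recomputes group membership from VM tags using criteria in the style of slide 16, diffs two snapshots, and emits the actions a PAM would take. The group names, tag names, role names, the "quarantine overrides everything" rule and the action vocabulary are assumptions. In a real deployment NSX Manager evaluates the groups and Service Composer delivers the enter/leave events; here they are recomputed locally so the example runs offline.

```python
"""Tag-driven group membership reconciled into PAM grants and session actions (illustrative)."""
from typing import Dict, List, Set, Tuple

# Security groups defined by criteria: a VM is a member if it carries every listed tag (assumed names).
GROUP_CRITERIA: Dict[str, Dict[str, str]] = {
    "SG-PCI-Web":    {"tier": "web", "regulatory": "PCI"},
    "SG-Quarantine": {"AV.virusFound": "true"},
}
QUARANTINE = "SG-Quarantine"

# PAM policy per group: roles allowed to reach members, and session actions on entry/exit (assumed).
GROUP_POLICY = {
    "SG-PCI-Web":    {"grant": ["pci-admins"], "on_enter": ["enable_recording"], "on_leave": []},
    "SG-Quarantine": {"grant": ["ir-team"],
                      "on_enter": ["terminate_sessions", "enable_recording", "force_reauth"],
                      "on_leave": ["force_reauth"]},
}

Inventory = Dict[str, Dict[str, str]]   # vm name -> {tag: value}


def members(inventory: Inventory) -> Dict[str, Set[str]]:
    """Evaluate every group's criteria against the tagged inventory."""
    return {group: {vm for vm, tags in inventory.items()
                    if all(tags.get(k) == v for k, v in crit.items())}
            for group, crit in GROUP_CRITERIA.items()}


def effective_access(membership: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """vm -> roles permitted to reach it. Quarantine membership replaces every other grant."""
    access: Dict[str, Set[str]] = {}
    for group, vms in membership.items():
        for vm in vms:
            access.setdefault(vm, set()).update(GROUP_POLICY[group]["grant"])
    for vm in membership.get(QUARANTINE, set()):
        access[vm] = set(GROUP_POLICY[QUARANTINE]["grant"])
    return access


def reconcile(prev_inv: Inventory, cur_inv: Inventory) -> List[Tuple[str, ...]]:
    """Diff two inventory snapshots and return the ordered PAM actions that bring policy in sync."""
    prev_m, cur_m = members(prev_inv), members(cur_inv)
    prev_a, cur_a = effective_access(prev_m), effective_access(cur_m)
    actions: List[Tuple[str, ...]] = []
    # 1. Session actions for group entry/exit (what Service Composer would trigger).
    for group in GROUP_CRITERIA:
        for vm in sorted(cur_m[group] - prev_m[group]):
            actions += [(act, vm) for act in GROUP_POLICY[group]["on_enter"]]
        for vm in sorted(prev_m[group] - cur_m[group]):
            actions += [(act, vm) for act in GROUP_POLICY[group]["on_leave"]]
    # 2. Revoke before grant, derived from the effective-access diff.
    for vm in sorted(set(prev_a) | set(cur_a)):
        for role in sorted(prev_a.get(vm, set()) - cur_a.get(vm, set())):
            actions.append(("revoke", role, vm))
        for role in sorted(cur_a.get(vm, set()) - prev_a.get(vm, set())):
            actions.append(("grant", role, vm))
    return actions


if __name__ == "__main__":
    # Constructed inventory: an A/V product tags web01 as infected between the two snapshots.
    before = {"web01": {"tier": "web", "regulatory": "PCI"}, "db01": {"tier": "db"}}
    after = {"web01": {"tier": "web", "regulatory": "PCI", "AV.virusFound": "true"},
             "db01": {"tier": "db"}}
    for a in reconcile(before, after):
        print(a)
```

Two design points: the revoke of the normal operator role happens in the same reconciliation pass that grants the responder role, so there is no window in which both can reach a quarantined VM; and actions are derived purely from state diffs, so a missed or duplicated event from the tagging side is corrected on the next sync rather than leaving policy drifted.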
  28. Use Case 4: Programmatic/API Access
     Controls for your APIs.
     Problem: You have a plethora of scripts and power users who interact with management tools via well-defined APIs, and you lack any controls over who uses them and visibility into what they do.
     Traditional solution: Attempt to limit API sprawl and hope that the users and scripts using these interfaces are trusted and kind.
     Challenges: API access is like leaving the back door open: no matter how many controls you have on the front door, if you don't protect the API you expose a very attractive target. Credentials within scripts are the ultimate target.
  29. CA PAM for VMware NSX: NSX Manager REST API Proxy
     The last mile for full NSX Manager administration visibility, closing the "API loop" to the NSX management plane:
     • Users and scripts talk to the proxy, not to NSX Manager, using different credentials, which may rotate on a policy or schedule
     • CA PAM vaults, and rotates, the NSX Manager credentials
     • Integrates with Application to Application (A2A)
     [Diagram: consumer to NSX Manager API Proxy (A-side request/response), proxy to NSX Manager (Z-side request/response); the proxy logs requests, serves A2A requests and changes the NSX Manager password.]
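To make the proxy on slide 29 concrete, the block below is an added example, not CA or VMware code, of the credential-substitution step: consumers authenticate to the proxy with their own per-consumer token and an allow-list, and only the proxy holds the vaulted NSX Manager credential, which it can rotate without touching any script. It builds the outbound request rather than sending it, so it runs offline. The consumer table, the allow-list shape, the audit format and the upstream hostname are assumptions; the outbound request uses HTTP basic auth because that is how the NSX Manager (6.x) REST API authenticates, and the paths follow that API's shape but are illustrative.

```python
"""Credential-substituting REST API proxy for a management API (illustrative, not CA/VMware code)."""
import base64
import hashlib
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class Vault:
    """Holds the real NSX Manager credential; the consumer side never sees it."""
    username: str
    password: str
    rotated_at: float = field(default_factory=time.time)

    def basic_auth_header(self) -> str:
        raw = f"{self.username}:{self.password}".encode()
        return "Basic " + base64.b64encode(raw).decode()

    def rotate(self) -> str:
        """Issue a fresh password. A real vault would also set it on NSX Manager itself."""
        self.password = secrets.token_urlsafe(24)
        self.rotated_at = time.time()
        return self.password


@dataclass
class ApiProxy:
    vault: Vault
    upstream: str = "https://nsxmgr.example.internal"   # assumed NSX Manager address
    # sha256(token) -> (identity, allowed methods, allowed path prefix)
    consumers: Dict[str, Tuple[str, Set[str], str]] = field(default_factory=dict)
    audit: List[dict] = field(default_factory=list)

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def register(self, identity: str, methods: Set[str], path_prefix: str) -> str:
        """Issue a per-consumer token (shown once) instead of sharing the admin password."""
        token = secrets.token_urlsafe(32)
        self.consumers[self._key(token)] = (identity, frozenset(methods), path_prefix)
        return token

    def handle(self, token: str, method: str, path: str, body: str = "") -> dict:
        """Authorize the consumer, log with attribution, then build the upstream request."""
        entry = self.consumers.get(self._key(token))
        if entry is None:
            self.audit.append({"who": None, "method": method, "path": path,
                               "result": "denied:unknown-token"})
            return {"status": 401}
        identity, methods, prefix = entry
        if method not in methods or not path.startswith(prefix):
            self.audit.append({"who": identity, "method": method, "path": path,
                               "result": "denied:policy"})
            return {"status": 403}
        # The audit record carries the consumer identity, never the vaulted secret.
        self.audit.append({"who": identity, "method": method, "path": path,
                           "result": "forwarded", "t": time.time()})
        return {
            "status": 200,
            "upstream": {
                "url": self.upstream + path,
                "method": method,
                "headers": {"Authorization": self.vault.basic_auth_header(),
                            "Content-Type": "application/xml"},
                "body": body,
            },
        }


if __name__ == "__main__":
    proxy = ApiProxy(vault=Vault("admin", "initial-pw"))
    script = proxy.register("inventory-script", {"GET"}, "/api/2.0/services/securitygroup/")
    print(proxy.handle(script, "GET", "/api/2.0/services/securitygroup/scope/globalroot-0")["status"])
    print(proxy.handle(script, "DELETE", "/api/2.0/services/securitygroup/sg-1")["status"])  # 403
    proxy.vault.rotate()   # scripts keep working; only the proxy learned the new password
    print(proxy.handle(script, "GET", "/api/2.0/services/securitygroup/scope/globalroot-0")["status"])
    print(proxy.audit)
```

The point to check in any real proxy of this kind is the last one in the test: after rotation, the consumer's request still succeeds with the new upstream credential, and neither the old nor the new password ever appears in the audit trail or in anything returned to the consumer.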
  30. CA Privileged Access Manager for VMware NSX: Capability Summary
     Credentials management: vaulting and full lifecycle management of passwords and SSH access keys for NSX-based resources, NSX Manager and its API, and other enterprise resources.
     Federated SSO: TACACS+, AD/LDAP, RADIUS, RSA, SMS mobile token, SAML, PIV/CAC; for VMware vSphere®, NSX APIs, VMware® NSX Manager™ and other physical/virtual resources across the enterprise.
     Access policy enforcement: integrated with NSX Manager and Service Composer service insertion; dynamic application of access control policies based on NSX security policies; enforced via NSX micro-segmentation.
     Audit trail and session recording: complete logs and full session recording of all access to NSX resources, including NSX Manager and its API.
  31. Customer Testimonial
  32. (no slide text)
  33. Conclusions and Recommendations: A Few Words to Review
     • Existing security layers have been breached
     • Next generation Software Defined Data Center models like VMware NSX are inherently more secure
     • Protecting the management plane of the hybrid enterprise is required to break the data breach kill chain
     • Security has now become a business enabler versus an operational cost or tax
  34. Recommended Sessions
     SESSION #  TITLE                                                               DATE/TIME
     SCT19T     Defend Against Data Breaches With CA Privileged Access Management  11/18/2015 at 3:00 pm
     SCT07S     Roadmap: Privileged Identity Management                             11/19/2015 at 4:30 pm
     SCT32T     Privileged Access Management for the Software-Defined Network       11/19/2015 at 11:30 am
  35. Must See Demos (all in the Security Theater)
     • Positive Privileged User Authentication (CA Privileged Access Manager)
     • Fine-Grained Access Control for Servers (CA Privileged Access Manager Server Control)
     • Privileged Access Control (CA Privileged Access Manager)
     • Record and Analyze User Sessions (CA Privileged Access Manager)
  36. Follow On Conversations At…
     Smart Bar: CA Privileged Access Manager (Theater # location). Tech Talks: PAM for the Software-Defined Network (SCT32T).
  37. Q & A
  38. For More Information
     To learn more, please visit: http://cainc.to/Nv2VOe
     CA World '15
