Increasing Security while Decreasing Costs when Virtualizing In-Scope Servers:


  1. Increasing Security while Decreasing Costs when Virtualizing In-Scope Servers: How to virtualize more by building a security fortress around your “in-scope” virtual environment with HyTrust
     First in a three-part series for IS and IT professionals responsible for virtualization and data center architecture, management, and optimization
     1975 W. El Camino Real, Suite 203, Mountain View, CA 94040. Phone: 650-681-8100 / email: info@hytrust.com
     © 2012, HyTrust, Inc. www.hytrust.com
  2. Overview
       • Meet the Experts
       • What are the key business drivers for the virtualization security blueprint?
       • Can you recommend a strategy, framework, and tools to help us succeed with compliance audits and beyond?
       • What cross-vendor architectures exist to help virtualize more mission-critical applications, more securely this year?
       • What best practices and methodologies can you outline for planning and undertaking these newer virtualization security initiatives?
       • Summary
       • Q&A
  3. Today’s Experts: Justin Lute
       • Director, Product Management - Virtualization, Cloud, and Technology Integrations – Qualys
       • Extensively certified technical and business leader in cloud security
       • Strategic product, technical consulting, and engineering roles at VCE, EMC, RSA, and more.
       • Justin has studied at Stanford University and The Ohio State University.
  4. Today’s Experts: Dave Shackleford
       • SVP of Research and CTO, IANS
       • Former consultant at Voodoo Security
       • Author of SANS Virtualization Security and Cloud Security courses, and SANS curriculum lead for Virtualization and Cloud Security
       • Sybex “Virtualization Security” book coming in Q3 2012
       • Helped create and publish first virtualization security hardening guides while CTO at Center for Internet Security
  5. Today’s Experts: Eric Chiu
       • Eric Chiu is CEO and co-founder of HyTrust, Inc. (http://www.hytrust.com/)
       • Vice President of Sales and Business Development at Cemaphore Systems, a leader in disaster recovery for Microsoft Exchange, Business Development at MailFrontier and mySimon
       • Instrumental in building OEM partnerships and technology alliances and driving new product initiatives.
       • Formerly a Venture Capitalist for Brentwood (now Redpoint) and Pinnacle, he also served in the M&A Group for Robertson, Stephens and Company.
       • Eric holds a BS in Materials Science and Engineering from UC Berkeley.
  6. HyTrust Backgrounder
       • Founded: Fall 2007
       • Headquarters: Mountain View, CA
       • Venture Funding: $16 million
       • Strategic Partners:
       • Awards & Top Ten Lists: VMworld 2009 Best of Show, VMworld 2009 Gold, VMworld 2010 Finalist, TechTarget 2009 Product of the Year, RSA Innovation Sandbox 2009/2010 Finalist, SC Magazine 2010 Rookie Company of the Year, Network World Startup to Watch 2010, InfoWorld Tech Company to Know 2010, Forbes “Who’s Who” in Virtualization, Red Herring 2010 North America winner, Gartner Cool Vendor 2011
  7. Data Center of the Future – 3 year Vision
     [Diagram labels: “Rented” Cloud, SaaS, Application, Infrastructure, Self-Service, Access, Identity and Usage, Consolidation & Virtualization, IT as a Service, Ubiquitous Access, Data, Cost]
     End result of datacenter transformation: IT is delivered as-a-service; Role of Corporate IT is transformed from operational to control / governance
  8. What security concern ranks highest in importance in your virtualized environments heading into 2012?
       • Lack of automation (admin is brought in for every update and change)
       • Self service for line of businesses to access/manage their virtual machines
       • Strength of security policies and processes around access and change controls
       • Insider breach – either malicious or errant
       • Logging and reporting tools for audit and/or forensics purposes
       • All of the above
  9. When are you planning your next server refresh?
       • Next 6 months as part of a full data center re-architecture
       • Next 6 months as standalone server refresh
       • Next 7-12 months as part of a full data center re-architecture
       • Next 7-12 months as standalone server refresh
       • Greater than 12 months as part of a full data center re-architecture
       • Greater than 12 months as standalone server refresh
       • No server refresh planned
       • Unknown
  10. Key Drivers – Innovation Driving Business Goals
     Virtualize More…
       • In analyst research of CIO top priorities for 2012, 40% picked virtualization as one of the top three.
       • Analyst research shows the market is now 52% virtualized, with many organizations setting a goal of being 75% virtualized by 2014. *
     * Forrester Research CISO’s Guide to Virtualization Security
  11. Key Drivers - Virtualization / Cloud Security Leading IT
     Virtualize More Securely…
       • “There will be more virtual machines deployed on servers during 2011 than in 2001 through 2009 combined” [2]
       • “By 2015, 40% of the security controls used within enterprise data centers will be virtualized, up from less than 5% in 2010.” [1]
       • “Virtualization increases security risk by 60%.” [1]
     [1] Gartner; “From Secure Virtualization to Secure Private Clouds”; Neil MacDonald & Thomas J. Bittman; 13 October 2010
     [2] Gartner; “Q&A: Six Misconceptions About Server Virtualization”; Thomas J. Bittman; 29 July 2010
  12. Key Drivers - Business Demands More
       • Virtualize More…
       • More Securely…
       • With Less!
     Forrester Research CISO’s Guide to Virtualization Security
  13. Key Drivers - Proactively Protect and Secure Your IP
       • 87%: Percentage of companies that have experienced a data breach — IT Compliance Institute
       • 48%: Percent of all breaches that involved privileged user misuse — Verizon report, 2010
       • 74%: Percentage of breached companies who lost customers as a result of the breach — IT Compliance Institute
  15. Typical Response for Errant Insider-caused Breach
  16. Key Drivers - Summary
       • Build the Business Case
       • External and Internal drivers
       • Describing What is ISO/IEC 27001?
       • Articulating benefits
           • Value to your intellectual property (IP)
           • Value to Brand
           • Value to departmental reputation and team careers
  17. Strategy, Framework, and Tools
       • Scoping – the Key to Success
       • Planning and Design - Understanding the environment is critical
       • ISMS - Documented Components
       • Communication and Setting Expectations Internally
  18. Strategy, Framework, and Tools
       • GRC Tool Benefits
       • ISO Controls Testing (control activities)
       • Obtain Certification
       • Maintenance, Surveillance, and Re-Audit
  19. Why Get Started Now?
       • Jason Cornish, former Shionogi Pharma IT Staffer
       • Pleaded guilty to Feb ‘11 computer intrusion
       • Wiped out 88 corporate servers (VMs) – email, order tracking, financial, & other services – and 15 ESX hosts
       • Shionogi’s operations frozen for days
           • unable to ship product
           • unable to cut checks
           • unable to send email
       • Estimated cost: $800k
     All of this was accomplished from a McDonald’s
  20. Why Get Started Now?
       • “…down the road, the cyberthreat will be the number one threat to the country…” FBI Director Robert Mueller
       • …“service attacks … into NASDAQ, RSA, and the IMF” underscore the vulnerability of key sectors of the economy. …“wholesale plundering” of American intellectual property. Director of National Intelligence, James Clapper
  21. Best Practices and Guidance - Getting Started
     How To Get Started with Virtualization Security
     Strive for virtual security that is equal to or better than the traditional security in your environment. Consider the following:
       • Apply the “Zero Trust” model of information security to your network architecture
       • Consider virtualization-aware security solutions
       • Implement privileged identity management
       • Incorporate vulnerability management into the virtual server environment
  22. Contacts: eric@hytrust.com, jlute@qualys.com, dave@daveshackleford.com
