vBrownbag EMEA
VMware VCAP6-DCV Design - Objective 2.7
Build Security Requirements into a vSphere 6.X Logical Design
Presented by: Larus Hjartarson VCDX-DCV #192
Agenda
• Skills and Abilities
• 2.7.1 Evaluate which security services can be used with a given vSphere solution.
• 2.7.2 Differentiate infrastructure qualities related to security.
• 2.7.3 Build specific regulatory compliance requirements into the logical design.
• 2.7.4 Analyze application and infrastructure security requirements.
• 2.7.5 Build a role-based access model and map roles to services.
• 2.7.6 Build a security policy based on existing security requirements and IT governance practices.
• 2.7.7 Incorporate customer risk tolerance into the security policy.
• 2.7.8 Assess the services that will be impacted and create an access management plan.
• 2.7.9 Determine the proper security solution that would satisfy a regulatory requirement.
• 2.7.10 Based on stated security requirements, analyze the current state for compliance/non-compliance.
2.7.1 Evaluate which security services can be used with a given vSphere solution.
• vSphere Solution
• Infrastructure Management Components: vCenter, VUM, Log Insight, SSO etc.
• Resource Components: ESXi (Compute), Storage and Networking.
• Application/Service Components: VMs, Application
(Diagram: the solution as a stack of layers, top to bottom: vCenter / VUM / Log Insight / SSO (management), Compute, Networking and Storage (resources), VM & Applications.)
2.7.1 Evaluate which security services can be used with a given vSphere solution.
• Security Services?
• Services as in how security can be implemented in each layer of the vSphere solution?
• Services as in VMware tools integrated with core vSphere?
• Services as in 3rd party services for integration with vSphere solutions?
(Diagram: security built into each layer of the solution)
• Management (vCenter, VUM, Log Insight, SSO): authentication, session timeouts, filters, security mode, logs, patching
• Compute (ESXi): lockdown mode, host firewall, logs
• Networking: isolation, air gaps, segments
• Storage: zoning, LUN masking, iSCSI CHAP
• VM & Applications: guest OS hardening, VM files (.vmx), authentication
• Across all layers: RBAC and the vSphere Hardening Guide
2.7.1 (continued): VMware tools integrated with core vSphere
(Diagram, same layers)
• Micro-segmentation (NSX)
• Configuration Manager
• Log Insight
2.7.1 (continued): 3rd party services integrated with vSphere
(Diagram, same layers)
• Virus scanning (VM & Applications)
• Service insertion (Networking)
2.7.2 Differentiate infrastructure qualities related to security.
• Infrastructure Qualities as per the VCDX blueprint
• Security: plan for overall data control, confidentiality, integrity, accessibility, governance, and risk management, often including the ability to demonstrate or achieve compliance with regulation
2.7.3 Build specific regulatory compliance requirements into the logical design.
• What is regulatory compliance?
• A set of rules to follow
• Not always a set of instructions on how to follow them
• What happens if you don't comply? Risk.
• Examples: PCI DSS, FedRAMP, HIPAA, CJIS, NERC CIP, ISO 27001, GDPR
2.7.3 Build specific regulatory compliance requirements into the logical design.
• List the rules to comply with and cross-reference them against vSphere services, solutions and other design qualities.
(Table: traceability from conceptual requirement to logical design decision to physical configuration item; ISO 27001 Annex A example)
• Conceptual: A.12.1.3 Capacity management
  Logical: Management and Monitoring Design: vRealize Operations Manager design; VM Design: VM Lifecycle Integration
  Physical: vROps config items; VM lifecycle config items
• Conceptual: A.13.1.3 Network segregation
  Logical: Security Hardening: isolate.mgmt.network.airgap; Security Hardening: vCenter.restrict.network.access; Network Design: VLAN design
  Physical: Network config item ID1, ID2, ID3
2.7.3 (continued; PCI DSS example)
• Conceptual: 2.2d Change default passwords
  Logical: Security Hardening: ESXi.create-local-admin; vCenter.restrict-admin-privilege
  Physical: Host config items; vCenter config items; validation item
• Conceptual: 6.2 Install critical patches within one month
  Logical: Update: VUM Design; SOP: Host Patching, vCenter Upgrade; Security Hardening: ESXi.apply-patches; Risk Mitigation: Update Vulnerability Processes
  Physical: SOPs; Infrastructure Lifecycle
2.7.4 Analyze application and infrastructure security requirements.
• Infrastructure
• vSphere (virtualization): vCenter (and associated services), ESXi, VM
• Physical: Compute, Storage, Networking
• Application: running in a VM
(Diagram: three vSphere workload clusters. One with no security categories, attached to shared networks; one per security domain (Security Domain 1, Security Domain 2), each with its own network silo.)
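The placement rule in the diagram above (one workload cluster and one network silo per security domain, a shared cluster and shared networks for uncategorised workloads) is the kind of requirement that should be validated against the running inventory, not just drawn. The following is an added example, not code from the slides or from VMware; the cluster and port-group names, the domain tags and the inventory export are constructed to illustrate the check.

```python
"""Placement check for security domains in a vSphere workload design.

Added example, not from the slides. It encodes the 2.7.4 diagram as a rule:
each security domain gets its own workload cluster and its own network silo,
and workloads with no security category share one cluster and the shared
networks. Cluster and port-group names, the domain tags and the inventory
export below are constructed.
"""

# Design decision: the cluster and the port groups each domain may use.
DOMAIN_DESIGN = {
    "none": {"cluster": "WL-General", "portgroups": {"shared-web", "shared-app", "shared-db"}},
    "SD1": {"cluster": "WL-SD1", "portgroups": {"sd1-app", "sd1-db"}},
    "SD2": {"cluster": "WL-SD2", "portgroups": {"sd2-app", "sd2-db"}},
}

# Constructed inventory export: per VM its security-domain tag, the cluster it
# runs on and the port groups its vNICs are attached to.
INVENTORY = [
    {"vm": "crm-web01", "domain": "none", "cluster": "WL-General", "portgroups": ["shared-web"]},
    {"vm": "pay-app01", "domain": "SD1", "cluster": "WL-SD1", "portgroups": ["sd1-app"]},
    {"vm": "pay-db01", "domain": "SD1", "cluster": "WL-General", "portgroups": ["sd1-db"]},  # wrong cluster
    {"vm": "hr-app01", "domain": "SD2", "cluster": "WL-SD2", "portgroups": ["sd2-app", "shared-web"]},  # bridges silos
    {"vm": "tmp-test01", "domain": "none", "cluster": "WL-SD1", "portgroups": ["sd1-app"]},  # untagged VM inside a domain
    {"vm": "legacy01", "domain": "SD3", "cluster": "WL-SD1", "portgroups": ["sd1-app"]},  # tag not in the design
]


def placement_violations(inventory, design=DOMAIN_DESIGN):
    """[(vm, reason)] for every VM whose compute or network placement does not
    match the design for its security domain. A VM with a second vNIC in
    another silo is a bridge between domains, so every port group is checked."""
    cluster_owner = {d["cluster"]: dom for dom, d in design.items()}
    pg_owner = {pg: dom for dom, d in design.items() for pg in d["portgroups"]}
    found = []
    for rec in inventory:
        vm, dom = rec["vm"], rec["domain"]
        if dom not in design:
            found.append((vm, f"security domain {dom!r} is not in the design"))
            continue
        want = design[dom]
        if rec["cluster"] != want["cluster"]:
            found.append((vm, f"runs on {rec['cluster']} (domain {cluster_owner.get(rec['cluster'])}), "
                              f"expected {want['cluster']}"))
        for pg in rec["portgroups"]:
            if pg not in want["portgroups"]:
                found.append((vm, f"vNIC on {pg} (domain {pg_owner.get(pg)}) is outside the {dom} silo"))
    return found


def mixed_clusters(inventory):
    """Clusters that host VMs from more than one security domain, which the
    design forbids regardless of how each individual VM is tagged."""
    domains = {}
    for rec in inventory:
        domains.setdefault(rec["cluster"], set()).add(rec["domain"])
    return sorted(c for c, d in domains.items() if len(d) > 1)
```

Run it against a real export (tags, cluster and port-group membership per VM) and every returned tuple is a design deviation to fix or to accept explicitly as a risk; `mixed_clusters` is the cheaper sanity check when tags are incomplete, because it needs only the cluster membership.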
2.7.5 Build a role-based access model and map roles to services.
• Based on security compliance, management and separation of duties
• Risk mitigation with role access
(Diagram: a general vSphere cluster with its storage, network and VMs next to a PCI-DSS vSphere cluster with PCI-DSS storage, PCI-DSS network and PCI-DSS VMs. Roles mapped to them: VM User, VM Operator and VM Admin on the general cluster; PCI VM Operator and PCI VM Admin on the PCI-DSS cluster.)
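The role model in the diagram above only mitigates risk if the PCI roles really are narrower than their general counterparts and if no single principal ends up with a toxic combination of privileges inside the PCI scope, which in vCenter can happen silently through a permission that propagates from a parent object. The following is an added example, not code from the slides or from VMware. The privilege strings are vSphere API privilege IDs as used in vCenter role definitions; the role compositions, the PCI inventory paths, the separation-of-duties rules and the sample permission export are design assumptions made for the illustration.

```python
"""Role-based access model for a vSphere design with a PCI DSS enclave.

Added example, not from the slides or from VMware. Privilege strings are the
vSphere API privilege IDs used in vCenter role definitions; the role
compositions, PCI inventory paths, toxic-combination rules and the sample
permission export are design assumptions made for this illustration.
"""

SYSTEM = {"System.Anonymous", "System.View", "System.Read"}
SNAPSHOT_PRIVS = {"VirtualMachine.State.CreateSnapshot",
                  "VirtualMachine.State.RevertToSnapshot",
                  "VirtualMachine.State.RemoveSnapshot"}

# General roles, built by composition so each is a superset of the one below.
VM_USER = frozenset(SYSTEM | {"VirtualMachine.Interact.PowerOn",
                              "VirtualMachine.Interact.PowerOff",
                              "VirtualMachine.Interact.ConsoleInteract"})
VM_OPERATOR = VM_USER | {"VirtualMachine.Interact.Reset",
                         "VirtualMachine.Interact.Suspend"} | SNAPSHOT_PRIVS
VM_ADMIN = VM_OPERATOR | {
    "VirtualMachine.Config.Settings", "VirtualMachine.Config.AddNewDisk",
    "VirtualMachine.Config.AddExistingDisk", "VirtualMachine.Inventory.Create",
    "VirtualMachine.Inventory.Delete", "Datastore.AllocateSpace",
    "Datastore.Browse", "Network.Assign", "Resource.AssignVMToPool"}
# PCI variants: same job, fewer rights. Snapshots capture cardholder data from
# guest memory; datastore browsing and attaching existing disks let an admin
# read PCI VMDKs from outside the enclave (design assumptions).
PCI_VM_OPERATOR = VM_OPERATOR - SNAPSHOT_PRIVS
PCI_VM_ADMIN = VM_ADMIN - SNAPSHOT_PRIVS - {
    "Datastore.Browse", "VirtualMachine.Config.AddExistingDisk"}
ROLES = {
    "VM User": VM_USER, "VM Operator": VM_OPERATOR, "VM Admin": VM_ADMIN,
    "PCI VM Operator": PCI_VM_OPERATOR, "PCI VM Admin": PCI_VM_ADMIN,
    "Datastore Admin": frozenset(SYSTEM | {"Datastore.Browse", "Datastore.FileManagement",
                                           "Datastore.AllocateSpace", "Datastore.DeleteFile"}),
    "Access Admin": frozenset(SYSTEM | {"Authorization.ModifyPermissions",
                                        "Authorization.ModifyRole"}),
}

# Inventory objects that form the PCI enclave: cluster, storage, network, VMs.
PCI_SCOPE = ("/DC1/host/PCI-Cluster", "/DC1/datastore/PCI-DS01",
             "/DC1/network/PCI-VLAN", "/DC1/vm/PCI")

# Privilege pairs one principal must never hold together inside the enclave.
SOD_RULES = {
    "grant-and-operate": ("Authorization.ModifyPermissions", "VirtualMachine.Interact.PowerOn"),
    "copy-vm-files": ("Datastore.Browse", "Datastore.FileManagement"),
    "attach-foreign-disk": ("VirtualMachine.Config.AddExistingDisk", "Datastore.Browse"),
}

# Constructed permission export: (principal, role, inventory path, propagate).
SAMPLE_ASSIGNMENTS = [
    ("CORP\\ops-team", "VM Operator", "/DC1/vm/Corp", True),
    ("CORP\\pci-ops", "PCI VM Operator", "/DC1/vm/PCI", True),
    ("CORP\\pci-admin", "PCI VM Admin", "/DC1/vm/PCI", True),
    # A general VM Admin granted at the datacenter root propagates into the PCI
    # folder, and the same account also manages files on the PCI datastore.
    ("CORP\\jdoe", "VM Admin", "/DC1", True),
    ("CORP\\jdoe", "Datastore Admin", "/DC1/datastore/PCI-DS01", False),
    # The person who hands out permissions also operates PCI workloads.
    ("CORP\\sec-admin", "Access Admin", "/DC1", True),
    ("CORP\\sec-admin", "VM User", "/DC1/vm/PCI", True),
]


def _under(child, parent):
    """True if inventory path `child` is `parent` or lies beneath it."""
    return child == parent or child.startswith(parent.rstrip("/") + "/")


def effective_privileges(principal, assignments, scope=PCI_SCOPE):
    """Union of the privileges `principal` holds on any object in `scope`: a
    permission counts if it sits inside the scope, or above it with propagate."""
    privs = set()
    for who, role, path, propagate in assignments:
        if who == principal and any(_under(path, s) or (propagate and _under(s, path))
                                    for s in scope):
            privs |= ROLES[role]
    return privs


def sod_violations(assignments, scope=PCI_SCOPE):
    """[(principal, rule)] for every toxic combination present in the enclave."""
    found = []
    for principal in sorted({a[0] for a in assignments}):
        privs = effective_privileges(principal, assignments, scope)
        found += [(principal, rule) for rule, (a, b) in SOD_RULES.items()
                  if a in privs and b in privs]
    return found


def least_privilege_ok(roles=ROLES):
    """PCI roles must be strict subsets of their general counterparts."""
    return (roles["PCI VM Operator"] < roles["VM Operator"]
            and roles["PCI VM Admin"] < roles["VM Admin"])
```

The two findings on the sample export are exactly the ones a path-by-path review misses: `jdoe` never received a PCI role, but a propagated VM Admin permission at the datacenter root plus datastore file management on the PCI datastore gives that account a way to copy PCI disks, and `sec-admin` can both grant permissions and power on PCI VMs. Group membership matters as much as the permission list: a principal that is a member of two groups holds the union of both groups' roles, so feed the export with groups expanded to users.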
2.7.6 Build a security policy based on existing security requirements and IT governance practices.
• As a part of a virtualization strategy
• Existing security requirements
• IT Governance
• "what is to be achieved from leveraging of IT resources"
• Includes inputs from IT standards: ITIL, ISO 27000, TOGAF, PMBOK
(Figure: COBIT framework)
2.7.6 (continued)
• Existing security requirements
• IT Governance
(Diagram: policy areas derived from the requirements and governance inputs)
• Data Protection Policy: resource isolation, data encryption, RBAC, data access logging, data integrity
• Risk Management: regulatory compliance
• Event Processes: system accessibility, runbooks
• Information Logging Policy
2.7.7 Incorporate customer risk tolerance into the security policy.
• What is risk tolerance?
• "Risk tolerance is the amount of uncertainty an organization is prepared to accept in total or more narrowly within a certain business unit, a particular risk category or for a specific initiative"
• Quantitative and measured: acceptable or unacceptable outcomes, or levels of risk.
• Risk Analysis/Assessment: likelihood, impact
• Source: https://www.rims.org/resources/ERM/Documents/RIMS_Exploring_Risk_Appetite_Risk_Tolerance_0412.pdf
2.7.7 (continued)
• Risk Tolerance Statement example: "The business has zero tolerance for fraudulent data loss"
(Diagram: the statement drives a Data Protection Policy covering key management, encryption, role separation, data access, multi-layer authentication and data isolation.)
2.7.8 Assess the services that will be impacted and create an access management plan.
• Access Management Plan
• "Access management is the process of granting authorised users the right to use a service, while preventing access to non-authorised users."
• Least privilege: only what is needed to do the job
• Role Based Access Control: roles in vCenter, users in ESXi, roles in other components (management and monitoring)
2.7.9 Determine the proper security solution that would satisfy a regulatory requirement.
• How to achieve and demonstrate compliance
• Three control categories:
• Preventive Controls: access control, separation of duties, configuration standards, organizational policies, firewalls, network segregation, vulnerability management etc.
• Detective Controls: audit monitoring, configuration drift monitoring, change monitoring, intrusion detection and vulnerability scanning
• Corrective Controls: correct errors, restore normal operations, remove unauthorized users and changes, restore services
2.7.9 (continued)
• How to achieve and demonstrate compliance
• Three categories of IT control objectives: access and user administration; change and configuration; operations
(Table: control objectives by category, each with its preventive and detective controls and the tooling that implements them)
• Access and user administration
  Preventive: segregation of duties; segregate data
  Detective: monitor privileged users
  Tooling: identity management tools
• Change and configuration
  Preventive: configuration standards; change policies
  Detective: verify network controls; monitor for non-standard configs and changes
  Tooling: configuration management
• Operations
  Preventive: manage logs; manage vulnerabilities
  Detective: deploy IDS/IPS; vulnerability scans; event monitoring
  Tooling: logging (SIEM)
2.7.10 Based on stated security requirements, analyze the current state for compliance/non-compliance.
• The VMware Compliance Checker is discontinued
• Requirement-to-configuration mapping
• Manual
• Scripted checks against the hardening guide exist for vSphere 5.x
• Validation of configuration, layout, processes and access management
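Objective 2.7.3 produced the traceability matrix (requirement to hardening guide item to configuration item); objective 2.7.10 asks whether the running environment actually satisfies it. With the Compliance Checker gone, the practical approach is to keep the matrix as data and evaluate it over an exported configuration. The following is an added example for both objectives, not tooling from the slides or from VMware. The guide item IDs follow the vSphere 6.x hardening guide naming and the thresholds are that guide's values for those items (verify them against the current Security Configuration Guide); the mapping of regulatory requirements to guide items, the patch baseline build and the host/VM snapshot are constructed assumptions. In production the snapshot would come from PowerCLI (`Get-AdvancedSetting`) or pyVmomi rather than a literal.

```python
"""Requirement-to-configuration traceability with a current-state check.

Added example for objectives 2.7.3 and 2.7.10; not the slides' tooling. Guide
IDs follow the vSphere 6.x hardening guide and thresholds are its values; the
requirement mapping, the patch baseline and the snapshot are assumptions.
"""

MIN_BUILD = 5969303  # assumed patch baseline (ESXi 6.5 U1); taken from the change record


def adv(host, key, default=None):
    """Look up an ESXi advanced setting in a host record of the snapshot."""
    return host["advanced"].get(key, default)


# Guide item -> predicate over one host record from the snapshot.
HOST_CHECKS = {
    "ESXi.apply-patches": lambda h: h["build"] >= MIN_BUILD,
    "ESXi.create-local-admin": lambda h: any(u != "root" for u in h["local_admins"]),
    "ESXi.enable-lockdown-mode": lambda h: h["lockdown"] in ("normal", "strict"),
    "ESXi.set-shell-interactive-timeout":
        lambda h: 0 < adv(h, "UserVars.ESXiShellInteractiveTimeOut", 0) <= 900,
    "ESXi.set-shell-timeout": lambda h: 0 < adv(h, "UserVars.ESXiShellTimeOut", 0) <= 3600,
    "ESXi.set-account-lockout": lambda h: 0 < adv(h, "Security.AccountLockFailures", 0) <= 5
        and adv(h, "Security.AccountUnlockTime", 0) >= 900,
    "ESXi.disable-mob": lambda h: adv(h, "Config.HostAgent.plugins.solo.enableMob", True) is False,
    "ESXi.enable-remote-syslog": lambda h: bool(adv(h, "Syslog.global.logHost", "")),
    # A logDir of "[] /scratch/log" means logs live on a non-persistent ramdisk.
    "ESXi.config-persistent-logs": lambda h: not adv(h, "Syslog.global.logDir", "[] ").startswith("[] "),
    "ESXi.config-ntp": lambda h: len(h["ntp"]) >= 2,
}
# Guide item -> predicate over one VM record (its .vmx advanced options).
VM_CHECKS = {
    "VM.disable-console-copy": lambda v: v["extra"].get("isolation.tools.copy.disable", "").upper() == "TRUE",
    "VM.disable-console-paste": lambda v: v["extra"].get("isolation.tools.paste.disable", "").upper() == "TRUE",
}

# Conceptual requirement -> logical design items (guide IDs). Items without an
# automated check here (the management network air gap) need manual evidence.
REQUIREMENTS = {
    "PCI DSS 2.2d change default passwords": ["ESXi.create-local-admin", "ESXi.enable-lockdown-mode"],
    "PCI DSS 6.2 critical patches within one month": ["ESXi.apply-patches"],
    "PCI DSS 8.1.6/8.1.7 account lockout": ["ESXi.set-account-lockout"],
    "PCI DSS 8.1.8 idle session timeout": ["ESXi.set-shell-interactive-timeout", "ESXi.set-shell-timeout"],
    "PCI DSS 10.5.3 central log server": ["ESXi.enable-remote-syslog"],
    "PCI DSS 2.2.2 only necessary services": ["ESXi.disable-mob"],
    "ISO 27001 A.12.4.4 clock synchronisation": ["ESXi.config-ntp"],
    "ISO 27001 A.13.1.3 network segregation": ["isolate.mgmt.network.airgap", "vCenter.restrict.network.access"],
    "Data Protection Policy: no console data leakage": ["VM.disable-console-copy", "VM.disable-console-paste"],
}

# Constructed snapshot shaped like an advanced-settings export; esx01 is hardened, esx02 is stock.
SNAPSHOT = {
    "hosts": {
        "esx01": {"build": 5969303, "lockdown": "normal", "local_admins": ["root", "esxadm"],
                  "ntp": ["ntp1.example.net", "ntp2.example.net"],
                  "advanced": {"UserVars.ESXiShellInteractiveTimeOut": 900, "UserVars.ESXiShellTimeOut": 3600,
                               "Security.AccountLockFailures": 5, "Security.AccountUnlockTime": 900,
                               "Config.HostAgent.plugins.solo.enableMob": False,
                               "Syslog.global.logHost": "udp://loginsight.example.net:514",
                               "Syslog.global.logDir": "[datastore1] /scratch/log"}},
        "esx02": {"build": 4564106, "lockdown": "disabled", "local_admins": ["root"], "ntp": [],
                  "advanced": {"UserVars.ESXiShellInteractiveTimeOut": 0, "UserVars.ESXiShellTimeOut": 0,
                               "Security.AccountLockFailures": 0, "Security.AccountUnlockTime": 900,
                               "Config.HostAgent.plugins.solo.enableMob": True,
                               "Syslog.global.logHost": "", "Syslog.global.logDir": "[] /scratch/log"}},
    },
    "vms": {
        "pci-app01": {"extra": {"isolation.tools.copy.disable": "TRUE", "isolation.tools.paste.disable": "TRUE"}},
        "pci-db01": {"extra": {}},
    },
}


def evaluate(snapshot):
    """{guide_id: {object: passed}} for every automated check over every host and VM."""
    results = {g: {n: bool(c(h)) for n, h in snapshot["hosts"].items()} for g, c in HOST_CHECKS.items()}
    results.update({g: {n: bool(c(v)) for n, v in snapshot["vms"].items()} for g, c in VM_CHECKS.items()})
    return results


def compliance_report(snapshot, requirements=REQUIREMENTS):
    """Roll results up to requirements. A requirement is compliant only when every
    mapped guide item passes on every object; items with no automated check are
    listed under "manual" and keep the requirement from being marked compliant."""
    results = evaluate(snapshot)
    report = {}
    for req, gids in requirements.items():
        failures = [(g, obj) for g in gids if g in results
                    for obj, ok in sorted(results[g].items()) if not ok]
        manual = [g for g in gids if g not in results]
        status = "non-compliant" if failures else "manual-evidence-required" if manual else "compliant"
        report[req] = {"status": status, "failures": failures, "manual": manual}
    return report


def unmapped_guide_items(requirements=REQUIREMENTS):
    """Checks the design implements that no requirement traces to: either the
    traceability matrix is incomplete or the control has no stated justification."""
    mapped = {g for gids in requirements.values() for g in gids}
    return sorted((set(HOST_CHECKS) | set(VM_CHECKS)) - mapped)
```

Two properties of the report are worth keeping when you build your own: a requirement with any failing object is non-compliant as a whole (auditors assess the scope, not the average host), and a requirement that maps to an item with no automated check is never reported as compliant, which is what keeps the "manual" column of the 2.7.10 slide visible in the output. `unmapped_guide_items` runs the matrix in the other direction and flags controls the design carries without a requirement behind them.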
vSphere 6.5 Security Features
• VM Encryption (needs an external key management server): supports PCI DSS, GDPR and HIPAA requirements and data protection policies
• vMotion Encryption
• Secure Boot for ESXi and VMs
• Enhanced logging (change control and monitoring)
• No more Security Hardening Guide; it is now the Security Configuration Guide.
• https://blogs.vmware.com/vsphere/2016/10/whats-new-in-vsphere-6-5-security.html
Questions?
Links:
Whitepaper on Risk Appetite and Risk Tolerance (not part of the blueprint):
https://www.rims.org/resources/ERM/Documents/RIMS_Exploring_Risk_Appetite_Risk_Tolerance_0412.pdf
Official VMware framework on compliance with PCI-DSS:
https://solutionexchange.vmware.com/store/products/vmware-pci-compliance-and-cyber-risk-solutions#.VRLGzZPF9Fg
Official VMware framework on security regulation compliance:
https://solutionexchange.vmware.com/store/products/vmware-compliance-cyber-risk-solutions#.VRGBT5PF9Fg
VCAP6-DCV Design Exam:
https://mylearn.vmware.com/mgrReg/plan.cfm?plan=88743&ui=www_cert

 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 

vBrownbag EMEA VCAP6-DCV Design Objective 2.7 on Security in Logical Designs

1. vBrownbag EMEA
VMware VCAP6-DCV Design - Objective 2.7
Build Security Requirements into a vSphere 6.X Logical Design
Presented by: Larus Hjartarson VCDX-DCV #192

2. Agenda
• Skills and Abilities
• 2.7.1 Evaluate which security services can be used with a given vSphere solution.
• 2.7.2 Differentiate infrastructure qualities related to security.
• 2.7.3 Build specific regulatory compliance requirements into the logical design.
• 2.7.4 Analyze application and infrastructure security requirements.
• 2.7.5 Build a role-based access model and map roles to services.
• 2.7.6 Build a security policy based on existing security requirements and IT governance practices.
• 2.7.7 Incorporate customer risk tolerance into the security policy.
• 2.7.8 Assess the services that will be impacted and create an access management plan.
• 2.7.9 Determine the proper security solution that would satisfy a regulatory requirement.
• 2.7.10 Based on stated security requirements, analyze the current state for compliance/non-compliance.

3. Evaluate which security services can be used with a given vSphere solution (2.7.1)
• vSphere Solution
• Infrastructure Management Components: vCenter, VUM, Log Insight etc.
• Resource Components: ESXi (Compute), Storage and Networking.
• Application/Service Components: VMs, Applications
Diagram: solution layers vCenter–VUM–Log Insight–SSO, Compute, Networking, Storage, VM & Applications

4. Evaluate which security services can be used with a given vSphere solution (2.7.1)
• Security Services?
• Services as in how security can be implemented in each part of the vSphere solution?
• Services as in VMware tools integrated with core vSphere?
• Services as in 3rd party services for integration with vSphere solutions?
Diagram: controls per layer: RBAC; zoning, masking, iSCSI CHAP; isolation, air gaps, segments; lockdown, firewall, logs; guest OS, VM files, .vmx, authentication; vSphere Hardening Guide, authentication, timeouts, filters, security mode, logs, patching

5. Evaluate which security services can be used with a given vSphere solution (2.7.1)
• Security Services?
• Services as in how security can be implemented in each part of the vSphere solution?
• Services as in VMware tools integrated with core vSphere?
• Services as in 3rd party services for integration with vSphere solutions?
Diagram: VMware tools per layer: Micro-segmentation, Configuration Manager, vSphere Log Insight

6. Evaluate which security services can be used with a given vSphere solution (2.7.1)
• Security Services?
• Services as in how security can be implemented in each part of the vSphere solution?
• Services as in VMware tools integrated with core vSphere?
• Services as in 3rd party services for integration with vSphere solutions?
Diagram: 3rd party services per layer: Virus Scanning, Service Insertion

7. Differentiate infrastructure qualities related to security (2.7.2)
• Infrastructure Qualities as per the VCDX blueprint
• Plan for overall data control, confidentiality, integrity, accessibility, governance, and risk management, often including the ability to demonstrate or achieve compliance with regulation

8. Build specific regulatory compliance requirements into the logical design (2.7.3)
• What is regulatory compliance?
• A set of rules to follow
• Not always a set of instructions on how to follow them
• What happens if you don't comply? Risk.
Examples: PCI DSS, FedRAMP, HIPAA, CJIS, NERC-CIP, ISO, GDPR

9. Build specific regulatory compliance requirements into the logical design (2.7.3)
• List the rules to comply with and cross-reference them against vSphere services, solutions and other design qualities.
Diagram (conceptual to logical to physical mapping):
• Conceptual: A12.1.3 Capacity management; A13.1.3 Network Segregation
• Logical: Security Hardening: isolate.mgmt.network.airgap; Security Hardening: vCenter.restrict.network.access; Network Design: VLAN design; Management and Monitoring Design: vRealize Operations Manager design; VM Design: VM Lifecycle Integration
• Physical: vROPS Config Items; VM Lifecycle Config Items; Network Config Item ID1; Network Config Item ID2; Network Config Item ID3

10. Build specific regulatory compliance requirements into the logical design (2.7.3)
• List the rules to comply with and cross-reference them against vSphere services, solutions and other design qualities.
Diagram (conceptual to logical to physical mapping):
• Conceptual: 2.2d Change Default Passwords; 6.2 1-month patching of critical patches
• Logical: Update: VUM Design; SOP: Host Patching, vCenter Upgrade; Security Hardening: ESXi.apply-patches; Risk Mitigation: Update Vulnerability Processes; ESXi.create-local-admin; vCenter.restrict-admin-privilege
• Physical: Host Config Items; vCenter Config Items; Validation Item; SOPs; Infrastructure Lifecycle

11. Analyze application and infrastructure security requirements (2.7.4)
• Infrastructure
• vSphere (virtualization): vCenter (and associated services), ESXi, VM
• Physical: Compute, Storage, Networking
• Application
• Running in a VM
Diagram: vSphere Workload Cluster (No Security Categories) on Shared Networks; vSphere Workload Cluster Security Domain 1 on its own Network Silo; vSphere Workload Cluster Security Domain 2 on its own Network Silo

12. Build a role-based access model and map roles to services (2.7.5)
• Based on security compliance, management and separation of duties
• Risk mitigation with role access
Diagram: objects vSphere Cluster, Storage, Network, VMs and PCI-DSS vSphere Cluster, PCI-DSS Storage, PCI-DSS Network, PCI-DSS VMs; roles VM User, VM Operator, VM Admin, PCI VM Operator, PCI VM Admin

13. Build a security policy based on existing security requirements and IT governance practices (2.7.6)
• As a part of a virtualization strategy
• Existing security requirements
• IT Governance
• "what is to be achieved from leveraging of IT resources"
• Includes inputs from IT standards
• ITIL
• ISO27000
• TOGAF
• PMBOK
Diagram: COBIT framework

14. Build a security policy based on existing security requirements and IT governance practices (2.7.6)
• Existing security requirements
• IT Governance
Diagram: Data Protection Policy, Resource Isolation, Data Encryption, RBAC, Data Access, Logging, Data Integrity, Risk Management, Regulation Compliance, Event Processes, System Accessibility, RunBooks, Information Logging Policy

15. Incorporate customer risk tolerance into the security policy (2.7.7)
• What is risk tolerance?
• "Risk tolerance is the amount of uncertainty an organization is prepared to accept in total or more narrowly within a certain business unit, a particular risk category or for a specific initiative"
• Quantitative and measured: acceptable or unacceptable outcomes, or levels of risk.
• Risk Analysis/Assessment
• Likelihood
• Impact
Source: https://www.rims.org/resources/ERM/Documents/RIMS_Exploring_Risk_Appetite_Risk_Tolerance_0412.pdf

16. Incorporate customer risk tolerance into the security policy (2.7.7)
• Risk Tolerance Statement example:
• "The business has zero tolerance for fraudulent data loss"
Diagram: Data Protection Policy, Key Management, Encryption, Role Separation, Data Access, Multi Layer Auth., Data Isolation

17. Assess the services that will be impacted and create an access management plan (2.7.8)
• Access Management Plan
• "Access management is the process of granting authorised users the right to use a service, while preventing access to non-authorised users."
• Least Privilege
• To do their job
• Role Based Access Control
• Roles in vCenter
• Users in ESXi
• Roles in other components (management and monitoring)

18. Determine the proper security solution that would satisfy a regulatory requirement (2.7.9)
• How to achieve and demonstrate compliance
• Three Control categories:
• Preventive Controls
• Access Control, Separation of Duty, Configuration standard, Organizational Policies, Firewalls, Network Segregation, Vulnerability Management etc.
• Detective Controls
• Audit monitoring, configuration drift monitoring, change monitoring, intrusion detection and vulnerability scanning
• Corrective Controls
• Correct errors, restore normal operations, remove unauthorized users and changes, and restore services

19. Determine the proper security solution that would satisfy a regulatory requirement (2.7.9)
• How to achieve and demonstrate compliance
• Three categories of IT control objectives
• Access and user administration
• Change and configuration
• Operations
Diagram: matrix of Access and user Administration, Change and configuration, Operations against Preventive and Detective controls

20. Determine the proper security solution that would satisfy a regulatory requirement (2.7.9)
• How to achieve and demonstrate compliance
Diagram (matrix filled in):
• Preventive: Access and user Administration: Segregation of duties, Segregate data; Change and configuration: Configuration Standards, Change Policies; Operations: Manage Logs, Manage Vulnerability
• Detective: Access and user Administration: Monitor privileged users, Verify network controls; Change and configuration: Monitor for non-standard configs and changes, Deploy IDS/IPS; Operations: Vulnerability Scans, Event Monitoring

21. Determine the proper security solution that would satisfy a regulatory requirement (2.7.9)
• How to achieve and demonstrate compliance
Diagram: the same matrix with supporting tooling: Logging (SIEM), Configuration Management, Identity management tools

22. Based on stated security requirements, analyze the current state for compliance/non-compliance (2.7.10)
• Compliance Checker discontinued
• Requirement to configuration mapping
• Manual
• Script for vSphere 5.X somewhere
• Validation of configuration, layout, processes, access management
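As an added example (not part of the deck or any VMware tool), a small requirement-to-configuration traceability check in Python that turns the mapping from slides 9 and 10 into the current-state assessment of slide 22: the requirement ids and hardening item names are those on the slides, while the host records, the field names and the predicates that decide compliance are constructed assumptions.

```python
"""Requirement-to-configuration traceability check (added example, not from the deck).
Requirement ids and hardening item names come from the slides; the host records
and the compliance predicates are constructed assumptions."""
from datetime import date
from typing import Callable

# Constructed current-state snapshot of three ESXi hosts (sample values only).
HOSTS = [
    {"name": "esx01", "root_password_changed": True,
     "last_critical_patch": date(2017, 3, 1), "mgmt_network_isolated": True},
    {"name": "esx02", "root_password_changed": False,
     "last_critical_patch": date(2017, 3, 1), "mgmt_network_isolated": True},
    {"name": "esx03", "root_password_changed": True,
     "last_critical_patch": date(2016, 11, 15), "mgmt_network_isolated": False},
]
AS_OF = date(2017, 3, 20)  # assessment date for the one-month patching window

# Traceability matrix: requirement -> (hardening item, predicate over a host).
REQUIREMENTS: dict[str, tuple[str, Callable[[dict], bool]]] = {
    "PCI DSS 2.2d Change default passwords":
        ("ESXi.create-local-admin", lambda h: h["root_password_changed"]),
    "PCI DSS 6.2 Critical patches within 1 month":
        ("ESXi.apply-patches",
         lambda h: (AS_OF - h["last_critical_patch"]).days <= 30),
    "ISO 27001 A13.1.3 Network segregation":
        ("isolate.mgmt.network.airgap", lambda h: h["mgmt_network_isolated"]),
}

def assess(hosts: list[dict]) -> dict[str, list[str]]:
    """Per requirement, return the names of hosts that fail its predicate."""
    return {req: [h["name"] for h in hosts if not check(h)]
            for req, (_item, check) in REQUIREMENTS.items()}

def compliant_hosts(hosts: list[dict]) -> list[str]:
    """Hosts that satisfy every requirement in the matrix."""
    failing = {n for names in assess(hosts).values() for n in names}
    return [h["name"] for h in hosts if h["name"] not in failing]

def report(hosts: list[dict]) -> list[str]:
    """One line per requirement: requirement, implementing item, status."""
    gaps = assess(hosts)
    return [f"{req} [{item}] -> "
            + ("NON-COMPLIANT: " + ", ".join(gaps[req]) if gaps[req] else "compliant")
            for req, (item, _check) in REQUIREMENTS.items()]

if __name__ == "__main__":
    print("\n".join(report(HOSTS)))
```

Each report line keeps the chain requirement id, hardening item, affected hosts, which is the evidence an auditor asks for when compliance has to be demonstrated rather than asserted.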
23. vSphere 6.5 Security Features
• VM Encryption (needs key management)
• PCI-DSS, GDPR, HIPAA
• Data Protection Policies
• vMotion Encryption
• Secure Boot for ESXi and VMs
• Enhanced Logging (Change Control and Monitoring)
• No more Security Hardening Guide, now Security Configuration Guide.
• https://blogs.vmware.com/vsphere/2016/10/whats-new-in-vsphere-6-5-security.html

24. Questions?
Links:
• Whitepaper on Risk Appetite and Risk Tolerance (not part of the blueprint): https://www.rims.org/resources/ERM/Documents/RIMS_Exploring_Risk_Appetite_Risk_Tolerance_0412.pdf
• Official VMware framework on compliance with PCI-DSS: https://solutionexchange.vmware.com/store/products/vmware-pci-compliance-and-cyber-risk-solutions#.VRLGzZPF9Fg
• Official VMware framework on security regulation compliance: https://solutionexchange.vmware.com/store/products/vmware-compliance-cyber-risk-solutions#.VRGBT5PF9Fg
• VCAP6-DCV Design Exam: https://mylearn.vmware.com/mgrReg/plan.cfm?plan=88743&ui=www_cert