
Vss Security And Compliance For The Cloud


Vmware and Trend Micro Presentation at VSS


  1. Security and Compliance for the Cloud
     Trevor Gerdes, Systems
     © 2009 VMware Inc. All rights reserved

  2. Disclaimer
     This session may contain product features that are currently under development. This session/overview of the new technology represents no commitment from VMware to deliver these features in any generally available product. Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind. Technical feasibility and market demand will affect final delivery. Pricing and packaging for any new technologies or features discussed or presented have not been determined.
     “These features are representative of feature areas under development. Feature commitments are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind. Technical feasibility and market demand will affect final delivery.”

  3. Agenda
     • Overview of compliance and security requirements
     • Foundations for virtual security
     • Where can VMware help?
     • How are our partners helping?
     • Summary

  4. Agenda: Overview of compliance and security requirements

  5. Compliance vs. Security
     • Compliance: Conforming to a set of rules or standards. This is generally confirmed by an assessor providing an opinion based on observation, inquiry, and inspection.
     • Security: Implementing Technical, Physical, and Administrative controls to provide confidentiality, integrity, availability, accountability and assurance.

  6. Compliance requirements affecting your customers
     • PCI-DSS
     • Government regulation
     • SOX
     • ISO
     • Internal

  7. Why is PCI so Hard for Virtualization?
     • Technology changes faster than any standard (including the PCI DSS)
     • PCI applies to all systems “in scope”
     • Segmentation defines scope
     • The DSS is vendor agnostic
     • Most whitepapers are written for security, not compliance
     “If network segmentation is in place and will be used to reduce the scope of the PCI DSS assessment, the assessor must verify that the segmentation is adequate to reduce the scope of the assessment.” (PCI DSS p. 6)

  8. What is “In-scope”
     All systems that Store, Process, or Transmit cardholder data, and all system components that are in or connected to the cardholder data environment (CDE).
     What’s unique in a virtual environment?
     • Storage: Data that used to reside only in memory could be written to disk (encryption keys, PAN). The integrity of data can now be altered in several locations (i.e., a log server that is stored as a VM on the ESX host). SAN: can VMs be altered in storage? How will you know?
     • Transmission: Data that used to physically reside in one location could now be transmitted logically across the network (i.e., VMotion, pulling images from a SAN, storage). Authentication controls: how can you ensure that authentication systems cannot be bypassed? What “system components” could be used to sniff sensitive data?
     • Segmentation: Defining system boundaries can be more difficult, with virtual firewalls, virtual switches, VLANs, and High Availability switches. Mixed mode environments, multi-tenancy. Can all system components in the virtual environment meet ALL PCI controls?

  9. Aren’t firewalls required for segmentation?
     • QSAs have historically relied on stateful firewalls for network segmentation
     • PCI allows for “other technology” as an acceptable use of segmentation
     • How do firewalls impact the flow of data unique to a virtual environment (VMotion, pulling images from a SAN, taking “dirty” snapshots)?
     “Network segmentation can be achieved through internal network firewalls, routers with strong access control lists or other technology that restricts access to a particular segment of a network.” (PCI DSS p. 6)

  10. Why are Virtual Environments Perceived As So Much Harder?
     1. System boundaries are not as clear as their non-virtual counterparts
     2. Even the simplest network is rather complicated
     3. More components, more complexity, more areas for risk
     4. Digital forensic risks are more complicated
     5. More systems are required for logging and monitoring
     6. More access control systems
     7. Memory can be written to disk
     8. Many applications and O/S were not designed for Virtualization
     9. VM Escape?
     10. Mixed Mode environments

  11. “System Boundaries” are not as Clear as their Non-Virtual Counterparts
     [Diagram: a basic Web Server and Database, shown in a Standard Environment and in a Virtual Environment]

  12. Agenda: Foundations for virtual security

  13. Enterprise Security today – not virtualized, not cloud ready
     [Diagram: Enterprise, VDC, Users, DMZ, Web Servers, Apps / DB Tier, Sites]
     • Perimeter/DMZ: Threat Mitigation; perimeter security products with FW / VPN / IPS; Hardware Sprawl, Expensive
     • Interior security: Segmentation of applications and Servers; VLAN or subnet based security policies; VLAN Sprawl, Complex
     • Endpoint security: Protecting the Endpoint; AV, HIPS agent based; Agent Sprawl, Cumbersome

  14. Foundations of Virtual Security: Secure Deployment
     • VMware Security Hardening Guides
       • Being provided for major platform products: vSphere 4.x, VMware vCloud Director, View
       • Important for architecture and deployment related controls
     [Diagram from the vSphere Security Hardening Guide: VMkernel with vnics on Production, Mgmt and Storage vSwitches; Prod Network, Mgmt Network, other ESX/ESXi hosts, IP-based Storage, vCenter]

  15. Foundations of Virtual Security: Securing Virtual Machines
     Provide the same protection as for physical servers:
     • Guest: Anti-Virus; Patch Management; OS hardening and compliance
     • Network: Intrusion Detection/Prevention (IDS/IPS)
     • Edge: Firewalls

  16. Foundations of Virtual Security: Virtual Trust Zones
     [Diagram: Firewall / IDS / IPS virtual appliance(s) separating Web server, Application server and Database server VMs on an ESX/ESXi host; management interface and VMkernel; Internet, Intranet, vCenter Server system, Production LAN and Management LAN]

  17. Agenda: Where can VMware help?

  18. Virtualization Controls for Security
     • Network Controls
     • Change Control and Configuration Management
     • Access Controls & Management
     • Vulnerability Management

  19. vShield – Comprehensive Security for Cloud Infrastructure
     Defense in Depth from inside the Guest to the Edge of the Cloud:
     • In Guest: vShield Endpoint
     • VM: vShield App
     • Org: vShield Edge
     Accreditations and Certifications: Firewall certification in progress H2/2011

  20. vShield Edge: Secure the Edge of the Virtual Data Center
     [Diagram: firewall, load balancer and VPN in front of Tenant A and Tenant X]
     Features:
     • Multiple edge security services in one appliance
     • Stateful inspection firewall
     • Network Address Translation (NAT)
     • Dynamic Host Configuration Protocol (DHCP)
     • Site to site VPN (IPsec)
     • Web Load Balancer
     • Edge port group isolation
     • Detailed network flow statistics for chargebacks, etc.
     • Policy management through UI or REST APIs
     • Logging and auditing based on industry standard syslog format

  21. vShield Edge Network Topology
     [Diagram]

  22. vShield App/Zones: Application Protection for Network Based Threats
     [Diagram: DMZ, PCI and HIPAA zones]
     Features:
     • Hypervisor-level firewall
     • Inbound, outbound connection control applied at vNIC level
     • Elastic security groups that “stretch” as virtual machines migrate to new hosts
     • Robust flow monitoring
     • IP Address protection management
     • Policy Management: simple and business-relevant policies, managed through UI or REST APIs
     • Logging and auditing based on industry standard syslog format

  23. vShield Zones/App Topology
     [Diagram]

  24. Customers Trust What They Know – 2 Segment Preferences
     [Diagram: “Air Gapped” Pods and Mixed Trust Hosts (Network Security, vShield Edge) versus Secure Private Cloud (VI Architects, vShield App)]
     • VI Architects who understand the power of virtualization and introspection expect to deploy vShield App, but want it in Cloud environments in addition to vShield Edge
     • IT Security and Network Security see vShield Edge as a natural bridge from what they know and understand in the physical security world, and are looking to find a fit within their existing mixed trust host and air gapped pod network designs, VLANs, etc.

  25. vShield Endpoint: Endpoint Security for Virtual Data Centers and Cloud Environments
     Improves performance and effectiveness of existing endpoint security solutions:
     • Offload of AV functions
     • Hardened security virtual machine
     Features:
     • Offload file activity to Security VM
     • Manage AV service across VMs
     • Enforce Remediation using driver in VM
     • Partner Integrations through EPSEC API: Trend Micro, Symantec, McAfee
     • Policy Management: built-in or customizable with REST APIs
     • Logging of AV file activity

  26. Efficient Antivirus as a Service for Virtual Datacenters
     [Diagram: a hardened SVM using Introspection beside guest VMs (APP / OS / Kernel / BIOS) on VMware vSphere]
     • Tighter collaborative effort with leading AV partners
     • Hypervisor-based introspection for all major AV functions
       • File-scanning engines and virus definitions offloaded to security VM, scheduled and realtime
       • Thin file-virtualization driver in-guest: >95% reduction in guest footprint (eventually fully agentless)
     • Deployable as a service
       • No agents to manage; thin-guest driver to be bundled with VMTools
       • Turnkey, security-as-service delivery
     • Applicable to all virtualized deployment models: private clouds (virtual datacenters), public clouds (service providers), virtual desktops

  27. vCenter Configuration Manager
     • Drive IT Compliance to lower risk
       • Ensure compliance with various industry and regulatory standards on a continuous basis
       • Quickly remediate problems
     • Mitigate outages through approved change processes
       • Detailed understanding and tracking of changes
       • Control change by following your Closed Loop Change Mgmt Process
     • Harden your environment and reduce potential threats and breaches
     • Compliance Through Unified Patching and Provisioning
       • Provision Linux, Windows and ESX images
       • Assess and Patch Windows, UNIX, MAC, etc.
     • Control your virtual infrastructure
       • Fight VM Sprawl & Decommissioning Issues
       • Improved Virtual Troubleshooting
       • Single Pane of Glass

  28. Manage & Measure Compliance
     Automated & Continuous Enterprise Compliance Posture
     • Deep Collection and Visibility
       • Virtual and Physical Machines
       • Desktops and Servers
       • Spans a large array of OSs
     • Built in compliance tool kits
       • Regulatory: SOX, HIPAA, GLBA, FISMA, DISA, ISO 27002
       • Industry: PCI DSS, NERC/FERC
       • Security: CIS Certified Benchmarks, DISA, NIST, Security Hardening Guides, Vendor Specific Hardening Guidelines
       • vSphere Hardening: VMware Best Practices, CIS Benchmark
     • Dashboards provide “At-a-Glance” health

  29. vCenter Application Discovery Manager
     • Get and keep a fast and accurate data center view, across virtual and physical
     • Precise visibility into all application interactions via a network-based approach
     • Eye-opening discovery of unknown, unwanted, & unexpected application behaviors and dependencies
     • Application-aware data center moves & consolidations, migrations, and DR plans

  30. Business Application Dependency Mapping
     Provides a detailed and accurate infrastructure layout of a given business application:
     • Virtual and Physical servers
     • Services
     • Interdependencies
     The first step to understanding a business application is to map out its internal dependencies. Required for any major data center project (i.e. DR, Migration, Consolidation).
     [Diagram: DB Layer and Application Layers]

  31. Agenda: How are our partners helping?

  32. Welcome to the stage: Trend Micro

  33. Agenda: Summary

  34. What Compliance Benefits are there for Virtual Environments?
     1. Repeatable security
     2. Scalable controls
     3. Risk aggregation/concentration
     4. Improve security without impacting operations
     5. Stronger/quicker configuration management
     6. More money can be spent on security controls
     7. Quickly provision and release with minimal management
     8. Faster recovery after an attack
     9. Ability to quickly capture and isolate compromised VMs

  35. Security Advantages of Virtualization
     • Allows Automation of Many Manual, Error Prone Processes
     • Cleaner and Easier Disaster Recovery/Business Continuity
     • Better Forensics Capabilities
     • Faster Recovery After an Attack
     • Patching is Safer and More Effective
     • Better Control Over Desktop Resources
     • More Cost Effective Security Devices
     • App Virtualization Allows De-privileging of End Users
     • Better Lifecycle Controls
     • Security Through VM Introspection

  36. Where to Learn More
     • Security: Hardening Best Practices; Implementation Guidelines
     • Compliance: Partner Solutions; Advice and Recommendation
     • Operations: Peer-contributed Content; http://viops.vmware.com

  37. Thank you
     Trevor Gerdes – tgerdes@vmware.com