Compliance for the Software-Defined Data Center
Slide transcript. Session IL B16, April 17, 2013, 2:30pm to 3:30pm.
Jerry Breaud, VMware, Global Strategic Alliances - Compliance
Kurt Van Etten, Symantec, Director, Risk & Compliance Product Management
SYMANTEC VISION 2013
Agenda
IT Drivers and the Software-Defined Data Center
Compliance in the SDDC
Our Approach: Compliance Reference Architectures
Symantec and VMware – PCI Solution
Q & A
IT Pressures – a Constant Over the Decades
COST: “Are you getting the maximum efficiency out of your infrastructure?”
AGILITY: “How quickly can IT respond to LOB requests?”
GOVERNANCE:
• Legislative Compliance
• Risk Reduction – SLAs & Business Continuity
• Security – Corp Assets & IP
Adoption Has Enabled Agility (figure): virtualization adoption of 25% in 2008, 60% in 2012 and >90% in the future, with provisioning time falling from weeks to days/hours to minutes/seconds.
Driven by Infrastructure (figure): the same timeline (2008, 2012, future; weeks to days/hours to minutes/seconds) applied across Storage/Availability, Servers, Networking, Security and Management/Monitoring, moving from the virtual data center (VDC) to software-defined datacenter services.
SOFTWARE-DEFINED DATACENTER
All infrastructure is virtualized and delivered as a service, and the control of this datacenter is entirely automated by software.
Abstract. Pool. Automate.
Getting to The Software-Defined Data Center (SDDC): VMware vCloud Suite (figure, layers from top to bottom)
• Management: VMware vCloud Director, VMware vCenter Orchestrator, VMware vCloud Automation Center, VMware vFabric Application Director, VMware vCenter Operations Management Suite, VMware vCloud Connector
• Extensibility: VMware vCloud APIs
• Software-Defined Networking & Security: VMware vCloud Networking & Security
• Software-Defined Storage & Availability: VMware vCenter Site Recovery Manager
• Virtualization: VMware vSphere
• Cloud Infrastructure on Physical Infrastructure (Server, Storage, Network)
Symantec and the SDDC
Security and Compliance Solutions (“At the endpoint and beyond”):
• Anti-virus and Malware
• Virtual Server Hardening (vSphere)
• Data Loss Prevention
• Threat Correlation
• Content Filtering
• Legal & Regulatory Compliance
• Managed Security
Storage & Availability Solutions (“Always on, always available”):
• Backup & Recovery
• High Availability
• Application Availability
• Clustering
• Archiving
• Storage Management and Reporting
• Dynamic Multi-pathing
Extensibility
The Virtualization Path – Continue the Journey
• IT Production – Capex Savings Thru Consolidation (Reactive; Reducing Cost)
• Business Production – Opex Saving Thru Automation (Proactive; Agility)
• IT as a Service – Game Change Thru Self-Service (Enabling Governance)
Software-Defined Data Center: Abstract. Pool. Automate. Empower.
Compliance in the Software-Defined Data Center
VMware: The Virtualization Journey: Managing and Proving Compliance
Virtualize Applications on The Journey: Typical Compliance Challenges
Compliance & Security Operations wants to virtualize and consolidate more, but sometimes the business risk owners (Chief Compliance Officer / Legal Counsel) need convincing:
• Will I meet compliance & security requirements?
• Will my auditor approve?
• What’s in it for me?
• Will my virtualized environment be as compliant as my physical environment?
The case to make: reducing costs (infrastructure efficiency, simpler management) and reducing compliance complexity (streamlined compliance reporting).
Trust and Cloud Computing – Some New Challenges
• Mixed mode levels of trust
‒ VMs riding on the same Guest with different Trust Levels (PCI)
‒ Multi-Tenancy protecting Intellectual Property (IP) with shared Resources
‒ Auditor, QSA Approval of Design
• Evidence based compliance
‒ What standards and frameworks do I adopt to minimize risk?
‒ How do I prove my data is properly protected and segmented?
‒ How do I automate the application of best practices, regulatory guidelines and vendor standards?
• Separation of consumer and provider
‒ Consumer delivered governance around workloads
‒ Evidence from provider around infrastructure compliance
‒ How do I address data governance, privacy, etc?
‒ How do we account for change? (Loss of Service)
VMware Offerings Lay The Foundation: continuously assess and remediate compliance for guests and VMware infrastructure.
Compliance Framework: People, Process, Technology
Compliance Drivers:
1. Compliance is the Top Business Driver for Security Investment
2. Compliance & Regulatory Concerns Is #2 Concern For Private Cloud
3. Compliance Is The #1 Inhibitor to Moving Data/Apps to the (Public) Cloud
Compliance Levers: VMware together with Services Partners (Consulting & Audit) and Technology Partners (Symantec).
VMware Compliance Reference Architecture Framework
Virtualize Applications on The Journey VMware Compliance GTM
• Customers want to Virtualize Business Critical Applications and maintain required Compliance• Concerns can slow adoption as an “objection” to virtualizing
‒ Concerns are being addressed one-off with individual customers‒ Opportunity is to define Compliance solutions and scale through GTM model
• VMware Approach‒ Deliver Thought Leadership To/Via Audit/Compliance Industry‒ Build And Deliver Compliance Reference Architecture Framework
• Enable Compliant Cloud Solutions By Extending The VMware Eco-System• 1) Align Audit/Advisory, 2) Infrastructure and 3) SI/SO/SP Partners
‒ Focus on Highly Regulated Industries• Focus On PCI, HIPAA/HITECH, FedRAMP, FISMA, SOX, etc• Start with PCI Solution to build framework and partnerships
‒ Expand to other solutions and GTM activities to scale
SYMANTEC VISION 2013
VMware – Compliance GTM – In the News
Solution Development Lifecycle
Solution – business focused, addresses compliance risk, product + services:
‒ Led by VMware; multi-party strategy; auditor design input; meets regulatory audit requirements
‒ Joint architectures / best practices: assessment, design, deployment and operational services; sales motion alignment; delivery capabilities aligned; full solution lifecycle
Architecture – joint reference architecture design with auditor lab validation:
‒ Collaborative design effort: VMware + Infrastructure + Auditor + Services Partners
‒ Designed to meet business requirements; designed to meet the majority of technical controls
‒ Validated by auditor
Capability – VMware & partner products mapped to compliance controls:
‒ Tested for interoperability & compatibility (VMware Ready, NetX, etc.): tested for compatibility & support; tested for API conformance
‒ Reviewed by auditor
Route to Market – Access, Expertise, Capability
1. NEW Partners – Audit/Advisory Partners: define & validate RA’s; industry thought leadership
2. Infrastructure Partner – technology white space; enhance compliance capabilities (converged infrastructure)
3. Systems Integrator / Outsourcer / Service Provider – compliance solution guides
4. Enhanced Strategy – validated partner reference architectures, validated VMW reference architectures and the GTS Compliance Solution Toolkit, delivered to the customer
Symantec is the first VMware partner to publish an Architecture Design Guide for PCI.
Compliance Reference Architecture Framework
Produced by VMware with its Audit Advisory Partners; the documents cover VMware technology + services and together define the Compliance Infrastructure Solution:
1. Document 1 – VMware Approach to Compliance: defines the overall approach to compliance undertaken by VMware, Partners and Auditors for the broadest understanding of the effort.
2. Document 2 – VMware Solution Guide: collaboration between VMware SMEs and Auditor to establish applicability of VMware software and applicable regulation(s).
3. Document 3 – VMware Architecture Design Guide (Auditor Reviewed): builds upon the first 2 documents and describes a more detailed approach for considerations when designing a compliant architecture.
4. Document 4 – VMware Validated Reference Architecture (Auditor Validated): defines the expected results of a compliant architecture implemented with the design principles from Doc 3, with a focus on audit procedures for verification.
5. Document 5 – VMware GTS Compliance Solution Toolkit (Auditor Reviewed): expands the concepts of the Reference Architecture into a concept of deployment & operations for green field or remediation implementations.
Compliance Reference Architecture Framework – VMware and Partners
The same five-document structure is mirrored for each VMware partner, with Audit Advisory Partners reviewing and validating both sets:
• VMware Compliance Infrastructure Solution (VMware technology + services): Document 1 VMware Approach to Compliance; Document 2 VMware Solution Guide; Document 3 VMware Architecture Design Guide (Auditor Reviewed); Document 4 VMware Validated Reference Architecture (Auditor Validated); Document 5 VMware GTS Compliance Solution Toolkit (Auditor Reviewed)
• Partner Compliance Infrastructure Solution (partner technology + services): Document 1 Partner Approach to Compliance; Document 2 Partner Solution Guide; Document 3 Partner Architecture Design Guide (Auditor Reviewed); Document 4 Partner Validated Reference Architecture (Auditor Validated); Document 5 Partner Compliance Solution Toolkit (Auditor Reviewed)
• Delivery: VMware technology and partner technology deployed through VAR, SI, SO and SP deployment services, VMware PSO and Partner PSO
Symantec is the first VMware partner to publish a Solution Guide and Architecture Design Guide for PCI.
Symantec-VMware Partnership
PCI Example – Functional Responsibilities (share of PCI DSS requirements, as shown on the slide)
• 29% – Organization responsibility: non-technical (policy, process, procedure and physical)
• 50% – VMware technical products
• 22% – Partner technical products
• 14% – VMware + Partner technical products
Meeting PCI – Before Virtualization
PCI DSS IT Control Statements:
1. Install & Maintain a firewall configuration to protect cardholder data
2. Do not use vendor supplied defaults for passwords & other security parameters
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open and public networks
5. Use and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict Physical access to cardholder data
10. Monitor and Test Network
11. Regularly test security systems and processes
12. Maintain a policy that addresses information security for employees and contractors
PCI DSS x Symantec Solutions*: the slide maps these requirements to DLP, SIM, Endpoint Protection, Secure Config, Policy and Firewalls.
Symantec Security & Compliance Solutions for VMware
• Symantec Control Compliance Suite
‒ Policy scan of VM on deployment – quarantine / remediate
‒ Vulnerability scan of VM on deployment – quarantine / remediate
• Symantec Data Loss Prevention
‒ Unparalleled ability to discover sensitive data on VMs
‒ Integration with vShield Endpoint to provide VM-quarantine based on DLP policy
• Symantec Web Gateway
‒ Integration with vShield Endpoint App for threat discovery (including botnets)
‒ Provision to quarantine / remediate threats
• Symantec Security Information Manager | Symantec Managed Security Service
‒ Event correlation – quarantine / remediate
‒ Managed Security Service offering
• Symantec Critical Systems Protection
‒ Protection from advanced threats for mission-critical servers
‒ vSphere and vCenter server protection to VMware and Industry standards
• Symantec Endpoint Protection
‒ Dynamic, transparent, beyond-physical security on a hardened infrastructure
‒ Effective across both managed and unmanaged VMs
PCI Example – Virtualized Environment: Automated and Self-healing
• Symantec DLP with vCloud Networking and Security App – Discover sensitive data: scans the environment looking for sensitive data, flags affected VMs, quarantines out-of-policy VMs
• vCenter Infrastructure Navigator – Map application environment: shows where the affected systems are connected, identifies relationships
• vCloud Networking and Security App – Creates logical trust zones: automatically segmented, based on app (banking), inter-vSphere “firewall”
• Symantec Control Compliance Suite w/ vSphere Hardening Policy – Policy and assessment management: assesses VMs for configuration and vulnerability states to remediate deficiencies and policy violations
• vShield Endpoint & Symantec Endpoint Solutions – Endpoint malware protection with intrusion detection/prevention
• Symantec Security Information Manager w/ vShield Log Collector – Incident management and reporting
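The discover, flag, quarantine, assess and remediate loop sketched on this slide, and the "policy scan of VM on deployment – quarantine / remediate" behaviour listed for Control Compliance Suite two slides earlier, as an added example that is not part of the original deck and not code from any Symantec or VMware product. Everything in it is constructed for illustration: the VM inventory, the zone names `cde` and `quarantine`, the hardening-policy keys (placeholders, not real vSphere hardening guideline identifiers) and the file contents the DLP pass reads. The card numbers in the sample data are the public Luhn test values; the Luhn checksum, which genuine card numbers satisfy, is what keeps a DLP rule from flagging every 16-digit string.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed hardening policy: keys and expected values are illustrative placeholders,
# not real vSphere hardening guideline identifiers.
HARDENING_POLICY = {
    "ssh_enabled": False,               # no interactive shell exposed
    "default_password_changed": True,   # PCI DSS req. 2 (vendor defaults)
    "antivirus_agent": True,            # PCI DSS req. 5
    "log_forwarding": True,             # PCI DSS req. 10 (events reach the SIM)
}
CDE_ZONE = "cde"                # constructed trust zone allowed to hold cardholder data
QUARANTINE_ZONE = "quarantine"  # constructed isolated zone with no path to other VMs

PAN_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")  # 13-19 digits with optional separators


def luhn_valid(digits: str) -> bool:
    """Luhn checksum that real card numbers satisfy; cuts false positives on digit runs."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:            # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """DLP-style discovery: return the Luhn-valid card numbers found in text."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


@dataclass
class VM:
    name: str
    zone: str
    config: dict          # constructed guest settings read by the policy scan
    disk_sample: str      # constructed file content read by the DLP scan


@dataclass
class Decision:
    vm: str
    zone: str                   # zone the VM ends up in after the decision
    pans_found: int
    config_findings: list[str]  # policy keys whose value differs from the expected one
    action: str                 # "allow", "remediate" or "quarantine"


def assess(vm: VM, policy: dict = HARDENING_POLICY) -> Decision:
    """One pass of discover -> flag -> quarantine / remediate for a single VM."""
    pans = find_pans(vm.disk_sample)
    findings = sorted(k for k, want in policy.items() if vm.config.get(k) != want)
    if pans and (vm.zone != CDE_ZONE or findings):
        # Cardholder data outside the CDE, or inside it on a drifted VM: isolate first.
        return Decision(vm.name, QUARANTINE_ZONE, len(pans), findings, "quarantine")
    if findings:
        # Hardening drift but no cardholder data: keep it running, ticket the fix.
        return Decision(vm.name, vm.zone, len(pans), findings, "remediate")
    return Decision(vm.name, vm.zone, len(pans), [], "allow")


def run_pipeline(vms: list[VM], policy: dict = HARDENING_POLICY) -> dict[str, Decision]:
    """Assess every VM in the inventory (e.g. on deployment or on a schedule)."""
    return {vm.name: assess(vm, policy) for vm in vms}


def incident_report(decisions: dict[str, Decision]) -> list[str]:
    """Lines an incident-management console would ingest (constructed format)."""
    lines = []
    for d in decisions.values():
        if d.action == "allow":
            continue
        detail = f"pans={d.pans_found} findings={','.join(d.config_findings) or '-'}"
        lines.append(f"{d.action.upper()} vm={d.vm} zone={d.zone} {detail}")
    return lines


# Constructed inventory; the card numbers are public Luhn test values, not real PANs.
SAMPLE_VMS = [
    VM("web-01", "dmz", {**HARDENING_POLICY}, "GET /index.html 200 order=A17"),
    VM("batch-07", "corp", {**HARDENING_POLICY},
       "export: 4111 1111 1111 1111, cust 8812"),           # PAN outside the CDE
    VM("pay-db-02", CDE_ZONE, {**HARDENING_POLICY, "ssh_enabled": True},
       "pan=5500000000000004;exp=1215"),                     # PAN inside CDE, drifted config
    VM("app-03", "corp", {k: v for k, v in HARDENING_POLICY.items() if k != "log_forwarding"},
       "card 4111 1111 1111 1112 order 20130417"),           # fails Luhn: not a PAN
]

if __name__ == "__main__":
    for line in incident_report(run_pipeline(SAMPLE_VMS)):
        print(line)
```

The ordering of the decision matters: a VM holding cardholder data in the wrong trust zone is moved before anything else is fixed, because remediation on a live, reachable VM does not stop the data leaving; a VM with configuration drift but no cardholder data stays up and gets a ticket. Running the script prints one line per quarantined or remediated VM, which is the record the SIM slot on this slide would correlate and report on.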
PCI Validated Solutions – available today
• Specific implementation guidance
• Maps VMware and Partner technologies
• VMware-authored with addendum by partners
• Auditor reviewed and validated
• HIPAA/HITECH in 2H 13
Symantec Compliance Practice
Bringing It All Together: VMware, Services Partners (Consulting & Audit) and Technology Partners (Symantec).
Q&A
For More Information
• VMware Compliance Press Release: https://www.vmware.com/company/news/releases/vmw-pci-100412.html
VMware Collateral
• VMware Approach to Compliance: http://www.vmware.com/files/pdf/VMware-Approach-to-Compliance.pdf
• VMware Solution Guide for PCI: http://www.vmware.com/files/pdf/VMware-Payment-Card-Industry-Solution-Guide.pdf
• VMware Architecture Design Guide for PCI: http://www.vmware.com/files/pdf/VMware-Architecture-Design-Guide-for-PCI.pdf
Partner Collateral
• VMware Partner Solution Guides for PCI: https://solutionexchange.vmware.com/store/categories/compliance
• Symantec VMware Press Release: http://www.symantec.com/about/news/release/article.jsp?prid=20120228_02
Symantec Collateral
• Symantec VMware Approach to Security in Virtualized Environments: http://www.symantec.com/content/en/us/enterprise/white_papers/b-WP_SecuringThePromiseOfVirtualization_WP_21229614.en-us.pdf
• Symantec Solutions for Security and Compliance in Virtualized Environments: http://www.symantec.com/products-solutions/solutions/detail.jsp?parent=virtualization&child=secure_virtualization
• Symantec Solutions that support PCI Compliance: http://www.symantec.com/pci-compliance