
Page 1: Compliance for the Software-Defined Data Center

Compliance for the Software-Defined Data Center

IL B16, April 17, 2013, 2:30pm to 3:30pm

Jerry Breaud, VMware, Global Strategic Alliances - Compliance

Kurt Van Etten, Symantec, Director, Risk & Compliance Product Management

Page 2

SYMANTEC VISION 2013

Agenda

• IT Drivers and the Software-Defined Data Center
• Compliance in the SDDC
• Our Approach: Compliance Reference Architectures
• Symantec and VMware – PCI Solution
• Q & A

Page 3

IT Pressures – a Constant Over the Decades

COST: “Are you getting the maximum efficiency out of your infrastructure?”

AGILITY: “How quickly can IT respond to LOB requests?”

GOVERNANCE:
• Legislative Compliance
• Risk Reduction – SLAs & Business Continuity
• Security – Corp Assets & IP

Page 4

Adoption Has Enabled Agility

[Chart: adoption 2008: 25%, 2012: 60%, future: >90%; response time from weeks, to days/hours, to minutes/seconds]

Page 5

Driven by Infrastructure

[Chart: 2008, 2012, future; columns Storage/Availability, Servers, Networking, Security, Management/Monitoring; from VDC to Software-Defined Datacenter Services; response time from weeks, to days/hours, to minutes/seconds]

Page 6

SOFTWARE-DEFINED DATACENTER

All infrastructure is virtualized and delivered as a service, and the control of this datacenter is entirely automated by software.

Abstract. Pool. Automate.

Page 7

Getting to The Software-Defined Data Center (SDDC)

[Diagram: VMware vCloud Suite stack]

Layers: Physical Infrastructure (Server, Storage, Network); Virtualization; Cloud Infrastructure; Management; Extensibility; Software-Defined Networking & Security; Software-Defined Storage & Availability

Products: VMware vSphere, VMware vCloud Director, VMware vCenter Orchestrator, VMware vCloud APIs, VMware vCloud Automation Center, VMware vFabric Application Director, VMware vCenter Operations Management Suite, VMware vCloud Connector, VMware vCloud Networking & Security, VMware vCenter Site Recovery Manager

Page 8

Symantec and the SDDC

[Diagram: the VMware vCloud Suite stack from Page 7 with Symantec solutions overlaid]

Security and Compliance Solutions: “At the endpoint and beyond”
• Anti-virus and Malware
• Virtual Server Hardening (vSphere)
• Data Loss Prevention
• Threat Correlation
• Content Filtering
• Legal & Regulatory Compliance
• Managed Security

Storage & Availability Solutions: “Always on, always available”
• Backup & Recovery
• High Availability
• Application Availability
• Clustering
• Archiving
• Storage Management and Reporting
• Dynamic Multi-pathing

Extensibility

Page 9

The Virtualization Path – Continue the Journey

[Diagram: three stages of the journey]
• IT Production: Capex Savings Thru Consolidation (Reducing Cost)
• Business Production: Opex Saving Thru Automation (Agility)
• IT as a Service: Game Change Thru Self-Service (Enabling Governance)

Abstract. Pool. Automate. Empower.

Software-Defined Data Center

Reactive to Proactive

Page 10

Compliance in the Software-Defined Data Center

VMware: The Virtualization Journey: Managing and Proving Compliance

Page 11

Typical Compliance Challenges

Compliance & Security Operations: Operations Wants to Virtualize and Consolidate More

Business Risk Owner (Chief Compliance Officer / Legal Counsel): But Sometimes Risk Owners Need Convincing
• Will I meet compliance & security requirements?
• Will my auditor approve?
• What’s in it for me?
• Will my virtualized environment be as compliant as my physical environment?

Reducing Costs
• Infrastructure efficiency
• Simpler management

Reduces Compliance Complexity
• Streamline compliance reporting

Page 12

Trust and Cloud Computing – Some New Challenges

• Mixed mode levels of trust
  ‒ VMs riding on the same Guest with different Trust Levels (PCI)
  ‒ Multi-Tenancy: protecting Intellectual Property (IP) with shared Resources
  ‒ Auditor, QSA Approval of Design
• Evidence-based compliance
  ‒ What standards and frameworks do I adopt to minimize risk?
  ‒ How do I prove my data is properly protected and segmented?
  ‒ How do I automate the application of best practices, regulatory guidelines and vendor standards?
• Separation of consumer and provider
  ‒ Consumer-delivered governance around workloads
  ‒ Evidence from provider around infrastructure compliance
  ‒ How do I address data governance, privacy, etc.?
  ‒ How do we account for change? (Loss of Service)

Page 13

VMware Offerings Lay The Foundation

Continuously assess and remediate compliance for guests and VMware infrastructure.

Page 14

Compliance Framework

People, Process, Technology

Compliance Drivers:
1. Compliance is the top business driver for security investment
2. Compliance & regulatory concerns are the #2 concern for private cloud
3. Compliance is the #1 inhibitor to moving data/apps to the (public) cloud

Compliance Levers: VMware; Services Partners (Consulting & Audit); Technology Partners (Symantec)

Page 15

VMware Compliance Reference Architecture Framework

Page 16

VMware Compliance GTM

• Customers want to virtualize business-critical applications and maintain required compliance
• Concerns can slow adoption as an “objection” to virtualizing
  ‒ Concerns are being addressed one-off with individual customers
  ‒ Opportunity is to define compliance solutions and scale through the GTM model
• VMware approach
  ‒ Deliver thought leadership to/via the audit/compliance industry
  ‒ Build and deliver the Compliance Reference Architecture Framework
• Enable compliant cloud solutions by extending the VMware eco-system
  ‒ 1) Align audit/advisory, 2) infrastructure and 3) SI/SO/SP partners
  ‒ Focus on highly regulated industries: PCI, HIPAA/HITECH, FedRAMP, FISMA, SOX, etc.
  ‒ Start with the PCI solution to build framework and partnerships
  ‒ Expand to other solutions and GTM activities to scale

Page 17

VMware – Compliance GTM – In the News

Page 18

Solution Development Lifecycle

Solution: business focused, addresses compliance risk; product + services
• Joint architectures, best practices
• Assessment, design, deployment and operational services
• Sales motion alignment; delivery capabilities aligned; full solution lifecycle
• Led by VMware; multi-party strategy; auditor design input; meets regulatory audit requirements

Architecture: joint reference architecture design; auditor lab validation
• Collaborative design effort: VMware + infrastructure + auditor + services partners
• Designed to meet business requirements
• Designed to meet the majority of technical controls
• Validated by auditor

Capability: VMware & partner products mapped to compliance controls
• Tested for interoperability & compatibility (VMware Ready, NetX, etc.)
• Tested for compatibility & support
• Tested for API conformance
• Reviewed by auditor

Page 19

Route to Market – Access, Expertise, Capability

[Diagram: partner types arranged around the Customer]
1. Audit/Advisory Partners (new partners): define & validate RAs; industry thought leadership
2. Infrastructure Partner: technology white space; enhance compliance capabilities
3. Systems Integrator / Outsourcer / Service Provider: Compliance Solution Guides
4. Enhanced Strategy: Validated Partner Reference Architectures; Validated VMW Reference Architectures; GTS Compliance Solution Toolkit; Converged Infrastructure

Symantec is the first VMware partner to publish an Architecture Design Guide for PCI

Page 20

Compliance Reference Architecture Framework

[Diagram: VMware Technology + Services, Audit Advisory Partners, Compliance Infrastructure Solution]

Document 1, VMware Approach to Compliance: defines the overall approach to compliance undertaken by VMware, partners and auditors for the broadest understanding of the effort

Document 2, VMware Solution Guide: collaboration between VMware SMEs and auditor to establish applicability of VMware software and applicable regulation(s)

Document 3, VMware Architecture Design Guide (auditor reviewed): builds upon the first two documents and describes a more detailed approach for considerations when designing a compliant architecture

Document 4, VMware Validated Reference Architecture (auditor validated): defines the expected results of a compliant architecture implemented with the design principles from Document 3, with a focus on audit procedures for verification

Document 5, VMware GTS Compliance Solution Toolkit (auditor reviewed): expands the concepts of the Reference Architecture into deployment & operations for green-field or remediation implementations

Page 21

Compliance Reference Architecture Framework (extended to partners)

[Diagram: the five VMware documents alongside the matching partner documents, both with Audit Advisory Partners]

VMware Technology + Services:
• Document 1: VMware Approach to Compliance
• Document 2: VMware Solution Guide
• Document 3: VMware Architecture Design Guide (auditor reviewed)
• Document 4: VMware Validated Reference Architecture (auditor validated)
• Document 5: VMware GTS Compliance Solution Toolkit (auditor reviewed)

Partner Technology + Services:
• Document 1: Partner Approach to Compliance
• Document 2: Partner Solution Guide
• Document 3: Partner Architecture Design Guide (auditor reviewed)
• Document 4: Partner Validated Reference Architecture (auditor validated)
• Document 5: Partner Compliance Solution Toolkit (auditor reviewed)

Compliance Infrastructure Solution: VMware Partners (VAR, SI, SO, SP)

Deployment Services: VMware PSO, Partner PSO; VMware Technology, Partner Technology

Symantec is the first VMware partner to publish a Solution Guide and Architecture Design Guide for PCI

Page 22

Symantec-VMware Partnership

Page 23

PCI Example – Functional Responsibilities

[Chart: PCI DSS Requirements by responsibility]
• 29%: Organization Responsibility, non-technical (policy, process, procedure and physical)
• 50%: VMware technical products
• 22%: Partner technical products
• 14%: VMware + Partners technical products

Page 24

Meeting PCI - Before Virtualization

PCI DSS IT Control Statement
1. Install & maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for passwords & other security parameters
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open and public networks
5. Use and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
10. Monitor and test network
11. Regularly test security systems and processes
12. Maintain a policy that addresses information security for employees and contractors

PCI DSS x Symantec Solutions*: DLP; SIM; Endpoint Protection; Secure Config; Policy; Firewalls

Page 25

Symantec Security & Compliance Solutions for VMware

Symantec Control Compliance Suite
• Policy scan of VM on deployment – quarantine / remediate
• Vulnerability scan of VM on deployment – quarantine / remediate

Symantec Data Loss Prevention
• Unparalleled ability to discover sensitive data on VMs
• Integration with vShield Endpoint to provide VM quarantine based on DLP policy

Symantec Web Gateway
• Integration with vShield Endpoint App for threat discovery (including botnets)
• Provision to quarantine / remediate threats

Symantec Security Information Manager | Symantec Managed Security Service
• Event correlation – quarantine / remediate
• Managed Security Service offering

Symantec Critical Systems Protection
• Protection from advanced threats for mission-critical servers
• vSphere and vCenter server protection to VMware and industry standards

Symantec Endpoint Protection
• Dynamic, transparent, beyond-physical security on a hardened infrastructure
• Effective across both managed and unmanaged VMs

Page 26

PCI Example – Virtualized Environment: Automated and Self-healing

Symantec DLP with vCloud Networking and Security App: discover sensitive data
• Scans environment looking for sensitive data
• Flags affected VMs
• Quarantines out-of-policy VMs

vCenter Infrastructure Navigator: map application environment
• Show where the affected systems are connected
• Identify relationships

vCloud Networking and Security App: creates logical trust zones
• Automatically
• Segmented based on app (banking)
• Inter-vSphere “firewall”

Symantec Control Compliance Suite w/ vSphere Hardening Policy: policy and assessment management
• Assess VMs for configuration and vulnerability states to remediate deficiencies and policy violations

vShield Endpoint & Symantec Endpoint Solutions: endpoint malware with intrusion detection/prevention

Symantec Security Information Manager w/ vShield Log Collector: incident management and reporting
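The two slides above (Page 25's "policy scan of VM on deployment – quarantine / remediate" and Page 26's discover / assess / quarantine loop) describe an automated admission decision for each newly deployed VM. The following is an added example of that loop in miniature, written for this page; it is not code from the presentation, from VMware or from Symantec, and it talks to no real vSphere, vShield or Symantec product. The hardening settings (`ssh.enabled`, `default_password_changed`, `antivirus.installed`, `log.forwarding`), the trust-zone name `cde`, the sample VM records and the file contents are all constructed for illustration. It goes slightly beyond the slides by adding a Luhn check to the card-number discovery, which is how DLP engines typically cut false positives on random digit runs.

```python
"""Toy version of the automated compliance loop from the PCI example slides.

Each deployed VM is (1) assessed against a hardening policy, (2) scanned for
cardholder data, (3) checked against its logical trust zone, and then
admitted, remediated or quarantined. Everything below is constructed for
illustration: the policy keys, the trust-zone name and the VM records are
assumptions, not real product settings.
"""
import re
from dataclasses import dataclass, field

# --- DLP-style discovery of primary account numbers (PCI DSS req. 3) ----------

# 13-19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters random digit runs (order ids, timestamps) out."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return the card numbers (digits only) in text that pass the Luhn check."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


# --- Hardening policy: hypothetical settings in the spirit of a vSphere
#     hardening guide; keys and required values are constructed ---------------

HARDENING_POLICY = {
    "ssh.enabled": False,               # no interactive shell on the guest
    "default_password_changed": True,   # PCI DSS req. 2
    "antivirus.installed": True,        # PCI DSS req. 5
    "log.forwarding": True,             # PCI DSS req. 10: events reach the SIM
}
# Deviations an automated job may fix in place; anything else isolates the VM.
REMEDIABLE = {"ssh.enabled", "log.forwarding"}
# Only VMs placed in the cardholder data environment may hold PANs (assumed name).
CDE_ZONE = "cde"


@dataclass
class VM:
    name: str
    zone: str                                   # logical trust zone
    config: dict                                # flattened guest/hypervisor settings
    files: dict = field(default_factory=dict)   # path -> content (constructed)


def policy_violations(vm: VM) -> list:
    return [k for k, want in HARDENING_POLICY.items() if vm.config.get(k) != want]


def assess(vm: VM) -> dict:
    """Decide admit / remediate / quarantine for one deployed VM."""
    violations = policy_violations(vm)
    pan_files = sorted(p for p, body in vm.files.items() if find_pans(body))
    if pan_files and vm.zone != CDE_ZONE:
        action = "quarantine"       # cardholder data outside the CDE
    elif any(v not in REMEDIABLE for v in violations):
        action = "quarantine"       # e.g. vendor default password still in place
    elif violations:
        action = "remediate"        # fixable deviations: correct, then admit
    else:
        action = "admit"
    return {"vm": vm.name, "action": action,
            "violations": violations, "pan_files": pan_files}


def sim_event(result: dict) -> str:
    """One line in the shape a log collector could forward to the SIM."""
    return (f"vm={result['vm']} action={result['action']} "
            f"violations={','.join(result['violations']) or '-'} "
            f"pan_files={','.join(result['pan_files']) or '-'}")


# Constructed sample deployment batch.
_CLEAN = {"ssh.enabled": False, "default_password_changed": True,
          "antivirus.installed": True, "log.forwarding": True}
SAMPLE_VMS = [
    VM("web-01", "dmz", dict(_CLEAN), {"/var/www/index.html": "<h1>Shop</h1>"}),
    VM("batch-07", "corp", {**_CLEAN, "log.forwarding": False},
       {"/tmp/export.csv": "order,card\n1001,4111 1111 1111 1111\n1002,1234567890123456\n"}),
    VM("db-02", CDE_ZONE, {**_CLEAN, "log.forwarding": False},
       {"/data/cards.txt": "4111111111111111"}),
    VM("test-03", "corp", {**_CLEAN, "default_password_changed": False}),
]


def run_batch(vms=SAMPLE_VMS) -> dict:
    """Assess every VM in the batch; keyed by VM name."""
    return {vm.name: assess(vm) for vm in vms}


if __name__ == "__main__":
    for r in run_batch().values():
        print(sim_event(r))
```

The ordering of the checks is the point: a VM holding card data outside its trust zone is isolated regardless of how clean its configuration is, a non-remediable deviation (a vendor default still in place) also isolates it, and only purely fixable deviations are corrected in place. The second sample record shows why the Luhn check matters: `1234567890123456` looks like a card number but is not one, while `4111 1111 1111 1111` is flagged.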

Page 27

PCI Validated Solutions – available today
• Specific implementation guidance
• Maps VMware and partner technologies
• VMware-authored with addendum by partners
• Auditor reviewed and validated
• HIPAA/HITECH in 2H 13

Symantec Compliance Practice

Page 28

Bringing It All Together

VMware; Services Partners (Consulting & Audit); Technology Partners (Symantec)

Page 29

Q&A

Page 30

For More Information

VMware Compliance Press Release: https://www.vmware.com/company/news/releases/vmw-pci-100412.html

VMware Collateral
• VMware Approach to Compliance: http://www.vmware.com/files/pdf/VMware-Approach-to-Compliance.pdf
• VMware Solution Guide for PCI: http://www.vmware.com/files/pdf/VMware-Payment-Card-Industry-Solution-Guide.pdf
• VMware Architecture Design Guide for PCI: http://www.vmware.com/files/pdf/VMware-Architecture-Design-Guide-for-PCI.pdf

Partner Collateral
• VMware Partner Solution Guides for PCI: https://solutionexchange.vmware.com/store/categories/compliance

[email protected]

Page 31

For More Information

Symantec VMWare Press Release: http://www.symantec.com/about/news/release/article.jsp?prid=20120228_02

Symantec Collateral
• Symantec VMWare Approach to Security in Virtualized Environment: http://www.symantec.com/content/en/us/enterprise/white_papers/b-WP_SecuringThePromiseOfVirtualization_WP_21229614.en-us.pdf
• Symantec Solutions for Security and Compliance in Virtualized Environment: http://www.symantec.com/products-solutions/solutions/detail.jsp?parent=virtualization&child=secure_virtualization
• Symantec Solutions that support PCI Compliance: http://www.symantec.com/pci-compliance