TRANSCRIPT
Protecting the Software-Defined Data Center from Data Breach
Mordecai Rosen, Vice President, Product Management and Strategy, Security, CA Technologies
Jeremiah Cornelius, Security Architect and Partner Product Strategist, VMware
Session SCT33S
2 © 2015 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD
Terms of this Presentation
For Informational Purposes Only
© 2015 CA. All rights reserved. All trademarks referenced herein belong to their respective companies.
The content provided in this CA World 2015 presentation is intended for informational purposes only and does not form any type of warranty. The information provided by a CA partner and/or CA customer has not been reviewed for accuracy by CA.
Session Abstract:
Protecting the Software Defined Data Center from Breach
In this session, we will discuss:
Security Requirements for our next generation software defined data centers
VMware NSX™, VMware’s network virtualization platform, and how it protects the software defined data center
CA Privileged Access Manager for VMware NSX™, and how it protects the management plane of VMware NSX™
Mordecai Rosen, VP Product Mgmt., CA Technologies
Jeremiah Cornelius, Security Architect, VMware
Existing security layers have been breached
Today’s data centers are protected by strong perimeter defense…
But threats and exploits still infect servers. Low-priority systems are often the target, and SSL is no guarantee of protection.
Attacks spread inside the data center, where internal controls are often weak. Critical systems are targeted.
Possibly after months of reconnaissance, the infiltration relays secret data to the attacker.
Attackers follow a predictable pattern of actions, called a kill chain, in attempting their attacks.
Compromised identities and privileged accounts are at the core of the kill chain.
The Problem: 25 years of perimeter security has failed
Today’s security model focuses on perimeter defense, but continued security breaches show this model is not enough.
[Diagram: Internet, service providers, partners, auditors, customers, hacker and employees around the perimeter]
Repurposing existing tools doesn’t work
A typical data center has 2 firewalls vs 1000 workloads.
Directing all traffic (virtual + physical) through chokepoint firewalls is inefficient, and a physical firewall per workload is cost prohibitive and unmanageable.
The Solution: New software defined data center model
Integrating identity, security, & manageability into the fabric
Starting assumptions: assume everything is a threat and act accordingly.
Design principles: (1) identity centric micro-segmentation; (2) secure policy based management plane.
How do you move as fast as the business needs you to move while securing an ever-growing and changing environment, without having to start over?
You need a new approach to networking and security that gives you the agility and speed you need to support the business, while providing an inherently more secure infrastructure.
Security is needed everywhere, but we can’t have our controls everywhere
Why can’t we have individual firewalls for every VM?
Physical firewalls: expensive and complex.
Virtual firewalls: slow, costly, and complicated.
With traditional technology, this is operationally infeasible.
NSX value proposition
Network Virtualization is at the core of an SDDC approach.
[Diagram: virtualization layer spanning network, storage, compute]
The next-generation networking model
Network and security services now in the hypervisor: switching, routing, firewalling/ACLs, load balancing.
The next-generation networking model
Switching, routing, firewalling/ACLs, load balancing: high throughput rates; east-west firewalling; native platform capability.
The next-generation networking model: NSX value proposition
Network Virtualization is at the core of an SDDC approach.
[Diagram: virtualization layer spanning network, storage, compute; a “network hypervisor” providing virtual networks]
Business value
Security: delivering inherently secure infrastructure, more secure and 1/3 the cost of less secure infrastructure.
Security policies simplified; logical groups enabled; threats contained.
[Diagram: data center perimeter facing the Internet, with a DMZ and secure user environments]
Intelligent grouping
Groups defined by customized criteria: operating system, machine name, application tier, services, security posture, regulatory requirements.
NSX: at the “Goldilocks Zone” of security
Ubiquity, isolation, context
Core services (switching, routing, firewalling) built into the hypervisor kernel; ecosystem of distributed services.
Better security through insight and fine-grained containment.
VMware Partners with CA for Privileged Access Management
CA Technologies Announces CA Privileged Access Manager for VMware NSX
CA Technologies Collaborates with VMware® on Comprehensive Privileged Access Management Solution for VMware NSX
CA Privileged Access Manager: Privileged Identity and Access Management for the Hybrid Enterprise
Form factors: Hardware Appliance, AWS AMI, OVF Virtual Appliance
Identity Integration and Enterprise-Class Core: Vault Credentials, Centralized Authentication, Federated Identity, Privileged Single Sign-on, Role-Based Access Control, Monitor and Enforce Policy, Record Sessions and Metadata, Full Attribution
Control and Audit All Privileged Access through Unified Policy Management across the hybrid enterprise:
Traditional Data Center (Mainframe, Windows, Linux, Unix, Networking) via Enterprise Admin Tools
Software Defined Data Center via SDDC Console and APIs
Public Cloud - IaaS via Cloud Console and APIs
SaaS Applications via SaaS Consoles and APIs
CA Privileged Access Manager: A New Security Layer - Control and Audit All Privileged Access
Use Case 1: Firewall Administration
Addressing a traditional problem with a more secure and agile solution
Problem: You have a requirement that all management ports on production resources be closed when not in use, and you must demonstrate this to an auditor on-demand.
Traditional Solution: The admin opens a ticket with the SOC, who adds a firewall rule that permits the admin to do their work. When the admin is done, he resolves the ticket; the SOC removes the rule, then closes the ticket.
Challenges: Fully manual process with potential for human error. No visibility into what the admin did during the session. An overly broad rule permits bad actors.
CA PAM for VMware NSX – Access Restrictor
DFW rules added and removed on-demand: rules are added when connections are opened and removed when closed.
Removes the human element and potential for error.
Enables a highly-secure “deny all” environment where exceptions are forced through CA PAM and only CA PAM may access protected resources.
Automatic, runtime, ephemeral Distributed Firewall Rules maintained by CA PAM.
[Diagram: Client/User, CA Privileged Access Manager, Target VM, NSX Manager, DFW]
Use Case 2: Policy Synchronization
Different products, different data, and different policy models
Problem: You want to synchronize your security policies across products from different vendors. For example, when your A/V vendor detects a virus, you want the VM placed into quarantine.
Traditional Solution: Hire somebody to keep them in sync, or write custom code to keep them in sync by leveraging different APIs from different vendors.
Challenges: In the manual case, more human error and opportunity for insider threat. In the custom code case, you must hire somebody to write it and keep the code up to date.
CA PAM for VMware NSX – Dynamic Tagging and Grouping
CA PAM policy in lockstep with NSX Security Tags and Groups: NSX Security Tags and Groups are synced with CA PAM and tied to policies.
As VMs enter/leave NSX Security Groups, CA PAM access is provisioned/removed.
Synchronize CA PAM policies with changes in the NSX security posture.
[Diagram: VMware vCenter (VM network) and NSX Manager synced with CA Privileged Access Manager]
Use Case 3: Workflow Automation
Making different products from different vendors talk to each other
Problem: When your security products detect anomalies, you want them to coordinate with other products. For example, when threat intel detects an event, you want it to terminate or begin recording all traffic on affected VMs.
Traditional Solution: Have your SOC monitor logs and SIEM data and take action manually.
Challenges: Seeing a trend? This too relies on a manual step – and if your SOC is distracted, suffering “false positive fatigue,” or malicious, you miss a critical opportunity to break the kill chain.
CA PAM for VMware NSX – Service Composer Integration
Deep integration with Service Composer. As VMs enter or leave NSX Security Groups, CA PAM will:
- Enable or disable session recording
- Terminate sessions
- Force CA PAM session re-authentication
Trigger events in CA PAM via NSX Service Composer workflows.
[Diagram: an NSX partner ecosystem product or an admin applies a tag through VMware vCenter / NSX Manager; CA Privileged Access Manager reacts on the user session with enable/disable session recording, terminate sessions, or Xsuite re-authentication]
Use Case 4: Programmatic/API Access
Controls for your APIs
Problem: You have a plethora of scripts and power users who interact with management tools via well-defined APIs, and you lack any controls over who uses them and visibility into what they do.
Traditional Solution: Attempt to limit API sprawl and hope that the users and scripts that are using these interfaces are trusted and kind.
Challenges: API access is like leaving the back door open – no matter how many controls you have on the front door, if you don’t protect the API you expose a very attractive target. Credentials within scripts are the ultimate target.
CA PAM for VMware NSX – NSX Manager REST API Proxy
The last mile for full NSX Manager administration visibility: users and scripts talk to the Proxy, not to NSX Manager, with different credentials, which may rotate on a policy or schedule.
CA PAM vaults – and rotates – the NSX Manager credentials.
Integrates with Application to Application (A2A).
Closing the “API Loop” to the NSX management plane.
[Diagram: a consumer sends an A-side request/response to the NSX Manager API Proxy (NAP) in CA Privileged Access Manager, which logs A2A requests, carries the Z-side request/response to NSX Manager, and changes the NSX Manager password]
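As an added illustration (not CA PAM's or NSX Manager's code) of the proxy pattern on this slide, the Python below brokers requests from consumers that hold only their own token, substitutes a vaulted backend credential when forwarding, logs every request with attribution, and rotates that credential without touching the consumers; the backend stand-in, tokens, policy table and API paths are constructed for the example.

```python
"""Credential-brokering proxy in front of a management REST API.
Added illustration of the API proxy pattern; not CA PAM or NSX Manager code.
FakeManager, the tokens, the policy table and the paths are constructed here;
consumers never receive the backend's own credential."""
import secrets

class FakeManager:
    """Constructed stand-in for the backend API: one admin password, rotatable."""
    def __init__(self):
        self.password = secrets.token_urlsafe(16)
    def handle(self, method, path, password):
        if password != self.password:
            return 401, "unauthorized"
        return 200, f"{method} {path} ok"
    def change_password(self, old, new):
        if old != self.password:
            raise PermissionError("current password rejected")
        self.password = new

class ApiProxy:
    """Consumers authenticate to the proxy; only the proxy holds the backend secret."""
    def __init__(self, backend):
        self.backend = backend
        self._vault = {"manager-admin": backend.password}  # vaulted, never handed out
        self.tokens = {}   # consumer token -> consumer name
        self.policy = {}   # consumer name -> {(method, path prefix), ...}
        self.log = []      # (consumer, method, path, outcome): full attribution

    def enroll(self, consumer, allowed):
        token = secrets.token_urlsafe(24)  # the consumer's own credential
        self.tokens[token] = consumer
        self.policy[consumer] = set(allowed)
        return token

    def request(self, token, method, path):
        consumer = self.tokens.get(token)
        if consumer is None:
            self.log.append(("?", method, path, "rejected:bad-token"))
            return 401, "unknown consumer"
        if not any(method == m and path.startswith(p) for m, p in self.policy[consumer]):
            self.log.append((consumer, method, path, "rejected:policy"))
            return 403, "not permitted"
        status, body = self.backend.handle(method, path, self._vault["manager-admin"])
        self.log.append((consumer, method, path, f"forwarded:{status}"))
        return status, body

    def rotate(self):  # scheduled rotation; consumers' own tokens keep working
        new = secrets.token_urlsafe(16)
        self.backend.change_password(self._vault["manager-admin"], new)
        self._vault["manager-admin"] = new
```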
CA Privileged Access Manager for VMware NSX: Capability Summary
Credentials Management: vaulting and full lifecycle management of passwords and SSH access keys. Scope: NSX-based resources, NSX Manager and API, other enterprise resources.
Federated SSO: TACACS+, AD/LDAP, RADIUS, RSA, SMS Mobile Token, SAML, PIV/CAC. Scope: VMware vSphere®, NSX APIs, VMware® NSX Manager™, other physical/virtual resources across enterprise.
Access Policy Enforcement: integrated with NSX Manager; Service Composer service insertion; dynamic application of access control policies based on NSX security policies; enforced via NSX micro-segmentation.
Audit Trail & Session Recording: complete logs and full session recording. Scope: all access to NSX resources including NSX Manager and API.
Summary: A Few Words to Review
Conclusions and Recommendations
• Existing security layers have been breached
• Next generation Software Defined Data Center models like VMware NSX are inherently more secure
• Protecting the management plane of the hybrid enterprise is required to break the data breach kill chain
• Security has now become a business enabler versus an operational cost or tax
Recommended Sessions
SESSION #  TITLE                                                               DATE/TIME
SCT19T     Defend Against Data Breaches With CA Privileged Access Management   11/18/2015 at 3:00 pm
SCT07S     Roadmap: Privileged Identity Management                             11/19/15 at 4:30 pm
SCT32T     Privileged Access Management for the Software-Defined Network       11/19/2015 at 11:30 am
Must See Demos
Positive Privileged User Authentication – CA Privileged Access Manager – Security Theater
Fine-Grained Access Control for Servers – CA Privileged Access Manager Server Control – Security Theater
Privileged Access Control – CA Privileged Access Manager – Security Theater
Record and Analyze User Sessions – CA Privileged Access Manager – Security Theater
Follow On Conversations At…
Smart Bar: CA Privileged Access Manager (Theater # location)
Tech Talks: PAM for the Software-Defined Network (SCT32T)
Q & A
For More Information
To learn more, please visit:
http://cainc.to/Nv2VOe
CA World ’15