Upload: ca-technologies

Post on 22-Jan-2018

Page 1: Protecting the Software-Defined Data Center from Data Breach

Protecting the Software-Defined Data Center from Data Breach

Mordecai Rosen

Security

CA Technologies

Vice President, Product Management and Strategy

SCT33S

Jeremiah Cornelius

VMware

Security Architect and Partner Product Strategist

Page 2: Protecting the Software-Defined Data Center from Data Breach

2 © 2015 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD

Terms of this Presentation

For Informational Purposes Only

© 2015 CA. All rights reserved. All trademarks referenced herein belong to their respective companies.

The content provided in this CA World 2015 presentation is intended for informational purposes only and does not form any type of warranty. The information provided by a CA partner and/or CA customer has not been reviewed for accuracy by CA.

Page 3: Protecting the Software-Defined Data Center from Data Breach

Session Abstract:

Protecting the Software Defined Data Center from Breach

In this session, we will discuss:

Security Requirements for our next generation software defined data centers

VMware NSX™, VMware’s network virtualization platform, and how it protects the software defined data center

CA Privileged Access Manager for VMware NSX™, and how it protects the management plane of VMware NSX™

Mordecai Rosen

CA Technologies

VP Product Mgmt.

Jeremiah Cornelius

VMware

Security Architect

Page 4: Protecting the Software-Defined Data Center from Data Breach

Existing security layers have been breached

Today’s data centers are protected by strong perimeter defense…

But threats and exploits still infect servers. Low-priority systems are often the target, and SSL is no guarantee of protection.

Attacks spread inside the data center, where internal controls are often weak. Critical systems are targeted.

Possibly after months of reconnaissance, the infiltration relays secret data to the attacker.

Attackers follow a predictable pattern of actions, called a kill chain, in attempting their attacks.

Compromised identities and privileged accounts are at the core of the kill chain.

(Diagram: numbered kill chain stages from the perimeter to the targeted system.)

Page 5: Protecting the Software-Defined Data Center from Data Breach

The Problem: 25 years of perimeter security has failed

Today’s security model focuses on perimeter defense

But continued security breaches show this model is not enough

(Diagram: the Internet and the parties reaching into the data center: service providers, partners, auditors, customers, hackers, employees.)

Page 6: Protecting the Software-Defined Data Center from Data Breach

Repurposing existing tools doesn’t work

A typical data center has: 2 firewalls vs 1000 workloads

Directing all traffic (virtual + physical) through chokepoint firewalls is inefficient

And a physical firewall per workload is cost prohibitive and unmanageable

Page 7: Protecting the Software-Defined Data Center from Data Breach

The Solution: New software defined data center model

Integrating identity, security, & manageability into the fabric

Starting assumption: Assume everything is a threat and act accordingly

Design principles:

1. Identity centric micro-segmentation

2. Secure policy based management plane

Page 8: Protecting the Software-Defined Data Center from Data Breach

How do you move as fast as the business needs you to move while securing an ever-growing and changing environment—without having to start over?

Page 9: Protecting the Software-Defined Data Center from Data Breach

You need a new approach to networking and security that gives you: the agility and speed you need to support the business, while providing an inherently more secure infrastructure

Page 10: Protecting the Software-Defined Data Center from Data Breach

Security is needed everywhere, but we can’t have our controls everywhere

Why can’t we have individual firewalls for every VM?

Physical firewalls: expensive and complex

Virtual firewalls: slow, costly, and complicated

With traditional technology, this is operationally infeasible.

Page 11: Protecting the Software-Defined Data Center from Data Breach

NSX value proposition

Network Virtualization is at the core of an SDDC approach

Network, storage, compute

Virtualization layer

Page 12: Protecting the Software-Defined Data Center from Data Breach

The next-generation networking model

Switching

Routing

Firewalling/ACLs

Load Balancing

Network and security services now in the hypervisor

Page 13: Protecting the Software-Defined Data Center from Data Breach

Switching

Routing

Firewalling/ACLs

Load Balancing

High throughput rates

East-west firewalling

Native platform capability

The next-generation networking model

Page 14: Protecting the Software-Defined Data Center from Data Breach

The next-generation networking model

NSX value proposition

Network Virtualization is at the core of an SDDC approach

Network, storage, compute

Virtualization layer

“Network hypervisor”

Virtual networks

Page 15: Protecting the Software-Defined Data Center from Data Breach

Business value

More secure and 1/3 the cost of less secure infrastructure

Security: Delivering inherently secure infrastructure

Data Center Perimeter

Internet

DMZ

Secure User Environments

Security policies simplified

Logical groups enabled

Threats contained

Page 16: Protecting the Software-Defined Data Center from Data Breach

Intelligent grouping

Groups defined by customized criteria: Operating System, Machine Name, Application Tier, Services, Security Posture, Regulatory Requirements

Page 17: Protecting the Software-Defined Data Center from Data Breach

NSX: at the “Goldilocks Zone” of security

Ubiquity, Isolation, Context

Ecosystem of Distributed Services

Core Services Built Into Hypervisor Kernel: Switching, Routing, Firewalling

Better security through insight and fine-grained containment

Page 18: Protecting the Software-Defined Data Center from Data Breach

VMware Partners with CA for Privileged Access Management

Page 19: Protecting the Software-Defined Data Center from Data Breach

CA Technologies Announce CA Privileged Access Manager for VMware NSX

CA Technologies Collaborates with VMware® on Comprehensive Privileged Access Management Solution for VMware NSX

Page 20: Protecting the Software-Defined Data Center from Data Breach

CA Privileged Access Manager

Privileged Identity and Access Management for the Hybrid Enterprise

Form factors: Hardware Appliance, AWS AMI, OVF Virtual Appliance

Identity Integration: Vault Credentials, Centralized Authentication, Federated Identity, Privileged Single Sign-on

Enterprise-Class Core: Role-Based Access Control, Monitor and Enforce Policy, Record Sessions and Metadata, Full Attribution

Control and Audit All Privileged Access

Unified Policy Management across the hybrid enterprise:

Traditional Data Center (Mainframe, Windows, Linux, Unix, Networking) reached through Enterprise Admin Tools

Software Defined Data Center reached through the SDDC Console and APIs

Public Cloud - IaaS reached through the Cloud Console and APIs

SaaS Applications reached through SaaS Consoles and APIs

Page 21: Protecting the Software-Defined Data Center from Data Breach

CA Privileged Access Manager

Privileged Identity and Access Management for the Hybrid Enterprise

A New Security Layer - Control and Audit All Privileged Access

Page 22: Protecting the Software-Defined Data Center from Data Breach

Use Case 1: Firewall Administration

Addressing a traditional problem with a more secure and agile solution

Problem

You have a requirement that all management ports on production resources be closed when not in use, and you must demonstrate this to an auditor on-demand.

Traditional Solution

The admin opens a ticket with the SOC, who adds a firewall rule which permits the admin to do their work.

When the admin is done, he resolves the ticket; the SOC removes the rule, then closes the ticket.

Challenges

Fully manual process with potential for human error.

No visibility into what the admin did during the session.

An overly broad rule permits bad actors.

Page 23: Protecting the Software-Defined Data Center from Data Breach

CA PAM for VMware NSX – Access Restrictor

Automatic, runtime, ephemeral Distributed Firewall Rules maintained by CA PAM

DFW Rules added and removed on-demand: rules are added when connections are opened and removed when they are closed

Removes the human element and potential for error

Enables a highly-secure “deny all” environment where exceptions are forced through CA PAM and only CA PAM may access protected resources

(Diagram: Client / User, Target VM, NSX Manager, DFW, CA Privileged Access Manager)
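The ephemeral-rule idea on this slide is easy to get subtly wrong: the allow rule must name the broker as the only permitted source, and it must disappear when the session ends for any reason, including a dropped connection. The following is an added example written for this page, not CA's or VMware's code; the in-memory DistributedFirewall, the Rule format, the broker address and the VM addresses are all constructed stand-ins for the NSX DFW and its API.

```python
"""Session-scoped allow rules on a deny-all distributed firewall (constructed model)."""
from contextlib import contextmanager
from dataclasses import dataclass, field
from typing import List, Tuple

PAM_GATEWAY = "10.0.0.10"   # constructed address of the access broker


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    port: int
    action: str  # "allow" or "deny"


@dataclass
class DistributedFirewall:
    """In-memory stand-in for a per-VM distributed firewall (not the NSX API)."""
    rules: List[Rule] = field(default_factory=list)
    audit: List[str] = field(default_factory=list)

    def add_rule(self, rule: Rule) -> None:
        self.rules.append(rule)
        self.audit.append(f"ADD {rule}")

    def remove_rule(self, rule: Rule) -> None:
        self.rules.remove(rule)
        self.audit.append(f"DEL {rule}")

    def allows(self, src: str, dst: str, port: int) -> bool:
        # First matching rule wins; an implicit deny-all sits below every rule.
        for r in self.rules:
            if r.dst == dst and r.port == port and r.src in (src, "any"):
                return r.action == "allow"
        return False


@contextmanager
def brokered_session(fw: DistributedFirewall, user: str, target_vm: str, port: int):
    """Open a management session through the broker.

    The allow rule names the broker as the only permitted source, so the target
    stays unreachable from anywhere else, and try/finally guarantees the rule is
    withdrawn when the session ends, whether normally or by exception.
    """
    rule = Rule(src=PAM_GATEWAY, dst=target_vm, port=port, action="allow")
    fw.add_rule(rule)
    fw.audit.append(f"SESSION OPEN user={user} target={target_vm}:{port}")
    try:
        yield rule
    finally:
        fw.remove_rule(rule)
        fw.audit.append(f"SESSION CLOSE user={user} target={target_vm}:{port}")


def demo() -> Tuple[bool, bool, bool, bool]:
    """Returns (reachable_before, reachable_during, reachable_from_elsewhere, reachable_after)."""
    fw = DistributedFirewall()
    target = "10.0.1.25"   # constructed production VM address
    before = fw.allows(PAM_GATEWAY, target, 22)
    with brokered_session(fw, "alice", target, 22):
        during = fw.allows(PAM_GATEWAY, target, 22)
        elsewhere = fw.allows("10.0.9.9", target, 22)  # some other host on the LAN
    after = fw.allows(PAM_GATEWAY, target, 22)
    return before, during, elsewhere, after


def demo_aborted_session() -> bool:
    """Even when the session raises mid-way, no rule is left behind."""
    fw = DistributedFirewall()
    target = "10.0.1.25"
    try:
        with brokered_session(fw, "bob", target, 3389):
            raise ConnectionError("client disconnected mid-session")
    except ConnectionError:
        pass
    return fw.rules == [] and fw.allows(PAM_GATEWAY, target, 3389) is False


if __name__ == "__main__":
    print(demo())                   # (False, True, False, False)
    print(demo_aborted_session())   # True
```

The audit list doubles as the evidence an auditor asks for on the slide's "Problem": every open and close of a management port is recorded alongside the rule that was added and removed, and the port is closed whenever no session is open.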

Page 24: Protecting the Software-Defined Data Center from Data Breach

Use Case 2: Policy Synchronization

Different products, different data, and different policy models

Problem

You want to synchronize your security policies across products from different vendors.

For example, when your A/V vendor detects a virus, you want the VM placed into a quarantine.

Traditional Solution

Hire somebody to keep them in sync, or write custom code to keep them in sync by leveraging different APIs from different vendors.

Challenges

In the manual case, more human error and opportunity for insider threat.

In the custom code case you must hire somebody to write it and keep the code up to date.

Page 25: Protecting the Software-Defined Data Center from Data Breach

CA PAM for VMware NSX – Dynamic Tagging and Grouping

CA PAM Policy in lockstep with NSX Security Tags and Groups: NSX Security Tags and Groups are synced with CA PAM and tied to Policies

As VMs enter/leave NSX Security Groups, CA PAM Access is provisioned/removed

Synchronize CA PAM policies with changes in the NSX security posture

(Diagram: VMware vCenter, VM Network, NSX Manager, Sync, CA Privileged Access Manager)

Page 26: Protecting the Software-Defined Data Center from Data Breach

Use Case 3: Workflow Automation

Making different products from different vendors talk to each other

Problem

When your security products detect anomalies, you want them to coordinate with other products.

For example, when threat intel detects an event, you want it to terminate or begin recording all traffic on affected VMs.

Traditional Solution

Have your SOC monitor logs and SIEM data and take action manually.

Challenges

Seeing a trend? This too relies on a manual step – and if your SOC is distracted, suffering “false positive fatigue,” or malicious, you miss a critical opportunity to break the kill chain.

Page 27: Protecting the Software-Defined Data Center from Data Breach

CA PAM for VMware NSX – Service Composer Integration

Trigger events in CA PAM via NSX Service Composer workflows

Deep integration with Service Composer: as VMs enter or leave NSX Security Groups, CA PAM will:

- Enable or disable session recording
- Terminate sessions
- Force CA PAM session re-authentication

(Diagram: an Admin or an NSX Partner Ecosystem Product applies a tag; NSX Manager and VMware vCenter propagate it; CA Privileged Access Manager enables/disables session recording, terminates sessions, or forces Xsuite re-authentication of the user’s session.)
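The "Dynamic Tagging and Grouping" and "Service Composer Integration" slides describe the same mechanism from two sides: a change in NSX security group membership drives both access provisioning and session actions. The following added example, written for this page and not CA's or VMware's code, diffs two membership snapshots and applies the resulting actions to a constructed PamBroker; the group names, the group-to-policy table, the quarantine group and the session ids are all assumptions made for the example.

```python
"""Deriving PAM access changes and session actions from security-group membership diffs."""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed mapping: NSX security group -> PAM access policy it entitles.
GROUP_TO_POLICY: Dict[str, str] = {
    "sg-web-tier": "policy-web-admins",
    "sg-db-tier": "policy-dba",
}
# Constructed: the group an A/V or threat-intel product moves a VM into.
QUARANTINE_GROUP = "sg-quarantine"


@dataclass
class PamBroker:
    """Stand-in for the access broker's policy and session state (not the CA PAM API)."""
    grants: Dict[str, Set[str]] = field(default_factory=dict)     # vm -> policies
    sessions: Dict[str, List[str]] = field(default_factory=dict)  # vm -> live session ids
    recording: Set[str] = field(default_factory=set)              # vms being recorded
    log: List[str] = field(default_factory=list)

    def grant(self, vm: str, policy: str) -> None:
        self.grants.setdefault(vm, set()).add(policy)
        self.log.append(f"GRANT {policy} -> {vm}")

    def revoke(self, vm: str, policy: str) -> None:
        self.grants.get(vm, set()).discard(policy)
        self.log.append(f"REVOKE {policy} -> {vm}")

    def quarantine(self, vm: str) -> None:
        # Break the chain: drop live sessions, record anything new, force re-auth.
        for sid in self.sessions.pop(vm, []):
            self.log.append(f"TERMINATE session {sid} on {vm}")
        self.recording.add(vm)
        self.log.append(f"RECORD-ON {vm}")
        self.log.append(f"REAUTH-REQUIRED {vm}")

    def release(self, vm: str) -> None:
        self.recording.discard(vm)
        self.log.append(f"RECORD-OFF {vm}")


def sync(broker: PamBroker, before: Dict[str, Set[str]], after: Dict[str, Set[str]]) -> List[str]:
    """Diff two group->members snapshots and apply the resulting PAM actions.

    Returns only the log lines produced by this sync call.
    """
    start = len(broker.log)
    for group in sorted(set(before) | set(after)):
        joined = after.get(group, set()) - before.get(group, set())
        left = before.get(group, set()) - after.get(group, set())
        policy = GROUP_TO_POLICY.get(group)
        for vm in sorted(joined):
            if policy:
                broker.grant(vm, policy)
            if group == QUARANTINE_GROUP:
                broker.quarantine(vm)
        for vm in sorted(left):
            if policy:
                broker.revoke(vm, policy)
            if group == QUARANTINE_GROUP:
                broker.release(vm)
    return broker.log[start:]


def demo() -> PamBroker:
    """Two constructed snapshots: normal tiers, then vm-web-01 tagged into quarantine."""
    broker = PamBroker(sessions={"vm-web-01": ["s-100", "s-101"]})
    snapshot_1 = {"sg-web-tier": {"vm-web-01", "vm-web-02"}, "sg-db-tier": {"vm-db-01"}}
    # The A/V vendor tags vm-web-01; NSX moves it out of the web tier and into quarantine.
    snapshot_2 = {"sg-web-tier": {"vm-web-02"}, "sg-db-tier": {"vm-db-01"},
                  "sg-quarantine": {"vm-web-01"}}
    sync(broker, {}, snapshot_1)          # initial provisioning
    sync(broker, snapshot_1, snapshot_2)  # reaction to the posture change
    return broker


if __name__ == "__main__":
    for line in demo().log:
        print(line)
```

Because the broker only ever reacts to a membership diff, the same code path serves a scheduled reconciliation (compare the last known snapshot with a fresh one) and an event-driven trigger from a Service Composer workflow (compare before and after a single tag change), which is what removes the manual SOC step the previous slide warns about.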

Page 28: Protecting the Software-Defined Data Center from Data Breach

Use Case 4: Programmatic/API Access

Controls for your APIs

Problem

You have a plethora of scripts and power users who interact with management tools via well-defined APIs, and you lack any controls over who uses them and any visibility into what they do.

Traditional Solution

Attempt to limit API sprawl and hope that the users and scripts that are using these interfaces are trusted and kind.

Challenges

API access is like leaving the back door open – no matter how many controls you have on the front door, if you don’t protect the API you expose a very attractive target.

Credentials within scripts are the ultimate target.

Page 29: Protecting the Software-Defined Data Center from Data Breach

CA PAM for VMware NSX – NSX Manager REST API Proxy

Closing the “API Loop” to the NSX management plane

The last mile for full NSX Manager administration visibility: users and scripts talk to the Proxy, not to NSX Manager, with different credentials, which may rotate on a policy or schedule

CA PAM vaults – and rotates – the NSX Manager credentials

Integrates with Application to Application (A2A)

(Diagram: the Consumer’s A-side request/response goes to the NSX Manager API Proxy (NAP) inside CA Privileged Access Manager, which logs A2A requests, changes the NSX Manager password, and relays the Z-side request/response to NSX Manager.)
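The proxy on this slide matters because of the previous slide's point that credentials inside scripts are the ultimate target: the script never holds the management credential, only a per-consumer token the proxy can scope and revoke. The following added example, written for this page and not CA's or VMware's code, models that A-side/Z-side split with a constructed FakeNsxManager that checks HTTP Basic auth; the API paths, the consumer policy, the rotation-after-N-uses trigger and the ApiProxy class are assumptions made for the example (a real deployment would rotate on policy or schedule as the slide says).

```python
"""Credential-substituting API proxy with vaulted, rotating backend password (constructed model)."""
import base64
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


def basic_auth(user: str, password: str) -> str:
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


@dataclass
class FakeNsxManager:
    """Stand-in for the management API: one admin account, HTTP Basic auth (not the NSX API)."""
    password: str
    calls: List[Tuple[str, str]] = field(default_factory=list)

    def request(self, method: str, path: str, authorization: str) -> int:
        if authorization != basic_auth("admin", self.password):
            return 401
        self.calls.append((method, path))
        return 200

    def change_password(self, old: str, new: str) -> bool:
        if old != self.password:
            return False
        self.password = new
        return True


@dataclass
class ApiProxy:
    """Z-side holder of the vaulted credential; A-side consumers only ever see their own token."""
    backend: FakeNsxManager
    vaulted_password: str
    consumers: Dict[str, Tuple[str, List[Tuple[str, str]]]] = field(default_factory=dict)
    audit: List[str] = field(default_factory=list)
    uses_since_rotation: int = 0
    rotate_every: int = 3   # constructed trigger; a schedule or policy works the same way

    def enroll(self, name: str, allowed: List[Tuple[str, str]]) -> str:
        """Issue a consumer token scoped to (method, path-prefix) pairs."""
        token = secrets.token_urlsafe(16)
        self.consumers[token] = (name, allowed)
        return token

    def handle(self, token: str, method: str, path: str) -> int:
        entry = self.consumers.get(token)
        if entry is None:
            self.audit.append(f"DENY unknown-token {method} {path}")
            return 401
        name, allowed = entry
        if not any(method == m and path.startswith(p) for m, p in allowed):
            self.audit.append(f"DENY {name} {method} {path}")
            return 403
        # Substitute the vaulted credential only after the policy check passes.
        status = self.backend.request(method, path, basic_auth("admin", self.vaulted_password))
        self.audit.append(f"ALLOW {name} {method} {path} -> {status}")
        self.uses_since_rotation += 1
        if self.uses_since_rotation >= self.rotate_every:
            self.rotate()
        return status

    def rotate(self) -> None:
        new = secrets.token_urlsafe(24)
        if self.backend.change_password(self.vaulted_password, new):
            self.vaulted_password = new
            self.uses_since_rotation = 0
            self.audit.append("ROTATE nsx-manager credential")


def demo() -> Dict[str, object]:
    backend = FakeNsxManager(password="initial-secret")           # constructed
    proxy = ApiProxy(backend=backend, vaulted_password="initial-secret")
    reader = proxy.enroll("inventory-script", [("GET", "/api/firewall/")])  # constructed path
    results: Dict[str, object] = {
        "read_ok": proxy.handle(reader, "GET", "/api/firewall/config"),
        "write_denied": proxy.handle(reader, "PUT", "/api/firewall/config"),
        "bad_token": proxy.handle("unenrolled-token", "GET", "/api/firewall/config"),
    }
    # Two more allowed reads push the proxy past its rotation threshold...
    proxy.handle(reader, "GET", "/api/firewall/config")
    proxy.handle(reader, "GET", "/api/firewall/config")
    # ...after which a copy of the original password found in an old script no longer works,
    # while enrolled consumers are unaffected because they never used it.
    results["stale_credential"] = backend.request("GET", "/api/firewall/config",
                                                  basic_auth("admin", "initial-secret"))
    results["proxy_still_works"] = proxy.handle(reader, "GET", "/api/firewall/config")
    results["audit"] = list(proxy.audit)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The audit list is the "full NSX Manager administration visibility" the slide promises: every call is attributed to a named consumer, denied calls are recorded with the reason, and rotations appear in the same trail, so a credential copied out of a script has a bounded lifetime and its use is visible.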

Page 30: Protecting the Software-Defined Data Center from Data Breach

CA Privileged Access Manager for VMware NSX

Capability Summary

Credentials Management: Vaulting and full lifecycle management of passwords and SSH access keys. Scope: NSX-based resources, NSX Manager and API, other enterprise resources.

Federated SSO: TACACS+, AD/LDAP, RADIUS, RSA, SMS Mobile Token, SAML, PIV/CAC. Scope: VMware vSphere®, NSX APIs, VMware® NSX Manager™, other physical/virtual resources across enterprise.

Access Policy Enforcement: Integrated with NSX Manager; Service Composer service insertion. Dynamic application of access control policies based on NSX security policies. Enforced via NSX micro-segmentation.

Audit Trail & Session Recording: Complete logs and full session recording. Scope: All access to NSX resources including NSX Manager and API.

Page 31: Protecting the Software-Defined Data Center from Data Breach

Customer Testimonial

Page 32: Protecting the Software-Defined Data Center from Data Breach

Page 33: Protecting the Software-Defined Data Center from Data Breach

Summary

A Few Words to Review

Conclusions and Recommendations

• Existing security layers have been breached

• Next generation Software Defined Data Center models like VMware NSX are inherently more secure

• Protecting the management plane of the hybrid enterprise is required to break the data breach kill chain

• Security has now become a business enabler versus an operational cost or tax

Page 34: Protecting the Software-Defined Data Center from Data Breach

Recommended Sessions

SESSION # | TITLE | DATE/TIME

SCT19T | Defend Against Data Breaches With CA Privileged Access Management | 11/18/2015 at 3:00 pm

SCT07S | Roadmap: Privileged Identity Management | 11/19/15 at 4:30 pm

SCT32T | Privileged Access Management for the Software-Defined Network | 11/19/2015 at 11:30 am

Page 35: Protecting the Software-Defined Data Center from Data Breach

Must See Demos

DEMO | PRODUCT | LOCATION

Positive Privileged User Authentication | CA Privileged Access Manager | Security Theater

Fine-Grained Access Control for Servers | CA Privileged Access Manager Server Control | Security Theater

Privileged Access Control | CA Privileged Access Manager | Security Theater

Record and Analyze User Sessions | CA Privileged Access Manager | Security Theater

Page 36: Protecting the Software-Defined Data Center from Data Breach

Follow On Conversations At…

Smart Bar: CA Privileged Access Manager, Theater # location

Tech Talks: PAM for the Software-Defined Network (SCT32T)

Page 37: Protecting the Software-Defined Data Center from Data Breach

Q & A

Page 38: Protecting the Software-Defined Data Center from Data Breach

For More Information

To learn more, please visit:

http://cainc.to/Nv2VOe

CA World ’15