Securing the Journey to the Private Cloud
Dominique Dessy, RSA, the Security Division of EMC
June 2010
Securing the Journey to the Private Cloud: The Journey
Figure: The Journey. Stages: IT Production, Business Production, IT-as-a-Service. Drivers: Lower Costs, Improve Quality of Service, Improve Agility. Axis: % Virtualized (15%, 30%, 50%, 85%, 95%). Tiers: Platinum, Gold.
Securing the Journey to the Private Cloud: Security: An Afterthought?
Question: Does your IT security address the risks associated with virtualization and private cloud before they are implemented?
• “Yes, in all cases”: 24%
• “In some cases, but there are gaps”: 43%
• “No, security is brought in after the fact”: 22%
• “The business moves ahead without security”: 11%
Source: Live EMC Forum poll conducted in 5 cities across N. America, 10/09
Why is this bad?
• Restricted potential value
• Increased potential for data breaches
Voice of the customer
Business Objective (CISO): Manage risk and compliance while virtualizing mission critical apps
Business Objective (CIO): Accelerate/start virtualization of business critical apps to continue optimizing costs
Pain: Security technologies and professionals have not kept up with virtualization. Have to resort to physical isolation, which restricts server consolidation
Pain: High cost and difficulty of responding to compliance audits for virtual environments
Pain: Lack of consistency in physical and virtual security increases cost and complexity of virtualization
Pain: Maintaining separation of duties and managing risk of privileged user abuse despite convergence of infrastructure layers
Pain: Perceived vulnerability of the hypervisor
Pain: Mistakes can be amplified due to rate and ease of change in virtual environments
Pain: Security teams are not growing, required to do more with less and to focus on advanced analysis instead of operational tasks
Opportunity: Leverage virtualization to improve security enforcement and management
Security Considerations for the Journey
People, Processes (Network admin, Security admin, Host admin, Virtualization administrator):
• Separation of duties is challenged
• Need to retrain and reorient ops teams
• Opportunity to improve security operations
Technology (virtual host stack: Apps, Guest OS, Virt. FW, Virt. switch, Hypervisor, Hardware):
• Hyperconsolidation of IT infrastructure on top of a new software layer below the OS layer that is a vantage security enforcement point
IT-as-a-Service:
• Visibility into external service providers
• Secure multi-tenancy concerns
• ‘Trustworthiness’
Better Security with Virtualization
End-to-end chain of trust and visibility (physical and virtual)
Figure: VM layer (APP/OS stacks) on Virtual Infrastructure (including hypervisor) over Storage, Compute and Network; Trusted zone and DMZ.
• Integrity monitoring for hardware and hypervisor to ensure a trusted computing environment (e.g., Intel, VMware, RSA PoC)
• Logical security zones that move with virtual machines (e.g., VMware vShield Zones virtual firewall)
• Deep visibility and unified reporting (e.g., RSA enVision, RSA Archer support for VMware)
• Security controls embedded deep within virtual infrastructure (e.g., VMsafe APIs for deep security introspection)
Unified point of control, unified reporting, efficient, flexible
Securing the Journey to the Private Cloud: Stage 1 – Securing Infrastructure
Stage 1 focus: visibility into virtualization infrastructure, privileged user monitoring, access management, network security, endpoint security, infrastructure compliance
Stage 1 – Securing Infrastructure: Checklist
Build a solid foundation by extending existing security controls to the new virtualization infrastructure:
• Platform hardening (e.g., VMware vSphere hardening guides)
• Strong authentication and role separation for administrators
• Privileged user monitoring and security event reporting
• Change and configuration management
Leverage unique capabilities enabled by virtualization:
• Firewall policies associated with logical groups of VMs instead of network addresses
• Antivirus protection at the hypervisor layer instead of in-guest (e.g., using VMware VMsafe APIs)
Vblock Security Guidance
Threat-based approach to Vblock security
Threat: Administrator impersonation, privilege abuse
Countermeasures:
• Use LDAP or Windows AD authentication for all Vblock components
• Use least privilege roles
• Minimize use of root accounts
• Stream all logs to a security incident and event management system such as RSA enVision
• Disable access or require strong authentication such as RSA SecurID for the ESX console
Threat: Network attacks
Countermeasures:
• Enable secure network protocol options only
• Disable optional and insecure network protocols
• Separate management traffic from data path traffic
• Separate VMotion traffic from data path traffic
• Enable recommended VMware and Cisco network security options
Threat: Breach of tenant isolation
Countermeasures:
• Isolate tenants using VLANs, vShield Zones virtual firewall, VSANs, storage LUN masking and zoning
Threat: Component vulnerability
Countermeasures:
• Mature security engineering and vulnerability response practices of VMware, Cisco and EMC
Securing Infrastructure Example: Controlling user access
VMware vSphere (ESX)
– Stakes are higher if privileged user accounts are compromised
– RSA SecurID secures administrative access to ESX and the vSphere Management Assistant
VMware View
– Anywhere, anytime, any device access to virtual desktops increases the risk of unauthorized access
– VMware View enforces strong RSA SecurID authentication for remote access to virtual desktops
Figure: Authentication Manager
Securing Infrastructure Example: Privileged user monitoring for VMware
Securing Infrastructure Example: Logical / dynamic vs. perimeter security
Figure: Internet, network, and Zone 1 / Zone 2 / Zone 3 spanning several VMware vSphere hosts
Security solutions based on physical network perimeters are ineffective in the private cloud.
Security policies must remain effective when VMs move.
VMware vShield Zones allows zones to be constructed by grouping arbitrary sets of VMs and protects traffic to and from zones using stateful firewalling.
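The point of the Stage 1 checklist item (firewall policies tied to logical groups of VMs, not addresses) and of this slide, shown as an added example that is not code from the presentation or from VMware/RSA: a toy zone firewall whose rules are keyed on zone membership keeps giving the same decision after a VM migrates and is re-addressed, while an address-based ACL written for the original layout stops matching. VM names, zones, hosts, addresses and rules are constructed.

```python
"""Added example, not code from the presentation or from VMware/RSA: a model
of a zone firewall whose rules reference logical VM groups (zones) instead of
network addresses, so decisions survive a VM moving hosts and changing IP.
VM names, zones, addresses and rules are constructed for illustration."""
from dataclasses import dataclass


@dataclass
class VM:
    name: str
    zone: str  # logical zone membership: what the policy is keyed on
    host: str  # current vSphere host; changes on migration
    ip: str    # current address; may also change on migration


class ZoneFirewall:
    """Decides traffic between VMs by zone; default deny.
    rules: list of (src_zone, dst_zone, port, action) tuples."""
    def __init__(self, rules, default="deny"):
        self.rules, self.default, self.vms = rules, default, {}

    def register(self, vm):
        self.vms[vm.name] = vm

    def migrate(self, name, new_host, new_ip):
        # A VM move changes host and address but not zone membership.
        self.vms[name].host, self.vms[name].ip = new_host, new_ip

    def decide(self, src_name, dst_name, port):
        src, dst = self.vms[src_name], self.vms[dst_name]
        for src_zone, dst_zone, rule_port, action in self.rules:
            if (src_zone, dst_zone, rule_port) == (src.zone, dst.zone, port):
                return action
        return self.default


def demo():
    fw = ZoneFirewall([("dmz", "app", 8443, "allow"), ("app", "db", 1433, "allow")])
    fw.register(VM("web01", "dmz", "esx-a", "10.0.1.10"))
    fw.register(VM("app01", "app", "esx-a", "10.0.2.10"))
    fw.register(VM("db01", "db", "esx-b", "10.0.3.10"))
    # Perimeter-style ACL keyed on the addresses of the initial layout.
    ip_acl = {("10.0.1.10", "10.0.2.10", 8443)}
    def ip_allowed(a, b, port):
        return (fw.vms[a].ip, fw.vms[b].ip, port) in ip_acl
    result = {"zone_before": fw.decide("web01", "app01", 8443),
              "ip_before": ip_allowed("web01", "app01", 8443),
              "dmz_to_db": fw.decide("web01", "db01", 1433)}
    fw.migrate("app01", "esx-c", "10.0.9.77")  # app01 moves and is re-addressed
    result["zone_after"] = fw.decide("web01", "app01", 8443)
    result["ip_after"] = ip_allowed("web01", "app01", 8443)
    return result
```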
Securing the Journey to the Private Cloud: Stage 2 – Securing Mission Critical Apps
Stage 2 focus: information-centric security, risk-driven policies, IT and security operations alignment, information compliance
Stage 2 – Securing Critical Apps: Checklist
Extend existing application security controls to the virtualized applications:
• Ensure that your security vendors support your applications when they are virtualized
Apply information-centric security policies at the virtual layer to protect applications and data without security agents
Use virtual desktop infrastructure to offer access to applications rapidly, flexibly and securely
Securing Critical Apps Example: Content-aware, logical zones
Figure: Internet, network, and Zone 1 / Zone 2 / Zone 3 spanning several VMware vSphere hosts
Overview: PoC that leverages the capabilities of vShield Zones to deploy RSA Data Loss Prevention as a virtual application monitoring data traversing virtual networks. Uses centrally managed policies and enforcement controls to prevent data loss in the virtual datacenter.
Security benefits: pervasive protection, persistent protection, improved scalability
Securing Critical Apps Example: Secure Virtual Desktops
Figure: Clients, VMware Infrastructure, VMware View Manager, VMware vCenter, Microsoft Active Directory, with:
• Ionix SCM for security configuration and patch management
• RSA SecurID for remote authentication
• RSA SecurID for ESX Service Console and vMA
• RSA DLP for protection of data-in-use
• RSA enVision log management for VMware vCenter & ESX, VMware View, Ionix SCM, RSA SecurID, RSA Data Loss Prevention, Microsoft Active Directory, Cisco UCS, EMC Storage
Securing the Journey to the Private Cloud: Stage 3 – Establish trust
Stage 3 focus: secure multitenancy, verifiable chain of trust
Secure Multitenancy Isolation with Vblock
Preventive controls:
• VMware vSphere: ESX/ESXi VM isolation, resource reservation / limits
• VMware vShield Zones: firewall for traffic into and between tenant networks
• Cisco Nexus 1000v, VMware vSwitch: dedicated tenant VLANs, anti-spoofing
• Cisco UCS: dedicated Service Profiles, virtualized network adapters
• Cisco MDS: dedicated tenant VSANs
• EMC Symmetrix, CLARiiON: dedicated LUNs, LUN masking, port zoning, dedicated NAS file share exports per tenant
Detective controls:
• RSA enVision: comprehensive and real-time security event monitoring and alerting ensures that any change in isolation configuration is detected
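The detective control on this slide and two countermeasures from the Vblock threat table (minimize root accounts and strong authentication for the ESX console; stream all logs to a SIEM), as an added example that is not code from the presentation or from RSA enVision: a small rule set run over constructed log lines that raises an alert on a direct root login, reports every change to an isolation control (VLAN, zone rule, LUN masking, VSAN), and flags a change made by a user outside the role that owns that control. The log format, hosts, users and role mapping are constructed, not a vendor format.

```python
"""Added example, not code from the presentation or from RSA enVision: detection
logic for the monitoring countermeasures above, flagging root logins, any change
to tenant-isolation configuration, and a separation of duties violation.
Log format, hosts, users and roles are constructed for illustration."""
import shlex

# Constructed sample events (not a real ESX, vCenter or enVision format).
EVENTS = """\
2010-06-15T09:01:12 host=esx01 user=root action=login src=10.0.5.21 channel=console
2010-06-15T09:02:40 host=vcenter user=jdoe action=login src=10.0.5.22 channel=client
2010-06-15T09:03:05 host=vcenter user=jdoe action=config_change object=vlan:app01 detail="20 -> 30"
2010-06-15T09:04:10 host=san01 user=storadm action=config_change object=lun:47 detail="mask add esx03"
2010-06-15T09:05:00 host=vshield user=jdoe action=config_change object=zone_rule:12 detail="allow any any"
2010-06-15T09:06:30 host=vcenter user=jdoe action=config_change object=vm:app01 detail="cpu 2 -> 4"
"""

# Isolation controls from the Vblock guidance and the role allowed to change each (constructed).
ISOLATION_OWNER = {"vlan": "network_admin", "zone_rule": "security_admin",
                   "lun": "storage_admin", "vsan": "storage_admin"}
ROLES = {"jdoe": "virtualization_admin", "storadm": "storage_admin", "netadm": "network_admin"}


def parse(line):
    # 'timestamp key=value ...'; shlex keeps quoted values with spaces intact.
    fields = shlex.split(line)
    event = {"ts": fields[0]}
    for kv in fields[1:]:
        key, _, value = kv.partition("=")
        event[key] = value
    return event


def detect(event):
    """Return the list of alert names raised by one event."""
    alerts = []
    if event.get("action") == "login" and event.get("user") == "root":
        alerts.append("root_login")            # root should be disabled or behind strong auth
    if event.get("action") == "config_change":
        kind = event.get("object", "").split(":", 1)[0]
        if kind in ISOLATION_OWNER:
            alerts.append("isolation_change")  # every isolation change is reported
            if ROLES.get(event.get("user")) != ISOLATION_OWNER[kind]:
                alerts.append("sod_violation")  # change made outside the owning role
    return alerts


def scan(text=EVENTS):
    """Map each alert name to the timestamps of the events that raised it."""
    found = {}
    for line in text.splitlines():
        event = parse(line)
        for name in detect(event):
            found.setdefault(name, []).append(event["ts"])
    return found
```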
Establishing Trust Example:Compliance dashboard for the private cloud
Thank you!