Securing the Journey to the Private Cloud
Dominique Dessy, RSA, the Security Division of EMC, June 2010

Page 1: Securing the Journey to the Private Cloud - Westconbe.security.westcon.com/documents/38084/RSA_Securing_the_Journey... · enVision, RSA Archer support for ... Securing the Journey

Securing the Journey to the Private Cloud
Dominique Dessy, RSA, the Security Division of EMC, June 2010

Page 2:

Securing the Journey to the Private Cloud – The Journey

[Figure: the journey plotted against % virtualized (15%, 30%, 50%, 85%, 95%). Stages: IT Production, Business Production, IT-as-a-Service. Goals: Lower Costs, Improve Quality of Service, Improve Agility. Service tiers shown: Platinum, Gold.]

Page 3:

Securing the Journey to the Private Cloud – Security: An Afterthought?

Question: Does your IT security address the risks associated with virtualization and private cloud before they are implemented?

• "Yes, in all cases": 24%
• "In some cases, but there are gaps": 43%
• "No, security is brought in after the fact": 22%
• "The business moves ahead without security": 11%

Source: Live EMC Forum poll conducted in 5 cities across N. America, 10/09

Why is this bad? Restricted potential value; increased potential for data breaches.

Page 4:

Voice of the customer

Business Objective (CISO): Manage risk and compliance while virtualizing mission critical apps

Business Objective (CIO): Accelerate/start virtualization of business critical apps to continue optimizing costs

Pain: Security technologies and professionals have not kept up with virtualization. Have to resort to physical isolation, which restricts server consolidation

Pain: High cost and difficulty of responding to compliance audits for virtual environments

Pain: Lack of consistency in physical and virtual security increases cost and complexity of virtualization

Pain: Maintaining separation of duties and managing risk of privileged user abuse despite convergence of infrastructure layers

Pain: Perceived vulnerability of the hypervisor

Pain: Mistakes can be amplified due to rate and ease of change in virtual environments

Pain: Security teams are not growing, required to do more with less and to focus on advanced analysis instead of operational tasks

Opportunity: Leverage virtualization to improve security enforcement and management

Page 5:

Security Considerations for the Journey

People, Processes (roles: network admin, security admin, host admin, virtualization administrator)
• Separation of duties is challenged
• Need to retrain and reorient ops teams
• Opportunity to improve security operations

Technology (virtual host stack: Apps, Guest OS, Virt. FW, Virt. switch, Hypervisor, Hardware)
• Hyperconsolidation of IT infrastructure on top of a new software layer below the OS layer that is a vantage security enforcement point

IT-as-a-Service
• Visibility into external service providers
• Secure multi-tenancy concerns
• 'Trustworthiness'

Page 6:

Better Security with Virtualization

End to end chain of trust and visibility (physical and virtual)

[Figure: VM layer (APP/OS instances) on top of the virtual infrastructure (including hypervisor), on top of storage, compute and network; a trusted zone and a DMZ; unified point of control, unified reporting; efficient, flexible.]

• Integrity monitoring for hardware and hypervisor to ensure a trusted computing environment (e.g., Intel, VMware, RSA PoC)
• Logical security zones that move with virtual machines (e.g., VMware vShield Zones virtual firewall)
• Deep visibility and unified reporting (e.g., RSA enVision, RSA Archer support for VMware)
• Security controls embedded deep within virtual infrastructure (e.g., VMsafe APIs for deep security introspection)

Page 7:

Securing the Journey to the Private Cloud – Stage 1 – Securing Infrastructure

[Figure: the journey chart again (IT Production, Business Production, IT-as-a-Service against % virtualized: 15%, 30%, 50%, 85%, 95%; goals: Lower Costs, Improve Quality of Service, Improve Agility; tiers: Platinum, Gold).]

Visibility into virtualization infrastructure, privileged user monitoring, access mgmt, network security, endpoint security, infrastructure compliance

Page 8:

Stage 1 – Securing Infrastructure: Checklist

Build a solid foundation by extending existing security controls to the new virtualization infrastructure
• Platform hardening (e.g., VMware vSphere hardening guides)
• Strong authentication and role separation for administrators
• Privileged user monitoring and security event reporting
• Change and configuration management

Leverage unique capabilities enabled by virtualization
• Firewall policies associated with logical groups of VMs instead of network addresses
• Antivirus protection at the hypervisor layer instead of in-guest (e.g., using VMware VMsafe APIs)

Page 9:

Vblock Security Guidance

Page 10:

Threat-based approach to Vblock security

Threat: Administrator impersonation, privilege abuse
Countermeasures:
• Use LDAP or Windows AD authentication for all Vblock components
• Use least privilege roles
• Minimize use of root accounts
• Stream all logs to a security incident and event management system such as RSA enVision
• Disable access or require strong authentication such as RSA SecurID for the ESX console

Threat: Network attacks
Countermeasures:
• Enable secure network protocol options only
• Disable optional and insecure network protocols
• Separate management traffic from data path traffic
• Separate VMotion traffic from data path traffic
• Enable recommended VMware, Cisco network security options

Threat: Breach of tenant isolation
Countermeasure:
• Isolate tenants using VLANs, vShield Zones virtual firewall, VSANs, storage LUN masking and zoning

Threat: Component vulnerability
Countermeasure:
• Mature security engineering and vulnerability response practices of VMware, Cisco and EMC

Page 11:

Securing Infrastructure Example: Controlling user access

VMware vSphere (ESX)
– Stakes are higher if privileged user accounts are compromised
– RSA SecurID secures administrative access to ESX and vSphere Management Assistant

VMware View
– Anywhere, anytime, any device access to virtual desktops increases the risk of unauthorized access
– VMware View enforces strong RSA SecurID authentication for remote access to virtual desktops

[Diagram: Authentication Manager]

Page 12:

Securing Infrastructure Example: Privileged user monitoring for VMware

Page 13:

Securing Infrastructure Example: Logical / dynamic vs. perimeter security

[Diagram: Internet and network feeding Zone1, Zone2 and Zone3, each spanning several VMware vSphere hosts.]

Security solutions based on physical network perimeters are ineffective in the private cloud. Security policies must remain effective when VMs move. VMware vShield Zones allows zones to be constructed by grouping arbitrary sets of VMs and protects traffic to and from zones using stateful firewalling.
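An added example (not from the slides and not VMware's or RSA's code) that models the contrast this slide draws: a perimeter firewall that only sits between hosts, so it never sees traffic between two VMs on the same host, versus a zone policy keyed on VM group membership that still applies after a vMotion. VM names, zones, hosts and addresses are constructed.

```python
from dataclasses import dataclass


@dataclass
class VM:
    name: str
    zone: str   # logical zone membership; travels with the VM
    host: str   # vSphere host it currently runs on (changes on vMotion)
    ip: str


@dataclass(frozen=True)
class Rule:
    src_zone: str   # "*" matches any zone
    dst_zone: str
    port: int
    action: str     # "allow" or "deny"


class ZonePolicy:
    """Policy enforced at the virtual layer: first matching rule wins and is
    keyed on zone membership, so VM placement and moves are irrelevant."""
    def __init__(self, rules, default="deny"):
        self.rules, self.default = list(rules), default

    def decide(self, src: VM, dst: VM, port: int) -> str:
        for r in self.rules:
            if r.src_zone in ("*", src.zone) and r.dst_zone in ("*", dst.zone) and r.port == port:
                return r.action
        return self.default


class PerimeterFirewall:
    """Physical choke point between hosts: traffic between two VMs on the same
    host never reaches it, so that traffic passes unfiltered."""
    def __init__(self, allowed):
        self.allowed = set(allowed)   # (src_ip, dst_ip, port) allow list

    def decide(self, src: VM, dst: VM, port: int) -> str:
        if src.host == dst.host:
            return "unfiltered"
        return "allow" if (src.ip, dst.ip, port) in self.allowed else "deny"


def evaluate_scenarios():
    """(perimeter, zone) decisions before and after db-01 is moved onto the
    host where an unrelated Zone2 VM runs; constructed inventory."""
    web = VM("web-01", "Zone1", "esx01", "10.1.1.10")
    guest = VM("guest-07", "Zone2", "esx02", "10.1.2.7")
    db = VM("db-01", "Zone3", "esx03", "10.1.3.20")
    zone = ZonePolicy([Rule("Zone1", "Zone3", 3306, "allow")])
    perim = PerimeterFirewall([("10.1.1.10", "10.1.3.20", 3306)])

    def check():
        return {"web->db": (perim.decide(web, db, 3306), zone.decide(web, db, 3306)),
                "guest->db": (perim.decide(guest, db, 3306), zone.decide(guest, db, 3306))}

    before = check()
    db.host = "esx02"   # vMotion: db-01 now shares a host with guest-07
    return {"before": before, "after": check()}
```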

Page 14:

Securing the Journey to the Private Cloud – Stage 2 – Securing Mission Critical Apps

[Figure: the journey chart again (IT Production, Business Production, IT-as-a-Service against % virtualized: 15%, 30%, 50%, 85%, 95%; goals: Lower Costs, Improve Quality of Service, Improve Agility; tiers: Platinum, Gold).]

Stage 1: Visibility into virtualization infrastructure, privileged user monitoring, access mgmt, network security, endpoint security, infrastructure compliance

Stage 2: Information-centric security, risk-driven policies, IT and security operations alignment, information compliance

Page 15:

Stage 2 – Securing Critical Apps: Checklist

Extend existing application security controls to the virtualized applications
• Ensure that your security vendors support your applications when they are virtualized

Apply information-centric security policies at the virtual layer to protect applications and data without security agents

Use virtual desktop infrastructure to offer access to applications rapidly, flexibly and securely

Page 16:

Securing Critical Apps Example: Content-aware, logical zones

[Diagram: Internet and network feeding Zone1, Zone2 and Zone3 across several VMware vSphere hosts.]

Overview: PoC that leverages the capabilities of vShield Zones to deploy RSA Data Loss Prevention as a virtual application monitoring data traversing virtual networks. Uses centrally managed policies and enforcement controls to prevent data loss in the virtual datacenter.

Security benefits: pervasive protection, persistent protection, improved scalability

Page 17:

Securing Critical Apps Example: Secure Virtual Desktops

[Diagram: clients connecting to VMware infrastructure with VMware View Manager, VMware vCenter and Microsoft Active Directory.]

• Ionix SCM for security configuration and patch management
• RSA SecurID for remote authentication
• RSA SecurID for ESX Service Console and vMA
• RSA DLP for protection of data-in-use
• RSA enVision log management for: VMware vCenter & ESX, VMware View, Ionix SCM, RSA SecurID, RSA Data Loss Prevention, Microsoft Active Directory, Cisco UCS, EMC Storage

Page 18:

Securing the Journey to the Private Cloud – Stage 3 – Establish trust

[Figure: the journey chart again (IT Production, Business Production, IT-as-a-Service against % virtualized: 15%, 30%, 50%, 85%, 95%; goals: Lower Costs, Improve Quality of Service, Improve Agility; tiers: Platinum, Gold).]

Stage 1: Visibility into virtualization infrastructure, privileged user monitoring, access mgmt, network security, endpoint security, infrastructure compliance

Stage 2: Information-centric security, risk-driven policies, IT and security operations alignment, information compliance

Stage 3: Secure multitenancy, verifiable chain of trust

Page 19:

Secure Multitenancy Isolation with Vblock

Preventive controls, by Vblock layer:
• VMware vSphere: ESX/ESXi VM isolation, resource reservation / limits
• VMware vShield Zones: Firewall for traffic into and between tenant networks
• Cisco Nexus 1000v, VMware vSwitch: Dedicated tenant VLANs, anti-spoofing
• Cisco UCS: Dedicated Service Profiles, virtualized n/w adapters
• Cisco MDS: Dedicated tenant VSANs
• EMC Symmetrix, CLARiiON: Dedicated LUNs, LUN masking, port zoning, dedicated NAS file share exports per tenant

Detective controls:
• RSA enVision: Comprehensive and real time security event monitoring and alerting with RSA enVision ensures that any change in isolation configuration is detected
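The detective side of these controls, covering both the page 10 countermeasures (stream all component logs to a SIEM, minimize root use, authenticate against the directory) and the page 19 requirement that any change to isolation configuration is detected, as an added example that is not code from the slides or from RSA enVision: a small rule set run over constructed sample lines. The log layout, host names, user names and action names are constructed and simplified, not the real ESX, vCenter or vShield formats.

```python
import re
from dataclasses import dataclass

# Constructed sample lines in a simplified syslog-like layout (not the real
# ESX, vCenter or vShield formats). Directory accounts carry an "@corp" realm.
SAMPLE_LOGS = [
    "2010-06-01T09:12:03 esx01 sshd: Accepted password for root from 10.1.1.5",
    "2010-06-01T09:13:10 esx01 sshd: Accepted publickey for jdoe@corp from 10.1.1.7",
    "2010-06-01T09:15:41 esx02 sshd: Accepted password for backupsvc from 10.1.1.9",
    "2010-06-01T09:20:44 vcenter01 vpxd: user=jdoe@corp action=ReconfigurePortgroup "
    "portgroup=tenantA-pg vlan=101->102",
    "2010-06-01T09:21:02 vcenter01 vpxd: user=jdoe@corp action=PowerOnVM vm=web-03",
    "2010-06-01T09:25:30 vshield01 vsm: user=admin action=UpdateFirewallRule zone=tenantA rule=allow-any",
]

LOGIN_RE = re.compile(r"^\S+ (\S+) sshd: Accepted \S+ for (\S+) from (\S+)$")
ACTION_RE = re.compile(r"^\S+ (\S+) \S+: user=(\S+) action=(\S+)(.*)$")

# Constructed action names standing for operations that alter tenant isolation
# (VLAN assignment, zone firewall rules, SAN zoning); each one must raise an alert.
ISOLATION_ACTIONS = {"ReconfigurePortgroup", "UpdateFirewallRule", "DeleteZone", "EditVsan"}


@dataclass(frozen=True)
class Alert:
    rule: str
    host: str
    user: str
    detail: str


def detect(lines):
    """Apply the privileged-access and isolation-change rules to log lines."""
    alerts = []
    for line in lines:
        m = LOGIN_RE.match(line)
        if m:
            host, user, src = m.groups()
            if user == "root":                      # root use should be minimized
                alerts.append(Alert("root-login", host, user, f"from {src}"))
            elif "@" not in user:                   # local, non-directory account
                alerts.append(Alert("local-account-login", host, user, f"from {src}"))
            continue
        m = ACTION_RE.match(line)
        if m:
            host, user, action, rest = m.groups()
            if action in ISOLATION_ACTIONS:
                alerts.append(Alert("isolation-change", host, user, action + rest.rstrip()))
            if "@" not in user:                     # isolation changed by a local account
                alerts.append(Alert("local-account-action", host, user, action))
    return alerts
```

Lines that match neither pattern are ignored, so the rules only fire on the two event shapes the constructed format defines.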

Page 20:

Establishing Trust Example:Compliance dashboard for the private cloud

Page 21:

Thank you!