Trend Micro End to End Security Protection by Steve Quane

Post on 09-Apr-2018

  • 8/8/2019 Trend Micro End to End Security Protection by Steve Quane

    1/30

    Copyright 2010 EMC Corporation. All rights reserved.

    End to End Protection for Virtualised & Cloud Environments

    2/30

    Copyright 2009 Trend Micro Inc.

    Why virtualization matters

    Speed and Business Impact

    Expertise and Performance

    Massive Cost Reduction

    3/30

    Typical Customer Virtualization Evolution

    15% 30% 70% 85%

    Stage 1: Consolidation
    DC Consolidation
    - Non-mission critical base applications
    - Standardized hypervisor
    - Simple VM Management

    Stage 2: Expansion & Desktop
    Mission critical applications & Endpoint Control
    - Performance becomes critical
    - API and advanced management use
    - VDI sampling
    - Enhanced Compliance controls
    Servers, Desktops

    Stage 3: Private > Public Cloud
    Public and private cloud
    - Multi-hypervisor
    - Virtualized storage
    - Multi-tenancy
    - Workload Management
    - Dedicate or Burst to public

    GET TECHIE

    4/30

    By far, the number one concern about cloud services is security. -- Frank Gens, IDC, Senior VP & Chief Analyst

    5/30

    Phase 1 Security Challenge

    Perimeter-only (Outside-in) approach together with rapid virtualization have created less secure application environments

    Through 2012, 60% of virtualized servers will be less secure than the physical servers they replace.

    Addressing the Most Common Security Risks in Data Center Virtualization Projects, Gartner, 25 January 2010

    6/30

    Phase I: The virtual datacenter is very dynamic!

    [Diagram labels: Hypervisor; Inter-VM attacks; PCI; Mobility; Cloud Computing]

    New Challenges Require a New Security Architecture

    7/30

    Virtual Machines Need Specialized Protection

    Same threats in virtualized servers as physical.

    New challenges:
    1. Instant-on/Dormant VMs
    2. Resource contention
    3. VM Sprawl
    4. Inter-VM traffic
    5. vMotion

    8/30

    Virtualization Security Foundation
    Secure the workload

    [Diagram labels: App1, OS1, VM1; App3, OS3, VM3; Hypervisor]

    VM & Network Security Integration

    Self-secured workload
    App FW, IPS, AV

    9/30

    Customers' most common Phase I concern: Instant-on or unmanaged VMs & Patching

    - Determines missing patches and existing vulnerabilities
      - Operating System
      - Common desktop applications
    - Recommends set of lightweight, fast-to-deploy filters
      - Virtually patches the vulnerabilities
      - Zero-Day protection
    - Reports on attempts to exploit vulnerabilities
    - Removes filters as soon as the patch is deployed

    Virtual patch endpoints until patch is ready
    Without exposing them to exploits

    10/30

    Deep Security
    Inside-out Protection Model for Physical, Virtual and Cloud Computing

    [Diagram labels: De-Militarized Zone (DMZ); Mission Critical Servers; Business Servers; Firewall; IPS; NIPS]

    - Firewall
    - File Integrity Monitoring
    - Log Inspection
    - IDS / IPS

    Trend Micro Deep Security Provides A Secure Container for Applications and Data

    11/30

    Typical Customer Virtualization Evolution

    15% 30% 70% 85%

    Stage 1: Consolidation
    DC Consolidation
    - Non-mission critical base applications
    - Standardized hypervisor
    - Simple VM Management

    Stage 2: Expansion & Desktop
    Mission critical applications & Endpoint Control
    - Performance becomes critical
    - API and advanced management use
    - VDI sampling
    - Enhanced Compliance controls
    Servers, Desktops

    Stage 3: Private > Public Cloud
    Hybrid and selected public cloud
    - Multi-hypervisor
    - Virtualized storage
    - Workload Management
    - Burst to public

    GET TECHIE

    12/30

    Phase 2: Security Challenge

    Virtually unaware traditional security architectures eliminate the benefits of VDI and virtualized mission-critical applications

    13/30

    Phase II Server Performance

    [Diagram labels: three App/OS guest VMs; ESX Server; VMsafe APIs; Security VM (Firewall, IDS / IPS, Anti-Virus, Integrity Monitoring)]

    - Protect the VM by inspection of virtual components
    - Unprecedented security for the app & data inside the VM
    - Complete integration with, and awareness of, vMotion, Storage VMotion, HA, etc.

    14/30

    Phase II: Securing virtual desktops (VDI)

    Malware risk potential: Identical to physical desktops
    - Same operating systems
    - Same software
    - Same vulnerabilities
    - Same user activities

    => Same risk of exposing corporate and sensitive data

    New challenges, unique to VDI:
    - Identify endpoints' virtualization status
    - Manage resource contention
      - CPU
      - Storage IOPs
      - Network

    15/30

    Phase II: Cloud-client architecture

    [Diagram labels: FILE REPUTATION; WEB REPUTATION; EMAIL REPUTATION; Threat Collection; Partners; ISPs, Routers, Etc.; Endpoint; Gateway; SaaS/Managed; Cloud; Management; Off Network; Messaging; Threats]

    16/30

    Phase II: Light and Lean Architecture
    Smart Protection Network

    CLOUD-CLIENT ARCHITECTURE
    - Speeds protection
      - In-the-cloud technologies are constantly updated
    - Frees resources
      - Offloads growing patterns to the cloud

    GLOBAL THREAT INTELLIGENCE
    - Correlated
      - Integrates web, email, and file reputation databases
    - Instant feedback
      - Immediately updates using global feedback loops

    [Diagram labels: WEB; FILE; EMAIL]

    17/30

    Phase II: IT Environment Changes
    Challenge: Resource Contention with VDI

    The 9-AM problem
    - Multiple users log in and download updates at the same time

    AV-Storms, Scheduled scans
    - Adds significant load to the endpoint
    - Multiplied by number of VMs

    Cumulative system load

    Existing Endpoint Security Induces Resource Contention and Limits Desktop Virtualization Benefits

    18/30

    Phase II Security has to have VDI-Intelligence

    Detects whether endpoints are physical or virtual
    - With VMware View
    - With Citrix XenDesktop

    Serialize updates and scans per VDI-host
    - Controls the number of concurrent scans and updates per VDI host
    - Maintains availability and performance of the VDI host
    - Faster than concurrent approach

    Leverages Base-Images to further shorten scan times
    - Pre-scans and white-lists VDI base-images
    - Prevents duplicate scanning of unchanged files on a VDI host
    - Further reduces impact on the VDI host

    Can be done agentlessly as well
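
An added sketch of the two ideas on this slide (not code from the deck, Trend Micro or OfficeScan): a base image is hashed once to build a white-list, and the remaining scan work is grouped into per-host waves with a concurrency cap. All function names, paths, host names and the choice of SHA-256 are assumptions; the sample data is constructed.

```python
import hashlib
from collections import defaultdict

def digest(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()

def prescan_base_image(base_files: dict) -> set:
    """Hash each file of a base image that was scanned once and found clean."""
    return {digest(c) for c in base_files.values()}

def files_to_scan(vm_files: dict, whitelist: set) -> list:
    """Paths whose content differs from the white-listed base image."""
    return sorted(p for p, c in vm_files.items() if digest(c) not in whitelist)

def plan_scans(vms: dict, host_of: dict, whitelist: set, max_per_host: int = 1) -> dict:
    """Group pending scans into per-host waves of at most max_per_host VMs."""
    if max_per_host < 1:
        raise ValueError("max_per_host must be >= 1")
    pending = defaultdict(list)
    for vm in sorted(vms):
        paths = files_to_scan(vms[vm], whitelist)
        if paths:  # a VM identical to the base image needs no scan slot
            pending[host_of[vm]].append((vm, paths))
    return {host: [jobs[i:i + max_per_host] for i in range(0, len(jobs), max_per_host)]
            for host, jobs in pending.items()}

# Constructed sample data: one base image, four desktops on two VDI hosts.
BASE = {"C:/Windows/system32/kernel32.dll": b"kernel32-v1",
        "C:/Program Files/Office/winword.exe": b"winword-v1"}
VMS = {
    "vdi-01": {**BASE, "C:/Users/a/report.docx": b"quarterly numbers"},
    "vdi-02": dict(BASE),  # untouched clone of the base image
    "vdi-03": {**BASE, "C:/Windows/system32/kernel32.dll": b"kernel32-MODIFIED"},
    "vdi-04": {**BASE, "C:/Users/d/setup.exe": b"downloaded installer"},
}
HOST_OF = {"vdi-01": "host-a", "vdi-02": "host-a", "vdi-03": "host-a", "vdi-04": "host-b"}

if __name__ == "__main__":
    plan = plan_scans(VMS, HOST_OF, prescan_base_image(BASE), max_per_host=1)
    for host, waves in sorted(plan.items()):
        for n, wave in enumerate(waves, 1):
            print(host, "wave", n, wave)
```

The white-list is keyed on file content rather than path, so the altered system file on vdi-03 is still scanned even though its path exists in the base image.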

    19/30

    OfficeScan 10.5 has VDI-intelligence

    With OfficeScan 10.5, you can run more than double the number of desktop images per host without sacrificing security

    Investment in OfficeScan's VDI plug-in pays for itself:
    - In less than 3 months with 1000 users*
    - In less than 2 months with 2500 users*

    *: assuming average cost of $8000 per VDI server and the deployment of standard endpoint secur

    You no longer have to choose between Security and Return On Investment

    20/30

    Summary of Phase II Solutions

    Light and lean agents when deep visibility is required
    - Using cloud-client architecture

    Agent-less option for application & server performance
    - Using virtualization APIs

    Architecture optimizes performance across entire infrastructure
    - Processes are virtually-aware across CPU, network, and storage

    Trend Micro Confidential 11/26/2010

    21/30

    Typical Customer Virtualization Evolution

    15% 30% 70% 85%

    Stage 1: Consolidation
    DC Consolidation
    - Non-mission critical base applications
    - Standardized hypervisor
    - Simple VM Management

    Stage 2: Expansion & Desktop
    Mission critical applications & Endpoint Control
    - Performance becomes critical
    - API and advanced management use
    - VDI sampling
    - Enhanced Compliance controls
    Servers, Desktops

    Stage 3: Private > Public Cloud
    Hybrid and selected public cloud
    - Multi-hypervisor
    - Virtualized storage
    - Workload Management
    - Burst to public

    GET TECHIE

    22/30

    Phase III: Virtualized Storage and Multi-tenancy Creates Data Protection Nightmares

    [Diagram labels: Perimeter; Datacenter; Public and Private Cloud]

    Strong perimeter security
    - No shared CPU
    - No shared network
    - No shared storage

    Weak perimeter security
    - Shared CPU
    - Shared network
    - Shared storage

    Traditional outside-in approach is inadequate in an inside-out cloud world full of strangers

    [Diagram labels: Company 1, 2, 3, 4, 5 ... n; App 1, 2, 3, 4, 5 ... n; Hypervisor]

    23/30

    The Public Cloud: Who Has Control? How Secure is the Data?

    [Diagram labels: Servers; Virtualization & Private Cloud; Public Cloud IaaS; Public Cloud PaaS; Public Cloud SaaS; End-User (Enterprise); Service Provider]

    [Diagram labels: Company 1, 2, 3, 4, 5 ... n; App 1, 2, 3, 4, 5 ... n; Hypervisor; Company; Data]

    - Shared CPU
    - Shared network
    - Shared storage

    24/30

    Phase 3: Security Challenge

    How do I protect data in a virtualized and multi-tenant storage environment (private, hybrid, or public cloud)?

    25/30

    SecureCloud: Enterprise Controlled Data Protection for the Cloud

    Patent pending Trend Micro technology enables enterprises to retain control of data in the cloud

    26/30

    All Phases: Architecture Security Challenge

    How do I bring it all together in a manageable way across virtualized, private and public cloud environments?

    27/30

    A New Security Architecture For A New Era
    All environments should be considered un-trusted

    - Users access app
    - Image ensures data is always encrypted and managed
    - Host defends itself from attack
    - Encrypted Data
    - Encryption keys controlled by you

    [Diagram labels: DC1, LAN 1; Cloud 2, LAN 1; Cloud 1, LAN 2; DC2, LAN 2; Public Cloud; Datacenter; Data]

    Benefits
    - Facilitates movement between datacenter & cloud
    - Delivers security compliance through encryption
    - Enables portability between service providers
    - Ensures private data in public cloud

    29/30

    Back to the question: To Virtualize or not?

    ANSWER: YES, BUT ONLY WITH A BETTER-THAN-PHYSICAL CLOUD SECURITY ARCHITECTURE

    Speed and Business Impact
    Expertise and Performance
    Massive Cost Reduction

    30/30

    Thank you
    For visiting the Trend Micro Carnival