Securing Business Critical Apps. VMUG San Diego, March 7, 2012. Gargi Mitra Keeling, CISA, Staff Product Manager, VMware, Inc.
Agenda • Introductions • The Cloud Journey • Security and Compliance Challenges • Security and Compliance Goals • Securing Business Critical Apps – An Example • VMware Security and Compliance Solutions • Background Info
Who I Am and How I Got Here: IT Management, then Product Management / Marketing.
Introduction – What is your role? • VI Administrator • Cloud Architect • Info security Administrator • Network security Administrator • IT Auditor • App Development • Executive • Other?
Introduction – What industries do you represent? • Financial services • Government • Healthcare • Retail • Manufacturing • Other?
Introduction – Why are you here? • I want to understand virtualization / cloud security and compliance risks • I understand the risks, but want to know what VMware is doing about these risks • I want to know how to get our business critical apps to the cloud without compromising security • Other?
And Is Your CIO Trying to Figure This Out? (Diagram: the CIO weighing internal versus external cloud against risk, cost and speed.)
Virtualization is Only the Beginning. (Diagram: several Application / Operating System stacks running on a virtualization layer over shared hardware.) Virtualization improves • hardware utilization • software license utilization • operational efficiency
Virtualizing Business Critical Apps is Crucial. Three stages of the journey: • IT Production – basic consolidation for infrastructure workloads (file, print…) • Business Production – virtualizing business critical applications for higher availability and better service levels • Your Cloud – self-service provisioning for a faster application lifecycle. 96% of CIOs view the virtualization of business critical applications as a foundation for enabling cloud computing.* *VMware customer study, Business and Financial Benefits of Virtualization, IDG Research, March 2011
Virtualizing Apps Delivers Significant Improvements. Survey question: for each of the benefits your company has achieved by virtualizing business critical applications, please approximate the amount of improvement compared to before virtualization. Companies that have virtualized their apps have seen significant improvements, specifically over 60% in BCDR, security/compliance, and test/dev cycles. Source: The Hidden Truth of Virtualizing Business Critical Apps, IDG Research, March 2011
60% Of Our Customers Are Virtualizing BCA. Percentage of workload instances running on VMware in the customer base, Jan 2010 versus June 2011 (values in slide order):
Workload            Jan 2010   June 2011
MS Exchange            53%        68%
MS SharePoint          43%        47%
MS SQL                 38%        41%
Oracle Middleware      25%        34%
Oracle DB              25%        28%
SAP                    18%        28%
Source: VMware customer survey, Jan 2010 and June 2011. Data: total number of instances of that workload deployed in your organization and the percentage of those instances that are virtualized.
But Security and Compliance Concerns Slow Down Cloud Efforts • What are the top challenges or barriers to implementing a cloud computing strategy? Source: 2010 IDG Enterprise Cloud-based Computing Research, November 2010
Enterprise Data Center Security & Networking Today. (Diagram: users reach web sites and View desktops in the DMZ, which front backend services on vSphere.) Controls in place today: • Desktop: A/V agents; DLP, FIM, white listing • DMZ: firewall, NAT, IPAM, VR; site and user VPNs; web load balancers • Internal: network segmentation, firewalls, IDS/IPS; server A/V agents; app-, data- and identity-aware security and compliance
Challenges in Cloud Security and Compliance • Mixed-mode levels of trust: VMs with different trust levels (e.g. PCI and non-PCI) running on the same host • Multi-tenancy: protecting intellectual property (IP) on shared resources • Auditor / QSA approval of the design • Evidence-based compliance: How is my data being protected and segmented by level of security? What standards and frameworks do I adopt to minimize risk? How do I automate best practices, regulatory guidelines and vendor standards? • Separation of consumer and provider: the consumer needs governance around its workloads, and evidence from the provider about its infrastructure compliance • How do I address data governance, privacy, etc.? • How do we account for change (loss of service)? (Diagram: a PCI CDE on vSphere moving through a continuous cycle of Assess → Report → Remediate → Capture Changes.)
Your Organization Cares About Security and Compliance. Security Operations Team: How do I secure applications and data in the cloud? Compliance Officer: How do I implement compliance controls and audits for resources in the cloud? Infrastructure Team: How can I enable security without affecting applications or limiting cloud flexibility?
Secure the Platform and Isolate the Provider • Platform hardening: memory protection (ASLR, NX/XD); kernel integrity (signed modules); trusted boot with a TPM and Intel TXT; deploy workloads and store data only in trusted infrastructure • Admin separation of duties: across functional areas, and between provider and tenant • User activity monitoring: of privileged users in the cloud infrastructure. (Diagram: tenant on top of the vCloud infrastructure, provider underneath.)
Segment and Isolate Workloads • At the organization level: isolate tenants from each other; restrict provider access; control traffic to/from the org, including to the outside world • Based on security or compliance: elastic zones with membership based on classification; control traffic between zones; control traffic within zones • Based on workload / app: encapsulate and control access to/from the app; protect the guest OS with endpoint security. (Diagram: tenant XYZ with zones for Intellectual Property, PCI DSS and SharePoint.)
Securing Business Critical Apps An example
App Developers Are Also Stakeholders for Security. Application Development Team: "I need better QoS and availability and faster deployment times for my apps… and I'm assuming another team is taking care of my app security."
The Journey to Production-Ready Isn't Always Smooth • Development and Testing: developers and architects focus on ideas, as they should. Security is the last thing on their mind, but this causes problems in the long run. • Staging (Sandbox): in some cases, staging environments are not properly isolated from production. This results in data leaks to production environments. • Production: if security wasn't a consideration during development, applications may not work in production. Network security teams lock things down, but developers don't know until it's too late. Back to the drawing board.
What if security could enable efficient application deployment? • Development and Testing: the developer environment mimics production. No perceived change, other than less likelihood of re-writing the app to address security issues found in production. • Staging (Sandbox): staging environments also mimic production, and are completely isolated from production networks. No more data leaks! • Production: the production environment has the necessary controls in place and the application is deployed with no surprises… and no rewrites.
vShield App Simplifies Security for SAP Dev and Sandbox. (Diagram: two environments on one ESX host, each protected by a vShield App firewall VM with a loadable kernel module, managed by vShield Manager.) • DEV: DEV App (10.128.140.118), DEV DB+CI (10.128.140.119) • SANDBOX: SNDBX CI (10.128.140.117), SNDBX DB (10.128.140.116) • All ports blocked by default • Exceptions: unblock ports for SAP GUI (dispatcher + message server), and NFS for /usr/sap/trans
vShield App Example – Define Environment as vApp in vCenter. A vApp is a logical entity of one or more VMs.
vShield App Example – Define Rules in vCenter using vApps • Block all access in and out of the vApp environment; the rule applies to all VMs within the vApp • Then create exceptions to allow required access, e.g. the SAP GUI dispatcher port, and NFS for the CTS filesystem
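The default-deny-plus-exceptions policy from the two slides above, as an added example that is not vShield code or part of the original deck. It re-implements first-match rule evaluation in plain Python so the effect of rule ordering can be checked offline before the rules are entered in vCenter. Everything not on the slides is an assumption: the SAP instance number 00 (dispatcher on TCP 3200, message server on TCP 3600), NFS on TCP/UDP 2049 plus portmapper on TCP 111, a SAP GUI client at 10.128.1.50, a transport NFS server at 10.128.140.10, and the choice to leave traffic between members of the same vApp open.

```python
"""Default-deny vApp firewall policy with explicit exceptions.

Added example modelled on the SAP DEV / SANDBOX slides; not vShield code.
Assumptions not on the slides: SAP instance 00 (dispatcher TCP 3200,
message server TCP 3600), NFS TCP/UDP 2049 plus portmapper TCP 111,
SAP GUI client 10.128.1.50, transport NFS server 10.128.140.10.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# vApp membership as defined in vCenter: vApp name -> {VM name: IP}
VAPPS = {
    "DEV": {"DEV App": "10.128.140.118", "DEV DB+CI": "10.128.140.119"},
    "SANDBOX": {"SNDBX CI": "10.128.140.117", "SNDBX DB": "10.128.140.116"},
}
SAPGUI_CLIENT = "10.128.1.50"   # assumed admin workstation running SAP GUI
NFS_SERVER = "10.128.140.10"    # assumed host exporting /usr/sap/trans


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int   # only the destination port is matched; source ports are ephemeral


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                 # "allow" or "deny"
    src: Optional[str] = None   # vApp name, single IP, or None for any
    dst: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None


def _selects(selector: Optional[str], ip: str) -> bool:
    """A selector is a vApp (resolved to its member IPs), one IP, or 'any'."""
    if selector is None:
        return True
    if selector in VAPPS:
        return ip in VAPPS[selector].values()
    return ip == selector


def _matches(rule: Rule, flow: Flow) -> bool:
    return (_selects(rule.src, flow.src) and _selects(rule.dst, flow.dst)
            and rule.proto in (None, flow.proto)
            and rule.dport in (None, flow.dport))


def evaluate(rules: List[Rule], flow: Flow) -> Tuple[str, str]:
    """First matching rule wins; a flow no rule mentions is dropped."""
    for rule in rules:
        if _matches(rule, flow):
            return rule.action, rule.name
    return "deny", "default"


def vapp_policy(vapp: str) -> List[Rule]:
    """Exceptions first, then the catch-all block in and out of the vApp.

    Traffic between members of the same vApp is left open (assumption: the
    slide only blocks traffic that crosses the vApp boundary).
    """
    return [
        Rule(f"{vapp}-sapgui-dispatcher", "allow", SAPGUI_CLIENT, vapp, "tcp", 3200),
        Rule(f"{vapp}-sapgui-msgserver", "allow", SAPGUI_CLIENT, vapp, "tcp", 3600),
        Rule(f"{vapp}-nfs-tcp", "allow", vapp, NFS_SERVER, "tcp", 2049),
        Rule(f"{vapp}-nfs-udp", "allow", vapp, NFS_SERVER, "udp", 2049),
        Rule(f"{vapp}-portmap", "allow", vapp, NFS_SERVER, "tcp", 111),
        Rule(f"{vapp}-intra", "allow", vapp, vapp),
        Rule(f"{vapp}-block-in", "deny", None, vapp),
        Rule(f"{vapp}-block-out", "deny", vapp, None),
    ]


POLICY = vapp_policy("DEV") + vapp_policy("SANDBOX")


def misordered(rules: List[Rule]) -> List[Rule]:
    """The classic mistake: the catch-all deny placed above its exceptions."""
    return ([r for r in rules if r.action == "deny"]
            + [r for r in rules if r.action == "allow"])


if __name__ == "__main__":
    cases = [
        Flow(SAPGUI_CLIENT, "10.128.140.118", "tcp", 3200),    # GUI -> DEV dispatcher
        Flow(SAPGUI_CLIENT, "10.128.140.119", "tcp", 1433),    # GUI -> DEV DB, no exception
        Flow("10.128.140.118", "10.128.140.117", "tcp", 3200), # DEV -> SANDBOX crosses boundary
        Flow("10.128.140.118", NFS_SERVER, "tcp", 2049),       # transport directory
        Flow("10.128.140.118", "10.128.140.119", "tcp", 3300), # inside the DEV vApp
    ]
    for f in cases:
        print(f, evaluate(POLICY, f), "misordered:", evaluate(misordered(POLICY), f))
```

Two things the walkthrough makes visible that the slide does not: DEV and SANDBOX cannot reach each other even though both allow SAP GUI, because the exception is scoped to the client IP rather than to "any"; and with the deny rules hoisted above the exceptions (`misordered`), the SAP GUI connection is dropped by `DEV-block-in`, which is exactly the "developers don't know until it's too late" failure from the earlier slide.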
Overview of vShield and vCenter Configuration Manager • vShield Edge: segment and isolate at the org level; firewall (IP), VPN, web load balancer, NAT, DHCP, static routing… • vShield App with Data Security: segment and isolate based on security and compliance; firewall (vNIC), security groups, sensitive data discovery • vShield Endpoint: segment and isolate based on workload and app; enablement for endpoint security (AV, file integrity monitoring, and more) • vCenter Configuration Manager: IT compliance management across the stack; controls validation, compliance reporting, change management, patching, and more
Trusted vCloud: Compliance – Product View. Regulations by industry: • Healthcare: HIPAA, HITECH, HITRUST, FDA • Government: NIST, FISMA, FDCC, DISA • Finance: SOX, PCI DSS, Basel, GLBA • Energy: FERC, ISO, NERC CIP, CIS. Stack layers: End User Computing (Horizon & View), Identity Management / Authorization (Horizon), Cloud Applications, Public/Private/Hybrid Cloud, Virtualized Infrastructure, with GRC across all of them. Security products per layer: • vShield + 3rd party endpoint security • vShield + 3rd party data security • vShield + 3rd party network security • VCM configuration management • 3rd party white listing • VCM + SIEM config and log management • VUM + VCM + 3rd party platform security. Goal: meet customers' compliance requirements to migrate Tier 1 apps to vSphere.
Thank you Question & Answer Session
vShield Edge – Secure the Edge of the Virtual Data Center. (Diagram: Tenant A and Tenant X on VMware vSphere, each behind an Edge providing firewall, VPN and load balancer.) Features • Multiple edge security services in one appliance • Stateful inspection firewall • Network Address Translation (NAT) • Dynamic Host Configuration Protocol (DHCP) • Site-to-site VPN (IPsec) • Web load balancer • Edge port group isolation • Detailed network flow statistics for chargebacks, etc. • Policy management through UI or REST APIs • Logging and auditing based on the industry-standard syslog format
vShield App – Application Protection for Network-Based Threats. (Diagram: DMZ, PCI and HIPAA zones on VMware vSphere.) Features • Hypervisor-level firewall • Inbound and outbound connection control applied at the vNIC level • Elastic security groups that "stretch" as virtual machines migrate to new hosts • Robust flow monitoring • Policy management: simple and business-relevant policies; managed through UI or REST APIs; logging and auditing based on the industry-standard syslog format
Network segmentation. Examples: • Deny traffic from the Contractors Desktops pool to the Business Apps pool. • Allow DNS traffic from DC01 to the DNS server at 10.91.245.129. • Allow VMs in Web-Tier to communicate with VMs in DB-Tier. Two approaches: • vCenter Server container objects: datacenters, clusters, resource pools, vApps, port groups • Topology-independent: security groups are administrator-defined, business-relevant groupings of any virtual machines by their virtual NICs.
Layer 4 Firewall Policies • Ability to enforce based on network, application port, protocol type (TCP, UDP), and application type • IP-based stateful firewall and application layer gateway for a broad range of protocols • Eliminates the need to list individual port numbers for well-known multi-port protocols • Automatically handles dynamic and ephemeral ports
Visibility into Sensitive Data to Address Regulatory Compliance (New). Overview • Accurately discover and report on sensitive data in unstructured files on running VMs with a proven analysis engine • More than 80 pre-defined templates for country- and industry-specific regulations • Move VMs with sensitive data to separate trust zones for remediation. Benefits • Visibility into sensitive data at rest in the virtual data center, without a dedicated guest VM agent • Address compliance and risk management requirements • Eliminate the agent footprint compared to legacy software agents. Cloud infrastructure: vSphere, vCenter, vShield, vCloud Director.
vShield Data Security in v5.0.1: Enhanced Reporting, Export Options
Strong and Efficient Protection Against Malware. (Diagram: a row of per-VM agents triggering an "AV storm", versus one AV partner security virtual appliance protecting all VMs on the host.) Overview • Offloaded anti-virus protection • Leverage 3rd party anti-virus solutions • Eliminate the security agent from the guest VM • The partner provides a security virtual appliance for endpoint security such as anti-virus, file integrity monitoring and OS event logging. Benefits • Efficiency: improve performance and consolidation ratios by 30-100%*; eliminate anti-virus storms • Manageability: streamline deployment and monitoring of endpoint security • "Better than physical": the VM is protected the moment it comes online, with no agent susceptible to attack. Cloud infrastructure: vSphere, vCenter, vShield, vCloud Director. *Depending on whether the workload stresses the AV solution. Source: Tolly Group 2010
Strong and Efficient Protection Against Network Intrusions (New). Overview • Leverage 3rd party intrusion detection solutions (IDS) to identify network-based threats • Automatically isolate compromised VMs. Benefits • Contain network intrusions and prevent them from spreading in the environment. (Diagram: IDS partner product moving a compromised VM into quarantine.) Cloud infrastructure: vSphere, vCenter, vShield, vCloud Director.
Programmability and Automation: APIs, SDKs, automation, partner ecosystem • Policy management: vShield Manager APIs (REST) with full parity with the GUI; Java SDK and vCO plugin (future); PowerCLI (future); for customers, ISVs, SIs, etc. • Endpoint security: EPSEC APIs (C libraries) for guest introspection, used by endpoint security partners; SDK (future) • Network security: NetSec APIs (REST, future) for 10-tuple traffic redirection, used by network security partners
Compliance Management through vCenter Configuration Manager “Operational Efficiency & Tool Consolidation”
Use Case: Provision and Secure Virtual "Infrastructure on Demand" – Remediate Compromised VMs. (Diagram: a physical datacenter with shared services including a network IPS, and a virtual datacenter on VMware vSphere + vCenter hosting Service A, Service B and Service C (each a VDI end-user service) plus a Remediation service.) Flow: 1. Compromised VM detected by the network IPS. 2. Compromised VM added to the Remediation security group. 3. The security groups and firewall rules for that group are already in place, so the VM is contained as soon as its membership changes.
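The detection-to-quarantine flow on this slide, as an added example that is not VMware code or part of the deck: constructed IPS syslog alerts are parsed, each alert is mapped to a VM through a constructed inventory, and VMs that originate malicious traffic are moved into the Remediation security group, where pre-existing firewall rules take effect. The alert format, the inventory, the group names and the decision to quarantine only the source of an attack (not its target) are assumptions; the vShield Manager REST call that would commit the membership change is not shown.

```python
"""Quarantine automation for the 'Remediate Compromised VMs' use case.

Added example, not VMware code. The syslog-style alert lines, the
inventory and the field layout are constructed for this illustration;
the REST call that would push the group change to vShield Manager is
deliberately omitted.
"""
import re
from typing import Dict, List, Set

# Constructed IPS alerts (the format is an assumption, not a real product's)
ALERTS = """\
<134>Mar  7 10:02:11 ips01 ips: ALERT sev=high msg="outbound IRC-style C2 beacon" src=10.91.210.34 dst=203.0.113.9 dport=6667
<134>Mar  7 10:02:15 ips01 ips: ALERT sev=high msg="outbound IRC-style C2 beacon" src=10.91.210.34 dst=203.0.113.9 dport=6667
<134>Mar  7 10:03:40 ips01 ips: INFO signature update applied
<134>Mar  7 10:05:02 ips01 ips: ALERT sev=medium msg="internal MSSQL port sweep" src=10.91.210.77 dst=10.91.220.5 dport=1433
<134>Mar  7 10:06:59 ips01 ips: ALERT sev=high msg="SQL injection attempt" src=198.51.100.23 dst=10.91.230.12 dport=80
"""

# Constructed inventory: VM name -> IP and the security groups it belongs to
INVENTORY: Dict[str, dict] = {
    "vdi-a-034": {"ip": "10.91.210.34", "groups": {"Service A - VDI"}},
    "vdi-a-077": {"ip": "10.91.210.77", "groups": {"Service A - VDI"}},
    "sql-b-005": {"ip": "10.91.220.5", "groups": {"Service B"}},
    "web-c-012": {"ip": "10.91.230.12", "groups": {"Service C"}},
}
REMEDIATION = "Remediation"   # group whose firewall rules are "already in place"

_ALERT = re.compile(
    r'ips: ALERT sev=(?P<sev>\w+) msg="(?P<msg>[^"]+)" '
    r'src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)'
)


def parse_alerts(text: str) -> List[dict]:
    """Keep only ALERT lines; INFO lines and anything unparseable are ignored."""
    alerts = []
    for line in text.splitlines():
        m = _ALERT.search(line)
        if m:
            record = m.groupdict()
            record["dport"] = int(record["dport"])
            alerts.append(record)
    return alerts


def _vm_by_ip(ip: str):
    for name, vm in INVENTORY.items():
        if vm["ip"] == ip:
            return name
    return None


def select_compromised(alerts: List[dict]) -> Set[str]:
    """Quarantine the VM that *sends* malicious traffic.

    A VM that is only the target of an attack (external src, internal dst)
    is not yet known to be compromised and stays in service; that alert is
    for the web tier's owners, not for automatic quarantine. Duplicate
    alerts for the same source collapse into one membership change.
    """
    vms = set()
    for alert in alerts:
        vm = _vm_by_ip(alert["src"])
        if vm is not None:
            vms.add(vm)
    return vms


def apply_quarantine(vms: Set[str]) -> List[str]:
    """Move each VM into Remediation, detaching it from its service groups.

    Idempotent: a VM that is already quarantined produces no change record,
    so the script can be re-run over the same alert window safely.
    """
    changes = []
    for name in sorted(vms):
        current = INVENTORY[name]["groups"]
        if current == {REMEDIATION}:
            continue
        changes.append(f"{name}: {sorted(current)} -> [{REMEDIATION!r}]")
        INVENTORY[name]["groups"] = {REMEDIATION}
    return changes


if __name__ == "__main__":
    compromised = select_compromised(parse_alerts(ALERTS))
    for change in apply_quarantine(compromised):
        print(change)
```

In this model the membership change is the only action the automation takes; the containment itself comes from the rules bound to the Remediation group (allow to the remediation service, deny everything else), which is why the slide stresses that those rules are already in place before the first alert arrives. The change records are what an auditor will ask for later, so in a real deployment they should go to syslog alongside the IPS alert that triggered them.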
Programmability and Automation (roadmap view): APIs, SDKs, automation, partner ecosystem • Policy management: vShield Manager APIs (REST) with full parity with the GUI; Java SDK and vCO plugin (Q4 2011); PowerCLI (future); for customers, ISVs, SIs, etc. • Endpoint security: EPSEC APIs (C libraries) for guest introspection, used by endpoint security partners; APIs 2010, SDK Q4 2011 • Network security: NetSec APIs (REST, 2012) for 10-tuple traffic redirection, used by network security partners
Partner Ecosystem – Endpoint Security • Improve performance and effectiveness of existing endpoint security • Offload AV functions from in-guest agents to the hypervisor • A hardened security virtual appliance can be optimized for better efficacy. Features • vShield Endpoint for partner insertion • Offload file activity to the security VM • Manage the AV service across VMs • Enforce remediation using a driver in the VM • Partner integrations through the EPSEC API • Policy management: built-in or customizable with REST APIs. (Diagram: anti-virus partner logos with solution availability dates of Aug 2010, Dec 2010, April 2011, April 2011, Aug 2011 and TBD.)