New Directions for Security Services and the Software Defined Data Center
Jeremiah Cornelius, VMware Alliances Partner Architect
Chip Epps, Symantec Product Manager, Data Center Security & Compliance
Session IL B06, Apr 16, 2013, 2:30pm to 3:30pm
Agenda
• Why the “Software-Defined Data Center”
• Vision for Security Service Model in SDDC
• Designing Security Services for the SDDC
• Symantec and Software Defined Security
• Where is the SDDC and When is the Future?
• Q&A
The Virtualization Path – Continue the Journey (following economic benefit)
Diagram: the three stages of the journey toward the Software-Defined Data Center, plotted against Cost, Agility and Governance:
• IT Production – Capex Savings Thru Consolidation
• Business Production – Opex Saving Thru Automation
• IT as a Service – Game Change Thru Self-Service
Abstract. Pool. Automate. Empower.
IT Pressures – a Constant Over the Decades
• Cost: “Are you getting the maximum efficiency out of your infrastructure?”
• Agility: “How quickly can IT respond to LOB requests?”
• Governance: Legislative Compliance; Risk Reduction – SLAs & Business Continuity; Security – Corp Assets & IP
Virtualization Architects Are Asking For Security Rethink
• AND risk neutral?
• AND compliant?
• NO host sprawl?
• NO overprovisioning?
(Chart labels: 80% PV, vCloud)
Adoption Has Enabled Agility
Chart: virtualization adoption and provisioning time over the years
• 2008 – 25% – WEEKS
• 2012 – 60% – DAYS/HOURS
• FUTURE – >90% – Minutes/Seconds
Driven by Infrastructure Services
Chart: the same 2008 → 2012 → FUTURE timeline (WEEKS → DAYS/HOURS → Minutes/Seconds), with the VDC evolving into the Software-defined Datacenter and services for Storage/Availability, Management/Monitoring, Servers, Networking and Security.
Software-Defined Datacenter All infrastructure is virtualized and delivered as a service, and the control of this datacenter is entirely automated by software. Abstract. Pool. Automate.
Getting to The Software-Defined Data Center (SDDC)
Diagram: Network Operations move from Physical to Virtual, then on to Cloud Operations, in three steps:
1. Decouple
2. Reproduce
3. Automate
• Operational benefits of virtualization
• Hardware independence
• No change to network from end host perspective
Symantec and the SDDC
Security and Compliance Solutions – “At the endpoint and beyond”:
• Anti-virus and Malware
• Virtual Server Hardening (vSphere)
• Data Loss Prevention
• Threat Correlation
• Content Filtering
• Legal & Regulatory Compliance
• Managed Security
Storage & Availability Solutions – “Always on, always available”:
• Backup & Recovery
• High Availability
• Application Availability
• Clustering
• Archiving
• Storage Management and Reporting
• Dynamic Multi-pathing
VMware stack (MANAGEMENT / CLOUD INFRASTRUCTURE / EXTENSIBILITY / VIRTUALIZATION):
• Management: VMware vCloud Automation Center, VMware vCenter Operations Management Suite, VMware vCloud Connector, VMware vFabric Application Director, VMware vCenter Orchestrator
• Cloud Infrastructure: VMware vCloud Director; Software-Defined Networking & Security (VMware vCloud Networking & Security); Software-Defined Storage & Availability (VMware vCenter Site Recovery Manager)
• Extensibility: VMware vCloud APIs
• Virtualization: VMware vSphere on Physical Infrastructure (Server, Storage, Network)
Agenda (next section): Vision for Security Service Model in SDDC
Provisioning Services for Virtualization is Still Slow and Costly
Past vs. Present cost and time to provision VLAN networks, Firewall, Load Balancer, IDS, security, monitoring and Availability:
• $300, 2 minutes
• $1800, 5 days, 2 min!
• $10,000, 10 weeks
Creating the VM is fast, but you still have to wait for networking and security.
Challenge: Make security policies actionable, repeatable across environments
Our customers struggle to deliver actionable and repeatable security services and rules configuration, within and across dev/test and production environments.
From whiteboard… …to Visio diagrams… Both are… Actionable? Repeatable?
What if a Software Defined Data Center made it possible…
• Deploy – Security services were easily deployed and available to all workloads?
• Bind – You could group your apps however you like (VMs, vApps, user IDs…) and assign security services (firewall, antivirus, IPS…) to these groups?
• Orchestrate – One security control could be enforced based on the result of another control, without the requirement for point to point integrations?
(Diagram label: WEB_APP_FILTER)
Automate Service Provisioning and Service Availability
Service Provisioning
• Includes VMware security services
• Includes partner services
• All network and security categories
• Multi-vendor support
Health Monitoring
• Monitor, ensure availability of services
Separation of Duties
• Role for service provisioning is separate from vCenter VI Admin permissions
• Includes roles for Security Admin, Audit
Cluster level SLAs
• Policy and consistency
Diagram: vCenter/vCloud/vCAC and vCNS Manager alongside the Partner Management Consoles of Partner A (IPS, AV), Partner B (Application Filter) and Partner C (Vulnerability Assessment).
Customer Scenario: Enclaves, Sub-enclaves and Remediation Zones
Customer Need
• “Datacenter” (within a VC) is carved up into groups based on business function
• Each group is bound to a firewall service
• Firewall service configured to deny/permit access to shared services or other groups
• VMs are placed in respective groups and are protected based on services, rules for these groups.
SDDC Security Capability
• Security Groups – map to business function; empty or prepopulated w/ VMs
• Security Policy Object – includes firewall service
• VMs are placed in respective groups – as in example
• Groups can be nested and policies are inherited
SDDC Solution - Security Services Provisioning Automation
• Services can be grouped into Policy Templates (Gold, Database, SharePoint, etc.)
• Policy Templates are then applied to workloads organized into Security Groups at various levels (VMs, Apps and Groups, etc.)
• Security Groups can be nested, and policies can be inherited
Diagram: three nesting levels – the “Database” group containing VM “X” (Database Security Policy); vApp “Y” containing that group alongside “ERP Application”, “Share Point” and “HR Department” (Share Point Security Policy); and vDC “Z” containing vApp “Y” (“Gold” Security Policy).
SDDC Solution - Extend Platform to Best of Breed Services
Partners provide best of breed services in these categories:
• Anti-Virus (AV), Anti-Malware
• Application Delivery Controller (ADC)
• Application Whitelisting
• Application Firewall
• Data Loss Prevention (DLP)
• Encryption
• File Integrity Monitoring (FIM)
• Firewall (Host/Network)
• Identity and Access Management
• Intrusion Detection/Prevention System (IDS/IPS)
• Load Balancer
• Network Forensics
• Network Gateway (VXLAN)
• Network Port Profile
• Policy and Compliance Solution
• Security Intelligence and Event Management (SIEM)
• User Access Control (closest to our SAM)
• Vulnerability Management
• WAN Optimizer
• Web Filter
Software Defined Data Center – properties of virtual services:
• Programmatic provisioning
• Place any workload anywhere
• Move any workload anywhere
• Decoupled from hardware
• Operationally efficient
Agenda (next section): Designing Security Services for the SDDC
Preservation of Elasticity and Motion – continuity, present
• Security needs to expand and contract quickly
• Security must adapt to movement
WHY:
• Can’t break the promise of virtualization and the SDDC, i.e. elasticity, HA, etc. Consequently, workloads can be brought into service or moved onto any piece of hardware instantly
• E.g. Security should have awareness of every workload, regardless of which host and SVA it runs on, in case a VM should appear within an SVA’s realm of protection… global policy and content
Single System View – efficient, responsive
• Security is implemented from a “leveraged” position
• Admin sees the “logical” system defined by VMware
• Security overcomes abstraction and removes complexity
• Simplifies management
• Security is “symmetrical”
• Security is retained regardless of underlying infrastructure
WHY:
• Services layer is highly abstracted from Infrastructure
• E.g. Security should focus on the logical nature of the infrastructure, and not necessarily on the physical infrastructure (hosts & SVAs)
Admin’s View
Diagram: from this lens (Host-1, Host-2, Host-3, each running VMs) to this lens (VDC – PCI Servers and VDC – Dev Servers, each holding vApps and VMs).
System View
Diagram: VMs and SVAs across hosts, with the Security Manager and vCenter providing the single management view.
Deterministic – consistent, compliant
• Security does no harm
• Shouldn’t contribute to problem or make things worse
• No surprises… resources, behavior, performance, etc.
• All SVAs running a consistent state
WHY:
• Infrastructure is designed to be templated and repeatable, and security should similarly fit into this model
• E.g. Security controls (instantiated via an SVA) should be the same, thus predictable (same app, same sizing, same policies, same defs, same logs, etc.)
Preservation of Fault Zones – resilient, available
• Security works under duress – takes care of itself
• Security separate from infrastructure
• If you take away the management console, the system will continue to run, i.e. security will run indefinitely if no changes
• And vice versa: if the security ecosystem has an issue, it won’t disrupt operations
WHY:
• Should infrastructure fail, security needs to function
• E.g. Each SVA should be self-sustaining with a complete view of the world (i.e. operate “headless”)
Agenda (next section): Symantec and Software Defined Security
What is “Data Center Protection”? (FINAL branding pending)
“Data Center Protection (DCP)” combines:
• Agentless AV and IDP – Virtual Security SVAs
• Agent – Sandboxing + Application Whitelisting Controls (New)
Next Symantec Releases: Ferrari - Athens Overview
Today:
• Agented protection
• SEP (Symantec Endpoint Protection): Antimalware protection using AV, IPS, Reputation, Behavioral techniques
Ferrari - Athens:
• “Data Center Protection” (FINAL branding pending)
• Agentless (Servers & VDI): Agentless protection via EPSEC (AV) & NetX integration (includes vCenter hardening and ESXi host monitoring resources of CSP)
• Agent (for Servers): Critical Systems Protection Agent
• Includes entitlement to agentless & agented protection (SEP & CSP)
New SDDC Use Case – Remediation Action Registration
Swimlanes: VMware Infrastructure | Symantec Agentless “DCP” | 3rd Party Security System | Events/Actions
• Symantec registers its threat protection security services, e.g. Agentless AV. Provides the following to VMware: location of “DCP” Manager, pointers to AV and IDP SVA OVAs, and policy types/profile definitions
• VMware defines Security Policies for Security Groups, e.g. AV Detect Only policy for Normal group; AV Clean policy for Quarantine group
• VMware provisions AV and IDP (IPS) SVAs to Host
• VMware assigns GVM X to Host
• Result: GVM X assigned to Normal group with AV Detect policy
New SDDC Use Case – Remediation Action Registration
Swimlanes: VMware Infrastructure | Symantec Agentless “DCP” | 3rd Party Security System | Events/Actions
• User of GVM X tries to execute Malware
• Symantec Agentless AV (SVA) security service on Host detects Malware on GVM X via AV Detect Only policy, and denies access
• Symantec Manager sets Security Tag for AV Detect
• VMware reassigns GVM X to group Quarantine
• Symantec AV SVA responds to policy change associated with Quarantine group, and applies AV Clean policy to GVM X, deletes Malware on execute, and clears AV Detect Security Tag
• VMware restores GVM X to group Normal
• Result: GVM X assigned to Normal group with AV Detect policy
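The nested Security Group policy inheritance from the “Security Services Provisioning Automation” slide and the tag-driven remediation cycle above, worked through in one added Python sketch. This is illustrative code added here, not Symantec or VMware code: the SecurityGroup and Orchestrator classes, the “AV Detect” tag and the policy strings are assumed simplifications of the slides’ Security Groups, Security Tags and policy templates.

```python
from dataclasses import dataclass, field
@dataclass
class SecurityGroup:
    """Service Composer-style Security Group; nested groups inherit policies."""
    name: str
    policy: str = ""                         # policy template bound at this level
    parent: "SecurityGroup" = None
    members: set = field(default_factory=set)
    def effective_policies(self):
        """Policies applying to a member: inherited from ancestors first, own last."""
        own = [self.policy] if self.policy else []
        return (self.parent.effective_policies() if self.parent else []) + own

def nested_policies():
    """The deck's nesting: vDC "Z" (Gold) > vApp "Y" (SharePoint) > "Database" group."""
    vdc = SecurityGroup("vDC Z", "Gold")
    vapp = SecurityGroup("vApp Y", "SharePoint", parent=vdc)
    return SecurityGroup("Database", "Database", parent=vapp).effective_policies()

class Orchestrator:
    """Stands in for the VMware side: the 'AV Detect' tag moves a VM between groups (assumed names)."""
    def __init__(self):
        self.normal = SecurityGroup("Normal", "AV Detect Only")
        self.quarantine = SecurityGroup("Quarantine", "AV Clean")
        self.trail = []                      # audit trail of group moves
    def group_of(self, vm):
        return self.quarantine if vm in self.quarantine.members else self.normal
    def place(self, vm, group):
        self.group_of(vm).members.discard(vm)
        group.members.add(vm)
        self.trail.append(f"{vm} -> {group.name}")
    def tag_event(self, vm, tag, present):
        if tag == "AV Detect":               # set -> Quarantine, cleared -> Normal
            self.place(vm, self.quarantine if present else self.normal)

def agentless_av_scan(vm, orch):
    """One AV SVA pass on an infected guest; behaviour follows the group's policy."""
    policy = orch.group_of(vm).effective_policies()[-1]
    if policy == "AV Detect Only":           # deny execution, tag, let VMware regroup
        orch.tag_event(vm, "AV Detect", True)
        return "detected"
    orch.tag_event(vm, "AV Detect", False)   # AV Clean: delete on execute, clear tag
    return "cleaned"

def remediation_cycle(vm="GVM X"):
    """Plays the slide scenario: Normal (Detect Only) -> Quarantine (Clean) -> Normal."""
    orch = Orchestrator()
    orch.place(vm, orch.normal)
    results = [agentless_av_scan(vm, orch), agentless_av_scan(vm, orch)]
    return results, orch.trail, orch.group_of(vm).name
```

The audit trail returned by remediation_cycle is the record a security admin would expect to see for a VM that passed through the Quarantine group and was restored.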
Agenda (next section): Where is the SDDC and When is the Future?
What is the Future? The Software Defined Data Center Begins Today
• This began with vMotion…
• NSX Service Composer – 2013 Focus Areas
• Simplify service provisioning
• Make policies actionable and repeatable
• Enable Multi-Vendor, Multi-Discipline Conditional Workflows for Service Automation
Symantec leading to deliver on the promise
• Unparalleled Integration for Symantec Solutions Serving the Software Defined Data Center and Security Policy Automation with NSX
• Converged roadmaps for VMware protection of enterprise
• Coordinated releases for 2013 – See Demos at VMworld
• Visit the VMware booth and the Symantec booth for more information
Agenda (next section): Q&A