Presentation provided by Sharon Isaacson and Erin K. Banks on April 07, 2011
© Copyright 2011 EMC Corporation. All rights reserved.
How to Secure your Virtual Machine
Sharon Isaacson, Erin K. Banks, CISSP, CISA / www.commondenial.com / @banksek
Our Customers Are Asking Themselves
How do I centrally manage compliance across mixed VMware and physical IT environments?
Can I secure access and information in my VMware View environment?
Can I respond more quickly to security events in my virtual environment?
Can I ensure my virtualized business critical applications are running in a secure and compliant environment?
Implications of Challenges
• CISOs need to manage security and compliance across virtual and physical IT
• Security and compliance concerns stall the adoption of virtualization
• Missing opportunity for “better than physical” security
Virtualization Creates an Opportunity for More Effective Security
• Push Security Enforcement Further Down the Stack (to the vApp and VM layer)
• Today most security is enforced by the OS and application stack. This is:
  • Ineffective
  • Inconsistent
  • Complex
[Diagram: APP/OS stacks running on Physical Infrastructure versus on Virtual and Cloud Infrastructure]
Pushing information security enforcement to the infrastructure layer ensures:
• Consistency
• Simplified security management
• Ability to surpass the levels of security possible in today’s physical infrastructures
VMware Approach to Security
Isolation by Design
CPU & Memory
• VMs have limited access to CPU
• Memory isolation enforced by hardware TLB
• Memory pages zeroed out before being used by a VM
Virtual Network
• No code exists to link virtual switches
• Virtual switches immune to learning and bridging attacks
Virtual Storage
• Virtual machines only see virtual SCSI devices, not actual storage
• Exclusive virtual machine access to virtual disks enforced by VMFS using SCSI file locks
VMware Secure Development Lifecycle Process
Phases: Kickoff & Business Risk Analysis; Architecture Risk Analysis; Code Analysis & Inspection; Security Testing; Response Preparation; Security Response
Supporting activities: Training; Product Security Policy
Goals: Protect Customer Data & Infrastructure; Enable Policy Compliance; Protect Brand
Independently Validated
Common Criteria Certification EAL (Evaluation Assurance Level)
• RSA Archer eGRC Platform v5.0: in process
• RSA Data Loss Prevention Suite v6.5: EAL 2+
• VMware ESXi 3.5 and VirtualCenter 2.5: EAL 4+
• VMware ESX Server 3.5 and VirtualCenter 2.5: EAL 4+
• VMware® ESX 4.0 Update 1 and vCenter Server 4.0 Update 1: EAL 4+
DISA STIG for all products
• Approval for use in DoD information systems
NSA Central Security Service
• Guidance for both datacenter and desktop scenarios
How Virtualization Affects Datacenter Security
Three effects, each with benefits (↑) and risks (↓): faster deployment of servers, VM mobility, VM encapsulation
• ↑ Ease of business continuity
• ↑ Consistency of deployment
• ↑ Hardware independence
• ↑ Improved service levels
• ↑ IT responsiveness
• ↓ Outdated offline systems
• ↓ Unauthorized copy
• ↓ Identity divorced from physical location
• ↓ Lack of adequate planning
• ↓ Incomplete knowledge of current state of infrastructure
• ↓ Poorly defined procedures
• ↓ Inconsistent configurations
How do we secure and make our Virtual Infrastructure compliant?
Use the Principles of Information Security
• Hardening and Lockdown
• Defense in Depth
• Authorization, Authentication, and Accounting to enforce Separation of Duties and Least Privileges
• Administrative Controls
For virtualization this means:
• Secure the Guests
• Harden the Virtualization layer
• Set up Access Controls
• Leverage Virtualization Specific Administrative Controls
What Auditors Want to See:
• Network Controls
• Change Control and Configuration Management
• Access Controls & Management
• Vulnerability Management
Data Center Needs To Be Secured at Different Levels
Perimeter Security (at the vDC edge): keep the bad guys out
• Perimeter security device(s) at the edge
• Firewall, VPN, Intrusion Prevention
• Load balancers
Cost & complexity at the vDC edge
• Sprawl: hardware, FW rules, VLANs
• Rigid FW rules
• Performance bottlenecks
Internal Security: segmentation of applications and servers (VLANs)
• VLAN or subnet based policies
• Interior or web application firewalls
• DLP, application identity aware policies
End Point Security
• Desktop AV agents
• Host based intrusion
• DLP agents for privacy
Securing the Virtual Data Center (vDC) with Legacy Security Solutions
Customers cannot realize true virtualization benefits due to security concerns
[Diagram: virtualized DMZ with firewalls; Web Zone, Application Zone and Database Zone on separate vSphere pods behind perimeter, internal and endpoint security, facing the Internet]
• Air gapped pods with dedicated physical hardware
• Mixed trust clusters without internal security segmentation
• Configuration complexity
  o VLAN sprawl
  o Firewall rules sprawl
  o Rigid network IP rules without resource context
• Private clouds (?)
Legacy Security Approach Does Not Work for vDCs
Perimeter Security: cost & complexity at the vDC edge
• Sprawl: hardware, FW rules, VLANs
• Rigid FW rules
• Performance bottlenecks
Internal Security: VLAN complexity & blind spots across vDC applications
• Sprawl: VLANs, hardware
• Blind spots: inter-VM traffic
• Performance bottlenecks
End Point Security: agent sprawl and performance on vDC endpoints
• AV ‘storms’ strain resource pools
• Sprawl: AV agents in all VMs
• Risk: AV in guest VMs – not hardened
vShield Products
Securing the Private Cloud End to End: from the Edge to the Endpoint
[Diagram: DMZ, Application 1 and Application 2 security zones; each endpoint is a VM]
• vShield Edge: secure the edge of the virtual datacenter
• vShield App and Zones: create segmentation between enclaves or silos of workloads
• vShield Endpoint: offload anti-virus processing
• vShield Manager: centralized management
Leveraging Virtualization for Better-than-Physical Security
Key Benefits
– Complete visibility and control of inter-VM traffic, enabling multiple trust zones on the same ESX cluster
– Intuitive business language policy leveraging vCenter inventory
Better than Physical
– Virtual firewall with unlimited port density
– Hypervisor level introspection provides access to inter-VM traffic
– Topology independent regardless of network config, as policies follow the VMs (IP address agnostic policies)
– Built in firewall capabilities provide better than physical security at 1/3rd the cost
Summary: VMware Approach to Security
Security Tools
• SIEM (security information and event management)
• Compliance (hardening guidelines)
• Data Loss Prevention
• vShield Zones
• Access Control
• Network Control
• VLANs
• Secure Code
• …
Visibility
SIEM
• Security information and event management tool
• Captures event data
  – Audit logs
  – Storage
  – Groups
  – Virtual network infrastructure
  – User and administrative activities
VMware Collector for RSA enVision
• Uses VMware native APIs to retrieve the logs from vCenter and ESX/ESXi servers
• Supports multiple vCenters
VMware Messages
• enVision collects and parses messages from
  – VMware View, VMware vShield, VMware vCloud Director
• Over 800 very well described Message IDs
  – vMotion and Storage vMotion
  – Snapshots
  – User Login/Logoff
  – Virtual Machine Operations, e.g. Power On/Off/Reset
• 7 taxonomy categories
  – Authentication, config, policies, system
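The slide describes a SIEM normalizing vCenter events by message type into taxonomy categories. The Python below is an added illustration of that step, not RSA enVision code: the event class names are real vSphere event types, but the log line layout, the sample events and the category mapping are constructed here (enVision's own 800+ message IDs and 7 categories are not reproduced).

```python
import re
from collections import Counter

# Constructed vCenter-style event lines (not real enVision input). The event
# type names are real vSphere event classes; the line layout is made up here.
SAMPLE_EVENTS = [
    "2011-04-07T10:01:12Z vcenter01 UserLoginSessionEvent user=VSPHERE\\admin ip=10.0.0.5",
    "2011-04-07T10:02:40Z vcenter01 VmPoweredOffEvent vm=web-01 user=VSPHERE\\admin",
    "2011-04-07T10:03:05Z vcenter01 VmMigratedEvent vm=db-02 src=esx03 dst=esx04 user=VSPHERE\\ops",
    "2011-04-07T10:03:50Z vcenter01 TaskEvent task=CreateSnapshot vm=db-02 user=VSPHERE\\ops",
    "2011-04-07T10:05:00Z vcenter01 UserLogoutSessionEvent user=VSPHERE\\admin",
    "2011-04-07T10:06:30Z vcenter01 UserLoginSessionEvent user=VSPHERE\\guest ip=10.0.0.9 result=failure",
]

# Event type -> taxonomy category. Constructed in the spirit of the deck's
# categories (authentication, config, policies, system); not the enVision taxonomy.
TAXONOMY = {
    "UserLoginSessionEvent": "authentication",
    "UserLogoutSessionEvent": "authentication",
    "VmPoweredOnEvent": "system",
    "VmPoweredOffEvent": "system",
    "VmResettingEvent": "system",
    "VmMigratedEvent": "config",   # vMotion / Storage vMotion
    "TaskEvent": "config",         # e.g. snapshot tasks
}

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<type>\w+)(?P<kv>.*)$")

def parse_event(line):
    """Split one constructed event line into a flat dict and tag its category."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable event line: {line!r}")
    ev = {"ts": m["ts"], "host": m["host"], "type": m["type"]}
    ev.update(re.findall(r"(\w+)=(\S+)", m["kv"]))
    ev["category"] = TAXONOMY.get(ev["type"], "unclassified")
    return ev

def summarize(lines):
    """Return (events per category, VM operations per user, failed logins)."""
    events = [parse_event(line) for line in lines]
    by_category = Counter(ev["category"] for ev in events)
    vm_ops_by_user = Counter(ev["user"] for ev in events
                             if "vm" in ev and ev["category"] in ("system", "config"))
    failed_logins = [ev for ev in events
                     if ev["type"] == "UserLoginSessionEvent" and ev.get("result") == "failure"]
    return by_category, vm_ops_by_user, failed_logins
```

Once events carry a category and a user, the per-user view of VM operations is what an auditor asking about "user and administrative activities" can actually read.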
GRC
• Governance
  – Setting the rules
• Risk
  – Ensuring the correct rules are in place and functioning
• Compliance
  – Measuring the effectiveness of the rule
    • Understanding the process used to define the rule
    • Understanding how well people adhere to the rule
Governance: Trusting the Cloud
How Do You Govern, Manage Risk, and Ensure Compliance?
[Diagram: eGRC spanning private, public and hybrid clouds; governance, risk and compliance measured against PCI, COBIT, SOX, ISO, GLBA, NIST and FISMA]
RSA Archer: Mapping VMware Security Controls to Regulations and Standards
(From the CxO view down to the VI Admin view)
• Authoritative Source: regulations (PCI-DSS, etc.), e.g. “10.10.04 Administrator and Operator Logs”
• Control Standard: generalized security controls, e.g. “CS-179 Activity Logs – system start/stop/config changes etc.”
• Control Procedure: technology-specific control, e.g. “CP-108324 Persistent logging on ESXi Server”
VI Configuration Measurement
RSA Solution for Cloud Security and Compliance v1.0
[Diagram: VI component discovery and population; VMware-specific controls in RSA Archer eGRC; an automated measurement agent sending alerts to RSA enVision]
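The three-layer mapping on the Archer slide and the automated measurement on this slide, carried through as an added Python example (not RSA Archer or RSA measurement agent code): the control IDs are the deck's, while the host facts, the persistence test and the all-or-nothing rollup rule are constructed assumptions.

```python
# Control IDs are the deck's; the persistence test, host facts and rollup rule
# are constructed for this example (not RSA Archer or measurement-agent code).

def esxi_persistent_logging(facts):
    """Constructed measurement for CP-108324. Syslog.global.logDir is a real ESXi
    advanced setting; the check treats a datastore-backed path ('[datastore] dir')
    as persistent and the default in-memory /scratch/log location as failing."""
    log_dir = facts.get("Syslog.global.logDir", "")
    return log_dir.startswith("[") and "]" in log_dir and "/scratch/" not in log_dir

# Authoritative source -> control standard -> control procedures (id, check).
HIERARCHY = {
    "10.10.04 Administrator and Operator Logs": {
        "CS-179 Activity Logs": [
            ("CP-108324 Persistent logging on ESXi Server", esxi_persistent_logging),
        ],
    },
}

# Constructed host facts, as an automated measurement agent might populate them.
SAMPLE_HOSTS = {
    "esx01": {"Syslog.global.logDir": "[datastore1] logs/esx01"},
    "esx02": {"Syslog.global.logDir": "[] /scratch/log"},  # default, lost on reboot
}

def measure(hosts, hierarchy=HIERARCHY):
    """Run each control procedure on each host and roll the result up.
    Rollup rule (constructed): a layer is compliant only if every layer below it is."""
    report = {}
    for source, standards in hierarchy.items():
        source_ok = True
        std_reports = {}
        for standard, procedures in standards.items():
            failing_by_cp = {
                cp_id: sorted(h for h, facts in hosts.items() if not check(facts))
                for cp_id, check in procedures
            }
            std_ok = not any(failing_by_cp.values())
            std_reports[standard] = {"compliant": std_ok, "failing_hosts": failing_by_cp}
            source_ok = source_ok and std_ok
        report[source] = {"compliant": source_ok, "standards": std_reports}
    return report
```

The report keeps the failing host names at the procedure level, so the CxO dashboard shows the regulation as non-compliant while the VI admin sees exactly which ESXi host to fix.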
Overall Virtual Infrastructure Compliance Dashboard
Demonstration
VMware vShield Network Security Events Fed to Archer
HyTrust - Access Policy Events Fed to Archer
Making Archer the Best GRC Solution for Hybrid Clouds
Assessing Service Provider Compliance
RSA Solution for Cloud Security and Compliance aligns with CSA Consensus Assessment Questions by automating 195 questions that customers can issue to assess cloud service providers.
[Diagram: Cloud Security Alliance’s 13 domains of focus for cloud computing]
More Information
• www.rsa.com/rsavirtualization
• RSA SecurBooks – technical guides for deploying and operating RSA Solutions
Avamar Advantages for VMware Data Protection (Backup & Recovery)
Guest-Level Backup
– Best for Tier 1 application consistency
– Highest level of deduplication
– File-level recovery
Image-Level Backup (vmdk)
– Change block tracking reduces backup processing
– Single-step backups & restores
– Restore to the original VM or a new VM
– Proxy pooling and load balancing
– File-level recovery from image backup
vCenter Integration
– Displays protected VMs and protection type (guest, image)
– Identifies VMs that are not protected
Scalability
– Avamar scales to meet data growth and backup requirements
– Bare metal restore for entire Vblock (VCE)
VMware vStorage API for Site Recovery Manager: EMC Storage Replication Adapters for DR
[Diagram: Production and Recovery sites connected over a WAN with EMC Replication; DR Test]
• EMC storage platforms integrate with VMware SRM
• EMC SRAs allow automated
  – D/R setup
  – D/R testing
  – Site failover
• EMC VSI manages automated failback after recovery
THANK YOU
Q&A