040711 webcast securing vmachine

Presentation provided by Sharon Isaacson and Erin K. Banks on April 07, 2011

Page 1: 040711 webcast securing vmachine

© Copyright 2011 EMC Corporation. All rights reserved.

How to Secure your Virtual Machine

Sharon Isaacson
Erin K. Banks, CISSP, CISA / www.commondenial.com / @banksek

Page 2: 040711 webcast securing vmachine

Our Customers Are Asking Themselves

• How do I centrally manage compliance across mixed VMware and physical IT environments?

• Can I secure access and information in my VMware View environment?

• Can I respond more quickly to security events in my virtual environment?

• Can I ensure my virtualized business critical applications are running in a secure and compliant environment?

Page 3: 040711 webcast securing vmachine

Implications of Challenges

• CISOs need to manage security and compliance across virtual and physical IT

• Security and compliance concerns stall the adoption of virtualization

• Missing opportunity for “better than physical” security

Page 4: 040711 webcast securing vmachine

Virtualization Creates an Opportunity for More Effective Security

• Push Security Enforcement Further Down the Stack (to the vApp and VM layer)

• Today most security is enforced by the OS and application stack. This is:

  • Ineffective

  • Inconsistent

  • Complex

[Diagram: stacked APP/OS pairs running on Virtual and Cloud Infrastructure, which in turn runs on Physical Infrastructure]

Pushing information security enforcement to the infrastructure layer ensures:

• Consistency

• Simplified security management

• Ability to surpass the levels of security possible in today’s physical infrastructures


Page 6: 040711 webcast securing vmachine


VMware Approach to Security

Page 7: 040711 webcast securing vmachine

Isolation by Design

CPU & Memory

• VMs have limited access to CPU

• Memory isolation enforced by Hardware TLB

• Memory pages zeroed out before being used by a VM

Virtual Network

• No code exists to link virtual switches

• Virtual switches immune to learning and bridging attacks

Virtual Storage

• Virtual Machines only see virtual SCSI devices, not actual storage

• Exclusive virtual machine access to virtual disks enforced by VMFS using SCSI file locks

Page 8: 040711 webcast securing vmachine

VMware Secure Development Lifecycle Process

[Diagram: lifecycle phases] Training; Kickoff & Business Risk Analysis; Architecture Risk Analysis; Code Analysis & Inspection; Security Testing; Response Preparation; Security Response; all under the Product Security Policy

• Protect Customer Data & Infrastructure

• Enable Policy Compliance

• Protect Brand

Page 9: 040711 webcast securing vmachine

Independently validated

Common Criteria Certification, EAL (Evaluation Assurance Level):

• RSA Archer eGRC Platform v5.0 – In process

• RSA Data Loss Prevention Suite v6.5 – EAL 2+

• VMware ESXi 3.5 and VirtualCenter 2.5 – EAL 4+

• VMware ESX Server 3.5 and VirtualCenter 2.5 – EAL 4+

• VMware® ESX 4.0 Update 1 and vCenter Server 4.0 Update 1 – EAL 4+

DISA STIG for all products

• Approval for use in DoD information systems

NSA Central Security Service

• Guidance for both datacenter and desktop scenarios

Page 10: 040711 webcast securing vmachine

How Virtualization Affects Datacenter Security

Drivers: faster deployment of servers, VM mobility, VM encapsulation (↑ positive effect, ↓ negative effect)

• ↑ Ease of business continuity

• ↑ Consistency of deployment

• ↑ Hardware Independence

• ↑ Improved Service Levels

• ↑ IT responsiveness

• ↓ Outdated offline systems

• ↓ Unauthorized Copy

• ↓ Identity divorced from physical location

• ↓ Lack of adequate planning

• ↓ Incomplete knowledge of current state of infrastructure

• ↓ Poorly Defined Procedures

• ↓ Inconsistent Configurations

Page 11: 040711 webcast securing vmachine


How do we secure and make our Virtual Infrastructure compliant?

Use the Principles of Information Security

• Hardening and Lockdown

• Defense in Depth

• Authorization, Authentication, and Accounting to enforce Separation of Duties and Least Privileges

• Administrative Controls

For virtualization this means:

• Secure the Guests

• Harden the Virtualization layer

• Setup Access Controls

• Leverage Virtualization Specific Administrative Controls

What Auditors Want to See:

• Network Controls

• Change Control and Configuration Management

• Access Controls & Management

• Vulnerability Management

Page 12: 040711 webcast securing vmachine

Segmentation

Data Center needs to be secured at different levels

Perimeter Security – at the vDC edge, keep the bad guys out

• Perimeter security device(s) at the edge

• Firewall, VPN, Intrusion Prevention

• Load balancers

Cost & Complexity at the vDC Edge: sprawl (hardware, FW rules, VLANs), rigid FW rules, performance bottlenecks

Internal Security – segmentation of applications, servers

• VLAN or subnet based policies

• Interior or Web application Firewalls

• DLP, application identity aware policies

End Point Security – end point protection

• Desktop AV agents

• Host based intrusion

• DLP agents for privacy

Page 13: 040711 webcast securing vmachine

Securing virtual Data Center (vDC) with legacy security solutions

Customers cannot realize true virtualization benefits due to security concerns

[Diagram: virtualized DMZ with firewalls, showing Internet, perimeter security, internal security and endpoint security, with separate Web, Application and Database zones on vSphere]

• Air Gapped Pods with dedicated physical hardware

• Mixed trust clusters without internal security segmentation

• Configuration Complexity

  o VLAN sprawl

  o Firewall rules sprawl

  o Rigid network IP rules without resource context

• Private clouds (?)

Page 14: 040711 webcast securing vmachine

Legacy security approach does not work for vDCs

Perimeter Security – Cost & Complexity at the vDC Edge

• Sprawl: hardware, FW rules, VLANs

• Rigid FW rules

• Performance bottlenecks

End Point Security – Agent Sprawl, Performance on vDC Endpoints

• AV ‘storms’ strain resource pools

• Sprawl: AV agents in all VMs

• Risk: AV in guest VMs – not hardened

Internal Security – VLAN Complexity & Blind Spots Across vDC Applications

• Sprawl: VLANs, hardware

• Blind spots: inter-VM traffic

• Performance bottlenecks

Page 15: 040711 webcast securing vmachine

vShield Products

Securing the Private Cloud End to End: from the Edge to the Endpoint

[Diagram: DMZ, Application 1 and Application 2 as security zones; each endpoint is a VM]

vShield Edge – Secure the edge of the virtual datacenter

vShield App and Zones – Create segmentation between enclaves or silos of workloads

vShield Endpoint – Offload anti-virus processing

vShield Manager – Centralized Management

Page 16: 040711 webcast securing vmachine

Leveraging Virtualization for Better-than-Physical Security

Key Benefits

– Complete visibility and control of inter-VM traffic, enabling multiple trust zones on the same ESX cluster.

– Intuitive business language policy leveraging vCenter inventory.

Better than Physical

– Virtual firewall with unlimited port density

– Hypervisor level introspection provides access to inter-VM traffic

– Topology independent regardless of network config, as policies follow the VMs (IP address agnostic policies)

– Built in Firewall capabilities provide better than physical security at 1/3rd the cost.

Page 17: 040711 webcast securing vmachine


Summary: VMware Approach to Security


Page 19: 040711 webcast securing vmachine

Security Tools

• SIEM (security information and event management)

• Compliance (Hardening guidelines)

• Data Loss Prevention

• vShield Zones

• Access Control

• Network Control

• VLANs

• Secure Code

• …

Page 20: 040711 webcast securing vmachine


Visibility

Page 21: 040711 webcast securing vmachine

SIEM

• Security information and event management tool

• Captures event data

• Audit logs

• Storage

• Groups

• Virtual network infrastructure

• User and Administrative activities

Page 22: 040711 webcast securing vmachine

VMware Collector for RSA enVision

• VMware native APIs to retrieve the logs from vCenter and ESX/ESXi servers

• Multiple vCenters

[Diagram: collector feeding RSA enVision]

Page 23: 040711 webcast securing vmachine

VMware Messages

• enVision collects and parses messages from

  – VMware View, VMware vShield, VMware vCloud Director

• Over 800 very well described Message IDs

  – vMotion and Storage vMotion

  – Snapshots

  – User Login/Logoff

  – Virtual Machine Operations, e.g. Power On/Off/Reset

• 7 taxonomy categories

  – Authentication, config, policies, system
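As an added example (not code from the webcast or from RSA enVision), the Python below parses constructed vCenter-style event lines into the four taxonomy categories the slide names and audits login/logoff pairs; the event type names, users, hosts and addresses are made up for the sample and are not real VMware message IDs.

```python
import re
from collections import Counter

# Constructed sample events in a vCenter-style "EventType: text" shape.
# Event names, users and hosts are invented for this example.
SAMPLE_EVENTS = [
    "UserLoginSessionEvent: User admin@vsphere.local logged in from 10.0.0.5",
    "VmPoweredOffEvent: db01 on host esx02 is powered off",
    "VmBeingMigratedEvent: Migrating web01 from esx01 to esx03",
    "VmSnapshotCreatedEvent: Created snapshot 'pre-patch' for db01",
    "UserLoginSessionEvent: User ops@vsphere.local logged in from 10.0.0.9",
    "UserLogoutSessionEvent: User admin@vsphere.local logged out",
    "VmReconfiguredEvent: Reconfigured web01 on esx01",
    "HostConnectionLostEvent: Lost connection to host esx02",
    "DvsPortBlockedEvent: Port 17 on dvSwitch-prod blocked by policy",
]

# Event-family patterns mapped to the taxonomy categories the slide names
# (the slide lists seven categories but names only these four).
TAXONOMY = [
    (re.compile(r"^User(Login|Logout)SessionEvent$"), "authentication"),
    (re.compile(r"^Vm(Snapshot|Reconfigured|BeingMigrated)"), "config"),
    (re.compile(r"^Dvs.*Blocked"), "policies"),
    (re.compile(r"^(Host|VmPowered|VmReset)"), "system"),
]

def parse_event(line):
    """Split 'EventType: text' and assign a taxonomy category."""
    event_type, _, text = line.partition(": ")
    category = next((cat for pat, cat in TAXONOMY if pat.search(event_type)), "unknown")
    return {"type": event_type, "category": category, "text": text}

def category_counts(lines):
    """Number of events per taxonomy category, like a SIEM summary view."""
    return Counter(parse_event(l)["category"] for l in lines)

def open_sessions(lines):
    """Users who logged in but never logged out within the batch."""
    active = set()
    for ev in map(parse_event, lines):
        if ev["category"] != "authentication":
            continue
        user = re.search(r"User (\S+) logged", ev["text"]).group(1)
        if ev["type"].startswith("UserLogin"):
            active.add(user)
        else:
            active.discard(user)
    return sorted(active)
```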


Page 25: 040711 webcast securing vmachine

GRC

• Governance

  – Setting the rules

• Risk

  – Ensuring the correct rules are in place and functioning

• Compliance

  – Measuring the effectiveness of the rule

• Understanding the process used to define the rule

• Understanding how well people adhere to the rule

Page 26: 040711 webcast securing vmachine

Trusting The Cloud

How Do You Govern, Manage Risk, and Ensure Compliance?

[Diagram: eGRC at the centre of Governance, Risk and Compliance across Private, Public and Hybrid clouds; regulations and frameworks shown: PCI, Cobit, SOX, ISO, GLBA, NIST, FISMA]

Page 27: 040711 webcast securing vmachine

RSA Archer: Mapping VMware security controls to regulations and standards

From the CxO view down to the VI Admin view:

• Authoritative Source – Regulations (PCI-DSS, etc.), e.g. “10.10.04 Administrator and Operator Logs”

• Control Standard – Generalized security controls, e.g. “CS-179 Activity Logs – system start/stop/config changes etc.”

• Control Procedure – Technology-specific control, e.g. “CP-108324 Persistent logging on ESXi Server”
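An added illustration, not RSA Archer code: the Python below models the three tiers on this slide, using the identifiers quoted above, and rolls constructed per-host measurement results up from control procedure to regulation clause; the second procedure (CP-HYPOTHETICAL-1) and the host names are made up.

```python
from dataclasses import dataclass, field

# Three-tier hierarchy from the slide. CP-108324, CS-179 and 10.10.04 are the
# identifiers quoted on the slide; measurement results and hosts are constructed.
@dataclass
class ControlProcedure:
    id: str
    name: str
    results: dict  # host -> True (pass) / False (fail), as a measurement agent would report

@dataclass
class ControlStandard:
    id: str
    name: str
    procedures: list = field(default_factory=list)

@dataclass
class AuthoritativeSource:
    id: str
    name: str
    standards: list = field(default_factory=list)

def procedure_status(cp):
    """A procedure passes only if every measured host passes; no data counts as a fail."""
    return bool(cp.results) and all(cp.results.values())

def standard_status(cs):
    return all(procedure_status(cp) for cp in cs.procedures)

def source_status(src):
    """CxO view: is the regulation clause satisfied across all mapped controls?"""
    return all(standard_status(cs) for cs in src.standards)

def failing_hosts(src):
    """VI Admin view: which host violates which procedure under this clause."""
    return sorted(
        (src.id, cs.id, cp.id, host)
        for cs in src.standards
        for cp in cs.procedures
        for host, ok in cp.results.items() if not ok
    )

def build_sample():
    logging = ControlProcedure("CP-108324", "Persistent logging on ESXi Server",
                               {"esx01": True, "esx02": False, "esx03": True})
    syslog = ControlProcedure("CP-HYPOTHETICAL-1", "Remote syslog host configured",  # made-up id
                              {"esx01": True, "esx02": True, "esx03": True})
    cs = ControlStandard("CS-179", "Activity Logs – system start/stop/config changes etc.",
                         [logging, syslog])
    return AuthoritativeSource("10.10.04", "Administrator and Operator Logs", [cs])
```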

Page 28: 040711 webcast securing vmachine

VI Configuration Measurement

RSA Solution for Cloud Security and Compliance v1.0

[Diagram: VI Component Discovery and Population and VMware-specific Controls in RSA Archer eGRC; an Automated Measurement Agent reporting to RSA enVision, which raises alerts into RSA Archer eGRC]

Page 29: 040711 webcast securing vmachine


Overall Virtual Infrastructure Compliance Dashboard

Page 30: 040711 webcast securing vmachine


Demonstration

Page 31: 040711 webcast securing vmachine


VMware vShield Network Security Events Fed to Archer

Page 32: 040711 webcast securing vmachine


HyTrust - Access Policy Events Fed to Archer

Page 33: 040711 webcast securing vmachine

Making Archer the Best GRC Solution for Hybrid Clouds

RSA Solution for Cloud Security and Compliance aligns with CSA Consensus Assessment Questions by automating 195 questions that customers can issue to assess cloud service providers.

Cloud Security Alliance’s 13 domains of focus for cloud computing

Assessing Service Provider Compliance

Page 34: 040711 webcast securing vmachine

More Information

• www.rsa.com/rsavirtualization

• RSA SecurBooks – Technical guides for deploying and operating RSA Solutions


Page 36: 040711 webcast securing vmachine

Avamar Advantages for VMware Data Protection (Backup & Recovery)

Guest-Level Backup

– Best for Tier 1 Application Consistency

– Highest level of deduplication

– File-level recovery

Image-Level Backup (vmdk)

– Change block tracking reduces backup processing

– Single-step backups & restores

– Restore to the original VM or new VM

– Proxy pooling and load balancing

– File-level recovery from image backup

vCenter Integration

– Displays protected VMs and protection type (guest, image)

– Identifies VMs that are not protected

Scalability

– Avamar scales to meet data growth and backup requirements

– Bare metal restore for entire Vblock (VCE)

Page 37: 040711 webcast securing vmachine

VMware vStorage API for Site Recovery Manager

EMC Storage Replication Adapters for DR

[Diagram: Production site replicated over the WAN by EMC Replication to a Recovery site, with a DR Test environment]

• EMC Storage Platforms Integrate With VMware SRM

• EMC SRAs Allow Automated

  • D/R Setup

  • D/R Testing

  • Site Failover

• EMC VSI Manages Automated Failback After Recovery

Page 38: 040711 webcast securing vmachine


THANK YOU

Page 39: 040711 webcast securing vmachine


Q&A