Virtualize More While Improving Your Cybersecurity Risk Posture – The “4 Must Haves” of Virtualization Security For State, Local, and Education
Eric Pankau – Director, Government, Carahsoft
Eric Chiu – Founder & President, HyTrust
Curtis Salinas – Technical Account Manager, HyTrust
Phone: 650-681-8100 / email: [email protected]
1975 W. El Camino Real, Suite 203, Mountain View, CA 94040
© 2012, HyTrust, Inc. www.hytrust.com
Data Center Evolution in the Public Sector
EXTERNAL FACTORS
• Cost cutting
• Compliance
• APTs
• Decreasing time-to-breach
• Increasing partner access to data center
TRANSFORMATIVE EVENTS
• Virtualization “1st 50%”
• Converged infrastructure
• Private clouds
• Data center consolidation
• Data center automation
MOVING FORWARD
• Virtualization “next 50%”
• Maximum utilization
• Multi-tenancy
• IT self-service
• Maintaining compliance
• Maintaining governance
Key trend: pressure for cost cutting is driving data center efficiency initiatives, including increased virtualization
Security and Compliance Key to Virtualizing “the Next 50%”
Discussion
• Tier 3/4 workloads now mostly virtualized
• Tier 1/2 workloads have higher security, compliance needs
• Virtualization platform provides OK security for non-critical apps
• Purpose-built solutions needed for mission critical workloads
[Chart: virtualization maturity stages (Develop/Test, Limited Production, Extensive Production, Enterprise Platform, Mission-Critical Workloads) plotted against compliance level (Non-Compliant, Limited Compliance, Compliant, Best-Practice)]
Plans to virtualize Tier 1 workloads have exposed gaps in platform security and compliance
Gaps in Platform Support for Tier 1 Workloads
• Breach Prevention
• Audit Support
• Stopping Human Error
Privilege Misuse Can Have Huge Business Impact
• 50-80%: percentage of outages and availability/performance problems related to misconfiguration (Gartner >50%, Enterprise Management Assoc. 60%, IT Process Institute 80%, 2005-12)
• 56%: percentage of execs who say their most serious fraud was due to a privileged user (PricewaterhouseCoopers, Wall Street Journal, April 2012)
• 43%: percentage of security breaches due to “trusted” insiders and business partners (Forrester survey, June 2011)
Example: Shionogi & Co., a $3.2B pharmaceutical company. A laid-off IT admin:
• Logged in remotely to vSphere from McDonald’s WiFi
• Deleted 88 virtual production servers
• Took down email, order entry, payroll, BlackBerry, and other services
• Caused $800K damage
Enforceable access and configuration policies are needed for safe Tier 1 virtualization
Keys to Virtual Infrastructure Security – “The 4 Must Haves”
[Diagram: the four must-haves arranged around the Virtual Infrastructure]
HyTrust provides 2 of the required functions directly and supports the other 2 through partners
Expert Consensus on Virtualization Best Practices
• “Enforce least privilege and separation of duties”
• “It is critical that independent monitoring of all activities be enforced”
• “Require multi-factor authentication for all administrative functions.”
• “Administrative access to the hypervisor/VMM layer must be tightly controlled”
• “Restrict and protect administrator access to the virtualization solution.”
• “Secure each management interface”
• “Monitor and analyze logs at all layers of the virtualization infrastructure”
Sources: * NIST SP 800-125: Guide to Security for Full Virtualization Technologies; ** PCI-DSS 2.0 Information Supplement – Virtualization Security; *** Neil MacDonald, vice president and Gartner fellow
PCI DSS v2 Requirements Met by HyTrust
Requirement 2) Do not use vendor-supplied defaults for system passwords and other system parameters.
HyTrust solution:
• Password vault for generic/shared accounts (root/administrator)
• Assessment against a configuration standard to verify passwords have been changed
Requirement 7) Restrict access to cardholder data by business need-to-know.
HyTrust solution:
• Granular RBAC and label-based restricted access to ESX/i, vCenter, VM console, Nexus 1000V, etc.
• Authentication integrated with Active Directory groups and roles
Requirement 8) Assign a unique ID to each person with computer access.
HyTrust solution:
• Root Password Vault (RPV) regulates access to privileged/shared accounts; individuals are tracked with a check-out/check-in process.
• Multi-factor authentication supported with RSA SecurID and/or smart cards
Requirement 10) Track and monitor all access to network data and apps and cardholder data.
HyTrust solution:
• Audit trail for all access regardless of method
• Detailed record of who did what, where, when and the result (allowed or denied)
• Logs sent to a central log repository
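The access-control and audit entries above describe a mechanism: AD-group roles, label-scoped (separation-of-duties) access, a second factor on administrative actions, shared root attributed to the individual who checked it out, and one who/what/where/when/result record for every request, allowed or denied. The Python below is an added illustration written for this page, not HyTrust code. The role names, AD groups, labels, action names and sample requests are constructed; a real enforcement point would receive the request from the management path and forward the record to the central log repository.

```python
"""Policy decision and audit record for virtual-infrastructure admin requests.

Added example for this page, not HyTrust code. Roles, AD groups, labels,
action names and sample requests are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
import json
from typing import Optional

# Role -> actions it may perform (least privilege: each role gets only its tasks)
ROLE_ACTIONS = {
    "vm-operator": {"vm.powerOn", "vm.powerOff", "vm.console"},
    "vm-admin":    {"vm.powerOn", "vm.powerOff", "vm.console", "vm.create", "vm.delete"},
    "host-admin":  {"host.config", "host.maintenance"},
    "auditor":     {"log.read"},
}
# Active Directory group -> role (authorization tied to AD group membership)
GROUP_ROLES = {
    "DC-Ops": "vm-operator",
    "VM-Admins": "vm-admin",
    "Host-Admins": "host-admin",
    "Security-Audit": "auditor",
}
# Administrative functions that must be performed with a second factor
MFA_REQUIRED = {"vm.create", "vm.delete", "host.config", "host.maintenance"}
# Label-based restriction (separation of duties): role -> labels it may not touch
SOD_DENY = {
    "vm-operator": {"PCI"},   # operators stay out of the cardholder-data scope
    "host-admin":  {"PCI"},   # host admins do not reconfigure PCI-scoped hosts
}


@dataclass
class Request:
    user: str                      # individual AD identity, never a shared account
    groups: set
    action: str
    target: str                    # object path, e.g. "dc1/esx01/vm/payroll-db"
    target_labels: set
    mfa_verified: bool
    source_ip: str
    checked_out_root: Optional[str] = None  # host whose vaulted root was checked out


def decide(req):
    """Evaluate the request; returns (result, reason) with result 'allowed' or 'denied'."""
    roles = {GROUP_ROLES[g] for g in req.groups if g in GROUP_ROLES}
    granting = {r for r in roles if req.action in ROLE_ACTIONS[r]}
    if not granting:
        return "denied", "no role grants " + req.action
    # The granting role must not be excluded from any label carried by the target
    usable = {r for r in granting if not (req.target_labels & SOD_DENY.get(r, set()))}
    if not usable:
        labels = ",".join(sorted(req.target_labels))
        return "denied", "role restricted from label(s) " + labels
    if req.action in MFA_REQUIRED and not req.mfa_verified:
        return "denied", "multi-factor authentication required for administrative action"
    return "allowed", "granted by role " + sorted(usable)[0]


def audit_record(req, result, reason, now=None):
    """Who did what, where, when, and the result: one record per request, allowed or not."""
    when = (now or datetime.now(timezone.utc)).isoformat()
    who = req.user
    if req.checked_out_root:
        # Shared root is attributed to the individual who checked it out of the vault
        who += " (checked-out root on " + req.checked_out_root + ")"
    return {"when": when, "who": who, "what": req.action, "where": req.target,
            "from": req.source_ip, "result": result, "reason": reason}


def handle(req, now=None):
    """Decide and log in one step, the way an inline enforcement point would."""
    result, reason = decide(req)
    return audit_record(req, result, reason, now)


# Constructed sample requests
SAMPLE_REQUESTS = [
    Request("alice", {"DC-Ops"}, "vm.powerOn", "dc1/esx01/vm/web01", set(), False, "10.1.1.5"),
    Request("alice", {"DC-Ops"}, "vm.console", "dc1/esx01/vm/payroll-db", {"PCI"}, False, "10.1.1.5"),
    Request("bob", {"VM-Admins"}, "vm.delete", "dc1/esx01/vm/web01", set(), False, "10.1.1.9"),
    Request("bob", {"VM-Admins"}, "vm.delete", "dc1/esx01/vm/web01", set(), True, "10.1.1.9"),
    Request("carol", {"Host-Admins"}, "host.config", "dc1/esx02", {"PCI"}, True, "10.1.1.12",
            checked_out_root="esx02"),
    Request("dave", {"Security-Audit"}, "vm.delete", "dc1/esx01/vm/web01", set(), True, "203.0.113.7"),
]

if __name__ == "__main__":
    for r in SAMPLE_REQUESTS:
        print(json.dumps(handle(r)))
```

The denied requests are logged with the same detail as the allowed ones; a record that only captures successes would not have shown the attempt pattern in the Shionogi case, where the damaging actions were performed with a still-valid credential.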
NIST Directives on Virtualization Security
“Organizations should have the same security controls in place for virtualized operating systems as they have for the same operating systems running directly on hardware.”
“Restrict and protect administrator access to the virtualization solution.”
“The security of the entire virtual infrastructure relies on the security of the virtualization management system that controls the hypervisor and allows the operator to start guest OSs, create new guest OS images, and perform other administrative actions.”
“Ensure that the hypervisor is properly secured.”
Neither physical data center security controls nor the basic controls provided by the virtualization platform were designed to fulfill these requirements for FISMA compliance.
HyTrust Role in NIST/FISMA Compliance
• 6 of 18 NIST 800-53 control families focus on controlling and tracking infrastructure access or ensuring configuration and system integrity
• Compliance in virtual environments requires an approach that addresses the distinct attributes of virtual infrastructure access, configuration, and system integrity
• HyTrust is purpose-built to control and log access activity, ensure compliant host configurations, and protect system integrity in virtual environments
• HyTrust fills critical gaps in the virtualization platform’s NIST/FISMA compliance capabilities*
Source: NIST Special Publication 800-53, Revision 3
* Platform capabilities mentioned in this document are believed to be accurate as of April, 2012, and are subject to revision
HyTrust: Confidently Virtualize Critical Applications
Secures the hypervisor & virtual infrastructure by closing platform gaps:
• Enforces consistent access and authorization policies covering all access methods
• Provides granular, user-specific, audit-quality logs
• Enables strong, multi-factor authentication
• Verifies platform integrity, ensuring the hypervisor is hardened and the virtual infrastructure is trusted
By filling the gaps in virtual infrastructure security and compliance, HyTrust enables enterprises to virtualize more and improve business outcomes
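The platform-integrity point here, and the PCI requirement 2 entry earlier (assessment against a configuration standard), both amount to comparing each host's live configuration with a hardening baseline and failing closed on anything unset. The Python below is an added example for this page, not HyTrust's assessment engine. The setting keys are used as assumed ESXi advanced-option and service names, the baseline values are one plausible hardening choice rather than a published standard, and the three host snapshots are constructed; in practice the snapshot would be read from the vSphere API.

```python
"""Assess ESXi host configuration snapshots against a hardening baseline.

Added example for this page, not HyTrust code. Setting keys are assumed
ESXi advanced-option/service names; baseline values and host snapshots
are constructed for illustration.
"""

# Baseline: setting -> (comparison, expected). A missing setting is non-compliant.
BASELINE = {
    "UserVars.ESXiShellInteractiveTimeOut": ("range", (1, 900)),   # idle shell sessions expire
    "UserVars.ESXiShellTimeOut": ("range", (1, 900)),              # shell availability window
    "Security.AccountLockFailures": ("range", (1, 5)),             # brute-force lockout enabled
    "Config.HostAgent.plugins.solo.enableMob": ("equals", False),  # Managed Object Browser off
    "service.TSM-SSH.running": ("equals", False),                  # SSH off outside maintenance
    "root.password_rotated": ("equals", True),                     # vaulted root, not vendor default
}


def check_value(comparison, expected, actual):
    """Return True when the observed value satisfies the baseline rule."""
    if actual is None:
        return False                      # unset: cannot prove compliance, so fail closed
    if comparison == "equals":
        return actual == expected
    if comparison == "range":
        low, high = expected
        return low <= actual <= high
    raise ValueError("unknown comparison " + comparison)


def assess_host(name, settings):
    """Return one finding per baseline rule the host fails."""
    findings = []
    for key, (comparison, expected) in BASELINE.items():
        actual = settings.get(key)
        if not check_value(comparison, expected, actual):
            findings.append({"host": name, "setting": key,
                             "expected": expected, "actual": actual})
    return findings


def assess(hosts):
    """Assess every host; a host is compliant only with zero findings."""
    report = {}
    for name, settings in hosts.items():
        findings = assess_host(name, settings)
        report[name] = {"compliant": not findings, "findings": findings}
    return report


# Constructed host snapshots (in practice read via the vSphere API)
HOSTS = {
    "esx01": {
        "UserVars.ESXiShellInteractiveTimeOut": 600,
        "UserVars.ESXiShellTimeOut": 600,
        "Security.AccountLockFailures": 5,
        "Config.HostAgent.plugins.solo.enableMob": False,
        "service.TSM-SSH.running": False,
        "root.password_rotated": True,
    },
    "esx02": {   # shell never times out, MOB left on, root still at install default
        "UserVars.ESXiShellInteractiveTimeOut": 0,
        "UserVars.ESXiShellTimeOut": 600,
        "Security.AccountLockFailures": 5,
        "Config.HostAgent.plugins.solo.enableMob": True,
        "service.TSM-SSH.running": False,
        "root.password_rotated": False,
    },
    "esx03": {   # lockout threshold was never set
        "UserVars.ESXiShellInteractiveTimeOut": 600,
        "UserVars.ESXiShellTimeOut": 600,
        "Config.HostAgent.plugins.solo.enableMob": False,
        "service.TSM-SSH.running": False,
        "root.password_rotated": True,
    },
}

if __name__ == "__main__":
    for host, result in assess(HOSTS).items():
        status = "compliant" if result["compliant"] else "%d finding(s)" % len(result["findings"])
        print(host, status)
        for f in result["findings"]:
            print("  ", f["setting"], "expected", f["expected"], "got", f["actual"])
```

A timeout of 0 is the case worth noticing: it is a valid integer, but it means "never expire", so an equality check against a single expected value would miss it while the range rule catches it.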
Partnerships Magnify HyTrust Value
• HyTrust is a key “go to” partner for vSphere security and compliance
• HyTrust is part of CA ControlMinder for Virtual Environments
• HyTrust is the platform security solution (access control and auditing) for vBlock
• HyTrust reporting and controls are being integrated with Symantec CCS
• HyTrust is part of Intel’s trusted cloud architecture based on TXT
• HyTrust event reporting and TXT integration are being integrated with McAfee ePO
• HyTrust provides native integration with SecurID and enVision
• HyTrust provides combined reporting with Trend’s Deep Security product
Use Case: State of Michigan
Company: State Government with centralized IT supporting 17 agencies with varied security requirements
Background:
• 3 Data Centers with 70+ hosts and growing rapidly
• Running vSphere, Active Directory & RSA SecurID
Issue:
• Admin/user authentication and authorization
• PCI logging
• Hypervisor hardening
Benefit:
• Enables customer to meet access requirements with seamless RSA integration
• Provides audit-quality logs to meet PCI compliance requirements
• Ensures a secure environment with documented, implemented roles
Use Case: University of California
Company: UC Campus with centralized IT supporting 30 departments with varied security requirements
Background:
• Consolidation, growth, centralization goals
• Running vSphere, Active Directory & RSA SecurID
Issue:
• Admin/user authentication and authorization
• Lack of transparency
• Hypervisor hardening
Benefit:
• Secure access leveraging two-factor authentication
• Separation of duties with total visibility
• Mapped to regulatory templates
“The HyTrust Appliance is the robust solution we need to offer essential new capabilities to our growing customer base—while enforcing policies and maintaining the utmost security.” (University of California, Systems Administrator)
Under the Hood: Typical VMware deploy (Router Mode)
[Diagram: Virtualization Management Clients and Enterprise Clients on the Corporate Network; VMware Management Subnet (ESXi Management VMkernels, vCenter Server); VM Guest Traffic Subnet(s); vCenter; authentication via Active Directory, LDAP, RSA SecurID]
Under the Hood: Live Demo
Summary: Virtualize More, With Confidence
• Virtualizing Tier 1 supports business goals through higher efficiency
• Pre-requisite: mitigate security and compliance risks to workloads
• HyTrust enforces access and configuration policies that mitigate those risks
• By filling gaps in platform security and compliance, HyTrust enables the economic benefits of Tier 1 virtualization and private clouds
Thank You!
Resource Links
• HyTrust Community Edition and Video Demos: http://www.hytrust.com/resources/product
• HyTrust Case Studies: http://www.hytrust.com/resources/case-studies
• HyTrust Analyst Reports: http://www.hytrust.com/resources/analyst-reports