Virtualize More While Improving Your Cybersecurity Risk Posture - The "4 Must Haves" of Virtualization Security for State, Local, and Education

Page 1: Virtualize More While Improving Your Cybersecurity Risk Posture - The "4 Must Haves" of Virtualization Security for State, Local, and Education

Phone: 650-681-8100 / email: [email protected]
1975 W. El Camino Real, Suite 203, Mountain View, CA 94040

Presenters:

• Eric Pankau – Director, Government, Carahsoft
• Eric Chiu – Founder & President, HyTrust
• Curtis Salinas – Technical Account Manager, HyTrust

© 2012, HyTrust, Inc. www.hytrust.com

Page 2

Data Center Evolution in the Public Sector


EXTERNAL FACTORS

• Cost cutting
• Compliance
• APTs
• Decreasing time-to-breach
• Increasing partner access to data center

TRANSFORMATIVE EVENTS

• Virtualization “1st 50%”
• Converged infrastructure
• Private clouds
• Data center consolidation
• Data center automation

MOVING FORWARD

• Virtualization “next 50%”
• Maximum utilization
• Multi-tenancy
• IT self-service
• Maintaining compliance
• Maintaining governance

Key trend: pressure for cost cutting driving data center efficiency initiatives, including increased virtualization

Page 3

Security and Compliance Key to Virtualizing “the Next 50%”

Discussion

• Tier 3/4 workloads now mostly virtualized
• Tier 1/2 workloads have higher security, compliance needs
• Virtualization platform provides OK security for non-critical apps
• Purpose-built solutions needed for mission critical workloads


[Chart: workload stages (Develop/Test, Limited Production, Extensive Production, Enterprise Platform, Mission-Critical Workloads) plotted against compliance level (Non-Compliant, Limited Compliance, Compliant, Best-Practice)]

Plans to virtualize Tier 1 workloads have exposed gaps in platform security and compliance

Page 4

Gaps in Platform Support for Tier 1 Workloads


• Breach Prevention
• Audit Support
• Stopping Human Error

Page 5

Privilege Misuse Can Have Huge Business Impact

50-80%: Percentage of outages and availability/performance problems related to misconfiguration
— Gartner (>50%), Enterprise Management Assoc. (60%), IT Process Institute (80%), 2005-12

56%: Percentage of execs who say their most serious fraud was due to a privileged user
— PricewaterhouseCoopers, Wall Street Journal, April 2012

43%: Percentage of security breaches due to “trusted” insiders and business partners
— Forrester survey, June 2011

Page 6


Shionogi & Co: $3.2B pharmaceutical company. Laid off IT admin:

• Logged in remotely to vSphere from McDonald’s WIFI
• Deleted 88 virtual production servers
• Took down email, order entry, payroll, BlackBerry, & other services
• Caused $800K damage

Enforceable access and configuration policies are needed for safe Tier 1 virtualization

Page 7

Keys to Virtual Infrastructure Security – “The 4 Must Haves”


[Diagram: the 4 must-haves arranged around the Virtual Infrastructure]

HyTrust provides 2 of the required functions directly and supports the other 2 through partners.

Page 8

Expert Consensus on Virtualization Best Practices


• “Enforce least privilege and separation of duties”
• “It is critical that independent monitoring of all activities be enforced”
• “Require multi-factor authentication for all administrative functions.”
• “Administrative access to the hypervisor/VMM layer must be tightly controlled”
• “Restrict and protect administrator access to the virtualization solution.”
• “Secure each management interface”
• “Monitor and analyze logs at all layers of the virtualization infrastructure”

Sources:
* NIST SP 800-125: Guide to Security for Full Virtualization Technologies
** PCI-DSS 2.0 Information Supplement – Virtualization Security
*** Neil MacDonald, vice president and Gartner fellow

Page 9

PCI DSS v2 Requirements Met by HyTrust

Requirement 2) Do not use vendor-supplied defaults for system passwords and other system parameters.
HyTrust Solution:
• Password vault for generic/shared accounts (root/administrator)
• Assessment against a configuration standard to verify passwords have been changed

Requirement 7) Restrict access to cardholder data by business need-to-know.
HyTrust Solution:
• Granular RBAC and label-based restricted access to ESX/i, vCenter, VM console, Nexus 1000V, etc.
• Authentication integrated with Active Directory groups and roles

Requirement 8) Assign a unique ID to each person with computer access.
HyTrust Solution:
• Root Password Vault (RPV) regulates access to privileged/shared accounts. Individuals are tracked with a check-out/in process.
• Multi-factor authentication supported with RSA SecurID and/or Smart Cards

Requirement 10) Track and monitor all access to network data and apps and cardholder data.
HyTrust Solution:
• Audit trail for all access regardless of method
• Detailed record of who did what, where, when and the result (allowed or denied)
• Logs sent to a central log repository

Page 10

NIST Directives on Virtualization Security


“Organizations should have the same security controls in place for virtualized operating systems as they have for the same operating systems running directly on hardware.”

“Restrict and protect administrator access to the virtualization solution. The security of the entire virtual infrastructure relies on the security of the virtualization management system that controls the hypervisor and allows the operator to start guest OSs, create new guest OS images, and perform other administrative actions.”

“Ensure that the hypervisor is properly secured.”

Neither physical data center security controls nor the basic controls provided by the virtualization platform were designed to fulfill these requirements for FISMA compliance.

Page 11

HyTrust Role in NIST/FISMA Compliance

• 6 of 18 NIST 800-53 control families focus on controlling and tracking infrastructure access or ensuring configuration and system integrity
• Compliance in virtual environments requires an approach that addresses the distinct attributes of virtual infrastructure access, configuration, and system integrity
• HyTrust is purpose-built to control and log access activity, ensure compliant host configurations, and protect system integrity in virtual environments
• HyTrust fills critical gaps in the virtualization platform’s NIST/FISMA compliance capabilities*

[Table: NIST 800-53 control families, columns IDENTIFIER and FAMILY; rows not recoverable]
Source: NIST Special Publication 800-53, Revision 3

* Platform capabilities mentioned in this document are believed to be accurate as of April, 2012, and are subject to revision

Page 12

HyTrust: Confidently Virtualize Critical Applications

Secures the hypervisor & virtual infrastructure by closing platform gaps:

• Enforces consistent access and authorization policies covering all access methods
• Provides granular, user-specific, audit-quality logs
• Enables strong, multi-factor authentication
• Verifies platform integrity, ensuring the hypervisor is hardened and the virtual infrastructure is trusted

By filling the gaps in virtual infrastructure security and compliance, HyTrust enables enterprises to virtualize more and improve business outcomes

Page 13

Partnerships Magnify HyTrust Value


• HyTrust is key "go to" partner for vSphere security and compliance
• HyTrust is part of CA ControlMinder for Virtual Environments
• HyTrust is the platform security solution (access control and auditing) for vBlock
• HyTrust reporting and controls being integrated with Symantec CCS
• HyTrust is part of Intel's trusted cloud architecture based on TXT
• HyTrust event reporting and TXT integration being integrated with McAfee ePO
• HyTrust provides native integration with SecurID and enVision
• HyTrust provides combined reporting with Trend's Deep Security product

Page 14

Use Case: State of Michigan

Company:
State Government with centralized IT supporting 17 agencies with varied security requirements

Background:
• 3 Data Centers with 70+ hosts and growing rapidly
• Running vSphere, Active Directory & RSA SecurID

Issue:
• Admin/user authentication and authorization
• PCI logging
• Hypervisor hardening

Benefit:
• Enables customer to meet access requirements with seamless RSA integration
• Provides audit-quality logs to meet PCI compliance requirements
• Ensures a secure environment with documented, implemented roles

Page 15

Use Case: University of California

Company:
UC Campus with centralized IT supporting 30 departments with varied security requirements

Background:
• Consolidation, growth, centralization goals
• Running vSphere, Active Directory & RSA SecurID

Issue:
• Admin/user authentication and authorization
• Lack of transparency
• Hypervisor hardening

Benefit:
• Secure Access leveraging two-factor authentication
• Separation of duties with total visibility
• Mapped to regulatory templates

“The HyTrust Appliance is the robust solution we need to offer essential new capabilities to our growing customer base—while enforcing policies and maintaining the utmost security.” (University of California, Systems Administrator)

Page 16

Under the Hood: Typical VMware deploy (Router Mode)


[Diagram: router-mode deployment. Labels: Virtualization Management Clients; Enterprise Clients; Corporate Network; VMware Management Subnet (ESXi Management VMkernels, vCenter Server); VM Guest Traffic Subnet(s); vCenter; authentication via Active Directory, LDAP, RSA SecurID]

Page 17

Under the Hood: Live Demo


Page 18

Summary: Virtualize More, With Confidence

• Virtualizing Tier 1 supports business goals through higher efficiency
• Pre-requisite: mitigate security and compliance risks to workloads
• HyTrust enforces access and configuration policies that mitigate risks
• By filling gaps in platform security and compliance, HyTrust enables economic benefits of Tier 1 virtualization and private clouds

Page 19

Thank You!


Page 20

Resource Links

• HyTrust Community Edition and Video Demos: http://www.hytrust.com/resources/product
• HyTrust Case Studies: http://www.hytrust.com/resources/case-studies
• HyTrust Analyst Reports: http://www.hytrust.com/resources/analyst-reports