VBLOCK SOLUTION FOR TRUSTED MULTI-TENANCY: TECHNICAL OVERVIEW


August 2011

2011 VCE Company LLC, All rights reserved.

Table of Contents

- Executive Summary
  - Goal of This Document
  - Audience
- Introduction
  - Service Models
- The Trusted Multi-Tenancy Elements
  - Secure Separation
  - Service Assurance
  - Security and Compliance
  - Availability and Data Protection
  - Tenant Management and Control
  - Service Provider Management and Control
- Overview of the TMT Model
- Technology Overview
  - About the Vblock platform
  - Management and Orchestration
    - Vblock Advanced Management Pod (AMP)
    - EMC Ionix Unified Infrastructure Manager (UIM)
  - Security Technologies
    - RSA enVision
    - RSA SecurID
    - RSA Authentication Manager
    - RSA Data Loss Prevention
    - RSA Data Loss Prevention Network
    - RSA Data Protection Manager
    - Cisco Virtual Security Gateway
    - VMware vShield
    - VMware vShield Zones
    - VMware vShield App
    - Cisco Adaptive Security Appliance
    - Cisco Intrusion Prevention System
    - Cisco Secure Access Control Server
  - Storage Technologies
    - EMC Symmetrix V-MAX
    - EMC Symmetrix Management Console
    - Symmetrix Priority Controls
    - EMC Symmetrix Performance Analyzer
    - EMC Fully Automated Storage Tiering (FAST)
    - EMC Symmetrix Optimizer
    - EMC PowerPath/VE
    - EMC Unified Storage
    - EMC Unisphere Management Suite
    - EMC Unisphere Quality of Service Manager
    - EMC VPLEX
    - EMC Ionix Storage Configuration Advisor
    - EMC Ionix ControlCenter
    - EMC Virtual Storage Integrator
    - EMC NetWorker
    - EMC Data Domain
    - EMC Avamar
    - EMC Replication Manager
    - EMC RecoverPoint
    - EMC RecoverPoint Storage Adapter for SRM
    - EMC Data Protection Advisor
  - Compute Technologies
    - Cisco Unified Computing System
    - VMware vSphere
    - VMware vSphere High Availability
    - VMware vSphere Fault Tolerance
    - VMware vSphere Distributed Resource Scheduler
    - VMware vSphere Resource Pools
    - VMware vMotion
    - VMware vCenter Server
    - VMware vCloud Director
    - VMware vCloud Request Manager
    - VMware vCenter Configuration Manager
    - VMware vCenter Site Recovery Manager
    - VMware vCenter CapacityIQ
    - VMware vCenter Chargeback
  - Network Technologies
    - Nexus 1000V Series
    - Nexus 5000 Series
    - Cisco Virtual PortChannels
    - Nexus 7000 Series
    - Cisco Overlay Transport Virtualization
    - Cisco MDS
    - Cisco Data Center Network Manager
    - VLAN Separation
    - Virtual Routing and Forwarding
    - Hot Standby Router Protocol
    - MAC Address Learning
    - EtherChannel
- Conclusion
- Further Reading

Executive Summary

VCE, the Virtual Computing Environment Company formed by Cisco and EMC with investments from VMware and Intel, represents an unprecedented level of collaboration in development, services, and partner enablement by four established market and technology leaders. VCE accelerates the adoption of converged infrastructure and cloud-based computing models that dramatically reduce the cost of IT while improving time to market for our customers.

VCE, through the Vblock Infrastructure Platforms, delivers the industry's first completely integrated IT offering that combines best-of-breed virtualization, networking, computing, storage, security, and management technologies with end-to-end vendor accountability. VCE's prepackaged solutions cover horizontal applications, vertical industry offerings, and application development environments, allowing customers to focus on business innovation instead of integrating, validating, and managing IT infrastructure.

VCE provides the fastest, most efficient and effective path to pervasive virtualization and cloud computing, available to customers through a large and growing network of value-added resellers, system integrators, and service provider partners. To date, more than 100 leading partners in 29 countries are actively selling Vblock platforms to a growing, diverse global customer base. VCE continues to innovate with the goal of providing market-leading simplicity, flexibility, and efficiency. For more information, go to

This document outlines the six foundational elements of the Trusted Multi-Tenancy (TMT) model and details its features, products, and underlying design principles.

Goal of This Document

This document provides a technical overview of the TMT solution, which enables an organization to successfully create and deploy a secure and dynamic data center infrastructure.
The TMT solution comprises six foundational elements that are standard Vblock platform components, together with additional products offered by RSA, Cisco, EMC, and VMware. These six elements address the unique requirements of the Infrastructure as a Service (IaaS) delivery model, which is the focus of this paper. In this document, the terms Tenant and Consumer refer to the consumers of the services provided by a service provider.

Audience

The target audience for this document is highly technical. It includes technical consultants, professional services personnel, IT managers, infrastructure architects, partner engineers, sales engineers, and consumers who wish to deploy a TMT environment consisting of leading technologies from RSA, Cisco, EMC, and VMware.

Introduction

The concept of multi-tenancy is found in virtually every definition of cloud computing. In its simplest form, multi-tenancy is an architectural model that optimizes resource sharing while providing sufficient isolation between tenants and Quality of Service (QoS) throughout the shared environment. While most in the industry understand the basics of providing a secure multi-tenant environment using VMware products, growing compliance and security requirements are driving providers and tenants to require more than isolation alone as a prerequisite for doing business. The TMT model used with the Vblock platform directly addresses this need by integrating high-quality security, encryption, and compliance reporting elements into the stack.

Large and small companies are taking advantage of the economic and environmental benefits of cloud computing. However, to take full advantage of cloud computing's many benefits, service providers must be able to support multiple tenants within the same physical infrastructure without any tenant being aware of its co-residents. The separation between tenants must be comprehensive and complete, and it must provide mechanisms for management, reporting, and alerting.

TMT recognizes and incorporates the need for dynamic resource allocation and secure component isolation throughout the Vblock platform, and goes beyond traditional secure multi-tenant designs in the following ways:

- The Vblock platform is a preconfigured and integrated product, which, combined with the six foundational elements, produces the TMT solution.
- TMT has a greater scope of security, which includes control and compliance through the integration of RSA products such as RSA enVision, RSA SecurID, and RSA Data Protection Manager.
- TMT includes EMC Ionix Unified Infrastructure Manager (UIM), which provides complete orchestration and provisioning.
- TMT provides simplified management by distinguishing between the needs of the tenants and those of the service provider.
Finally, service providers faced with increasingly constrained operational expense budgets are demanding greater operational efficiency from their infrastructure. The TMT model used with the Vblock platform directly addresses this issue with the only pre-integrated single-pane-of-glass management platform in the industry, the Ionix Unified Infrastructure Manager (UIM), and the only single-call support model that covers all of the included components.

Service Models

In cloud computing, the meaning of a multi-tenant architecture has broadened because of new service delivery models that take advantage of virtualization and remote access. The Cloud Security Alliance defines the following three basic service delivery models:

- Software as a Service (SaaS): This model allows the tenant to use the provider's applications running on a cloud infrastructure. The applications are accessible from various client devices through a thin client interface such as a web browser. The tenant does not manage or control the underlying cloud infrastructure, including network, servers, operating systems, storage, and application capabilities, with the possible exception of limited user-specific application configuration settings.
- Platform as a Service (PaaS): This model allows the tenant to deploy tenant-created or acquired applications onto the cloud infrastructure using programming languages and tools supported by the provider. The tenant does not manage or control the underlying cloud infrastructure, including network, servers,

operating systems, and storage, but has control over the deployed applications and possibly application hosting environment configurations.
- Infrastructure as a Service (IaaS): This model allows the tenant to provision processing, storage, networks, and other fundamental computing resources, on which the tenant is able to deploy and run arbitrary software, including operating systems and applications. The tenant does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, and deployed applications, and possibly limited control of select networking components (for example, host firewalls).

Although multi-tenancy requirements are similar for all types of services, this paper addresses the unique requirements of the IaaS delivery model.

The Trusted Multi-Tenancy Elements

Isolation and service assurance are the primary concerns of the Trusted Multi-Tenancy model (Figure 1). The "trusted" portion of the model relates to the visibility and control offered to tenants so that they can verify the environment. To support these fundamental requirements, the TMT model on the Vblock platform is built on six foundational elements:

- Secure Separation
- Service Assurance
- Security and Compliance
- Availability and Data Protection
- Tenant Management and Control
- Service Provider Management and Control

Figure 1. Six elements of the Vblock platform Trusted Multi-Tenancy

Secure Separation

The first element is Secure Separation. Secure separation refers to the effective segmentation and isolation of tenants and their assets within the multi-tenant environment. Without secure separation, Trusted Multi-Tenancy cannot occur.

Tenant Concerns

Adequate secure separation ensures that the resources of existing tenants remain untouched and the integrity of their applications, workloads, and data remains uncompromised when the service provider provisions new tenants. Each tenant may have access to different amounts of network, compute, and storage resources in the converged stack. A tenant sees only those resources allocated to it.

Provider Challenges

From the standpoint of the service provider, secure separation requires the systematic deployment of security control mechanisms throughout the infrastructure to ensure the confidentiality, integrity, and availability of tenant data, services, and applications. The logical segmentation and isolation of tenant assets and information are essential for providing confidentiality in a multi-tenant environment. In fact, ensuring the privacy and security of each tenant becomes a key design requirement in the decision to adopt cloud services. Table 1 describes secure separation methods.

Table 1. Secure separation methods

Network layer: Various methods, including zoning and virtual local area networks (VLANs), can enforce network separation. Internet Protocol Security (IPsec) also provides application-independent network encryption at the IP layer for additional security. VLANs and zones are configuration-enforced boundaries: they isolate tenants only while trunk, VRF, and zone membership remain correct, so the provider must verify the configuration, not just deploy it.

Compute layer: Within the computing infrastructure of the Vblock platform, multi-tenancy concerns must be addressed at multiple levels, beginning with the Intel central processing unit (CPU), through the Cisco Unified Computing System (UCS) server infrastructure, and within the VMware vSphere hypervisor.

Storage layer: Features of EMC's multi-tenancy offerings can be combined with standard security methods such as storage area network (SAN) zoning and Ethernet VLANs to segregate, control, and manage storage resources among the infrastructure's tenants. EMC's multi-tenancy offerings include data-at-rest encryption; secure transmission of data; and bandwidth, cache, CPU, and disk drive isolation.

Application layer: A specially written multi-tenant application, or multiple separate instances of the same application, can provide multi-tenancy at this level.

Service Assurance

Service Assurance plays a vital role in providing tenants with consistent, enforceable, and reliable service levels. Unlike physical resources, virtual resources are highly scalable and easy to allocate and reallocate on demand. In a multi-tenant virtualized environment, the service provider prioritizes virtual resources to accommodate the growth and changing business needs of tenants. Service level agreements (SLAs) define the level of service agreed to by tenants and the service provider. Service assurance plays an important role in ensuring that tenants receive the agreed-upon level of service.
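The network- and storage-layer mechanisms in Table 1 (VLANs and VRFs, SAN zoning) isolate tenants only while their configuration stays consistent, so a provider needs a check that the boundaries still hold each time a tenant is added or changed. The following is an added example, not code from the VCE document or from any Cisco, EMC, or VMware product: a Python audit over a constructed inventory (the tenant names, VLAN IDs, VRF names, WWPNs, and zone names are all made up here) that flags a VLAN carried for two tenants, a tenant VLAN routed in another tenant's VRF, and a SAN zone that mixes initiators of different tenants.

```python
"""Tenant-separation audit over a converged-stack inventory.

Added example (not VCE, Cisco, EMC or VMware code).  The inventory below is
constructed for illustration; in practice it would be exported from the
Nexus/UCS VLAN and VRF configuration and from the active MDS zoneset.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

Finding = Tuple[str, str, str]  # (layer, severity, message)

# Constructed inventory.  Tenant "globex" has been given VLAN 102, which
# already belongs to "acme" and is routed in acme's VRF, and a leftover
# zone Z_LEGACY contains initiators of both tenants plus an unknown WWPN.
INVENTORY: Dict = {
    "tenants": {
        "acme":   {"vlans": [101, 102], "vrf": "VRF-ACME",
                   "wwpns": ["10:00:00:00:c9:aa:00:01"]},
        "globex": {"vlans": [201, 102], "vrf": "VRF-GLOBEX",
                   "wwpns": ["10:00:00:00:c9:bb:00:01"]},
    },
    # VLAN -> VRF in which its routed interface is placed
    "vlans": {101: {"vrf": "VRF-ACME"}, 102: {"vrf": "VRF-ACME"},
              201: {"vrf": "VRF-GLOBEX"}},
    # storage-array target ports; allowed in any tenant's zone
    "storage_targets": ["50:00:09:72:00:01:2a:01"],
    # zone name -> member WWPNs (active zoneset)
    "zones": {
        "Z_ACME_ESX01_VMAX": ["10:00:00:00:c9:aa:00:01",
                              "50:00:09:72:00:01:2a:01"],
        "Z_LEGACY": ["10:00:00:00:c9:aa:00:01", "10:00:00:00:c9:bb:00:01",
                     "10:00:00:00:c9:cc:00:09", "50:00:09:72:00:01:2a:01"],
    },
}


def audit_separation(inv: Dict) -> List[Finding]:
    """Return every separation violation found in the inventory."""
    findings: List[Finding] = []
    tenants = inv["tenants"]

    # Network layer, rule 1: a VLAN is one broadcast domain, so it may be
    # allocated to at most one tenant.
    vlan_owners: Dict[int, set] = defaultdict(set)
    for name, t in tenants.items():
        for vlan in t["vlans"]:
            vlan_owners[vlan].add(name)
    for vlan, owners in sorted(vlan_owners.items()):
        if len(owners) > 1:
            findings.append(("network", "high",
                             f"VLAN {vlan} shared by tenants {sorted(owners)}"))

    # Network layer, rule 2: every tenant VLAN must be routed only inside
    # that tenant's own VRF; an interface in another VRF (or in the global
    # table) is a layer-3 path between tenants.
    for name, t in tenants.items():
        for vlan in t["vlans"]:
            vrf = inv["vlans"].get(vlan, {}).get("vrf")
            if vrf is None:
                findings.append(("network", "high",
                                 f"VLAN {vlan} of {name} has no VRF assignment"))
            elif vrf != t["vrf"]:
                findings.append(("network", "high",
                                 f"VLAN {vlan} of {name} routed in {vrf}, "
                                 f"expected {t['vrf']}"))

    # Storage layer: a zone may contain initiators of exactly one tenant
    # (array target ports are shared by design).  Members that belong to
    # no tenant and are not targets are unaccounted-for access.
    initiator_owner = {w: name for name, t in tenants.items() for w in t["wwpns"]}
    targets = set(inv["storage_targets"])
    for zone, members in inv["zones"].items():
        owners = {initiator_owner[m] for m in members if m in initiator_owner}
        unknown = [m for m in members
                   if m not in initiator_owner and m not in targets]
        if len(owners) > 1:
            findings.append(("storage", "high",
                             f"zone {zone} mixes initiators of {sorted(owners)}"))
        if unknown:
            findings.append(("storage", "medium",
                             f"zone {zone} contains unassigned members {unknown}"))
    return findings


def findings_by_layer(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per infrastructure layer, for a summary report."""
    counts: Dict[str, int] = defaultdict(int)
    for layer, _, _ in findings:
        counts[layer] += 1
    return dict(counts)


if __name__ == "__main__":
    for layer, severity, msg in audit_separation(INVENTORY):
        print(f"[{severity:6}] {layer:8} {msg}")
```

Run against the constructed inventory, the audit reports two network findings (VLAN 102 shared, VLAN 102 of globex routed in acme's VRF) and two storage findings (Z_LEGACY mixes both tenants' initiators and carries an unassigned WWPN); against an inventory with only acme and its own zone it reports nothing. The same shape of check extends naturally to UCS service-profile VLAN lists and to LUN masking views.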

Various methods are available to deliver consistent SLAs across the network, compute, and storage components of the Vblock platform, including QoS in the Cisco Unified Computing System and Cisco Nexus platforms, EMC Symmetrix Quality of Service tools, EMC Unisphere Quality of Service Manager (UQM), and VMware Distributed Resource Scheduler (DRS). Without the correct mix of service assurance features and capabilities, maintaining uptime, throughput, quality of service, and availability SLAs can be difficult.

Tenant Concerns
- Infrastructure support for evolving, growing, and unpredictable workloads
- SLA compliance measuring and reporting

Provider Challenges
- Deliver consistent, stable, predictable service
- Support and track tenant SLAs
- Build a predictable cost model while delivering higher-value services

Security and Compliance

The third element, Security and Compliance, ensures the confidentiality, integrity, and availability of each tenant's environment at every layer of the TMT stack using technologies such as identity management and access control, encryption and key management, firewalls, malware protection, and intrusion prevention. This is a primary concern for both service provider and tenant. The TMT solution must ensure that all activities performed in the provisioning, configuration, and management of the multi-tenant environment, as well as day-to-day activities and events for individual tenants, are verified and continuously monitored. It is also important that all operational events are recorded and that these records are available as evidence during audits. As regulatory compliance expands, the private cloud environment will become increasingly subject to security and compliance standards such as PCI DSS, HIPAA, SOX, and GLBA. With the proper tools, achieving and demonstrating compliance is not only possible, it can often become easier than in a non-virtual environment.

Tenant Concerns
- Answer internal audit and governance boards
- Receive and rely on audit records from the service provider regarding security posture, as well as actions and events occurring in their space

Provider Challenges
- Meet archive and report requirements defined in standards such as PCI DSS and HIPAA
- Address tenants' concerns about the confidentiality, integrity, and availability of their data and resources

Availability and Data Protection

Resources and data must be available for use by the tenant. High availability means that resources such as network bandwidth, memory, CPU, and data storage are always online and available to users when needed. Redundant systems,

configurations, and architecture can minimize or eliminate points of failure that adversely affect availability to the tenant. Data protection is a key ingredient in a resilient architecture. Cloud computing imposes a tradeoff between high performance and increasingly robust security requirements, and data classification is an essential tool for balancing that equation. Enterprises need to know what data is important and where it is located as prerequisites to making performance cost-benefit decisions, as well as to focusing data loss prevention procedures on the most critical areas.

Tenant Concerns
- Assurance that data and resources will be available when needed and protected at all times
- Confidence that data and resources are protected against intrusion and attack regardless of the status of other tenants in the environment

Provider Challenges
- Ensure that resources needed by tenants are available for use
- Provide a secured environment by means of threat detection and mitigation, including monitoring of and response to intrusions and attacks against the TMT environment and its tenants
- Provide tenant isolation and secure separation to ensure that other tenants in the TMT environment stay up and available for use, even if one tenant is the target of a Denial-of-Service attack

Tenant Management and Control

The fifth element is Tenant Management and Control. In every cloud services model there are elements of control that the service provider delegates to the tenant. Reasons for delegation of control include convenience, new revenue opportunities, security, compliance, or tenant requirement. In all cases, the goal of the TMT model is to allow for and simplify the management, visibility, and reporting of this delegation.

Tenants should have control over the relevant portions of their service. Specifically, tenants should be able to provision allocated resources, manage the state of all virtualized objects, view change management status for all parts of their infrastructure, add and remove administrative contacts, and request more services as needed. In addition, tenants taking advantage of data protection or data backup services should be able to manage this capability on their own, including setting schedules and backup types, initiating jobs, and running reports. This tenant-in-control model allows tenants to dynamically change the environment to suit their workloads as resource requirements change.

Tenant Concerns
- Accountability for all data inside the multi-tenant environment at all times
- Proof of compliance with corporate policies and relevant laws
- Isolation of their services, or some subset of their services, on demand, with a service provider guarantee thereof

Provider Challenges
- Providing different tenants different levels of control, and thus the ability to delegate tenant control at a granular level
- Reporting on and auditing changes made by the provider and the tenant

Service Provider Management and Control

The sixth element in the TMT model on the Vblock platform is Service Provider Management and Control. One goal of Trusted Multi-Tenancy is to simplify management of resources at every level of the infrastructure and to provide the functionality to provision, monitor, troubleshoot, and charge back the resources used by tenants. Management of multi-tenant environments comes with challenges, from reporting and alerting to capacity management and tenant control delegation. The Vblock platform helps address these challenges by providing scalable, integrated management solutions inherent to the infrastructure and a rich, fully developed API stack for adding service provider value.

Providers of infrastructure services in a multi-tenant environment require comprehensive control and complete visibility of the shared infrastructure in order to provide the availability, data protection, security, and service levels expected by tenants. The ability to control, manage, and monitor resources at all levels of the infrastructure requires a dynamic, efficient, and flexible design that allows the service provider to access, provision, and then release computing resources from a shared pool quickly, easily, and with minimal effort.

Overview of the TMT Model

The TMT model (Figure 2) on the Vblock platform uses a layered approach, with security controls, isolation mechanisms, and monitoring controls embedded in the network, compute, and storage layers of the service stack. This layered approach provides secure access to the cloud, guarantees resources to tenants, and abstracts the physical elements. Virtualization at different layers allows the infrastructure to provide logical isolation without dedicating physical resources to each tenant.

Figure 2. The Vblock platform Trusted Multi-Tenancy model

Technology Overview

The following sections describe the key components of the Vblock platform and the other security, storage, compute, and network software and applications that work in conjunction with the Vblock platform to create a Trusted Multi-Tenant environment.

About the Vblock platform

With the Vblock platform, VCE delivers the industry's first completely integrated IT offering that combines high-quality networking, computing, storage, virtualization, security, and management technologies with end-to-end vendor accountability. The Vblock platform provides pre-engineered, production-ready, fully tested virtualized infrastructure components, including private cloud offerings from RSA, Cisco, EMC, and VMware. The Vblock platform is available in different sizes and configurations to meet dynamic and extensible workload needs.

Enabled by leading players in IT product delivery, each with enterprise-level credibility, the Vblock platform provides consumers several benefits through its integrated hardware and software stacks, including:

- Fewer unplanned outages and reduced planned downtime for maintenance activities
- Reduced complexity due to preconfigured and centralized IT resources and the resulting standardized IT services
- Predictable performance and operational characteristics
- Tested and validated solutions
- Unified support and end-to-end vendor accountability
- Graceful scaling of the Vblock platform environment by adding capacity to the Vblock platform or adding more Vblock platforms
- Virtualized efficiency with predictable scaling for a given footprint

Management and Orchestration

Table 2 lists the standard management and orchestration components on each of the Vblock platforms.

Table 2. Management and orchestration components (columns: TMT on Vblock 300, TMT on Vblock 700)
- Vblock platform Advanced Management Pod (AMP)
- EMC Ionix Unified Infrastructure Manager (UIM)

Vblock Advanced Management Pod (AMP)

The Advanced Management Pod (AMP) is an optional component in the Vblock platform but is recommended as a best practice, because it provides the capability to manage the Vblock platform. The AMP normally consumes 6U of rack space. The AMP consists of:

- Two Cisco UCS C200 M1 Servers
- Cisco 2921 Integrated Services Router

- Cisco 4948 Switch

The Cisco UCS C200 M1 Servers provide N+1 redundancy to support mission-critical applications for Vblock platform management. The logical servers in the AMP provide separate and independent services to both the AMP environment and the production TMT environment. The servers are preconfigured with the following tools needed to manage the Vblock platform:

- Cisco UCS Manager
- Cisco Nexus 1000V Supervisor
- EMC Ionix UIM
- EMC Symmetrix Management Console or Unisphere
- EMC PowerPath/VE Server
- VMware vCenter Server and VMware Update Manager
- Active Directory, DNS, and database services dedicated to supporting all management applications; this function may be standalone or integrated into an existing customer environment

The Cisco 2921 Integrated Services Router and the Cisco 4948 Switch enable monitoring and managing Vblock platform health, performance, and capacity. With these tools, the AMP provides the following benefits:

- Fault isolation for management
- Elimination of management resource overhead on the Vblock platform
- A clear demarcation point for remote operations

Because the AMP hosts the management tools for the entire platform and therefore for every tenant, access to it should be limited to provider administrators, and it should not be reachable from tenant networks.

EMC Ionix Unified Infrastructure Manager (UIM)

EMC Ionix UIM provides simplified management for the Vblock platform in a TMT environment by combining provisioning with configuration, change, and compliance management.

Key Features
- Manage the Vblock platform as a single entity
- Integrate with enterprise management platforms
- Consolidate views into all the Vblock platform components, including network, compute, and storage
- Achieve system-wide compliance through policy-based management
- Easily deploy hardware and software, VMware vSphere and infrastructure provisioning, and disaster recovery infrastructure

With UIM, management of the individual components in the Vblock platform can be combined into a single entity to reduce operational costs and ease the transition from physical to virtual to private cloud infrastructure. Centralizing

provisioning, change, and compliance management across the Vblock platform reduces operating costs, ensures consistency, improves operational efficiency, and speeds deployment of new services. With EMC Ionix UIM taking care of the Vblock platform, the management transition from a physical to virtual to private cloud infrastructure is easier.

Compared to building and integrating pieces individually, the advantages of UIM's integrated management solution become obvious. Although some tools integrate basic health and performance data from the network, compute, and storage domains, the operationally critical areas of configuration, change, and compliance management remain separate or do not exist. This type of disjointed, distributed management can result in:

- Higher ongoing operational costs and reduced operational efficiency
- Slower service deployments
- Inconsistent management across the Vblock platform
- Inability to automatically verify configurations for accuracy and compliance
- Inability to simultaneously and easily restore multiple elements to a compliant state
- Less overall flexibility in supporting the IT needs of the business

Security Technologies

Table 3 lists the standard and optional security components and features of the Vblock platform. The table maps each component and feature to the TMT elements that it addresses.

Table 3. Security and Compliance components (columns: Secure Separation, Service Assurance, Security and Compliance, Availability, Tenant Mgmt & Control, Service Provider Mgmt & Control)
- RSA Solution for Cloud Security and Compliance
- RSA enVision
- RSA SecurID
- RSA SecurID Authentication Manager
- RSA Data Loss Prevention
- RSA DLP Network
- RSA Data Protection Manager
- Cisco Virtual Security Gateway
- VMware vShield
- VMware vShield Zones
- VMware vShield App

- Cisco Adaptive Security Appliance (ASA)
- Cisco Intrusion Prevention System
- Cisco Secure Access Control Server

RSA Solution for Cloud Security and Compliance

Built on the RSA Archer eGRC Suite, the RSA Solution for Cloud Security and Compliance enables end-user organizations and service providers to orchestrate and visualize the security of their VMware virtualization infrastructure and physical infrastructure from a single console (Figure 3). The solution offers a solid foundation that enables organizations to address the security of VMware environments systematically so they can confidently continue their migration to virtualization and cloud computing models.

Figure 3. System overview

Secure Separation

The RSA Archer eGRC Platform is a multi-tenant software platform that supports the configuration of separate instances in provider-hosted environments. These individual instances support data segmentation, as well as discrete user experiences and branding. Individual instances store data in physically separate databases while using a common hardware environment and a single deployment of RSA Archer application code. Users identify their instance as part

of a manual login process, although instance identification can be automated through DNS or single sign-on configuration.

Security and Compliance

Rationalizing the complexity of compliance requirements across both physical and virtual environments, especially in today's evolving regulatory landscape, is a challenge for security and compliance teams. The RSA Archer eGRC Suite for enterprise governance, risk, and compliance answers this challenge with a comprehensive library of policies, control standards, procedures, and assessments mapped to current global regulations and industry guidelines. More than 130 control procedures in the library, written specifically against the VMware vSphere 4.0 Security Hardening Guide, are mapped to security policies and authoritative sources such as PCI, COBIT, NIST, HIPAA, and NERC. In addition, the library includes thousands of other control procedures for operating systems, databases, network devices, and other infrastructure assets, which are mapped to the same laws, regulations, and industry standards, thereby forming the basis of a complete technology controls approach.

Using automated workflow within the RSA Archer eGRC Platform, a project manager can distribute security policies and control procedures to the appropriate administrators for both physical and virtual infrastructure (Figure 4). For example, VMware vSphere configuration steps are sent to the VMware administrator, storage configuration steps are sent to the storage administrator, security configuration steps are sent to the security administrator, and so forth.

Figure 4. Distribution and tracking of control procedures

RSA's solution includes new software that substantially automates the assessment of whether VMware security controls have been implemented correctly. The results of these automated configuration checks are fed directly into the RSA Archer eGRC Platform, which also captures the results of configuration checks for physical assets through prebuilt integration with commercially available scan technologies.

As a result, the Platform serves as a point of consolidation for continuous controls monitoring across the physical and virtual infrastructure. While a significant number of the VMware control procedures are tested automatically, the remainder must be tested manually because their status cannot be directly inferred from the environment. For these control procedures, project managers can issue manual assessments from the RSA Archer eGRC Platform, using a preloaded bank of questions mapped to control procedures and regulatory requirements. Project managers can create new questionnaires within minutes and issue them to the appropriate users based on asset ownership.

Issue Remediation

Configuring the physical and virtual infrastructure according to best-practice security guidelines and regulatory requirements is critical. However, the security and compliance process does not stop there. Organizations also require the ability to monitor incorrect configurations, policy violations, and control failures across their infrastructure and to respond swiftly with appropriate remediation steps. RSA's solution also enables security operations teams to manage policy violations and control failures. The RSA Archer eGRC Platform integrates with RSA enVision log management to collect and correlate security and compliance events from a variety of sources, including the RSA Data Loss Prevention suite, VMware vShield, and VMware vCloud Director, among others.

RSA SecurBook for Cloud Security and Compliance

The RSA SecurBook for Cloud Security and Compliance is a solution guide that provides detailed instructions for deploying and administering RSA's solution in a virtualized environment. Designed to help organizations reduce implementation time and total cost of ownership, the RSA SecurBook offers guidance in the following areas:

- Solution architecture for managing VMware security and compliance
- Solution deployment and configuration guides
- Operational guidance for effectively using the solution
- Troubleshooting guidance

Tenant and Service Provider Management and Control

The multi-tenant reporting capabilities of the RSA Archer eGRC Platform give each tenant a comprehensive, real-time view of its enterprise governance, risk, and compliance (eGRC) program. Tenants can take advantage of prebuilt reports to monitor activities and trends, and generate ad hoc reports to access the information needed to make decisions, address issues, and complete tasks. The cloud provider can build customizable dashboards tailored by tenant or audience, so users get exactly the information they need for their roles and responsibilities.

RSA enVision

The RSA enVision 3-in-1 platform offers an effective security information and event management (SIEM) and log management solution, capable of collecting and analyzing large amounts of data in real time from any event source and in computing environments of any size. RSA enVision scales without requiring event filtering or the deployment of agents.

Security and Compliance

RSA enVision is a 3-in-1 solution designed to:

- Simplify compliance. Complete accounting of network activity, comprehensive reporting with built-in and customized reporting capabilities, and retention and maintenance of complete log records help ease the burden of compliance. Preconfigured reporting content for all major regulations and frameworks (for example, PCI DSS, HIPAA, FISMA, and ISO) is included.
- Enhance security. Real-time notification of high-risk events, a streamlined incident handling process, and reporting on the most vulnerable assets directly enhance security operations. This is SIEM in action: not just log collection, but actionable intelligence.
- Optimize IT and network operations. Determine network availability and status, identify network issues and faulty equipment, and gain visibility into specific behavioral aspects of users in order to optimize the performance of your network.

RSA enVision includes preconfigured integration with all of the Vblock platform infrastructure components, including the Cisco UCS and Nexus components; EMC storage; and VMware vSphere, vCenter, vShield, and vCloud Director. In addition, RSA enVision has preconfigured integration and support for more than 235 (and counting) of the most common IT components, including network gear, security systems, operating systems, databases, and applications.

Tenant and Service Provider Management and Control

The baselining, trending, and reporting capabilities of RSA enVision give tenants and cloud administrators a long-term graphical overview of performance and security events, improving their overall management and control of cloud resources. The RSA enVision platform collects the event logs generated by IP devices within the cloud infrastructure, permanently archives copies of the data, processes the logs in real time, and generates alerts when it observes suspicious patterns of behavior. Administrators can interrogate the full volume of stored data through intuitive dashboards and advanced analytical software that turns complex, unstructured raw data into structured information.

RSA SecurID

RSA SecurID two-factor authentication is based on something you know (a password or PIN) and something you possess (an authenticator), providing a more reliable level of user authentication than reusable passwords. RSA SecurID automatically changes user passwords every 60 seconds. The RSA SecurID solution is regarded as a more secure alternative to authentication systems based on reusable passwords. In addition, the RSA SecurID solution is easier to use than challenge-and-response systems that require multiple steps to generate a valid access code. The RSA SecurID two-factor authentication solution is a fundamental piece in support of security and compliance.

RSA Authentication Manager

RSA Authentication Manager is the management component of the RSA SecurID solution, used to verify authentication requests and centrally administer authentication policies for enterprise networks. RSA Authentication Manager is interoperable with many network, remote access, VPN, Internet, wireless, and application solutions.

Secure Separation

RSA Authentication Manager supports logical partitioning, whereby a provider can define and enforce separate authentication policies by assigning each tenant a Security Domain.
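The collect, correlate, and alert loop of the RSA enVision section above, together with the tenant-scoped reporting it mentions, as an added example that is not RSA's code: the log lines, tenant names, users, and addresses are constructed, and the line format is a simplified stand-in for a real event format.

```python
"""Added example, not RSA enVision code: a small model of the collect,
correlate and alert loop described above, with tenant-scoped views on top.
The log lines, tenant names, users and addresses are constructed, and the
line format is a simplified syslog-style record, not enVision's own."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample feed from a hypothetical vCloud Director host.
SAMPLE_LOG = """\
2011-08-01T10:00:01 vcloud01 tenant=acme auth-fail user=admin src=198.51.100.7
2011-08-01T10:00:03 vcloud01 tenant=acme auth-fail user=admin src=198.51.100.7
2011-08-01T10:00:05 vcloud01 tenant=globex auth-fail user=ops src=203.0.113.9
2011-08-01T10:00:09 vcloud01 tenant=acme auth-fail user=root src=198.51.100.7
2011-08-01T10:00:12 vcloud01 tenant=acme auth-fail user=admin src=198.51.100.7
2011-08-01T10:00:14 vcloud01 tenant=acme auth-success user=admin src=198.51.100.7
2011-08-01T10:05:00 vcloud01 tenant=globex auth-fail user=ops src=203.0.113.9
2011-08-01T10:09:00 vcloud01 tenant=globex auth-fail user=ops src=203.0.113.9
2011-08-01T10:13:00 vcloud01 tenant=globex auth-fail user=ops src=203.0.113.9
this line is malformed and must be skipped by the parser
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<device>\S+) tenant=(?P<tenant>\S+) "
    r"(?P<outcome>auth-fail|auth-success) user=(?P<user>\S+) src=(?P<src>\S+)$")


def parse(log: str) -> list:
    """Normalise raw lines into event dicts; lines that do not parse are dropped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return events


def correlate(events: list, threshold: int = 4, window_minutes: int = 1) -> list:
    """Streaming correlation: sliding window of failures per (tenant, source).

    One alert is raised per (tenant, source) the first time `threshold`
    failures fall inside the window; a later success from that source is
    flagged too, since it may mean the guessing succeeded.
    """
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)     # (tenant, src) -> timestamps of failures
    alerted = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["tenant"], ev["src"])
        if ev["outcome"] == "auth-fail":
            q = recent[key]
            q.append(ev["ts"])
            while ev["ts"] - q[0] > window:     # expire failures outside the window
                q.popleft()
            if len(q) >= threshold and key not in alerted:
                alerted.add(key)
                alerts.append({"tenant": ev["tenant"], "src": ev["src"],
                               "rule": "auth-fail-burst", "count": len(q), "ts": ev["ts"]})
        elif key in alerted:
            alerts.append({"tenant": ev["tenant"], "src": ev["src"], "user": ev["user"],
                           "rule": "success-after-burst", "ts": ev["ts"]})
    return alerts


def tenant_view(records: list, tenant: str) -> list:
    """Tenant-scoped report: a tenant sees only its own events and alerts."""
    return [r for r in records if r["tenant"] == tenant]


if __name__ == "__main__":
    events = parse(SAMPLE_LOG)
    for a in correlate(events):
        print("1-minute window:", a)
    # A longer baseline window is what catches the slow attempts against globex.
    for a in tenant_view(correlate(events, window_minutes=15), "globex"):
        print("15-minute window:", a)
```

The two runs in the main block show the trade-off the baselining feature addresses: a one-minute window catches the burst against acme but misses the four-minute-spaced attempts against globex, which only a longer window surfaces.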

RSA Data Loss Prevention

The RSA Data Loss Prevention (DLP) suite provides a policy-based approach to securing data in data centers, networks, and endpoints, enabling organizations to discover and classify their sensitive data, educate end users, ensure data is handled appropriately, and report on risk reduction and progress toward policy objectives. The RSA DLP Suite reduces the total cost of ownership with high scalability, automated data protection services, and the most extensive data policy and classification library available in the industry. The RSA DLP suite improves security by protecting the tenant's confidential data, such as intellectual property, product roadmaps, and company financials, and it facilitates compliance by securing customer records and other sensitive data as required by regulations and standards.

RSA Data Loss Prevention Network

RSA Data Loss Prevention (DLP) Network identifies and enforces policies for sensitive data transmitted through corporate email (SMTP), webmail, instant messaging, FTP, web-based tools (HTTP or HTTPS), and generic TCP/IP protocols.

Key Features

- Depth of policy and classification library increases ROI by eliminating the need to fine-tune policies and helping organizations realize the value of their DLP deployment more quickly.
- Comprehensive support for numerous protocols dramatically reduces risk exposure.
- Retention of end-user action logs helps administrators simplify the compliance process.
- Numerous automatic and manual remediation options allow organizations to customize policy responses based on varying levels of risk.

RSA DLP Network provides deep visibility into network policy violations by sender, recipient, and content type.

Secure Separation

RSA DLP Network virtual appliances can be deployed for each tenant. Each virtual DLP appliance enforces the policies defined for that specific tenant.

RSA Data Protection Manager

RSA Data Protection Manager is an enterprise encryption key management system designed to manage encryption keys at the application, database, and storage layers. RSA Data Protection Manager lowers the total cost of ownership associated with encryption by giving administrators fine-grained control over the vaulting and management of keys from a single, central console. The RSA SafeProxy architecture employs a unique combination of tokenization, advanced encryption, and public-key technologies to protect sensitive data with a layered approach to security. RSA Data Protection Manager's combination of application encryption and tokenization increases security and facilitates compliance.

Cisco Virtual Security Gateway

Cisco Virtual Security Gateway (VSG) for Nexus 1000V Series switches is a virtual firewall appliance that provides trusted access to virtualized data centers. VSG facilitates multi-tenancy by allowing tenants with varied security profiles to share a common compute infrastructure.

In a multi-tenant environment, deployment of VSG can occur at several levels of the virtualized infrastructure (Figure 5). Deployment options include:

- Using VSG as a tenant edge firewall
- Placing VSG in each virtual center within a tenant
- Deploying VSG within each virtual application

Secure Separation

VSG provides secure segmentation of the virtual machines in the virtualized data center using granular, zone-based control and monitoring with context-aware security policies (based on virtual machine identities, custom attributes, and 5-tuple network parameters). Key benefits include the following:

- Controls are applied across organizational zones, lines of business, and multi-tenant environments.
- Security policies are organized into security profiles (templates).
- Context-based access logs are generated with activity details at the network and virtual machine levels.
- Non-disruptive administration is achieved through administrative segregation across security and server teams.

Security and Compliance

With VMs organized into distinct trust zones, configurable security policies control and monitor traffic between zones. In this way, the VSG can effectively control traffic between trust zones, as well as between trust zones and external zones.
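The zone-based, context-aware policy model described above, as an added illustration that is not Cisco VSG code: rules key on VM identity attributes (tenant, trust zone) plus 5-tuple fields rather than on addresses, so a decision survives a VM move. The tenant, zone, host, and address values are constructed, and the vmotion helper is a hypothetical stand-in for a live migration.

```python
"""Added example, not Cisco VSG or VMware code: a simplified model of
zone-based, context-aware firewall policy. Rules match on VM identity
attributes (tenant, trust zone) and 5-tuple fields, so the decision does
not change when a VM moves to another host or changes IP address.
Every VM, tenant, zone, host and address below is constructed."""
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class VM:
    name: str
    tenant: str
    zone: str    # trust zone such as "web", "app", "db", "external"
    ip: str
    host: str    # hypervisor host the VM currently runs on


@dataclass(frozen=True)
class Flow:
    src: VM
    dst: VM
    proto: str
    dport: int
    sport: int = 40000


@dataclass(frozen=True)
class Rule:
    """One line of a security profile; None matches anything."""
    action: str                   # "permit" or "deny"
    src_zone: Optional[str] = None
    dst_zone: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, f: Flow) -> bool:
        return ((self.src_zone is None or self.src_zone == f.src.zone)
                and (self.dst_zone is None or self.dst_zone == f.dst.zone)
                and (self.proto is None or self.proto == f.proto)
                and (self.dport is None or self.dport == f.dport))


# A security profile is an ordered rule list (a template); first match wins
# and anything left unmatched is denied. Profiles are keyed by tenant.
PROFILES = {
    "acme": [
        Rule("permit", src_zone="external", dst_zone="web", proto="tcp", dport=443),
        Rule("permit", src_zone="web", dst_zone="app", proto="tcp", dport=8080),
        Rule("permit", src_zone="app", dst_zone="db", proto="tcp", dport=3306),
        Rule("deny", src_zone="web", dst_zone="db"),   # web must never reach db
    ],
}


def evaluate(f: Flow, profiles=PROFILES) -> str:
    """Return "permit" or "deny" for a flow.

    Traffic between tenants is denied before any profile is consulted;
    that is how tenant isolation is modelled here.
    """
    if f.src.tenant != f.dst.tenant:
        return "deny"
    for rule in profiles.get(f.dst.tenant, []):
        if rule.matches(f):
            return rule.action
    return "deny"   # implicit deny at the end of every profile


def access_log(f: Flow, profiles=PROFILES) -> dict:
    """Context-aware log record with network-level and VM-level details."""
    return {
        "action": evaluate(f, profiles), "tenant": f.dst.tenant,
        "src_vm": f.src.name, "src_zone": f.src.zone, "src_ip": f.src.ip,
        "dst_vm": f.dst.name, "dst_zone": f.dst.zone, "dst_ip": f.dst.ip,
        "proto": f.proto, "dport": f.dport,
    }


def vmotion(vm: VM, new_host: str, new_ip: str) -> VM:
    """Hypothetical stand-in for a VM move: identity attributes are kept."""
    return replace(vm, host=new_host, ip=new_ip)


# Constructed inventory: two tenants sharing the same compute hosts.
WEB = VM("acme-web01", "acme", "web", "10.1.1.10", "esx-01")
APP = VM("acme-app01", "acme", "app", "10.1.2.10", "esx-02")
DB = VM("acme-db01", "acme", "db", "10.1.3.10", "esx-02")
OTHER_APP = VM("globex-app01", "globex", "app", "10.2.2.10", "esx-01")

if __name__ == "__main__":
    for f in (Flow(WEB, APP, "tcp", 8080), Flow(WEB, DB, "tcp", 3306),
              Flow(OTHER_APP, DB, "tcp", 3306),
              Flow(vmotion(APP, "esx-03", "10.1.9.77"), DB, "tcp", 3306)):
        print(access_log(f))
```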

Figure 5. Cisco Virtual Security Gateway (VSG)

VMware vShield

The VMware vShield family of security solutions (Table 4) provides virtualization-aware protection for virtual data centers and cloud environments. VMware vShield products strengthen application and data security, enable TMT, improve visibility and control, and accelerate IT compliance efforts across the organization. Figure 6 illustrates the interaction between vShield components.

Table 4. VMware vShield family

vShield Zones: Basic access control list (ACL) capability built into vSphere. Supports applications belonging to different trust levels on the same virtual data center.

vShield App: Enhanced version that provides firewalling capability between virtual machines by placing a firewall filter on every virtual network adapter. Allows for the easy application of firewall policies based upon logical Security Groups, which are associated with resource pools, folders, containers, and other vSphere groupings from the vCenter inventory.

vShield Edge: Virtualizes data center perimeters and offers firewall, VPN, web load balancer, NAT, and DHCP services. Isolates the virtual machines in a port group from the external network. Connects isolated, tenant stub networks to the shared (uplink) networks and provides common perimeter security services such as DHCP, VPN, and NAT.

vShield Endpoint: Enables offloading of antivirus and other anti-malware processing to dedicated, security-hardened virtual machines delivered by VMware partners.

Figure 6. VMware vShield family

Secure Separation

Two components of the VMware vShield suite that enable service providers to protect and isolate VMs belonging to different tenants are vShield App and vShield Edge. Table 5 describes these components.

Table 5. VMware vShield isolation mechanisms

vShield App: Implements an IP-based, stateful firewall and application layer gateway for a broad range of protocols, including Oracle, FTP, Sun Remote Procedure Call (RPC), Linux RPC, and Microsoft RPC. Places a firewall filter on every virtual network adapter to provide firewalling capability between VMs. Operates transparently and does not require network changes or modifications of IP addresses. Firewall rules are defined using various object types, including data center, cluster, resource pool, vApp, port group, and VLAN.

vShield Edge: Secures the edge of a virtual data center with firewall, VPN, and NAT services (Figure 7). Creates logical security perimeters around virtual data centers (vDCs) to support multi-tenancy environments. Other common deployments for vShield Edge include DMZs and extranets. Compatible with port groups on the vNetwork Standard Switch (vSwitch), the vNetwork Distributed Switch (vDS), and the Nexus 1000V.

Figure 7. VMware vShield Edge

Service Provider Management and Control

VMware vShield Manager is the management interface for all vShield products. Integrated with VMware vCenter and deployed in its own virtual machine, vShield Manager leverages vSphere resources. The user interface offers configuration and data viewing options for all vShield products. Tight integration with vCenter allows display of all underlying vSphere resource pools within vShield Manager. Service providers can use the VMware vShield Manager unified dashboard overview to manage and deploy policies for the entire vCenter environment, leveraging their existing virtual infrastructure containers as organizational zones across physical hosts, virtual switches, and networks. The inventory panel offers multiple view options, each displaying a different perspective of the underlying vSphere resource pool and vCenter inventory.

VMware vShield Zones

VMware vShield Zones is a firewall deployed as a hypervisor-level Loadable Kernel Module (LKM) security virtual appliance that provides visibility and enforcement of network activity within a VMware vSphere deployment, to comply with corporate security policies and industry regulations such as PCI or Sarbanes-Oxley.

VMware vShield App

VMware vShield App is a more feature-rich version of vShield Zones, which is highly recommended for multi-tenant environments. It adds the following capabilities:

- Service providers can use vShield Manager to deploy distributed vShield App LKMs on each vSphere host, providing visibility and control of virtual network traffic across virtual server environments.
- The distributed vShield App LKMs are administered by vShield Manager, which integrates seamlessly with the service provider's vCenter deployment to present policies and events in the context of the existing virtual machines, networks, hosts, and clusters used to service their customer deployments.

Key Features

- Central management of logical zone boundaries and segmentation
- Extensive visibility through flow monitoring to help define and refine firewall rules, detect botnets, and secure business processes
- Simplified policy management through Security Groups, which allow administrators to define business-relevant groupings of any virtual machines by their virtual NICs

Secure Separation

The hypervisor-level firewall in VMware vShield ensures that proper segmentation and trust zones are enforced for all application deployments.

Security and Compliance

VMware vShield App integrates into VMware vCenter and leverages virtual inventory information such as vNICs, port groups, clusters, and VLANs to simplify firewall rule management and trust zone provisioning. Leveraging the various VMware logical containers reduces the number of rules required to secure a multi-tenant environment and therefore reduces the operational burden that accompanies the isolation and segmentation of tenants. This method of creating security policies closely links them with VMware virtual machine objects, so the policies follow the VMs during vMotion. Using vShield App within Distributed Resource Scheduler (DRS) clusters ensures secure compute load-balancing operations without performance compromise, as the security policy follows the virtual machine.

Cisco Adaptive Security Appliance

The Cisco Adaptive Security Appliance (ASA) is a purpose-built security appliance that combines firewall, Virtual Private Network (VPN), and optional content security and intrusion prevention to distribute network security across the data center. A single Cisco ASA appliance can be partitioned into multiple virtual firewalls, also known as security contexts. Each security context acts as a separate firewall with its own security policy, interfaces, and configuration, although some features are not available to virtual firewalls, such as IPsec and SSL VPN, dynamic routing protocols, multicast, and threat detection.

Secure Separation

In a multi-tenant environment, the service provider may assign one or more security contexts to each tenant to provide separation at the network level.

Security and Compliance

The ASA provides threat defense and highly secure communications services to stop attacks before they affect business continuity.

Cisco Intrusion Prevention System

Cisco Intrusion Prevention System (IPS) appliances provide proven protection against well-known and emerging threats to help secure confidential data and meet ever-increasing compliance mandates. Cisco IPS accurately identifies, classifies, and stops malicious traffic, including worms, spyware, adware, network viruses, and application abuse, before it affects business continuity. Cisco Anomaly Detection stops day-zero attacks before signature updates are available. Cisco IPS collaborates with other key network components for end-to-end, network-wide protection. Cisco IPS may participate in Cisco Global Correlation, where the visibility and controls of the IPS are enhanced with threat information shared by the Cisco SensorBase network. Available as a dedicated appliance, Cisco IPS is also integrated into Cisco firewall, switch, and router platforms for maximum protection and deployment flexibility.

Key Features

- Proven protection against well-known and zero-day attacks
- Protects against more than just virus outbreaks, such as attacks targeted against a company's information
- Helps prevent severe loss due to disruptions, theft, or defacement caused by compromised servers
- Stops worm and virus outbreaks at the network level, before they reach the desktop
- Identifies, classifies, and stops malicious traffic, including worms, spyware, adware, viruses, and application abuse
- Delivers high-performance, intelligent threat detection and protection over a range of deployment options

Secure Separation

IPS virtual sensors allow the logical partitioning of a physical sensor appliance or module into multiple virtual sensors. Each virtual sensor maintains its own configuration indicating the data streams to be inspected and the policies to be enforced. By separating tenant traffic into multiple virtual sensors, the cloud provider can define and enforce separate sets of policies tailored to address the unique requirements of each tenant.

Security and Compliance

Cisco IPS sensors protect the data center by detecting, classifying, and blocking network-based threats by means of attack signatures associated with worms, viruses, and various application abuse scenarios. This process occurs on a per-connection basis, allowing legitimate traffic to flow unobstructed.

Cisco Secure Access Control Server

Cisco Secure Access Control Server (ACS) is a highly scalable, high-performance access policy system that centralizes authentication, user access, and administrator access policy and reduces the administrative and management burden. Cisco ACS supports authentication, authorization, and accounting (AAA) protocols such as TACACS+ and RADIUS, as well as directory databases such as LDAP and Active Directory.

Key Features

- A comprehensive, identity-based access policy system for Cisco intelligent information networks
- Central management of access policies for both network access and device administration


More information

Enterprise Security Solutions

Enterprise Security Solutions Enterprise Security Solutions World-class technical solutions, professional services and training from experts you can trust ISOCORP is a Value-Added Reseller (VAR) and services provider for best in class

More information

vshield Quick Start Guide

vshield Quick Start Guide vshield Manager 5.0.1 vshield App 5.0.1 vshield Edge 5.0.1 vshield Endpoint 5.0.1 This document supports the version of each product listed and supports all subsequent versions until the document is replaced

More information

ABC of Storage Security. M. Granata NetApp System Engineer

ABC of Storage Security. M. Granata NetApp System Engineer ABC of Storage Security M. Granata NetApp System Engineer Encryption Challenges Meet Regulatory Requirements No Performance Impact Ease of Installation Government and industry regulations mandate protection

More information

Security Solution Architecture for VDI

Security Solution Architecture for VDI Solution Architecture for VDI A reference implementation of VMware BENEFITS Validated solution architecture provides unprecedented end-to-end security dashboard for virtual desktop infrastructure (VDI)

More information

Secure Clouds - Secure Services Trend Micro best-in-class solutions enable data center to deliver trusted and secure infrastructures and services

Secure Clouds - Secure Services Trend Micro best-in-class solutions enable data center to deliver trusted and secure infrastructures and services Secure Clouds - Secure Services Trend Micro best-in-class solutions enable data center to deliver trusted and secure infrastructures and services Udo Schneider Trend Micro Udo_Schneider@trendmicro.de 26.03.2013

More information

A Comprehensive Cloud Management Platform with Vblock Systems and Cisco Intelligent Automation for Cloud

A Comprehensive Cloud Management Platform with Vblock Systems and Cisco Intelligent Automation for Cloud WHITE PAPER A Comprehensive Cloud Management Platform with Vblock Systems and Cisco Intelligent Automation for Cloud Abstract Data center consolidation and virtualization have set the stage for cloud computing.

More information

EMC Security for Microsoft Exchange Solution: Data Loss Prevention and Secure Access Management

EMC Security for Microsoft Exchange Solution: Data Loss Prevention and Secure Access Management EMC Security for Microsoft Exchange Solution: Data Loss Prevention and Applied Technology Abstract Securing a Microsoft Exchange e-mail environment presents a myriad of challenges and compliance issues

More information

Total Cloud Protection

Total Cloud Protection Total Cloud Protection Data Center and Cloud Security Security for Your Unique Cloud Infrastructure A Trend Micro White Paper August 2011 I. INTRODUCTION Many businesses are looking to the cloud for increased

More information

Trend Micro. Advanced Security Built for the Cloud

Trend Micro. Advanced Security Built for the Cloud datasheet Trend Micro deep security as a service Advanced Security Built for the Cloud Organizations are embracing the economic and operational benefits of cloud computing, turning to leading cloud providers

More information

Cloud and Data Center Security

Cloud and Data Center Security solution brief Trend Micro Cloud and Data Center Security Secure virtual, cloud, physical, and hybrid environments easily and effectively introduction As you take advantage of the operational and economic

More information

vshield Administration Guide

vshield Administration Guide vshield Manager 5.1 vshield App 5.1 vshield Edge 5.1 vshield Endpoint 5.1 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by

More information

EMC Data Protection Advisor 6.0

EMC Data Protection Advisor 6.0 White Paper EMC Data Protection Advisor 6.0 Abstract EMC Data Protection Advisor provides a comprehensive set of features to reduce the complexity of managing data protection environments, improve compliance

More information

Comprehensive security platform for physical, virtual, and cloud servers

Comprehensive security platform for physical, virtual, and cloud servers datasheet Trend Micro deep security 9 Comprehensive security platform for physical, virtual, and cloud servers Virtualization and cloud computing have changed the face of today s data center. Yet as organizations

More information

EMC COMPUTE-AS-A-SERVICE DESIGN PRINCIPLES AND CONSIDERATIONS FOR DEPLOYMENT

EMC COMPUTE-AS-A-SERVICE DESIGN PRINCIPLES AND CONSIDERATIONS FOR DEPLOYMENT White Paper EMC COMPUTE-AS-A-SERVICE DESIGN PRINCIPLES AND CONSIDERATIONS FOR DEPLOYMENT Reduce infrastructure and operational costs Increase performance and optimize service-level agreements EMC Solutions

More information

Symantec Brightmail Gateway Real-time protection backed by the largest investment in security infrastructure

Symantec Brightmail Gateway Real-time protection backed by the largest investment in security infrastructure Real-time protection backed by the largest investment in security infrastructure Overview delivers inbound and outbound messaging security, with effective and accurate real-time antispam and antivirus

More information

Cisco Virtualized Multiservice Data Center Reference Architecture: Building the Unified Data Center

Cisco Virtualized Multiservice Data Center Reference Architecture: Building the Unified Data Center Solution Overview Cisco Virtualized Multiservice Data Center Reference Architecture: Building the Unified Data Center What You Will Learn The data center infrastructure is critical to the evolution of

More information

Trend Micro. Secure virtual, cloud, physical, and hybrid environments easily and effectively INTRODUCTION

Trend Micro. Secure virtual, cloud, physical, and hybrid environments easily and effectively INTRODUCTION SOLUTION BRIEF Trend Micro CLOUD AND DATA CENTER SECURITY Secure virtual, cloud, physical, and hybrid environments easily and effectively INTRODUCTION As you take advantage of the operational and economic

More information

Cisco ASA 1000V Cloud Firewall

Cisco ASA 1000V Cloud Firewall Data Sheet Cisco ASA 1000V Cloud Firewall Product Overview The Cisco ASA 1000V Cloud Firewall extends the proven Adaptive Security Appliance security platform to consistently secure the tenant edge in

More information

TOP FIVE REASONS WHY CUSTOMERS USE EMC AND VMWARE TO VIRTUALIZE ORACLE ENVIRONMENTS

TOP FIVE REASONS WHY CUSTOMERS USE EMC AND VMWARE TO VIRTUALIZE ORACLE ENVIRONMENTS TOP FIVE REASONS WHY CUSTOMERS USE EMC AND VMWARE TO VIRTUALIZE ORACLE ENVIRONMENTS Leverage EMC and VMware To Improve The Return On Your Oracle Investment ESSENTIALS Better Performance At Lower Cost Run

More information

Effective End-to-End Cloud Security

Effective End-to-End Cloud Security Effective End-to-End Cloud Security Securing Your Journey to the Cloud Trend Micro SecureCloud A Trend Micro & VMware White Paper August 2011 I. EXECUTIVE SUMMARY This is the first paper of a series of

More information

Delivering Unprecedented Innovation to Create Flexible Virtual Environments

Delivering Unprecedented Innovation to Create Flexible Virtual Environments Delivering Unprecedented Innovation to Create Flexible Virtual Environments Cisco and Vmware Virtualizing the Data Center Maximize IT Productivity while Lowering Capital and Operating Costs 2010 Cisco

More information

Managing Cloud Computing Risk

Managing Cloud Computing Risk Managing Cloud Computing Risk Presented By: Dan Desko; Manager, Internal IT Audit & Risk Advisory Services Schneider Downs & Co. Inc. ddesko@schneiderdowns.com Learning Objectives Understand how to identify

More information

Cloud Management. Overview. Cloud Managed Networks

Cloud Management. Overview. Cloud Managed Networks Datasheet Cloud Management Cloud Management Overview Meraki s cloud based management provides centralized visibility & control over Meraki s wired & wireless networking hardware, without the cost and complexity

More information

How To Achieve Pca Compliance With Redhat Enterprise Linux

How To Achieve Pca Compliance With Redhat Enterprise Linux Achieving PCI Compliance with Red Hat Enterprise Linux June 2009 CONTENTS EXECUTIVE SUMMARY...2 OVERVIEW OF PCI...3 1.1. What is PCI DSS?... 3 1.2. Who is impacted by PCI?... 3 1.3. Requirements for achieving

More information

Vyatta Network OS for Network Virtualization

Vyatta Network OS for Network Virtualization Complete Security and Compliance for Virtual Environments Vyatta takes the concept of virtualization beyond just applications and operating systems and allows enterprise IT to also virtualize network components

More information

PCI COMPLIANCE ON AWS: HOW TREND MICRO CAN HELP

PCI COMPLIANCE ON AWS: HOW TREND MICRO CAN HELP SOLUTION BRIEF PCI COMPLIANCE ON AWS: HOW TREND MICRO CAN HELP The benefits of cloud computing are clear and compelling: no upfront investment, low ongoing costs, flexible capacity and fast application

More information

can you improve service quality and availability while optimizing operations on VCE Vblock Systems?

can you improve service quality and availability while optimizing operations on VCE Vblock Systems? SOLUTION BRIEF Service Assurance Solutions from CA Technologies for VCE Vblock Systems can you improve service quality and availability while optimizing operations on VCE Vblock Systems? agility made possible

More information

An Introduction to SIEM & RSA envision (Security Information and Event Management) January, 2011

An Introduction to SIEM & RSA envision (Security Information and Event Management) January, 2011 An Introduction to SIEM & RSA envision (Security Information and Event Management) January, 2011 Brian McLean, CISSP Sr Technology Consultant, RSA Changing Threats and More Demanding Regulations External

More information

vsphere 6.0 Advantages Over Hyper-V

vsphere 6.0 Advantages Over Hyper-V v3c Advantages Over Hyper-V The most trusted and complete virtualization platform 2015 Q1 2015 VMware Inc. All rights reserved. The Most Trusted Virtualization Platform Hypervisor Architecture Broad Support

More information

How To Extend Security Policies To Public Clouds

How To Extend Security Policies To Public Clouds What You Will Learn Public sector organizations without the budget to build a private cloud can consider public cloud services. The drawback until now has been tenants limited ability to implement their

More information

CloudCore. cloudcore infrastructure 4 100% SOLID STATE STORAGE 4 TRUE SCALE-OUT ARCHITECTURE 5 RAID-LESS DATA PROTECTION 5

CloudCore. cloudcore infrastructure 4 100% SOLID STATE STORAGE 4 TRUE SCALE-OUT ARCHITECTURE 5 RAID-LESS DATA PROTECTION 5 OVERVIEW CloudCore Supports the Most Demanding Workloads ISO 27001:2013 Security with 100% Data Encryption VMware s vcloud Air Network Service Compatible Choice of Multiple Offshore Jurisdictions calligo

More information

Secure Virtualization in the Federal Government

Secure Virtualization in the Federal Government White Paper Secure Virtualization in the Federal Government Achieve efficiency while managing risk Table of Contents Ready, Fire, Aim? 3 McAfee Solutions for Virtualization 4 Securing virtual servers in

More information

A Look at the New Converged Data Center

A Look at the New Converged Data Center Organizations around the world are choosing to move from traditional physical data centers to virtual infrastructure, affecting every layer in the data center stack. This change will not only yield a scalable

More information

VBLOCK SOLUTION FOR SAP: HIGH AVAILABILITY FOR THE PRIVATE CLOUD

VBLOCK SOLUTION FOR SAP: HIGH AVAILABILITY FOR THE PRIVATE CLOUD Vblock Solution for SAP: High Availability for the Private Cloud Table of Contents www.vce.com VBLOCK SOLUTION FOR SAP: HIGH AVAILABILITY FOR THE PRIVATE CLOUD Version 2.0 February 2013 1 Copyright 2013

More information

Junos Space Virtual Control

Junos Space Virtual Control Proiduct Overview The proliferation of virtual switches in the data center has presented data center operators with a significant challenge namely, how to manage these virtual network elements in conjunction

More information

RE Cloud from Richardson Eyres

RE Cloud from Richardson Eyres RE Cloud from Richardson Eyres Frequently asked Questions What is RE Cloud? RE Cloud is Richardson Eyres cloud computing service delivering virtualised, on demand multi tenant elastic computing resource.

More information

VMware vsphere 5.1 Advanced Administration

VMware vsphere 5.1 Advanced Administration Course ID VMW200 VMware vsphere 5.1 Advanced Administration Course Description This powerful 5-day 10hr/day class is an intensive introduction to VMware vsphere 5.0 including VMware ESX 5.0 and vcenter.

More information

VCE Vision Intelligent Operations Version 2.5 Technical Overview

VCE Vision Intelligent Operations Version 2.5 Technical Overview Revision history www.vce.com VCE Vision Intelligent Operations Version 2.5 Technical Document revision 2.0 March 2014 2014 VCE Company, 1 LLC. Revision history VCE Vision Intelligent Operations Version

More information

Sichere Virtualisierung mit VMware

Sichere Virtualisierung mit VMware Sichere Virtualisierung mit VMware Stefan Bohnengel, VMware Harald Speckbrock, RSA Neuss, 12.11.2009 Building The Private Cloud private cloud Flexibility Control Choice your applications your information

More information

CloudLink - The On-Ramp to the Cloud Security, Management and Performance Optimization for Multi-Tenant Private and Public Clouds

CloudLink - The On-Ramp to the Cloud Security, Management and Performance Optimization for Multi-Tenant Private and Public Clouds - The On-Ramp to the Cloud Security, Management and Performance Optimization for Multi-Tenant Private and Public Clouds February 2011 1 Introduction Today's business environment requires organizations

More information

Benefits of Consolidating and Virtualizing Microsoft Exchange and SharePoint in a Private Cloud Environment

Benefits of Consolidating and Virtualizing Microsoft Exchange and SharePoint in a Private Cloud Environment . The Radicati Group, Inc. 1900 Embarcadero Road, Suite 206 Palo Alto, CA 94303 Phone 650-322-8059 Fax 650-322-8061 http://www.radicati.com THE RADICATI GROUP, INC. Benefits of Consolidating and Virtualizing

More information

Intro to NSX. Network Virtualization. 2014 VMware Inc. All rights reserved.

Intro to NSX. Network Virtualization. 2014 VMware Inc. All rights reserved. Intro to NSX Network Virtualization 2014 VMware Inc. All rights reserved. Agenda Introduction NSX Overview Details: Microsegmentation NSX Operations More Information SDDC/Network Virtualization Security

More information

How To Manage Security On A Networked Computer System

How To Manage Security On A Networked Computer System Unified Security Reduce the Cost of Compliance Introduction In an effort to achieve a consistent and reliable security program, many organizations have adopted the standard as a key compliance strategy

More information

Network Access Control in Virtual Environments. Technical Note

Network Access Control in Virtual Environments. Technical Note Contents Security Considerations in.... 3 Addressing Virtualization Security Challenges using NAC and Endpoint Compliance... 3 Visibility and Profiling of VMs.... 4 Identification of Rogue or Unapproved

More information

ProtectV. Securing Sensitive Data in Virtual and Cloud Environments. Executive Summary

ProtectV. Securing Sensitive Data in Virtual and Cloud Environments. Executive Summary VISIBILITY DATA GOVERNANCE SYSTEM OS PARTITION UNIFIED MANAGEMENT CENTRAL AUDIT POINT ACCESS MONITORING ENCRYPTION STORAGE VOLUME POLICY ENFORCEMENT ProtectV SECURITY SNAPSHOT (backup) DATA PROTECTION

More information

VMware vsphere-6.0 Administration Training

VMware vsphere-6.0 Administration Training VMware vsphere-6.0 Administration Training Course Course Duration : 20 Days Class Duration : 3 hours per day (Including LAB Practical) Classroom Fee = 20,000 INR Online / Fast-Track Fee = 25,000 INR Fast

More information

PCI Compliance for Branch Offices: Using Router-Based Security to Protect Cardholder Data

PCI Compliance for Branch Offices: Using Router-Based Security to Protect Cardholder Data White Paper PCI Compliance for Branch Offices: Using Router-Based Security to Protect Cardholder Data Using credit cards to pay for goods and services is a common practice. Credit cards enable easy and

More information

Cisco Virtual Network Management Center

Cisco Virtual Network Management Center Data Sheet Cisco Virtual Network Management Center Introduction The dynamic nature of the cloud paradigm introduces new needs for automation, but it also facilitates new types of automation due to the

More information

SonicWALL Clean VPN. Protect applications with granular access control based on user identity and device identity/integrity

SonicWALL Clean VPN. Protect applications with granular access control based on user identity and device identity/integrity SSL-VPN Combined With Network Security Introducing A popular feature of the SonicWALL Aventail SSL VPN appliances is called End Point Control (EPC). This allows the administrator to define specific criteria

More information

Secure Remote Access Solutions Balancing security and remote access Bob Hicks, Rockwell Automation

Secure Remote Access Solutions Balancing security and remote access Bob Hicks, Rockwell Automation Secure Remote Access Solutions Balancing security and remote access Bob Hicks, Rockwell Automation Rev 5058-CO900C Agenda Control System Network Security Defence in Depth Secure Remote Access Examples

More information

NERC CIP Whitepaper How Endian Solutions Can Help With Compliance

NERC CIP Whitepaper How Endian Solutions Can Help With Compliance NERC CIP Whitepaper How Endian Solutions Can Help With Compliance Introduction Critical infrastructure is the backbone of any nations fundamental economic and societal well being. Like any business, in

More information

PCI Compliance for Cloud Applications

PCI Compliance for Cloud Applications What Is It? The Payment Card Industry Data Security Standard (PCIDSS), in particular v3.0, aims to reduce credit card fraud by minimizing the risks associated with the transmission, processing, and storage

More information

McAfee Server Security

McAfee Server Security Security Secure server workloads with low performance impact and integrated management efficiency. Suppose you had to choose between securing all the servers in your data center physical and virtual or

More information

SOLUTIONS. Secure Infrastructure as a Service for Production Workloads

SOLUTIONS. Secure Infrastructure as a Service for Production Workloads IaaS SOLUTIONS Secure Infrastructure as a Service for Production Workloads THE CHALLENGE Now more than ever, business and government are facing the challenge of balancing conflicting demands. Market pressures

More information

Injazat s Managed Services Portfolio

Injazat s Managed Services Portfolio Injazat s Managed Services Portfolio Overview Premium Managed Services to Transform Your IT Environment Injazat s Premier Tier IV Data Center is built to offer the highest level of security and reliability.

More information

Cautela Labs Cloud Agile. Secured. Threat Management Security Solutions at Work

Cautela Labs Cloud Agile. Secured. Threat Management Security Solutions at Work Cautela Labs Cloud Agile. Secured. Threat Management Security Solutions at Work Security concerns and dangers come both from internal means as well as external. In order to enhance your security posture

More information

Redefine Network Visibility in the Data Center with the Cisco NetFlow Generation Appliance

Redefine Network Visibility in the Data Center with the Cisco NetFlow Generation Appliance White Paper Redefine Network Visibility in the Data Center with the Cisco NetFlow Generation Appliance What You Will Learn Modern data centers power businesses through a new generation of applications,

More information