Protect Root Abuse privilege on Hypervisor (Cloud Security)

Transcription

1 Protect Root Abuse privilege on Hypervisor (Cloud Security) Nantharat Puwarang, CISSP Senior Technical Consultant Protect Software Defined Data Center 1

2 The Road to Software Defined Data Centers: Virtualization & Cloud Adoption Source: VMware 2013 Journey to IT-as-a-Service Survey 2

3 Changing Risk Profile: Virtualization and Cloud Concentrates Compute and Access Significant Risk of Catastrophic Failure 2013, HyTrust, Inc. 3

4 Threats from Abuse of Privilege Access Remains High 43% Percentage of security breaches due to trusted insiders and business partners Forrester survey, June % Percentage of execs who say their most serious fraud was due to a privileged user PricewaterhouseCoopers, Wall Street Journal, April % Percentage of outages and availability/ performance problems related to misconfiguration Gartner (>50%), Enterprise Management Assoc. (60%), IT Process Institute (80%), , HyTrust, Inc.

5 our view The SDDC The data center of the future is software-defined. It is dynamic and application-centric. Our mission is to support our customers as they evolve to the SDDC. Software-Defined Data Center Applications and Policies Software Defined Services Network Virtualization Compute and Storage Virtualization On-Prem/Private/Public Cloud Resources Data Center Security Automation and Management Drivers Cost Speed Flexibility Inhibitors Security Tax Complexity Compliance 5

6 Transitioning Our Security Controls and Architectures VM VM VM VM Maximum Guest Security Maximum Guest Security Advanced Security Advanced Security SVA Baseline Security Host Security Host Security Hardened Virtual Infrastructure Traditional Security Security controls specific to underlying infrastructure Security deployed at perimeter to reduce cost/effort of deployment at each workload Scales up to meet additional workload demand SDDC Security Delivered as a service by the virtualization infrastructure Security deployed on virtualization host (closer to workload) through an SVA, i.e. Agentless Scales out to meet additional workload demand (more SVAs) 1518 Best Practices in Virtualization & Cloud Security with Symantec 6

7 Need Security? A dynamic, application-centric data center needs dynamic, application-centric security. By 2015, 40% of security controls used in Enterprise data centers will be virtualized, up from less than 5% in 2010 Neil MacDonald Software-Defined Data Center Applications and Policies Software Defined Services Network Virtualization Compute/Storage Virtualization On-Prem/Private/Public Cloud Resources Dynamic, contextbased, policycentric security Integrated security orchestration Security for hybrid networks Security for leading hypervisors Support for key standards for private clouds e.g. Openstack and partner with vendors delivering those standards e.g. Amazon, VMWare, Openstack How to control/audit on hypervisors? Data Center Security Automation and Management Roadmap: The Evolution of Data Center Security, Risk and Compliance

8 Software-Defined Data Center Security & Compliance Challenges Management & oversight of privilege users Enforce separation of duties Identity & Access Governance Catastrophic Fail: Material & Regulatory Impact Enforce regulatory mandates for data and network Separation. Data & Network Segregation Harden the virtual and physical infrastructure Patching and maintenance Infrastructure Resilience & Integrity Audit, Monitoring, Reporting & Prioritization Pass compliance audits Identify and prioritize risks Effective resource allocation 8

9 Six Ways Symantec Protects Your Software-Defined Data Center Management Clients Virtual Infrastructure 1 1. Two-Factor AuthN vcenter Virtualization Management Clients Guest Traffic Uninterrupted 3 3. Logging and Real-time Alerting 2 2. Role-Based Access and Secondary Approval (2 Man Rule) Tag-based Policies ESXi Hosts 4 4. Hypervisor Hardening / Platform Integrity 5 5. Guest Hardening* and Assessment 6 6. Malware Protection 9

10 CCS Virtualization Security Manager: Oversight & Control of Privileged Users in Virtual Environments Secure the hypervisor from threats Granular access control including secondary approval Manage hypervisor and VM configuration settings Automate configuration assessment and reporting Enforce instance separation to isolate assets and limit scope Detailed logging for forensics & audit VSM Dashboard VMware Hardening Guidelines Detailed logging Symantec Data Center Security & Compliance

11 Showcase - Demo Presentation Identifier Goes Here 11

12 Denied change of Network interfaces 12

13 2 Man Rules Secondary Approval Presentation Identifier Goes Here 13

14 Visibility You Get From VMware Symantec Virtualization Security Manager 14

15 CCS VSM Delivers Audit-Quality Log Detail Needed 15

16 Visibility You Get From VMware Symantec Virtualization Security Manager 16

17 Security for the Data Centre [email protected] CCS Dashboard & Reports CCS Vulnerability Manager CCS Standards Manager Critical System Protection VM1 VM2 VM3 Harden & protect guest VM s with same protection policies as physical servers Server Monitor & protect hypervisor configuration CCS Assessment Manager Admin VMware Admins ESX/ESXi vcenter Physical Harden vcenter based on VMware hardening guidelines CCS Virtual Security Manager Virtual