The Virtualization Practice

Transcription

1 The Virtualization Practice White Paper: Trend Micro Deep Security Reference Architecture for the Secure Hybrid Cloud Edward L. Haletky Analyst Virtualization and Cloud Security The Virtualization Practice Sponsored by Trend Micro Version 1.0 January The Virtualization Practice, LLC. All Rights Reserved. All other marks are property of their respective owners. Abstract Trend Micro was one of the first VMware security ecosystem partners to implement the VMware introspective API from that came the very first version of Trend Micro Deep Security TM. Deep Security has grown to include much more than just a firewall allowed by the very first introspective API to a product that includes agentless offload of many important security tasks. Trend has expanded this functionality to cover not only a virtual environment, but also physical and cloud environments. Trend Micro SecureCloud TM has grown to use Deep Security policy to further refine who or what can gain access to encrypted data. Given these new changes, how Trend Micro Deep Security and SecureCloud products provide a solution that fits into the over all hybrid cloud security architecture comes to the forefront, as these products are no longer just a virtualization tool. 1

2 Table of Contents I. Introduction... 3 II. III. IV. Why a Spectrum of Security... 5 Trend Micro within the Spectrum... 6 Protect the Data: Physical, Virtual, and Cloud... 8 V. About The Virtualization Practice... 8 VI. VII. About Trend Micro... 8 References

3 I. Introduction At the start of any reference architecture is the requirements, and the requirements for this particular architecture is to look at the entire hybrid cloud. We want to see where specific Trend Micro products fit into a spectrum that covers the entire hybrid cloud, and not just one aspect such as virtualization. While previous versions of Deep Security were virtualization specific, Trend Micro Deep Security has strengthened their cloud offerings over the last several years. Trend Micro has added in support not only for cloud infrastructures but also provides a centralized management interface for physical, cloud, and virtual end point security tools while integrating the policies for end point security into their SecureCloud offering. By combining these products at the policy level it is possible to allow SecureCloud to know whether or not specific end point security policy is met before allowing access. So the question becomes, where does Trend Micro Deep Security, SecureCloud, and other products fit into the overall hybrid cloud architecture. This architecture was presented within The Virtualizaiton Practice s Secure Hybrid Cloud Reference Architecture ( What follows is a synopsis of this architecture in a more general form. We present a security spectrum of the hybrid cloud built upon logical boundaries as shown in Figure 1 (which resides on page 4). Figure 1 shows this spectrum spanning end user computing (EUC) through the typical data center bastion, into the data center and then the application layer. At this point there is a change of control to the virtualization layers, which make more efficient use of the underlying hardware (below the spectrum) and storage (far right). Any part of this spectrum could communicate with a cloud service (above the spectrum). In addition to defining each spectrum as a different color and by name, we also present a typical flow chart of functionality for a Tier 1 application: . is rather unique today as we have many decisions to make as to how our mail moves through out a hybrid cloud. At the EUC layer of our spectrum, we have to decide do we go direct to the cloud service, through a security service residing in the cloud first or into our data center through our bastion that would often contain a DMZ where VPN end points may terminate. Once we are within the bastion we may then decide to either redirect to a cloud service via some gateway service or go deeper into our datacenter. The datacenter layer in our spectrum is a set of switches and decision logic that tells us where we go from here. We could hook into a cloud gateway service at this layer, or we could go direct to our Tier 1 App, in this case our Server. An server running as a virtual machine would either choose to go to a cloud gateway service to access in the cloud or run locally, in either case the tier 1 App changes its control to the virtualization layers and the hypervisor which then may or may not implement an introspection layer that is a part of the hypervisor. Eventually the request could be written locally to disk and also be replicated to some cloud service. Perhaps this is a combination of using Google Mail for personal data and a corporate Exchange server as your Tier 1 App as well as integrating in Microsoft Forefront capabilities as well as data protection via VMware SRM Replication to a cloud service. 3

4 4

5 II. Why a Spectrum of Security With hybrid clouds there is are a wide range of application interactions and directions you can take within the application when you start to look at how the application is accessed and then how the data within the application is secured. We are therefore looking at Data Access Security as well as Data Security (in motion and at rest) as well as Data Protection techniques to maintain availability. All three of these are looked at within this spectrum of security depicted on page 4. We start with End User Computing Devices (EUC) (Data Access) and quickly either head northbound to the Cloud (still Data Access) or Eastbound towards our Bastions hosts and DMZ. Which if consider this bastion as also the beginning of your cloud, you are really ahead of the game. What is East of our EUC devices is also what is north of them. Once you are in the Bastion and DMZ aspects of your hybrid cloud (north or eastbound) there is also choice to head further east or once more north into the cloud. Once you head east you will enter the real data center. The datacenter ends up being one big switching environment that sends data either south into the virtual environments, west with results, or even further south to the physical hardware. It could also send data north to a cloud environment. In either case, data is being sent in almost all directions with one exception. When we mover further east we are changing control from the data center layer to the virtualization layers, that change of control is where virtual machines interact with hypervisors in a many to one configuration (many VMs to one hyperviros) and hypervisors interact with physical hardware (south bound) in a one to one configuration (one hypervisor to one set of hardware). There is a subset of the hypervisor layer that is the introspective layer. The introspective layer allows security tools to gain access to what is happening within each virtual machine within the hypervisor. While all hypervisors have the capability, only a few aspects of introspection are being used outside of the VMware vsphere environment (which allows access to all resources: memory, network, CPU, and storage). Specifically, we see more third parties tying into storage introspection specifically on Hyper-V than any other resource. Introspection gives use a wonderful place to extend our security deep into the virtual environment. The last layer of our spectrum is the storage layer. We cannot escape the physical nature of storage, but storage these days is more than just a disk, we include in this layer all things related to data protection, replication, tiering, encryption, etc. In essence, whatever the storage hardware can do, while it seems pretty simplistic to treat all storage the same but from a security spectrum that covers the interactions between layers, storage is one major layer overlooked from a security perspective today. Security within storage is very simplistic, and while this is very good from a security management perspective it does require more physical security than other areas of the spectrum. We have a spectrum that goes west <-> east and north <-> south. We can enter the cloud at nearly every point in this spectrum. Each boundary of this spectrum will require some form of security. We need to extend our security measures to cover all colors of our spectrum. 5

6 III. Trend Micro within the Spectrum Trend Micro has many tools that provide coverage through our spectrum of security; in addition, Trend Micro has teamed up with VMware to provide further coverage of our spectrum of security. There are a number of tools that Trend Micro provides to cover the spectrum of security, specifically: Trend Micro Deep Security (DS) Trend Micro SecureCloud Trend Micro Mobile Security While VMware provides vcloud Network and Security (vcns) Edge vcloud Network and Security APIs VMware Horizon Mobile VMware Horizon Application Manager (HAM) Within the page 4 diagram, you can see where each of these tools fit with their respective Trend Micro and VMware icons. As we move through our spectrum the following tools have been placed. Spectrum Element Trend Micro VMware Notes End User Computing (EUC) Mobile Security Horizon Mobile Securing the EUC device is not only about encrypting the device but ensuring data access security. Bastion Deep Security vcns Edge All items within a DMZ 6 should have active end point security Data Center vcns Edge, HAM The data center can be viewed as a switching fabric. Once in the data center we must control access to any cloud or enterprise applications. Applications Deep Security vcns Edge All tier one applications and cloud gateways should have end point security and virtualization management layers need to be segregated.

7 Virtual Machines VMware provides lowlevel protection via built-in hypervisor security including use of Intel TXT. Hypervisor Deep Security vcns APIs VMware provides all APIs to access introspective and other security mechanisms. While Deep Security provides a mechanism to set the TPM/TXT registers. Introspection Deep Security Deep Security hooks into the vcns network and storage (DS versions < v8) APIs to perform its introspective security. DS on vsphere provides per VM firewalls as well as end point security. Storage SecureCloud SecureCloud provides an encrypted share that virtual machines can use as storage for application data. Cloud Hardware Deep Security, SecureCloud DS can run within a cloud service provider to provide integrated management of all DS end point security countermeasures. In addition, SecureCloud can be used within various clouds as well. The hardware vendor provides hardware security. As can be seen from this table and the page 4 diagram, Trend Micro fits within nearly all aspects of hybrid cloud security. Deep Security covers not only virtual but also physical or even cloud aspects of end point security all centrally managed from your own datacenter. This is a big win when trying to manage policy. Tie Deep Security with SecureCloud you have a mechanism to not 7

8 only provide end point security, but ways to provide a policy store for access to your data. Even so, we are looking at a solution to the problem of hybrid cloud security, not point products. The solution includes point solutions from VMware as well as Trend Micro. IV. Protect the Data: Physical, Virtual, and Cloud When you look at protecting your data within all aspects of the hybrid cloud: physical, virtual, and cloud locations, we need to start considering solutions that span products instead of specific products. No one product can cover the entire spectrum of security. At best they can be used in many different bands of the spectrum, but there needs to be some glue that holds them together, we need to consider how the data is accessed, how to secure the data, while providing data protection in the form of disaster recovery, business continuity, and high availability. No man is an island, and no single security product will currently cover all aspects of the hybrid cloud. While we looked only at VMware vsphere based clouds, the Trend Micro security solution can be applied as well to non-vsphere based clouds and datacenters. All we loose is the ability to make use of the introspective layers of the hypervisor. Trend Micro Deep Security works just as well in agent-full mode as it does in agent-less mode while the Trend Micro Mobile Security and SecureCloud products and VMware Mobile Horizon and HAM work as part of this solution regardless of hypervisor framework. The one change when not using VMware vsphere products is to find another Edge firewall capability. V. About The Virtualization Practice The Virtualization Practice is the leading online resource of objective and educational analysis focusing upon the virtualization and cloud computing industries. Edward L. Haletky is the author of VMware vsphere(tm) and Virtual Infrastructure Security: Securing the Virtual Environment as well as VMware ESX and ESXi in the Enterprise: Planning Deployment of Virtualization Servers, 2 nd Edition. Edward owns AstroArch Consulting, Inc., providing virtualization, security, network consulting and development and The Virtualization Practice where is also an Analyst. Edward is the Moderator and Host of the Virtualization Security Podcast as well as a guru and moderator for the VMware Communities Forums, providing answers to security and configuration questions. Edward is working on new books on Virtualization. VI. About Trend Micro Trend Micro Incorporated (TYO: 4704; TSE: 4704), the global cloud security leader, creates a world safe for exchanging digital information with its Internet content security and threat management solutions for businesses and consumers. A pioneer in server security with over 20 years' experience, we deliver top-ranked client, server and cloud-based security that fits our 8

9 customers' and partners' needs, stops new threats faster, and protects data in physical, virtualized and cloud environments. Powered by the industry-leading Trend Micro Smart Protection Network global threat intelligence data mining framework, our products and services stop threats where they emerge from the Internet. They are supported by 1,000+ threat intelligence experts around the globe. Additional information about Trend Micro Incorporated and the products and services are available at Trend Micro.com. This Trend Micro news release and other announcements are available at and as part of an RSS feed at Or follow our news on Twitter SOURCE Trend Micro Incorporated VII. References Edward L. Haletky. VMware vsphere(tm) and Virtual Infrastructure Security: Securing the Virtual Environment, Prentice Hall PTR; 1 edition (June, 2009) Edward L. Haletky. Secure Hybrid Cloud Reference Architecture, The Virtualization Practice, LLC ( Version 1.1 (September 2012) 9