RSA Security Solutions for Virtualization

Transcription

1 RSA Security Solutions for Virtualization Grzegorz Mucha

2 Securing the Journey to the Cloud The RSA Solution for Virtualized Datacenters The RSA Solution for VMware View The RSA Solution for Cloud Security and Compliance 2

3 What do these numbers mean? Why Question is this bad? Does your IT Restricted security address potential the value risks associated with Increased virtualization potential and for private data cloud breaches before they are implemented? 24% 43% 22% 11% Yes, in all cases In some cases, but there are gaps No, security is brought in after the fact The business moves ahead without security Source: Live EMC Forum pole conducted in 5 cities across N. America, 10/09

4 Securing the Journey to The Cloud IT Production Lower Costs Business Production Improve Quality Of Service IT-As-A-Service Improve Agility % Virtualized 85% 95% 70% 30% 15% Platinum Gold Secure multi-tenancy, Verifiable chain of trust Security Compliance, information-centric security, risk-driven policies, IT and security operations alignment Visibility into virtualization infrastructure, privileged user monitoring, access management, network security

5 Gartner: Most Common Security Risks in Data Center Virtualization Projects* Gartner Risks Information Security Isn't Initially Involved in the Virtualization Projects Compromise of the Virtualization Layer Could Result in the Compromise of All Hosted Workloads Workloads of Different Trust Levels Are Consolidated Onto a Single Physical Server Without Sufficient Separation Adequate Controls on Administrative Access to the Hypervisor/VMM Layer and to Administrative Tools Are Lacking There Is a Potential Loss of Separation of Duties for Network and Security Controls How RSA can help Security Virtualization Assessment Gartner Says 60 Percent of Virtualized Servers Will Be Less Secure Than the Physical Servers RSA envision They Replace Through 2012 RSA DLP Suite RSA envision RSA SecurID RSA SecurID *

6 End to end chain of trust and visibility (Physical and Virtual) Better Security with Virtualization Trusted zone DMZ APP OS APP OS VM layer APP OS Logical security zones that move with virtual machines (e.g. VMware vshield Zones virtual firewall) Unified Point of Control Deep visibility and unified reporting e.g. RSA envision & RSA Archer support for VMware Compute Virtual Infrastructure (including hypervisor) Network Storage Unified Security controls embedded deep within Reporting virtual infrastructure (e.g., VMsafe APIs for deep security Efficient, introspection) Flexible Integrity monitoring for hardware and hypervisor to ensure a trusted computing environment (e.g., Intel, VMware, RSA PoC)

7 The RSA Solution for Virtualized Datacenters

8 RSA SecurID Same OTP Algorithm Time Same Time Algorithm Time Authentication Manager Seed Same Seed Seed 2 Factor Authentication Time-based OTP has precise clock that changes password every 60 seconds Multiple form factors of tokens

9 RSA envision Event Log Management Simplifying Compliance Enhancing Security Optimizing IT & Network Operations Compliance reports for regulations and internal policy Reporting Auditing Real-time security alerting and analysis Forensics Alert / correlation IT monitoring across the infrastructure Network baseline Visibility Purpose-built database (IPDB) RSA envision Log Management Platform Security Devices Network Devices Applications / Databases Servers Storage

10 Event Anomaly Recognized

11 envision in the VMware Environment envision Collector uses VMware native API s to retrieve the logs from vcenter and all ESX/ESXi servers Only SIEM that collects 2 distinct logs from VMware environment thru 1 seamless, agentless connection vcenter logs ESX/ESXi server logs 19 Event Categories (Auth.Failures, System.Shutdown etc) Over 380 distinct messages (vmotion, Snapshots, User Login, VM Power On/Off/Reset, VM Clone etc.) Ease of analysis, implementation and change control in VMware environment

12 Auto Discover All Managed ESX Servers through Virtual Center

13 Purpose-built Virtualization Reports

14 Easily Build Customized Virtualization Reports

15 envision Dashboard VMware Events and Activity

16 Vblock A New Way of Delivering IT to Business Production-ready Pre-integrated, tested and modular packages of virtualized infrastructure Best of breed technologies Compute: Cisco UCS Network: Cisco Nexus family, Cisco MDS 9000 series Storage: EMC Symmetrix V-Max or EMC Unified Storage (Celerra and CLARiiON) Hypervisor: VMware vsphere 4 Management: Cisco UCS Manager, EMC Ionix Unified Infrastructure Manager, VMware vcenter Security: RSA

17 RSA s Approach to Securing Vblock 2 Secure each application validated with Vblock (e.g., VMware View, SAP) Central Security Management and Reporting 1 Secure the core Vblock platform (VMware, Cisco, EMC components)

18 Secure the Core Vblock Platform Validated with Vblock Vmware Administrator vsphere Management Assistant RSA SecurID Strong authentication before access to ESX Service Console and vsphere Management Assistant Virtual Machines and Applications vsphere UCS Storage Security and compliance officer RSA envision Comprehensive visibility into security events Security incident management, compliance reporting

19 envision Dashboard: Monitoring Vblock Event Sources by Event Category

20 Understand and Monitor Admin Activity of your Virtualized Storage

21 Understanding Activity in your Virtualized World Do you need to be alerted when VM s are restarted? Do you need to monitor permission changes in VMWare? Would you like to know when VM s are being created and by whom? Would you like to know when VM s are moved to another ESX Server? Would you like to know when Virtualized Storage has been reconfigured? Do you need to incorporate VMWare activity into your Compliance Audits? Would you like to be able to correlate events from VMWare administration with events from the Operating Systems Logs and Application Logs?

22 Use Case Scenarios Protecting Management Console Applying Patch to Production System Lost Laptop Unauthorized Administrator

23 Scenario Apply Patch to Production System - Before Production Datacenter HR Application Server VM PATCH Test Environment HR Application Server VM PATCH HR Database Server VM HR Database Server VM HRDB Name, SSN, DoB, etc HRDB Name, SSN, DoB, etc Is the test Is this A common an way to apply 1 Clone patches virtual is to try environment Who them accessed out in a the test environment Was the VM 3 Apply environment authorized Patch 2to Test production Patch data environment in the test destroyed after In a virtual This sufficiently is world difficult protected you and can time-consuming clone the system, in a production data and all procedure? environment? it was used? environment, & controlled? but very easy in a virtual environment

24 Scenario Apply Patch to Production System - After Production Datacenter HR Application Server VM PATCH Test Environment HR Application Server VM PATCH HR Database Server VM HR Database Server VM HRDB Name, SSN, DoB, etc HRDB Name, SSN, DoB, etc 3 Apply 1Patch Clone 2to virtual Test production Patch environment environment VM Cloned VM Cloned Patch Applied RSA envision can log the administrative activity from vcenter, like the VM being cloned RSA envision Patch Applied Patch Applied VM Deleted If this is out of policy If the test we environment can alert a security is properly protected, analyst then it will also be monitored by RSA envision

25 Scenario Protecting Your Management Console Remote desktop into your Management LAN via VPN Management LAN vcenter Server ESX Service Console Vblock Management Console SSL VPN supporting RSA SecurID

26 Scenario Unauthorized Administrator PCI Zone Non-PCI Zone Store Management Windows VM Transaction Management Application Transaction DB Credit Card numbers In a PCI environment, you Suppose permissions are set up need VM to Moved validate that only incorrectly, and an unauthorized authorized administrators administrator by kpbrady can move a VM are modifying the system RSA envision Authorized PCI Admin? Active Directory RSA If the envision RSA administrator envision can check logs is not against what authorized, activities a watchlist RSA envision of were authorized performed can alert PCI a and administrators security by whom analyst

27 RSA Solution for VMware View

28 Today s Endpoint Security Challenges Expensive but still vulnerable 60% of the security budget is consumed by endpoint security software (1) Lost or stolen laptops is the largest single source of breaches (2) Gateway to infection and theft 35% of infected PCs had up-to-date antivirus software installed. (3) Malware, typically contracted through web browsing, contributed to 82% of records compromised in 2009 (4) Fraudsters Physical endpoint Virtual Data Center Online Banking, Social Networking e-commerce, etc. Source: (1) Gartner, Inc. (2) OSF Data loss DB (3) Panda Labs (4) Verizon Business

29 So how does VDI make me more secure?

30 How VDI addresses the Lost Laptop Scenario vshield protected network RSA SecurID Endpoint with NO sensitive data Virtual Desktop with access to sensitive data Application with sensitive data Virtual Desktop No USB or only secure USB allowed via RSA DLP Network access controlled via VMware vshield The process is fully logged by RSA envision

31 RSA Solution for VMware View Validated with Vblock VMware VCM for security config and patch management VMware Infrastructure RSA DLP for protection of data in use RSA SecurID for remote authentication Active Directory VMware View Manager VMware vcenter Clients RSA SecurID for ESX Service Console and vma RSA envision log collection VMware vcenter & ESX(i) VMware View RSA SecurID RSA DLP Active Directory

32 RSA SecurBook for VMware View RSA Solutions Multi-product solutions Validated in the RSA Solutions Center RSA SecurBooks Guides for planning, deploying, and administering RSA solutions. Comprehensive reference architecture, screenshots, practical guidance Google rsa securbook view

33 RSA Solution for Cloud Security and Compliance

34 Security-Specific Factors That Would Enable More Widespread Usage of Server Virtualization From an information security perspective, which of the following developments need to take place in order to enable more widespread server virtualization usage? (Percent of respondents, N=105, multiple responses accepted) More secure virtualization management and operations Virtual security tools that use the same formats as my physical security devices 33% 33% Compliance management tools that recognize virtual server events Need better tools to identify and configure relationships between virtual machines Tighter integration between security management and security management tools A better understanding of how server virtualization security will align with cloud-based security services Data/storage encryption to protect virtual machines on disk Virtual firewalls and filtering devices to secure virtual machine to virtual machine traffic Network encryption to protect virtual machines in flight 27% 26% 26% 24% 24% 23% 22% Additional virtualization training for security staff 20% Log management or SIEM tools that recognize virtual server events 18% New host-based security tools designed for virtual servers 16% 2010 Enterprise Strategy Group 0% 5% 10% 15% 20% 25% 30% 35%

35 Customer Challenges Business Objective (CIO) Accelerate/start virtualization of business critical apps to continue optimizing costs PAINS Lack of visibility into and control over security and compliance status of the virtual infrastructure Business Objective (CISO) Manage risk and compliance while going from IT production to business production Difficult to rationalize the complexity of compliance requirements across virtual and physical environments Lack of guidance and orchestration for securing virtual infrastructure comprehensively High cost and difficulty of responding to compliance audits for virtual environments Inefficient management of security and compliance across IT and security operations teams Lack of consistency in physical and virtual security increases cost and complexity of virtualization Fragmented views of data across hybrid infrastructure causes delays in identifying risk and compliance breaches/concerns

36 Securing the Journey to The Cloud IT Production Lower Costs Business Production Improve Quality Of Service IT-As-A-Service Improve Agility % Virtualized 85% 95% 70% 30% 15% Platinum Gold Secure multi-tenancy, Verifiable chain of trust Security Compliance, information-centric security, risk-driven policies, IT and security operations alignment Visibility into virtualization infrastructure, privileged user monitoring, access management, network security

37 How we do it: Solution Components v1.0 RSA Archer egrc Platform 130+ control procedures mapped to VMware best practices Automated deployment workflow, configuration measurement, incident notification and reporting Maps technical security controls to Authoritative Sources (Regulations like PCI) Single business view of compliance for both physical and virtual RSA envision (SIEM) Correlate security and compliance events across virtual and physical environments, fed into Archer E.g. VMware vshield, VMware vcloud Director, HyTrust Appliance, EMC Ionix, etc RSA Data Loss Prevention (DLP) Suite RSA SecurBook

38 Enabling the Cycle of Security Compliance Discover VMware infrastructure Define security policy Manage security incidents that affect compliance Manual and automated configuration assessment RSA Archer egrc Remediation of non-compliant controls

39 Enabling the Cycle of Security Compliance Discover VMware infrastructure Define security policy What s New Over 100 VMware-specific controls added to Archer library, mapped to regulations/standards Manage security incidents that affect compliance Manual and automated configuration assessment RSA Archer egrc Remediation of non-compliant controls

40 RSA Archer: Mapping VMware security controls to regulations and standards Authoritative Source Regulations (PCI-DSS, etc.) Administrator and Operator Logs CxO Control Standard Generalized security controls CS-179 Activity Logs system start/stop/config changes etc. Control Procedure Technology-specific control CP Persistent logging on ESXi Server VI Admin

41 Discover VMware infrastructure and define policy/controls to manage

42 Distribution and Tracking Control Procedures Security Admin Server Admin Project Manager Network Admin VI Admin

43 Enabling the Cycle of Security Compliance Discover VMware infrastructure Define security policy Manage security incidents that affect compliance Manual and automated configuration assessment RSA Archer egrc Remediation of non-compliant controls What s New New solution component automatically assesses VMware configuration and updates Archer

44 Initial Deployment Questionnaire

45 Automated Assessment via PowerCLI Automatically discover and assess VMware infrastructure via PowerCLI RSA Archer egrc VMware objects (ESX, vswitches, etc ) are automatically populated into Archer They are then mapped to control procedures. Over 40% are automatically assessed via PowerCLI and the results fed into Archer for reporting and remediation.

46 Enabling the Cycle of Security Compliance Discover VMware infrastructure Define security policy Manage security incidents that affect compliance Manual and automated configuration assessment RSA Archer egrc Remediation of non-compliant controls

47 Control Procedure List, Status and Measurement Method

48 Deployment and Remediation Work Queues

49 Overall Virtual Infrastructure Compliance Dashboard

50 Enabling the Cycle of Security Compliance Discover VMware infrastructure Define security policy Manage security incidents that affect compliance Manual and automated configuration assessment What s New RSA envision collects, analyzes and feeds security incidents from RSA, VMware and ecosystem products to inform Archer dashboards (e.g. DLP, vshield, HyTrust, etc.) RSA Archer egrc Remediation of non-compliant controls

51 RSA Solution for Cloud Security and Compliance: Architecture Regulations, standards Generalized security controls VMware-specific security controls Automated assessment RSA envision Configuration State VMware cloud infrastructure (vsphere, vshield, VCD) Security Events Ecosystem (HyTrust, Ionix,)

52 VMware vshield Network Security Events Fed to Archer

53 Overall Compliance Dashboard and Reporting: Physical and Virtual

54 RSA SecurBook A technical guide for deploying and operating RSA Solution for Cloud Infrastructure Model: RSA SecurBook for VMware View / MS SharePoint Solution architecture Solution deployment and configuration guides Operational guidance for effective using the solution Troubleshooting guidance

55