Architecting and Building a Secure and Compliant Virtual Infrastructure and Private Cloud Rob Randell, CISSP Principal Systems Engineer Security Specialist
Agenda What is the Cloud? Virtualization Basics How Virtualization and Cloud Affect Datacenter Security How to Secure our Cloud and Make it Compliant Network Security and Secure Multi-tenancy in the Cloud
What is the Cloud and What Does it Means To Security SaaS Salesforce.com, Google Apps, etc The lower down the stack the Cloud provider stops, the more security you are tactically responsible for implementing & managing yourself. PaaS Vmforce, Google AppEngine, etc IaaS Terremark, Rackspace, Savvis, etc *Graphics Courtesy of Chris Hoff and the Cloud Security Alliance
Security Considerations of Each Type of Cloud Software (SaaS) Least extensibility and greatest amount of security responsibility taken on by the cloud provider Infrastructure (IaaS) Greatest extensibility and least amount of security responsibility taken on by the cloud provider Platform (PaaS) Lies somewhere in the middle, with extensibility and security features which must be leveraged by the customer
Infrastructure as a Service Hardware Virtualization is the basis of the IaaS Model Examples include: VMware vsphere MS HyperV Citrix XenServer Redhat KVM
Virtualization Basics
Next Step is to Leverage Virtualization to Provide Pools of Shared Resources Traditional View Virtual Datacenter Exchange Operating VMware Infrastructure System PCI Operating VMware Infrastructure System VMware vsphere DNS Operating VMware Infrastructure System CRM Operating VMware Infrastructure System CPU Pool Memory Pool Storage Pool Interconnect Pool
Platform Sec.
Secure the Underlying Platform 1st Use the Principles of Information Security Hardening and Lockdown Defense in Depth Authorization, Authentication, and Accounting to enforce Separation of Duties and Least Privileges Administrative Controls For virtualization this means: Harden the Virtualization layer Setup Access Controls Secure the Guests Leverage Virtualization Specific Administrative Controls What Auditors Want to See: Network Controls Change Control and Configuration Management Access Controls & Management Vulnerability Management
Protection of Management Interfaces is Key vnic vnic vnic VMkernel Production vswitch1 Mgmt Storage vswitch2 vmnic1 2 3 4 Segment out all non-production networks Use VLAN tagging, or Use separate vswitch (see diagram) Strictly control access to management network, e.g. RDP to jump box, or VPN through firewall Prod Network Mgmt Network VMware vsphere 4 Hardening Guidelines http://www.vmware.com/resources/techresources/10109 vcenter Other ESX/ESXi hosts IP-based Storage 10
Separation of Duties Must Be Enforced More Power Super Cloud Admin Cloud Networking Admin Cloud Server Admin Cloud Storage Admin Less Power Tenant A Admin Tenant B Admin Tenant C Admin VM Admin VM Admin VM Admin VM Admin VM Admin VM Admin
Security Perspective On Customer Deployment Architectures 0 PHYSICAL AIR GAPPED PODS MIXED TRUST CLUSTERS ON-PREMISE PRIVATE CLOUD DEDICATED PRIVATE CLOUD (ebay, CSC) 1 2 3 4 5 PUBLIC MULTI-TENANT CLOUD (Terremark, EC2) 0 1 2 3 4 5 Physical deployments are still considered to be most secure and remain in all enterprises Air gapped pods are preferred by security teams for virtualized high risk assets (SOX, PCI, DMZ) Mixed trust clusters typically have the M&M security model, blocking important asset migration to them Private cloud is an extension of the mixed trust deployment, with more automation and self service Dedicated Private Cloud SLAs make it virtually the same risk level as the on-premise deployments Multi-tenant Public Cloud is just emerging, with concerns around visibility, audit, control and compliance
The Datacenter needs to be secured at different levels Perimeter Security Sprawl: hardware, FW rules, VLANs Rigid Perimeter FW rules security device (s) at the edge Performance Firewall, VPN, bottlenecks Intrusion Prevention Load balancers Cost & Complexity Keep the bad guys out At the vdc Edge Internal Security VLAN 1 VLANs VLAN or subnet based policies Interior or Web application Firewalls DLP, application identity aware policies Segmentation of applications, servers End Point Security Desktop AV agents, Host based intrusion DLP agents for privacy End Point Protection 13
Simple Definition of a Virtual Datacenter The isolated and secured share of a virtualized multitenant environment. Like a physical datacenter shares the Internet for interconnectivity, the tenants of a cloud (public or private) share the local network within the private datacenter or in the service providers network, and also like a physical datacenter, each tenant also has their own private, isolated, and secured virtual networking infrastructure. DMZ Tenant 1 Tenant 2 Tenant App1 App2 DMZ App1 App2 DMZ App1 App2 14
Securing virtual Data Centers (vdc) with legacy security solutions Internet PERIMETER SECURITY WEB ZONE INTERNAL SECURITY APPLICATION ZONE DATABASE ZONE ENDPOINT SECURITY Air Gapped Pods with dedicated physical hardware Mixed trust clusters without internal security segmentation Configuration Complexity vsphere vsphere vsphere o VLAN sprawl VIRTUALIZED DMZ WITH FIREWALLS o Firewall rules sprawl o Rigid network IP rules without resource context Private clouds (?) Legacy security solutions do not allow the realization of true virtualization and cloud benefits 15
Air Gapped Design Costly and Inefficient Internet Remote Access VPN Gateway VPN Gateway VPN Gateway L2-L3 Switch L2-L3 Switch L2-L3 Switch Aggregation Firewall Firewall Firewall Load Balancer Load Balancer Load Balancer Access Switch Switch Switch vsphere vsphere vsphere vsphere vsphere vsphere Company X Company Y Company Z 16
Multi-tenancy Physical Firewall and VLAN Internet Access- Aggregation L2-L3 Switch VLAN1000 VLAN 1001 VLAN 1002 Firewalls VLAN 1002 VLAN 1001 VLAN 1000 Legend : PG-X PG-Y PG-Z Port group Company X n/w Port group Company Y n/w Port group Company Z n/w VLAN 1000 VLAN 1001 VLAN 1002 vds/vss Port group to VM Links PG-X (vlan1000) PG-Y (vlan 1001) PG-Z (vlan 1002) Virtual to Ext. Switch Links VMware vsphere + vshield Company X Company Y Company Z 17
Multi-tenancy Virtualization Aware Internet Access- Aggregation L2-L3 Switch Infrastructure VLAN (VLAN 1000) Legend : Provider VLAN (VLAN 100) PG-X PG-Y PG-Z PG-C Port group Company X n/w Port group Company Y n/w Port group Company Z n/w External uplink Port group VLAN1000 VLAN1000 VLAN1000 Internal Company Links External Up Link vds vds to Ext. Switch Links PG-X(vlan1000) PG-C(vlan100) PG-Y(vlan1000) PG-Z(vlan1000) VMware vsphere + vshield vshield Edge VM Traffic flow not allowed Company X Company Y Company Z 18
Enforce Microsegmentation Inside the vdc Protect applications against Network Based Threats Application-Aware Full Stateful Packet Inspection FW Control on per-vm/per vnic level Web Virtual Datacenter 1 App See VM-VM traffic within the same host Security groups enforced with VM movement Database DISA & PCI Virtual Datacenter 2 CIS & PCI VMware vsphere + vcenter ESX Hardening Cluster B Cluster A 19
Offload Endpoint Based Security Functions with VM Introspection Techniques Improves performance and effectiveness of existing endpoint security solutions Offload Functions AV File Integrity Monitoring Application Whitelisting 20
Virtualized Security and Edge Services Cloud Aware Security Elastic Logical Efficient Automated Programmable Security as a Service Edge/Perimeter Protection Secure the edge of the virtual datacenter Security and Edge networking services gateway Internal Security and Compliance Micro-segmentation Discover and report regulated data in the Datacenter and Cloud Endpoint Security Efficient offload of endpoint based security into the cloud infrastructure i.e.- anti-virus and file integrity monitoring 21
Continuous and Automated Compliance Ongoing Change and Compliance Management Understand Pervasive Change Capture in-band and out-of-band changes Are you still Compliant? Remediate Exceptions Fit within current enterprise change mgmt workflow process Protect against vulnerabilities Hypervisor-based anti-virus provides superior protection Patch Management guards against known attacks Software provisioning tied to compliance Day to day vulnerability checks Remediate (RFC Optional) Compliant State Deployed from Gold Standard Compliant State Noncompliant State Planned Change Unplanned Change Mark as Exception 22
Conclusion The Cloud Had Great Benefits and like any Technology its Associated Risks These Risks Can Be Mitigated With Proper Controls The Classic Principles of Information Security Should be Applied Key Architecture Decisions must be made for Security Tools Designed for the Cloud Must Be Utilized 23 Confidential
Questions? Rob Randell, CISSP Senior Security and Compliance Specialist