
The Virtualization Practice White Paper: Security Requirements of Hybrid Clouds: A Product Comparison

Edward L. Haletky, Analyst, Virtualization and Cloud Security, The Virtualization Practice
Sponsored by Symantec
Version 1.0, February 2013
Copyright 2013 The Virtualization Practice, LLC. All Rights Reserved. All other marks are property of their respective owners.

Abstract

For the past few years I've been working on comparing virtualization and hybrid cloud security products, identifying what they protect, and where they fit within the virtual and cloud environment. One aspect of this type of comparison is determining requirements and figuring out what to secure. Ultimately, we need to secure our data to be compliant, but how that is done depends on requirements. In this white paper I present the requirements tied to a reference architecture in order to determine where each set of solutions from each company fits into the secure hybrid cloud.

Table of Contents

II. Requirements
III. Hypervisor Vendor Provided
    VMware vCloud Suite
    Microsoft Hyper-V
    Citrix XenServer / Red Hat Enterprise Virtualization (RHEV)
IV. Third Parties
    Trend Micro
    McAfee
    Symantec
V. Conclusion
VI. About The Virtualization Practice
VII. About Symantec
VIII. References

II. Requirements

Requirements come from an organization's security and compliance policies, but these requirements should also address a defense-in-depth approach based on how and what data flows through the secure hybrid cloud. Some data needs more security than other data. As such, we present here a logical reference architecture taken from The Virtualization Practice's Secure Hybrid Cloud Reference Architecture, to provide a fail-safe defense in depth with properly placed security controls. This translates into a set of logical controls based on the way data flows through the hybrid cloud environment, and that flow starts with the end user computing device. Eventually the end user computing device talks to a datacenter, and inside that datacenter exists some form of defense in depth whose requirements follow.

While we can never forget the security of the end user computing device, its varied forms make that a daunting task. So for this purpose we ignore the end user computing device and start only within the data center. We also assume that all communication to the device is unprotected unless an encrypted virtual private network is in use to our external switch, and since we are discussing hybrid clouds we assume the internals of the hybrid cloud are 100% virtualized.

Figure 1: Complete Hybrid Cloud Defense in Depth

Given that we have a 100% virtualized cloud we can assume a few more items: virtual switches will be involved, there is a need for defense in depth within the virtual environment as well as the physical environment, and these should work hand in hand. As such we have a logical diagram of defense-in-depth protections in Figure 1. Figure 1 is divided into rows and columns but, more importantly, shows a flow of data and policy within the virtual and cloud environments.

Row 2 is more about the virtual machines (2B and 2D) and applications (2A) to be run within your virtual environment, as well as the defense in depth that surrounds the virtual machines (2C and 2E) in the form of introspective APIs, through which security can get as close to the virtual machines as possible without having to understand either the application or the guest operating systems involved. In essence, introspection sits below the virtual machine. These APIs provide additional security functionality, and while they are available on most hypervisors, only one (vSphere) has fully implemented them.

Row 3 is about endpoint security, a very important part of any defense in depth as well as a way to meet compliance requirements. This is the layer of our logical requirements and architecture where many third-party vendors have products, as the hypervisor vendors do not truly implement this layer; instead they concentrate on providing APIs to enable workload offload and introspective capabilities. In some cases there are proof-of-concept products from hypervisor vendors that fit this space, but they are very limited.

Row 4 holds base requirements for most defense-in-depth implementations seen today, and all but Early Warning Systems (4A) are well known today for both the physical and virtual environments. Early Warning Systems specifically designed for a virtual environment do not necessarily exist today, but they are becoming available. This is an opportunity for security vendors.

The last element of our requirements and reference architecture is a security assessment that wraps the entire hybrid cloud environment. This assessment should cover as many compliance requirements as possible but also provide a real measure of security, not just compliance.

III. Hypervisor Vendor Provided

Each hypervisor vendor provides some level of security that meets some of our requirements but not all. For that we always need to include third-party products.
We will look at third-party plugins later, but for now we need to see what each hypervisor vendor brings to the table.

VMware vCloud Suite

VMware brings one of the more complete solutions to the table. They have filled almost all our requirements in rows 1 (infrastructure) and 2 (virtual machine protection), and they offer a comprehensive assessment tool; however, they are lacking in the last two rows (3 and 4) with respect to endpoint security and the more traditional components of any defense in depth. After all, VMware is not a security vendor, even though they provide security tools and APIs for use with security. Figure 2 shows what VMware brings to the table, with colored boxes indicating that VMware has a solution for the requirement, while partially colored boxes imply a partial solution within their security tool portfolio. Those elements in white (1C, etc.) are missing from VMware's security portfolio.

However, as we stated before, VMware provides a comprehensive set of APIs, and they have a proof of concept for data loss prevention (vCNS App + Data Security) that covers a very small part of all DLP requirements, specifically looking for indications of personally identifiable information (PII) such as social security, credit card, and other numbers in clear text within the virtual machine. Data Security does not prevent data from leaving the system but does look for unencrypted data. This proof of concept may actually be sufficient for small retail establishments, as it looks for specific personally identifiable information only. Hence it is a partial fill of the requirements. The other point on which VMware provides a partial capability is policy management. VMware can manage the policy of their own tools quite well and provides usable APIs into which third parties can connect, but does not manage the policy of more than their own tools. In the infrastructure arena the one major lack is the ability to provide an encrypted repository in order to maintain encryption of data at rest. Their approach is to depend upon third parties and underlying hardware.

Figure 2: VMware vCloud Suite (colored boxes => requirement met)

VMware vSphere itself provides some protections, but you really need VMware vCNS, SRM, and Configuration Manager (vCM) to provide the other bits of the puzzle, which are all available at differing levels of VMware vCloud Suite. vCM requires vCloud Suite Enterprise, but vCNS and SRM are available at vCloud Suite Standard. When you tie these tools with the Cisco Nexus 1000V or IBM 5000V virtual switch extensions, you gain more in the way of network port-level security than exists natively within VMware's virtual switch components.

Microsoft Hyper-V

Microsoft has provided a new version of their hypervisor, which adds quite a few features. From the security perspective, Microsoft has added more port-level network security capabilities, which on VMware vSphere are found only in third-party virtual switches, as well as the ability to encrypt data at rest by allowing encryption of the entire storage repository used by virtual machines.
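The clear-text PII check that the vCNS Data Security proof of concept performs can be made concrete with a small scanner of the same kind. What follows is an added example written for this page, not VMware's code: it looks for card-number-shaped and SSN-shaped digit runs, then filters them with the Luhn checksum and the SSA issuance rules so that a bare regex hit on a random number does not become a finding. The sample text it scans is constructed.

```python
"""Clear-text PII scanner of the kind the DLP proof of concept above performs.
Added example for this page, not VMware code. All input is constructed."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    kind: str      # "card" or "ssn"
    offset: int    # offset of the match in the scanned text
    masked: str    # value with all but the last four digits masked


# 13-19 digits, optionally separated by single spaces or dashes, not embedded in a longer digit run.
_CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# US Social Security number in the AAA-GG-SSSS form.
_SSN_RE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 checksum: every payment card number passes it, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right, fold to one digit
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Reject numbers the SSA never issues: area 000, 666, 900-999; group 00; serial 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


def mask(digits: str) -> str:
    return "*" * (len(digits) - 4) + digits[-4:]


def scan(text: str) -> list:
    """Return PII findings in offset order; values are masked so the report itself is not a leak."""
    findings = []
    for m in _CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            findings.append(Finding("card", m.start(), mask(digits)))
    for m in _SSN_RE.finditer(text):
        if ssn_plausible(*m.groups()):
            findings.append(Finding("ssn", m.start(), mask("".join(m.groups()))))
    return sorted(findings, key=lambda f: f.offset)


# Constructed sample of what a scanner might read out of a guest's file system or memory.
SAMPLE_TEXT = (
    "customer=J. Doe card=4111-1111-1111-1111 exp=12/26\n"
    "typo card=4111 1111 1111 1112 (fails Luhn, ignored)\n"
    "ssn=078-05-1120 backup=666-12-3456 (unissued area, ignored)\n"
    "order=9876543210 tracking=1Z999\n"
)


def example_findings() -> list:
    return scan(SAMPLE_TEXT)


if __name__ == "__main__":
    for f in example_findings():
        print(f"{f.kind:4s} @{f.offset:<4d} {f.masked}")
```

On the constructed sample the scanner reports one card and one SSN and ignores the Luhn-invalid card, the unissued SSN area and the plain order number. Like the proof of concept it only detects clear-text data; it does not stop the data from leaving, which is why the requirement remains only partially met.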

As seen in Figure 3, Hyper-V provides less overall functionality than VMware vCloud Suite, as indicated by the colored boxes.

Figure 3: Hyper-V + System Center Defense in Depth (colored boxes => requirement met)

Yet, when you add System Center to the mix for Hyper-V, you do gain the ability to manage your own Hyper-V based cloud, but without any new security controls. Microsoft provides the majority of the operating systems virtualized today, so most if not all of their endpoint security mechanisms are part of those operating systems. For Windows-based virtual environments these add quite a bit of benefit, but they are lacking for other operating systems, hence the requirements are not met for much of rows 2-4.

Citrix XenServer / Red Hat Enterprise Virtualization (RHEV)

The last entries in our hypervisor discussion are Citrix XenServer and RHEV, which is based on KVM. Figure 4 shows how Citrix XenServer and RHEV fare against our full list of requirements, with the colored boxes implying the requirement has been met. Other than port-level security provided by the Open vSwitch project, there are no vendor-provided additional security mechanisms available. While it is possible to deploy Linux systems as firewalls, proxies, and authentication and authorization sources, they are not bundled as part of the hypervisor or any cloud packages.

Figure 4: Xen/KVM/OpenStack Defense in Depth (colored boxes => requirement met)

IV. Third Parties

There exists a rich ecosystem surrounding each of these hypervisor vendors with respect to security offerings. Choosing a starting point is always difficult, so we are going to concentrate on those that fill in the requirements for rows 3 and 4 of our defense-in-depth logical architecture. In addition, we are also looking at any form of security assessment that meets not only many compliance requirements but also provides a real view of security within the hybrid cloud.

Trend Micro

One of the first to hook into the introspective APIs for VMware vSphere was Trend Micro with their Deep Security product. Now Trend Micro provides three products that fill in many of our requirements: Deep Security, SecureCloud, and Data Loss Prevention. These products combine to fill in our requirements as seen in Figure 5 (the grey-blue filled boxes) and as follows:

1C - Encrypted Repository, not for running virtual machines but for holding data accessed by those virtual machines; so while the VM is not protected, the data accessed by the application is protected.
2C and 2E - Deep Security provides a VMware VMsafe-Net based introspective firewall for VMware vSphere but not for any other hypervisor.
3A - Deep Security provides some level of application security for web service based applications through its implementation of a web reputation service.

3B - Deep Security provides offloaded antivirus on vSphere hosts using vSphere Endpoint Security mechanisms. In addition, Deep Security provides in-VM agents for anti-virus and anti-malware protection for systems that do not have an introspective component, such as physical systems, Hyper-V, Xen, or KVM.
3C - Deep Security also provides offloaded and in-guest file integrity monitoring.
3E - Data loss prevention exists as a part of Trend Micro's Data Loss Prevention product.
4B - Policy is managed from within Deep Security, and this policy can be used by SecureCloud to ensure data is not accessed unless all security requirements are met. In addition, Trend Micro offers a unified policy manager for many of their existing products.
4E - Log analysis is provided as a component of Deep Security.

Figure 5: Trend Micro Defense in Depth for vCloud Suite

The last and probably most important of our requirements, a full security assessment, is not met by Trend Micro themselves; instead they market a product from Qualys under their own brand. Since this product is a Software-as-a-Service, cloud-based application, there is a chance, depending on security policy, that some systems would not be assessed. Trend Micro misses some of our requirements in rows 3 and 4, but at the same time provides different approaches to solving some elements within rows 1 and 2, which we attribute directly to the virtual environment. Encryption of data at rest is one area where Trend Micro provides a necessary means to protect data.

McAfee

McAfee provides a wide range of products that fit our requirements; however, some fit better than others. McAfee products work with a virtualization environment and just recently started to use introspective APIs within VMware vSphere environments. Figure 6 shows which aspects of our requirements the McAfee products, which are concentrated on row 3 of our requirements, meet.

Figure 6: McAfee w/ VMware vCloud Suite

McAfee meets our requirements as follows:

3A - Application protection is met via some aspects of McAfee Application Control.
3B - McAfee MOVE meets our requirement for anti-virus and anti-malware protection; in addition, McAfee now provides introspective support for offloaded anti-virus and anti-malware detection.
3C - McAfee Application Control provides file integrity monitoring.
3D - McAfee Application Control provides mandatory access controls that make use of Solidcore's technology integrated into McAfee's products.
3E - McAfee's Data Loss Prevention Endpoint service provides data loss prevention and fills the last component of row 3.
4B - Policy for all McAfee products is controlled by their own ePolicy Orchestrator policy manager.
4E - Log analysis is provided by McAfee's Enterprise Log Manager.

McAfee fills out all of the very important aspects of row 3 (endpoint security) and leaves the virtual environment to the hypervisor vendor or some other third-party vendor. However, they show some lack in row 4 and within the security assessment requirement. It can be argued that McAfee has an authentication and authorization play as well through their work with the Cloud Security Alliance, but unfortunately there is no distinct product that meets these needs. While McAfee offers Total Protection for Compliance as a multi-compliance tool, they seem to be missing a tool that assesses overall security regardless of compliance, based instead on an organization's security policy.

Symantec

Symantec is the third of our series of endpoint protection vendors under investigation and, like McAfee, has targeted rows 3 and 4 of our requirements, as seen in Figure 7. In essence, they provide nearly every aspect of our requirements with some notable lacks (such as an encrypted repository, 1C; and, what all other vendors miss as well, an Early Warning System, 4A).

Figure 7: Symantec Defense in Depth for vCloud Suite

Symantec fills out our requirements with the following tools and products:

1B - Data replication is available through Symantec NetBackup and Backup Exec.
3A - Met via Symantec's ApplicationHA technology.
3B - Symantec Endpoint Protection (SEP) provides agent-based anti-virus and anti-malware protection using a heuristic approach to improve overall hit rates.

3C - Symantec Critical System Protection (CSP) provides agent-based file integrity monitoring.
3D - In addition, CSP provides mandatory access controls, whitelisting, and sandbox technologies to prevent applications from accessing ports, files, and other system resources.
3E - Symantec Data Loss Prevention provides data loss prevention support.
4B - Symantec has its own integrated management tool for managing policy across its suite of products.
4C - Authorization could be provided by Symantec O3.
4D - Authentication could be provided by Symantec O3.
4E - Symantec Security Information Manager provides log analysis capabilities.

Symantec also provides two methods to perform security assessments: through their Critical System Protection product for specific environments, and through the Symantec Control Compliance Suite (CCS). While CCS covers compliance, Critical System Protection covers more around security best practices for virtual environments, including such things as management system isolation and other hardening guidance from virtualization vendors.

V. Conclusion

Given our set of requirements and the data flow architecture within a secure hybrid cloud, it can easily be seen that no one tool will fit all our needs. You need a combination of tools that integrate together to provide a total defense in depth for any virtual or cloud environment. We have just touched the tip of the iceberg with this comparison. Instead of looking at just single products, we have endeavored to show you solutions from the leading endpoint security companies. These solutions look past endpoint security to try and fill in all the gaps that are present within a hybrid cloud spanning multiple hypervisors. Could one company provide you all the tools to fill in our requirements? Perhaps, but at the moment it is a combination of companies that must include the hypervisor vendor.
Security also needs to be centrally managed, and at the moment we see gaps in central management of security policy that is split between products from the same company, or split between the security company and the hypervisor vendor. Unified policy management and automation is a goal that can only be achieved today by scripting against sometimes hidden APIs.

When we combine technologies across all vendors we find that there is only one remaining gap in our defense in depth, and that is our Early Warning System. Unlike SIEM and other standard security tools, the Early Warning System we mention is a combination of tools tying into a SIEM but also into the application, to determine that something untoward or unexpected has happened within an application within moments of the unexpected action happening. Whether such an action is a security issue requires some research, but combining knowledge of the application's normal behavior with security tools allows us to see if things have gone wrong faster than ever before. At the moment no vendor has combined application performance management tools and security knowledge into a product, which is what is required to produce the early warning system we discuss.

Which groupings of tools are better? Well, that depends mostly on the organization and their existing products, security policies, and requirements. However, we can draw the conclusion that some single sources provide more coverage than others at this time. Does the count of tools within the solution matter? Not really; what does matter is whether or not they have integrated management, work within the virtual environment (and cloud), and meet our requirements. We have given you the requirements and how the tools from the vendors meet those requirements; it is now up to you to choose the best set for your environment.

VI. About The Virtualization Practice

The Virtualization Practice is the leading online resource of objective and educational analysis focusing upon the virtualization and cloud computing industries. Edward L. Haletky is the author of VMware vSphere(TM) and Virtual Infrastructure Security: Securing the Virtual Environment as well as VMware ESX and ESXi in the Enterprise: Planning Deployment of Virtualization Servers, 2nd Edition. Edward owns AstroArch Consulting, Inc., providing virtualization, security, network consulting and development, and The Virtualization Practice, where he is also an Analyst. Edward is the Moderator and Host of the Virtualization Security Podcast as well as a guru and moderator for the VMware Communities Forums, providing answers to security and configuration questions. Edward is working on new books on Virtualization.

VII. About Symantec

Symantec protects the world's information, and is the global leader in security, backup and availability solutions. Our innovative products and services protect people and information in any environment, from the smallest mobile device, to the enterprise data center, to cloud-based systems. Our industry-leading expertise in protecting data, identities and interactions gives our customers confidence in a connected world. More information is available at https://www.symantec.com/critical-system-protection.
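The Early Warning System (requirement 4A) that the Conclusion describes, and that no vendor in this comparison supplies, is essentially a detector that knows an application's normal behaviour and raises an alert the moment an event departs from it. The sketch below is an added example written for this page, not a product of Symantec, McAfee, Trend Micro or VMware: it learns from a known-good window which (action, target) pairs a workload performs and how many events per minute it generates, then flags the first never-seen action and any per-minute rate spike in a live stream. The event shape, the workload name orders-api and every timestamp are constructed; a real deployment would feed it from the SIEM and the application's own instrumentation as the paper suggests.

```python
"""Early-warning detector: application behaviour baseline joined with security-style events.
Added example for this page; not any vendor's product. All events are constructed."""
import statistics
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: float      # seconds on a constructed clock
    app: str       # workload name, e.g. "orders-api"
    action: str    # "connect", "read", "exec", ...
    target: str    # peer, path or binary the action touched


@dataclass(frozen=True)
class Alert:
    ts: float
    app: str
    reason: str
    detail: str


class Baseline:
    """What the application normally does, learned from a known-good window."""

    def __init__(self, bucket_seconds: float = 60.0):
        self.bucket = bucket_seconds
        self.known = {}       # app -> set of (action, target) seen during learning
        self.rates = {}       # app -> list of per-bucket event counts

    def learn(self, events):
        per_bucket = defaultdict(Counter)
        for e in events:
            self.known.setdefault(e.app, set()).add((e.action, e.target))
            per_bucket[e.app][int(e.ts // self.bucket)] += 1
        for app, counts in per_bucket.items():
            self.rates[app] = list(counts.values())

    def rate_limit(self, app: str, k: float = 3.0) -> float:
        """mean + k*stddev of learned per-bucket counts, +1 so a flat baseline still has slack."""
        counts = self.rates.get(app, [0])
        mean = statistics.fmean(counts)
        sd = statistics.pstdev(counts) if len(counts) > 1 else 0.0
        return mean + k * sd + 1


def detect(baseline: Baseline, live) -> list:
    """Walk events in time order; alert on each unexpected (action, target) and once per rate spike."""
    alerts = []
    per_bucket = defaultdict(Counter)
    spiked, unknown = set(), set()
    for e in sorted(live, key=lambda x: x.ts):
        if e.app not in baseline.known:
            if e.app not in unknown:          # an app with no baseline is itself unexpected
                unknown.add(e.app)
                alerts.append(Alert(e.ts, e.app, "unknown-app", f"{e.action} {e.target}"))
        elif (e.action, e.target) not in baseline.known[e.app]:
            alerts.append(Alert(e.ts, e.app, "unexpected-action", f"{e.action} {e.target}"))
        b = int(e.ts // baseline.bucket)
        per_bucket[e.app][b] += 1
        n = per_bucket[e.app][b]
        if n > baseline.rate_limit(e.app) and (e.app, b) not in spiked:
            spiked.add((e.app, b))
            alerts.append(Alert(e.ts, e.app, "rate-spike", f"{n} events in bucket {b}"))
    return alerts


def normal_minute(app: str, minute: int):
    """One minute of the constructed normal profile: 5 DB queries, 2 payment calls, 1 config read."""
    base = minute * 60.0
    evs = [Event(base + 5 * i, app, "connect", "db:5432") for i in range(5)]
    evs += [Event(base + 30 + 10 * i, app, "connect", "payments:443") for i in range(2)]
    evs.append(Event(base + 55, app, "read", "/etc/app/config"))
    return evs


TRAINING = [e for m in range(10) for e in normal_minute("orders-api", m)]

LIVE = normal_minute("orders-api", 10) + normal_minute("orders-api", 11)
LIVE.append(Event(631.0, "orders-api", "exec", "/bin/sh"))                          # web-shell-like spawn
LIVE += [Event(661.0 + i, "orders-api", "connect", "db:5432") for i in range(12)]   # query burst


def example_alerts() -> list:
    baseline = Baseline()
    baseline.learn(TRAINING)
    return detect(baseline, LIVE)


if __name__ == "__main__":
    for a in example_alerts():
        print(f"t={a.ts:.0f}s {a.app} {a.reason}: {a.detail}")
```

Run against the constructed stream, the detector raises the exec of /bin/sh at the second it happens (a known action type against an unknown target) and the query burst as soon as the minute's count passes the learned limit, while the two ordinary minutes and the whole training window produce nothing. Whether either alert is a compromise still needs the research the paper mentions; what the approach buys is that the question is asked within the minute rather than at the next log review.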

VIII. References

Edward L. Haletky. VMware vSphere(TM) and Virtual Infrastructure Security: Securing the Virtual Environment. Prentice Hall PTR, 1st edition (June 2009).

Edward L. Haletky. Secure Hybrid Cloud Reference Architecture. The Virtualization Practice, LLC (www.virtualizationpractice.com), Version 1.1 (September 2012). http://www.virtualizationpractice.com/?file_id=380