RSA Security Solutions for Virtualization




RSA Security Solutions for Virtualization Grzegorz Mucha grzegorz.mucha@rsa.com

- Securing the Journey to the Cloud
- The RSA Solution for Virtualized Datacenters
- The RSA Solution for VMware View
- The RSA Solution for Cloud Security and Compliance

Question: Does your IT security address the risks associated with virtualization and private cloud before they are implemented?
Responses, in the order listed on the slide (24%, 43%, 22%, 11%): Yes, in all cases; In some cases, but there are gaps; No, security is brought in after the fact; The business moves ahead without security.
What do these numbers mean? Why is this bad?
- Restricted potential value
- Increased potential for data breaches
Source: Live EMC Forum poll conducted in 5 cities across N. America, 10/09

Securing the Journey to the Cloud
Stages: IT Production (Lower Costs); Business Production (Improve Quality of Service); IT-as-a-Service (Improve Agility)
% Virtualized: 15%, 30%, 70%, 85%, 95%
Tiers: Platinum, Gold
Security focus, as listed on the slide:
- Secure multi-tenancy, verifiable chain of trust
- Security compliance, information-centric security, risk-driven policies, IT and security operations alignment
- Visibility into virtualization infrastructure, privileged user monitoring, access management, network security

Gartner: Most Common Security Risks in Data Center Virtualization Projects*
"Gartner Says 60 Percent of Virtualized Servers Will Be Less Secure Than the Physical Servers They Replace Through 2012"
Gartner risks:
- Information Security Isn't Initially Involved in the Virtualization Projects
- Compromise of the Virtualization Layer Could Result in the Compromise of All Hosted Workloads
- Workloads of Different Trust Levels Are Consolidated Onto a Single Physical Server Without Sufficient Separation
- Adequate Controls on Administrative Access to the Hypervisor/VMM Layer and to Administrative Tools Are Lacking
- There Is a Potential Loss of Separation of Duties for Network and Security Controls
How RSA can help, as listed on the slide: Security Virtualization Assessment, RSA enVision, RSA DLP Suite, RSA enVision, RSA SecurID, RSA SecurID
* http://www.gartner.com/it/page.jsp?id=1322414

Better Security with Virtualization: End-to-end chain of trust and visibility (physical and virtual)
Diagram labels: Trusted zone; DMZ; APP/OS virtual machines; VM layer; Virtual Infrastructure (including hypervisor); Compute, Network, Storage; Unified Point of Control; Unified Reporting; Efficient, Flexible
- Logical security zones that move with virtual machines (e.g., VMware vShield Zones virtual firewall)
- Deep visibility and unified reporting (e.g., RSA enVision and RSA Archer support for VMware)
- Security controls embedded deep within virtual infrastructure (e.g., VMsafe APIs for deep security introspection)
- Integrity monitoring for hardware and hypervisor to ensure a trusted computing environment (e.g., Intel, VMware, RSA PoC)

The RSA Solution for Virtualized Datacenters

RSA SecurID: 2-Factor Authentication
Diagram: the token and Authentication Manager each combine the same seed, the same time and the same algorithm, and so arrive at the same OTP (159759 on both sides).
- Time-based OTP has precise clock that changes password every 60 seconds
- Multiple form factors of tokens
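
The "same seed, same time, same algorithm" relationship on the SecurID slide, as an added Python example that is not from the original deck. RSA SecurID's own algorithm is not described on the page, so the open HOTP/TOTP construction (RFC 4226 / RFC 6238) stands in for it with a 60-second step; `AuthServer`, the token serial and the drift window are assumptions.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60   # the slide's 60-second code lifetime
DIGITS = 6          # same length as the slide's sample code


def otp_at(seed: bytes, unix_time: int) -> str:
    """HOTP (RFC 4226) over a 60-second time-step counter, as in RFC 6238.

    Stand-in algorithm: this is not RSA SecurID's own function.
    """
    counter = unix_time // STEP_SECONDS
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


class AuthServer:
    """Hypothetical verifier that stores one seed per token serial."""

    def __init__(self, seeds, drift_steps=1):
        self.seeds = seeds                # serial -> shared seed
        self.drift_steps = drift_steps    # tolerated clock drift, in steps
        self.last_step = {}               # serial -> newest accepted step

    def verify(self, serial: str, code: str, server_time: int) -> bool:
        seed = self.seeds.get(serial)
        if seed is None:
            return False
        now_step = server_time // STEP_SECONDS
        first = max(0, now_step - self.drift_steps)
        for step in range(first, now_step + self.drift_steps + 1):
            expected = otp_at(seed, step * STEP_SECONDS)
            if hmac.compare_digest(expected, code):
                # A code from an already-used (or older) step is a replay.
                if step <= self.last_step.get(serial, -1):
                    return False
                self.last_step[serial] = step
                return True
        return False


if __name__ == "__main__":
    seed = b"12345678901234567890"        # constructed seed (RFC 4226 test key)
    server = AuthServer({"token-0001": seed})
    code = otp_at(seed, 59)               # token clock, still in step 0
    print(code, server.verify("token-0001", code, 65))   # server clock in step 1
    print(server.verify("token-0001", code, 65))          # same code replayed
```

The server accepts a code only inside its drift window and only once, which is why token and server clocks must stay close.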

RSA enVision: Event Log Management
- Simplifying Compliance: compliance reports for regulations and internal policy (Reporting, Auditing)
- Enhancing Security: real-time security alerting and analysis (Forensics, Alert / correlation)
- Optimizing IT & Network Operations: IT monitoring across the infrastructure (Network baseline, Visibility)
Purpose-built database (IPDB)
RSA enVision Log Management Platform
Event sources: Security Devices; Network Devices; Applications / Databases; Servers; Storage

Event Anomaly Recognized

enVision in the VMware Environment
- enVision Collector uses VMware native APIs to retrieve the logs from vCenter and all ESX/ESXi servers
- Only SIEM that collects 2 distinct logs from VMware environment through 1 seamless, agentless connection: vCenter logs and ESX/ESXi server logs
- 19 event categories (Auth.Failures, System.Shutdown, etc.)
- Over 380 distinct messages (vMotion, Snapshots, User Login, VM Power On/Off/Reset, VM Clone, etc.)
- Ease of analysis, implementation and change control in VMware environment

Auto Discover All Managed ESX Servers through Virtual Center

Purpose-built Virtualization Reports

Easily Build Customized Virtualization Reports

enVision Dashboard: VMware Events and Activity

Vblock: A New Way of Delivering IT to Business
- Production-ready: pre-integrated, tested and modular packages of virtualized infrastructure
- Best-of-breed technologies:
  - Compute: Cisco UCS
  - Network: Cisco Nexus family, Cisco MDS 9000 series
  - Storage: EMC Symmetrix V-Max or EMC Unified Storage (Celerra and CLARiiON)
  - Hypervisor: VMware vSphere 4
  - Management: Cisco UCS Manager, EMC Ionix Unified Infrastructure Manager, VMware vCenter
  - Security: RSA

RSA's Approach to Securing Vblock
1. Secure the core Vblock platform (VMware, Cisco, EMC components)
2. Secure each application validated with Vblock (e.g., VMware View, SAP)
Central Security Management and Reporting

Secure the Core Vblock Platform (Validated with Vblock)
- VMware administrator: RSA SecurID, strong authentication before access to ESX Service Console and vSphere Management Assistant
- Security and compliance officer: RSA enVision, comprehensive visibility into security events; security incident management, compliance reporting
Diagram labels: Virtual Machines and Applications; vSphere; UCS; Storage

enVision Dashboard: Monitoring Vblock Event Sources by Event Category

Understand and Monitor Admin Activity of your Virtualized Storage

Understanding Activity in your Virtualized World
- Do you need to be alerted when VMs are restarted?
- Do you need to monitor permission changes in VMware?
- Would you like to know when VMs are being created and by whom?
- Would you like to know when VMs are moved to another ESX Server?
- Would you like to know when Virtualized Storage has been reconfigured?
- Do you need to incorporate VMware activity into your Compliance Audits?
- Would you like to be able to correlate events from VMware administration with events from the Operating Systems Logs and Application Logs?

Use Case Scenarios
- Protecting Management Console
- Applying Patch to Production System
- Lost Laptop
- Unauthorized Administrator

Scenario: Apply Patch to Production System - Before
Diagram labels: Production Datacenter and Test Environment, each with HR Application Server VM, HR Database Server VM and HRDB (Name, SSN, DoB, etc.); PATCH
A common way to apply patches is to try them out in a test environment. This is difficult and time-consuming in a production environment, but very easy in a virtual environment. In a virtual world you can clone the system, data and all.
1. Clone virtual environment
2. Test Patch
3. Apply Patch to production environment
Questions raised:
- Is the test environment sufficiently protected & controlled?
- Is this an authorized procedure?
- Who accessed the production data in the test environment?
- Was the VM destroyed after it was used?

Scenario: Apply Patch to Production System - After
Diagram labels: Production Datacenter and Test Environment, each with HR Application Server VM, HR Database Server VM and HRDB (Name, SSN, DoB, etc.); PATCH
1. Clone virtual environment
2. Test Patch
3. Apply Patch to production environment
Events shown: VM Cloned; Patch Applied; VM Deleted
- RSA enVision can log the administrative activity from vCenter, like the VM being cloned
- If this is out of policy we can alert a security analyst
- If the test environment is properly protected, then it will also be monitored by RSA enVision

Scenario: Protecting Your Management Console
- Remote desktop into your Management LAN via VPN
- SSL VPN supporting RSA SecurID
Diagram labels: Management LAN; vCenter Server; ESX Service Console; Vblock Management Console

Scenario: Unauthorized Administrator
Diagram labels: PCI Zone; Non-PCI Zone; Store Management Windows VM; Transaction Management Application; Transaction DB (credit card numbers); Active Directory; "Authorized PCI Admin?"
- In a PCI environment, you need to validate that only authorized administrators are modifying the system
- Suppose permissions are set up incorrectly, and an unauthorized administrator can move a VM
- Event shown: VM Moved by kpbrady
- RSA enVision logs what activities were performed and by whom
- RSA enVision can check against a watchlist of authorized PCI administrators
- If the administrator is not authorized, RSA enVision can alert a security analyst
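
The checks described in the patching and unauthorized-administrator scenarios, as an added Python example (not RSA enVision code or its log format). It flags a PCI-zone VM change by a user missing from the watchlist, and a clone of a sensitive VM that is never deleted. The event fields, VM names, `hradmin`, `pciadmin1` and the 24-hour clone limit are constructed assumptions; `kpbrady` is the user named on the slide.

```python
import json
from datetime import datetime, timedelta

# Constructed, normalized admin-activity events (not a real vCenter/enVision format).
SAMPLE_EVENTS = """
{"ts": "2010-06-01T09:00:00", "user": "hradmin", "action": "vm_cloned", "vm": "hr-db-vm", "clone": "hr-db-test1"}
{"ts": "2010-06-01T09:30:00", "user": "hradmin", "action": "patch_applied", "vm": "hr-db-test1"}
{"ts": "2010-06-01T10:00:00", "user": "hradmin", "action": "vm_deleted", "vm": "hr-db-test1"}
{"ts": "2010-06-01T11:00:00", "user": "pciadmin1", "action": "vm_moved", "vm": "transaction-db"}
{"ts": "2010-06-01T11:05:00", "user": "KPBrady", "action": "vm_moved", "vm": "transaction-db"}
{"ts": "2010-06-01T12:00:00", "user": "hradmin", "action": "vm_cloned", "vm": "hr-db-vm", "clone": "hr-db-test2"}
{"ts": "2010-06-01T12:10:00", "user": "hradmin", "action": "vm_cloned", "vm": "hr-db-test2", "clone": "hr-db-test3"}
{"ts": "2010-06-01T13:00:00", "user": "hradmin", "action": "vm_deleted", "vm": "hr-db-test3"}
"""

# Assumed policy inputs; the slide's watchlist would come from Active Directory.
PCI_ZONE_VMS = {"transaction-db", "transaction-app"}
AUTHORIZED_PCI_ADMINS = {"pciadmin1"}
SENSITIVE_VMS = {"hr-db-vm"}
CHANGE_ACTIONS = {"vm_moved", "vm_cloned", "vm_deleted", "permission_changed"}
MAX_CLONE_AGE = timedelta(hours=24)


def parse_events(text):
    """Parse one JSON event per line and return them in time order."""
    events = []
    for line in text.strip().splitlines():
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        ev["user"] = ev["user"].lower()   # directory logon names are case-insensitive
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect(events, as_of):
    """Return (rule, user, vm) alerts for the two scenarios."""
    alerts = []
    open_clones = {}   # clone name -> event that created it
    for ev in events:
        action, vm, user = ev["action"], ev["vm"], ev["user"]
        # Scenario "Unauthorized Administrator": watchlist check on PCI changes.
        if vm in PCI_ZONE_VMS and action in CHANGE_ACTIONS \
                and user not in AUTHORIZED_PCI_ADMINS:
            alerts.append(("unauthorized_pci_change", user, vm))
        # Scenario "Apply Patch": a clone carries the data, and so does a
        # clone of a clone, so both are tracked until they are deleted.
        if action == "vm_cloned" and (vm in SENSITIVE_VMS or vm in open_clones):
            open_clones[ev["clone"]] = ev
        elif action == "vm_deleted":
            open_clones.pop(vm, None)
    for clone, ev in open_clones.items():
        if as_of - ev["ts"] > MAX_CLONE_AGE:
            alerts.append(("stale_sensitive_clone", ev["user"], clone))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_EVENTS), datetime(2010, 6, 3)):
        print(alert)
```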

RSA Solution for VMware View

Today's Endpoint Security Challenges
Expensive but still vulnerable:
- 60% of the security budget is consumed by endpoint security software (1)
- Lost or stolen laptops are the largest single source of breaches (2)
Gateway to infection and theft:
- 35% of infected PCs had up-to-date antivirus software installed (3)
- Malware, typically contracted through web browsing, contributed to 82% of records compromised in 2009 (4)
Diagram labels: Fraudsters; Physical endpoint; Virtual Data Center; Online Banking, Social Networking, e-commerce, etc.
Source: (1) Gartner, Inc. (2) OSF Data loss DB (3) Panda Labs (4) Verizon Business

So how does VDI make me more secure?

How VDI addresses the Lost Laptop Scenario
Diagram labels: vShield protected network; RSA SecurID; Endpoint with NO sensitive data; Virtual Desktop with access to sensitive data; Application with sensitive data
- Virtual Desktop: no USB or only secure USB allowed via RSA DLP
- Network access controlled via VMware vShield
- The process is fully logged by RSA enVision

RSA Solution for VMware View (Validated with Vblock)
- VMware VCM for security config and patch management
- RSA DLP for protection of data in use
- RSA SecurID for remote authentication
- RSA SecurID for ESX Service Console and vMA
- RSA enVision log collection: VMware vCenter & ESX(i), VMware View, RSA SecurID, RSA DLP, Active Directory
Diagram labels: VMware Infrastructure; Active Directory; VMware View Manager; VMware vCenter; Clients

RSA SecurBook for VMware View
- RSA Solutions: multi-product solutions, validated in the RSA Solutions Center
- RSA SecurBooks: guides for planning, deploying, and administering RSA solutions; comprehensive reference architecture, screenshots, practical guidance
- Google: rsa securbook view

RSA Solution for Cloud Security and Compliance

Security-Specific Factors That Would Enable More Widespread Usage of Server Virtualization
From an information security perspective, which of the following developments need to take place in order to enable more widespread server virtualization usage? (Percent of respondents, N=105, multiple responses accepted)
- More secure virtualization management and operations: 33%
- Virtual security tools that use the same formats as my physical security devices: 33%
- Compliance management tools that recognize virtual server events: 27%
- Need better tools to identify and configure relationships between virtual machines: 26%
- Tighter integration between security management and security management tools: 26%
- A better understanding of how server virtualization security will align with cloud-based security services: 24%
- Data/storage encryption to protect virtual machines on disk: 24%
- Virtual firewalls and filtering devices to secure virtual machine to virtual machine traffic: 23%
- Network encryption to protect virtual machines in flight: 22%
- Additional virtualization training for security staff: 20%
- Log management or SIEM tools that recognize virtual server events: 18%
- New host-based security tools designed for virtual servers: 16%
Source: 2010 Enterprise Strategy Group

Customer Challenges
Business Objective (CIO): Accelerate/start virtualization of business critical apps to continue optimizing costs
Business Objective (CISO): Manage risk and compliance while going from IT production to business production
Pains:
- Lack of visibility into and control over security and compliance status of the virtual infrastructure
- Difficult to rationalize the complexity of compliance requirements across virtual and physical environments
- Lack of guidance and orchestration for securing virtual infrastructure comprehensively
- High cost and difficulty of responding to compliance audits for virtual environments
- Inefficient management of security and compliance across IT and security operations teams
- Lack of consistency in physical and virtual security increases cost and complexity of virtualization
- Fragmented views of data across hybrid infrastructure cause delays in identifying risk and compliance breaches/concerns


How we do it: Solution Components v1.0
RSA Archer eGRC Platform:
- 130+ control procedures mapped to VMware best practices
- Automated deployment workflow, configuration measurement, incident notification and reporting
- Maps technical security controls to Authoritative Sources (regulations like PCI)
- Single business view of compliance for both physical and virtual
RSA enVision (SIEM):
- Correlate security and compliance events across virtual and physical environments, fed into Archer (e.g., VMware vShield, VMware vCloud Director, HyTrust Appliance, EMC Ionix, etc.)
RSA Data Loss Prevention (DLP) Suite
RSA SecurBook

Enabling the Cycle of Security Compliance (RSA Archer eGRC)
- Discover VMware infrastructure
- Define security policy
- Manage security incidents that affect compliance
- Manual and automated configuration assessment
- Remediation of non-compliant controls

Enabling the Cycle of Security Compliance (RSA Archer eGRC)
What's New: Over 100 VMware-specific controls added to Archer library, mapped to regulations/standards
Cycle: Discover VMware infrastructure; Define security policy; Manage security incidents that affect compliance; Manual and automated configuration assessment; Remediation of non-compliant controls

RSA Archer: Mapping VMware security controls to regulations and standards
- Authoritative Source: regulations (PCI-DSS, etc.). Example: 10.10.04 Administrator and Operator Logs
- Control Standard: generalized security controls. Example: CS-179 Activity Logs (system start/stop/config changes etc.)
- Control Procedure: technology-specific control. Example: CP-108324 Persistent logging on ESXi Server
Audience labels on the diagram: CxO; VI Admin

Discover VMware infrastructure and define policy/controls to manage

Distribution and Tracking Control Procedures
Roles shown: Security Admin; Server Admin; Project Manager; Network Admin; VI Admin

Enabling the Cycle of Security Compliance (RSA Archer eGRC)
What's New: New solution component automatically assesses VMware configuration and updates Archer
Cycle: Discover VMware infrastructure; Define security policy; Manage security incidents that affect compliance; Manual and automated configuration assessment; Remediation of non-compliant controls

Initial Deployment Questionnaire

Automated Assessment via PowerCLI (RSA Archer eGRC)
- Automatically discover and assess VMware infrastructure via PowerCLI
- VMware objects (ESX, vSwitches, etc.) are automatically populated into Archer
- They are then mapped to control procedures
- Over 40% are automatically assessed via PowerCLI and the results fed into Archer for reporting and remediation


Control Procedure List, Status and Measurement Method

Deployment and Remediation Work Queues

Overall Virtual Infrastructure Compliance Dashboard

Enabling the Cycle of Security Compliance (RSA Archer eGRC)
What's New: RSA enVision collects, analyzes and feeds security incidents from RSA, VMware and ecosystem products to inform Archer dashboards (e.g., DLP, vShield, HyTrust, etc.)
Cycle: Discover VMware infrastructure; Define security policy; Manage security incidents that affect compliance; Manual and automated configuration assessment; Remediation of non-compliant controls

RSA Solution for Cloud Security and Compliance: Architecture
Diagram labels: Regulations, standards; Generalized security controls; VMware-specific security controls; Automated assessment; RSA enVision; Configuration State; VMware cloud infrastructure (vSphere, vShield, VCD); Security Events; Ecosystem (HyTrust, Ionix)

VMware vShield Network Security Events Fed to Archer

Overall Compliance Dashboard and Reporting: Physical and Virtual

RSA SecurBook
A technical guide for deploying and operating RSA Solution for Cloud Infrastructure
Model: RSA SecurBook for VMware View / MS SharePoint
- Solution architecture
- Solution deployment and configuration guides
- Operational guidance for effectively using the solution
- Troubleshooting guidance

www.rsa.com/virtualization