RSA Solution for Cloud Security and Compliance


10 Dec 2013 (3 years and 6 months ago)

203 views

RSA Solution for Cloud Security and Compliance

RSA, The Security Division of EMC

Bernard Montel, Technical Director, RSA France
Bernard.montel@rsa.com


Customer Challenges, Key Messages

Solution Capabilities

Cloud Computing by NIST and VMware

Cloud is a way of doing computing. Cloud Computing is an approach to computing that leverages the efficient pooling of on-demand, self-managed virtual infrastructure, consumed as a service.

Diagram: Cloud Service Providers, Enterprises, and the Bridging between them.

Hybrid Cloud: composition of 2 or more interoperable clouds, enabling data and application portability.

Public Cloud: accessible over the Internet for general consumption.

Private Cloud: operated solely for an organization, typically within the firewall.

Security-Specific Factors That Would Enable More Widespread Usage of Server Virtualization

Source: © 2010 Enterprise Strategy Group

[Bar chart: "From an information security perspective, which of the following developments need to take place in order to enable more widespread server virtualization usage?" (Percent of respondents, N=105, multiple responses accepted). Responses ranged from 16% to 33% per option; the per-option values cannot be recovered from this extraction.]

Response options shown:
- New host-based security tools designed for virtual servers
- Log management or SIEM tools that recognize virtual server events
- Additional virtualization training for security staff
- Network encryption to protect virtual machines in flight
- Virtual firewalls and filtering devices to secure virtual machine to virtual machine traffic
- Data/storage encryption to protect virtual machines on disk
- A better understanding of how server virtualization security will align with cloud-based security services
- Tighter integration between security management and security management tools
- Need better tools to identify and configure relationships between virtual machines
- Compliance management tools that recognize virtual server events
- Virtual security tools that use the same formats as my physical security devices
- More secure virtualization management and operations

Customer Challenges

- Lack of visibility into and control over security and compliance status of the virtual infrastructure
- Lack of guidance and orchestration for securing virtual infrastructure comprehensively
- High cost and difficulty of responding to compliance audits for virtual environments
- Inefficient management of security and compliance across IT and security operations teams
- Difficult to rationalize the complexity of compliance requirements across virtual and physical environments
- Lack of consistency in physical and virtual security increases cost and complexity of virtualization
- Fragmented views of data across hybrid infrastructure cause delays in identifying risk and compliance breaches/concerns

PAINS

Business Objective (CISO): Manage risk and compliance while going from IT production to business production

Business Objective (CIO): Accelerate/start virtualization of business critical apps to continue optimizing costs

Negative Consequences

- Increased risk of fines and failed audits
  - "we are flying blind"
  - "we are going to be painted into a corner" (if something that fails an audit gets into production and the company is committed, it is really hard to fix it later!)
  - Policy for meeting regulations (e.g. PCI) in virtualized environments still evolving
- Compliance concerns stall the adoption of virtualization
  - Mission critical applications with sensitive data are riskier
  - Segmenting regulated data onto separate virtualized hardware
  - Limits the cost savings inherent in virtualization

Negative Consequences (cont.)

- Responding to audits is time consuming, error prone and costly
  - Across mixed virtual and non-virtual IT infrastructure
  - No time for other value-added security projects
  - 20% of IT time and resources spent on compliance; this is compounded by virtualization
- Delays in identifying risk and compliance breaches/concerns
  - Due to fragmented views across virtual and physical infrastructure

The Enterprise Journey to the Hybrid Cloud

[Diagram: the journey runs from IT Production to Business Production to IT-As-A-Service, with the goals Lower Costs, Improve Quality Of Service and Improve Agility. The % Virtualized axis is marked at 15%, 30%, 70%, 85% and 95%; High Availability and Data Protection are shown along the path, and Public cloud adoption moves through Software as a Service, Platform as a Service and Infrastructure as a Service.]

Securing the Enterprise Journey to the Cloud

- Integration with enterprise security processes
- Hardening
- Identity management
- Multi-factor authentication
- Information and workload control
- Security patches
- Compliance monitoring
- Trust management
- Visibility and compliance
- Service provider control
- Security event management


Use Case Examples

Use Case: Reducing Risk of VM Theft

Risk: Securing virtual infrastructure is often a checklist of best practices. Hardening a VMware environment is complex and difficult to verify. What can I do to limit the risk of VM theft from my datacenter?

Need to take preventative steps that limit access to the VM files in the first place, e.g.:

- Disable Datastore Browser
- Storage user access
- Limit use of service console
- Use least privileged role concept for system and data access (also: possible strong authentication to ensure access of only approved people and roles)

Archer has built-in Control Procedures to check for VM file access best practices.

Security and IT Ops can easily see if controls enforce policy.

Cloud Solution identifies VMware devices, assesses configuration status, and informs the responsible VI admin.

enVision provides an "electronic bread crumb trail" for forensics to ensure security events are not disrupting compliance posture.





Customer Challenges, Key Messages

Solution Capabilities

RSA Archer eGRC Solutions

Compliance Management: Document your control framework, assess design and operational effectiveness, and respond to policy and regulatory compliance issues.

Policy Management: Centrally manage policies, map them to objectives and guidelines, and promote awareness to support a culture of corporate governance.

Threat Management: Track threats through a centralized early warning system to help prevent attacks before they affect your enterprise.

Enterprise Management: Manage relationships and dependencies within your enterprise hierarchy and infrastructure to support GRC initiatives.

Risk Management: Identify risks to your business, evaluate them through online assessments and metrics, and respond with remediation or acceptance.

Incident Management: Report incidents and ethics violations, manage their escalation, track investigations and analyze resolutions.

Business Continuity Management: Automate your approach to business continuity and disaster recovery planning, and enable rapid, effective crisis management in one solution.

Audit Management: Centrally manage the planning, prioritization, staffing, procedures and reporting of audits to increase collaboration and efficiency.

Vendor Management: Centralize vendor data, manage relationships, assess vendor risk, and ensure compliance with your policies and controls.

Summary: RSA Solution for Cloud Security and Compliance v1.0

RSA Archer eGRC cycle: Discover VMware infrastructure; Define security policy; Manual and automated configuration assessment; Remediation of non-compliant controls; Manage security incidents that affect compliance.

What's New:
- Over 100 VMware-specific controls added to Archer library, mapped to regulations/standards
- New solution component automatically assesses VMware configuration and updates Archer
- RSA enVision collects, analyzes and feeds security incidents from RSA, VMware and ecosystem products to inform Archer dashboards (e.g. DLP, VMware vShield and vCD, HyTrust, Ionix, etc.)
- RSA Securbook


Enabling the Cycle of Security Compliance: Define security policy

Cycle (RSA Archer eGRC): Discover VMware infrastructure; Define security policy; Manual and automated configuration assessment; Remediation of non-compliant controls; Manage security incidents that affect compliance.

What's New: Over 100 VMware-specific controls added to Archer library, mapped to regulations/standards

RSA Archer: Mapping VMware security controls to regulations and standards

Audience: from CxO down to VI Admin.

Authoritative Source: regulations (PCI-DSS, etc.)
  "10.10.04 Administrator and Operator Logs"

Control Standard: generalized security controls
  "CS-179 Activity Logs: system start/stop/config changes etc."

Control Procedure: technology-specific control
  "CP-108324 Persistent logging on ESXi Server"

Discover VMware infrastructure and define policy/controls to manage

Distribution and Tracking Control Procedures: Project Manager, Security Admin, Server Admin, Network Admin, VI Admin

Enabling the Cycle of Security Compliance: Manual and automated configuration assessment (RSA Archer eGRC)

What's New: New solution component automatically assesses VMware configuration and updates Archer

Initial Deployment Questionnaire

Automated Assessment via PowerCLI (RSA Archer eGRC)

Automatically discover and assess VMware infrastructure via PowerCLI. VMware objects (ESX, vSwitches, etc.) are automatically populated into Archer. They are then mapped to control procedures. Over 40% are automatically assessed via PowerCLI and the results fed into Archer for reporting and remediation.
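As an added illustration (not RSA's own solution component, which the slides do not show), the assessment described above can be expressed in PowerCLI: every ESXi host is discovered, checked against the control procedure the deck names, CP-108324 "Persistent logging on ESXi Server", and the result written as a record a GRC tool could import. It assumes VMware PowerCLI and a reachable vCenter; the pass rule (Syslog.global.logDir must point at a datastore-backed path rather than a volatile /scratch location) is this example's own simplification of the control, and the record fields are assumed.

```powershell
# Added example, not RSA's component: discover ESXi hosts via PowerCLI, assess
# persistent logging (CP-108324 on the slide) and emit GRC-style records.
# Assumes VMware PowerCLI is installed and $VIServer is a reachable vCenter.
param(
    [Parameter(Mandatory = $true)][string]$VIServer,
    [string]$OutFile = "vmware-control-results.csv"   # assumed output name
)

Import-Module VMware.VimAutomation.Core -ErrorAction Stop
Connect-VIServer -Server $VIServer | Out-Null

# Evaluate one host. A persistent log directory is a datastore-backed path of
# the form "[datastore] dir"; /scratch may sit on a RAM disk and is lost on
# reboot, so an empty or non-datastore value is recorded as non-compliant.
# Pass rule is this example's simplification, not RSA's measurement method.
function Test-PersistentLogging {
    param($VMHost)

    $logDir  = (Get-AdvancedSetting -Entity $VMHost -Name 'Syslog.global.logDir').Value
    $logHost = (Get-AdvancedSetting -Entity $VMHost -Name 'Syslog.global.logHost').Value

    $onDatastore = (-not [string]::IsNullOrWhiteSpace($logDir)) -and ($logDir -match '^\[\S+\]')

    [pscustomobject]@{
        ControlProcedure = 'CP-108324'   # Persistent logging on ESXi Server (from the slide)
        ControlStandard  = 'CS-179'      # Activity Logs (from the slide)
        Device           = $VMHost.Name
        LogDir           = $logDir
        LogHost          = $logHost      # recorded as evidence; remote syslog is a separate control
        Status           = $(if ($onDatastore) { 'Compliant' } else { 'Non-Compliant' })
        AssessedAt       = (Get-Date).ToUniversalTime().ToString('o')
    }
}

# Discover every host and assess it; non-compliant rows are the remediation work items.
$results = Get-VMHost | Sort-Object Name | ForEach-Object { Test-PersistentLogging -VMHost $_ }
$results | Export-Csv -Path $OutFile -NoTypeInformation
$results | Where-Object Status -eq 'Non-Compliant' | Format-Table Device, LogDir, LogHost -AutoSize

Disconnect-VIServer -Server $VIServer -Confirm:$false
```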

Enabling the Cycle of Security Compliance: Remediation of non-compliant controls (RSA Archer eGRC)

Control Procedure: list, status and measurement method

Deployment and Remediation Work Queues

Overall Virtual Infrastructure Compliance Dashboard

Enabling the Cycle of Security Compliance: Manage security incidents that affect compliance (RSA Archer eGRC)

What's New: RSA enVision collects, analyzes and feeds security incidents from RSA, VMware and ecosystem products to inform Archer dashboards (e.g. DLP, vShield, HyTrust, etc.)

RSA Solution for Cloud Security and Compliance: Architecture

Control hierarchy: Regulations, standards; Generalized security controls; VMware-specific security controls.

Inputs: the VMware cloud infrastructure (vSphere, vShield, VCD) and the ecosystem (HyTrust, Ionix) feed RSA enVision with Security Events, and the Automated assessment with Configuration State.

Example: VMware vShield Network Security Events Fed to Archer

Overall Compliance Dashboard and Reporting: Physical and Virtual

Learn More

RSA social media release with demo

http://rsawebdev.na.rsa.net/go/press/RSATheSecurityDivisionofEMCNewsRelease_83010.html



www.rsa.com/virtualization


Secure Cloud


Thank you!

www.rsa.com/virtualization