Achieving A Trusted Cloud with VMware

Nov 3, 2013

© 2010 VMware Inc. All rights reserved

Confidential


George Gerchow


VMware Director, Center for Policy & Compliance

CISSP, ITIL, CCNA, MCPS, SCP



Physical, Virtual, Cloud cannot stop the Human Factor

Step 1: Get great job at NG
Step 2: New Laptop from IT
Step 3: The Rebuild
Step 4: Labs at CSU



How to make a name for yourself in the Industry

Step 1: Get back on the NG Network
Step 2: A Flood of Email (30,000 with Adult content)
Step 3: Visit from the Jefe
Step 4: Melissa Boy for Life


Agenda


Challenges in Cloud Adoption


VMware Trusted Cloud Solutions


VMware Trusted Cloud Ecosystem


VMware Center for Policy & Compliance


Key Takeaways


Q&A


Security and Compliance are Key Concerns for CIOs Moving to Cloud

Q. What are the top challenges or barriers to implementing a cloud computing strategy?

Source: 2010 IDG Enterprise Cloud-based Computing Research, November 2010

Top 4 Concerns are on Security and Compliance


Challenges Cloud Brings and the Issue of Trust

Mixed Mode Levels of Trust

VMs with different Trust Levels (e.g. PCI and non-PCI) running on the same host

Multi-Tenancy: protecting Intellectual Property (IP) with shared Resources

Auditor, QSA Approval of Design

Evidence Based Compliance

How is my data being protected and segmented by level of security?

What standards and frameworks do I adopt to minimize risk?

How do I Automate best practices, regulatory guidelines and vendor standards?

Separation of consumer and provider

Consumer needs governance around its workloads

Evidence from provider around its infrastructure compliance

How do I address data governance, privacy, etc?

How do we account for Change? (Loss of Service)


[Figure: three vSphere hosts, each carrying a PCI CDE flagged with a warning marker, feeding a cycle of Capture Changes, Assess, Report, Remediate]


What is the Industry saying about Cloud Security & Compliance

“Survey finds most providers don't protect data, because they don't think it's their job” (Identity Week, IT security & news)

“70% of Cloud Providers don’t believe that Security is a core responsibility” (Ponemon 2010)

http://gcn.com/articles/2011/05/06/cloud-security-vendors-do-not-care.aspx

A Wall Street Journal article by Ben Rooney reported that “the majority of cloud service providers do not consider security as one of their most important responsibilities”





Traditional Security Solutions: Complex, Expensive and Rigid

[Figure: three separate application stacks (App Stack A, B, C), each with its own VPN, load balancer, firewall and management, and each duplicating Back up, DR, Availability and Resource Management]




VMware’s Approach to Trusted Cloud

“A Trusted Cloud provides enhanced reliability through enforcement of mandatory constraints, defined by policy and validated by regular audits.”

Move assets with confidence: Assessment, Prevention, Detection

VMware’s Trusted vCloud: VMware vShield and vCenter Configuration Manager


Key Attributes of VMware Trusted vCloud

Prevention: Containment and isolation of portions of a whole (Data, Applications, Systems) for their protection

Detection: Risk reduction through review of application, network, storage data and servers based on business goals

Assessment: Compliance from demonstration of adherence to a policy, standard or regulatory requirement


VMware’s Virtualized Security and Compliance solutions

[Figure: App Stacks A, B and C (Exchange, File/Print and SAP ERP, each on its own Operating System) running on vSphere, alongside Management, VPN, Load balancer and Firewall]



Continuous Compliance for Business Critical Applications

Discover sensitive data
Map application environment
Create logical trust zones
Ensure VMs are configured to compliance templates
Insert partner security services on demand
Automated & Self-healing


Attaining PCI Compliance: CDE Scope Discovery

Use vSDS to scan environment

VMs with credit card data are reported

Create CDE and Non-CDE

[Figure: VMs flagged by the scan, sorted into CDE and Non-CDE]

What VMs need to be considered in my PCI Environment?


Attaining PCI Compliance: CDE Scope - Finding Connections

[Figure: CDE and Non-CDE VMs, with an unknown connection (?) from a Non-CDE VM into the CDE]

Need to consider the connections

Leverage VIN to find application connectivity

These VMs need to be considered in your CDE


Attaining PCI Compliance: CDE Scope Enforcement

Strict vShield App PCI Security Group (the Non-CDE side keeps more lenient Security Groups):

  Src      | Dest         | Protocol | Action
  Payment  | CDE          | DB       | Allow
  CDE      | Outside CDE  | Any      | Deny
  Any      | Any          | Any      | Deny

Create isolated CDE network with Layer 2 isolation without using VLANs

Define stateful firewall rules for interaction with CDE

Micro-segmentation based on VIN discovered connections
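The following Python model is an added example, not code from the deck or from VMware. It walks the three PCI scoping steps above on constructed data: the VM names, the VIN-style flow list and the rule representation are all invented for the illustration. Scope discovery follows inbound connections from the VMs where the scan found card data; the policy is then derived in the shape of the table above, one allow per discovered in-CDE flow, then CDE-to-outside deny, then default deny, evaluated first-match.

```python
"""CDE scope discovery and micro-segmentation, modelled on the three
PCI slides (scan, find connections, enforce).  Added illustration, not
VMware code; VM names, flows and the rule format are constructed."""
from collections import deque

# Constructed dependency map in the shape VIN would discover: (src, dst, port).
FLOWS = [
    ("web-01", "payment-01", 8443),
    ("payment-01", "carddb-01", 5432),
    ("batch-01", "carddb-01", 5432),       # link nobody remembered: pulls batch-01 into scope
    ("carddb-01", "syslog-01", 514),       # egress from the CDE
    ("fileprint-01", "exchange-01", 445),  # unrelated workload sharing the same hosts
]

# Constructed scan result: VMs where card data was found.
CARD_DATA_VMS = {"carddb-01"}

ANY = "ANY"          # wildcard for src/dst/port
NOT_CDE = "NOT_CDE"  # "Outside CDE" in the slide's rule table


def discover_cde(card_data_vms, flows):
    """Every VM that connects *to* an in-scope VM is in scope; repeat until
    nothing new is added.  Only inbound edges are followed: a VM the CDE
    merely sends to (syslog-01) is left to the policy and to the QSA's
    scoping decision.  Over-scoping is the safe direction to err in."""
    inbound = {}
    for src, dst, _ in flows:
        inbound.setdefault(dst, set()).add(src)
    cde = set(card_data_vms)
    queue = deque(card_data_vms)
    while queue:
        vm = queue.popleft()
        for src in inbound.get(vm, ()):
            if src not in cde:
                cde.add(src)
                queue.append(src)
    return cde


def build_policy(cde, flows):
    """Strict security group in the shape of the slide's table: one allow per
    discovered flow that stays inside the CDE, then 'CDE -> Outside CDE: Any,
    Deny', then 'Any -> Any: Any, Deny'.  Rule = (action, src, dst, ports)."""
    rules = [("allow", {s}, {d}, {p}) for s, d, p in flows if s in cde and d in cde]
    rules.append(("deny", cde, NOT_CDE, ANY))
    rules.append(("deny", ANY, ANY, ANY))
    return rules


def _matches(spec, vm, cde):
    if spec == ANY:
        return True
    if spec == NOT_CDE:
        return vm not in cde
    return vm in spec


def evaluate(rules, cde, src, dst, port):
    """First match wins; the trailing Any/Any/Deny makes the default explicit."""
    for action, s, d, p in rules:
        if _matches(s, src, cde) and _matches(d, dst, cde) and (p == ANY or port in p):
            return action
    return "deny"


def check_flows(card_data_vms, flows, candidates):
    """Run discovery + policy; return {(src, dst, port): action} for candidates."""
    cde = discover_cde(card_data_vms, flows)
    rules = build_policy(cde, flows)
    return {c: evaluate(rules, cde, *c) for c in candidates}


if __name__ == "__main__":
    print("in scope:", sorted(discover_cde(CARD_DATA_VMS, FLOWS)))
    for flow, action in check_flows(CARD_DATA_VMS, FLOWS, [
        ("payment-01", "carddb-01", 5432),    # discovered, inside CDE -> allow
        ("payment-01", "carddb-01", 22),      # same pair, undiscovered port -> deny
        ("carddb-01", "syslog-01", 514),      # CDE egress -> deny (second rule)
        ("fileprint-01", "carddb-01", 5432),  # Non-CDE into CDE -> deny (default)
    ]).items():
        print(flow, "->", action)
```

The allow list build_policy() emits is the artifact an auditor reviews: batch-01's forgotten link shows up there as an explicit rule rather than being silently permitted by an open segment, and anything not discovered (a new port, a new peer) is denied until someone adds it.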


Attaining PCI Compliance: CDE Scope Compliance

Leverage out-of-the-box PCI 2.0 compliance templates

Place CDE resources into PCI Compliance Machine Group

Collect/assess/report/remediate

“Rinse and repeat”

[Figure: CDE VMs in a VCM PCI Compliance Group cycling through Capture Changes, Assess, Report, Remediate against the PCI DSS 2.0 VCM templates (“made some tweaks”); Non-CDE VMs outside the group]


Attaining PCI Compliance: Automating Continuous PCI Compliance

Scan environment to validate boundaries of PCI CDE

VMs with credit card data are figuratively moved to a temporary holding area

VMs are automatically associated with a more strict vApp Security Group

VMs automatically added to VCM PCI Compliance Group

Based on compliance results determine next action:

Remove CDE data from VM and place back into Non-CDE

VM is compliant, officially move to CDE

Remediate and move to CDE

“Rinse and repeat”

[Figure: “Assumed Non-CDE???” and “Assumed CDE” zones; a CDE Holding Area covered by the VCM PCI Compliance Group and the vShield App PCI Monitoring Security Group. Callout: This solution can be used for ANY compliance standard!]
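As an added example (not the deck's or VMware's code), here is the workflow on this slide written as a small state machine in Python. The VM records, the two checks standing in for the VCM PCI template (root password age over 90 days, as on the lockdown slide later in the deck, and missing host patches), the patch catalog and the three-round limit are all constructed for the illustration; the choice to leave a VM that cannot be remediated parked in the holding area is this example's, not the slide's.

```python
"""Continuous PCI compliance workflow as a state machine: scan result ->
holding area -> assess -> scrub / admit / remediate.  Added illustration,
not VMware code; checks, catalog and inventory are constructed."""
from dataclasses import dataclass, field

MAX_ROOT_PASSWORD_AGE_DAYS = 90            # "Changing Root Password (90 days)", lockdown slide
PATCH_CATALOG = {"KB2011-A", "KB2011-B"}   # constructed: patches the tooling can apply
MAX_ROUNDS = 3                             # constructed: rounds before a human has to look


@dataclass
class VM:
    name: str
    card_data_found: bool          # step 1: what the scan reported
    card_data_expected: bool       # constructed: does this VM's role justify card data?
    root_password_age_days: int = 0
    missing_patches: list = field(default_factory=list)
    zone: str = "Non-CDE"
    security_group: str = "lenient"
    history: list = field(default_factory=list)


def assess(vm):
    """Constructed stand-in for a VCM PCI template run: list of failed checks."""
    findings = []
    if vm.root_password_age_days > MAX_ROOT_PASSWORD_AGE_DAYS:
        findings.append("root password older than %d days" % MAX_ROOT_PASSWORD_AGE_DAYS)
    if vm.missing_patches:
        findings.append("missing patches: " + ", ".join(vm.missing_patches))
    return findings


def remediate(vm):
    """Constructed auto-remediation: rotate root, apply what the catalog has."""
    vm.root_password_age_days = 0
    vm.missing_patches = [p for p in vm.missing_patches if p not in PATCH_CATALOG]


def process(vm):
    """Route one VM through the slide's workflow; returns its final zone."""
    if not vm.card_data_found:
        return vm.zone                                  # nothing to do
    # Steps 2-4: park it, tighten its security group, put it under assessment.
    vm.zone = "CDE Holding Area"
    vm.security_group = "vShield App PCI Monitoring"
    vm.history.append("card data found: moved to holding area, joined VCM PCI Compliance Group")
    if not vm.card_data_expected:
        # Next action (a): the data should not be here at all; scrub it and send it back.
        vm.card_data_found = False
        vm.zone, vm.security_group = "Non-CDE", "lenient"
        vm.history.append("card data removed, returned to Non-CDE")
        return vm.zone
    for round_no in range(1, MAX_ROUNDS + 1):
        findings = assess(vm)
        if not findings:
            # Next action (b)/(c): compliant, possibly after remediation: officially CDE.
            vm.zone, vm.security_group = "CDE", "vShield App PCI Security Group"
            vm.history.append("round %d: compliant, moved to CDE" % round_no)
            return vm.zone
        vm.history.append("round %d: %s; remediating" % (round_no, "; ".join(findings)))
        remediate(vm)
    # Fail closed (this example's choice): a VM that cannot be brought into
    # compliance stays parked and monitored rather than being admitted to the CDE.
    vm.history.append("still non-compliant after %d rounds, left in holding area" % MAX_ROUNDS)
    return vm.zone


def run(vms):
    """'Rinse and repeat': process every VM, return {name: final zone}."""
    return {vm.name: process(vm) for vm in vms}


# Constructed inventory.
SAMPLE_VMS = [
    VM("posdb-01", card_data_found=True, card_data_expected=True,
       root_password_age_days=120, missing_patches=["KB2011-A"]),
    VM("fileprint-01", card_data_found=True, card_data_expected=False),  # stray spreadsheet
    VM("legacy-01", card_data_found=True, card_data_expected=True,
       missing_patches=["KB-EOL"]),                                      # not in the catalog
    VM("exchange-01", card_data_found=False, card_data_expected=False),
]

if __name__ == "__main__":
    for name, zone in run(SAMPLE_VMS).items():
        print(name, "->", zone)
```

The history list on each VM is the evidence trail the deck keeps calling "evidence based compliance": every zone and security-group transition is recorded with the finding that caused it.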


PCI 2.0 Automation


The VMware Difference

Better than Physical

Automated and self-healing

Security and compliance Trust Zones

Power of cloud infrastructure automation


SCAP in Virtualization & Cloud


Virtualization Security use Case - Open Virtualization Format (OVF)

Patch Management Scenario

VA Scan Across 1,000 Servers for Patch Level

512 return with missing Security Patches

640 Actual, a differential of (128)

120 Systems were Virtual Powered Down Machines

Virtual Systems

For the Virtual Systems the OVF Envelope was leveraged for:

Last boot time

Hypervisor it was running on

Current patch levels

Virtual Systems offer more Security Information and control than a physical system, which is "dark" when it is powered down.

Moving VMs

Easily identified and can be moved for Maintenance or Containment before powering on, spanning time zones
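An added example, not from the deck or from VMware, of reading that metadata: OVF's ProductSection holds free-form Property key/value pairs, and the descriptor below is constructed with assumed keys (lastBootTime, hypervisor, patchLevel) so the triage can run offline and be merged with a constructed scanner result. The numbers here are not the slide's 1,000/512/640.

```python
"""Pull patch metadata out of OVF descriptors for powered-down VMs and merge
it with a vulnerability scanner's view of the running estate.  Added
illustration, not VMware code.  The ProductSection property keys and the
descriptor itself are assumptions made for the example."""
import xml.etree.ElementTree as ET

OVF_NS = "http://schemas.dmtf.org/ovf/envelope/1"
NS = {"ovf": OVF_NS}

# Constructed descriptor.  ProductSection/Property is standard OVF; the keys are assumed.
SAMPLE_OVF = """<Envelope xmlns="http://schemas.dmtf.org/ovf/envelope/1"
          xmlns:ovf="http://schemas.dmtf.org/ovf/envelope/1">
  <VirtualSystem ovf:id="batch-07">
    <Info>Powered-down batch server</Info>
    <Name>batch-07</Name>
    <ProductSection>
      <Info>Guest metadata recorded at last power-off (assumed keys)</Info>
      <Property ovf:key="lastBootTime" ovf:type="string" ovf:value="2011-03-02T04:10:00Z"/>
      <Property ovf:key="hypervisor" ovf:type="string" ovf:value="esx-14"/>
      <Property ovf:key="patchLevel" ovf:type="string" ovf:value="2011-02"/>
    </ProductSection>
  </VirtualSystem>
  <VirtualSystem ovf:id="archive-02">
    <Info>Powered-down archive server</Info>
    <Name>archive-02</Name>
    <ProductSection>
      <Info>Guest metadata (assumed keys)</Info>
      <Property ovf:key="lastBootTime" ovf:type="string" ovf:value="2011-04-20T22:00:00Z"/>
      <Property ovf:key="hypervisor" ovf:type="string" ovf:value="esx-09"/>
      <Property ovf:key="patchLevel" ovf:type="string" ovf:value="2011-04"/>
    </ProductSection>
  </VirtualSystem>
  <VirtualSystem ovf:id="unknown-05">
    <Info>Exported without any ProductSection</Info>
    <Name>unknown-05</Name>
  </VirtualSystem>
</Envelope>
"""

# Constructed scanner output: running systems found missing patches, and the
# patch baseline (YYYY-MM) everything is measured against.
SCAN_MISSING = {"web-01", "db-03"}
BASELINE = "2011-04"


def _attr(el, name):
    """OVF attributes (ovf:id, ovf:key, ovf:value) are namespace-qualified."""
    return el.get("{%s}%s" % (OVF_NS, name))


def vm_metadata(ovf_xml):
    """Return {vm_id: {property_key: value}} from each VirtualSystem's
    ProductSection.  The descriptor is input somebody else authored, so it is
    parsed and compared, never executed or trusted as ground truth."""
    root = ET.fromstring(ovf_xml)
    systems = {}
    for vs in root.iter("{%s}VirtualSystem" % OVF_NS):   # iter() also covers VirtualSystemCollection nesting
        props = {}
        for section in vs.findall("ovf:ProductSection", NS):
            for prop in section.findall("ovf:Property", NS):
                props[_attr(prop, "key")] = _attr(prop, "value")
        systems[_attr(vs, "id")] = props
    return systems


def triage(scan_missing, ovf_meta, baseline):
    """Merge the scanner's view (running systems) with the OVF view (powered-down
    VMs).  Returns (all_missing, powered_down_missing); the second set is what to
    move into a maintenance/containment group *before* anyone powers it on.
    patchLevel is YYYY-MM, so plain string comparison orders correctly, and a VM
    with no recorded patch level is treated as unpatched."""
    powered_down_missing = {
        vm for vm, meta in ovf_meta.items()
        if meta.get("patchLevel", "") < baseline
    }
    return set(scan_missing) | powered_down_missing, powered_down_missing


if __name__ == "__main__":
    meta = vm_metadata(SAMPLE_OVF)
    all_missing, powered_down = triage(SCAN_MISSING, meta, BASELINE)
    print("missing patches (all):", sorted(all_missing))
    print("patch before power-on:", sorted(powered_down))
```

Values in a ProductSection are whatever the package author wrote, so verify the OVF package's manifest (the .mf digests and, where present, the .cert signature) before acting on them, and treat an absent patch level as "unpatched" rather than "unknown", as triage() does.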







VCM-VSM: Integration Use Cases

1. Service Desk

Discover Windows and UNIX servers and desktops from VCM into the VSM CMDB so service desk users can classify incidents against them.

2. Asset Management

Discover installed Windows and UNIX software and their relationships with servers and desktops into the CMDB. Compare discovered software with the software license inventory to produce discrepancy reports.

3. Change Management

When a change is initiated from VCM, automatically initiate a Request for Change (RFC) workflow in VSM, passing it the impacted servers/desktops. Once the Change Manager examines the impact, the RFC workflow in VSM can call back to VCM to either Approve or Deny the change as appropriate.

Track unplanned changes from within VSM


Closed Loop Change Management

Cloud requires a higher level of change governance but with fewer bottlenecks

Elements of Change in the Cloud: Rapid rate of change; Remove process bottlenecks; Provide discrepancy reports; Enforce IT governance; Discover out of band change


Closed Loop Change Management

Enforce PCI Compliance -> RFC Automatically Created in VSM -> VSM Workflow and Tasks Initiated -> Review and Approve -> Approval Received & Job Started -> Job Completed -> RFC Updated

Faster IT responsiveness

Fewer instances of human error

Increased productivity




Trusted vCloud Requirements

[Figure: matrix of layers (End User Computing, Cloud Applications, Public/Private/Hybrid Cloud, Virtualized Infrastructure) against requirements, regulations and the VMware solutions that address them]

Requirements: Network Security; Vulnerability Management; Data Security; Configuration Management; White Listing; Config & Log Management; Identity Management; End Point Security; Authorization

Regulations:
Healthcare: HIPAA, HITECH, HITRUST, FDA
Government: NIST, FISMA, FDCC, DISA
Finance: SOX, PCI DSS, Basel, GLBA
Energy: FERC, ISO, NERC CIP, CIS

VMware Solutions: Horizon; vShield; Horizon & VIEW; vShield + 3rd Party; VCM; 3rd Party; vShield + NCM; VCM + Envision; 3rd Party


Extending VMware Trusted vCloud Components to a Partner Ecosystem

Audit/Advisory Partners

GRC

Cloud Compliance Technology

VMware Solutions: Infrastructure & Operations Management; Application Management; End-User Computing Management

Vendor Alliances


Key Elements of an Operational Trusted Cloud

Provider

Select partners that have baked-in Security & Continuous Compliance offerings that are cost-effective, with a good understanding of your business

Trusted Platform

Ensure that your provider is using a Trusted Platform and can deliver a process that accounts for change control, log information and configuration audit checks

Integration Framework

Leverage some of your existing tools and applications; work with the provider to build a trusted ecosystem of vendors and auditors

Evidence-based Validation of Audit

Data Governance, a Compliance Framework (GRC)

SSAE 16 / SOC 2 (Service Organization Control)

Regulatory Guidelines

PCI, HIPAA, BASEL III, SOC

Segmentation of Assets, IP

Data Protection (Continuous Discovery and Monitoring)



Sample - Locking down Virtualized Environments

Authentication

Restricting Admin / Root Access

Communication / Networking

Making sure network is segmented properly

Leak Prevention

Guest from Host

Guest to Guest

Configuration / Patching

Changing Root Password (90 days)

Patching Host




Sample - Questions to ask your QSA

Industry Knowledge

Have you successfully taken a virtual environment through a PCI Certification?

Have you submitted an ROC (Report On Compliance) to the Council?

Scope

Does your virtual environment require you to put everything in scope?

What would they (the QSA) do to reduce scope?

Segmentation

What does it mean to segment in a Virtual Environment?

Firewall, IDS, IPS (Stateful or Stateless)




Authoritative Sources in the Compliance Industry

NIST - The National Institute of Standards and Technology

Free Guidance; has been researching Cloud Computing since the early 2000’s

Definition of Cloud Computing (SP 800-145)

Cloud Computing Reference Architecture (SP 500-292)

Guidelines on Security and Privacy in Public Cloud Computing (SP 800-144)

CSA - Cloud Security Alliance

Membership Based (CCSK - Certificate of Cloud Security Knowledge)

Security Guidance for Critical Areas of Focus in Cloud Computing

14 Domains, #13 covers Virtualization

Cloud Controls Matrix (CCM v1.2)

Consensus Assessments Initiative Questionnaire (CSA CAIQ)

CTP - Cloud Trust Protocol (24 Elements of Trust, 4th Pillar of GRC)

DISA - Defense Information Systems Agency

Not much in Cloud Computing

vSphere STIG


Cloud Grading on Levels of Trust


Cloud Security Comparison Grid




VMware Center for Policy & Compliance

The Center for Policy & Compliance (CP&C) is a dedicated group comprised of security and compliance policy experts, analysts and technical specialists chartered to research and develop compliance solutions for cloud computing environments

Current staff includes team members that average over 18 years experience and hold numerous certifications such as CISSP, CCNA, ITIL, MCSE, MCDBA, and of course VCP.

CP&C has a Global presence and frequently meets with Customers, Auditors and Analysts to provide guidance & thought leadership in PCI, Healthcare and Trusted Cloud environments.


CP&C Business Objectives

Support migration of highly regulated workloads to the vCloud Infrastructure Family

Create and support content and hardening guidelines for vSphere, vCenter, vShield, vCD, VIEW

Compile Deployment Information Guides (DIGs) on how to deploy the vSphere stack to support highly regulated workloads, e.g. PCI

Set foundation and high level reference architecture for Trusted Cloud

Provide coverage of common regulatory, industry and vendor policies

Address the Healthcare vertical first as it’s highly regulated

Will naturally provide coverage for other verticals (Finance, Federal)

Build a partner ecosystem for Trusted Cloud (RSA, EMC…)

Drive industry thought leadership

Evangelize VMware’s compliance strategy

Align with and influence compliance industry initiatives and bodies like CSA, CTP

Continued market education

QSAs, analysts, customers and partners


Real World Examples - Healthcare Related Breaches

(1) http://www.thesun.co.uk/sol/homepage/news/3637704/Missing-Laptop-with-86million-medical-records.html

“The computer vanished from an NHS building in the biggest-ever security breach of its kind. […] A LAPTOP holding the medical records of eight MILLION patients has gone missing. […] The unencrypted laptop contains sensitive details of 8.63 million people plus records of 18 million hospital visits, operations and procedures.” (1)


HIPAA Bares Its Teeth

Feb 2011 - A Maryland health care provider was fined $4.3 million for violations of the HIPAA Privacy Rule.

First monetary fine issued since the Act was passed in 1996.

Also in February, Massachusetts General Hospital agreed to pay $1 million to settle HIPAA violations following the loss of customers' medical data.

July 2011 - University of California at Los Angeles Health Services (UCLAHS) agreed to pay $865,000 for breaking the Health Insurance Portability and Accountability Act (HIPAA).

According to a press release on the HHS site, the settlement stems from two claims that unauthorized employees accessed records of celebrities that received care at UCLAHS.





Where Does VMware Fit?

Cloud Infrastructure Suite Trusted Platform

vSphere, vCloud Director, vCenter

vShield

Enable Security Controls

Securing Perimeter

Segmenting Applications

Data Discovery and Protection

VCM

Continuous Compliance

Adherence to regulatory Guidelines

Out of the Box Benchmarks

Auto Remediate Non Compliant Results

VIN & VCO

Cloud Framework, Application Relationships




Call to Action and key Takeaways

Further Education and TCO

Solutions Demo

http://info.vmware.com/content/VCMSolutionsDemo

*NEW* VMware/Forrester VCM ROI

https://www.gosavo.com/vmware/Document/Document.aspx?id=2222106&view=Preview

Leverage CP&C with Auditors (QSA)

Mixed Mode Environments, Trusted Cloud Architecture & Partner Ecosystem

More Security & Compliance Information

Mastermind Series

http://info.vmware.com/content/13090_VirtMng_NA_Security_ITCompliance?src=SALES-NPD&elq=&xyz

VMware Security Blog

http://blogs.vmware.com/security/

Free Compliance Checkers

http://communities.vmware.com/community/vmtn/vsphere/compliance-checker







Enterprise Hybrid cloud requirements - best of both worlds

Agility with Reliable Performance

On-demand provisioning of virtual servers

Fast scale up at reasonable cost

Predictable, consistent SLAs

Application Portability

Compatible with existing workloads

Globally consistent service across providers

Security & Compliance

Secure & auditable cloud infrastructure

Secure apps and user access


What To Expect From ITBM…..

Transition from managing technology to managing services

Expose the cost and value of IT & Compliance to your entire organization

Understand impact of business demand and change

Identify where money saving opportunities exist

Communicate and improve quality of service

Manage the relationships with your customers and external vendors

[Figure: cycle of Analyze Costs (analyze existing IT costs), Find Opportunities (identify cost savings opportunities), Make Changes (implement cost optimization strategies), Track Savings (track cost savings)]




Questions


Network Security

Unified Threat Management (via Astaro acquisition)

Enterprise Firewalls

Intrusion Prevention & Detection

Secure Web Gateways



Network Security cont.

Web Application Firewalls

Database Activity Monitoring

Firewall Rule Analysis & Management

Application Control (Whitelisting)



Configuration and Change Mgmt., Identity Mgmt., Data Security, Compliance

Data Security: Data Loss Prevention; Encryption & Key Mgmt. (vendor annotations on the slide: $41M funding, $10M revenue; $45M funding, $30M revenue)

Configuration & Change Management

Identity & Access Management


Configuration and Change Mgmt., Identity Mgmt., Data Security, Compliance cont.

Governance, Risk Management, Compliance

Vulnerability Assessment & Management

Operational Log Management

Enterprise Security Information Management (Gartner taxonomy: ESIM = SIEM + OLM)

Security Information & Event Monitoring


Network Management ($150M run rate)

Network Configuration Management

DDI (DNS, DHCP, IPAM)

Network Access Controller

Endpoint Security