Securing Business Critical App VMUG San Diego, March 7, 2012 Gargi Mitra Keeling, CISA Staff Product Manager, VMware, Inc.
Feb 25, 2016
Agenda
Introductions
The Cloud Journey
Security and Compliance Challenges
Security and Compliance Goals
Securing Business Critical Apps – An Example
VMware Security and Compliance Solutions
Background Info
Introductions
Who I Am and How I Got Here
Career path: IT Management → Product Management / Marketing
Introduction – What is your role?
1. VI Administrator
2. Cloud Architect
3. Info security Administrator
4. Network security Administrator
5. IT Auditor
6. App Development
7. Executive
8. Other?
Introduction – What industries do you represent?
1. Financial services
2. Government
3. Healthcare
4. Retail
5. Manufacturing
6. Other?
Introduction – Why are you here?
1. I want to understand virtualization / cloud security and compliance risks
2. I understand the risks, but want to know what VMware is doing about these risks
3. I want to know how to get our business critical apps to the cloud, without compromising security
4. Other?
And Is Your CIO Trying to Figure This Out?
[Diagram: a CIO weighing Risk, $ and Speed, and asking: internal? external?]
The Cloud Journey
Virtualization is Only the Beginning
[Diagram: one physical server running several operating systems and applications on top of a virtualization layer]
Improves:
˃ Hardware
˃ Software license utilization
˃ Operational efficiency
Virtualizing Business Critical Apps is Crucial
[Diagram: the cloud journey in three stages]
• IT Production: basic consolidation for infrastructure workloads (file, print…)
• Business Production: virtualizing business critical applications for higher availability and better service levels
• Your Cloud (cloud computing): self-service provisioning for faster application lifecycle
96% of CIOs view the virtualization of business critical applications as a foundation for enabling cloud computing*
*VMware customer study. Business and Financial Benefits of Virtualization, IDG Research, March 2011
Virtualizing Apps Delivers Significant Improvements
Companies who have virtualized their apps have seen significant improvements, specifically over 60% in BCDR, security/compliance, and test/dev cycles
Source: The Hidden Truth of Virtualizing Business Critical Apps, IDG Research, March 2011
[Chart: “For each of the benefits your company has achieved by virtualizing business critical applications, please approximate the amount of improvement compared to before virtualization.” Benefits shown: Reduced infrastructure cost; Better quality of service; Reduced software licensing cost; Increased efficiency; Improved business continuity and disaster recovery; Accelerated test and development cycles; Better compliance management; Improved security. Values as extracted, in the same order: 57%, 58%, 58%, 59%, 60%, 60%, 63%, 64% (axis 52% to 66%).]
60% Of Our Customers Are Virtualizing BCA
[Chart: % of Workload Instances Running on VMware in Customer Base, Jan 2010 vs June 2011, for MS Exchange, MS SQL, MS SharePoint, Oracle Middleware, Oracle DB and SAP. Two series of values as extracted: 38%, 43%, 53%, 25%, 25%, 18% and 41%, 47%, 68%, 34%, 28%, 28%.]
Source: VMware customer survey, Jan 2010 and June 2011. Data: total number of instances of that workload deployed in your organization and the percentage of those instances that are virtualized
But Security and Compliance Concerns Slow Down Cloud Efforts
Q. What are the top challenges or barriers to implementing a cloud computing strategy?
Source: 2010 IDG Enterprise Cloud-based Computing Research, November 2010
[Chart: barriers listed in ascending order: Employees are not receptive; Business leaders are not receptive; Lack of clear strategy or help from key vendors in adapting their applications; Difficulty measuring ROI; Concerns about the ability to meet enterprise and/or industry standards; Concerns about information governance; Concerns about access to information; Concerns about security. Values as extracted, in the same order: 11%, 14%, 24%, 30%, 31%, 37%, 41%, 67%.]
Security and Compliance Challenges
Enterprise Data Center Security & Networking Today
[Diagram: a vSphere data center with Users, Sites, a DMZ/Web tier, View desktops and Backend Services, annotated with today's control groups:]
• Network segmentation, firewalls, IDS/IPS; server A/V agents; app | data | identity aware security, compliance
• DMZ firewall, NAT, IPAM, VR; site and user VPNs; web load balancers
• Desktop A/V agents; DLP, FIM, white listing
Challenges in Cloud Security and Compliance
• Mixed mode levels of trust
  • VMs riding on the same Guest with different trust levels (PCI)
• Multi-tenancy: protecting intellectual property (IP) with shared resources
• Auditor, QSA approval of design
• Evidence based compliance
  • How is my data being protected and segmented by level of security?
  • What standards and frameworks do I adopt to minimize risk?
  • How do I automate best practices, regulatory guidelines and vendor standards?
• Separation of consumer and provider
  • Consumer needs governance around its workloads
  • Evidence from provider around its infrastructure compliance
• How do I address data governance, privacy, etc.?
• How do we account for change? (Loss of service)
[Diagram: three vSphere environments, each containing a PCI CDE flagged with a warning; change loop: Capture Changes → Assess / Report → Remediate]
Security and Compliance Goals
Your Organization Cares About Security and Compliance
• Compliance Officer: How do I implement compliance controls and audits for resources in the cloud?
• Infrastructure Team: How can I enable security without affecting applications or limiting cloud flexibility?
• Security Operations Team: How do I secure applications and data in the cloud?
Secure The Platform and Isolate the Provider
• Platform hardening
  • Memory protection (ASLR, NX/XD)
  • Kernel integrity (signed modules)
  • Trusted boot with Intel TPM/TXT
  • Deploy workloads and store data only in trusted infrastructure
• Admin separation of duties
  • Across functional areas
  • Between provider and tenant
• User activity monitoring
  • Of privileged users in cloud infrastructure
[Diagram: vCloud infrastructure with separate Provider and Tenant layers]
Segment and Isolate Workloads
• At the organization level
  • Isolate tenants from each other
  • Restrict provider access
  • Control traffic to/from the org, including to the outside world
• Based on security or compliance
  • Elastic zones with membership based on classification
  • Control traffic between zones
  • Control traffic within zones
• Based on workload / app
  • Encapsulate and control access to/from the app
  • Protect guest OS with endpoint security
[Diagram: example zones labelled PCI DSS, Intellectual Property, Tenant XYZ and SharePoint]
Securing Business Critical Apps
An example
App Developers Are Also Stakeholders for Security
Application Development Team: “I need better QoS and availability and faster deployment times for my apps… and I’m assuming another team is taking care of my app security.”
The Journey to Production-Ready Isn’t Always Smooth
• Development and Testing: Developers and architects focus on ideas, as they should. Security is the last thing on their mind. But this causes problems in the long run.
• Staging (Sandbox): In some cases, staging environments are not properly isolated from production. This results in data leaks to production environments.
• Production: If security wasn’t a consideration during development, applications may not work in production. Network security teams lock things down – but developers don’t know until it’s too late.
• Result: back to the drawing board
What if security could enable efficient application deployment?
• Development and Testing: Developer environment mimics production. No perceived change, other than less likelihood of re-writing the app to address security issues found in production.
• Staging (Sandbox): Staging environments also mimic production, and are completely isolated from production networks. No more data leaks!
• Production: Production environment has the necessary controls in place and the application is deployed with no surprises… and no rewrites.
vShield App Simplifies Security for SAP Dev and Sand Box
[Diagram: SANDBOX and DEV environments on vSphere, with a vShield Mgr + firewall VM per ESX host and a loadable kernel module on each host]
• SANDBOX: SNDBXDB (10.128.140.118), SNDBXCI (10.128.140.119)
• DEV: DEVDB+CI (10.128.140.116), DEVApp (10.128.140.117)
• NFS: /usr/sap/trans
• Policy: all ports blocked; unblock ports for SAP GUI (dispatcher + msg server) + NFS
vShield App Example – Define Environment as vApp in vCenter
vApp: logical entity of one or more VMs
vShield App Example – Define Rules in vCenter using vApps
• Blocks all access in and out of the vApp environment
• Rule applies to all VMs within the vApp
• Then create exceptions to allow required access, e.g. SAP GUI port, NFS for CTS filesystem
[Screenshot: rule allowing SAP GUI to connect to the dispatcher port]
Security and Compliance Solutions
Overview of vShield and vCenter Configuration Manager
| Product | Scope | Capabilities |
| vShield Edge | Segment and isolate at org level | Firewall (IP), VPN, web load balancer, NAT, DHCP, static routing… |
| vShield App with Data Security | Segment and isolate based on security, compliance | Firewall (vNIC), security groups, sensitive data discovery |
| vShield Endpoint | Segment and isolate based on workload, app | Enablement for endpoint security (AV, file integrity monitoring, and more) |
| vCenter Configuration Manager | IT compliance management across the stack | Controls validation, compliance reporting, change management, patching, and more |
Trusted vCloud: Compliance – Product View
[Diagram: product mapping across End User Computing, Cloud Applications, and Public/Private/Hybrid Cloud Virtualized Infrastructure]
Security areas: Network Security, Platform Security, Data Security, Configuration Management, White Listing, Config & Log Management, Identity Management, End Point Security, Authorization
Products shown: Horizon; vShield + 3rd party; Horizon & View; VCM; 3rd party; VCM + SIEM; VUM + VCM + 3rd party
GRC regulations by vertical:
• Healthcare: HIPAA, HITECH, HITRUST, FDA
• Government: NIST, FISMA, FDCC, DISA
• Finance: SOX, PCI DSS, Basel, GLBA
• Energy: FERC, ISO, NERC CIP, CIS
Meet Customers’ Compliance Requirements to Migrate Tier 1 Apps to vSphere
Thank you
Question & Answer Session
Background Slides
vShield Edge: Secure the Edge of the Virtual Data Center
[Diagram: VMware vSphere with Tenant A and Tenant X, each behind an edge appliance providing load balancer, firewall and VPN]
Features
• Multiple edge security services in one appliance
  • Stateful inspection firewall
  • Network Address Translation (NAT)
  • Dynamic Host Configuration Protocol (DHCP)
  • Site to site VPN (IPsec)
  • Web load balancer
• Edge port group isolation
• Detailed network flow statistics for chargebacks, etc.
• Policy management through UI or REST APIs
• Logging and auditing based on industry standard syslog format
vShield App: Application Protection for Network Based Threats
[Diagram: VMware vSphere with DMZ, PCI and HIPAA zones]
Features
• Hypervisor-level firewall
  • Inbound, outbound connection control applied at vNIC level
• Elastic security groups – “stretch” as virtual machines migrate to new hosts
• Robust flow monitoring
• Policy management
  • Simple and business-relevant policies
  • Managed through UI or REST APIs
• Logging and auditing based on industry standard syslog format
Network segmentation
Two approaches:
• vCenter Server container objects:
  • Datacenters
  • Clusters
  • Resource pools
  • vApps
  • Port groups
• Security groups (topology-independent): administrator-defined, business-relevant groupings of any virtual machines by their virtual NICs.
Examples:
• Deny traffic from Contractors Desktops pool to the Business Apps pool.
• Allow DNS traffic from DC01 to the DNS server at 10.91.245.129.
• Allow VMs in Web-Tier to communicate with VMs in DB-Tier.
Layer 4 Firewall Policies
• Ability to enforce based on network, application port, protocol type (TCP, UDP), application type
• IP-based stateful firewall and application layer gateway for a broad range of protocols
• Eliminates need to list individual port numbers for well-known multi-port protocols
• Automatically handles dynamic and ephemeral ports
Example rule table (as shown on the slide):
| Source | Source Port | Destination | Application | Destination Port | Protocol | Action | Log |
| View | ANY | Outside DC01 | HTTP | ANY | TCP | ALLOW | |
| View | ANY | 10.91.245.129/32 | DNS | ANY | TCP | ALLOW | |
| Web-Tier | ANY | DB-Tier | ORACLE-TNS | 1521 | TCP | ALLOW | |
| Web-Tier | ANY | Web-Tier | - | ANY | TCP | DENY | |
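The group-based rule table above and the "block everything, then add exceptions" policy of the SAP sandbox/dev vApp example can be modelled in a few lines of Python. This is an added example, not VMware code or the vShield API: the VM addresses are the ones on the sandbox slide, while the SAP GUI desktop subnet and the port numbers (SAP instance 00 dispatcher 3200, message server 3600, NFS 2049) are assumed values.

```python
"""Added example (not VMware code): a minimal model of vShield App style group
policy, where a vApp gets a default DENY and ALLOW exceptions match first."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    src: str                 # group name, CIDR, or "ANY"
    dst: str
    dst_port: "int | None"   # None means ANY
    proto: str               # "TCP", "UDP" or "ANY"
    action: str              # "ALLOW" or "DENY"

# Group membership. VM addresses are taken from the SAP sandbox/dev slide;
# the SAP GUI desktop subnet is a constructed, hypothetical value.
GROUPS = {
    "SANDBOX": {"10.128.140.118", "10.128.140.119"},  # SNDBXDB, SNDBXCI
    "DEV": {"10.128.140.116", "10.128.140.117"},      # DEVDB+CI, DEVApp
    "SAPGUI-Users": {"10.128.10.0/24"},               # assumed desktop subnet
}

def in_group(ip: str, group: str) -> bool:
    """True if ip belongs to the named group (or to a literal CIDR)."""
    if group == "ANY":
        return True
    members = GROUPS.get(group, {group})
    return any(ip_address(ip) in ip_network(m, strict=False) for m in members)

# Exceptions first, then the vApp-wide "all ports blocked" rules.
# Assumed ports: SAP instance 00 dispatcher 3200, message server 3600, NFS 2049.
POLICY = [
    Rule("SAPGUI-Users", "DEV", 3200, "TCP", "ALLOW"),     # SAP GUI -> dispatcher
    Rule("SAPGUI-Users", "DEV", 3600, "TCP", "ALLOW"),     # SAP GUI -> msg server
    Rule("SAPGUI-Users", "SANDBOX", 3200, "TCP", "ALLOW"),
    Rule("DEV", "SANDBOX", 2049, "TCP", "ALLOW"),          # NFS for /usr/sap/trans
    Rule("ANY", "DEV", None, "ANY", "DENY"),               # vApp default: block in
    Rule("DEV", "ANY", None, "ANY", "DENY"),               # vApp default: block out
    Rule("ANY", "SANDBOX", None, "ANY", "DENY"),
    Rule("SANDBOX", "ANY", None, "ANY", "DENY"),
]

def evaluate(src_ip: str, dst_ip: str, dst_port: int, proto: str, policy=POLICY) -> str:
    """Return the action of the first matching rule; no match means DENY."""
    for r in policy:
        if (in_group(src_ip, r.src) and in_group(dst_ip, r.dst)
                and r.dst_port in (None, dst_port)
                and r.proto in ("ANY", proto)):
            return r.action
    return "DENY"
```

Because the default-deny rules sit last, sandbox VMs cannot reach dev even on the NFS port, while the dev-to-sandbox NFS exception still works.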
vShield App – Flow Monitoring
[Screenshot: flow monitoring view]
vShield Data Security: Visibility into Sensitive Data to Address Regulatory Compliance
[Diagram: cloud infrastructure (vSphere, vCenter, vShield, vCloud Director) with VMs flagged for sensitive data]
Overview and benefits
• Accurately discover and report on sensitive data in unstructured files/running VMs with proven analysis engine
• More than 80 pre-defined templates for country/industry specific regulations
• Move VMs with sensitive data to separate trust zones for remediation
• Visibility into sensitive data at rest in virtual data center, with a guest VM agent
• Address compliance and risk management requirements
• Eliminate agent footprint compared to legacy software agents
New in vShield Data Security v5.0.1: enhanced reporting, export options
Strong and Efficient Protection Against Malware
[Diagram: cloud infrastructure (vSphere, vCenter, vShield, vCloud Director) with an AV partner product in place of per-VM agents; “AV storm!” when every in-guest agent scans at once]
Overview and benefits
• Offloaded anti-virus protection: leverage 3rd party anti-virus solutions; eliminate security agent from guest VM
• Partner provides security virtual appliance for endpoint security such as anti-virus, file integrity monitoring, OS event logging
• Efficiency – improve performance and consolidation ratios from 30-100%*. Eliminate anti-virus ‘storms’
• Manageability – streamline deployment and monitoring of endpoint security
• “Better than physical” – VM protected the moment it comes online, no agent susceptible to attack
* Depending on whether workload stresses the AV solution – Source: Tolly Group 2010
Strong and Efficient Protection Against Network Intrusions (New)
[Diagram: cloud infrastructure (vSphere, vCenter, vShield, vCloud Director) with an IDS partner product and a Quarantine zone]
Overview and benefits
• Leverage 3rd party intrusion detection solutions (IDS) to identify network based threats
• Automatically isolate compromised VMs
• Contain network intrusions and prevent them from spreading in the environment
Programmability and Automation
• Policy Management: vShield Manager APIs (REST), full parity with GUI; Java SDK, vCO plugin – future; Power CLI – future; for customers, ISVs, SIs, etc.
• Endpoint Security: EPSEC APIs (C libraries), guest introspection; for endpoint security partners; SDK – future
• Network Security: NetSec APIs (REST) – future; 10-tuple traffic redirection; for network security partners
[Diagram columns: APIs, SDKs | Partner Ecosystem | Automation]
Compliance Management through vCenter Configuration Manager
• Compliance and remediation to lower risk
• Manage and control virtualization
• Change management to mitigate outages
• Harden environment to reduce threats and breaches
• Provisioning & patching in line with compliance to eliminate vulnerabilities
“Operational Efficiency & Tool Consolidation”
Use Case: Provision and Secure Virtual ‘Infrastructure on Demand’; Remediate Compromised VMs
[Diagram: a physical datacenter with shared services next to a virtual datacenter (VMware vSphere + vCenter) hosting Service A, B and C, each with a VDI (end users) tier; security groups and firewall rules are already in place]
• Compromised VM detected by network IPS
• Compromised VM added to Remediation security group
• Remediation
Programmability and Automation
• Policy Management: vShield Manager APIs (REST), full parity with GUI; Java SDK, vCO plugin – Q4 2011; Power CLI – future; for customers, ISVs, SIs, etc.
• Endpoint Security: EPSEC APIs (C libraries), guest introspection; for endpoint security partners; APIs 2010, SDK Q4 2011
• Network Security: NetSec APIs (REST) – 2012; 10-tuple traffic redirection; for network security partners
[Diagram columns: APIs, SDKs | Partner Ecosystem | Automation]
Partner Ecosystem – Endpoint Security
Improve performance and effectiveness of existing endpoint security
• Offload AV functions from in-guest agents to the hypervisor
• Hardened security virtual appliance can be optimized for better efficacy
Features
• vShield Endpoint for partner insertion
• Offload file activity to security VM
• Manage AV service across VMs
• Enforce remediation using driver in VM
• Partner integrations through EPSEC API
• Policy management: built-in or customizable with REST APIs
[Timeline: vShield Endpoint Aug 2010; partner solution availability for anti-virus partners Dec 2010, April 2011, April 2011, Aug 2011, TBD]
Partner Ecosystem – Network Intrusion Detection