RSA: Vision of Secure Virtualization and Trusted Cloud
RNDr. Ivan Svoboda, CSc.
RSA, The Security Division of EMC
Agenda
• About RSA
• Virtualization and Cloud Computing (definitions)
• RSA / EMC: our experience with cloud
• Virtualization and Cloud: Risks, Security and Compliance
• Virtualization and Cloud: RSA security solutions
Meeting our Customers’ Challenges
Secure Access for Increased Mobility & Collaboration
Manage Risk and Threats Throughout Enterprise
Prove Compliance Consistently & Affordably
Secure Virtualization & Cloud Computing
How?
How We Do It
System for Managing Security, Risk and Compliance
Governance, Risk & Compliance: Archer eGRC Suite (Policy Management, Risk Management, Incident Management, Compliance Management, Enterprise Management)
Identity Security
• Authentication: SecurID, Adaptive Auth, Auth. Manager Express
• Access / Provision: Access Manager, Federated Identity Mgr
• Fraud Prevention: FraudAction, Transaction Monitoring, eFraud Network
Data Security
• Data Loss Prevention: DLP, Cisco IronPort, Network Partners, Endpoint Partners
• Encryption & Tokenization: DPM App, DPM DC, BSAFE, Tokenization, Microsoft RMS
Monitoring / Audit / Reporting
• SIEM: enVision
• Network Analysis / Forensics: NetWitness
RSA, The Security Division of EMC
• Authentication: 1st
• Data Loss Prevention: Leader
• Web Fraud Detection: Leader
• SIEM: Leader
• eGRC: Leader
How We Do It
System for Managing Security, Risk and Compliance
• GRC: Risk / Policy Management: RSA Archer
• Analyze / Discover (Data, Threats): RSA DLP, FraudAction, NetWitness
• Enforce Controls: RSA Encryption, Authentication, Access control, Transaction Monitoring
• Log / Report / Audit: RSA enVision
RSA – A comprehensive approach to security
Governance, Risk & Compliance: Archer eGRC Suite (Policy Management, Risk Management, Incident Management, Compliance Management, Enterprise Management)
Identity Security: Authentication, Access / Provision, Fraud Prevention
Data Security: Data Loss Prevention, Encryption & Tokenization
Network / System Security: Cisco, Microsoft, VMware
Monitoring / Audit / Reporting: SIEM (enVision), NAV (NetWitness)
Virtualization and cloud computing
The Opportunity
Enterprise IT has many challenges; the public IT cloud has broad appeal.
• Enterprise IT: Complex, Expensive, Inflexible, Siloed
• Public Cloud: Simple, Low Cost, Flexible, Dynamic
Over time, Enterprise IT will evolve towards Public Cloud ideals.
© Copyright 2010 EMC Corporation. All rights reserved.
The Opportunity: The Journey to the Cloud
The Private Cloud is a logical first step.
• Enterprise IT (Trusted, Controlled, Reliable, Secure) → Private Cloud → Public Cloud (Simple, Low Cost, Flexible, Dynamic)
“70% Will Spend More On Private Cloud through 2012” - Gartner DC Conference 2009
The Opportunity: The Journey to the Cloud
Virtualize everything, standardize & automate. Hybrid Cloud: utilize service provider infrastructure.
• Enterprise IT → Private Cloud: Virtualization, Converged Infrastructure, Automation
• Private Cloud → Hybrid Cloud → Public Cloud: Federation, GRC, Infrastructure-as-a-Service
Securing the Journey to The Private Cloud
Stages: IT Production → Business Production → IT-As-A-Service (Lower Costs → Improve Quality Of Service → Improve Agility)
[Chart: % virtualized per stage; tick marks 15%, 30%, 70%, 85%, 95%; service tiers Platinum, Gold]
• IT Production: Visibility into virtualization infrastructure, privileged user monitoring, access management, network security
• Business Production: Security Compliance, Information-centric security, Risk-driven policies, IT and security operations alignment
• IT-As-A-Service: Secure multi-tenancy, Verifiable chain of trust
RSA / EMC: our experience with cloud and virtualization
RSA / EMC: our experience with virtualization
RSA / EMC: our experience with cloud
We live the cloud:
• We are on the way to a private cloud (over 75% virtualized)
• We use public cloud applications (e.g. CRM)
We are a supplier of cloud solutions:
• VCE (VMware, Cisco, EMC)
• RSA: security solutions for VCE (Vblock)
• We supply security to cloud providers: Verizon, CSC, AT&T, …
We provide “SaaS” solutions:
• Adaptive Authentication
• Transaction Monitoring
• 3D Secure
We have a vision of a secure cloud:
• We are members of the CSA (Cloud Security Alliance)
• We have launched the “Cloud Trust Authority” solution
EMC IT’s Journey to the Private Cloud
Stages: IT Production → Business Production → IT-as-a-Service (Efficiency → Quality of service → Agility)
[Chart: % virtualized over time; tick marks 15%, 30%, 40%, 75%, 86%, 100%; marker “We are here”]
• 2004-08: Development, test and IT-owned applications
• 2009-10: Mission-critical applications
• 2011+: Run IT as a business
Deliver IT as a Service
Define Service Catalog, publish to Self-service IT Portal, policy/SLA-driven management.
Infrastructure Service Catalogue (VMware vCloud Director Service Catalog, EMC UIM), Platinum tier: Availability 99.99%, Security High, Performance 0.2ms, Cost $500K
Further tiers: Gold, Silver, Bronze. Self-Service IT Portal and Application Service Catalogue sit on top of the infrastructure catalogue.
www.EMC.com/emcit
EMC IT Journey to the Private Cloud: A Practitioner's Guide http://www.emc.com/collateral/software/white-papers/h7298-it-journey-private-cloud-wp.pdf
What do others recommend?
US Government CIO (Kundra):
• 25% of Fed IT Spend on Cloud Services
NIST:
• Guidelines on Security and Privacy in Public Cloud (800-144 Draft)
Cloud Security Alliance:
• Cloud Assessment Initiative
“Fraud-as-a-Service” – running in cloud
• Trojans as a Service
Virtualization and cloud computing: security and compliance problems
Main changes on the road to the cloud
Enterprise IT (Trusted, Controlled, Reliable, Secure) → Virtualization → Private Cloud → Trust → Public Cloud (Simple, Low Cost, Flexible, Dynamic)
Private Cloud service levels: Availability 99.99%, Security High, Performance 0.2ms, Cost $500K
Main changes on the road to the cloud: step 1 – Virtualization security / private cloud
[Diagram: Company A with Monitoring (SIEM, DLP, GRC, …), Network security, Physical security, and FW, AV, IDS, IPS, VPN, AAA, …; Virtual Datacenter 1: DMZ, ERP, HR, PCI, HIPAA; Virtual Datacenter 2: Test, Dev]
Main changes on the road to the cloud: step 2 – Trust (Trust = Visibility + Control)
Virtualization security / private cloud, extended with cloud security.
[Diagram: Company A with Monitoring (SIEM, DLP, GRC, …), Network security, Physical security, and FW, AV, IDS, IPS, VPN, AAA, …; Virtual Datacenter 1: DMZ, ERP, HR, PCI, HIPAA; Virtual Datacenter 2: Test, Dev; Cloud security added as a new layer]
Main changes on the road to the cloud: trust = SLA?
Enterprise IT → Virtualization → Private Cloud → Trust = SLA? → Public Cloud
Private Cloud service levels: Availability 99.99%, Security High, Performance 0.2ms, Cost $500K
Examples: Security at SalesForce.Com
Examples: Security at Google
Examples: Security in the cloud
Does XXXX give third parties access to my organization's data? XXXX does not share or reveal private user content such as email or personal information with third parties except as required by law, on request by a user or system administrator, or to protect our systems. These exceptions include requests by users that XXXX support staff access their email messages in order to diagnose problems; when XXXX is required by law to do so; and when we are compelled to disclose personal information because we reasonably believe it's necessary in order to protect the rights, property or safety of XXXX, its users and the public.
Enabling Trust in the Cloud
Enterprises ↔ Cloud Service Providers: Security & Compliance, Visibility & Reporting, Identities, Information, Workload
Private Cloud → Hybrid Cloud → Public Cloud
https://cloudsecurityalliance.org/
Examples: CSA questions (1)
Compliance - Independent Audits:
• Do you allow tenants to view your SAS70 Type II/SSAE 16 SOC2/ISAE3402 or similar third party audit reports?
Compliance - Third Party Audits:
• Do you permit tenants to perform independent vulnerability assessments?
Data Governance - Secure Disposal:
• Do you support secure deletion (e.g. degaussing / cryptographic wiping) of archived data as determined by the tenant?
Data Governance - Information Leakage:
• Do you have controls in place to prevent data leakage or intentional/accidental compromise between tenants in a multi-tenant environment?
• Do you have a DLP solution in place for all systems which interface with your cloud service offering?
Data Governance - Risk Assessments:
• Do you provide security control health data in order to allow tenants to implement industry standard Continuous Monitoring (which allows continual tenant validation of your physical and logical control status)?
Examples: CSA questions (2)
Information Security - Baseline Requirements:
• Do you have documented information security baselines for every component of your infrastructure (e.g. hypervisors, operating systems, routers, DNS servers, etc.)?
• Do you have a capability to continuously monitor and report the compliance of your infrastructure against your information security baselines?
Information Security - Segregation of Duties:
• Do you provide tenants with documentation on how you maintain segregation of duties within your cloud service offering?
Information Security - Encryption Key Management:
• Do you encrypt tenant data at rest (on disk/storage) within your environment?
• Do you maintain key management procedures?
Information Security - Incident Management:
• Do you publish a roles and responsibilities document specifying what you vs. your tenants are responsible for during security incidents?
• Do you have a DLP solution in place for all systems which interface with your cloud service offering?
Information Security - Incident Reporting:
• Does your security information and event management (SIEM) system merge data sources (app logs, firewall logs, IDS logs, physical access logs, etc.) for granular analysis and alerting?
Our Customers Are Asking Themselves
• Can I ensure my virtualized business critical applications are running in a secure and compliant environment?
• How do I centrally manage compliance across mixed VMware and physical IT environments?
• Can I respond more quickly to security events in my virtual environment?
• How do I begin to assess hybrid and public cloud service providers?
Virtualization and cloud computing: RSA security and compliance solutions
Is it secure? And is it compliant? The usual answer from IT operations: YES!
• We take security very seriously …
• We have implemented lots of firewalls, …
• We comply with the laws ….
• We have passed an audit …
Can you “see inside”?
• Where is your data, who accessed it, what happened …
Can you “measure compliance”?
• What is the current reality (technical configuration)?
• What exactly is / is not met?
Can you prove / report it?
Securing the Journey to The Cloud
Stages: IT Production → Business Production → IT-As-A-Service (Lower Costs → Improve Quality Of Service → Improve Agility)
[Chart: % virtualized per stage; tick marks 15%, 30%, 70%, 85%, 95%; service tiers Platinum, Gold]
• IT Production: Visibility into virtualization infrastructure, privileged user monitoring, access management, network security
• Business Production: Security Compliance, information-centric security, risk-driven policies, IT and security operations alignment
• IT-As-A-Service: Secure multi-tenancy, Verifiable chain of trust
Security of the virtual and cloud environment
VMware: “network security”
• vShield, vCloud Director…
• Virtual firewalls, application protection, …
RSA: “monitoring, compliance”
• SIEM, DLP, GRC, Authentication, …
• enVision, DLP, Archer, SecurID, …
RSA – A set of solutions (not only) for virtual environments
Identity protection, access control
• Strong two-factor and multi-factor authentication for users and administrators
Protection of sensitive data against leakage (DLP)
• On storage, on the network, on virtual desktops
Security monitoring of the entire virtualized infrastructure
• A complete SIEM solution fulfilling the role of a Security Operations Center
Audit and assurance of compliance with legislation and internal regulations
• “measuring / proving compliance”:
  • VMware (virtual and physical infrastructure, private cloud)
  • Cloud (compliance according to CSA)
RSA – A set of solutions (not only) for virtual environments
Compliance (GRC): Archer eGRC Suite, for VMware and Cloud
Identity Security: Authentication, Access / Provision, Fraud Prevention
Data Security: Data Loss Prevention, Encryption & Tokenization
Monitoring / Audit / Reporting: SIEM (enVision)
RSA Solution for VMware View (validated with Vblock)
• RSA DLP for protection of data in use
• RSA Archer Compliance Dashboard
• RSA SecurID for remote authentication (VMware View Manager, Clients, Active Directory)
• RSA SecurID for ESX Service Console and vMA (VMware Infrastructure, VMware vCenter)
• RSA enVision log management for: VMware vCenter & ESX(i), VMware View, RSA SecurID, RSA DLP, Active Directory
RSA – A set of solutions (not only) for virtual environments: Monitoring / Audit / Reporting
Visibility and Monitoring: RSA enVision
Consolidated event log management, analysis, and reporting
• Allows for cross-environment correlation
• Collects logs from the VMware stack: VMware vShield, VMware vCenter, VMware View Manager, VMware ESX/ESXi, VMware vCloud Director
• VMware Collector for RSA enVision leverages VMware APIs and can pull logs from multiple vCenters
Use Case Scenarios
• Protecting Management Console
• Applying Patch to Production System
• Lost Laptop
• Unauthorized Administrator
Scenario: Apply Patch to Production System – Before
A common way to apply patches is to try them out in a test environment. This is difficult and time-consuming in a production environment, but very easy in a virtual environment: in a virtual world you can clone the system, data and all.
[Diagram: Production Datacenter (HR Application Server VM, HR Database Server VM with HRDB: Name, SSN, DoB, etc.) cloned into a Test Environment holding the same VMs and data]
1. Clone virtual environment
2. Apply patch to test environment
3. Patch production
Open questions:
• Is the test environment sufficiently protected & controlled?
• Is this an authorized patch procedure?
• Who accessed the data in the test environment?
• Was the VM destroyed after it was used?
Scenario: Apply Patch to Production System – After
[Diagram: same Production Datacenter and Test Environment; the events VM Cloned, Patch Applied (test), Patch Applied (production) and VM Deleted flow to RSA enVision]
1. Clone virtual environment: RSA enVision can log the administrative activity from vCenter, like the VM being cloned. If this is out of policy we can alert a security analyst.
2. Apply patch to test environment: if the test environment is properly protected, then it will also be monitored by RSA enVision.
3. Patch production; the Patch Applied and VM Deleted events are captured as well.
Use Case: Monitoring events in the virtual datacenter
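As an added example (not code from the slides, RSA or VMware), the policy questions of the patch scenario above, written as checks over constructed vCenter-style audit events: was the clone of a sensitive VM authorized, did it land in a protected test environment, and was it deleted after use. Event type names follow vSphere's VmClonedEvent/VmRemovedEvent; the VM names, user accounts, folder names and the 24-hour lifetime limit are assumptions made for the example.

```python
"""Added example, not from the slides: policy checks for the 'patch via a
cloned VM' scenario, run over constructed vCenter-style audit events.
Event type names follow vSphere naming (VmClonedEvent, VmRemovedEvent),
but every record here is hand-built; nothing is real enVision or vCenter output."""
from datetime import datetime, timedelta

# Assumed policy (constructed for the example).
SENSITIVE_VMS = {"HR-DB-01", "HR-APP-01"}        # VMs holding Name, SSN, DoB, ...
PROTECTED_TEST_ENVS = {"Test-Protected"}         # test folders that are monitored
AUTHORIZED_CLONERS = {"DOMAIN\\patch-admin"}     # who may clone production VMs
MAX_CLONE_LIFETIME = timedelta(hours=24)         # clone must be deleted by then

# Constructed sample events: (time, user, event type, source VM, target VM, folder).
SAMPLE_EVENTS = [
    ("2011-03-01T09:00:00", "DOMAIN\\patch-admin", "VmClonedEvent",
     "HR-DB-01", "HR-DB-01-clone", "Test-Protected"),
    ("2011-03-01T09:05:00", "DOMAIN\\jdoe", "VmClonedEvent",
     "HR-APP-01", "HR-APP-01-copy", "Dev-Sandbox"),
    ("2011-03-01T10:00:00", "DOMAIN\\patch-admin", "VmRemovedEvent",
     None, "HR-DB-01-clone", "Test-Protected"),
]


def parse_event(record):
    """Turn one constructed tuple into a dict with a real datetime."""
    time_str, user, kind, src, dst, folder = record
    return {"time": datetime.fromisoformat(time_str), "user": user,
            "type": kind, "src": src, "dst": dst, "folder": folder}


def evaluate(records, now_iso):
    """Return (rule, clone VM, detail) alerts for clones of sensitive VMs.

    The rules mirror the questions on the 'before' slide: was the clone
    authorized, did it land in a protected test environment, and was it
    deleted after use (judged against now_iso)."""
    now = datetime.fromisoformat(now_iso)
    events = [parse_event(r) for r in records]
    removed = {e["dst"] for e in events if e["type"] == "VmRemovedEvent"}
    alerts = []
    for e in events:
        if e["type"] != "VmClonedEvent" or e["src"] not in SENSITIVE_VMS:
            continue
        if e["user"] not in AUTHORIZED_CLONERS:
            alerts.append(("unauthorized_clone", e["dst"], e["user"]))
        if e["folder"] not in PROTECTED_TEST_ENVS:
            alerts.append(("clone_in_unprotected_env", e["dst"], e["folder"]))
        if e["dst"] not in removed and now - e["time"] > MAX_CLONE_LIFETIME:
            alerts.append(("clone_not_deleted", e["dst"], e["user"]))
    return alerts


if __name__ == "__main__":
    # Two days after the clones: the patch-admin clone was deleted and raises
    # nothing; the jdoe clone trips all three rules.
    for alert in evaluate(SAMPLE_EVENTS, "2011-03-03T00:00:00"):
        print(alert)
```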
RSA – A set of solutions (not only) for virtual environments: Compliance (GRC) for VMware
Use Case: Reducing Risk of VM Theft
RISK: Securing virtual infrastructure is often a check list of best practices. Hardening a VMware environment is complex and difficult to verify. What can I do to limit the risk of VM theft from my datacenter?
Need to take preventative steps that limit access to VM files, such as:
• Disable Datastore Browser
• Limit Storage User Access
• Limit use of service console
• Use least privileged role concept for system and data access
Use Case: Reducing Risk of VM Theft
SOLUTION:
• Archer has built-in control procedures to check for VM file access and other best practices
• From a centralized console, security and IT ops can easily see if controls enforce policy
• Solution identifies VMware devices, assesses configuration status, and informs the responsible administrator
• enVision monitors to ensure security events are not disrupting the compliance posture
Results: Security and compliance best practices directly aligned with regulations and company policies are implemented and verified
Cycle of Compliance: RSA Solution for Cloud Security and Compliance (RSA SecurBook)
• Discover VMware infrastructure
• Define security policy: over 100 VMware-specific controls added to the Archer library, mapped to regulations/standards
• Manual and automated configuration assessment: a solution component automatically assesses VMware configuration and updates Archer
• Remediation of non-compliant controls
• Manage security incidents that affect compliance (RSA Archer eGRC): RSA enVision collects, analyzes and feeds security incidents from RSA, VMware and ecosystem products to inform Archer dashboards
Mapping VMware Security Controls to Regulations and Standards (RSA Archer eGRC)
• Authoritative Source – Regulations (PCI-DSS, etc.), owned by the CxO: “10.10.04 Administrator and Operator Logs”
• Control Standard – Generalized security controls: “CS-179 Activity Logs – system start/stop/config changes etc.”
• Control Procedure – Technology-specific control, owned by the VI Admin: “CP-108324 Persistent logging on ESXi Server”
Distribution and Tracking of Control Procedures (RSA Archer eGRC): Security Admin, Server Admin, Project Manager, Network Admin, VI Admin
RSA Solution for Cloud Security and Compliance
• Automated Measurement Agent: VI Component Discovery and Population, VI Configuration Measurement, VMware-specific Controls
• RSA enVision → alerts → RSA Archer eGRC
VMware compliance: live demo
Control Procedures – List, Status and Measurement Method
Compliance Dashboard across Physical and Virtual
RSA – A set of solutions (not only) for virtual environments: Compliance (GRC) for Cloud
Making Archer the Best GRC Solution for Hybrid Clouds
Assessing Service Provider Compliance
Cloud Security Alliance’s 13 domains of focus for cloud computing: Cloud Architecture; Governance and Enterprise Risk Management; Legal and Electronic Discovery; Compliance and Audit; Information Lifecycle Management; Portability and Interoperability; Security, Business Continuity, and Disaster Recovery; Data Center Operations; Incident Response, Notification, Remediation; Application Security; Encryption and Key Management; Virtualization; Identity and Access Management
RSA Solution for Cloud Security and Compliance aligns with CSA Consensus Assessment Questions by automating 195 questions that customers can issue to assess cloud service providers.
CSA Assessment Questionnaire in Archer
Use Case: Assessing Cloud Service Providers
RISK: Choosing the wrong service provider
Results: Benchmarking vendors based on CSA standards
Creating the Trusted Cloud
Trust = Visibility + Control
Control:
• Availability
• Integrity
• Confidentiality
Visibility:
• Compliance
• Governance
• Risk Management
Private Cloud service levels: Availability 99.99%, Security High, Performance 0.2ms, Cost $500K
Main changes on the road to the cloud
Enterprise IT → Virtualization → Private Cloud → Trust = SLA? → Public Cloud (Cloud provider A, Cloud provider B, Cloud provider C, Cloud provider D)
Private Cloud service levels: Availability 99.99%, Security High, Performance 0.2ms, Cost $500K
RSA Cloud Trust Authority: Identity Services, Compliance profiling, …
RSA solutions for security and compliance
Can you “see inside”?
• Where is your data, who accessed it, what happened …
Can you “measure compliance”?
• What is the current reality (technical configuration)?
• What exactly is / is not met?
Can you prove / report it?
More Information
Information on RSA solutions for virtualization and cloud: www.rsa.com/rsavirtualization
Introductory demo: http://www.rsa.com/experience/virtual/RSA_Virtual_Journey.html
Solutions for VMware: http://www.rsa.com/node.aspx?id=3684
Solutions for Cloud (the basis is again virtualization): http://www.rsa.com/node.aspx?id=1130
Solutions for VMware View: http://www.rsa.com/node.aspx?id=1334
RSA SecurBook: Cloud Security and Compliance (www.rsa.com/rsavirtualization)
A technical guide for deploying and operating RSA Solution for Cloud Security and Compliance:
– Documents solution architecture
– Solution deployment and configuration guides
– Operational guidance for effectively using the solution
– Troubleshooting guidance
More Information: www.rsa.com/rsavirtualization
RSA SecurBooks – Technical guides for deploying and operating RSA Solutions
EMC Solutions for VMware Webcasts - Every Thursday at 11:00 AM ET. Join us for Webcasts:
http://mediazone.brighttalk.com/comm/ISC2/a7082f81e6-17335-2838-18812
Questions/Feedback/Discussion
RSA Contacts: Ivan Svoboda, Key Account Manager
[email protected], +420 604 293 394
www.rsa.com/securecloud
Thank you!