VMworld 2013: VMware Compliance Reference Architecture Framework Overview

Post on 19-Jun-2015


VMworld 2013. Jerry Breaud, VMware; Allen Shortnacy, VMware. Learn more about VMworld and register at http://www.vmworld.com/index.jspa?src=socmed-vmworld-slideshare

Transcript of VMworld 2013: VMware Compliance Reference Architecture Framework Overview

VMware Compliance Reference Architecture Framework Overview

Jerry Breaud, VMware; Allen Shortnacy, VMware

SEC5428 / #SEC5428


Agenda

VMware Compliance Reference Architecture Framework

Compliance Reference Architecture Methodology

NSX Service Composer for Compliance Architectures

Network Virtualization

NSX Network Services

Other VMware Product Capabilities Relative to Compliance

Summary

Next Steps VMworld and Beyond

Competing Concerns – Pick Any 2

“Are you getting the maximum efficiency out of your infrastructure?”

“How quickly can IT respond to LOB requests?”

• Legislative Compliance
• Security – Corp Assets & IP
• Risk Reduction
• SLAs & Business Continuity

Security & Compliance Influence Design of the SDDC

Diagram labels: Infrastructure Requirements (Access Control, Segmentation, Remediation, Automation, Policy Management, Audit); Common Control Frameworks; Regulations, Standards, Best Practices; Reference Architectures; PCI Zone; VMware vSphere.

VMware Compliance Reference Architectures

Diagram labels: Reference Architectures; VMware Partners; Auditors; Product Applicability; Architecture Design; Auditor Validated Reference Architecture.

Technology Solution Categories Mapped to Regulations

Authorities mapped: ISO, PCI, HIPAA, SANS, CSA, FISMA Low, FISMA Moderate, FISMA High, FedRAMP Low, FedRAMP Moderate.

Common Required Technical Security Solutions:

# | Abbr. | Solution | Description | PCI Requirements | NIST Requirements
1 | VAM | Vulnerability Assessment and Management | Identify and track vulnerabilities | 6.2, 6.5, 6.6, 11.2 | RA-5
2 | PT | Penetration Testing | Validate vulnerabilities | 11.3 | CA-2
3 | SEIM | Security Event Information Monitoring | Log and correlate environment data | 10, A.1.3 | SI-4, AU-2/3/6/10/12
4 | IPS | Intrusion Prevention System | Identify attacks | 11.4 | SI-3, SI-4
5 | FIM | File Integrity Monitoring | Identify changed files | 11.5 | SI-7
6 | 2FA | Two Factor Authentication | Authenticate users | 8.3 | IA-2
7 | IdM | Identity Management | Provision and deprovision users | 8.1, 8.2, 8.5.1 | IA-4
8 | AAA | Authentication, Authorization, Accounting (3A) | Identity interaction nonrepudiation | 7, 8.5 | IA-5, AC-3
9 | FW | Network (N) and Host (H) Firewall | Segment and protect networks | 1 | SC-7
10 | AV | Server and Endpoint Antivirus | Protect against malware | 5 | SI-3
11 | BU | System Backups | Systems survivability | 10.5.3, 12.9.1 | CP-9
12 | DARE | Data At Rest Encryption | Protect data | 3.4, 3.5, 3.6 | SC-12/13/28, IA-7
13 | DIME | Data In Motion Encryption | Protect data | 2.3, 4, 8.4 | SC-9/12/13, IA-7
14 | DBM | Database Monitoring | Protect database environment | 10, A.1.3 | SI-4
15 | CM | Configuration Management | Protect infrastructure | 2.1, 2.2 | SI-2, SA-10, CM-1/2/6
16 | PM | Patch Management | Protect infrastructure | 6.1 | CM-2, SI-2
17 | WAF* | Web Application Firewall | Protect user services | 6.6 | SI-3, SI-4, SC-7
18 | DLP** | Data Leakage Protection | Identify sensitive data | |

* Specifically called out in some authorities and implied control in others. Highly recommended where the Internet will be the primary use case.

** Not specifically called out in any authority.

Technology Solution Categories

Diagram labels: DLP; Encryption; BC/DR; Anti Virus / Endpoint Protection; Firewall; AAA; Identity and Access; 2 Factor AuthN; File Integrity Monitoring; IPS/IDS; SIEM; Penetration Testing; Vulnerability Assessment; Patch Mngmnt; Config Mngmnt; DB/App Monitor.

Compliance Use Cases

Diagram labels: Remediation; Automation; Audit Policy; Privileged User Control; Segmentation.

Compliance Regulations

Diagram labels: HIPAA; HITECH; FISMA; FedRAMP; NERC; FINRA; FFIEC; PCI DSS.


Compliance Reference Architecture Methodology

Dynamic Composition with Line of Sight

• Regulatory Specificity for Audit

• Regulation Independent Use Case Controls

• Technology Partner Choice

• Process Methodology for Delivery and Maturity


Compliance Challenges: Many Systems - Dashboards of Wonder

Diagram labels: Vulnerability Mgmt System; Antivirus System; Firewall; vCenter; IDS System; DLP System.

VMware NSX

• Logical Switch – No multicast requirement; Bridge Physical - Virtual
• Logical Router – Distributed L3; Perimeter Routing
• Logical Firewall – Distributed & Line Rate; Identity Aware
• Logical Load Balancer – GSLB & L7 LB; SSL Termination
• Logical VPN – Site-to-Site; Remote Access Gateway

Platform components: NSX API; NSX Controller; NSX vSwitch – vDS on ESXi; NSX Service Composer; Extensibility; Any Network Hardware.

NSX Service Composer

Security services can now be consumed more efficiently in the software-defined data center.

Apply. Apply and visualize security policies for workloads, in one place.

Automate. Automate workflows across different services, without custom integration.

Provision. Provision and monitor uptime of different services, using one method.

Concept – Apply Policies to Workloads

Security Groups – WHAT you want to protect: Members (VM, vNIC…) and Context (user identity, security posture).

HOW you want to protect it: Services (Firewall, antivirus…) and Profiles (labels representing specific policies).

APPLY: Define security policies based on service profiles already defined (or blessed) by the security team. Apply these policies to one or more security groups where your workloads are members.

Extend Platform to Best of Breed Services

Service categories in the Software Defined Data Center: Anti-Virus (AV), Anti-Malware; Application Delivery Controller (ADC); Application Whitelisting; Application Firewall; Data Loss Prevention (DLP); Encryption; File Integrity Monitoring (FIM); Firewall (Host/Network); Identity and Access Management; Intrusion Detection/Prevention System (IDS/IPS); Load Balancer; Network Forensics; Network Gateway (VXLAN); Network Port Profile; Network Switch; Policy and Compliance Solution; Security Intelligence and Event Management (SIEM); User Access Control (closest to our SAM); Vulnerability Management; WAN Optimizer; Web Filter.

Properties of virtual services:

• Programmatic provisioning
• Place any workload anywhere
• Move any workload anywhere
• Decoupled from hardware
• Operationally efficient

NSX Integrated Partners

Diagram labels: NSX Controller & NSX Manager; NSX API; Partner Extensions – L2 Gateway, Firewall, ADC/LB, IDS/IPS, AV/FIM, Vulnerability Management (Security Services); + Cloud Management Platforms.

Solution Categories

Diagram axes: Platform (Future NSX Enabled), NSX Enabled, Extensibility. Consumption: VMware & Platform Partner; VMware; NSX Enabled Partner; VMware + Customer/ 3rd Party/ Open Src; Platform Partner.

• CMP – vCD, vCAC, etc.
• NSX – Service Composer
• Automation – vCO, Scripts, etc.
• API – REST, Java, .NET
• NW Iso – VXLAN, NAT
• Firewall – TCP, Identity
• VPN – IPsec, SSL
• DLP – At Rest, Wire
• Priv User – AAA, Session Recording
• Priv User – Network Activity Monitoring
• AV – Malware, Whitelist
• FIM – Config Files, Registry
• IPS/IDS – Monitor, Prevent, Report
• Vulnerability – Penetration Testing
• Next Gen FW – App Aware, Fine Grained App Layer IPS
• Encryption – VMFS, VMDK, OS
• Configuration Management – Patching
• SIEM – Syslog, Event Correlation
• Logging

The Network is a Barrier to Software Defined Data Center

Compute Virtualization on Any Physical Infrastructure:

• Provisioning is slow
• Placement is limited
• Mobility is limited
• Hardware dependent
• Operationally intensive

Diagram labels: Software Defined Data Center; SOFTWARE-DEFINED DATACENTER SERVICES; VDC.

Network and Security Virtualization Must…

1. Decouple
2. Reproduce
3. Automate

Diagram labels: Physical / Virtual; Network Operations; Cloud Operations; Hardware independence; Operational benefits of virtualization; No change to network from end host perspective.


Logical Switching and Routing

Before:
• Tightly coupled with physical networks
• Hairpins and bottlenecks reduce performance and scale

With NSX:
• Completely decoupled from hardware – Dynamic routing, no Multicast
• Line rate performance with distributed scale out architecture
• Connect existing networks with logical networks – L2 bridging

Benefits:
• Speed of provisioning applications across racks, rows or data centers (up to Metro distances)
• Enable higher server utilization, leverage existing physical network, only require basic IP hardware for future purchases
• Create on demand networks to meet application needs

Diagram labels: Dynamic Routing; Physical Workload.

Logical Load Balancing

Before:
• Physical appliances are costly and create bottlenecks
• Rigid architectures tie the application down

With NSX:
• Cloud level feature set for SLB and GSLB with full HA
• TSAM with enhanced health checks, connection throttling and CLI
• Simplified Deployment in one-armed or inline mode

Benefits:
• On demand LB services for any application enabling speedy deployment
• Pay as you go model for services
• Manage multiple LB instances with centralized management

Diagram labels: Logical Network; Web1a, Web1b, Web1c.

Logical VPN

Before:
• VPN Concentrators become bottlenecks and chokepoints

With NSX:
• Per Tenant VPN appliance when needed
• High Performance – hardware acceleration for IPSec and SSL
• Site-2-Site, Client and Cloud VPN extends Corporate LAN

Benefits:
• Network can be extended when needed for different use cases
• No investment needed in large VPN Concentrators upfront

Diagram label: Public Cloud.

NSX Next Generation Firewall

Before:
• Scale out architecture “bolted-on” to L3 with limited performance
• Limited visibility and control unless hair-pinning (E/W) to L3
• Error prone, static VLANs and IP/port based policies

With NSX:
• Massive scale and line rate performance
• Virtualization and identity context
• Centralized management across entire Datacenter

Benefits:
• Simplified operations – single policy definition

Diagram labels: Physical View (Web, App, DB tiers; Servers; Users; “skinny VLANs”); Logical View (Business and Virtual Context); VMware Logical View.

vCenter Infrastructure Navigator Capabilities

Automated discovery and dependency mapping: speedy and accurate discovery and dependency mapping of application services across virtual infrastructure & adjoining physical servers one hop away. Rapid updates that keep mapping information up-to-date.

NSX Data Security – Visibility Into Sensitive Data to Address Regulatory Compliance

Overview:
• More than 80 pre-defined templates for country/industry specific regulations
• Accurately discover and report sensitive data in unstructured files with analysis engine
• Segment off VMs with sensitive data in separate trust zones

Benefits:
• Quickly identify sensitive data exposures
• Reduce risk of non-compliance and reputation damage
• Improve performance by offloading data discovery functions to a virtual appliance

Diagram label: Cloud Infrastructure (vSphere, vCenter, vShield, vCloud Director).

vShield Endpoint Partners

Diagram labels: VMware vSphere Introspection; SVM – OS Hardened, AV; three guest VMs, each showing APP, OS Kernel, BIOS.

vCenter Operations and Log Insight

Machine Data comprises:
• Structured Data – vCenter Operations
• Unstructured Data – Log Insight

Log Insight and vCenter Operations together provide a complete solution for Cloud Operations Management.

vCenter Operations Configuration Manager

Harden the VMware Infrastructure:
• Harden the configuration for ESX, network, storage, etc.
• Harden the vSphere guest VM settings
• Harden vCD/vCenter settings

Harden the Guest OS:
• Physical and Virtual; Desktop and Servers; Win, UNIX, Mac

Diagram labels: Virtual Datacenter 1, Virtual Datacenter 2; PCI – PoS, PCI Zone, Non-PCI Zone; ESX Hardening; Cluster A, Cluster B; VMware vSphere + vCenter; Vendor Hardening Guidelines; CIS Benchmarks; FISMA, HIPAA, SOX, NERC/FERC, NIST, ISO 27002, GLBA, DISA, PCI DSS.

Applicability to PCI Requirements

PCI Requirement | Products
1 Install/maintain a firewall configuration to protect cardholder data | vSphere, NSX App/Edge, VIN
2 Don’t use defaults for system passwords/security parameters | ESXi, vCenter, VCM, NSX
3 Protect stored cardholder data | NSX, VCM
4 Encrypt transmission of cardholder data on public networks | NSX Edge
5 Use and regularly update anti-virus software or programs | vShield Endpoint + Partners
6 Develop and maintain secure systems and applications | vSphere, NSX, VIN, VCM, VUM
7 Restrict access to cardholder data by business need to know | vSphere, NSX, VCM
8 Assign a unique ID to each person with computer access | ESXi, vSphere, NSX, VCM
9 Restrict physical access to cardholder data |
10 Track and monitor all access to network resources/cardholder data | vSphere, NSX, VIN, VCM, Log Insight
11 Regularly test security systems and processes | VIN, VCM
12 Maintain a policy that addresses information security |
A1 Shared hosting providers must protect the cardholder data | vSphere, NSX, vCD, VCM

Competing Concerns – Take All 3!

“Are you getting the maximum efficiency out of your infrastructure?”

“How quickly can IT respond to LOB requests?”

• Legislative Compliance
• Security – Corp Assets & IP
• Risk Reduction
• SLAs & Business Continuity

Summary – Key Takeaways

VMware, its Technology Partners and Audit Partners are working to validate reference architectures pertaining to mainstream regulations.

Guidance is intended to educate SDDC architects, Information Risk personnel and Auditors involved in customer environments.

Best practices for VMware and Technology Partner products, their configurations and usage in order to meet regulatory controls.

VMware Compliance Reference Architectures will evolve to support new versions of products and the regulations themselves.

VMworld: Security and Compliance Sessions

NSX:
• 5318: NSX Security Solutions In Action (201)
• 5753: Dog Fooding NSX at VMware IT (201)
• 5828: Datacenter Transformation (201)
• 5582: Network Virtualization across Multiple Data Centers (201)

NSX Firewall:
• 5893: Economies of the NSX Distributed Firewall (101)
• 5755: NSX Next Generation Firewalls (201)
• 5891: Build a Collapsed DMZ Architecture (301)
• 5894: NSX Distributed Firewall (301)

NSX Service Composer:
• 5749: Introducing NSX Service Composer (101)
• 5750: NSX Automating Security Operations Workflows (201)
• 5889: Troubleshooting and Monitoring NSX Service Composer (301)

Compliance:
• 5428: Compliance Reference Architecture Framework Overview (101)
• 5624: Accelerate Deployments – Compliance Reference Architecture (Customer Panel) (201)
• 5253: Streamlining Compliance (201)
• 5775: Segmentation (301)
• 5820: Privileged User Control (301)
• 5837: Operational Efficiencies (301)

Other:
• 5589: Healthcare Customer Case Study: Maintaining PCI, HIPAA and HITECH Compliance in Virtualized Infrastructure (Catbird – Jefferson Radiology)
• 5178: Motivations and Solution Components for enabling Trusted Geolocation in the Cloud - A Panel discussion on NIST Reference Architecture (IR 7904). (Intel and HyTrust)
• 5546: Insider Threat: Best Practices and Risk Mitigation techniques that your VMware based IaaS provider better be doing! (Intel)

Other VMware Activities Related to This Session

HOL:
• HOL-SDC-1315: vCloud Suite Use Cases - Control & Compliance
• HOL-SDC-1317: vCloud Suite Use Cases - Business Critical Applications
• HOL-PRT-1306: Compliance Reference Architecture - Catbird, HyTrust and LogRhythm

Group Discussions:
• SEC1002-GD: Compliance Reference Architecture: Integrating Firewall, Antivirus, Logging and IPS in the SDDC with Allen Shortnacy

THANK YOU

VMware Compliance Reference Architecture Framework Overview

Allen Shortnacy, VMware

SEC5428 / #SEC5428