05 RSA Virtual Cloud Security-Svoboda CIMIB


Transcript of 05 RSA Virtual Cloud Security-Svoboda CIMIB

  • 8/3/2019 05 RSA Virtual Cloud Security-Svoboda CIMIB

    1/68

    RSA: Vision of Secure Virtualization and Trusted Cloud

    RNDr. Ivan Svoboda, CSc., RSA, The Security Division of EMC


    2/68

    Agenda

    About RSA

    Virtualization and Cloud Computing (definitions)

    RSA / EMC: our experience with cloud

    Virtualization and Cloud: Risks, Security and Compliance

    Virtualization and Cloud: RSA security solutions

    3/68

    Meeting Our Customers' Challenges

    Prove Compliance Consistently & Affordably

    Secure Virtualization & Cloud Computing

    Secure Access for Increased Mobility & Collaboration

    Manage Risk and Threats Throughout the Enterprise

    How?

    4/68

    How We Do It: System for Managing Security, Risk and Compliance

    Governance, Risk & Compliance: Archer eGRC Suite (Policy Management, Risk Management, Incident Management, Compliance Management, Enterprise Management)

    Identity Security (Authentication, Provision, Prevention): SecurID, Access Manager, FraudAction, Adaptive Auth, Transaction Monitoring, Auth. Manager Express, Federated Identity Mgr, eFraudNetwork

    Data Security (Prevention, Tokenization): DLP, Cisco IronPort, Network Partners, Endpoint Partners, DPM App, DPM DC, BSAFE, Microsoft RMS, Tokenization

    Monitoring / Audit / Reporting: SIEM (enVision), Network Analysis / Forensics (NetWitness)

    5/68

    RSA, The Security Division of EMC

    Authentication: 1st

    Data Loss Prevention: Leader

    Web Fraud Detection: Leader

    SIEM: Leader

    eGRC: Leader

    6/68

    How We Do It: System for Managing Security, Risk and Compliance

    Analyze / Discover (Data, Threats): RSA DLP, FraudAction, NetWitness

    GRC: Risk / Policy Management: RSA Archer

    Enforce Controls: RSA Encryption, Authentication, Access Control, Transaction Monitoring

    Log / Report / Audit: RSA enVision

    7/68

    RSA: A Comprehensive Approach to Security

    Governance, Risk & Compliance: Archer eGRC Suite (Policy Management, Risk Management, Incident Management, Compliance Management, Enterprise Management)

    Authentication, Access / Provision

    Fraud Prevention

    Data Loss Prevention

    Encryption & Tokenization

    Network / System Security: Cisco, Microsoft, VMware

    Monitoring / Audit / Reporting: SIEM (enVision), NAV (NetWitness)

    8/68

    Virtualization and Cloud Computing

    9/68

    The Opportunity: Enterprise IT Has Many Challenges

    Enterprise IT infrastructure: Complex, Expensive, Inflexible, Siloed

    Public Cloud infrastructure: Simple, Low Cost, Flexible, Dynamic

    The Public Cloud Has Broad Appeal

    Over Time, Enterprise IT Will Evolve Towards Public Cloud Ideals

    Copyright 2010 EMC Corporation. All rights reserved.

    10/68

    The Opportunity: The Journey to the Cloud. The Private Cloud is a Logical First Step

    Enterprise IT -> Private Cloud -> Public Cloud

    Private Cloud infrastructure: Simple, Low Cost, Flexible, Dynamic; Trusted, Controlled, Reliable

    70% Will Spend More On Private Cloud through 2012 (Gartner DC Conference 2009)

    11/68

    The Opportunity: The Journey to the Cloud. Virtualize Everything, Standardize & Automate

    Enterprise IT -> Private Cloud -> Hybrid Cloud -> Public Cloud

    Private Cloud infrastructure: Virtualization, Converged Infrastructure, Automation, Federation, GRC

    Infrastructure-as-a-Service

    Hybrid Cloud: Utilize Service Provider Infrastructure

    12/68

    Securing the Journey to The Private Cloud

    Chart: % Virtualized (15%, 30%, 70%, 85%, 95%) across three phases, with Platinum and Gold service tiers:

    IT Production (Lower Costs): Visibility into virtualization infrastructure, privileged user monitoring, access management, network security

    Business Production (Improve Quality Of Service): Secure multi-tenancy, verifiable chain of trust

    IT-As-A-Service (Improve Agility): Security compliance, information-centric security, risk-driven policies, IT and security operations alignment

    13/68

    RSA / EMC: our experience with cloud and

    14/68

    RSA / EMC: our experience with virtualization

    15/68

    RSA / EMC: our experience with cloud

    We live the cloud: we are on the road to a private cloud (over 75% virtualized)

    We use public cloud applications (e.g. CRM)

    We are a supplier of cloud solutions: VCE (VMware, Cisco, EMC)

    RSA: security solutions for VCE (Vblock)

    We provide security to cloud providers: Verizon, CSC, AT&T, ...

    We offer SaaS solutions: Adaptive Authentication, Transaction Monitoring, 3D Secure

    We have a vision of a secure cloud: we are members of the CSA (Cloud Security Alliance)

    We have launched the Cloud Trust Authority solution

    16/68

    EMC IT's Journey to the Private Cloud

    Chart: % Virtualized over time (15%, 30%, 40%, 75%, 86%, 100%), in three phases, with a "We are here" marker:

    IT Production (Efficiency), 2004-08: development, test and IT-owned applications

    Business Production (Quality of service), 2009-10: mission-critical applications

    IT-as-a-Service (Agility), 2011+: run IT as a business

    17/68

    Deliver IT as a Service: Define Service Catalog, Publish to Self-service IT Portal

    Policy/SLA-driven Management; service tiers Platinum, Gold, Silver, Bronze

    Example tier attributes: Availability 99.99%, Performance 0.2 ms, Security High, Cost $500K

    EMC UIM: Infrastructure Service Catalogue

    vCloud Director: Service Catalogue

    Self-Service IT Portal

    18/68

    www.EMC.com/emcit

    EMC IT Journey to the Private Cloud: A Practitioner's Guide: http://www.emc.com/collateral/software/white-papers/h7298-it-journey-private-cloud-wp.pdf

    19/68

    What do others recommend?

    US Government CIO (Kundra): 25% of Fed IT Spend on Cloud Services

    NIST: Guidelines on Security and Privacy in Public Cloud (800-144 Draft)

    Cloud Security Alliance: Cloud Assessment Initiative

    Fraud-as-a-Service running in cloud: Trojans as a Service

    20/68

    Virtualization and cloud computing:

    21/68

    Main changes on the road to the cloud

    Enterprise IT -> Private Cloud -> Public Cloud

    Public cloud qualities: Simple, Low Cost, Flexible, Dynamic; enterprise IT qualities: Trusted, Controlled, Reliable, Secure

    Private Cloud infrastructure: Availability 99.99%, Security High, Performance 0.2 ms, Cost $500K

    22/68

    Main changes on the road to the cloud: step 1

    Company A: physical security; network security (FW, AV, IDS, IPS, VPN, AAA, ...); DMZ, ERP, HR

    Virtual Datacenter 1: PCI, DMZ

    Virtual Datacenter 2: Dev, Test, HIPAA

    Virtualization security / private cloud

    Monitoring (SIEM, DLP, GRC, ...)

    23/68

    Main changes on the road to the cloud: step 2

    Company A: physical security; network security (FW, AV, IDS, IPS, VPN, AAA, ...); DMZ, ERP, HR

    Virtual Datacenter 1: PCI, DMZ

    Virtual Datacenter 2: Dev, Test, HIPAA

    Virtualization security / private cloud

    Monitoring (SIEM, DLP, ...)

    Cloud security: Trust (Trust = Visibility + Control)

    24/68

    Main changes on the road to the cloud: trust = SLA?

    Enterprise IT -> Private Cloud -> Public Cloud

    Private Cloud infrastructure: Availability 99.99%, Security High, Performance 0.2 ms, Cost $500K

    = SLA?


    25/68

    Examples: Security at SalesForce.Com


    26/68

    Examples: Security at Google

    27/68

    Examples: security in the cloud

    Does XXXX give third parties access to my organization's data?

    XXXX does not share or reveal private user content such as email or personal information with third parties except as required by law, on request by a user or system administrator, or to protect our systems. These exceptions include requests by users that XXXX support staff access their email messages in order to diagnose problems; when XXXX is required by law to do so; and when we are compelled to disclose personal information because we reasonably believe it's necessary in order to protect the rights, property or safety of XXXX, its users and the public.

    28/68

    Enabling Trust in the Cloud

    Enterprises <-> Cloud Service Providers

    Security & Compliance; Visibility & Reporting

    Identities, Information, Workload

    Public Cloud, Private Cloud, Hybrid Cloud

    https://cloudsecurityalliance.org/

    29/68

    Examples: CSA questions (1)

    Compliance - Independent Audits: Do you allow tenants to view your SAS70 Type II/SSAE 16 SOC2/ISAE3402 or similar third party audit reports?

    Compliance - Third Party Audits: Do you permit tenants to perform independent vulnerability assessments?

    Data Governance - Secure Disposal: Do you support secure deletion (ex. degaussing / cryptographic wiping) of archived data as determined by the tenant?

    Data Governance - Information Leakage: Do you have controls in place to prevent data leakage or intentional/accidental compromise between tenants in a multi-tenant environment? Do you have a DLP solution in place for all systems which interface with your cloud service offering?

    Data Governance - Risk Assessments: Do you provide security control health data in order to allow tenants to implement industry standard Continuous Monitoring (which allows continual tenant validation of your physical and logical control status)?

    30/68

    Examples: CSA questions (2)

    Information Security - Baseline Requirements: Do you have documented information security baselines for every component of your infrastructure (ex. hypervisors, operating systems, routers, DNS servers, etc.)? Do you have a capability to continuously monitor and report the compliance of your infrastructure against your information security baselines?

    Information Security - Segregation of Duties: Do you provide tenants with documentation on how you maintain segregation of duties within your cloud service offering?

    Information Security - Encryption Key Management: Do you encrypt tenant data at rest (on disk/storage) within your environment? Do you maintain key management procedures?

    Information Security - Incident Management: Do you publish a roles and responsibilities document specifying what you vs. your tenants are responsible for during security incidents? Do you have a DLP solution in place for all systems which interface with your cloud service offering?

    Information Security - Incident Reporting: Does your security information and event management (SIEM) system merge data sources (app logs, firewall logs, IDS logs, physical access logs, etc.) for granular analysis and alerting?

    31/68

    Our Customers Are Asking Themselves

    Can I ensure my virtualized business critical applications are running in a secure and compliant environment?

    ... mixed VMware and physical IT environments?

    Can I respond more quickly to security events in my virtual environment?

    How do I begin to assess hybrid and public cloud service providers?

    32/68

    Virtualization and cloud computing:

    33/68

    Is it secure? And is it compliant?

    The usual answer from the IT operator: YES! We take security very seriously

    We have implemented lots of firewalls, ...

    We comply with the laws ...

    We have passed an audit

    Can you see inside? Where is your data, who accessed it, what happened

    Can you measure compliance? What is the current reality (technical configuration)?

    What exactly is / is not fulfilled?

    Can you prove / report it?

    34/68

    Securing the Journey to The Cloud

    Chart: % Virtualized (15%, 30%, 70%, 85%, 95%) across three phases, with Platinum and Gold service tiers:

    IT Production (Lower Costs): Visibility into virtualization infrastructure, privileged user monitoring, access management, network security

    Business Production (Improve Quality Of Service): Secure multi-tenancy, verifiable chain of trust

    IT-As-A-Service (Improve Agility): Security compliance, information-centric security, risk-driven policies, IT and security operations alignment

    35/68

    Security of the virtual and cloud environment

    VMware: network security: vShield, vCloud Director; virtual firewalls, application protection, ...

    RSA: monitoring, compliance, ...: enVision, DLP, Archer, SecurID, ...

    36/68

    RSA: a suite of solutions (not only) for virtual environments

    Identity protection, access control: strong two-factor and multi-factor authentication for users and administrators

    Protection of sensitive data against leakage (DLP): on storage, on the network, on virtual desktops

    Security monitoring of the entire virtualized infrastructure: a complete SIEM solution fulfilling the role of a Security Operations Center

    Audit and assurance of compliance with legislation and internal regulations, i.e. measuring / proving compliance: VMware (virtual and physical infrastructure, private cloud); Cloud (compliance according to CSA)

    37/68

    RSA: a suite of solutions (not only) for virtual environments

    Identity Security: Authentication, Provision, Prevention

    Data Security: Prevention, Tokenization

    Compliance (GRC): Archer eGRC Suite; VMware; Cloud

    Monitoring / Audit / Reporting: SIEM (enVision)

    38/68

    RSA Solution for VMware View

    Components: Clients; VMware View Manager; VMware vCenter; VMware Infrastructure; Active Directory

    RSA SecurID for remote authentication

    RSA SecurID for ESX Service Console and vMA

    RSA DLP for protection of data in use

    RSA Archer Compliance Dashboard

    RSA enVision log management for VMware vCenter & ESX(i), VMware View, RSA SecurID, RSA DLP, Active Directory

    Validated with Vblock

    39/68

    RSA: a suite of solutions (not only) for virtual environments

    Identity Security: Authentication, Provision, Prevention

    Data Security: Prevention, Tokenization

    Compliance (GRC): Archer eGRC Suite; VMware; Cloud

    Monitoring / Audit / Reporting: SIEM (enVision)

    40/68

    Visibility and Monitoring: RSA enVision

    Consolidated event log management, analysis, and reporting; allows for cross-environment correlation

    Collects logs from the VMware stack: VMware Collector for RSA enVision leverages VMware APIs

    Sources: VMware View Manager, VMware vCloud Director

    Can pull logs from multiple vCenters!

    41/68

    Use Case Scenarios

    Applying Patch to Production System

    Protecting Management Console

    Unauthorized Administrator

    Lost Laptop

    42/68

    Apply Patch to Production System - Before

    Production Datacenter: HR Application Server VM, HR Database Server VM (HR DB: Name, SSN, DoB, etc.)

    Test Environment: HR Application Server VM, HR Database Server VM (HR DB: Name, SSN, DoB, etc.)

    A common way to apply patches is to try them out in a test environment. In a virtual world you can clone the system, data and all.

    1. Clone virtual environment (this is difficult and time-consuming in a production environment, but very easy in a virtual environment)

    2. Test patch

    3. Apply patch to production environment

    Is this an authorized procedure?

    Is the test environment sufficiently protected & controlled?

    Who accessed the data in the test environment?

    Was the VM destroyed after it was used?

    43/68

    Apply Patch to Production System - After

    Production Datacenter: HR Application Server VM, HR Database Server VM (HR DB: Name, SSN, DoB, etc.)

    Test Environment: HR Application Server VM, HR Database Server VM (HR DB: Name, SSN, DoB, etc.)

    1. Clone virtual environment

    2. Test patch

    3. Apply patch to production environment

    VM Cloned: RSA enVision can log the administrative activity from vCenter, like the VM being cloned

    Patch Applied: if the test environment is properly protected, then it will also be monitored by RSA enVision

    Event trail seen by RSA enVision: VM Cloned, Patch Applied, Patch Applied, VM Deleted

    If this is out of policy we can alert a security analyst

    44/68

    Use Case: Monitoring events in the virtual datacenter
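The clone / test / patch / delete trail on slides 42 to 44 can be checked mechanically against the four questions the slides raise. The block below is an added example in Python; it is not RSA enVision or VMware code and is not part of the original deck. It parses constructed vCenter-style administrative events and raises an alert for each policy breach: a clone of a production VM without an approved change record, a production patch that was never exercised on a clone, access to cloned HR data by someone outside the authorized set, and a clone still present after its allowed lifetime. The record layout, the action names, the change-record scheme, the user names and the thresholds are all assumptions made for this example.

```python
"""Added example: policy checks over constructed vCenter-style admin events
for the clone -> test patch -> apply -> delete workflow described on the
slides. Not RSA enVision or VMware code; every field name, action name,
change-record id and threshold below is an assumption for this example."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample events, one per line: timestamp|user|action|vm|key=value;...
SAMPLE_EVENTS = """\
2019-03-08T08:00:00|vi-admin|VmCloned|hr-db-prod|clone=hr-db-test;change=CHG-1001
2019-03-08T08:05:00|vi-admin|PatchApplied|hr-db-test|change=CHG-1001
2019-03-08T09:30:00|contractor7|DataAccessed|hr-db-test|table=employees
2019-03-08T10:00:00|vi-admin|PatchApplied|hr-db-prod|change=CHG-1001
2019-03-08T11:00:00|vi-admin|VmCloned|hr-app-prod|clone=hr-app-scratch;change=
2019-03-08T11:10:00|vi-admin|PatchApplied|hr-app-prod|change=CHG-1002
"""

# Policy values (assumed for the example).
AUTHORIZED_CHANGES = {"CHG-1001"}        # change records that permit cloning production
AUTHORIZED_TEST_USERS = {"vi-admin"}      # who may touch clones that carry HR data
MAX_CLONE_LIFETIME = timedelta(hours=4)   # a clone must be deleted within this window
NOW = datetime(2019, 3, 8, 13, 0)         # evaluation time for the sample trail


@dataclass
class Event:
    ts: datetime
    user: str
    action: str
    vm: str
    detail: dict


def parse_events(text):
    """Turn the pipe-delimited sample format into Event objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, vm, detail = line.split("|", 4)
        kv = dict(item.split("=", 1) for item in detail.split(";") if item)
        events.append(Event(datetime.fromisoformat(ts), user, action, vm, kv))
    return events


def check_clone_policy(events, now):
    """Return human-readable alerts for policy violations in the event trail."""
    alerts = []
    clones = {}     # clone vm name -> (source vm, time cloned)
    tested = set()  # change ids whose patch was applied to a clone first
    for ev in sorted(events, key=lambda e: e.ts):
        change = ev.detail.get("change", "")
        if ev.action == "VmCloned":
            clone = ev.detail["clone"]
            clones[clone] = (ev.vm, ev.ts)
            if change not in AUTHORIZED_CHANGES:
                alerts.append(f"unauthorized clone of {ev.vm} as {clone} by {ev.user}")
        elif ev.action == "PatchApplied":
            if ev.vm in clones:
                tested.add(change)   # the patch was exercised in the test copy
            elif change not in tested:
                alerts.append(f"patch {change or '<none>'} applied to {ev.vm} "
                              "without a prior test on a clone")
        elif ev.action == "DataAccessed" and ev.vm in clones:
            if ev.user not in AUTHORIZED_TEST_USERS:
                alerts.append(f"{ev.user} accessed cloned data on {ev.vm}")
        elif ev.action == "VmDeleted":
            clones.pop(ev.vm, None)  # clone destroyed, as the procedure requires
    # Anything still in `clones` was never deleted; flag it once it is overdue.
    for clone, (src, created) in clones.items():
        if now - created > MAX_CLONE_LIFETIME:
            alerts.append(f"clone {clone} of {src} still present after {MAX_CLONE_LIFETIME}")
    return alerts


def run_sample():
    """Evaluate the constructed trail at NOW; returns the list of alerts."""
    return check_clone_policy(parse_events(SAMPLE_EVENTS), NOW)


if __name__ == "__main__":
    for alert in run_sample():
        print("ALERT:", alert)
```

The sample trail yields four alerts: the contractor's access to the cloned HR database, the clone of hr-app-prod made without a change record, the patch applied to hr-app-prod without a prior clone test, and the hr-db-test clone that is still present five hours after it was created. Tracking clones by name is enough for the sample; a SIEM correlating real vCenter events would key on the VM identifier so that a rename does not lose the link to the source VM.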

    45/68

    RSA: a suite of solutions (not only) for virtual environments

    Identity Security: Authentication, Provision, Prevention

    Data Security: Prevention, Tokenization

    Compliance (GRC): Archer eGRC Suite; VMware; Cloud

    Monitoring / Audit / Reporting: SIEM (enVision)

    46/68

    Use Case: Reducing Risk of VM Theft

    RISK

    Securing virtual infrastructure is often a check list of best practices. Hardening a VMware environment is complex and difficult to verify. What can I do to limit the risk of VM theft from my datacenter?

    Need to take preventative steps that limit access to VM files, such as:

    Disable Datastore Browser

    Limit Storage User Access

    Limit use of service console

    Use least privileged role concept for system and data access

    47/68

    Use Case: Reducing Risk of VM Theft

    SOLUTION

    Archer has built-in control procedures to check for VM file access and other best practices

    From a centralized console, security and IT ops can easily see if controls enforce policy

    Solution identifies VMware devices, assesses configuration status, and informs the responsible administrator

    enVision monitors to ensure security events are not disrupting compliance posture

    Results: Security and compliance best practices directly aligned with regulations and company policies are implemented and verified

    48/68

    Cycle of Compliance: RSA Solution for Cloud Security and Compliance

    Discover VMware infrastructure

    Define security policy: over 100 VMware-specific controls added to Archer library, mapped to regulations/standards (RSA SecurBook)

    Manual and automated configuration assessment: a solution component automatically assesses VMware configuration and updates Archer

    Remediation of non-compliant controls (RSA Archer eGRC)

    Manage security incidents that affect compliance: RSA enVision collects, analyzes and feeds security incidents from RSA, VMware and ecosystem products to inform Archer dashboards

    49/68

    Mapping VMware Security Controls to Regulations and Standards

    Three levels in RSA Archer eGRC:

    Authoritative Source (audience: CxO): Regulations (PCI-DSS, etc.), e.g. 10.10.04 Administrator and Operator Logs

    Control Standard: Generalized security controls, e.g. CS-179 Activity Logs (system start/stop/config changes etc.)

    Control Procedure (audience: VI Admin): Technology-specific control, e.g. CP-108324 Persistent logging on ESXi Server

    50/68

    Distribution and Tracking Control Procedures

    Roles: Security Admin, Server Admin, Project Manager, Network Admin, VI Admin (RSA Archer eGRC)

    51/68

    RSA Solution for Cloud Security and Compliance

    VI Configuration Measurement: VI Component Discovery and Population; Automated Measurement Agent; VMware-specific Controls; RSA Archer eGRC; RSA enVision alerts
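Slides 46 to 51 describe three things that fit together: the VM-theft preventive steps (datastore browser, service console access, least-privilege roles), the three-level mapping Authoritative Source -> Control Standard -> Control Procedure, and the automated measurement of VMware configuration whose failed procedures are routed to the responsible role. The block below is an added example in Python that models that cycle on constructed ESXi host settings; it is not RSA Archer's data model or API and is not part of the deck. The identifiers CS-179 and CP-108324 and the section label 10.10.04 are taken from slide 49; the CS-EXAMPLE-*/CP-EXAMPLE-* ids, the setting names, the host names, the measured values and the regulation-to-standard link are assumptions made for the example.

```python
"""Added example: the Authoritative Source -> Control Standard -> Control
Procedure hierarchy from the slides, measured automatically against
constructed ESXi host settings and rolled up per standard. Not RSA Archer's
data model or API. CS-179, CP-108324 and the 10.10.04 label come from the
slide; every other id, setting name, value and host is an assumption."""
from dataclasses import dataclass


@dataclass
class ControlProcedure:
    cp_id: str
    name: str
    setting: str       # key in the measured host configuration (assumed name)
    expected: object   # bool for switches, set of allowed members for lists
    owner: str         # role that receives the finding


@dataclass
class ControlStandard:
    cs_id: str
    name: str
    procedures: list


@dataclass
class AuthoritativeSource:
    name: str
    section: str
    standards: list


LOGGING = ControlStandard(
    "CS-179", "Activity Logs: system start/stop/config changes etc.",
    [ControlProcedure("CP-108324", "Persistent logging on ESXi Server",
                      "syslog_persistent", True, "VI Admin")])

# VM-theft preventive steps from the slides, expressed as control procedures
# (the CS-EXAMPLE-*/CP-EXAMPLE-* ids are placeholders, not Archer ids).
VM_FILE_ACCESS = ControlStandard(
    "CS-EXAMPLE-1", "Limit access to VM files",
    [ControlProcedure("CP-EXAMPLE-1", "Datastore Browser disabled",
                      "datastore_browser_enabled", False, "VI Admin"),
     ControlProcedure("CP-EXAMPLE-2", "Service console access limited",
                      "service_console_users", {"root"}, "Server Admin"),
     ControlProcedure("CP-EXAMPLE-3", "Least-privilege administrator role",
                      "admin_role_members", {"vi-admin"}, "Security Admin")])

# The regulation-to-standard link is illustrative, taken from the slide's labels.
REGULATION = AuthoritativeSource(
    "PCI-DSS (etc.)", "10.10.04 Administrator and Operator Logs",
    [LOGGING, VM_FILE_ACCESS])

# Constructed measurements, as an automated agent would collect them.
HOSTS = {
    "esx01": {"syslog_persistent": True, "datastore_browser_enabled": False,
              "service_console_users": {"root"}, "admin_role_members": {"vi-admin"}},
    "esx02": {"syslog_persistent": False, "datastore_browser_enabled": True,
              "service_console_users": {"root", "contractor7"},
              "admin_role_members": {"vi-admin"}},
}


def measure(cp, config):
    """True when the host setting satisfies the control procedure."""
    value = config.get(cp.setting)
    if value is None:
        return False                       # unmeasured counts as non-compliant
    if isinstance(cp.expected, set):
        return set(value) <= cp.expected   # no members outside the allowed set
    return value == cp.expected


def assess(source, hosts):
    """Measure every procedure on every host; roll up per control standard."""
    findings = []    # (host, cp_id, cp name, owner) for each failed check
    rollup = {}      # cs_id -> percentage of passing checks
    for standard in source.standards:
        passed = total = 0
        for cp in standard.procedures:
            for host, config in hosts.items():
                total += 1
                if measure(cp, config):
                    passed += 1
                else:
                    findings.append((host, cp.cp_id, cp.name, cp.owner))
        rollup[standard.cs_id] = round(100.0 * passed / total, 1)
    return {"source": source.name, "section": source.section,
            "compliant": not findings, "standards": rollup, "findings": findings}


def distribute(findings):
    """Group failed procedures by the role responsible for remediation."""
    by_owner = {}
    for host, cp_id, _name, owner in findings:
        by_owner.setdefault(owner, []).append((host, cp_id))
    return by_owner


if __name__ == "__main__":
    result = assess(REGULATION, HOSTS)
    print(result["section"], "compliant:", result["compliant"], result["standards"])
    for owner, items in distribute(result["findings"]).items():
        print(owner, "->", items)
```

With the constructed hosts, esx02 fails persistent logging, the datastore browser check and the service console check, so CS-179 rolls up to 50% and the VM-file-access standard to 66.7%, and the regulation as a whole is non-compliant; the two VI Admin findings and the one Server Admin finding are what the distribution step would hand to those roles. Treating an unmeasured setting as a failure is deliberate: a host the agent could not read is exactly the one whose posture is unknown.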

    52/68

    VMware compliance: live demo

    53/68

    Control Procedures List, Status and Measurement Method

    54/68

    Measurement Method

    55/68

    Compliance Dashboard across Physical and Virtual

    56/68

    RSA: a suite of solutions (not only) for virtual environments

    Identity Security: Authentication, Provision, Prevention

    Data Security: Prevention, Tokenization

    Compliance (GRC): Archer eGRC Suite; VMware; Cloud

    Monitoring / Audit / Reporting: SIEM (enVision)

    57/68

    Making Archer the Best GRC Solution for Hybrid Clouds

    RSA Solution for Cloud Security and Compliance aligns with CSA Consensus Assessment Questions by automating 195 questions that customers can issue to assess cloud service providers.

    Assessing Service Provider Compliance

    Cloud Security Alliance's 13 domains of focus for cloud computing: Cloud Architecture; Governance and Enterprise Risk Management; Legal and Electronic Discovery; Compliance and Audit; Information Lifecycle Management; Portability and Interoperability; Security, Bus. Cont., and Disaster Recovery; Data Center Operations; Incident Response, Notification, Remediation; Application Security; Encryption and Key Management; Identity and Access Management; Virtualization

    58/68

    CSA Assessment Questionnaire in Archer

    59/68

    Use Case: Assessing Cloud Service Providers

    RISK: Choosing the wrong service provider

    Results: Benchmarking vendors based on CSA standards

    60/68

    Creating the Trusted Cloud

    Trust = Visibility + Control

    Control: Availability, Integrity, Confidentiality

    Visibility: Compliance, Governance, Risk Management

    Private Cloud infrastructure: Availability 99.99%, Security High, Performance 0.2 ms, Cost $500K

    61/68

    Main changes on the road to the cloud

    Enterprise IT -> Private Cloud -> Public Cloud (Cloud providers A, B, C, D)

    Private Cloud infrastructure: Availability 99.99%, Security High, Performance 0.2 ms, Cost $500K

    = SLA?

    62/68

    RSA Cloud Trust Authority

    Identity Services

    Compliance profiling

    63/68

    RSA solutions for security and compliance

    Can you see inside? Where is your data, who accessed it, what happened

    Can you measure compliance? What is the current reality (technical configuration)? What exactly is / is not fulfilled?

    Can you prove / report it?

    64/68

    More Information

    Information on RSA solutions for virtualization and cloud: www.rsa.com/rsavirtualization

    Introductory demo: http://www.rsa.com/experience/virtual/RSA_Virtual_Journe .html

    Solutions for VMware: http://www.rsa.com/node.aspx?id=3684

    Solutions for Cloud (the foundation is again virtualization): http://www.rsa.com/node.aspx?id=1130

    Solutions for VMware View: http://www.rsa.com/node.aspx?id=1334

    65/68

    RSA SecurBook: Cloud Security and Compliance

    www.rsa.com/rsavirtualization

    A technical guide for deploying and operating RSA Solution for Cloud Security and Compliance

    Solution deployment and configuration guides

    Operational guidance for effectively using the solution

    Troubleshooting guidance

    66/68

    More Information

    www.rsa.com/rsavirtualization

    RSA SecurBooks: Technical guides for deploying and operating RSA Solutions

    EMC Solutions for VMware Webcasts - Every Thursday at 11:00 AM ET

    Join us for Webcasts: http://mediazone.brighttalk.com/comm/ISC2/a7082f81e6-17335-2838-18812

    67/68

    Questions/Feedback/Discussion

    RSA Contacts:

    Ivan Svoboda: Key Account Manager

    ivan.svoboda@rsa.com

    + 420 604 293 394

    68/68

    Thank you! www.rsa.com/securecloud