1. Architecting and Building a Secure and Compliant Virtual Infrastructure and Private Cloud Rob Randell, CISSP, CCSK Principal Systems Engineer – Security Specialist

2. Agenda Security Perspective on Customer Journey to the Cloud Whiteboard Overview of How Virtualization and Cloud Affect Datacenter Security How to Secure our Cloud and Make it Compliant Network Security and Secure Multi-tenancy in the Cloud

3. Security Perspective On Customer Deployment Architectures Physical deployments are still considered to be most secure and remain in all enterprises Air gapped pods are preferred by security teams for virtualized high risk assets (SOX, PCI, DMZ) Mixed trust clusters typically have the M&M security model, blocking important asset migration to them Private cloud is an extension of the mixed trust deployment, with more automation and self service Dedicated Private Cloud SLAs make it virtually the same risk level as the on-premise deployments Multi-tenant Public Cloud is just emerging, with concerns around visibility, audit, control and compliance AIR GAPPED PODS MIXED TRUST CLUSTERS ON-PREMISE PRIVATE CLOUD DEDICATED PRIVATE “CLOUD” (eBay, CSC) PUBLIC MULTI-TENANT CLOUD (Terremark, EC2) 1 1 2 2 3 3 4 4 5 5 1 1 2 2 3 3 4 4 5 5 0 0 0 0 PHYSICAL

4. 4 Segmentation of applications, servers VLAN or subnet based policies Interior or Web application Firewalls DLP, application identity aware policies VLAN 1 VLANs The Datacenter needs to be secured at different levels Cost & Complexity At the vDC Edge Sprawl: hardware, FW rules, VLANs Rigid FW rules Performance bottlenecks Keep the bad guys out Perimeter security device (s) at the edge Firewall, VPN, Intrusion Prevention Load balancers End Point Protection Desktop AV agents, Host based intrusion DLP agents for privacy Perimeter Security Internal Security End Point Security

5. 5 Simple Definition of a Virtual Datacenter DMZ Tenant 1 App1 App2 DMZ Tenant 2 App1 App2 DMZ Tenant … App1 App2 The isolated and secured share of a virtualized multitenant environment. Like a physical datacenter shares the Internet for interconnectivity, the tenants of a cloud (public or private) share the local network within the private datacenter or in the service providers network, and also like a physical datacenter, each tenant also has their own private, isolated, and secured virtual networking infrastructure.

6. 6 Securing virtual Data Centers (vDC) with legacy security solutions Legacy security solutions do not allow the realization of true virtualization and cloud benefits VIRTUALIZED DMZ WITH FIREWALLS APPLICATION ZONE DATABASE ZONE WEB ZONE ENDPOINT SECURITY INTERNAL SECURITY PERIMETER SECURITY Internet vSphere Air Gapped Pods with dedicated physical hardware Mixed trust clusters without internal security segmentation Configuration Complexity o VLAN sprawl o Firewall rules sprawl o Rigid network IP rules without resource context Private clouds (?)

7. Platform Sec.  

8. Secure the Underlying Platform FIRST Use the Principles of Information Security Hardening and Lockdown Defense in Depth Authorization, Authentication, and Accounting to enforce Separation of Duties and Least Privileges Administrative Controls For virtualization this means: Harden the Virtualization layer Setup Access Controls Secure the Guests Leverage Virtualization Specific Administrative Controls What Auditors Want to See: Network Controls Change Control and Configuration Management Access Controls & Management Vulnerability Management

9. Protection of Management Interfaces is Key Segment out all non-production networks Use VLAN tagging, or Use separate vSwitch (see diagram) Strictly control access to management network, e.g. RDP to jump box, or VPN through firewall 9 vSwitch1 vmnic1234 Production vSwitch2 VMkernel Mgmt Storage vnic vCenter IP-based Storage Other ESX/ESXi hosts Mgmt Network Prod Network VMware vSphere 4 Hardening Guidelines http://www.vmware.com/resources/techresources/10109

10. More Power Less Power Super Cloud Admin Cloud Networking Admin Cloud Server Admin Tenant A Admin VM Admin Tenant B Admin VM Admin Tenant C Admin VM Admin Cloud Storage Admin Separation of Duties Must Be Enforced

11. 11 Air Gapped Design – Costly and Inefficient Company Z Firewall Load Balancer Switch Company YCompany X Aggregation Access Internet L2-L3 Switch Firewall Load Balancer L2-L3 Switch Firewall Load Balancer L2-L3 Switch Switch vSphere VPN Gateway Remote Access

12. 12 VLAN 1002 VLAN 1001 VLAN1000 Multi-tenancy – Physical Firewall and VLAN Company ZCompany YCompany X Access- Aggregation Internet L2-L3 Switch VMware vSphere + vShield PG-X (vlan1000)PG-Y (vlan 1001)PG-Z (vlan 1002) PG-Z PG-X Port group Company X n/w PG-Y Port group Company Y n/w Port group Company Z n/w Legend : Port group to VM Links VLAN 1000 VLAN 1001 VLAN 1002 VLAN 1000 VLAN 1001 VLAN 1002 Virtual to Ext. Switch Links Firewalls vDS/vSS

13. 13 Multi-tenancy Virtualization Aware Company ZCompany YCompany X Access- Aggregation Internet L2-L3 Switch VMware vSphere + vShield PG-X(vlan1000)PG-Y(vlan1000)PG-Z(vlan1000) PG-Z PG-X Port group Company X n/w PG-Y Port group Company Y n/w Port group Company Z n/w Legend : PG-C External uplink Port group PG-C(vlan100) Internal Company Links External Up Link Infrastructure VLAN (VLAN 1000) VLAN1000 vShield Edge VM Provider VLAN (VLAN 100) vDS to Ext. Switch Links Traffic flow not allowed vDS

14. 14 Virtual Datacenter 2 ESX Hardening Cluster ACluster B VMware vSphere + vCenter Enforce Microsegmentation Inside the vDC  Protect applications against Network Based Threats Application-Aware Full Stateful Packet Inspection FW Control on per-VM/per vNIC level See VM-VM traffic within the same host Security groups enforced with VM movement CIS & PCI Virtual Datacenter 1 DISA & PCIDatabase AppWeb

15. 15 Offload Endpoint Based Security Functions with VM Introspection Techniques Improves performance and effectiveness of existing endpoint security solutions Offload Functions AV File Integrity Monitoring Application Whitelisting Improves performance and effectiveness of existing endpoint security solutions Offload Functions AV File Integrity Monitoring Application Whitelisting

16. 16 Virtualized Security and Edge Services Internal Security and Compliance Endpoint Security Edge/Perimeter Protection Elastic Logical Efficient Automated Programmable Security as a Service Cloud Aware Security Micro-segmentation Discover and report regulated data in the Datacenter and Cloud Secure the edge of the virtual datacenter Security and Edge networking services gateway Efficient offload of endpoint based security into the cloud infrastructure – i.e.- anti-virus and file integrity monitoring

17. 17 Continuous and Automated Compliance Ongoing Change and Compliance Management  Understand Pervasive Change  Capture in-band and out-of-band changes  Are you still Compliant? Remediate Exceptions  Fit within current enterprise change mgmt workflow process Protect against vulnerabilities  Hypervisor-based anti-virus provides superior protection  Patch Management guards against known attacks  Software provisioning tied to compliance  Day to day vulnerability checks Deployed from Gold Standard Compliant State Noncompliant State Compliant State Mark as Exception Remediate (RFC Optional) Planned Change Unplanned Change

18. 18 Confidential Conclusion The Cloud Had Great Benefits and like any Technology its Associated Risks These Risks Can Be Mitigated With Proper Controls The Classic Principles of Information Security Should be Applied Key Architecture Decisions must be made for Security Tools Designed for the Cloud Must Be Utilized

19. Questions? Rob Randell, CISSP, CCSK Principal Security and Compliance Specialist