
Achieving A Trusted Cloud with VMware – George Gerchow, VMware Director, Center for Policy & Compliance (© 2010 VMware Inc. All rights reserved. Confidential)


Slide 1: Achieving A Trusted Cloud with VMware
George Gerchow, VMware Director, Center for Policy & Compliance (CISSP, ITIL, CCNA, MCPS, SCP)

Slide 2: Physical, Virtual, Cloud cannot stop the Human Factor
- Step 1 – Get great job at NG
- Step 2 – New laptop from IT
- Step 3 – The rebuild
- Step 4 – Labs at CSU

Slide 3: How to make a name for yourself in the Industry
- Step 1 – Get back on the NG network
- Step 2 – A flood of email (30,000 with adult content)
- Step 3 – Visit from the Jefe
- Step 4 – Melissa boy for life

Slide 4: Agenda
- Challenges in Cloud Adoption
- VMware Trusted Cloud Solutions
- VMware Trusted Cloud Ecosystem
- VMware Center for Policy & Compliance
- Key Takeaways
- Q&A

Slide 5: Security and Compliance are Key Concerns for CIOs Moving to Cloud
[Chart: Q. What are the top challenges or barriers to implementing a cloud computing strategy? Source: 2010 IDG Enterprise Cloud-based Computing Research, November 2010]
The top 4 concerns are on security and compliance.

Slide 6: Challenges Cloud Brings and the Issue of Trust
- Mixed mode levels of trust: VMs riding on the same Guest with different trust levels (PCI)
- Multi-tenancy: protecting intellectual property (IP) with shared resources
- Auditor, QSA approval of design; evidence-based compliance
  - How is my data being protected and segmented by level of security?
  - What standards and frameworks do I adopt to minimize risk?
  - How do I automate best practices, regulatory guidelines and vendor standards?
- Separation of consumer and provider: the consumer needs governance around its workloads; evidence from the provider around its infrastructure compliance
  - How do I address data governance, privacy, etc.?
  - How do we account for change? (Loss of service)
[Diagram: three vSphere hosts each running PCI CDE workloads flagged with "!"; compliance cycle: Capture Changes → Assess → Report → Remediate]

Slide 8: What is the Industry saying about Cloud Security & Compliance
- "Survey finds most providers don't protect data, because they don't think it's their job" (Identity Week, IT security & news)
- "70% of Cloud Providers don't believe that Security is a core responsibility" (Ponemon 2010) http://gcn.com/articles/2011/05/06/cloud-security-vendors-do-not-care.aspx
- "A Wall Street Journal article by Ben Rooney reported that the majority of cloud service providers do not consider security as one of their most important responsibilities"

Slide 9: Traditional Security Solutions: Complex, Expensive and Rigid
[Diagram: App Stack A, App Stack B and App Stack C, each with its own Backup, DR, Availability and Resource Management; separate VPN, Load balancer, Firewall and Management components]

Slide 10: Agenda (repeated): Challenges in Cloud Adoption; VMware Trusted Cloud Solutions; VMware Trusted Cloud Ecosystem; VMware Center for Policy & Compliance; Key Takeaways; Q&A

Slide 11: VMware's Approach to Trusted Cloud
"A Trusted Cloud provides enhanced reliability through enforcement of mandatory constraints, defined by policy and validated by regular audits."
- Move assets with confidence
- Assessment, Prevention, Detection
- VMware's Trusted vCloud: VMware vShield and vCenter Configuration Manager

Slide 12: Key Attributes of VMware Trusted vCloud
The three attributes are Prevention, Detection and Assessment:
- Containment and isolation of portions of a whole (Data, Applications, Systems) for their protection
- Risk reduction through review of application, network, storage data and servers based on business goals
- Compliance from demonstration of adherence to a policy, standard or regulatory requirement

Slide 13: VMware's Virtualized Security and Compliance Solutions
[Diagram: App Stack A, B and C on vSphere, with Management, VPN, Load balancer and Firewall delivered as virtualized services; example guests: Exchange, File/Print and SAP ERP, each on its own Operating System]

Slide 14: Continuous Compliance for Business Critical Applications
- Discover sensitive data
- Map application environment
- Create logical trust zones
- Ensure VMs are configured to compliance templates
- Insert partner security services on demand
- Automated & self-healing

Slide 15: Attaining PCI Compliance – CDE Scope Discovery
What VMs need to be considered in my PCI environment?
- Use vSDS to scan environment
- VMs with credit card data are reported
- Create CDE and Non-CDE
[Diagram: VMs flagged with "!" where card data was found, sorted into CDE and Non-CDE]

Slide 16: Attaining PCI Compliance – CDE Scope – Finding Connections
- Need to consider the connections
- Leverage VIN to find application connectivity
- These VMs need to be considered in your CDE
[Diagram: CDE and Non-CDE groups with flagged VMs and one VM marked "?"]

Slide 17: Attaining PCI Compliance – CDE Scope Enforcement
- Create isolated CDE network with Layer 2 isolation without using VLANs
- Define stateful firewall rules for interaction with CDE
- Micro-segmentation based on VIN discovered connections
vShield App PCI Security Group (strict; the other security groups are more lenient):
Src     | Dest        | Protocol    | Action
Payment | CDE DB      | (not shown) | Allow
CDE     | Outside CDE | Any         | Deny
Any     | (any)       | (any)       | Deny
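The rule table above is a default-deny policy with a single permitted micro-segment. The following is an added example (not VMware or vShield code) that evaluates such a security-group policy against sample flows, so the effect of the table can be checked before enforcement. Group names, address ranges and the flow records are constructed; the slide does not give a protocol or port for the Payment → CDE DB rule, so tcp/5432 is assumed here; rules are evaluated first-match-wins.

```python
"""Added example (not VMware or vShield code): evaluate a default-deny,
security-group firewall policy of the kind slide 17 sketches for a PCI CDE.
Group names, address ranges and the flow records are constructed for the
example; the port for the Payment -> CDE DB rule is not on the slide and
tcp/5432 is assumed.  Rules are evaluated first-match-wins."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Security groups as sets of CIDR blocks (constructed addresses).
GROUPS = {
    "Payment": [ipaddress.ip_network("10.1.1.0/24")],
    "CDE DB": [ipaddress.ip_network("10.1.2.0/24")],
    "CDE": [ipaddress.ip_network("10.1.0.0/16")],   # the whole cardholder data environment
}

@dataclass(frozen=True)
class Rule:
    src: str              # group name or "Any"
    dst: str              # group name, "Any" or "Outside CDE"
    proto: str            # "tcp", "udp" or "Any"
    dport: Optional[int]  # None = any destination port
    action: str           # "Allow" or "Deny"

# The slide's PCI Security Group, strict: one micro-segment allowed, everything else denied.
PCI_POLICY = [
    Rule("Payment", "CDE DB", "tcp", 5432, "Allow"),
    Rule("CDE", "Outside CDE", "Any", None, "Deny"),
    Rule("Any", "Any", "Any", None, "Deny"),
]

def in_group(ip: str, group: str) -> bool:
    addr = ipaddress.ip_address(ip)
    if group == "Any":
        return True
    if group == "Outside CDE":
        return not any(addr in net for net in GROUPS["CDE"])
    return any(addr in net for net in GROUPS[group])

def evaluate(policy, src_ip, dst_ip, proto, dport) -> str:
    """First matching rule wins; no match at all also denies."""
    for rule in policy:
        if not (in_group(src_ip, rule.src) and in_group(dst_ip, rule.dst)):
            continue
        if rule.proto != "Any" and rule.proto != proto:
            continue
        if rule.dport is not None and rule.dport != dport:
            continue
        return rule.action
    return "Deny"

def denied_flows(policy, flows):
    """Flows (e.g. VIN-discovered connectivity) that the policy would block;
    review these before enforcement so a real dependency is not cut."""
    return [f for f in flows if evaluate(policy, *f) == "Deny"]

# Constructed flow records: (src_ip, dst_ip, proto, dst_port)
SAMPLE_FLOWS = [
    ("10.1.1.10", "10.1.2.5", "tcp", 5432),     # payment app -> CDE DB on the DB port
    ("10.1.2.5", "192.168.50.9", "tcp", 445),   # CDE DB reaching outside the CDE
    ("10.1.1.10", "10.1.2.5", "tcp", 22),       # payment app -> CDE DB on a port not allowed
    ("172.16.3.3", "10.1.2.5", "tcp", 5432),    # non-CDE host -> CDE DB
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        print(flow, "->", evaluate(PCI_POLICY, *flow))
```

Running `denied_flows` over the connectivity that VIN discovered (slide 16) before the policy is switched on is the useful check: every denied flow is either an application dependency the rule set must still allow, or a connection that should not exist and is worth investigating.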

Slide 18: Attaining PCI Compliance – CDE Scope Compliance
- Leverage out-of-the-box PCI 2.0 compliance templates
- Place CDE resources into PCI Compliance Machine Group
- Collect/assess/report/remediate
- "Rinse and repeat"
[Diagram: CDE and Non-CDE groups; the VCM PCI Compliance Group runs the Capture Changes → Assess → Report → Remediate cycle against the PCI 2.0 VCM templates (PCI DSS 2.0, with some tweaks)]

Slide 19: Attaining PCI Compliance – Automating Continuous PCI Compliance
- Scan environment to validate boundaries of PCI CDE (assumed CDE vs. assumed Non-CDE)
- VMs with credit card data are figuratively moved to a temporary holding area
- VMs are automatically associated with a more strict vApp Security Group
- VMs automatically added to VCM PCI Compliance Group
- Based on compliance results determine next action:
  - Remove CDE data from VM and place back into Non-CDE
  - VM is compliant, officially move to CDE
  - Remediate and move to CDE
- "Rinse and repeat"
[Diagram: flagged VMs moving from Assumed Non-CDE into a CDE Holding Area covered by the VCM PCI Compliance Group and the vShield App PCI Monitoring Security Group]
This solution can be used for ANY compliance standard!
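The slide describes a loop: discover card data, hold the VM, assess it, then apply one of three outcomes. Below is an added example (not VMware's vSDS or VCM code) that runs that loop in miniature over a constructed inventory, using a regex plus Luhn check as the discovery step. VM names, file contents and control ids are constructed; the "needs manual remediation" branch for controls that cannot be auto-fixed is an assumption the slide does not spell out.

```python
"""Added example (not VMware's vSDS or VCM code): a miniature of the
continuous-compliance loop on slide 19.  Each VM's content is scanned for
card-number-like data, hits are parked in a holding group, assessed against
a checklist, and then one of the slide's three outcomes is applied: strip the
data and return the VM to Non-CDE, move it to the CDE as-is, or remediate
first and then move it.  VM names, file contents, control ids and the
"manual remediation" branch are constructed assumptions for the example."""
import re
from dataclasses import dataclass, field

# 13-19 digits with optional single space/hyphen separators, not inside a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed checklist: control id -> can it be auto-remediated (VCM-style)?
CONTROLS = {
    "pci-2.2-hardening": True,
    "pci-8.2-password-policy": True,
    "pci-3.4-pan-encrypted-at-rest": False,
}

def luhn_ok(digits: str) -> bool:
    """Luhn checksum; weeds out most random digit runs that are not card numbers."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def _is_pan(match_text: str) -> bool:
    digits = re.sub(r"[ -]", "", match_text)
    return 13 <= len(digits) <= 19 and luhn_ok(digits)

def find_pans(text: str) -> list:
    """Return the digit strings of Luhn-valid card-number candidates in text."""
    return [re.sub(r"[ -]", "", m.group()) for m in PAN_CANDIDATE.finditer(text)
            if _is_pan(m.group())]

def redact_pans(text: str) -> str:
    """Replace only the Luhn-valid candidates, leaving other long numbers alone."""
    return PAN_CANDIDATE.sub(lambda m: "[PAN REMOVED]" if _is_pan(m.group()) else m.group(), text)

@dataclass
class VM:
    name: str
    group: str                       # "Non-CDE", "CDE Holding Area" or "CDE"
    content: str                     # stand-in for the data the scanner reads
    needs_pan: bool = False          # does this VM's business function need card data?
    failed_controls: list = field(default_factory=list)
    actions: list = field(default_factory=list)

def scan_and_hold(vms):
    """Slide steps 1-4: VMs with card data leave Non-CDE for the holding area."""
    for vm in vms:
        if vm.group == "Non-CDE" and find_pans(vm.content):
            vm.group = "CDE Holding Area"
            vm.actions.append("card data found; moved to holding area")

def decide(vm: VM) -> str:
    """Slide step 5: next action for a VM in the holding area."""
    if vm.group != "CDE Holding Area":
        return vm.group
    if not vm.needs_pan:
        vm.content = redact_pans(vm.content)
        vm.group = "Non-CDE"
        vm.actions.append("card data removed; returned to Non-CDE")
    elif not vm.failed_controls:
        vm.group = "CDE"
        vm.actions.append("compliant; moved to CDE")
    elif all(CONTROLS.get(c, False) for c in vm.failed_controls):
        vm.actions.append("auto-remediated " + ", ".join(vm.failed_controls))
        vm.failed_controls = []
        vm.group = "CDE"
        vm.actions.append("remediated; moved to CDE")
    else:
        vm.actions.append("needs manual remediation; stays in holding area")
    return vm.group

def run_cycle(vms) -> dict:
    """One 'rinse and repeat' pass; returns each VM's resulting group."""
    scan_and_hold(vms)
    return {vm.name: decide(vm) for vm in vms}

# Constructed inventory; 4111111111111111 is a well-known Luhn-valid test number.
SAMPLE_VMS = [
    VM("web-01", "Non-CDE", "order 2024-000123 shipped to customer 7788"),
    VM("batch-02", "Non-CDE", "settle 4111 1111 1111 1111 amount 19.99", True, ["pci-2.2-hardening"]),
    VM("report-03", "Non-CDE", "export row: 4111111111111111,approved", False),
    VM("legacy-04", "Non-CDE", "pan=4111-1111-1111-1111", True, ["pci-3.4-pan-encrypted-at-rest"]),
]

if __name__ == "__main__":
    for name, group in run_cycle(SAMPLE_VMS).items():
        print(name, "->", group)
```

The Luhn check matters in the discovery step: a bare digit-run regex flags order numbers, phone numbers and timestamps, and every false positive drags a VM into the holding area and the stricter security group. Running the cycle repeatedly is what the slide calls "rinse and repeat"; a VM left in the holding area is the signal for manual follow-up.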

Slide 20: PCI 2.0 Automation

Slide 21: The VMware Difference – Better than Physical
- Automated and self-healing security and compliance
- Trust zones
- Power of cloud infrastructure automation

Slide 22: SCAP in Virtualization & Cloud

Slide 23: Virtualization Security Use Case – Open Virtualization Format (OVF) Patch Management Scenario
- VA scan across 1,000 servers for patch level: 512 returned with missing security patches
- Actual: 640, a differential of (128)
- 120 systems were virtual powered-down machines
- For the virtual systems the OVF envelope was leveraged for: last boot time; hypervisor it was running on; current patch levels
- Virtual systems offer more security information and control than a physical system, which is "dark" when it is powered down
- Moving VMs: easily identified and can be moved for maintenance or containment before powering on, spanning time zones
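The scenario's point is that powered-off VMs vanish from a live scan but still carry metadata in their OVF envelope. Below is an added example (not VMware code) that reads that metadata and folds it into a live scan's results so the dark machines still appear in the patch report. The `ProductSection`/`Property ovf:key ovf:value` elements are standard OVF; the property keys (`last_boot_time`, `hypervisor`, `patch_level`), the VM names, the baseline and the scan results are constructed for the example.

```python
"""Added example (not VMware code): pull inventory metadata out of an OVF
envelope for powered-off VMs and fold it into a live vulnerability-assessment
(VA) scan, so machines that were "dark" during the scan still show up in the
patch report.  ProductSection/Property with ovf:key and ovf:value is standard
OVF; the keys used (last_boot_time, hypervisor, patch_level), the VM names,
the baseline and the scan results are constructed for this example."""
import xml.etree.ElementTree as ET  # for OVF files from untrusted sources, parse with defusedxml instead

OVF = "http://schemas.dmtf.org/ovf/envelope/1"
NS = {"ovf": OVF}

# Constructed OVF envelope for one exported, powered-off VM.
SAMPLE_OVF = """<Envelope xmlns="http://schemas.dmtf.org/ovf/envelope/1"
          xmlns:ovf="http://schemas.dmtf.org/ovf/envelope/1">
  <VirtualSystem ovf:id="pay-batch-07">
    <Info>A virtual machine</Info>
    <Name>pay-batch-07</Name>
    <ProductSection>
      <Info>Inventory metadata recorded at export time (constructed keys)</Info>
      <Property ovf:key="last_boot_time" ovf:value="2011-03-18T02:14:00Z"/>
      <Property ovf:key="hypervisor" ovf:value="esx-host-12"/>
      <Property ovf:key="patch_level" ovf:value="2011-02"/>
    </ProductSection>
  </VirtualSystem>
</Envelope>
"""

def parse_ovf(xml_text: str) -> dict:
    """Map each VirtualSystem id to its ProductSection properties."""
    root = ET.fromstring(xml_text)
    systems = {}
    for vs in root.findall("ovf:VirtualSystem", NS):
        props = {}
        for prop in vs.findall("ovf:ProductSection/ovf:Property", NS):
            props[prop.get(f"{{{OVF}}}key")] = prop.get(f"{{{OVF}}}value")
        systems[vs.get(f"{{{OVF}}}id")] = props
    return systems

# Constructed: the patch level every server should be at, written as YYYY-MM
# so that plain string comparison orders patch levels correctly.
BASELINE = "2011-03"

# Constructed live VA scan: only machines that answered the scanner.
LIVE_SCAN = {
    "web-01": {"patch_level": "2011-03"},
    "db-03": {"patch_level": "2011-01"},
}

def reconcile(live_scan: dict, ovf_docs: list, baseline: str) -> dict:
    """Merge live results with OVF metadata of VMs the scanner could not reach.
    Returns {vm_name: {"state", "missing_patches", "hypervisor"}}."""
    report = {}
    for vm, info in live_scan.items():
        report[vm] = {"state": "powered-on",
                      "missing_patches": info["patch_level"] < baseline,
                      "hypervisor": None}
    for doc in ovf_docs:
        for vm, props in parse_ovf(doc).items():
            if vm in report:          # a VM the live scan already covered wins
                continue
            # An envelope without a patch level is treated as unpatched (conservative).
            report[vm] = {"state": "powered-off",
                          "missing_patches": props.get("patch_level", "") < baseline,
                          "hypervisor": props.get("hypervisor")}
    return report

def patch_before_power_on(report: dict) -> list:
    """Powered-off VMs that must be patched (or contained) before they are started."""
    return sorted(vm for vm, r in report.items()
                  if r["state"] == "powered-off" and r["missing_patches"])

if __name__ == "__main__":
    full = reconcile(LIVE_SCAN, [SAMPLE_OVF], BASELINE)
    for vm, r in full.items():
        print(vm, r)
    print("patch before power-on:", patch_before_power_on(full))
```

The `patch_before_power_on` list is the operational output the slide hints at: those VMs can be moved into a maintenance or containment group while still off, which is the control a physical box that is "dark" does not offer.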

Slide 24: VCM-VSM Integration Use Cases
1. Service Desk: Discover Windows and UNIX servers and desktops from VCM into the VSM CMDB so service desk users can classify incidents against them.
2. Asset Management: Discover installed Windows and UNIX software and their relationships with servers and desktops into the CMDB. Compare discovered software with the software license inventory to produce discrepancy reports.
3. Change Management:
  - When a change is initiated from VCM, automatically initiate a Request for Change (RFC) workflow in VSM, passing it the impacted servers/desktops. Once the Change Manager examines the impact, the RFC workflow in VSM can call back to VCM to either approve or deny the change as appropriate.
  - Track unplanned changes from within VSM

Slide 25: Closed Loop Change Management
Cloud requires a higher level of change governance but with fewer bottlenecks.
Elements of change in the cloud:
- Rapid rate of change
- Remove process bottlenecks
- Provide discrepancy reports
- Enforce IT governance
- Discover out-of-band change

Slide 26: Closed Loop Change Management – Enforce PCI Compliance
Workflow: RFC automatically created in VSM → VSM workflow and tasks initiated → Review and approve → Approval received & job started → Job completed → RFC updated
- Faster IT responsiveness
- Fewer instances of human error
- Increased productivity

Slide 27: Agenda (repeated): Challenges in Cloud Adoption; VMware Trusted Cloud Solutions; VMware Trusted Cloud Ecosystem; VMware Center for Policy & Compliance; Key Takeaways; Q&A

Slide 28: Trusted vCloud Requirements
[Matrix of requirements across End User Computing, Cloud and Applications]
VMware solution areas: Network Security, Vulnerability Management, Data Security, Configuration Management, White Listing, Config & Log Management, Identity Management, End Point Security, Authorization
Regulations by vertical:
- Healthcare: HIPAA, HITECH, HITRUST, FDA
- Government: NIST, FISMA, FDCC, DISA
- Finance: SOX, PCI DSS, Basel, GLBA
- Energy: FERC, ISO, NERC CIP, CIS
Products mapped to the solution areas: Horizon, vShield, Horizon & VIEW, vShield + 3rd party, VCM, 3rd party, vShield + NCM, VCM + Envision, 3rd party

Slide 29: Extending VMware Trusted vCloud Components to a Partner Ecosystem
[Diagram: Audit/Advisory Partners, GRC, Cloud Compliance Technology and Vendor Alliances surrounding the VMware Solutions: Infrastructure & Operations Management, Application Management, End-User Computing Management]

Slide 30: Key Elements of an Operational Trusted Cloud
- Provider: select partners that have baked-in Security & Continuous Compliance offerings that are cost-effective, with a good understanding of your business
- Trusted Platform: ensure that your provider is using a Trusted Platform and can deliver a process that accounts for change control, log information and configuration audit checks
- Integration Framework: leverage some of your existing tools and applications; work with the provider to build a trusted ecosystem of vendors and auditors
- Evidence-based Validation of Audit Data: Governance, a Compliance Framework (GRC)
  - SSAE 16 / SOC 2 – Service Oriented Control
  - Regulatory guidelines: PCI, HIPAA, BASEL III, SOC
  - Segmentation of assets, IP
  - Data protection (continuous discovery and monitoring)

Slide 31: Sample – Locking down Virtualized Environments
- Authentication: restricting admin/root access
- Communication/Networking: making sure the network is segmented properly
- Leak prevention: guest from host; guest to guest
- Configuration/Patching: changing the root password (90 days); patching the host

Slide 32: Sample – Questions to ask your QSA
- Industry knowledge: Have you successfully taken a virtual environment through a PCI certification? Submitted a ROC (Report On Compliance) to the Council?
- Scope: Does your virtual environment require you to put everything in scope? What would they (the QSA) do to reduce scope?
- Segmentation: What does it mean to segment in a virtual environment? Firewall, IDS, IPS (stateful or stateless)

Slide 33: Authoritative Sources in the Compliance Industry
- NIST – The National Institute of Standards and Technology: free guidance; has been researching Cloud Computing since the early 2000s
  - Definition of Cloud Computing (SP 800-145)
  - Cloud Computing Reference Architecture (SP 500-292)
  - Guidelines on Security and Privacy in Public Cloud Computing (SP 800-144)
- CSA – Cloud Security Alliance: membership based (CCSK – Certificate of Cloud Security Knowledge)
  - Security Guidance for Critical Areas of Focus in Cloud Computing: 14 domains, #13 covers Virtualization
  - Cloud Control Matrix (CCM v1.2)
  - Consensus Assessments Initiative Questionnaire (CSA – CAI)
  - CTP – Cloud Trust Protocol (24 Elements of Trust, 4th Pillar of GRC)
- DISA – Defense Information System Agency: not much in Cloud Computing; vSphere STIG

Slide 34: Cloud Grading on Levels of Trust

Slide 35: Cloud Security Comparison Grid

Slide 36: Agenda (repeated): Challenges in Cloud Adoption; VMware Trusted Cloud Solutions; VMware Trusted Cloud Ecosystem; VMware Center for Policy & Compliance; Key Takeaways; Q&A

Slide 37: VMware Center for Policy & Compliance
- The Center for Policy & Compliance (CP&C) is a dedicated group comprised of security and compliance policy experts, analysts and technical specialists chartered to research and develop compliance solutions for cloud computing environments
- Current staff includes team members that average over 18 years of experience and hold numerous certifications such as CISSP, CCNA, ITIL, MCSE, MCDBA and, of course, VCP
- CP&C has a global presence and frequently meets with customers, auditors and analysts to provide guidance & thought leadership in PCI, Healthcare and Trusted Cloud environments

Slide 38: CP&C Business Objectives
- Support migration of highly regulated workloads to the vCloud Infrastructure family
  - Create and support content and hardening guidelines for vSphere, vCenter, vShield, vCD, VIEW
  - Compile Deployment Information Guides (DIGs) on how to deploy the vSphere stack to support highly regulated workloads, e.g. PCI
  - Set foundation and high-level reference architecture for Trusted Cloud
- Provide coverage of common regulatory, industry and vendor policies
  - Address the Healthcare vertical first as it's highly regulated
  - Will naturally provide coverage for other verticals (Finance, Federal)
  - Build a partner ecosystem for Trusted Cloud (RSA, EMC…)
- Drive industry thought leadership
  - Evangelize VMware's compliance strategy
  - Align and influence compliance industry initiatives and bodies like CSA, CTP
  - Continued market education – QSAs, analysts, customers and partners

Slide 39: Real World Examples – Healthcare Related Breaches
(1) NHS: http://www.thesun.co.uk/sol/homepage/news/3637704/Missing-Laptop-with-86million-medical-records.html
"The computer vanished from an NHS building in the biggest-ever security breach of its kind. […] A LAPTOP holding the medical records of eight MILLION patients has gone missing. […] The unencrypted laptop contains sensitive details of 8.63 million people plus records of 18 million hospital visits, operations and procedures."

Slide 40: HIPAA Bares Its Teeth!!!!!
- Feb 2011 – A Maryland health care provider was fined $4.3 m for violations of the HIPAA Privacy Rule, the first monetary fine issued since the Act was passed in 1996.
- Also in February, Massachusetts General Hospital was fined $1 million to settle HIPAA violations following the loss of customers' medical data.
- July 2011 – University of California at Los Angeles Health Services (UCLAHS) agreed to pay $865,000 for breaking the Health Insurance Portability and Accountability Act (HIPAA). According to a press release on the HHS site, the settlement stems from two claims that unauthorized employees accessed records of celebrities that received care at UCLAHS.

Slide 41: Agenda (repeated): Challenges in Cloud Adoption; VMware Trusted Cloud Solutions; VMware Trusted Cloud Ecosystem; VMware Center for Policy & Compliance; Key Takeaways; Q&A

Slide 42: Where Does VMware Fit?
- Cloud Infrastructure Suite – Trusted Platform: vSphere, vCloud Director, vCenter
- vShield – Enable security controls: securing the perimeter, segmenting applications, data discovery and protection
- vCM – Continuous compliance: adherence to regulatory guidelines, out-of-the-box benchmarks, auto-remediate non-compliant results
- VIN & VCO – Cloud framework, application relationships

Slide 43: Call to Action and Key Takeaways
- Further education and TCO: Solutions Demo http://info.vmware.com/content/VCMSolutionsDemo
- *NEW* VMware/Forrester vCM ROI https://www.gosavo.com/vmware/Document/Document.aspx?id=2222106&view=Preview
- Leverage CP&C with auditors (QSA): mixed mode environments, Trusted Cloud architecture & partner ecosystem
- More security & compliance information:
  - Mastermind Series http://info.vmware.com/content/13090_VirtMng_NA_Security_ITCompliance?src=SALES-NPD&elq=&xyz
  - VMware Security Blog http://blogs.vmware.com/security/
  - Free Compliance Checkers http://communities.vmware.com/community/vmtn/vsphere/compliance-checker

Slide 44: Enterprise Hybrid Cloud Requirements – Best of Both Worlds
- Agility with reliable performance: on-demand provisioning of virtual servers; fast scale-up at reasonable cost; predictable, consistent SLAs
- Application portability: compatible with existing workloads; globally consistent service across providers
- Security & compliance: secure & auditable cloud infrastructure; secure apps and user access

Slide 45: What To Expect From ITBM
- Transition from managing technology to managing services
- Expose the cost and value of IT & compliance to your entire organization
- Understand the impact of business demand and change
- Identify where money-saving opportunities exist
- Communicate and improve quality of service
- Manage the relationships with your customers and external vendors
[Cycle: Find Opportunities (identify cost savings opportunities); Track Savings (track cost savings); Analyze Costs (analyze existing IT costs); Make Changes (implement cost optimization strategies)]

Slide 46: Agenda (repeated): Challenges in Cloud Adoption; VMware Trusted Cloud Solutions; VMware Trusted Cloud Ecosystem; VMware Center for Policy & Compliance; Key Takeaways; Q&A

Slide 47: Questions

Slide 48: Network Security
- Unified Threat Management (via Astaro acquisition)
- Enterprise Firewalls
- Intrusion Prevention & Detection
- Secure Web Gateways

Slide 49: Network Security (cont.)
- Web Application Firewalls
- Database Activity Monitoring
- Firewall Rule Analysis & Management
- Application Control (Whitelisting)

Slide 50: Configuration and Change Mgmt., Identity Mgmt., Data Security, Compliance
- Data Security: Data Loss Prevention; Encryption & Key Mgmt.
- Configuration & Change Management
- Identity & Access Management
[Vendor logos with figures shown: $41M funding, $10M revenue; $45M funding, $30M revenue]

Slide 51: Configuration and Change Mgmt., Identity Mgmt., Data Security, Compliance (cont.)
- Governance, Risk Management, Compliance
- Vulnerability Assessment & Management
- Operational Log Management
- Enterprise Security Information Management (Gartner taxonomy: ESIM = SIEM + OLM)
- Security Information & Event Monitoring

Slide 52: Network Management ($150M run rate)
- Network Configuration Management
- DDI (DNS, DHCP, IPAM)
- Network Access Controller
- Endpoint Security

