Architecting and Building a Secure and Compliant Virtual Infrastructure and Private Cloud Rob Randell, CISSP, CCSK Principal Systems Engineer – Security.

Presentation transcript:

Architecting and Building a Secure and Compliant Virtual Infrastructure and Private Cloud Rob Randell, CISSP, CCSK Principal Systems Engineer – Security Specialist

Agenda
- Security Perspective on Customer Journey to the Cloud
- Whiteboard Overview of How Virtualization and Cloud Affect Datacenter Security
- How to Secure our Cloud and Make it Compliant
- Network Security and Secure Multi-tenancy in the Cloud

Security Perspective On Customer Deployment Architectures
- Physical deployments are still considered to be most secure and remain in all enterprises
- Air gapped pods are preferred by security teams for virtualized high risk assets (SOX, PCI, DMZ)
- Mixed trust clusters typically have the M&M security model, blocking important asset migration to them
- Private cloud is an extension of the mixed trust deployment, with more automation and self service
- Dedicated Private Cloud SLAs make it virtually the same risk level as the on-premise deployments
- Multi-tenant Public Cloud is just emerging, with concerns around visibility, audit, control and compliance
Diagram (deployment spectrum): Physical; Air Gapped Pods; Mixed Trust Clusters; On-Premise Private Cloud; Dedicated Private "Cloud" (eBay, CSC); Public Multi-Tenant Cloud (Terremark, EC2)

The Datacenter needs to be secured at different levels
Perimeter Security: keep the bad guys out
- Perimeter security device(s) at the edge
- Firewall, VPN, Intrusion Prevention
- Load balancers
Internal Security
- Segmentation of applications, servers
- VLAN or subnet based policies
- Interior or Web application Firewalls
- DLP, application identity aware policies
End Point Security (End Point Protection)
- Desktop AV agents, Host based intrusion
- DLP agents for privacy
Cost & Complexity at the vDC Edge
- Sprawl: hardware, FW rules, VLANs
- Rigid FW rules
- Performance bottlenecks

Simple Definition of a Virtual Datacenter
The isolated and secured share of a virtualized multitenant environment. Just as a physical datacenter shares the Internet for interconnectivity, the tenants of a cloud (public or private) share the local network within the private datacenter or in the service provider's network; and, also like a physical datacenter, each tenant has its own private, isolated, and secured virtual networking infrastructure.
Diagram: Tenant 1, Tenant 2, Tenant ... each with its own DMZ, App1 and App2

Securing virtual Data Centers (vDC) with legacy security solutions
Legacy security solutions do not allow the realization of true virtualization and cloud benefits:
- Air Gapped Pods with dedicated physical hardware
- Mixed trust clusters without internal security segmentation
- Configuration Complexity: VLAN sprawl; Firewall rules sprawl; Rigid network IP rules without resource context
- Private clouds (?)
Diagram: virtualized DMZ with firewalls between the Internet and the Web Zone, Application Zone and Database Zone on vSphere, with Perimeter Security, Internal Security and Endpoint Security layers

Platform Security

Secure the Underlying Platform FIRST
Use the Principles of Information Security:
- Hardening and Lockdown
- Defense in Depth
- Authorization, Authentication, and Accounting to enforce Separation of Duties and Least Privileges
- Administrative Controls
For virtualization this means:
- Harden the Virtualization layer
- Set up Access Controls
- Secure the Guests
- Leverage Virtualization Specific Administrative Controls
What Auditors Want to See:
- Network Controls
- Change Control and Configuration Management
- Access Controls & Management
- Vulnerability Management

Protection of Management Interfaces is Key
- Segment out all non-production networks: use VLAN tagging, or use a separate vSwitch (see diagram)
- Strictly control access to the management network, e.g. RDP to a jump box, or VPN through a firewall
Diagram: vSwitch1 carries the Production network (VM vnics) on its own vmnic; vSwitch2 carries the VMkernel Mgmt and Storage traffic on separate vmnics, reaching vCenter and the other ESX/ESXi hosts over the Mgmt Network and IP-based Storage over the storage network
Source: VMware vSphere 4 Hardening Guidelines
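As an added illustration of the segmentation rule on this slide (not code from the presentation or from VMware): a small audit over a constructed host inventory that flags any VMkernel port group sharing both a vSwitch and a VLAN tag with a VM network, i.e. one separated by neither of the two methods named above. Host names, port group names and the inventory shape are assumptions.

```python
"""Audit ESXi port groups for management/production co-mingling.

Added example with a constructed inventory (not VMware code): a VMkernel
port group (Mgmt, Storage) counts as segmented from VM networks if it
sits on a different vSwitch OR carries a different VLAN tag. Sharing both
means management traffic rides the production broadcast domain.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class PortGroup:
    name: str
    vswitch: str
    vlan: int               # 0 = untagged (native VLAN)
    vmkernel: bool = False  # True for VMkernel ports (Mgmt, Storage, vMotion)


# Constructed inventory. esx-a follows the slide (VMkernel ports on their
# own vSwitch2); esx-b drops the Mgmt VMkernel port onto the production
# vSwitch1 untagged, which is the misconfiguration we want to catch.
HOSTS = {
    "esx-a": [
        PortGroup("Production", "vSwitch1", 0),
        PortGroup("Mgmt", "vSwitch2", 0, vmkernel=True),
        PortGroup("Storage", "vSwitch2", 0, vmkernel=True),
    ],
    "esx-b": [
        PortGroup("Production", "vSwitch1", 0),
        PortGroup("Mgmt", "vSwitch1", 0, vmkernel=True),
        PortGroup("Storage", "vSwitch1", 20, vmkernel=True),  # tagged: OK
    ],
}


def find_violations(hosts):
    """Return (host, vmkernel_pg, vm_pg) for every VMkernel/VM port group
    pair that shares a vSwitch and carries the same VLAN tag."""
    findings = []
    for host, groups in hosts.items():
        vmk = [g for g in groups if g.vmkernel]
        vm_nets = [g for g in groups if not g.vmkernel]
        for k in vmk:
            for v in vm_nets:
                if k.vswitch == v.vswitch and k.vlan == v.vlan:
                    findings.append((host, k.name, v.name))
    return findings


if __name__ == "__main__":
    for host, k, v in find_violations(HOSTS):
        print(f"{host}: VMkernel '{k}' shares vSwitch and VLAN with VM network '{v}'")
```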

Separation of Duties Must Be Enforced
Diagram (role hierarchy, more power at the top, less power at the bottom): Super Cloud Admin; Cloud Networking Admin, Cloud Server Admin, Cloud Storage Admin; Tenant A Admin, Tenant B Admin, Tenant C Admin; a VM Admin under each tenant

Air Gapped Design – Costly and Inefficient
Diagram: Company X, Company Y and Company Z each have a dedicated stack of Firewall, Load Balancer, L2-L3 Switch, access Switch and vSphere, hanging off the Aggregation and Access layers to the Internet, with a VPN Gateway for Remote Access

Multi-tenancy – Physical Firewall and VLAN
Diagram: Company X, Company Y and Company Z share one VMware vSphere + vShield environment behind an L2-L3 Switch and the Access-Aggregation layer to the Internet; each company gets its own port group on the vDS/vSS (PG-X on VLAN 1000, PG-Y on VLAN 1001, PG-Z on VLAN 1002), and those VLANs are carried over the virtual-to-external switch links to the physical Firewalls
Legend: Port group to VM links; Virtual to Ext. Switch links; Firewalls

Multi-tenancy Virtualization Aware
Diagram: Company X, Company Y and Company Z VMs sit on port groups PG-X, PG-Y and PG-Z, all on the Infrastructure VLAN (VLAN 1000), inside one VMware vSphere + vShield environment; a vShield Edge VM joins the Internal Company Links to the External Uplink port group PG-C on the Provider VLAN (VLAN 100), which runs over the vDS to the external L2-L3 Switch and the Access-Aggregation layer to the Internet; traffic flows between companies are marked as not allowed
Legend: PG-C External uplink port group; Internal Company Links; External Up Link; vDS to Ext. Switch links; Traffic flow not allowed

Enforce Microsegmentation Inside the vDC
- Protect applications against Network Based Threats
- Application-Aware Full Stateful Packet Inspection FW
- Control on per-VM/per vNIC level
- See VM-VM traffic within the same host
- Security groups enforced with VM movement
Diagram: VMware vSphere + vCenter with ESX Hardening, Cluster A and Cluster B; Virtual Datacenter 1 (DISA & PCI) and Virtual Datacenter 2 (CIS & PCI), each with Web, App and Database tiers
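An added example of the last three bullets (constructed data, not vShield or NSX code): a firewall policy written against security groups rather than hosts or addresses, so the verdict is per VM, still applies to two VMs on the same host, and is unchanged when a VM moves to another host. Group names, VM names and the rule set are assumptions.

```python
"""Security-group firewall policy that follows the VM, not the host.

Added example with constructed data (not vShield or NSX code): rules are
written against security groups (Web, App, Database), membership is a
property of the VM, and the verdict never looks at host placement, so a
move between hosts cannot open or close a path, and two VMs on the same
host are still inspected.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class VM:
    name: str
    group: str   # security group / tier
    host: str    # ESX host the VM currently runs on


@dataclass(frozen=True)
class Rule:
    src: str     # source security group
    dst: str     # destination security group
    port: int
    allow: bool


# Constructed three-tier policy for one vDC: first match wins, default deny.
RULES = [
    Rule("Web", "App", 8080, True),
    Rule("App", "Database", 3306, True),
    Rule("Web", "Database", 3306, False),   # explicit deny for Web -> DB
]


def verdict(src: VM, dst: VM, port: int, rules=RULES) -> bool:
    """Per-VM/per-vNIC decision keyed on group membership only."""
    for r in rules:
        if r.src == src.group and r.dst == dst.group and r.port == port:
            return r.allow
    return False   # nothing matched: default deny


def migrate(vm: VM, new_host: str) -> VM:
    """vMotion-style move: only the host changes; the group sticks to the VM."""
    return replace(vm, host=new_host)


web = VM("web01", "Web", "esx-a")
app = VM("app01", "App", "esx-a")   # same host as web01: VM-VM traffic
db = VM("db01", "Database", "esx-b")

if __name__ == "__main__":
    print(verdict(web, app, 8080), verdict(web, db, 3306))
    print(verdict(migrate(web, "esx-b"), db, 3306))  # still denied after the move
```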

Offload Endpoint Based Security Functions with VM Introspection Techniques
- Improves performance and effectiveness of existing endpoint security solutions
- Offload Functions: AV; File Integrity Monitoring; Application Whitelisting

Virtualized Security and Edge Services
- Internal Security and Compliance: Micro-segmentation; Discover and report regulated data in the Datacenter and Cloud
- Endpoint Security: Efficient offload of endpoint based security into the cloud infrastructure, i.e. anti-virus and file integrity monitoring
- Edge/Perimeter Protection: Secure the edge of the virtual datacenter; Security and Edge networking services gateway
Attributes: Elastic, Logical, Efficient, Automated, Programmable; Security as a Service; Cloud Aware Security

Continuous and Automated Compliance
Ongoing Change and Compliance Management
- Understand Pervasive Change
- Capture in-band and out-of-band changes
- Are you still Compliant? Remediate Exceptions
- Fit within current enterprise change mgmt workflow process
Protect against vulnerabilities
- Hypervisor-based anti-virus provides superior protection
- Patch Management guards against known attacks
- Software provisioning tied to compliance
- Day to day vulnerability checks
Diagram (compliance lifecycle): a system Deployed from Gold Standard starts in the Compliant State; Planned Change and Unplanned Change move it between the Compliant State and the Noncompliant State; the exits from the Noncompliant State are Remediate (RFC Optional) and Mark as Exception
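An added worked example of the lifecycle on this slide (constructed settings, not a vendor product): observed configuration is diffed against a gold-standard baseline; drift matching an approved RFC is a planned, in-band change and re-baselines, drift an auditor has accepted is an exception, and anything else is an out-of-band change that leaves the system noncompliant until remediated. The setting keys, hostnames and RFC table are assumptions.

```python
"""Gold-standard drift check with planned vs. unplanned change handling.

Added example with constructed settings (not a vendor product): the
observed configuration is diffed against a gold-standard baseline; drift
that matches an approved RFC is a planned, in-band change and re-baselines;
drift accepted by an auditor is an exception; anything else is an
out-of-band change that leaves the system noncompliant until remediated.
"""

# Constructed gold standard for a hypervisor host (keys are illustrative).
GOLD = {
    "ssh.enabled": "false",
    "lockdown.mode": "normal",
    "ntp.server": "ntp1.example.internal",
    "syslog.remote": "loghost.example.internal",
}

# Constructed capture from the same host a week later.
OBSERVED = {
    "ssh.enabled": "true",                  # out-of-band: someone turned SSH on
    "lockdown.mode": "normal",
    "ntp.server": "ntp2.example.internal",  # in-band: changed via an approved RFC
    "syslog.remote": "loghost.example.internal",
}
APPROVED_RFCS = {"ntp.server": "ntp2.example.internal"}  # key -> approved value
EXCEPTIONS = set()                                        # keys accepted as-is


def detect_drift(baseline, observed):
    """{key: (expected, actual)} for every baseline setting that differs
    or is missing from the observed capture."""
    return {k: (v, observed.get(k)) for k, v in baseline.items()
            if observed.get(k) != v}


def assess(baseline, observed, approved_rfcs, exceptions):
    """Return (state, new_baseline, remediation_list)."""
    new_baseline = dict(baseline)
    remediate = []
    for key, (expected, actual) in detect_drift(baseline, observed).items():
        if approved_rfcs.get(key) == actual:
            new_baseline[key] = actual                 # planned: baseline follows the RFC
        elif key in exceptions:
            continue                                   # accepted deviation
        else:
            remediate.append((key, actual, expected))  # unplanned, out-of-band
    state = "compliant" if not remediate else "noncompliant"
    return state, new_baseline, remediate


if __name__ == "__main__":
    state, baseline, todo = assess(GOLD, OBSERVED, APPROVED_RFCS, EXCEPTIONS)
    print(state, todo)
```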

Conclusion
- The Cloud Has Great Benefits and, like any Technology, its Associated Risks
- These Risks Can Be Mitigated With Proper Controls
- The Classic Principles of Information Security Should Be Applied
- Key Architecture Decisions Must Be Made for Security
- Tools Designed for the Cloud Must Be Utilized

Questions? Rob Randell, CISSP, CCSK Principal Security and Compliance Specialist