© 2015 VMware Inc. All rights reserved. Software-Defined Data Center: Security for the new battlefield Rob Randell, CISSP Director/Principal Architect.

Presentation transcript:

Software-Defined Data Center: Security for the new battlefield
Rob Randell, CISSP, Director/Principal Architect, Security, NSBU
April 2015
© 2015 VMware Inc. All rights reserved.

Where are we today?
The only thing outpacing security spend… is security losses.
(Chart: IT spend, security spend and security breaches over time.)

What does our battlefield look like today?

The data center
IT stack: application layer on top of compute, storage and network.

Securing the data center
Security stack, layer by layer:
Network: FW, IDS/IPS, NGFW, WAF, AMP, UTM, DDoS
Storage: encryption, key management, tokenization
Compute: AV, HIPS, AMP, encryption, exec/device control
Identity controls: advanced authentication, SSO, authorization, user provisioning
App/database controls: vulnerability management, storage security, web services security, secure OS

Security policy
People, applications, data.

The changing battlefield
From a monolithic stack, to a multi-tiered distributed architecture, to composed services on converged infrastructure.

How do hackers take advantage of misalignment?

1. Prep
(1) Attack vector R&D; (2) human recon; (3) delivery mechanism.

2. Intrusion
(4) Compromise the primary entry point: strain A active, strain B dormant. (5) Install the command & control interface.

3. Escalate privileges
(6) Escalate privileges on the primary entry point (strain A active); install the C2 interface; wipe tracks. Lateral movement and recon follow.

4. Recovery
(9) Attack identified; response. The attacker wakes up and modifies the next dormant strain: strain B becomes active, strains C and D stay dormant, strain A remains active.

5. Act on intent & exfiltration
(10) Attack identified; (11) parcel & obfuscate; (12) exfiltration; (13) cleanup.

Modern attack: targeted, interactive, stealthy.
Why is it so difficult to move security controls inside the data center? An architectural challenge.
Today: perimeter-centric, focused on stopping infiltration, managing compliance. We lack the visibility and control to stop exfiltration.
Shift to: application- and user-centric, managing risk.

The impact of architecture
Distributed application architectures commingled on a common infrastructure create a hyper-connected compute base with little context of how to connect the two layers, resulting in massive misalignment:
1. Lateral movement
2. Commingled policy
3. Distributed policy
4. Chain alignment
5. Orchestration
6. Context

1. Lateral movement
Moving from asymmetric to symmetric concerns inside the data center: once an attacker holds an entry point behind the inside firewall, traffic between the composed services on converged infrastructure carries the same risk as traffic crossing the perimeter, and the path from entry point to data breach never touches the perimeter firewall again.

2. Commingled policy
Converged infrastructure means many firewall policies for many commingled applications. Between the perimeter firewall and the inside firewall, policy for multiple apps is mixed together and, for that reason, drifts out of alignment over time.

3. Distributed policy
Traversing the network could mean encountering 10,000+ policies: Firewall #1 with 100 rules, Firewall #2 with 700 rules, Firewall #3 with 900 rules, on the path from the perimeter firewall through the inside firewall to the composed services. Inconsistent policies create misalignment.

4. Chain alignment
Improper sequencing of controls leads to issues. (Diagram: the blue app and the green app each have their own chain of controls from the perimeter firewall through the inside firewall to composed services on converged infrastructure.)
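The three points above (commingled, distributed and mis-sequenced firewall policy) describe the problem without showing how to detect it. The following Python is an added example, not material from the original slides or any VMware code: it models an ordered chain of first-match firewalls, finds rules that can never fire because an earlier rule shadows them, and traces a flow hop by hop to show where the firewalls disagree. All rule sets, addresses and firewall names are constructed for illustration.

```python
# Added example (not from the original slides): analysing an ordered chain of
# first-match firewall policies for shadowed rules and cross-hop inconsistency.
# Rule sets, addresses and firewall names below are constructed for illustration.
from dataclasses import dataclass
import ipaddress

ANY_PORTS = (0, 65535)


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                 # "allow" or "deny"
    src: str                    # CIDR or "any"
    dst: str                    # CIDR or "any"
    proto: str                  # "tcp", "udp" or "any"
    ports: tuple = ANY_PORTS    # inclusive destination port range


def _net(cidr):
    return ipaddress.ip_network("0.0.0.0/0" if cidr == "any" else cidr, strict=False)


def matches(rule, src_ip, dst_ip, proto, port):
    """Does this single rule match the given flow?"""
    return (ipaddress.ip_address(src_ip) in _net(rule.src)
            and ipaddress.ip_address(dst_ip) in _net(rule.dst)
            and rule.proto in ("any", proto)
            and rule.ports[0] <= port <= rule.ports[1])


def covers(outer, inner):
    """True if every flow matched by `inner` is also matched by `outer`."""
    return (_net(inner.src).subnet_of(_net(outer.src))
            and _net(inner.dst).subnet_of(_net(outer.dst))
            and outer.proto in ("any", inner.proto)
            and outer.ports[0] <= inner.ports[0]
            and inner.ports[1] <= outer.ports[1])


def shadowed_rules(rules):
    """Rules that can never fire because an earlier rule covers them (first match wins).
    Returns [(shadowed_rule, shadowing_rule), ...] in policy order."""
    found = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, rule):
                found.append((rule.name, earlier.name))
                break
    return found


def decide(rules, src_ip, dst_ip, proto, port):
    """First-match evaluation of one firewall; implicit deny if nothing matches."""
    for rule in rules:
        if matches(rule, src_ip, dst_ip, proto, port):
            return rule.action, rule.name
    return "deny", "implicit-deny"


def trace(chain, src_ip, dst_ip, proto, port):
    """Evaluate a flow hop by hop along an ordered chain of (firewall, rules).
    The end-to-end verdict is allow only if every hop allows."""
    hops = [(fw,) + decide(rules, src_ip, dst_ip, proto, port) for fw, rules in chain]
    verdict = "allow" if all(action == "allow" for _, action, _ in hops) else "deny"
    return verdict, hops


def inconsistent_flows(chain, flows):
    """Flows on which the hops disagree: one firewall explicitly allows what
    another denies, so somebody's rule is dead policy nobody can see locally."""
    report = []
    for flow in flows:
        verdict, hops = trace(chain, *flow)
        if len({action for _, action, _ in hops}) > 1:
            report.append((flow, verdict, hops))
    return report


# Constructed policies for three firewalls on one partner-facing path.
PERIMETER = [
    Rule("allow-web", "allow", "any", "10.10.0.0/24", "tcp", (443, 443)),
    Rule("allow-partner-any", "allow", "203.0.113.0/24", "10.0.0.0/8", "any"),
    # Intended to stop the partner reaching the database, but shadowed by the rule above.
    Rule("deny-partner-db", "deny", "203.0.113.0/24", "10.30.0.0/24", "tcp", (5432, 5432)),
    Rule("deny-all", "deny", "any", "any", "any"),
]
INSIDE = [
    Rule("allow-web-in", "allow", "any", "10.10.0.0/24", "tcp", (443, 443)),
    Rule("allow-web-app", "allow", "10.10.0.0/24", "10.20.0.0/24", "tcp", (8443, 8443)),
    Rule("allow-partner-db", "allow", "203.0.113.0/24", "10.30.0.0/24", "tcp", (5432, 5432)),
    Rule("deny-all", "deny", "any", "any", "any"),
]
CORE = [
    Rule("allow-app-db", "allow", "10.20.0.0/24", "10.30.0.0/24", "tcp", (5432, 5432)),
    Rule("deny-db-default", "deny", "any", "10.30.0.0/24", "any"),
    Rule("allow-other", "allow", "any", "any", "any"),
]
CHAIN = [("perimeter", PERIMETER), ("inside", INSIDE), ("core", CORE)]

PARTNER_TO_WEB = ("203.0.113.7", "10.10.0.5", "tcp", 443)
PARTNER_TO_DB = ("203.0.113.7", "10.30.0.5", "tcp", 5432)
FLOWS = [PARTNER_TO_WEB, PARTNER_TO_DB]

if __name__ == "__main__":
    for fw, rules in CHAIN:
        print(f"{fw}: shadowed rules {shadowed_rules(rules)}")
    for flow, verdict, hops in inconsistent_flows(CHAIN, FLOWS):
        print(flow, "->", verdict)
        for fw, action, rule in hops:
            print(f"  {fw:9s} {action:5s} ({rule})")
```

Run it directly to print the report. The partner-to-database flow is denied end to end, but only because the core firewall's database default catches it: the perimeter deny that was supposed to block it is shadowed by the broad partner allow, and the inside firewall's allow is dead policy. Neither defect is visible from any one firewall's rule base on its own, which is the alignment problem the slides describe.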

5. Orchestration
Each security service (vulnerability management, antivirus, next-gen firewall, intrusion protection, anti-malware) acts in a silo and does not share state with the others, from the perimeter firewall through the inside firewall to the composed services.

6. Context
Poor handles for policy and analytics: behind the perimeter firewall and inside firewall, the end point agent and the network see workloads only as addresses (:00:02:A3:D1:3D, :00:03:A4:C2:4C), not as the applications, users and data the policy is actually about.

Virtualization is the key: a ubiquitous abstraction layer between the applications and the infrastructure.

A traditional data center starts with compute capacity.

Then you network the systems together and connect them to the Internet.

Then you virtualize your compute.

And create “virtual data centers”: virtual networks are software containers, like VMs, each carrying its own virtual network topology.

Micro-segmentation
More than a barrier: a policy primitive.
Assess: capture and expose application structural context to policy management (how do things connect together); demonstrate the security posture of a service in any state into which it may be driven (understand security posture).
Align: align investment to risk, that is, align controls to what they are protecting and to each other; align candidate mitigations/remediation across an application topology.
Isolate: compartmentalize the environment so a breach of one thing isn't a breach of everything; provide a mechanism for structuring the right controls at the right position in the app topology.

Take those commingled distributed applications…
(Diagram: DMZ, App, Services and DB tiers alongside the shared infrastructure services AD, NTP, DHCP, DNS and CERT.)

…and create a zero trust model: isolation; explicit-allow communication; secure communications; structured secure communications.
And align your controls to what you are protecting: NGFW and IPS on the paths between tiers, a WAF in front of the web-facing application.
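As an added example, not from the original slides or any VMware product, the zero trust model above expressed in Python as policy keyed on workload tags (tier, app, shared service) rather than on addresses, with default deny and explicit allows only. Reachability over that policy shows the blast radius of one compromised workload and the structured path an attacker is forced onto, which is exactly where the NGFW, IPS and WAF controls sit. Workload names, tags, addresses, ports and rules are constructed for illustration.

```python
# Added example (not from the original slides): micro-segmentation policy keyed on
# workload tags instead of addresses, with reachability used to check the
# "breach of one thing is not a breach of everything" property. All workloads,
# tags, ports and rules below are constructed for illustration.
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Workload:
    name: str
    ip: str
    tags: frozenset          # e.g. {"tier=web", "app=blue"}


@dataclass(frozen=True)
class Allow:
    """One explicit-allow rule between tag selectors. Everything else is denied."""
    src: str                 # tag required on the source, or "any"
    dst: str                 # tag required on the destination
    service: str             # "tcp/8443", "udp/53", ...


WORKLOADS = [
    Workload("web-01", "10.10.0.11", frozenset({"tier=web", "app=blue"})),
    Workload("web-02", "10.10.0.12", frozenset({"tier=web", "app=blue"})),
    Workload("app-01", "10.20.0.21", frozenset({"tier=app", "app=blue"})),
    Workload("db-01", "10.30.0.31", frozenset({"tier=db", "app=blue"})),
    Workload("dns-01", "10.40.0.53", frozenset({"svc=dns"})),
    Workload("ad-01", "10.40.0.88", frozenset({"svc=ad"})),
]

# Zero-trust policy for the blue application: structured, explicit allows only.
POLICY = [
    Allow("tier=web", "tier=app", "tcp/8443"),   # web tier to app tier (NGFW/IPS here)
    Allow("tier=app", "tier=db", "tcp/5432"),    # app tier to database (NGFW/IPS here)
    Allow("any", "svc=dns", "udp/53"),           # shared service everyone may resolve
    Allow("tier=app", "svc=ad", "tcp/389"),      # only the app tier talks to AD
]


def permitted(policy, src, dst):
    """Services `src` may open on `dst` under default deny. No rule, no traffic."""
    if src.name == dst.name:
        return set()
    return {r.service for r in policy
            if (r.src == "any" or r.src in src.tags) and r.dst in dst.tags}


def direct_reach(policy, workloads, start_name):
    """Blast radius of one compromised workload: every (target, service) it can
    connect to without compromising anything else first."""
    start = next(w for w in workloads if w.name == start_name)
    return {(w.name, svc) for w in workloads for svc in permitted(policy, start, w)}


def attack_path(policy, workloads, start_name, target_name):
    """Shortest chain of permitted hops an attacker must compromise in turn to
    reach `target` from `start`; None if segmentation leaves no path at all."""
    by_name = {w.name: w for w in workloads}
    queue = deque([[start_name]])
    seen = {start_name}
    while queue:
        path = queue.popleft()
        if path[-1] == target_name:
            return path
        here = by_name[path[-1]]
        for w in workloads:
            if w.name not in seen and permitted(policy, here, w):
                seen.add(w.name)
                queue.append(path + [w.name])
    return None


def flat_reach(workloads, start_name):
    """For comparison: a flat segment behind a perimeter firewall, where every
    workload can reach every other workload on any port."""
    return {(w.name, "any") for w in workloads if w.name != start_name}


if __name__ == "__main__":
    print("web-01 direct reach:", sorted(direct_reach(POLICY, WORKLOADS, "web-01")))
    print("flat-network reach:", len(flat_reach(WORKLOADS, "web-01")), "workloads, any port")
    print("path web-01 -> db-01:", attack_path(POLICY, WORKLOADS, "web-01", "db-01"))
    print("path dns-01 -> db-01:", attack_path(POLICY, WORKLOADS, "dns-01", "db-01"))
```

From web-01 the only reachable services are app-01 on tcp/8443 and the shared DNS service; web-02 and db-01 are not reachable at all, whereas on a flat segment behind the inside firewall every other workload would be reachable on any port. The attacker's only route to the database is web-01, then app-01, then db-01 on tcp/5432, so that is where the IPS and NGFW inspection pays off. A new web-03 carrying the tier=web tag inherits the same policy with no rule changes, which is the context problem described earlier (policy tied to MAC or IP handles) solved at the policy layer.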

Implementing security in the virtualization layer
The virtualization layer supplies isolation and context to the whole security infrastructure:
Security services management: security service insertion and orchestration; visibility, provisioning and orchestration
SOC: SIEM, security analytics, forensics
Governance/compliance: vulnerability management, log management, GRC, posture management, DLP
Network: FW, IDS/IPS, NGFW, WAF, AMP, UTM, DDoS
Storage: encryption, key management, tokenization
Compute: AV, HIPS, AMP, encryption, exec/device control
Identity controls: advanced authentication, SSO, authorization, user provisioning
App/database controls: vulnerability management, storage security, web services security, secure OS

Virtualization: making your security controls better
1. Ubiquity: place controls everywhere.
2. Context: visibility into app/user/data.
3. Mitigation: leverage the interface and the ecosystem.
4. Isolation: protect your controls from attackers.
5. Orchestration and state distribution.
(Same security infrastructure stack as the previous slide, from security services management and the SOC down to identity and app/database controls.)

Summary
We're experiencing a changing battlefield.
We must re-align controls to what they are protecting.
Virtualization/SDDC holds the key to solving this.
The real value is not simply in looking at how to secure an SDDC, but in how you can leverage an SDDC to secure the things that matter.

Thank you