
Software-Defined Data Center: Security for the new battlefield. Rob Randell, CISSP, Director/Principal Architect. © 2015 VMware Inc. All rights reserved. (Presentation transcript.)


Slide 1: Software-Defined Data Center: Security for the new battlefield
Rob Randell, CISSP, Director/Principal Architect Security, NSBU. April 2015. © 2015 VMware Inc. All rights reserved.

Slide 2: Where are we today?
The only thing outpacing security spend… is security losses. (Chart: IT spend, security spend, security breaches.)

Slide 3: What does our battlefield look like today?

Slide 4: The data center
IT stack: Network, Storage, Compute, Application layer.

Slide 5: Securing the data center
Security stack:
Network: FW, IDS/IPS, NGFW, WAF, AMP, UTM, DDoS
Storage: Encryption, Key Management, Tokenization
Compute: AV, HIPS, AMP, Encryption, Exec/Device Control
Identity Controls: Advanced Authentication, SSO, Authorization, User Provisioning
App/Database Controls: Vulnerability Management, Storage Security, Web Services Security, Secure OS

Slide 6: Security Policy
People, Applications, Data.

Slide 7: The changing battlefield
Architectures shown: monolithic stack; multi-tiered distributed architecture; composed services on converged infrastructure.

Slide 8: How do hackers take advantage of misalignment?

Slide 9: 1. Prep
Diagram steps 1–3: attack vector R&D, human recon, delivery mechanism.

Slide 10: 2. Intrusion
Compromise primary entry point (step 4); install command & control interface (step 5). Strain A active, strain B dormant.

Slide 11: 3. Recon
Escalate privileges on primary entry point (step 6); lateral movement (step 7); install C2 interface, escalate privileges, wipe tracks (step 8). Strain A active.

Slide 12: 4. Recovery
Attack identified; response; wake up and modify next dormant strain (step 9). Strain A active, strain B active, strain C dormant, strain D dormant.

Slide 13: 5. Act on intent & exfiltration
Attack identified (step 10); parcel and obfuscate (step 11); exfiltration (step 12); cleanup (step 13).

Slide 14: Modern attack: targeted, interactive, stealthy
Why is it so difficult to move security controls inside the datacenter? An architectural challenge.
Today: stop infiltration; perimeter-centric; managing compliance. Gap: lack of visibility and control to stop exfiltration.
Shift to: application- and user-centric; managing risk.

Slide 15: The impact of architecture
Distributed application architectures comingled on a common infrastructure create a hyper-connected compute base with little context of how to connect the two layers, resulting in massive misalignment. Six consequences:
1. Lateral movement
2. Comingled policy
3. Distributed policy
4. Chain alignment
5. Orchestration
6. Context

Slide 16: 1. Lateral movement
Moving from asymmetric to symmetrical concerns inside the data center. (Diagram: perimeter firewall, inside firewall, composed services on converged infrastructure; an entry point leading to a data breach.)

Slide 17: 2. Comingled policy
Converged infrastructure means many firewall policies for many comingled applications. Policy mixing across multiple apps; misaligned over time as a result.

Slide 18: 3. Distributed policy
Traversing the network could mean encountering 10,000+ policies. (Diagram: firewall #1, 100 rules; firewall #2, 700 rules; firewall #3, 900 rules.) Inconsistent policies create misalignment.

Slide 19: 4. Chain alignment
Improper sequencing of controls leads to issues. (Diagram: a blue app and a green app passing through the perimeter firewall and inside firewall on composed services on converged infrastructure.)

Slide 20: 5. Orchestration
Each security service is acting in a silo and not sharing state with the others. (Diagram: vulnerability management, antivirus, next-gen firewall, intrusion protection, anti-malware.)

Slide 21: 6. Context
Poor handles for policy and analytics. (Diagram: an endpoint agent and services identified only by URL, IP and MAC address, e.g. HTTP://192.159.2.10:8080, HTTP://192.163.8.10:8080 at 10.20.2.140 / 09:00:02:A3:D1:3D, HTTP://192.162.5.8:8080 at 10.18.3.13 / 08:00:03:A4:C2:4C.)

Slide 22: Virtualization is the key
A ubiquitous abstraction layer between the applications and the infrastructure.

Slide 23: A traditional data center starts with compute capacity.

Slide 24: Then you network systems together. (Diagram: Internet.)

Slide 25: Then you virtualize your compute.

Slide 26: And create "virtual data centers"
Virtual networks; software containers, like VMs; virtual network topology.

Slide 27: Micro-segmentation: more than a barrier, a policy primitive
Assess: capture and expose application structural context to policy management (how do things connect together); demonstrate the security posture of a service in any state into which it may be driven (understand security posture).
Align: align investment to risk; align controls to what they are protecting and to each other; align candidate mitigations/remediation across an application topology.
Isolate: compartmentalize the environment so a breach of one thing isn't a breach of everything; provide a mechanism for structuring the right controls at the right position in the app topology.

Slide 28: Take those comingled distributed applications…
(Diagram: App, Services, DB; shared AD, NTP, DHCP, DNS, CERT; DMZ.)

Slide 29: …and create a zero trust model, and align your controls to what you are protecting
Isolation; explicit-allow communication; secure communications; structured secure communications. (Controls placed in the diagram: NGFW, IPS, WAF.)
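As an added example (not from the presentation): a small Python model of the explicit-allow, default-deny micro-segmentation policy slides 27 to 29 describe, keyed on application context rather than IP/MAC handles. The workload names, tiers, allow rules and the control assigned to each edge are constructed assumptions; the code compares the lateral-movement blast radius of a compromised web VM on a flat, comingled network against the segmented one.

```python
from collections import deque

# Constructed inventory for this example: workload -> (application, tier).
# "blue" and "green" are two comingled apps sharing one converged infrastructure.
WORKLOADS = {
    "blue-web": ("blue", "web"), "blue-app": ("blue", "app"), "blue-db": ("blue", "db"),
    "green-web": ("green", "web"), "green-app": ("green", "app"), "green-db": ("green", "db"),
    "shared-ad": ("shared", "identity"),
}

# Explicit-allow rules keyed on application context (app, tier), not on IP/MAC.
# Anything not listed is denied (default deny = isolation). Each rule names the
# control aligned to that edge, as the zero-trust slide places NGFW/IPS/WAF.
ALLOW = {
    (("blue", "web"), ("blue", "app")): "IPS",
    (("blue", "app"), ("blue", "db")): "NGFW",
    (("green", "web"), ("green", "app")): "IPS",
    (("green", "app"), ("green", "db")): "NGFW",
    (("*", "*"), ("shared", "identity")): "NGFW",  # every tier may reach AD
}

def allowed(src, dst):
    """Return the control name if src may talk to dst, else None (default deny)."""
    if src == dst:
        return None
    s, d = WORKLOADS[src], WORKLOADS[dst]
    for (rs, rd), control in ALLOW.items():
        if (rs == s or rs == ("*", "*")) and rd == d:
            return control
    return None

def blast_radius(compromised):
    """Workloads reachable by lateral movement from a compromised VM under the
    segmented policy: transitive closure over explicitly allowed edges."""
    seen, queue = {compromised}, deque([compromised])
    while queue:
        cur = queue.popleft()
        for nxt in WORKLOADS:
            if nxt not in seen and allowed(cur, nxt):
                seen.add(nxt)
                queue.append(nxt)
    return sorted(seen - {compromised})

def flat_blast_radius(compromised):
    """Same question on a flat, comingled network with no inside firewall:
    every workload is reachable from every other one."""
    return sorted(w for w in WORKLOADS if w != compromised)
```

With the segmented policy a compromised blue web VM reaches only its own app and DB tiers plus the shared directory; the green application is never reachable, which is the "breach of one thing isn't a breach of everything" property of slide 27.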

Slide 30: Implementing security in the virtualization layer
Security Services Management: security service insertion and orchestration; visibility, provisioning, and orchestration.
SOC: SIEM, security analytics, forensics.
Governance/Compliance: vulnerability management, log management, GRC, posture management, DLP.
Security Infrastructure:
Network: FW, IDS/IPS, NGFW, WAF, AMP, UTM, DDoS
Storage: Encryption, Key Management, Tokenization
Compute: AV, HIPS, AMP, Encryption, Exec/Device Control
Identity Controls: Advanced Authentication, SSO, Authorization, User Provisioning
App/Database Controls: Vulnerability Management, Storage Security, Web Services Security, Secure OS
Foundation provided by the virtualization layer: Isolation, Context.

Slide 31: Virtualization: making your security controls better
1. Ubiquity: place controls everywhere.
2. Context: visibility into app/user/data.
3. Mitigation: leverage the interface and the ecosystem.
4. Isolation: protect your controls from attackers.
5. Orchestration and state distribution.
(The security stack diagram from slide 30 is repeated.)

Slide 32: Summary
We're experiencing a changing battlefield. We must re-align controls to what they are protecting. Virtualization/SDDC holds the key to solving this. The real value is not in simply looking at how to secure an SDDC but in how you can leverage an SDDC to secure the things that matter.

Slide 33: Thank you

