The world of computing is moving to the cloud – shared infrastructures, shared systems, instant provisioning and pay-as-you-go services. Users get anytime, anywhere access to services and their data. But how secure is your data in the cloud, and do conventional security products offer the optimal approach to securing your virtualised environments?
In this presentation we examine security and performance concerns along your journey to the cloud and explore new technologies from VMware and Trend Micro. These innovations are already helping thousands of businesses to address the security challenges of physical, virtual and cloud platforms.
2. JOURNEY TO THE CLOUD
Where is Your Data?
Deployment platforms shown on the slide: Physical Desktops & Servers; Server Virtualization; Desktop Virtualization; Mobile; BYOPC; Private Cloud; Hybrid Cloud; Public Cloud
3. CROSS-PLATFORM SECURITY
One Security Model is Possible
across Physical, Virtual, and Cloud Environments
Physical Virtual Cloud
New platforms don’t change the threat landscape
Each platform has unique security risks
Integrated security is needed across all platforms
4. PLATFORM-SPECIFIC SECURITY RISKS
One Security Model is Possible
across Physical, Virtual, and Cloud Environments
Physical (Manageability): glut of security products; less security; higher TCO. Answer: Reduce Complexity
Virtual (Performance & Threats): traditional security degrades performance; new VM-based threats. Answer: Increase Efficiency
Cloud (Visibility & Threats): less visibility; more external risks. Answer: Deliver Agility
Integrated Security: Single Management Console
13. Agent-less Security Architecture
Architecture diagram (legend: Trend Micro product components and VMware platform components):
Trend Micro Deep Security Manager, operated by the Security Admin
Trend Micro Deep Security Virtual Appliance, providing:
- Network Security through the VMsafe-net API: IDS/IPS, Web App Protection, Application Control, Firewall
- Anti-Malware through the vShield Endpoint API: Real-time Scan, Scheduled & Manual Scan
Guest VMs: APPs, OS, VM tools with the Trend Micro vShield Endpoint filter driver
ESX host with the vShield Endpoint ESX Module
vCenter and vShield Manager, operated by the VI Admin, on the vSphere Platform
14. VIRTUALIZATION SECURITY
What is the Solution?
Layered, Virtualization-Aware Security in One Platform
Deep Security Integrated Modules, with Agentless Security delivered by a Virtual Appliance protecting the VMs on the host:
• Antivirus
• Integrity Monitoring
• Intrusion Prevention
• Web Application Protection
• Application Control
• Firewall
• Log Inspection
Benefits: Higher Density, Optimized Resources, Simplified Management, Stronger Security
Maximizes Performance and ROI
15. CASE STUDY
Agentless Anti-malware
City of Oulu, Finland
Industry: Municipal Government
Number of Employees: 10,000
Challenge:
• Merge infrastructures of four surrounding cities in less than one year
• Extend the lives of existing PCs that cannot be upgraded to Windows 7
• Minimize the start-up efforts for the infrastructure merger
• Avoid complexity that would slow systems or increase workload
Solution:
• vShield Endpoint and Trend Micro Deep Security, for agentless protection of virtual desktop infrastructure (VDI)
Business Results:
• Protection that is easy to deploy, administer, and scale
• Agentless security that is more resource
• Instant protection of new VMs at time of spin-up
17. CLOUD SECURITY
Cloud Models: Who Has Control?
Servers | Virtualization & Private Cloud | Public Cloud IaaS | Public Cloud PaaS | Public Cloud SaaS
Control shifts from the End-User (Enterprise) to the Service Provider as you move from left to right.
Who is responsible for security?
With IaaS the customer is responsible for VM-level security
With SaaS or PaaS the service provider is responsible for security
20. CLOUD SECURITY
Challenge: Data Destruction
When data is moved, unsecured data remnants can remain
21. CLOUD SECURITY
What is the Solution? Data Protection
Server & App Security: Modular Protection
• Self-defending VM security
• Agentless and agent-based
• One management portal for all modules, all deployments
Data Security: Encryption with Policy-based Key Management (illustrated with "Sensitive Research Results")
• Unreadable for unauthorized users
• Control of when and where data is accessed
• Server validation
• Custody of keys
Integration ensures servers have up-to-date security before encryption keys are released
Platforms: vSphere & vCloud
22. CLOUD SECURITY
Fitting Encryption into a VMware Ecosystem
Trend Micro SecureCloud (Key Service Console, Enterprise Key) spanning VMware vSphere (Data Center) and VMware vCloud (Private Cloud, Public Cloud), with encrypted VMs in each environment
Encryption throughout your cloud journey—data protection for virtual & cloud environments
23. Deep Security / SecureCloud Example
Diagram: Customer 1, Customer 2 and Customer Test tenants running Unix/Win servers on VMware vSphere ESX
24. TREND MICRO DEEP SECURITY
Specialized Protection
for Physical, Virtual, and Cloud
Physical Virtual Cloud
Only fully integrated server security platform
First hypervisor-integrated agentless antivirus
First agentless file integrity monitoring (FIM)
Only solution in its category to be EAL4+
and FIPS certified
25. TREND MICRO: VMWARE’S NUMBER 1 SECURITY PARTNER
2011 Technology Alliance Partner of the Year
Improves Security: by providing the most secure virtualization infrastructure, with APIs, and certification programs
Improves Virtualization: by providing security solutions architected to fully exploit the VMware platform
Partnership timeline figure, 2008 to 2011, with the milestones legible on the slide:
• Feb: Join VMsafe program
• RSA: Trend Micro VMsafe demo; announces coordinated approach & virtual pricing
• VMworld: Trend virtsec customer, case study, webinar, video
• May: Trend acquires Third Brigade
• July: CPVM GA
• Nov: Deep Security 7 with virtual appliance; RSA: Trend Micro announces virtual appliance
• Q4: Joined EPSEC Program
• RSA: Trend Micro demos agentless; sale of DS 7.5 before GA
• Dec: Deep Security 7.5 w/ Agentless Antivirus
• VMworld: Agentless VMsafe announce; 2010: Deep Security 7.5 customers
• RSA: Other vendors "announce" agentless
• VMworld: Announce Deep Security 8 w/ Agentless FIM
• 1000 agentless customers; vShield: >100 customers, >$1M revenue
26. VIRTUALIZATION AND CLOUD SECURITY
Trend is No.1 in Server and Virtualization Security
Physical Virtual Cloud
Trend Micro market-share figures shown: 13% and 23.7%
Source: IDC, 2011 - Worldwide Endpoint Security Revenue Share by Vendor, 2010
Source: 2011 Technavio – Global Virtualization Security Management Solutions
Editor's notes
[Interactive Opportunity: Ask the audience where they have deployed their applications and data (e.g., which of the slide categories they have implemented).] The order in which these elements are deployed and to what degree will vary depending on business needs and resources. [If you get responses from a group, the fact that they vary will be evident. You can comment on the responses you receive. You can use the responses to customize the rest of this presentation—comment on security for their current deployments and how the right security can help them implement additional platforms sooner.]
The different aspects of the journey to the cloud that we saw on the previous slide can be placed into three platforms: the first is physical; the second is virtual, including server and desktop virtualization; and the third is cloud, including private, public, and hybrid clouds. But just because the data center is evolving to include new platforms doesn’t mean the threat landscape is static—we still have evolving threats like data-stealing malware, botnets and targeted attacks (sometimes called APTs or Advanced Persistent Threats) and others. Integrated, layered security is needed across all three of these platforms to defend against these threats. So although the threat landscape still has all these elements, there are unique security risks that must be considered for each platform, and the solution must recognize the specific security requirements of each individual platform.
Each of these platforms has unique security concerns. With physical machines, the manageability of various security solutions can be an issue. There can be a glut of security products—either through excessive layering or overly specialized products. This increases hardware and software costs. Also, management across the different products can be difficult, causing security gaps. And collectively these issues create a higher Total Cost of Ownership. The solution is to reduce complexity by consolidating security vendors and correlating protection. [click] With virtualization, the risks pertain to both performance and threats specific to virtual environments. There is a concern that security will reduce performance, which reduces the ROI of a virtual infrastructure. Also there are unique virtual machine attacks, such as inter-VM threats. Here the solution is increased efficiency—security that optimizes performance while also defending against traditional as well as virtualization-specific threats. [click] With cloud services, the risks pertain to less visibility and cloud-specific threats. Companies are concerned about having less visibility into their applications and data. And they are concerned about increased external threats, especially in multi-tenant environments. For the cloud, businesses need security that allows them to use the cloud to deliver IT agility. Data must be able to safely migrate from on-premise data centers to private clouds to public clouds so organizations can make the best use of resources. [click] As we’ll see later, all of these concerns can be addressed through protection that is provided in an integrated security solution, all managed through one console. With cross-platform security, you’ll stay protected as your data center and virtual or cloud deployments evolve, allowing you to leverage the benefits of each platform while defending against the threats unique to each environment.
Now we’ll step through each platform individually, starting with physical servers and endpoints. Regardless of how your business evolves, you’ll still need dedicated physical servers. They give you the highest level of visibility and control, provide dedicated computing resources, and support specialty hardware and software. Today, the security that is needed for physical machines is relatively well known. The issue is more, how do I deploy effective protection while reducing management. Integrating security onto one platform reduces the glut of security products which in turn reduces management and costs.
As you can see here, an integrated approach to server security includes a Firewall, HIPS and Virtual Patching, Web Application Protection, Antivirus, File Integrity Monitoring, and Log Inspection. [click] To reduce complexity, all of these capabilities should be integrated into one solution and should be managed through one console with advanced reporting capabilities. Here we’re talking about how to reduce complexity with your physical server security. But when this protection is provided in a cross-platform solution, your security can also travel with you as your business evolves to use virtualization and the cloud.
The next platform we’ll discuss is virtualization. Most companies are virtualizing their data centers. In a recent survey by Trend Micro, 59% of respondents had server virtualization in production or trial, and 52% had desktop virtualization in As the foundation to the cloud, businesses should deploy virtualization security that protects their data center virtual machines as well as their virtual machines that are moved to private and public cloud environments. In the next few slides, we will discuss virtualization security challenges and the solutions to address these challenges, using virtualization-aware security.
Next we’ll cover instant-on gaps. [click] Unlike a physical machine, when a virtual machine is offline, it is still available to any application that can access the virtual machine storage over the network, and is therefore susceptible to malware infection. However, dormant or offline VMs do not have the ability to run an antimalware scan agent. [click] Also, when dormant VMs are reactivated, they may have out-of-date security. [click] One of the benefits of virtualization is the ease with which VMs can be cloned. However, if a VM with out-of-date security is cloned, the new VM will have out-of-date security as well. New VMs must have a configured security agent and updated pattern files to be effectively protected. [click] Again the solution is a dedicated security virtual appliance that can ensure that guest VMs on the same host have up-to-date security if accessed or reactivated, and can make sure that newly provisioned VMs also have current security. This security virtual appliance should include layered protection that integrates multiple technologies such as antivirus, integrity monitoring, intrusion detection and prevention, virtual patching, and more.
The final virtualization challenge we’ll discuss is the complexity of management. Virtual machines are dynamic. They can quickly be reverted to previous instances, paused, and restarted, all relatively easily. They can also be readily cloned and seamlessly moved between physical servers. Vulnerabilities or configuration errors may be unknowingly propagated. Also, it is difficult to maintain an auditable record of the security state of a virtual machine at any given point in time. [click] This dynamic nature and potential for VM sprawl makes it difficult to achieve and maintain consistent security. Hypervisor introspection is needed for visibility and control. Security that leverages the hypervisor APIs can ensure that each guest VM on the host remains secure and that this security coordinates with the virtualization platform.
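The instant-on gaps and the audit problem described in the last two notes can be checked mechanically from a VM inventory. The following is an added example written for this page, not Trend Micro or VMware code: it assumes a constructed inventory, a constructed current pattern version and a constructed policy window, and it flags VMs that would come up unprotected (no agent, stale pattern files, long-dormant, or cloned from a stale source) and produces a hashed point-in-time record of each VM's security state for later audit.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional
import hashlib
import json

# Constructed values for this example: the pattern version the management
# console currently distributes, and how long a dormant VM may go unscanned.
CURRENT_PATTERN = "8.950.00"
MAX_DORMANT_AGE = timedelta(days=3)


@dataclass
class VM:
    name: str
    power_state: str            # "on", "off" or "suspended"
    agent_configured: bool      # agent or appliance coverage is configured
    pattern_version: str        # pattern file the VM (or its appliance) holds
    last_scan: datetime
    cloned_from: Optional[str] = None


def instant_on_gaps(vms, now):
    """Map VM name -> reasons it would come up unprotected.

    Covers the gaps from the notes: missing agent, out-of-date pattern files,
    dormant VMs not scanned within policy, and clones that inherit the stale
    state of their source VM (reported before the clone is first powered on).
    """
    by_name = {vm.name: vm for vm in vms}
    gaps = {}
    for vm in vms:
        reasons = []
        if not vm.agent_configured:
            reasons.append("no security agent configured")
        if vm.pattern_version != CURRENT_PATTERN:
            reasons.append(f"pattern {vm.pattern_version} differs from current {CURRENT_PATTERN}")
        if vm.power_state != "on" and now - vm.last_scan > MAX_DORMANT_AGE:
            reasons.append("dormant VM not scanned within policy window")
        src = by_name.get(vm.cloned_from) if vm.cloned_from else None
        if src is not None and src.pattern_version != CURRENT_PATTERN:
            reasons.append(f"cloned from {src.name}, which has stale patterns")
        if reasons:
            gaps[vm.name] = reasons
    return gaps


def security_state_record(vm, now):
    """Point-in-time, hash-sealed record of a VM's security state.

    The digest over the canonical JSON lets an auditor later show which state
    was observed at that time without trusting a mutable inventory row.
    """
    state = {
        "vm": vm.name,
        "observed_at": now.isoformat(),
        "power_state": vm.power_state,
        "agent_configured": vm.agent_configured,
        "pattern_version": vm.pattern_version,
        "last_scan": vm.last_scan.isoformat(),
    }
    state["digest"] = hashlib.sha256(json.dumps(state, sort_keys=True).encode()).hexdigest()
    return state


# Constructed inventory: one healthy VM, one dormant stale VM, a clone of it,
# and a suspended template with no agent at all.
NOW = datetime(2012, 3, 1, 9, 0)
INVENTORY = [
    VM("web01", "on", True, "8.950.00", NOW - timedelta(hours=2)),
    VM("db-archive", "off", True, "8.120.00", NOW - timedelta(days=40)),
    VM("db-archive-clone", "off", True, "8.120.00", NOW - timedelta(days=40),
       cloned_from="db-archive"),
    VM("lab-template", "suspended", False, "8.950.00", NOW - timedelta(hours=12)),
]

if __name__ == "__main__":
    for name, reasons in instant_on_gaps(INVENTORY, NOW).items():
        print(f"{name}: {'; '.join(reasons)}")
```

In a real deployment the inventory would come from the virtualization platform's API and the current pattern version from the management console; the gate logic stays the same.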
I’d now like to highlight a couple of additional virtualization challenges. The next one we’ll discuss today is inter-VM attacks and blind spots. [click] When a threat penetrates a virtual machine, the threat can then spread to other virtual machines on the same host. Traditional security such as hardware-based firewalls might protect the host, but not the guest virtual machines. And cross-VM communication might not leave the host to be routed through other forms of security, creating a blind spot. [click] For the solution, protection must be applied at the individual virtual machine level, not the host level, to ensure security. And integration with the virtualization platform, such as VMware, provides the ability to communicate with the guest virtual machines. Also, virtual patching ensures that VMs stay secure until patches can be deployed.
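The blind spot in the note above can be made concrete with a small policy evaluator. This is an added example for this page, not vendor code; the VM placement, the per-VM ingress rules and the sample flows are all constructed. It evaluates each flow against a default-deny per-VM policy and separately reports which of the blocked flows never leave the host, which is exactly the traffic a host-edge firewall would never inspect.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_vm: str
    dst_vm: str
    dst_port: int


# Constructed placement: three VMs share host esx-a, one runs on esx-b.
PLACEMENT = {"web01": "esx-a", "app01": "esx-a", "db01": "esx-a", "backup01": "esx-b"}

# Constructed per-VM ingress policy, default deny:
# destination VM -> allowed (source VM, destination port) pairs; "*" is any source.
VM_POLICY = {
    "web01": {("*", 443)},
    "app01": {("web01", 8080)},
    "db01": {("app01", 5432)},
    "backup01": {("db01", 22)},
}


def leaves_host(flow):
    """True if the flow crosses the physical network, so a host-edge firewall can see it."""
    return PLACEMENT[flow.src_vm] != PLACEMENT[flow.dst_vm]


def vm_policy_allows(flow):
    """Per-VM firewall decision: allowed only if an explicit rule matches."""
    rules = VM_POLICY.get(flow.dst_vm, set())
    return (flow.src_vm, flow.dst_port) in rules or ("*", flow.dst_port) in rules


def classify(flows):
    """Split flows into allowed, blocked, and the subset of blocked flows that stay
    on one host (the perimeter blind spot only per-VM protection can cover)."""
    allowed, blocked, blind = [], [], []
    for f in flows:
        if vm_policy_allows(f):
            allowed.append(f)
        else:
            blocked.append(f)
            if not leaves_host(f):
                blind.append(f)
    return {"allowed": allowed, "blocked": blocked, "perimeter_blind": blind}


# Constructed sample traffic, including one intra-host flow the policy forbids.
SAMPLE_FLOWS = [
    Flow("web01", "app01", 8080),
    Flow("app01", "db01", 5432),
    Flow("web01", "db01", 5432),    # intra-host, not permitted by db01's rules
    Flow("db01", "backup01", 22),
    Flow("web01", "backup01", 22),  # cross-host, not permitted; the perimeter sees this one
]

if __name__ == "__main__":
    result = classify(SAMPLE_FLOWS)
    for f in result["perimeter_blind"]:
        print(f"blind spot: {f.src_vm} -> {f.dst_vm}:{f.dst_port} stays on {PLACEMENT[f.dst_vm]}")
```

The point of the split is operational: `perimeter_blind` is the traffic that would show up in no edge-firewall log, so the per-VM policy (or an appliance with hypervisor-level visibility) is the only place it can be blocked and recorded.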
So what is the solution to these final two challenges? Layered virtualization-aware security in one platform. The security virtual appliance with agentless security that we discussed earlier can provide multiple modules, as listed here—antivirus, integrity monitoring, intrusion prevention, Web application protection, application control, firewall, and log inspection. With this integrated protection that is designed for a virtual environment, you can achieve higher consolidation ratios, faster performance, better manageability, and stronger overall security.
[Step through content on slide—should be self explanatory.] As our customers expand their agentless security options, we look forward to hearing how their benefits increase.
https://myhome.trendmicro.com/NR/rdonlyres/C1EB92AC-776D-4EA3-B085-D05080C37FAA/32570/CS_OULU_DS75_MAR2012.pdf
VMware controls more than half of the virtualization market. Virtualization security must fit into the VMware ecosystem to effectively support enterprise virtualization efforts. Here we demonstrate the different VM-security aspects and how they can fit into a VMware infrastructure. [click] The pairing of agentless antivirus and agentless integrity monitoring with vShield Endpoint enables a massive reduction in memory footprint for security on virtual hosts by eliminating security agents from the guest virtual machines and centralizing those functions on a dedicated security virtual machine. [click] Protection such as intrusion detection and prevention, web application protection, application control, and firewall can be integrated with VMware using VMsafe APIs, integrating security with VMware vSphere environments. Again this can be an agentless option. [click] And finally, log inspection, which optimizes the identification of important security events buried in log entries, can be applied through agent-based protection on each VM. [click] These elements can be integrated and centrally managed with VMware vCenter Server. Together, these provide comprehensive, integrated virtual server and desktop security.
Now we’ll cover the final platform, cloud computing. Cloud computing is usually built on virtualization. So, all of the previous challenges and solutions we discussed in the previous section on virtualization apply to the cloud. But cloud computing also introduces its own challenges as well as solutions. Let’s take a look.
When planning to deploy your data to the cloud, you must assess your security requirements and select a cloud model that is going to meet your business needs and objectives. Visibility and control decrease as you move from on-site virtualization and private cloud environments to public cloud models. With a private cloud, you control your assets, but with a public cloud, the service provider controls the underlying infrastructure, ultimately controlling access to your IT assets. This raises particular security concerns for a public cloud environment. [click] The degree to which you control and are responsible for security in the public cloud varies by public cloud model. [click] With an Infrastructure as a Service cloud, the service provider is responsible for securing the underlying hardware, but businesses are expected to secure their virtual infrastructure and their applications and data built on top of it. [click] With Software as a Service and Platform as a Service clouds, the service provider is responsible for most of the security. However, businesses should not assume that service providers provide sufficient security and should ask about the types of protection provided. In addition, you need to secure your endpoints that connect to the service to ensure that the cloud service does not compromise endpoint resources and data. For this presentation, when discussing the public cloud, we’ll focus on Infrastructure as a Service clouds because businesses are responsible for most of the security, including protecting their virtual infrastructure and their applications and data built on top of it.
Now we’ll discuss a few security challenges that are specific to the public cloud. The first is multi-tenancy and mixed trust level VMs. [click] Because of the multitenant architecture of the cloud, your data can move to make the best use of resources. But you may not always know exactly where your data is located. Your critical applications and data might be located next to high-risk VMs—and you may not even know it. This is particularly true in the public cloud, where you don’t know your neighbors, but it can also be true in private clouds when various VMs for your business are sharing a host. [click] The solution is to create self-defending virtual machines that can defend themselves in a multitenant environment. And encryption can secure your data even if it is accessed by an unauthorized source—anywhere from criminals to service providers to even people in your own company who might not have permission to view the data.
Another challenge for cloud computing is data access and governance. [click] This builds on the challenge in the previous slide. The multitenant architecture and provider control of the infrastructure raise concerns about who can see your data, or who may be attaching to your storage volumes. With these concerns comes a desire for visibility. Are you able to run reports that audit who has accessed your data? [click] Businesses need security and privacy measures that address these concerns. Encryption can secure data. But encryption alone is not enough. The solution should include policy-based key management to specify when and where data can be accessed, and provide server validation to perform server identity and integrity checks before encryption keys are released.
The final cloud computing challenge we’ll discuss today is data destruction. As I mentioned before, cloud data can move to make the best use of resources. [click] But when data is moved, sometimes remnants remain if the data in the previous location is not completely shredded. These remaining data remnants can create a security concern. [click] Again encryption is the solution, because any remaining data remnants are unreadable if accessed by unauthorized users.
So what is the solution? Cloud protection should include self-defending VM security that travels with the virtual machine into a cloud infrastructure. This allows businesses to transfer a complete security stack into the cloud and retain control. And this cloud security should be provided in a modular infrastructure with both agentless and agent-based options so it can be customized to your individual cloud deployment needs. The security should be provided on one platform that is managed through a single console—across your physical, virtual, and cloud deployments, including private, public, and hybrid clouds. [click] Another method of protecting data in the cloud is encryption with policy-based key management. The solution should start with industry-standard encryption that renders your data unreadable to outsiders. Even if your data is moved and residual data is left behind, the data in the recycled devices is obscured. It is critical to have this encryption accessed through policy-based key management to specify when and where your data is accessed. And through policies, identity- and integrity-based validation rules specify which servers have access to decryption keys. An encryption solution should also give the option to access keys through a SaaS or on-site virtual appliance with customer control over the keys to support a clear separation of duties and to avoid vendor lock-in. An encryption solution with policy-based key management allows even heavily regulated companies to leverage the flexibility and cost savings of the public cloud while ensuring their data stays secure. [click] These two solution elements can be integrated with a context approach to security. For example, encryption policies can specify that encryption keys will not be released unless the requesting server has up-to-date security, ensuring that the data stays protected when accessed by self-defending VM security.
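The key-release policy described in this note and in the data-governance note before it can be written down as a small key service. The following is an added example for this page, not SecureCloud or any vendor's code: it assumes a customer-operated key service (so the customer keeps custody of the keys), a constructed enrolment secret used to validate server identity with an HMAC token, and a constructed policy. A key for a volume is released only when the requesting server proves its identity, sits in a permitted location, asks within the access window, runs a current-enough agent with fresh pattern files, and reports a clean integrity baseline; every decision is written to an audit log so "who accessed this data" can be reported.

```python
from dataclasses import dataclass, replace
from datetime import datetime, time, timedelta
from typing import List, Optional, Tuple
import hashlib
import hmac
import secrets

# Constructed enrolment secret shared with servers at enrolment time.
ENROLMENT_SECRET = b"constructed-enrolment-secret"


@dataclass
class KeyRequest:
    server_id: str
    location: str                 # constructed labels such as "cloud-public-eu"
    requested_at: datetime
    agent_version: str
    last_pattern_update: datetime
    integrity_baseline_ok: bool   # file-integrity monitor reports no unexpected changes
    auth_token: str               # HMAC over server_id with the enrolment secret


@dataclass
class KeyPolicy:
    allowed_locations: set
    window_start: time
    window_end: time
    min_agent_version: str
    max_pattern_age: timedelta


def version_tuple(v: str):
    return tuple(int(p) for p in v.split("."))


def enrolment_token(secret: bytes, server_id: str) -> str:
    return hmac.new(secret, server_id.encode(), hashlib.sha256).hexdigest()


class KeyService:
    """Customer-controlled key service: keys never leave it unless policy is met."""

    def __init__(self, enrolment_secret: bytes):
        self._secret = enrolment_secret
        self._keys = {}          # volume id -> data-encryption key
        self._policies = {}      # volume id -> KeyPolicy
        self.audit_log: List[dict] = []

    def register_volume(self, volume_id: str, policy: KeyPolicy):
        self._keys[volume_id] = secrets.token_bytes(32)
        self._policies[volume_id] = policy

    def request_key(self, volume_id: str, req: KeyRequest) -> Tuple[Optional[bytes], List[str]]:
        policy = self._policies[volume_id]
        reasons = []
        # Identity: token must match what this server was issued at enrolment.
        if not hmac.compare_digest(req.auth_token, enrolment_token(self._secret, req.server_id)):
            reasons.append("server identity not validated")
        # Where and when the data may be accessed.
        if req.location not in policy.allowed_locations:
            reasons.append(f"location {req.location} not permitted")
        if not (policy.window_start <= req.requested_at.time() <= policy.window_end):
            reasons.append("outside access window")
        # Integrity and up-to-date security before a key is released.
        if version_tuple(req.agent_version) < version_tuple(policy.min_agent_version):
            reasons.append("security agent version below minimum")
        if req.requested_at - req.last_pattern_update > policy.max_pattern_age:
            reasons.append("pattern files out of date")
        if not req.integrity_baseline_ok:
            reasons.append("integrity monitoring reports unexpected changes")
        self.audit_log.append({
            "server_id": req.server_id, "volume_id": volume_id, "location": req.location,
            "at": req.requested_at.isoformat(),
            "decision": "denied" if reasons else "granted", "reasons": reasons,
        })
        return (None if reasons else self._keys[volume_id]), reasons


def demo():
    """Run one valid request and three policy violations; returns (service, results)."""
    svc = KeyService(ENROLMENT_SECRET)
    svc.register_volume("vol-research-01", KeyPolicy(
        {"dc-private", "cloud-public-eu"}, time(6, 0), time(22, 0), "8.0.0", timedelta(days=2)))
    good = KeyRequest("srv-42", "cloud-public-eu", datetime(2012, 3, 1, 10, 0), "8.0.1",
                      datetime(2012, 2, 29, 23, 0), True, enrolment_token(ENROLMENT_SECRET, "srv-42"))
    results = {
        "valid": svc.request_key("vol-research-01", good),
        "wrong_location": svc.request_key("vol-research-01", replace(good, location="cloud-public-us")),
        "stale_patterns": svc.request_key("vol-research-01",
                                          replace(good, last_pattern_update=datetime(2012, 2, 20, 8, 0))),
        "forged_identity": svc.request_key("vol-research-01", replace(good, auth_token="00" * 32)),
    }
    return svc, results


if __name__ == "__main__":
    svc, results = demo()
    for name, (key, reasons) in results.items():
        print(f"{name}: {'granted' if key else 'denied'} {reasons}")
```

Each check maps to one bullet on the slide: identity and integrity checks are the server validation, location and window are the control over when and where data is accessed, and the audit log is the report a data owner needs to answer who accessed the volume.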
[click]And this security should work with multiple cloud platforms—allowing you to create the right cloud environment for your business.
Earlier we reviewed how the Trend Micro server security platform with modular security integrates with a VMware ecosystem. Here we see how Trend Micro’s cloud data encryption solution—SecureCloud—supports a VMware environment. Here we see the VMware ecosystem with vSphere, which creates a virtualization platform, and vCloud, which provides technologies to support private and public clouds. vCloud Director provides a management portal into these cloud technologies. [click] Trend Micro SecureCloud leverages information from vSphere and vCloud to provide native support for these environments. [click] Then SecureCloud can provide encryption capabilities in VMware virtual, private, and public cloud environments. [click] This gives companies encryption support today and as their data centers evolve.
As we’ve discussed here, Trend Micro’s server security platform provides specialized protection across physical, virtual, and cloud. [Briefly step through points on slide.]
Trend Micro was VMware’s 2011 Technology Alliance Partner of the Year. This timeline helps highlight some of our achievements in our partnership with VMware, starting back in 2008. [Highlight a couple of key points from the timeline—do not cover it all.]
We’ve been very successful in our approach to server security, achieving both #1 in virtualization security—the foundation of cloud computing, and #1 in server security for 2 consecutive years.