040711 webcast securing vmachine
1. How to Secure your Virtual Machine Sharon Isaacson Erin K. Banks, CISSP, CISA / www.commondenial.com / @banksek
2. Our Customers Are Asking Themselves: How do I centrally manage compliance across mixed VMware and physical IT environments? Can I secure access and information in my VMware View environment? Can I respond more quickly to security events in my virtual environment? Can I ensure my virtualized business-critical applications are running in a secure and compliant environment?
3. Implications of Challenges: CISOs need to manage security and compliance across virtual and physical IT; security and compliance concerns stall the adoption of virtualization; the opportunity for “better than physical” security is being missed.
8. VMware Secure Development Lifecycle Process. Goals: Protect Customer Data & Infrastructure; Enable Policy Compliance; Protect Brand. Lifecycle phases: Kickoff & Business Risk Analysis; Architecture Risk Analysis; Code Analysis & Inspection; Security Testing; Response Preparation; Security Response. Supporting activities: Training; Product Security Policy.
15. vShield Products: Securing the Private Cloud End to End, from the Edge to the Endpoint. vShield Edge (Edge): secure the edge of the virtual datacenter. vShield App and Zones (Security Zone): create segmentation between enclaves or silos of workloads, for example a DMZ, Application 1 and Application 2. vShield Endpoint (Endpoint = VM): offload anti-virus processing. vShield Manager: centralized management.
28. RSA Solution for Cloud Security and Compliance v1.0: RSA Archer eGRC with VMware-specific controls; RSA enVision feeding alerts; an Automated Measurement Agent providing VI component discovery and population and VI configuration measurement.
Based on our primary research during discussions with customers like you, our customers are asking themselves four basic questions: 1) Can I virtualize my Tier 1 applications and make sure that they are secure? 2) How do I really manage compliance across both a physical and a virtualized environment? 3) How quickly can I respond to security events in my physical and virtual data center? 4) How can I secure access and information in my virtualized environment? All virtualization platforms are not the same. As you move to adopt virtual infrastructure solutions to reduce costs and improve IT operations, make sure you understand the security implications of virtualization technology and of the platform you choose. VMware offers the most robust and secure virtualization platform available. Separate fact from fiction when it comes to virtualization and IT security; understand the most significant ways in which virtualization affects security; find resources as well as the latest news on virtualization security.
VMware offers secure and robust virtualization solutions for virtual data centers and cloud infrastructures, and has both the technology and the processes to ensure that this high standard is maintained in all current and future products. VMware virtualization gives you: Secure architecture and design: based on its streamlined and purpose-built architecture, vSphere is considered by experts to be the most secure virtualization platform. Third-party validation of security standards: VMware has validated the security of our software against standards set by Common Criteria, NIST and other organizations. Proven technology: more than 250,000 customers, including all of the Fortune 100 as well as military and government installations, trust VMware to virtualize their mission-critical applications. The NSA is one of VMware's customers! Title Month Year
Today most security is enforced as an add-on to the OS or the application, making it ineffective, inconsistent and complex. Pushing information security enforcement into the virtualization and cloud infrastructure ensures consistency, simplifies security management and enables customers to surpass the levels of security possible in today’s physical infrastructures by making security SEAMLESS. You won't need to sacrifice security, control or compliance on your journey to the cloud or virtualization. With the VMware vShield family and the RSA product line security solutions, you get virtualization-aware protection that adapts to dynamic cloud environments, making it "better-than-physical." Reduce the complexity of endpoint, application and edge network security by improving visibility and accelerating compliance, all within a single framework.
When discussing security with customers it really comes down to three basic principles: TRUST, Policies, Visibility. 2) First, a baseline of what your company or your customers require: creating policies, implementing these policies and enforcing them. 3) But a big part of security, or trust, has to be visibility into what is happening: proving compliance, and being able to act on any security alert or alarm that comes up and resolve it. All of these together.
vCloud Infrastructure. Underlying vSphere. vCloud-specific: Resource Sharing (ensure isolation); Logging and Monitoring (watch for anomalies and violations); User Management.
Virtual machines running on an ESX server are truly isolated from each other: they cannot see each other's CPU instructions, memory, network or storage, and they do not share a "parent domain" that is a full OS. The hypervisor can enforce more restrictive controls on a VM's Ethernet network by not allowing it to set its interface to promiscuous mode, change its MAC address, or forge the source MAC address. There are other controls on the interaction between a virtual machine and the hypervisor, such as the ability to copy data between the guest and the host.
What security framework do the VMware engineers work to? VMware engineers have security practices built into their coding practices. In addition to automated tools imposing security best practices, engineers have guidelines to follow and review each other's code once it is checked in. VMware software engineers value security very highly and dedicate a significant amount of focus and effort to ensuring code is secure by design and implementation, to reduce the risk of insecure code entering the product line. VMware Selected as Virtualization Partner for the National Security Agency’s Secure Workstation Solution: Federal Agency Contracts with General Dynamics to Develop High Assurance Platform Workstations Using VMware Software to Enable Secure Access to Varying Levels of Classified Materials (PALO ALTO, Calif., August 29, 2007). What audits does VMware carry out on its software? Security by design: VMware carries out both internal audits, by its security and engineering teams, and periodic external audits by a leading security organization. VMware, like other software companies, acts upon the results of these audits in a timely manner to ensure that its products are as secure as possible. Like other software companies, VMware does not disclose the results of these audits, but should updates be required to released products then a security notice and update will be released via the normal channel.
Thousands of customers use it in production. Passed security audit and put into production use by the largest banks in the US. Passed Defense and Security Agencies' scrutiny and audit. 3rd-party validation: audit by Foundstone. Common Criteria Certification: EAL2 achieved for ESX 2.5/VirtualCenter 1.5; EAL4+ in progress for VMware Infrastructure 3.
Introduction of a new management layer. Virtualization software, like all other infrastructure software, requires the ability to manage the components of the solution. This occurs through a management interface which connects together virtualization hosts, management servers, IP-based storage, and ancillary services such as authentication and monitoring. Since there is isolation between the virtual machines and the hypervisor’s interfaces, the most important step in securing a virtual deployment is to design and implement a strict separation of the management layer from any other network traffic. This greatly reduces the possibility of an attack on a virtual machine affecting the virtualization layer or any other virtual machine. Switches and servers combined into one device. With VMware Infrastructure, not only can you create multiple VMs on a single host but virtual networks as well. This is implemented using software layer-2 virtual switches with enterprise-class features such as VLANs and hardware NIC teaming for availability and performance. Virtual networking provides a tremendous amount of flexibility and cost savings. You can create a switch with as many ports as you need, and you can create a large number of switches. However, there are several aspects of virtual networking that affect security. Lack of intra-server network visibility: traditional network-based security tools rely upon access to the traffic traversing physical switches, typically through a hardware appliance. When the switch is virtual, new solutions must be employed that access virtual networking traffic, by running in a virtual appliance for example. No separation-by-default of administration: in a non-virtual infrastructure at a large enterprise, the server team is distinct from the network team, which might be distinct from the security team.
With virtualization, a single administrative interface controls both virtual machines and virtual networks, and the separation must be re-introduced through the proper definition of roles and privileges. Elevated risk of misconfiguration: the fact that it is possible to have more than one virtual switch on a host also represents a significant change. Now, instead of requiring you to physically unplug a network cable from one switch and insert it into another, you can change the virtual switch of a VM with a simple drop-down menu. This flexibility of course brings about tremendous efficiencies, but it also elevates the risk of misconfiguration. This must be mitigated through familiar techniques such as strong change controls and meticulous log and event monitoring.
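The hypervisor-level Ethernet controls (promiscuous mode, MAC address changes, forged transmits) and the management-network separation discussed above are exactly the kind of settings that drift when a vSwitch can be changed from a drop-down menu. The following is an added example, not code from the presentation or from VMware or RSA, of an audit that walks a host's vSwitch and port-group configuration, applies the port-group override semantics vSphere uses (a port group either inherits the vSwitch policy or overrides it), and rolls the findings up to per-control pass/fail. The inventory format, the control identifiers NET-01 to NET-05, the role labels and the two sample hosts are all constructed for the example; real input would come from an export of each host's network configuration.

```python
"""Audit constructed vSphere host inventories for the vSwitch security policy
and management-network separation controls (added example; the data model
and control ids are assumptions, not a VMware or RSA format)."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class VSwitch:
    name: str
    allow_promiscuous: bool = False
    mac_changes: bool = True        # constructed defaults modelled on a permissive "Accept" baseline
    forged_transmits: bool = True


@dataclass
class PortGroup:
    name: str
    vswitch: str
    vlan: int
    roles: frozenset                           # constructed labels: "management", "vmotion", "storage", "vm"
    allow_promiscuous: Optional[bool] = None   # None means "inherit from the vSwitch"
    mac_changes: Optional[bool] = None
    forged_transmits: Optional[bool] = None


@dataclass
class Host:
    name: str
    vswitches: dict     # name -> VSwitch
    portgroups: list    # [PortGroup]


# (attribute, control id): True means the policy is "Accept", which each control forbids
POLICY_CONTROLS = (("allow_promiscuous", "NET-01"),
                   ("mac_changes", "NET-02"),
                   ("forged_transmits", "NET-03"))


def effective(pg, vs, attr):
    """Port-group override wins; otherwise the vSwitch setting applies."""
    override = getattr(pg, attr)
    return getattr(vs, attr) if override is None else override


def audit_host(host):
    """Return (control_id, object, finding) tuples; an empty list means the host is compliant."""
    findings = []
    for pg in host.portgroups:
        vs = host.vswitches[pg.vswitch]
        for attr, cid in POLICY_CONTROLS:
            if effective(pg, vs, attr):
                findings.append((cid, f"{host.name}/{pg.name}", f"{attr} is Accept, expected Reject"))
    # Management traffic must be strictly separated from everything else.
    mgmt = [pg for pg in host.portgroups if "management" in pg.roles]
    others = [pg for pg in host.portgroups if "management" not in pg.roles]
    for m in mgmt:
        for o in others:
            if m.vlan == o.vlan:        # same broadcast domain: no separation at all
                findings.append(("NET-04", f"{host.name}/{m.name}", f"shares VLAN {m.vlan} with {o.name}"))
            elif m.vswitch == o.vswitch:  # VLAN-only separation on a shared switch: weaker than a dedicated switch
                findings.append(("NET-05", f"{host.name}/{m.name}", f"shares vSwitch {m.vswitch} with {o.name}"))
    return findings


def compliance_summary(hosts):
    """Roll all host findings up to one pass/fail per control, the shape a GRC feed expects."""
    status = {cid: "pass" for _, cid in POLICY_CONTROLS}
    status.update({"NET-04": "pass", "NET-05": "pass"})
    for host in hosts:
        for cid, _, _ in audit_host(host):
            status[cid] = "fail"
    return status


# Constructed sample: esx01 hardened its management switch but left the VM switch at defaults;
# esx02 placed management and VM port groups on the same VLAN of one switch.
SAMPLE_HOSTS = [
    Host("esx01",
         {"vSwitch0": VSwitch("vSwitch0", False, False, False), "vSwitch1": VSwitch("vSwitch1")},
         [PortGroup("Management", "vSwitch0", 10, frozenset({"management"})),
          PortGroup("Web", "vSwitch1", 20, frozenset({"vm"}))]),
    Host("esx02",
         {"vSwitch0": VSwitch("vSwitch0", False, False, False)},
         [PortGroup("Management", "vSwitch0", 20, frozenset({"management"})),
          PortGroup("Web", "vSwitch0", 20, frozenset({"vm"}), forged_transmits=True)]),
]

if __name__ == "__main__":
    for host in SAMPLE_HOSTS:
        for cid, obj, msg in audit_host(host):
            print(f"{cid} {obj}: {msg}")
    print(compliance_summary(SAMPLE_HOSTS))
```

Running it against the sample inventory reports NET-02 and NET-03 on esx01's Web port group (inherited from the unhardened vSwitch1), NET-03 on esx02's Web port group (an explicit override) and NET-04 on esx02's Management port group; the summary marks NET-01 and NET-05 as passing.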
For vSphere-based environments, vShield solutions provide capabilities to secure the edge of the vDC, protect virtual applications from network-based threats, and streamline antivirus protection for VMware View deployments by offloading AV processing to dedicated security VMs. These new product offerings can start securing infrastructure almost immediately, since all the underlying compute resources are already present in the vSphere environment. The same solutions in the traditional security model would have taken months to authorize and provision in the physical data center. So what is vShield Edge, and how is it LIKE what you’ve already seen in the physical data center? The solution provides a virtual appliance with the following capabilities: DHCP, to automate IP address assignment to virtual machines in the vDC; NAT, network address translation to mask private IP addresses in the vDC when they send traffic to untrusted networks; Firewall, inbound and outbound connection control based on source/destination IP address and application port; Site-to-site VPN, to encrypt traffic between vDCs to allow for confidentiality between organizations or partner extranets; Web load balancer, actually load balancing based on IP address, but in practice, since over 70% of server virtualization is for the web tier, organizations use load balancing for HTTP/S traffic. And for each vSphere host, the virtual network can be carved up just as a physical network can be carved up using VLANs. This “Network Isolation” keeps traffic within the organization contained within a single port group. But while there are similarities with security in the physical world, there are key differences, and benefits, of vShield Edge over the alternatives: 1. No additional hardware: the virtual appliance with all the aforementioned edge features is provisioned using existing vSphere resources. 2. No complicated VLAN rules: network isolation is enforced at the hypervisor layer, not requiring VLAN-enabled switches. 3. Rapid and scalable provisioning: each ‘tenant’ gets their edge security virtually on demand, rather than through some complicated change management process which would require budget and rack space for new edge security hardware. 4. Centralized management and logging: with traditional security, each point solution would require its own management interface and logging infrastructure. With vShield, all policy management is done from one interface and logs are written in syslog format to a single location. Demonstrating compliance is a breeze. Offload anti-virus processing: tighter collaborative effort with leading AV partners; hypervisor-based introspection for all major AV functions; file-scanning engines and virus definitions offloaded to a security VM, scheduled and real-time; thin file-virtualization driver in-guest, >95% reduction in guest footprint (eventually fully agentless). Deployable as a service: no agents to manage, thin guest driver bundled with VMware Tools (est. vSphere 4.1 U1); turnkey, security-as-a-service delivery; applicable to all virtualized deployment models: private clouds (virtual datacenters), public clouds (service providers), virtual desktops.
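Centralized syslog-format logging is only useful for compliance if something reads the logs and turns them into events, which is the "meticulous log and event monitoring" the earlier slide calls for. The following is an added example, not code from the presentation or from VMware or RSA, of a small monitor over edge firewall and configuration log lines: it parses the syslog header and the key=value firewall fields, flags an accepted flow that crosses tenant boundaries (an isolation policy violation), flags a source that keeps hitting dropped destination/port combinations (a probe worth an analyst's attention), and surfaces every rule change so it can be matched to a change ticket. The line format, the tenant address ranges and the ten sample lines are constructed for the example and are not vShield Edge's actual log format.

```python
"""Monitor constructed syslog-format edge firewall and config log lines for
isolation breaches, probing sources and rule changes (added example; the
line format and tenant ranges are assumptions, not vShield Edge's format)."""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

SYSLOG_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<proc>\w+): (?P<msg>.*)$")
FW_RE = re.compile(r"^(?P<action>ACCEPT|DROP) (?P<kv>.*)$")

# Constructed tenant address plan; anything outside it (e.g. shared DNS) belongs to no tenant.
TENANTS = {"tenantA": ip_network("10.1.0.0/16"), "tenantB": ip_network("10.2.0.0/16")}


def parse_line(line):
    """Return a dict of syslog fields plus action/src/dst/dport for firewall lines, or None."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    fw = FW_RE.match(rec["msg"])
    if fw:
        rec["action"] = fw["action"]
        rec.update(kv.split("=", 1) for kv in fw["kv"].split())
    return rec


def tenant_of(ip):
    addr = ip_address(ip)
    for name, net in TENANTS.items():
        if addr in net:
            return name
    return None


def analyse(lines, probe_threshold=5):
    """Return (kind, detail) alerts in the order they are raised; probe alerts come last."""
    dropped_targets = defaultdict(set)   # src -> {(dst, dport)}
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            alerts.append(("UNPARSED", line))      # a broken collector is itself a compliance gap
            continue
        if rec["proc"] == "config":
            alerts.append(("CONFIG_CHANGE", f"{rec['host']}: {rec['msg']}"))
            continue
        if "action" not in rec:
            continue
        src_t, dst_t = tenant_of(rec["src"]), tenant_of(rec["dst"])
        if rec["action"] == "ACCEPT" and src_t and dst_t and src_t != dst_t:
            alerts.append(("ISOLATION_BREACH",
                           f"{rec['src']} ({src_t}) -> {rec['dst']} ({dst_t}) dport {rec['dport']}"))
        if rec["action"] == "DROP":
            dropped_targets[rec["src"]].add((rec["dst"], rec["dport"]))
    for src, targets in dropped_targets.items():
        if len(targets) >= probe_threshold:
            alerts.append(("PROBE", f"{src} hit {len(targets)} distinct dropped dst/port combinations"))
    return alerts


# Constructed sample log: one accepted cross-tenant flow, five drops from one source,
# one rule change and one line the collector mangled.
SAMPLE_LOG = """\
Apr  7 11:02:15 edge-tenantA firewall: ACCEPT in=vNic_0 out=vNic_1 src=10.1.1.5 dst=10.1.1.20 proto=TCP dport=443
Apr  7 11:02:16 edge-tenantA firewall: ACCEPT in=vNic_0 out=vNic_1 src=10.1.1.5 dst=10.0.0.5 proto=UDP dport=53
Apr  7 11:02:20 edge-tenantA firewall: ACCEPT in=vNic_0 out=vNic_1 src=10.1.1.5 dst=10.2.4.9 proto=TCP dport=3306
Apr  7 11:03:01 edge-tenantB firewall: DROP in=vNic_0 out=vNic_1 src=10.2.3.4 dst=10.2.4.9 proto=TCP dport=22
Apr  7 11:03:01 edge-tenantB firewall: DROP in=vNic_0 out=vNic_1 src=10.2.3.4 dst=10.2.4.9 proto=TCP dport=23
Apr  7 11:03:02 edge-tenantB firewall: DROP in=vNic_0 out=vNic_1 src=10.2.3.4 dst=10.2.4.9 proto=TCP dport=80
Apr  7 11:03:02 edge-tenantB firewall: DROP in=vNic_0 out=vNic_1 src=10.2.3.4 dst=10.2.4.9 proto=TCP dport=135
Apr  7 11:03:03 edge-tenantB firewall: DROP in=vNic_0 out=vNic_1 src=10.2.3.4 dst=10.2.4.10 proto=TCP dport=445
Apr  7 11:05:00 edge-tenantA config: rule 12 added by admin@example.test (allow any to any)
this line is not syslog at all
"""

if __name__ == "__main__":
    for kind, detail in analyse(SAMPLE_LOG.splitlines()):
        print(f"{kind:17} {detail}")
```

The accepted flow to 10.0.0.5 (shared DNS, outside every tenant range) is deliberately not flagged; only the accepted tenantA-to-tenantB connection is. In practice the threshold and the tenant map would come from the same policy source the edge appliances are provisioned from, so that the monitor and the enforcement point never disagree about what "isolated" means.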
What is VMware doing to continuously improve the security of their products? In addition to the inclusion of fine-grained security controls, such as roles and permissions, and granular controls on virtual machines such as Ethernet controls, VMware is focused on reducing the security footprint and exposure of their products as well as innovating new features with partners. To reduce the footprint, VMware recently released ESXi: the custom-built, "I was born to be a hypervisor" kernel at the heart of ESXi is only 32MB (compared to the bloated, 2GB+ fully-loaded OSs that act as the all-powerful "parent domain" in Hyper-V and Citrix Xen).
Where can we get help on security from VMware? VMware has provided an online Security Center. Check out the VMware Knowledge Base, where you can search for "security" and other topics. Read the VMware Security Blog. Subscribe to the VMware Security Feed. Security services are also available from the VMware Professional Services Organization. Speak with your local VMware representative to find out more.
Compliance (depending on your industry), information governance, and reporting to ensure all these measures are in place are a big concern for customers. This is another opportunity for RSA security solutions to help.
The solution provides multiple views into the compliance posture of the VMware infrastructure. Archer has a tiered hierarchy mapping regulations to control standards and control procedures in place out of the box: from the virtual administrator who is looking at specific technical controls, to the “C-level” officer who is looking at how those roll up to affect the status of compliance with regulations such as PCI DSS. Clicking on a Control Procedure gives more detail, exactly how to do it on a specific device; it is mapped to a Control Standard, which is more general (you should be doing these kinds of things); and that in turn is what you should be doing to comply with the relevant section of the Authoritative Source above it. You can report on the PCI posture of your infrastructure.
<1 click> The new RSA Solution for Cloud Security and Compliance is based on the Archer eGRC platform. Over 130 VMware-specific controls have been added to Archer to enable VMware security policy implementation and management tied directly to regulations such as PCI and HIPAA. So organizations can now use Archer to centralize management and view security compliance across both physical and virtual IT. This RSA solution also includes a new software component that continuously does two things: it discovers new virtual infrastructure devices, and it interrogates about 30-40% of the 130 control procedures to verify that VMware security controls have been implemented correctly. The results of these automated discovery and configuration checks are fed directly into Archer for continuous controls monitoring across the virtual infrastructure and augment answers from VI admins to web-based questionnaires. This allows security operations to more quickly and continuously remediate non-compliant controls. <1 click> Integrating enVision into this Archer solution via an internal project called “Golden Gate” ensures that log data and alerts on security events generated from virtual resources and collected by enVision are passed into RSA Archer, so customers are aware of any new security events that alter their compliance posture. The entire solution is documented in a SecurBook, which is available in the SRC and online at rsa.com. - Confidential - Introduction to Selling the RSA Solution for Cloud Security and Compliance
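The three-tier hierarchy (Authoritative Source, Control Standard, Control Procedure) and the mix of agent-measured and questionnaire-answered procedures described above amount to a small roll-up algorithm. The following is an added example, not code from the presentation or from RSA Archer, that models that hierarchy, merges automated measurements into only the procedures that are automated, and rolls status upward on a worst-result-wins rule so that a single failing or unanswered procedure shows through at the regulation level. The regulation labels, control ids and measurement values are constructed for the example; the PCI DSS requirement titles are paraphrased, not quoted from the standard.

```python
"""Roll control-procedure results up a three-tier GRC hierarchy (added
example; the data model and sample controls are assumptions, not Archer's)."""
from dataclasses import dataclass, field


@dataclass
class ControlProcedure:
    id: str
    description: str
    source: str               # "automated" (measurement agent) or "questionnaire" (VI admin answers)
    result: str = "unknown"   # "pass", "fail" or "unknown"


@dataclass
class ControlStandard:
    id: str
    title: str
    procedures: list = field(default_factory=list)


@dataclass
class AuthoritativeSource:
    id: str
    title: str
    standards: list = field(default_factory=list)


SEVERITY = {"pass": 0, "unknown": 1, "fail": 2}


def rollup(results):
    """Worst result wins: a failing child fails the parent, an unanswered child keeps it unknown."""
    return max(results, key=SEVERITY.__getitem__, default="unknown")


def standard_status(cs):
    return rollup([cp.result for cp in cs.procedures])


def source_status(src):
    return rollup([standard_status(cs) for cs in src.standards])


def apply_measurements(src, measurements):
    """Merge agent results (control id -> result) into automated procedures only; returns how many were updated."""
    applied = 0
    for cs in src.standards:
        for cp in cs.procedures:
            if cp.source == "automated" and cp.id in measurements:
                cp.result = measurements[cp.id]
                applied += 1
    return applied


def assess(sources, measurements):
    """Apply measurements to every source and return {source id: rolled-up status}."""
    for src in sources:
        apply_measurements(src, measurements)
    return {src.id: source_status(src) for src in sources}


def open_items(src):
    """Everything still needing action, with its full path, for the VI admin's and SecOps' worklist."""
    return [(src.id, cs.id, cp.id, cp.result)
            for cs in src.standards for cp in cs.procedures if cp.result != "pass"]


def build_sample():
    """Constructed hierarchy: two paraphrased PCI DSS requirements with a few procedures each."""
    net = ControlStandard("CS-NET", "Restrict traffic between trust zones", [
        ControlProcedure("NET-02", "Reject MAC address changes on VM port groups", "automated"),
        ControlProcedure("NET-03", "Reject forged transmits on VM port groups", "automated"),
        ControlProcedure("Q-07", "Firewall rule set reviewed within six months", "questionnaire"),
    ])
    log = ControlStandard("CS-LOG", "Centralize hypervisor and edge logs", [
        ControlProcedure("LOG-01", "Remote syslog target configured on every host", "automated"),
    ])
    return [AuthoritativeSource("PCI-DSS-1", "Maintain a firewall configuration", [net]),
            AuthoritativeSource("PCI-DSS-10", "Track and monitor access to network resources", [log])]


# Constructed agent output, as the measurement component would feed it into the hierarchy.
SAMPLE_MEASUREMENTS = {"NET-02": "fail", "NET-03": "fail", "LOG-01": "pass", "Q-07": "pass"}

if __name__ == "__main__":
    sources = build_sample()
    print(assess(sources, SAMPLE_MEASUREMENTS))
    for item in open_items(sources[0]):
        print(item)
```

Note that Q-07 is in the measurement dict but is not applied, because it is a questionnaire item; it stays unknown until an administrator answers it, and that alone would keep PCI-DSS-1 from rolling up to pass even after the two network controls are fixed.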
The future direction for the RSA Cloud Solution for Security and Compliance will make Archer the best GRC solution for hybrid clouds, using the same tool that is used widely to manage risk and compliance across the enterprise. RSA offers one additional differentiator today, as we are first to market with a feature which helps customers assess cloud service providers. The Cloud Security Alliance is a not-for-profit organization that is producing leading guidance about best practice in cloud computing and has produced a checklist for potential users of such services. Its membership comprises RSA plus both vendors and enterprises from over 20 major companies. RSA's Cloud Solution aligns with the CSA Assessment Questions (part of the CSA GRC Stack) by using Archer's questionnaire workflow to help customers automate the process of asking cloud service providers the 195 CSA questions covering the most critical components of a service provider's offering, from business and legal processes to technical infrastructure best practices. This will help customers assess, against industry-established best practices, standards, and critical compliance requirements, which hybrid and public cloud service providers best fit their needs.
To help customers implement our solutions, we’ve developed the RSA SecurBook. This easy-to-follow solution guide provides detailed instructions for deploying and administering RSA’s solution in a virtualized environment. Designed to help organizations reduce implementation time and total cost of ownership, the RSA SecurBooks offer guidance for the Cloud Security and Compliance Solution and the VMware View Solution.
Avamar is the industry-leading backup and recovery solution for VMware environments. In fact, VMware, the company, uses Avamar for its enterprise data protection. Avamar provides both guest-level and image-level (VMDK) backup and recovery.
Another area that VMware had opened up for integration is the vStorage API for Site Recovery Manager. This was a huge development, as the lack of an easy integrated disaster recovery solution was a barrier for many organizations’ adoption of VMware for their production environments. Site Recovery Manager coordinates with vendor-developed Storage Replication Adapters. These Adapters allow for automated set-up and testing of disaster recovery, as well as the automated clean failover from the production site to the recovery site. The one feature that today’s Site Recovery Manager is lacking is failback. After the disaster is over, failback to the production site is a manual process. Today, EMC is the only vendor providing an easy mechanism for automating the failback process – all managed from our Virtual Storage Integrator vCenter plug-in.