Secure and Scale Your Virtual Infrastructure While
Meeting Compliance Mandates
Tim Grance, Senior Computer Scientist, NIST
Sushant Rao, Product Management Director, HyTrust
Curtis Salinas, Systems Engineer, HyTrust


© 2012, HyTrust, Inc. www.hytrust.com   1975 W. El Camino Real, Suite 203, Mountain View, CA 94040   Phone: 650-681-8100 / email: info@hytrust.com
Security and Compliance Will Be Key to Virtualizing the Next 50% of the Data Center

Discussion

•  Growth depends on virtualizing mission critical workloads
•  Virtualization platform provides basic security: OK for non-critical workloads
•  Tier 1/2 workloads have higher security and compliance needs
•  Purpose-built solutions needed
Privileged Users Can Have Huge Impact

•  87%: percentage of companies that have experienced a data breach (IT Compliance Institute)
•  74%: percentage of breached companies who lost customers as a result of the breach (IT Compliance Institute)
•  48%: percent of all breaches that involved privileged user misuse (Verizon report, 2010)

Shionogi & Co: $3.2B pharmaceutical company

Laid off IT admin:
•  Logged in remotely to vSphere from local McDonald's Wi-Fi
•  Deleted 88 virtual production servers
•  Took down email, order entry, payroll, BlackBerry, & other services
•  Caused $800K damage
Expert Consensus on Virtualization Best Practices

•  "Restrict and protect administrator access to the virtualization solution."
•  "Secure each management interface."
•  "Monitor and analyze logs at all layers of the virtualization infrastructure."
•  "Enforce least privilege and separation of duties."
•  "It is critical that independent monitoring of all activities be enforced."
•  "Require multi-factor authentication for all administrative functions."
•  "Administrative access to the hypervisor/VMM layer must be tightly controlled."


          * NIST SP 800-125: Guide to Security for Full Virtualization Technologies
          ** PCI-DSS 2.0 Information Supplement – Virtualization Security
          *** Neil MacDonald, vice president and Gartner fellow


HyTrust Appliance Provides Necessary Controls to Confidently Virtualize Mission-Critical Applications

Secures the administration of the hypervisor & virtual infrastructure:
•  Enforces consistent access and authorization policies covering all access methods
•  Provides granular, user-specific, audit-quality logs
•  Enables strong, multi-factor authentication
•  Verifies platform integrity, ensuring the hypervisor is hardened and the virtual infrastructure is trusted

Provides complete visibility into and control over who accesses the infrastructure, the integrity of the infrastructure, and the validity of the changes requested.




HyTrust’s Unique Role in Virtual Infrastructure Security




Major Partners Trust HyTrust

•  HyTrust is key "go to" partner for vSphere security and compliance
•  HyTrust is part of CA Access Control for Virtual Environments
•  HyTrust is the platform security solution (access control and auditing) for vBlock
•  HyTrust provides combined reporting with Trend's Deep Security product
•  HyTrust provides native integration with SecurID and enVision
•  HyTrust reporting and controls being integrated with Symantec CCS
•  HyTrust is part of Intel's trusted cloud architecture based on TXT
•  HyTrust event reporting and TXT integration being integrated with McAfee ePO




Virtualize More With HyTrust

•  Admin compliance and controls essential for mission critical workloads
•  Capabilities not available from the virtual infrastructure:
   •  Granular, audit-quality administration logs
   •  Granular, consistent privileged user and VM control policies
   •  Multi-tenancy logical segmentation
•  Trusted by market leaders
•  Key component of major partners' solutions




NIST Special Publication (SP) 800-125

Guide To Security for Full Virtualization Technologies

Recommendations of the National Institute of Standards and Technology




Tim Grance
Senior Computer Scientist in the Computer Security Division

Disclaimer

Any mention of commercial products or reference to commercial organizations is for information only; it does not imply recommendation or endorsement by NIST nor does it imply that the products mentioned are necessarily the best available for the purpose.




Agenda

•  What is SP 800-125
•  Why virtualization
•  Full virtualization
•  Security concerns
•  Recommendations for security for full virtualization technologies
•  Summary
•  Questions and answers
•  Resources




SP 800-125

•  Full virtualization technologies
•  Server and desktop virtualization
•  Security threats
•  Security recommendations for protecting full virtualization




Why Virtualization?

•  Reduce hardware footprint
•  More efficiency
•  Reduce energy, operations, and maintenance costs, e.g., disaster recovery, dynamic workload, security benefits, etc.
•  Consolidation




Forms of Virtualization

•  Simulated environment
•  Does not cover OS and application virtualization
•  Full virtualization: CPU, storage, network, display, etc.
•  Hypervisor and host OS
•  Virtual Machine (VM): guest OS
   •  Isolated
   •  Encapsulated
   •  Portable




Full Virtualization

•  Bare metal virtualization
•  Hosted virtualization
•  Server virtualization
•  Desktop virtualization




Virtualization and Security Concerns

•  Additional layers of technology
•  Many systems on a physical system
•  Sharing a pool of resources
•  Lack of visibility
•  Dynamic environment
•  May increase the attack surface




Recommendations for Security for Full Virtualization Technologies

•  Risk based approach
•  Secure all elements of a full virtualization solution and perform continuous monitoring
•  Restrict and protect administrator access to the virtualization solution
•  Ensure that the hypervisor is properly secured
•  Carefully plan the security for a full virtualization solution before installing, configuring, and deploying it




Summary of Threats and Countermeasures

•  Intra-guest vulnerabilities
   •  Hypervisor partitioning
•  Lack of visibility in the guest OS
   •  Hypervisor instrumentation and monitoring
•  Hypervisor management
   •  Protect management interface, patch management, secure configuration
•  Virtual workload security
   •  Management of the guest OS, applications, data protection, patch management, secure configuration, etc.
•  Virtualized infrastructure exposure
   •  Manage access control to the hardware, hypervisors, network, storage, etc.




Resources

•  Presidential Memorandum, June 10, 2010, Disposing of Unneeded Federal Real Estate, is available on the following Web page: http://www.whitehouse.gov/the-press-office/presidential-memorandum-disposing-unneeded-federal-real-estate
•  NIST publications that provide information and guidance on planning, implementing and managing information system security and protecting information include:
   •  Federal Information Processing Standard (FIPS) 199, Standards for Security Categorization of Federal Information and Information Systems
   •  NIST Special Publication (SP) 800-37 Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach
   •  NIST SP 800-53 Revision 3, Recommended Security Controls for Federal Information Systems and Organizations
   •  NIST SP 800-61 Revision 1, Computer Security Incident Handling Guide
   •  NIST SP 800-64 Revision 2, Security Considerations in the System Development Life Cycle
   •  NIST SP 800-88, Guidelines for Media Sanitization
   •  NIST SP 800-115, Technical Guide to Information Security Testing and Assessment
   •  NIST SP 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)
•  For information about these NIST standards and guidelines, as well as other security-related publications, see NIST's Web page http://csrc.nist.gov/publications/index.html
HyTrust Fills Critical Platform Access Gaps

•  Gap: Multiple administrators can log into hosts anonymously by sharing a root account.
   HyTrust solution: Uses root password vaulting (check-in/out) to ensure admins are individually accountable.
•  Gap: An admin can bypass vCenter access controls and logging by connecting directly to hosts.
   HyTrust solution: Controls and logs access via any connection method, creating accountability.
•  Gap: An admin can access another organization's virtualized workloads in multi-tenant environments.
   HyTrust solution: Ensures that admins can only access their own organization's data and applications, enabling secure multi-tenancy.
•  Gap: Platform allows access via default password or compromised admin password.
   HyTrust solution: Prevents use of default passwords and supports multi-factor authentication to stop unauthorized access.
•  Gap: A current or terminated admin can connect to the platform undetected using a backdoor account.
   HyTrust solution: Controls and logs access to every admin account, preventing major security breaches.




HyTrust Fills Critical Platform Authorization Gaps

•  Gap: An administrator can shut down any virtualized application or switch.
   HyTrust solution: Protects business continuity by controlling what resources an admin can manage.
•  Gap: An admin can create unapproved VMs, with negative operations or compliance impacts.
   HyTrust solution: Prevents damaging outcomes by controlling VM creation privileges.
•  Gap: An admin can disable security such as virtualized firewalls and antivirus.
   HyTrust solution: Preserves security by blocking unapproved shutdowns of virtual security measures.
•  Gap: An admin can copy sensitive data from a VM to external storage.
   HyTrust solution: Keeps sensitive data confidential by applying controls to virtual resources.
•  Gap: An admin can replace a critical VM with a compromised copy while leaving no tracks.
   HyTrust solution: Exposes tampering by creating a permanent, unchangeable record of every operation.
•  Gap: An admin can move a low trust virtualized workload to a high trust server or virtual subnet, and vice versa.
   HyTrust solution: Mitigates security and compliance risks by preventing mixing of trust levels.




HyTrust Fills Critical Log Data Gaps

Log data provider: Virtualization Platform
•  Data for allowed operation (example): User: root; time/date; target resource name, URL; operation executed
•  Data for denied operation (example): none
•  Usability and productivity:
   •  Separate log files for vCenter and each host server
   •  Different log formats for vCenter vs. hosts

Log data provider: HyTrust
•  Data for allowed operation (example): all of the above, plus:
   •  User ID
   •  Source IP address
   •  Resource reconfigured
   •  Previous resource state
   •  New resource state
   •  Label (Production)
   •  Required privileges
   •  Evaluated rules/constraints
•  Data for denied operation (example):
   •  User ID
   •  Date/time
   •  Source IP address
   •  Operation requested
   •  Operation denial
   •  Target resource name, IP address, port, and protocol
   •  Required privileges
   •  Missing privileges
   •  Evaluated rules/constraints
•  Usability and productivity:
   •  Consolidated, centrally managed logs covering vCenter and all hosts
   •  Single, uniform format for combined vCenter and host log data
   •  Logs sent to central repository or SIEM via syslog
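The point of the extra fields above (user ID, source IP, allowed versus denied, resource label) is that they make detections possible that a "User: root" entry with no origin cannot support. The Python below is an added example, not code from this deck, from HyTrust or from VMware. Everything in it is assumed for illustration: the key=value syslog-style line format, the constructed sample events, the administrative address ranges, and the thresholds and time windows. The sample replays two patterns the deck mentions: one user deleting several Production VMs from an off-network address within seconds (the Shionogi case on slide 3), and a user repeatedly denied a host firewall change.

```python
"""Detections over privileged-operation logs.

Added example: constructed log lines in an assumed key=value syslog style, not
HyTrust's or vSphere's real log format. Thresholds and networks are assumptions.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample carrying the per-user, per-source-IP, allowed/denied fields
# the slide lists. The last line imitates the platform-only view: a shared
# "root" account with no source address.
SAMPLE_LOG = """\
2012-02-10T02:01:05Z user=jsmith src=203.0.113.7 op=VirtualMachine.Delete target=vm-prod-mail label=Production result=allowed
2012-02-10T02:01:09Z user=jsmith src=203.0.113.7 op=VirtualMachine.Delete target=vm-prod-orders label=Production result=allowed
2012-02-10T02:01:14Z user=jsmith src=203.0.113.7 op=VirtualMachine.Delete target=vm-prod-payroll label=Production result=allowed
2012-02-10T02:01:20Z user=jsmith src=203.0.113.7 op=VirtualMachine.Delete target=vm-prod-bes label=Production result=allowed
2012-02-10T09:15:00Z user=mlee src=10.20.0.15 op=VirtualMachine.PowerOff target=vm-dev-test1 label=Development result=allowed
2012-02-10T09:16:30Z user=mlee src=10.20.0.15 op=Host.Config.Firewall target=esx-prod-01 label=Production result=denied
2012-02-10T09:16:41Z user=mlee src=10.20.0.15 op=Host.Config.Firewall target=esx-prod-02 label=Production result=denied
2012-02-10T09:16:55Z user=mlee src=10.20.0.15 op=Host.Config.Firewall target=esx-prod-03 label=Production result=denied
2012-02-10T11:00:00Z user=root src=- op=Host.Config.Patch target=esx-prod-01 label=Production result=allowed
"""

# Assumed administrative networks; any other source is treated as off-network.
ADMIN_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) op=(?P<op>\S+) "
    r"target=(?P<target>\S+) label=(?P<label>\S+) result=(?P<result>allowed|denied)$"
)


def parse(log_text):
    """Parse the constructed format into dicts; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(e)
    return events


def _max_burst(times, window):
    """Largest number of timestamps inside any window that starts at one of them."""
    times = sorted(times)
    return max((sum(1 for t in times[i:] if t - t0 <= window) for i, t0 in enumerate(times)), default=0)


def _bursts_by_user(events, predicate, threshold, window):
    """Map user -> burst size for users whose matching events reach the threshold."""
    by_user = defaultdict(list)
    for e in events:
        if predicate(e):
            by_user[e["user"]].append(e["ts"])
    bursts = {u: _max_burst(ts, window) for u, ts in by_user.items()}
    return {u: n for u, n in bursts.items() if n >= threshold}


def mass_production_deletions(events, threshold=3, window=timedelta(minutes=5)):
    """Users who deleted >= threshold Production-labelled VMs within one window."""
    return _bursts_by_user(
        events,
        lambda e: e["op"] == "VirtualMachine.Delete" and e["result"] == "allowed" and e["label"] == "Production",
        threshold, window,
    )


def denial_bursts(events, threshold=3, window=timedelta(minutes=5)):
    """Users with >= threshold denied operations within one window (privilege probing)."""
    return _bursts_by_user(events, lambda e: e["result"] == "denied", threshold, window)


def offnet_admin_access(events, allowed_nets=ADMIN_NETS):
    """Events whose recorded source IP lies outside the admin networks."""
    hits = []
    for e in events:
        if e["src"] == "-":
            continue  # no source recorded; reported by unattributable() instead
        if not any(ipaddress.ip_address(e["src"]) in net for net in allowed_nets):
            hits.append(e)
    return hits


def unattributable(events):
    """Events against a shared account or with no source IP: the platform-log gap."""
    return [e for e in events if e["user"] == "root" or e["src"] == "-"]


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("mass production deletions:", mass_production_deletions(evs))
    print("denial bursts:", denial_bursts(evs))
    print("off-network admin access:", [(e["user"], e["src"], e["op"]) for e in offnet_admin_access(evs)])
    print("unattributable:", [(e["user"], e["op"]) for e in unattributable(evs)])
```

Each detection keys on a field the platform log lacks: the deletion burst and the denial burst need a real user ID (a shared root account would merge every admin into one bucket), the off-network check needs a source address, and the denied-operation burst is invisible when denied operations are not logged at all. The last function is the inverse view: it lists the records that still cannot be attributed, which is the set an auditor would ask about.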




HyTrust In Action – Live Demo




HyTrust is a Critical Component in Virtualizing Mission-Critical Applications

•  Visibility: Authentication; Logging
•  Control: Role-Based Access Control; Policy
•  Validation: Configuration Assessment & Remediation




Thank You!


Questions and Answers





PCI-DSS Compliant Cloud - Design & Architecture Best Practices
 
S24 – Virtualiza.on Security from the Auditor Perspec.ve
S24 – Virtualiza.on Security from the Auditor Perspec.veS24 – Virtualiza.on Security from the Auditor Perspec.ve
S24 – Virtualiza.on Security from the Auditor Perspec.ve
 
G12: Implementation to Business Value
G12: Implementation to Business ValueG12: Implementation to Business Value
G12: Implementation to Business Value
 
IBM X-Force 2010 Trend and Risk Report-March 2011
IBM X-Force 2010 Trend and Risk Report-March 2011IBM X-Force 2010 Trend and Risk Report-March 2011
IBM X-Force 2010 Trend and Risk Report-March 2011
 
PCI Compliance and Cloud Reference Architecture
PCI Compliance and Cloud Reference ArchitecturePCI Compliance and Cloud Reference Architecture
PCI Compliance and Cloud Reference Architecture
 
Implementing ID Governance in Complex Environments-HyTrust & CA Technologies
Implementing ID Governance in Complex Environments-HyTrust & CA Technologies Implementing ID Governance in Complex Environments-HyTrust & CA Technologies
Implementing ID Governance in Complex Environments-HyTrust & CA Technologies
 

Kürzlich hochgeladen

CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
giselly40
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
Enterprise Knowledge
 

Kürzlich hochgeladen (20)

Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 

Secure and Scale Your Virtual Infrastructure While Meeting Compliance Mandates

  • 1. Secure and Scale Your Virtual Infrastructure While Meeting Compliance Mandates
    Tim Grance, Senior Computer Scientist, NIST
    Sushant Rao, Product Management Director, HyTrust
    Curtis Salinas, Systems Engineer, HyTrust
    © 2012, HyTrust, Inc. www.hytrust.com 1975 W. El Camino Real, Suite 203, Mountain View, CA 94040 Phone: 650-681-8100 / email: info@hytrust.com
  • 2. Security and Compliance Will Be Key to Virtualizing the Next 50% of the Data Center
    Discussion:
    - Growth depends on virtualizing mission-critical workloads
    - Virtualization platform provides basic security: OK for non-critical workloads
    - Tier 1/2 workloads have higher security and compliance needs
    - Purpose-built solutions needed
  • 3. Privileged Users Can Have Huge Impact
    - 87%: Percentage of companies that have experienced a data breach — IT Compliance Institute
    - 74%: Percentage of breached companies who lost customers as a result of the breach — IT Compliance Institute
    - 48%: Percent of all breaches that involved privileged user misuse — Verizon report, 2010
    Shionogi & Co: $3.2B pharmaceutical company. Laid-off IT admin:
    - Logged in remotely to vSphere from local McDonald’s WIFI
    - Deleted 88 virtual production servers
    - Took down email, order entry, payroll, BlackBerry, & other services
    - Caused $800K damage
  • 4. Expert Consensus on Virtualization Best Practices
    - “Restrict and protect administrator access to the virtualization solution.”
    - “Secure each management interface”
    - “Monitor and analyze logs at all layers of the virtualization infrastructure”
    - “Enforce least privilege and separation of duties”
    - “It is critical that independent monitoring of all activities be enforced”
    - “Require multi-factor authentication for all administrative functions.”
    - “Administrative access to the hypervisor/VMM layer must be tightly controlled”
    Sources: * NIST SP 800-125: Guide to Security for Full Virtualization Technologies; ** PCI-DSS 2.0 Information Supplement – Virtualization Security; *** Neil MacDonald, vice president and Gartner fellow
  • 5. HyTrust Appliance Provides Necessary Controls to Confidently Virtualize Mission-Critical Applications
    Secures the administration of the hypervisor & virtual infrastructure:
    - Enforces consistent access and authorization policies covering all access methods
    - Provides granular, user-specific, audit-quality logs
    - Enables strong, multi-factor authentication
    - Verifies platform integrity, ensuring the hypervisor is hardened and the virtual infrastructure is trusted
    Provides complete visibility into and control over who accesses the infrastructure, the integrity of the infrastructure, and the validity of the changes requested.
  • 6. HyTrust’s Unique Role in Virtual Infrastructure Security
  • 7. Major Partners Trust HyTrust
    - VMware: HyTrust is key "go to" partner for vSphere security and compliance
    - CA: HyTrust is part of CA Access Control for Virtual Environments
    - vBlock: HyTrust is the platform security solution - access control and auditing - for vBlock
    - Trend Micro: HyTrust provides combined reporting with Trend's Deep Security product
    - RSA: HyTrust provides reporting and native integration with SecurID and enVision
    - Symantec: HyTrust reporting and controls being integrated with Symantec CCS
    - Intel: HyTrust is part of Intel's trusted cloud architecture based on TXT
    - McAfee: HyTrust event reporting and TXT integration being integrated with McAfee ePO
  • 8. Virtualize More With HyTrust
    - Admin compliance and controls essential for mission-critical workloads
    - Capabilities not available from the virtual infrastructure:
      - Granular, audit-quality administration logs
      - Granular, consistent privileged user and VM control policies
      - Multi-tenancy logical segmentation
    - Trusted by market leaders
    - Key component of major partners’ solutions
  • 9. NIST Special Publication (SP) 800-125: Guide To Security for Full Virtualization Technologies
    Recommendations of the National Institute of Standards and Technology
    Tim Grance, Senior Computer Scientist in the Computer Security Division
  • 10. Disclaimer
    Any mention of commercial products or reference to commercial organizations is for information only; it does not imply recommendation or endorsement by NIST nor does it imply that the products mentioned are necessarily the best available for the purpose.
  • 11. Agenda
    - What is SP 800-125
    - Why virtualization
    - Full virtualization
    - Security concerns
    - Recommendations for security for full virtualization technologies
    - Summary
    - Questions and answers
    - Resources
  • 12. SP 800-125
    - Full virtualization technologies
    - Server and desktop virtualization
    - Security threats
    - Security recommendations for protecting full virtualization
  • 13. Why Virtualization?
    - Reduce hardware footprint
    - More efficiency
    - Reduce energy, operations, and maintenance costs, e.g., disaster recovery, dynamic workload, security benefits, etc.
    - Consolidation
  • 14. Forms of Virtualization
    - Simulated environment
    - Does not cover OS and application virtualization
    - Full virtualization – CPU, storage, network, display, etc.
    - Hypervisor and host OS
    - Virtual Machine (VM) – Guest OS: isolated, encapsulated, portable
  • 15. Full Virtualization
    - Bare-metal virtualization
    - Hosted virtualization
    - Server virtualization
    - Desktop virtualization
  • 16. Virtualization and Security Concerns
    - Additional layers of technology
    - Many systems on a physical system
    - Shared pool of resources
    - Lack of visibility
    - Dynamic environment
    - May increase the attack surface
  • 17. Recommendations for Security for Full Virtualization Technologies
    - Risk-based approach
    - Secure all elements of a full virtualization solution and perform continuous monitoring
    - Restrict and protect administrator access to the virtualization solution
    - Ensure that the hypervisor is properly secured
    - Carefully plan the security for a full virtualization solution before installing, configuring, and deploying it
  • 18. Summary of Threats and Countermeasures
    - Intra-guest vulnerabilities → Hypervisor partitioning
    - Lack of visibility in the guest OS → Hypervisor instrumentation and monitoring
    - Hypervisor management → Protect management interface, patch management, secure configuration
    - Virtual workload security → Management of the guest OS, applications, data protection, patch management, secure configuration, etc.
    - Virtualized infrastructure exposure → Manage access control to the hardware, hypervisors, network, storage, etc.
  • 19. Resources
    - Presidential Memorandum, June 10, 2010, Disposing of Unneeded Federal Real Estate, is available on the following Web page: http://www.whitehouse.gov/the-press-office/presidential-memorandum-disposing-unneeded-federal-real-estate
    - NIST publications that provide information and guidance on planning, implementing and managing information system security and protecting information include:
      - Federal Information Processing Standard (FIPS) 199, Standards for Security Categorization of Federal Information and Information Systems
      - NIST Special Publication (SP) 800-37 Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach
      - NIST SP 800-53 Revision 3, Recommended Security Controls for Federal Information Systems and Organizations
      - NIST SP 800-61 Revision 1, Computer Security Incident Handling Guide
      - NIST SP 800-64 Revision 2, Security Considerations in the System Development Life Cycle
      - NIST SP 800-88, Guidelines for Media Sanitization
      - NIST SP 800-115, Technical Guide to Information Security Testing and Assessment
      - NIST SP 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)
    - For information about these NIST standards and guidelines, as well as other security-related publications, see NIST’s Web page http://csrc.nist.gov/publications/index.html
  • 20. HyTrust Fills Critical Platform Access Gaps (Virtualization Platform Gap → HyTrust Solution)
    - Multiple administrators can log into hosts anonymously by sharing a root account → Uses root password vaulting (check-in/out) to ensure admins are individually accountable
    - An admin can bypass vCenter access controls and logging by connecting directly to hosts → Controls and logs access via any connection method, creating accountability
    - An admin can access another organization’s virtualized workloads in multi-tenant environments → Ensures that admins can only access their own organization’s data and applications, enabling secure multi-tenancy
    - Platform allows access via default password or compromised admin password → Prevents use of default passwords and supports multi-factor authentication to stop unauthorized access
    - A current or terminated admin can connect to the platform undetected using a backdoor account → Controls and logs access to every admin account, preventing major security breaches
  • 21. HyTrust Fills Critical Platform Authorization Gaps (Virtualization Platform Gap → HyTrust Solution)
    - An administrator can shut down any virtualized application or switch → Protects business continuity by controlling what resources an admin can manage
    - An admin can create unapproved VMs, with negative operations or compliance impacts → Prevents damaging outcomes by controlling VM creation privileges
    - An admin can disable security such as virtualized firewalls and antivirus → Preserves security by blocking unapproved shutdowns of virtual security measures
    - An admin can copy sensitive data from a VM to external storage → Keeps sensitive data confidential by applying controls to virtual resources
    - An admin can replace a critical VM with a compromised copy while leaving no tracks → Exposes tampering by creating a permanent, unchangeable record of every operation
    - An admin can move a low-trust virtualized workload to a high-trust server or virtual subnet, and vice versa → Mitigates security and compliance risks by preventing mixing of trust levels
  • 22. HyTrust Fills Critical Log Data Gaps
    Virtualization Platform:
    - Data for allowed operation (example): User: root; Time/date; Target resource name, server URL; Operation executed
    - Data for denied operation (example): none
    - Usability and productivity: Separate log files for vCenter and each host; Different log formats for vCenter vs. hosts
    HyTrust:
    - Data for allowed operation (example): All of the above, plus: User ID; Source IP address; Resource reconfigured; Previous resource state; New resource state; Label (Production); Required privileges; Evaluated rules/constraints
    - Data for denied operation (example): User ID; Date/time; Source IP address; Operation requested; Operation denial; Target resource name, IP address, port, and protocol; Required privileges; Missing privileges; Evaluated rules/constraints
    - Usability and productivity: Consolidated, centrally managed logs covering vCenter and all hosts; Single, uniform format for combined vCenter and host log data; Logs sent to central repository or SIEM via syslog
  • 23. HyTrust In Action – Live Demo
  • 24. HyTrust is a Critical Component in Virtualizing Mission-Critical Applications
    - Visibility: Authentication; Logging
    - Control: Role-Based Access Control; Policy
    - Validation: Configuration Assessment & Remediation
  • 25. Thank You! Questions and Answers
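Slides 20–22 describe an authorization layer that checks each privileged operation against tenant isolation, least privilege and trust-level rules, and records the fields a denied or allowed request produced. The following is an added example, not HyTrust's code or log format; the roles, privilege names, trust labels and sample requests are all constructed for the demo.

```python
"""Toy policy check for virtual-infrastructure admin operations, modelled on
the gaps in slides 20-22. Added example; all names and schemas are assumed."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional
import json


@dataclass
class Resource:
    name: str
    org: str     # tenant that owns the resource (slide 20, multi-tenancy)
    label: str   # e.g. "Production" (slide 22 "Label")
    trust: str   # "low" or "high" (slide 21, trust-level mixing)


@dataclass
class Request:
    user: str
    org: str
    role: str
    source_ip: str
    operation: str                        # e.g. "PowerOff", "Migrate"
    target: Resource
    destination: Optional[Resource] = None  # only used for "Migrate"


# Constructed role-to-privilege map: least privilege, nothing by default.
ROLE_PRIVS = {
    "vm_operator": {"PowerOn", "PowerOff", "Migrate"},
    "security_admin": {"DisableFirewall", "EnableFirewall"},
}
# Constructed operation-to-required-privilege map.
OP_PRIVS = {"PowerOff": {"PowerOff"}, "Migrate": {"Migrate"},
            "DisableFirewall": {"DisableFirewall"}}


def evaluate(req: Request) -> dict:
    """Apply the rules and return one uniform audit record (slide 22 fields)."""
    rules, denial = [], []
    # Rule 1: an admin may only touch their own organization's resources.
    rules.append("tenant_isolation")
    if req.target.org != req.org:
        denial.append("target belongs to another organization")
    # Rule 2: least privilege; record required and missing privileges.
    rules.append("least_privilege")
    required = OP_PRIVS.get(req.operation, {req.operation})
    missing = required - ROLE_PRIVS.get(req.role, set())
    if missing:
        denial.append("missing privileges")
    # Rule 3: migrations must not mix trust levels (low <-> high).
    if req.operation == "Migrate" and req.destination is not None:
        rules.append("trust_level_separation")
        if req.target.trust != req.destination.trust:
            denial.append("source and destination trust levels differ")
    return {
        "time": datetime.now(timezone.utc).isoformat(),
        "user_id": req.user, "source_ip": req.source_ip,
        "operation": req.operation, "target": req.target.name,
        "label": req.target.label, "required_privileges": sorted(required),
        "missing_privileges": sorted(missing), "evaluated_rules": rules,
        "result": "denied" if denial else "allowed", "denial_reason": denial,
    }


def to_syslog(record: dict) -> str:
    """Render the record as a single syslog-style line for a SIEM (slide 22)."""
    return "vi-policy-demo: " + json.dumps(record, sort_keys=True)
```

Note that a denied request still produces a full record (user, source IP, missing privileges, evaluated rules), which is the gap slide 22 lists as "none" for the bare platform.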