Get on with Business - VMware Reference Architectures Help Streamline Compliance Efforts
Gargi Keeling, VMware
Luke Youngblood, McKesson Corporation
Troy Casey, McKesson Corporation
Session SEC5253 (#SEC5253)
Slide 2: Security Architect May Start a Design on a Whiteboard…
(Illustration: the Security Architect sketching at a whiteboard.)

Slide 3: …and Then Formalize the Design as Reference Architecture
(Illustration: the Security Architect with the formalized design.)
Slide 5: What If You Could…
From whiteboard… …to architecture… …to reality.
Enforce actionable and repeatable policies across trust zones, as defined by industry regulations and organizational policies – and make this all operationally feasible in the software-defined data center?
Slide 6: Agenda
• Transform Architecture Into Reality
• Compliance Challenges in the SDDC
• Auditors and Partners Are On Board
• Technology Catching Up with Policy
• Customer Perspective: McKesson OneCloud
• Example: Simplify Management of PCI DSS Controls
• Summary of NSX Service Composer Features for Implementing Compliance Reference Architecture
• Next Steps
Slide 7: Process for Defining Reference Architecture is Not Trivial
(Diagram of the inputs that feed a reference architecture, with a PCI Zone on VMware vSphere as the worked example; see also session VCM5428.)
• Infrastructure Requirements: Access Control, Segmentation, Remediation, Automation, Policy Management, Audit
• Common Control Frameworks
• Regulations, Standards, Best Practices
• Reference Architectures (example: PCI Zone on VMware vSphere)
Slide 8: The Cloud Operator Has to Make This All Work…But How?
Security Policy ≠ Security Operations: the security team asks the operator to implement policies, but reference architectures only get you so far.
Security Architect: “I need this.”
VI Admin / Cloud Operator: “Yikes.”

Slide 9: The Cloud Operator Has to Make This All Work…But How?
Manual Workflows Across Different Solutions: the security team relies on manual processes to build workflows between different vendor solutions.
Security Architect: “When THIS happens, we need to do THAT.”
VI Admin / Cloud Operator: “Looks complicated.”
VI Admin / Cloud Operator: “It is.”

Slide 10: The Cloud Operator Has to Make This All Work…But How?
Cumbersome Provisioning: the operator is responsible for deploying vendor solutions, often with inconsistent, multi-step processes.
Security Architect: “We approve these solutions. You deploy them.”
VI Admin / Cloud Operator: “Maybe next year…”
Slide 12: VMware Compliance Reference Architectures
(Diagram: Architecture Design produces Reference Architectures together with VMware Partners; Validation by 3rd Party Auditors turns them into a QSA Validated Reference Architecture.)
Slide 13: Technology Solution Categories
• DLP
• Encryption
• BC / DR
• Anti Virus / Endpoint Protection
• Firewall
• AAA / Identity and Access
• 2 Factor AuthN
• File Integrity Monitoring
• IPS/IDS
• SIEM
• Penetration Testing
• Vulnerability Assessment
• Patch Management
• Config Management
• DB/App Monitor
Slide 15: NSX Service Composer
Security services can now be consumed more efficiently in the software-defined data center.
• Automate: automate workflows across different services, without custom integration.
• Provision: provision and monitor uptime of different services, using one method.
• Apply: apply and visualize security policies for workloads, in one place.
(See also session SEC5749.)
Slide 16: Concept – Apply Policies to Workloads
Security Groups define WHAT you want to protect: Members (VM, vNIC…) and Context (user identity, security posture).
Security Policies define HOW you want to protect it: Services (Firewall, antivirus…) and Profiles (labels representing specific policies).
APPLY: Define security policies based on service profiles already defined (or blessed) by the security team. Apply these policies to one or more security groups where your workloads are members.
Slide 17: Concept – Automate Workflows Across Services
(Diagram: AV, FW, IPS, DLP and Vuln. Mgmt services linked through Service Composer.)
IF one service finds something, THEN another service can do something about it, WITHOUT requiring integration between services!
(See also session SEC5750.)
Slide 18: Automation Process Using NSX Service Composer
Use NSX security tags, either through NSX security solutions or APIs, to define IF/THEN workflows across security services.
Step 1 - Define security tags based on workflow requirements.
Step 2 - Define security group based on tags (the diagram shows a Security Group whose membership is a tag match).
Step 3 - Set and unset tags based on security workflow requirements.
Slide 20: About McKesson
At A Glance
• Founded 1833
• HQ San Francisco
• 37,000+ employees
• Focus: Distribution and Technology
Our Businesses
• Distribution Solutions (pharmaceutical, medical/surgical, plasma and biologics, pharmacy and more)
• Technology Solutions (information solutions, medication imaging, automation and more)
• Ranked 14th on Fortune 500
• NYSE: MCK
• Revenue: $122.7 billion in FY2012
By the Numbers
• #1 pharmaceutical distribution in US, Canada
• #1 generics pharmaceutical distribution
• #1 hospital automation
• 52% of US hospitals use McKesson technology
Slide 21: McKesson OneCloud
A self-service, private cloud giving users access to new applications on-demand, with necessary security controls.
(Illustration: the VI Admin / Cloud Operator and the Security Architect.)
Slide 22: NIST Cloud Computing Model
Deployment Models: Public, Private, Hybrid, Community
Service Models: Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS)
Essential Characteristics: Broad Network Access, Resource Pooling, Rapid Elasticity, On-Demand Self-Service, Measured Service
With OneCloud, McKesson IT delivers the essential characteristics of Cloud Computing in a Private Cloud, Infrastructure as a Service (IaaS) model. Customers can build their own customized VM catalogs and deliver Platform (PaaS) services to authorized users within their own organizations.
Slide 23: How McKesson Defines Reference Architectures
(Same diagram as slide 7: Infrastructure Requirements (Access Control, Segmentation, Remediation, Automation, Policy Management, Audit), Common Control Frameworks, and Regulations, Standards, Best Practices feeding the Reference Architectures.)
Slide 24: OneCloud Administration Roles
(Diagram: the stack from physical to virtual, with the role responsible for each layer.)
• Infrastructure (McK-IT): Network (WLAN, WAN, LAN), Compute, Storage, VMM / Hypervisor, Virtualization Management. McKesson IT designs, engineers, implements, manages & supports the virtual infrastructure and the underlying physical infrastructure.
• Platform (McK-IT): Server VM Templates. McKesson IT designs, engineers, creates, and publishes the base OS templates for use in OneCloud with monitoring and management tools pre-installed and pre-configured.
• Software / Applications (Group Mgrs): virtualApp Templates. Administrators of OneCloud consumer groups consume single-machine templates and assemble them into multi-machine templates called vApps. They assign User roles and publish deployment Blueprints for their groups.
• Users: Server VM Instances. OneCloud Users consume vApps by creating application instances from the Blueprints and Templates published for their groups. Their rights are limited by role assignments and resource pooling. They either use the instantiated systems directly or provision them for their teams’ compute requirements.
Slide 25: McKesson SecureCloud 2011-2012
(Network diagram; only the labels survive extraction.)
Layers, outer to inner:
• External Untrusted Layer: Internet, McKesson CareBridge, B2B Extranet, CoLo’s / External Hosting, ASP, MPS, Partners / Vendors / Sub-Contractors, McK Remote Offices, McK Remote Sites
• Edge Perimeter Zone: Edge Router, ISP 1, ISP 2, firewalls (F/W)
• Core Edge Firewall Layer: McKIT Shared DMZ, PCI DMZ, VPN Remote Access
• Infrastructure Distribution Layer: Internal Router
• Network Core Layer: McKIT WAN-MPLS
• Internal Trusted Layer: Management & Admin Network Zone, PCI Internal Service Networks, CoLo Internal Service Network, ASP-MSP Internal Service Network, HIPAA Internal Service Network
Slide 26: Data Classification Framework
PUBLIC, INTERNAL, CONFIDENTIAL, RESTRICTED (in order of increasing sensitivity)
Slide 27: McKesson OneCloud Hosting Zones
• GREEN: Non-Sensitive Information (Public, Internal)
• AMBER: Sensitive Information (Confidential)
• TBD: Highly Sensitive Information (Restricted)
• YELLOW: Vulnerable, Unpatched Systems
• QUARANTINE: Infected / Compromised VM Remediation
• DMZ: Web-facing systems
Release phasing shown against the zones on the slide: OneCloud 1.0, OneCloud 1.5, OneCloud 2.0, OneCloud 1.5, OneCloud v.TBD, OneCloud 1.5.
Slide 28: McKesson OneCloud Infrastructure Zones
(Diagram: the hosting zones GREEN, AMBER, YELLOW, TBD, QUARANTINE and DMZ with their release phasing (OneCloud 1.0 / 1.5 / 2.0 / v.TBD), surrounded by shared infrastructure functions.)
• AMBER zone: MONITORING & AUDIT CAPTURE
• THREAT DEFENSE: Security Services, Event & Alert Feeds
• SECURE MANAGEMENT: Infrastructure Administration
• PARTNER INTEGRATION: B2B & 3rd Party Cloud Providers
Slide 29: McKesson SecureCloud 2011-2012 (with McKIT ONE CLOUD)
(The slide 25 network diagram extended with the OneCloud GREEN ZONE; only the labels survive extraction.)
Network layers as on slide 25: External Untrusted Layer (Internet, McKesson CareBridge, B2B Extranet, CoLo’s / External Hosting, ASP, MPS, Partners / Vendors / Sub-Contractors, McK Remote Offices, McK Remote Sites); Edge Perimeter Zone (Edge Router, ISP 1, ISP 2, firewalls); Core Edge Firewall Layer (McKIT Shared DMZ, PCI DMZ, VPN Remote Access); Infrastructure Distribution Layer (Internal Router); Network Core Layer (McKIT WAN-MPLS); Internal Trusted Layer (Management & Admin Network Zone, PCI Internal Service Networks, CoLo Internal Service Network, ASP-MSP Internal Service Network).
OneCloud GREEN ZONE components:
• Hypervisor Layer: Hosts 1…n running VM1…n; vNet Fabric (vSwitch1, vSwitch2, vSwitch3 … vSwitchn); Host F/W; vSphere Mgmt I/F
• vCloud Mgmt Tools: vCenter, VCD, VCAC; O/S Build, VM Build, VM Repository
• In-VM agents: EP Agent (VSE 8.8), Auth-LDAP, SYSLOG
• Management & Security Services (Physical) and Security & Mgmt VMs: Vuln Scan, Cred, Forensics
• Storage: DASD, SAN, NAS (NFS, iSCSI, SMB)
• vShield Endpoint API Support; service integrations listed: Anti-Virus, Vulnerability Mgmt, SIEM, EndPoint Security, Directory Services, Resource Reservation, Policy Automation, Backup & Recovery, Data Discovery, VM Inventory, Forensics
Slide 30: McKesson OneCloud 1.0 – VM Security Placement
(Diagram only.)

Slide 31: McKesson OneCloud 1.0 – Internal Hosting Zone
(Diagram only.)

Slide 32: McKesson OneCloud 1.0 – ‘Green Zone’
(Diagram: a VM (OS, APP, DATA) surrounded by SIEM Integration, Active Directory and the Cloud Management Platform.)
Security hardening of the Cloud infrastructure and management systems is assured using hardening baselines from VMware, ISRM and CIS and live scanning for vulnerabilities and missing patches.
Authentication, Authorization and Role Assignment are enabled via Active Directory. Dedicated AD Groups are leveraged to assign administrator and user roles for both VMs and Infrastructure.
ISRM’s event management and incident response services are brought to bear via integration with the existing deployment of the RSA enVision Security Information & Event Management (SIEM) solution.
Incident Response and Forensic Analysis is enabled by integration of the forensic data collection agent into the VM Templates underlying OneCloud services.
Endpoint security management for OneCloud uses McKesson’s standard package, installed at time of provisioning (Windows VMs) or integrated into the OS Template image (Linux VMs).
OneCloud workloads benefit from placement inside McKesson’s firewalled and segmented internal data center networks – VMs and applications hosted in the Green Zone are firewalled from the Internet by default.
The initial OneCloud offering will provide a Baseline level of security for the hosting of internal workloads handling non-sensitive information. Rapid provisioning is leveraged to eliminate the need to patch short-lived systems, as re-provisioning the VM from an updated OneCloud VM Template is an effective replacement for conventional patch management approaches.
Slide 34: NSX Service Composer – Canvas View
Nested Security Groups: A security group can contain other groups. These nested groups can be configured to inherit security policies of the parent container. Members of any nested groups are protected by the parent container policy.
e.g. “Financial Department” can contain “Financial Application”

Slide 35: NSX Service Composer – Canvas View
Members: Security Groups contain VMs, vNICs, vApps and more…to define WHAT you want to protect.
e.g. “Financial Applications”, “Desktop Users”, “Quarantine Zone”

Slide 36: NSX Service Composer – Canvas View
Policies: Collection of service profiles assigned to this container…to define HOW you want to protect this container.
e.g. “PCI Compliance” or “Quarantine Policy”

Slide 37: NSX Service Composer – Canvas View
Profiles: When solutions are registered and deployed, these profiles point to actual security policies that have been defined by the security management console (e.g. AV, network IPS). The only exception is the firewall rules, which can be defined directly within Service Composer. Profiles for *deployed* solutions are assigned to these policies.
Services supported today:
• Distributed Virtual Firewall
• Anti-virus
• File Integrity Monitoring
• Vulnerability Management
• Network IPS
• Data Security (DLP scan)
Slide 38: Compliance Automation Use Case
(Actors shown: Application Owner, DLP / Discovery Solution, VI Admin / Cloud Operator.)
• Compliance Processes
  - Group systems that must be compliant with a specific regulation and apply necessary controls to the group
  - Specify systems based on actual data (through sensitive data discovery) or desired compliance state
  - Move systems in and out of compliance zones based on above
  - Optional: Require approval before any workload is moved to compliance zone
• Properties of Compliance Zone
  - Apply security policies as dictated by the applicable regulation or standard (e.g. antivirus, firewall, encryption, etc.)
Slide 39: Automate Compliance Workflow with NSX Service Composer
Prerequisites: Security groups defined by tag membership and relevant policies, e.g.
  Security Group = PCI Zone, Members = {Tag = ‘DATA_SECURITY.violationsFound’}
  Security Group = Desktops
1. Desktop group scanned for credit card data
2. Data security/DLP solution tags VMs with sensitive data
3. VM with sensitive data automatically gets added to PCI DSS group, based on tag
4. VM is re-scanned for continuous compliance
5. Tag is only removed if credit card data is no longer present. VM would then be moved out of PCI DSS zone.
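The mechanics behind the three-step process on slide 18, the nested groups on slide 34 and the five-step DLP workflow above can be traced on sample data with the model below. It is an added example, not VMware code and not the NSX API: it models security tags, tag-driven group membership, nested groups that inherit the parent container's policies, and the IF/THEN loop in which a DLP scan sets the `DATA_SECURITY.violationsFound` tag (the only name taken from the slide) and the tag moves the VM into the PCI Zone group. Group names, VM names, policy names and the scan results are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Tag name taken from the slide; everything else here is constructed.
VIOLATION_TAG = "DATA_SECURITY.violationsFound"


@dataclass
class VM:
    name: str
    tags: Set[str] = field(default_factory=set)


@dataclass
class SecurityGroup:
    """WHAT to protect (members) paired with HOW to protect it (policies)."""
    name: str
    policies: List[str] = field(default_factory=list)      # service profiles applied to members
    required_tags: Set[str] = field(default_factory=set)   # dynamic membership: all tags must match
    static_members: Set[str] = field(default_factory=set)  # explicitly listed VM names
    children: List["SecurityGroup"] = field(default_factory=list)  # nested groups

    def matches_directly(self, vm: VM) -> bool:
        if vm.name in self.static_members:
            return True
        return bool(self.required_tags) and self.required_tags <= vm.tags

    def is_member(self, vm: VM) -> bool:
        # A member of a nested group is also a member of the parent container.
        return self.matches_directly(vm) or any(c.is_member(vm) for c in self.children)


def effective_policies(groups: List[SecurityGroup], vm: VM) -> List[str]:
    """Policies applied to a VM: its own groups' policies plus those inherited
    from every parent container, in canvas order, without duplicates."""
    applied: List[str] = []

    def walk(group: SecurityGroup, inherited: List[str]) -> None:
        chain = inherited + group.policies
        if group.matches_directly(vm):
            for policy in chain:
                if policy not in applied:
                    applied.append(policy)
        for child in group.children:
            walk(child, chain)

    for group in groups:
        walk(group, [])
    return applied


def memberships(groups: List[SecurityGroup], vm: VM) -> List[str]:
    """Names of every group (nested ones included) the VM currently belongs to."""
    names: List[str] = []

    def walk(group: SecurityGroup) -> None:
        if group.is_member(vm):
            names.append(group.name)
        for child in group.children:
            walk(child)

    for group in groups:
        walk(group)
    return names


def dlp_scan(vm: VM, findings: Dict[str, int]) -> None:
    """Steps 2 and 5: the DLP solution sets the violation tag when a scan finds
    card data and clears it only when a re-scan finds none."""
    if findings.get(vm.name, 0) > 0:
        vm.tags.add(VIOLATION_TAG)
    else:
        vm.tags.discard(VIOLATION_TAG)


def build_sample():
    """Constructed sample: the groups named on the slides plus one nested pair."""
    pci_zone = SecurityGroup("PCI Zone", policies=["PCI Compliance"],
                             required_tags={VIOLATION_TAG})
    desktops = SecurityGroup("Desktops", policies=["Desktop Baseline"],
                             static_members={"desk-01", "desk-02"})
    fin_app = SecurityGroup("Financial Application", policies=["App Firewall"],
                            static_members={"fin-app-01"})
    fin_dept = SecurityGroup("Financial Department", policies=["Department AV"],
                             children=[fin_app])
    vms = {n: VM(n) for n in ("desk-01", "desk-02", "fin-app-01")}
    return [pci_zone, desktops, fin_dept], vms


def run_scenario():
    """Two scan cycles; returns group membership after each."""
    groups, vms = build_sample()
    # Cycle 1 (constructed result): card data found on desk-02 only.
    for vm in vms.values():
        dlp_scan(vm, {"desk-02": 3})
    after_first = {n: memberships(groups, vm) for n, vm in vms.items()}
    # Cycle 2: the data was removed, the re-scan finds nothing, the tag is cleared.
    for vm in vms.values():
        dlp_scan(vm, {})
    after_second = {n: memberships(groups, vm) for n, vm in vms.items()}
    return after_first, after_second


if __name__ == "__main__":
    first, second = run_scenario()
    print("after scan 1:", first)   # desk-02 is in PCI Zone and Desktops
    print("after scan 2:", second)  # desk-02 is back to Desktops only
```

The point to notice is that no service talks to another: the DLP scanner only writes a tag, and the PCI Zone group's membership rule reads it. `effective_policies` shows the other half of the picture, namely that a VM tagged into PCI Zone keeps its Desktops baseline policy as well, and that `fin-app-01` receives the Financial Department policy it never joined directly.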
Slide 41: NSX Service Composer Simplifies Compliance Management
#1. Apply pre-approved security policies to workloads.
VI Admin / Cloud Operator: “Is this what you wanted?”
Security Architect: “Yup. Looks good.”

Slide 42: NSX Service Composer Simplifies Compliance Management
#2. Implement rules for remediating workloads when they are compromised, at-risk, or non-compliant.
Security Architect: “When THIS happens, do THAT.”
VI Admin / Cloud Operator: “No problem.”

Slide 43: NSX Service Composer Simplifies Compliance Management
#3. Provision, monitor, and troubleshoot services from a single console.
Security Architect: “These are the core security controls we need to protect our systems. What can you do about this?” (AV, FW, IPS, DLP, Vuln. Mgmt, FIM)
VI Admin / Cloud Operator: “We can start with these. More coming soon.”
Slide 45: Back at the Office…
Security Architect: “You need to look at these VMware Compliance Reference Architecture documents.”
VI Admin / Cloud Operator: “Wow. This will really save me a lot of time – thanks! AND I just learned about VMware NSX Service Composer. We could automate a lot of this!”
Security Architect: “No kidding. Prove it!”
VI Admin / Cloud Operator: “I will.”
Point your security team to VMware Compliance Reference Architectures. Partner with security team to evaluate NSX Service Composer to address compliance requirements.
Slide 46: You Can…
From whiteboard… …to architecture… …to reality.
Enforce actionable and repeatable policies across trust zones, as defined by industry regulations and organizational policies – and make this all operationally feasible in the software-defined data center!
Slide 47: Other VMware Activities Related to This Session
• HOL: HOL-SDC-1315, vCloud Suite Use Cases - Control & Compliance
• Group Discussions: SEC1002-GD, Compliance Reference Architecture: Integrating Firewall Antivirus, Logging IPS in the SDDC with Allen Shortnacy
THANK YOU
Slide 51 (appendix): The Basic Concept
Security Groups define WHAT you want to protect:
• Members: VM, vNIC, network (virtual/Logical Switch, physical), Distributed Virtual PG, cluster, data center, Resource Pool, vApp, other container, IP address, MAC
• Context: User identity, sensitive data, security posture
Security Policies define HOW you want to protect it:
• Services: Firewall, antivirus, intrusion prevention, vulnerability management and more.
• Profiles: Security policies from VMware and third-party solutions that are defined by the security architect but implemented by the cloud operator.
APPLY the policies to the groups.
Slide 52 (appendix): McKesson OneCloud Phases
(Table with columns OneCloud 1.0, OneCloud 1.5, OneCloud 2.0 and Beyond OneCloud 2.0; the zone-to-phase placement does not survive extraction.)
• Green Zone: Fully compliant systems; Straight L3 pass through with minimal inspection
• Yellow Zone: system patches more than xx days out of date or AV signatures out of date; IPS/FW added to inline path
• Red (quarantine) zone: AV disabled/missing, missing critical system patch; System placed in Sandbox
• DMZ Zone: Prevent systems in this zone from being attached to other networks or zones
• Amber Zones: For sensitive data such as PHI, PCI (confidential)
• Beyond OneCloud 2.0: Sensitive Data (restricted)
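The zone rules above and on slide 27 read as a decision table, and writing them as one function makes the precedence explicit: a VM is placed by its security posture first and by its data classification only once it is clean. This is an added example, not McKesson's tooling. The numeric thresholds are assumptions (the slide only says "more than xx days out of date"), the order in which the DMZ check runs relative to the classification checks is an assumption, and the inventory is constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Assumed thresholds standing in for the slide's "xx days"; not McKesson's values.
PATCH_AGE_LIMIT_DAYS = 30
AV_SIGNATURE_AGE_LIMIT_DAYS = 7

# Data classification framework from slide 26, lowest to highest sensitivity.
CLASSIFICATIONS = ("PUBLIC", "INTERNAL", "CONFIDENTIAL", "RESTRICTED")


@dataclass
class Posture:
    """What inventory and the scanners report about one VM (constructed fields)."""
    name: str
    classification: str
    web_facing: bool = False
    compromised: bool = False
    av_installed: bool = True
    av_signature_age_days: int = 0
    patch_age_days: int = 0
    missing_critical_patch: bool = False


@dataclass
class Placement:
    zone: str
    inline_services: List[str] = field(default_factory=list)
    constraint: str = ""


def place(p: Posture) -> Placement:
    """Decide the hosting zone. Checks run from most to least restrictive so a
    compromised or unpatched VM never reaches a data zone on classification alone."""
    if p.classification not in CLASSIFICATIONS:
        raise ValueError(f"unknown classification {p.classification!r}")
    # Red / quarantine zone: infected, AV disabled or missing, or a critical patch missing.
    if p.compromised or not p.av_installed or p.missing_critical_patch:
        return Placement("QUARANTINE", ["sandbox"], "remediate before re-placement")
    # Yellow zone: patches or AV signatures out of date; IPS and FW join the inline path.
    if (p.patch_age_days > PATCH_AGE_LIMIT_DAYS
            or p.av_signature_age_days > AV_SIGNATURE_AGE_LIMIT_DAYS):
        return Placement("YELLOW", ["IPS", "FW"], "patch or update signatures to leave")
    # DMZ: web-facing systems, kept off every other network or zone (assumed to take
    # precedence over classification).
    if p.web_facing:
        return Placement("DMZ", ["FW"], "no attachment to other networks or zones")
    # Data zones by classification.
    if p.classification == "RESTRICTED":
        return Placement("TBD", [], "highly sensitive; zone defined in OneCloud v.TBD")
    if p.classification == "CONFIDENTIAL":
        return Placement("AMBER", ["monitoring & audit capture"], "PHI, PCI data")
    return Placement("GREEN", [], "straight L3 pass-through with minimal inspection")


def place_fleet(fleet: List[Posture]) -> Dict[str, str]:
    """Zone name per VM, for a whole inventory."""
    return {p.name: place(p).zone for p in fleet}


SAMPLE_FLEET = [  # constructed inventory
    Posture("intranet-wiki", "INTERNAL"),
    Posture("www-portal", "PUBLIC", web_facing=True),
    Posture("phi-records", "CONFIDENTIAL"),
    Posture("card-vault", "RESTRICTED"),
    Posture("stale-batch", "CONFIDENTIAL", patch_age_days=45),
    Posture("old-sigs", "INTERNAL", av_signature_age_days=10),
    Posture("infected-desk", "INTERNAL", compromised=True),
    Posture("no-av-web", "PUBLIC", web_facing=True, av_installed=False),
]

if __name__ == "__main__":
    for name, zone in place_fleet(SAMPLE_FLEET).items():
        print(f"{name:14s} -> {zone}")
```

Note that `stale-batch` holds confidential data yet lands in YELLOW, not AMBER: the inline IPS/FW is what the slide prescribes for an unpatched system, and it returns to its data zone only after the patch age drops below the limit. Raising or lowering `PATCH_AGE_LIMIT_DAYS` is the one knob the slide leaves open.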
Slide 53 (appendix): VMware NSX Service Composer – For Compliance Scenarios
Security Groups
• Define workloads based on many attributes (VMs, vNICs, networks, user identity, and more) – WHAT you want to protect
Security Policies
• Define policies using profiles from built-in services and 3rd party services - HOW you want to protect workloads
Built-In Services
• Firewall, Identity-based Firewall
• Data Security (DLP / Discovery)
3rd Party Services
• IDS / IPS, AV, Vulnerability Mgmt
• 2013 Vendors: Symantec, McAfee, Trend Micro, Rapid 7
Automation
• Use security tags and other context to drive dynamic membership of security groups – results in IF-THEN workflows across services
(Platform diagram: the VMware NSX Network Virtualization Platform provides Virtual Networks (Logical L2, Logical L3, Logical Firewall, Logical Load Balancer, Logical VPN) to Any Application (without modification), on Any Hypervisor, Any Network Hardware and Any Cloud Management Platform.)
Slide 54 (appendix): NSX Integrated Partners
(Diagram: NSX Controller & NSX Manager expose the NSX API; Partner Extensions attach L2 Gateway, ADC/LB, Firewall, IDS/IPS, AV/FIM and Vulnerability Management security services, alongside Cloud Management Platforms.)
VMworld 2015: Site Recovery Manager and Policy Based DR Deep Dive with Engine...VMworld 2015: Site Recovery Manager and Policy Based DR Deep Dive with Engine...
VMworld 2015: Site Recovery Manager and Policy Based DR Deep Dive with Engine...
 
VMworld 2015: Building a Business Case for Virtual SAN
VMworld 2015: Building a Business Case for Virtual SANVMworld 2015: Building a Business Case for Virtual SAN
VMworld 2015: Building a Business Case for Virtual SAN
 
VMworld 2015: Explaining Advanced Virtual Volumes Configurations
VMworld 2015: Explaining Advanced Virtual Volumes ConfigurationsVMworld 2015: Explaining Advanced Virtual Volumes Configurations
VMworld 2015: Explaining Advanced Virtual Volumes Configurations
 

Recently uploaded

Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
WSO2
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Victor Rentea
 

Recently uploaded (20)

FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital Adaptability
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
Introduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDMIntroduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDM
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKSpring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 

VMworld 2013: Get on with Business - VMware Reference Architectures Help Streamline Compliance Efforts

  • 1. Get on with Business - VMware Reference Architectures Help Streamline Compliance Efforts Gargi Keeling, VMware Luke Youngblood, McKesson Corporation Troy Casey, McKesson Corporation SEC5253 #SEC5253
  • 2. 2 Security Architect May Start a Design on a Whiteboard… Security Architect
  • 3. 3 …and Then Formalize the Design as Reference Architecture Security Architect
  • 4. 5 What If You Could… From whiteboard… …to architecture… …to reality. Enforce actionable and repeatable policies across trust zones, as defined by industry regulations and organizational policies – and make this all operationally feasible in the software-defined data center?
  • 5. 6 Agenda  Transform Architecture Into Reality  Compliance Challenges in the SDDC  Auditors and Partners Are On Board  Technology Catching Up with Policy  Customer Perspective: McKesson OneCloud  Example: Simplify Management of PCI DSS Controls  Summary of NSX Service Composer Features for Implementing Compliance Reference Architecture  Next Steps
  • 6. 7 Infrastructure Requirements  Access Control  Segmentation  Remediation  Automation  Policy Management  Audit Common Control Frameworks Regulations, Standards, Best Practices Reference Architectures PCI Zone VMware vSphere Process for Defining Reference Architecture is Not Trivial VCM 5428
  • 7. 8 The Cloud Operator Has to Make This All Work…But How? VI Admin / Cloud Operator Yikes. Security Policy ≠ Security Operations Security team asks operator to implement policies but reference architectures only get you so far. I need this. Security Architect
  • 8. 9 The Cloud Operator Has to Make This All Work…But How? VI Admin / Cloud Operator Looks complicated. When THIS happens, we need to do THAT. Security Architect Manual Workflows Across Different Solutions Security team relies on manual processes to build workflows between different vendor solutions. It is. VI Admin / Cloud Operator
  • 9. 10 The Cloud Operator Has to Make This All Work…But How? VI Admin / Cloud Operator Maybe next year… We approve these solutions. You deploy them. Security Architect Cumbersome Provisioning Operator is responsible for deploying vendor solutions, often with inconsistent, multi-step processes.
  • 10. 11 Agenda  Transform Architecture Into Reality  Compliance Challenges in the SDDC  Auditors and Partners Are On Board  Technology Catching Up with Policy  Customer Perspective: McKesson OneCloud  Example: Simplify Management of PCI DSS Controls  Summary of NSX Service Composer Features for Implementing Compliance Reference Architecture  Next Steps
  • 12. 13 DLP Encryption BC DR Anti Virus Endpoint Protection Firewall AAA Identity and Access 2 Factor AuthN File Integrity Monitoring IPS/IDS SIEM Penetration Testing Vulnerability Assessment Patch Mngmnt Config Mngmnt DB/App Monitor Technology Solution Categories
  • 13. 14 Agenda  Transform Architecture Into Reality  Compliance Challenges in the SDDC  Auditors and Partners Are On Board  Technology Catching Up with Policy  Customer Perspective: McKesson OneCloud  Example: Simplify Management of PCI DSS Controls  Summary of NSX Service Composer Features for Implementing Compliance Reference Architectures  Next Steps
  • 14. 15 NSX Service Composer Security services can now be consumed more efficiently in the software-defined data center. Automate. Automate workflows across different services, without custom integration. Provision. Provision and monitor uptime of different services, using one method. Apply. Apply and visualize security policies for workloads, in one place. SEC 5749
  • 15. 16 Concept – Apply Policies to Workloads Security Groups WHAT you want to protect Members (VM, vNIC…) and Context (user identity, security posture) HOW you want to protect it Services (Firewall, antivirus…) and Profiles (labels representing specific policies) APPLY Define security policies based on service profiles already defined (or blessed) by the security team. Apply these policies to one or more security groups where your workloads are members.
  • 16. 17 Concept – Automate Workflows Across Services AVFW IPS DLP Vuln. Mgmt IF one service finds something, THEN another service can do something about it, WITHOUT requiring integration between services! SEC 5750
  • 17. 18 Automation Process Using NSX Service Composer Use NSX security tags, either through NSX security solutions or APIs, to define IF/THEN workflows across security services. Step 1 - Define security tags based on workflow requirements Security Group = Step 2 - Define security group based on tags Step 3 - Set and unset tags based on security workflow requirements.
  • 18. 19 Agenda  Transform Architecture Into Reality  Compliance Challenges in the SDDC  Auditors and Partners Are On Board  Technology Catching Up with Policy  Customer Perspective: McKesson OneCloud  Example: Simplify Management of PCI DSS Controls  Summary of NSX Service Composer Features for Implementing Compliance Reference Architectures  Next Steps
  • 19. 20 About McKesson At A Glance  Founded 1833  HQ San Francisco  37,000+ employees  Focus: Distribution and Technology Our Businesses  Distribution Solutions (pharmaceutical, medical/surgical, plasma and biologics, pharmacy and more)  Technology Solutions (information solutions, medication imaging, automation and more) Our Businesses  Ranked 14th on Fortune 500  NYSE: MCK  Revenue: $122.7 billion in FY2012 By the Numbers  #1 pharmaceutical distribution in US, Canada  #1 generics pharmaceutical distribution  #1 hospital automation  52% of US hospitals use McKesson technology
  • 20. 21 McKesson OneCloud VI Admin / Cloud Operator Security Architect A self-service, private cloud giving users access to new applications on-demand, with necessary security controls.
  • 21. 22 NIST Cloud Computing Model Service Models Deployment Models Public Private Hybrid Community Platform as a Service (PaaS) Infrastructure as a Service (IaaS) Software as a Service (SaaS) Essential Characteristics Broad Network Access Resource Pooling Rapid Elasticity On-Demand Self-Service Measured Service With OneCloud, McKesson IT delivers the essential characteristics of Cloud Computing in a Private Cloud, Infrastructure as a Service (IaaS) model. Customers can build their own customized VM catalogs and deliver Platform (PaaS) services to authorized users within their own organizations.
  • 22. 23 Infrastructure Requirements  Access Control  Segmentation  Remediation  Automation  Policy Management  Audit Common Control Frameworks Regulations, Standards, Best Practices Reference Architectures How McKesson Defines Reference Architectures
  • 23. 24 OneCloud Administration Roles WLAN WAN LAN Network VMM / Hypervisor Virtualization Management Compute Storage Infrastructure McK-IT Platform McK-IT Software / Applications Group Mgrs Users Physical Virtual virtualApp Templates Server VM Instances Server VM Templates McKesson IT designs, engineers, implements, manages & supports the virtual infrastructure and the underlying physical infrastructure McKesson IT designs, engineers, creates, and publishes the base OS templates for use in OneCloud with monitoring and management tools pre- installed and pre-configured Administrators of OneCloud consumer groups consume single-machines templates and assemble them into multi-machine templates called vApps. They assign User roles and publish deployment Blueprints for their groups OneCloud Users consume vApps by creating application instances from the Blueprints and Templates published for their groups. Their rights are limited by role assignments and resource pooling. They either use the instantiated systems directly or provision them for their teams’ compute requirements.
  • 24. 25 McKesson SecureCloud 2011-2012 Management & Admin Network Zone PCI Internal Service Networks CoLo Internal Service Network ASP-MSP Internal Service Network 0000 Network Core Layer McKIT WAN-MPLS B2B Extranet Internet McKesson CareBridge Edge Perimeter Zone Edge Router ISP 1 F/W F/W F/WF/W F/W F/W CoLo’s External Hosting ASP MPS Partners, Vendors, Sub-Contractors McKIT Shared DMZ PCI DMZ VPN Remote Access Core Edge Firewall Layer ISP 2 Internal RouterInfrastructure Distribution Layer External Untrusted Layer McK Remote Offices McK Remote Sites Internal Trusted Layer HIPAA Internal Service Network
  • 26. 27 YELLOW McKesson OneCloud Hosting Zones GREEN AMBER TBD QUARANTINE DMZ Web-facing systems Non-Sensitive Information (Public, Internal) Sensitive Information (Confidential) Highly Sensitive Information (Restricted) Infected / Compromised VM Remediation OneCloud 1.0 OneCloud 1.5 OneCloud 2.0 OneCloud 1.5 OneCloud v.TBD OneCloud 1.5 Vulnerable, Unpatched Systems
  • 27. 28 AMBER MONITORING & AUDIT CAPTURE YELLOW McKesson OneCloud Infrastructure Zones GREEN TBD QUARANTINE DMZ OneCloud 1.0 OneCloud 1.5 OneCloud 2.0 OneCloud 1.5 OneCloud v.TBD OneCloud 1.5 THREAT DEFENSE SECURE MANAGEMENT PARTNER INTEGRATION Security Services B2B & 3d Party Cloud Providers Event & Alert Feeds Infrastructure Administration
  • 28. 29 McKesson SecureCloud 2011-2012 Management & Admin Network Zone PCI Internal Service Networks CoLo Internal Service Network ASP-MSP Internal Service Network McKIT ONE CLOUD Network Core Layer McKIT WAN-MPLS B2B Extranet Internet McKesson CareBridge Edge Perimeter Zone Edge Router ISP 1 F/W F/W F/WF/W F/W F/W CoLo’s External Hosting ASP MPS Partners, Vendors, Sub-Contractors McKIT Shared DMZ PCI DMZ VPN Remote Access Core Edge Firewall Layer O/S Build VM Build VM Repository vCloud Mgmt Tools vCenter VCD VCAC EP Agent VSE 8.8 Auth-LDAP SYSLOG VM1…n Hypervisor Layer Vuln Scan Cred Forensics Hosts 1…n vNet Fabric vSwitch1 vSwitch2 vSwitch3 vSwitchn Management & Security Services (Physical) Host F/W Security & Mgmt VMs * DASD * SAN * NAS -NFS -ISCSI -SMB ISP 2 Internal Router Infrastructure Distribution Layer External Untrusted Layer McK Remote Offices McK Remote Sites Internal Trusted LayervSphere Mgmt I/F vShield Endpoint API Support Anti-Virus Vulnerability Mgmt SIEM EndPoint Security Directory Services Resource Reservation Policy Automation Backup & Recovery Data Discovery VM Inventory OneCloud GREEN ZONE Forensics
  • 29. 30 McKesson OneCloud 1.0 – VM Security Placement
  • 30. 31 McKesson OneCloud 1.0 – Internal Hosting Zone
  • 31. 32 McKesson OneCloud 1.0 – ‘Green Zone’ SIEM Integration Active Directory Cloud Management Platform Security hardening of the Cloud infrastructure and management systems is assured using hardening baselines from VMware, ISRM and CIS and live scanning for vulnerabilities and missing patches Authentication, Authorization and Role Assignment are enabled via Active Directory. Dedicated AD Groups are leveraged to assign administrator and user roles for both VMs and Infrastructure ISRM’s event management and incident response services are brought to bear via integration with the existing deployment of the RSA Envision Security Information & Event Management (SIEM) solution. Incident Response and Forensic Analysis is enabled by integration of the forensic data collection agent into the VM Templates underlying OneCloud services Endpoint security management for OneCloud uses McKesson’s standard package, installed at time of provisioning (Windows VMs) or integrated into the OS Template image (Linux VMs) OS APP DATA VM OneCloud workloads benefit from placement inside McKesson’s firewalled and segmented internal data center networks – VMs and applications hosted in the Green Zone are firewalled from the Internet by default The initial OneCloud offering will provide a Baseline level of security for the hosting of internal workloads handling non-sensitive information. Rapid provisioning is leveraged to eliminate the need to patch short-lived systems, as re-provisioning the VM from an updated OneCloud VM Template is an effective replacement for conventional patch management approaches.
  • 32. 33 Agenda  Transform Architecture Into Reality  Compliance Challenges in the SDDC  Auditors and Partners Are On Board  Technology Catching Up with Policy  Customer Perspective: McKesson OneCloud  Example: Simplify Management of PCI DSS Controls  Summary of NSX Service Composer Features for Implementing Compliance Reference Architectures  Next Steps
  • 33. 34 NSX Service Composer – Canvas View Nested Security Groups: A security group can contain other groups. These nested groups can be configured to inherit security policies of the parent container. Members of any nested groups are protected by the parent container policy. e.g. “Financial Department” can contain “Financial Application”
  • 34. 35 NSX Service Composer – Canvas View Members: Security Groups contain VMs, vNICs, vApps and more…to define WHAT you want to protect. e.g. “Financial Applications”, “Desktop Users”, “Quarantine Zone”
  • 35. 36 NSX Service Composer – Canvas View Policies: Collection of service profiles - assigned to this container…to define HOW you want to protect this container e.g. “PCI Compliance” or “Quarantine Policy’
  • 36. 37 NSX Service Composer – Canvas View Profiles: When solutions are registered and deployed, these profiles point to actual security policies that have been defined in the security management console (e.g. AV, network IPS). The only exception is firewall rules, which can be defined directly within Service Composer. Profiles for *deployed* solutions are assigned to these policies. Services supported today:  Distributed Virtual Firewall  Anti-virus  File Integrity Monitoring  Vulnerability Management  Network IPS  Data Security (DLP scan)
  • 37. 38 Compliance Automation Use Case  Compliance Processes • Group systems that must be compliant with a specific regulation and apply necessary controls to the group • Specify systems based on actual data (through sensitive data discovery) or desired compliance state • Move systems in and out of compliance zones based on above • Optional: Require approval before any workload is moved to compliance zone  Properties of Compliance Zone • Apply security policies as dictated by the applicable regulation or standard (e.g. antivirus, firewall, encryption, etc.) Application Owner DLP / Discovery Solution VI Admin / Cloud Operator
  • 38. 39 Automate Compliance Workflow with NSX Service Composer Prerequisites: Security groups defined by tag membership and relevant policies 1. Desktop group scanned for credit card data 2. Data security/DLP solution tags VMs with sensitive data 3. VM with sensitive data automatically gets added to PCI DSS group, based on tag 4. VM is re-scanned for continuous compliance 5. Tag is only removed if credit card data no longer present. VM would then be moved out of PCI DSS zone. Security Group = PCI Zone; Members = {Tag = ‘DATA_SECURITY.violationsFound’}; Security Group = Desktops
  • 39. 40 Agenda  Transform Architecture Into Reality  Compliance Challenges in the SDDC  Auditors and Partners Are On Board  Technology Catching Up with Policy  Customer Perspective: McKesson OneCloud  Example: Simplify Management of PCI DSS Controls  Summary of NSX Service Composer Features for Implementing Compliance Reference Architectures  Next Steps
  • 40. 41 NSX Service Composer Simplifies Compliance Management #1. Apply pre-approved security policies to workloads. Is this what you wanted? VI Admin / Cloud Operator Yup. Looks good. Security Architect
  • 41. 42 NSX Service Composer Simplifies Compliance Management VI Admin / Cloud Operator No problem. When THIS happens, do THAT. Security Architect #2. Implement rules for remediating workloads when they are compromised, at-risk, or non-compliant.
  • 42. 43 NSX Service Composer Simplifies Compliance Management #3. Provision, monitor, and troubleshoot services from a single console. VI Admin / Cloud Operator We can start with these. More coming soon. These are the core security controls we need to protect our systems. What can you do about this? Security Architect AV FW IPSDLP Vuln. Mgmt FIM
  • 43. 44 Agenda  Transform Architecture Into Reality  Compliance Challenges in the SDDC  Auditors and Partners Are On Board  Technology Catching Up with Policy  Customer Perspective: McKesson OneCloud  Example: Simplify Management of PCI DSS Controls  Summary of NSX Service Composer Features for Implementing Compliance Reference Architecture  Next Steps
  • 44. 45 Back at the Office… VI Admin / Cloud Operator Wow. This will really save me a lot of time – thanks! Security Architect Point your security team to VMware Compliance Reference Architectures. Partner with security team to evaluate NSX Service Composer to address compliance requirements. AND I just learned about VMware NSX Service Composer. We could automate a lot of this! No kidding. Prove it! I will. You need to look at these VMware Compliance Reference Architecture documents.
  • 45. 46 You Can… From whiteboard… …to architecture… …to reality. Enforce actionable and repeatable policies across trust zones, as defined by industry regulations and organizational policies – and make this all operationally feasible in the software-defined data center!
  • 46. 47 Other VMware Activities Related to This Session  HOL: HOL-SDC-1315 vCloud Suite Use Cases - Control & Compliance  Group Discussions: SEC1002-GD Compliance Reference Architecture: Integrating Firewall, Antivirus, Logging, IPS in the SDDC with Allen Shortnacy
  • 49. Get on with Business - VMware Reference Architectures Help Streamline Compliance Efforts Gargi Keeling, VMware Luke Youngblood, McKesson Corporation Troy Casey, McKesson Corporation SEC5253 #SEC5253
  • 50. 51 The Basic Concept Security Groups WHAT you want to protect Members: VM, vNIC, network (virtual/Logical Switch, physical), Distributed Virtual PG, cluster, data center, Resource Pool, vApp, other container, IP address, MAC Context: User identity, sensitive data, security posture HOW you want to protect it Services: Firewall, antivirus, intrusion prevention, vulnerability management and more. Profiles: Security policies from VMware and third-party solutions that are defined by the security architect but implemented by the cloud operator. APPLY
  • 51. 52 McKesson OneCloud Phases OneCloud 1.0 OneCloud 1.5 OneCloud 2.0 • Amber Zones: For sensitive data such as PHI, PCI (confidential) Beyond OneCloud 2.0 • Sensitive Data (restricted) • Red (quarantine) zone: AV disabled/missing, missing critical system patch; System placed in Sandbox • DMZ Zone: Prevent systems in this zone from being attached to other networks or zones • Green Zone: Fully compliant systems; Straight L3 pass through with minimal inspection • Yellow Zone: system patches more than xx days out of date or AV signatures out of date; IPS/FW added to inline path
  • 52. 53 VMware NSX Service Composer – For Compliance Scenarios Built-In Services • Firewall, Identity-based Firewall • Data Security (DLP / Discovery) Security Groups • Define workloads based on many attributes (VMs, vNICs, networks, user identity, and more) – WHAT you want to protect 3rd Party Services • IDS / IPS, AV, Vulnerability Mgmt • 2013 Vendors: Symantec, McAfee, Trend Micro, Rapid 7 Any Application (without modification) Virtual Networks VMware NSX Network Virtualization Platform Logical L2 Any Network Hardware Any Cloud Management Platform Logical Firewall Logical Load Balancer Logical L3 Logical VPN Any Hypervisor Security Policies • Define policies using profiles from built-in services and 3rd party services - HOW you want to protect workloads Automation • Use security tags and other context to drive dynamic membership of security groups – results in IF-THEN workflows across services
  • 53. 54 NSX Integrated Partners NSX Controller & NSX Manager NSX API Partner Extensions L2 Gateway FirewallADC/LB IDS/IPS + Cloud Management Platforms AV/FIM Vulnerability Management Security Services
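The deck explains three ideas in prose only: security groups whose membership is driven by tags (slide "Automation Process Using NSX Service Composer"), nested groups whose members inherit the parent container's policy (slide "Canvas View: Nested Security Groups"), and the IF/THEN PCI workflow in which a DLP scan sets a tag, the VM joins the PCI zone, and a clean re-scan removes the tag and the VM leaves the zone (slide "Automate Compliance Workflow"). The following is an added model of those semantics, written for this page; it is not NSX code and does not call the NSX API. The tag name `DATA_SECURITY.violationsFound` and the group names "PCI Zone", "Desktops", "Financial Department" and "Financial Application" are taken from the slides; the VM names, policy names and the scan results are constructed for the example.

```python
"""Model of NSX Service Composer's tag-driven security groups and IF/THEN
workflows (added example; a simulation of the concept, not NSX code)."""
from dataclasses import dataclass, field

# Tag name as shown in the deck; everything else below is constructed.
VIOLATION_TAG = "DATA_SECURITY.violationsFound"


@dataclass
class VM:
    name: str
    tags: set = field(default_factory=set)


@dataclass
class SecurityGroup:
    """WHAT to protect: static members plus tag-based dynamic membership."""
    name: str
    policies: list = field(default_factory=list)       # HOW to protect it
    static_members: set = field(default_factory=set)   # VM names
    required_tags: frozenset = frozenset()             # dynamic criterion
    children: list = field(default_factory=list)       # nested groups

    def matches(self, vm):
        if vm.name in self.static_members:
            return True
        # Empty criterion must not match every VM (frozenset() <= x is True).
        return bool(self.required_tags) and self.required_tags <= vm.tags


def effective_policies(groups, vm, inherited=()):
    """Policies applied to vm across a forest of (possibly nested) groups.
    A member of a nested group also receives the parent container's policies,
    which is what the 'inherited' argument carries down the tree."""
    applied = []
    for g in groups:
        own = list(inherited) + g.policies
        if g.matches(vm):
            applied.extend(p for p in own if p not in applied)
        for p in effective_policies(g.children, vm, own):
            if p not in applied:
                applied.append(p)
    return applied


def members_of(group, vms):
    """Current dynamic membership of one group (names, sorted)."""
    return sorted(vm.name for vm in vms if group.matches(vm))


def dlp_scan(vm, card_data_present):
    """Simulated Data Security/DLP result: the tag is set when card data is
    found and cleared only when a re-scan finds none (workflow steps 2 and 5)."""
    if card_data_present:
        vm.tags.add(VIOLATION_TAG)
    else:
        vm.tags.discard(VIOLATION_TAG)
    return VIOLATION_TAG in vm.tags


def build_composer():
    """Constructed group layout: PCI zone by tag, Desktops by static member,
    and a nested Financial Department -> Financial Application container."""
    pci_zone = SecurityGroup("PCI Zone", policies=["PCI Compliance"],
                             required_tags=frozenset({VIOLATION_TAG}))
    desktops = SecurityGroup("Desktops", policies=["Baseline Desktop"],
                             static_members={"desk-01", "desk-02"})
    fin_app = SecurityGroup("Financial Application",
                            policies=["Financial App Policy"],
                            static_members={"fin-app-01"})
    fin_dept = SecurityGroup("Financial Department",
                             policies=["Financial Department Policy"],
                             children=[fin_app])
    return [pci_zone, desktops, fin_dept]


def run_workflow():
    """Walk one desktop VM through the PCI workflow; returns a list of
    (event, policies in effect) pairs so the transitions can be checked."""
    groups = build_composer()
    vm = VM("desk-01")
    timeline = [("provisioned", effective_policies(groups, vm))]
    dlp_scan(vm, card_data_present=True)       # step 2: tag set
    timeline.append(("card data found", effective_policies(groups, vm)))
    dlp_scan(vm, card_data_present=True)       # step 4: re-scan, still present
    timeline.append(("re-scan, still present", effective_policies(groups, vm)))
    dlp_scan(vm, card_data_present=False)      # step 5: clean, tag removed
    timeline.append(("re-scan, clean", effective_policies(groups, vm)))
    return timeline


if __name__ == "__main__":
    for event, policies in run_workflow():
        print(f"{event:24s} -> {policies}")
    groups = build_composer()
    print("Financial Application member gets:",
          effective_policies(groups, VM("fin-app-01")))
```

Two properties of the model are worth noting for a defender. The PCI policy is attached to the group, never to the VM, so the "PCI Compliance" profile follows the tag in both directions without anyone editing firewall rules; and because `effective_policies` is a pure function of tags and group definitions, the same call is an audit check: run it over the inventory and compare with what the enforcement points report.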