VMworld 2013
Gargi Keeling, VMware
Luke Youngblood, McKesson Corporation
Troy Casey, McKesson Corporation
Learn more about VMworld and register at http://www.vmworld.com/index.jspa?src=socmed-vmworld-slideshare
VMworld 2013: Get on with Business - VMware Reference Architectures Help Streamline Compliance Efforts
1. Get on with Business - VMware Reference Architectures Help Streamline Compliance Efforts
Gargi Keeling, VMware
Luke Youngblood, McKesson Corporation
Troy Casey, McKesson Corporation
SEC5253
#SEC5253
4. 5
What If You Could…
From whiteboard… …to architecture… …to reality.
Enforce actionable and repeatable policies across trust zones, as defined by industry regulations and organizational policies – and make this all operationally feasible in the software-defined data center?
5. 6
Agenda
Transform Architecture Into Reality
Compliance Challenges in the SDDC
Auditors and Partners Are On Board
Technology Catching Up with Policy
Customer Perspective: McKesson OneCloud
Example: Simplify Management of PCI DSS Controls
Summary of NSX Service Composer Features for Implementing Compliance Reference Architectures
Next Steps
6. 7
Process for Defining Reference Architecture is Not Trivial
Diagram labels: Regulations, Standards, Best Practices; Common Control Frameworks; Reference Architectures; Infrastructure Requirements (Access Control, Segmentation, Remediation, Automation, Policy Management, Audit); PCI Zone on VMware vSphere.
See also session VCM5428.
7. 8
The Cloud Operator Has to Make This All Work…But How?
Security Architect: "I need this."
VI Admin / Cloud Operator: "Yikes."
Security Policy ≠ Security Operations
Security team asks operator to implement policies but reference architectures only get you so far.
8. 9
The Cloud Operator Has to Make This All Work…But How?
Security Architect: "When THIS happens, we need to do THAT."
VI Admin / Cloud Operator: "Looks complicated." … "It is."
Manual Workflows Across Different Solutions
Security team relies on manual processes to build workflows between different vendor solutions.
9. 10
The Cloud Operator Has to Make This All Work…But How?
Security Architect: "We approve these solutions. You deploy them."
VI Admin / Cloud Operator: "Maybe next year…"
Cumbersome Provisioning
Operator is responsible for deploying vendor solutions, often with inconsistent, multi-step processes.
14. 15
NSX Service Composer
Security services can now be consumed more efficiently in the software-defined data center.
Automate. Automate workflows across different services, without custom integration.
Provision. Provision and monitor uptime of different services, using one method.
Apply. Apply and visualize security policies for workloads, in one place.
See also session SEC5749.
15. 16
Concept – Apply Policies to Workloads
Security Groups – WHAT you want to protect: Members (VM, vNIC…) and Context (user identity, security posture)
HOW you want to protect it: Services (Firewall, antivirus…) and Profiles (labels representing specific policies)
APPLY: Define security policies based on service profiles already defined (or blessed) by the security team. Apply these policies to one or more security groups where your workloads are members.
16. 17
Concept – Automate Workflows Across Services
Services shown: AV, FW, IPS, DLP, Vuln. Mgmt
IF one service finds something, THEN another service can do something about it, WITHOUT requiring integration between services!
See also session SEC5750.
17. 18
Automation Process Using NSX Service Composer
Use NSX security tags, either through NSX security solutions or APIs, to define IF/THEN workflows across security services.
Step 1 - Define security tags based on workflow requirements
Step 2 - Define security group based on tags
Step 3 - Set and unset tags based on security workflow requirements.
19. 20
About McKesson
At A Glance: Founded 1833; HQ San Francisco; 37,000+ employees; Focus: Distribution and Technology
Our Businesses: Distribution Solutions (pharmaceutical, medical/surgical, plasma and biologics, pharmacy and more); Technology Solutions (information solutions, medication imaging, automation and more)
By the Numbers: Ranked 14th on Fortune 500; NYSE: MCK; Revenue: $122.7 billion in FY2012; #1 pharmaceutical distribution in US, Canada; #1 generics pharmaceutical distribution; #1 hospital automation; 52% of US hospitals use McKesson technology
20. 21
McKesson OneCloud
A self-service, private cloud giving users access to new applications on-demand, with necessary security controls.
Roles shown: VI Admin / Cloud Operator; Security Architect
21. 22
NIST Cloud Computing Model
Deployment Models: Public, Private, Hybrid, Community
Service Models: Platform as a Service (PaaS), Infrastructure as a Service (IaaS), Software as a Service (SaaS)
Essential Characteristics: Broad Network Access, Resource Pooling, Rapid Elasticity, On-Demand Self-Service, Measured Service
With OneCloud, McKesson IT delivers the essential characteristics of Cloud Computing in a Private Cloud, Infrastructure as a Service (IaaS) model. Customers can build their own customized VM catalogs and deliver Platform (PaaS) services to authorized users within their own organizations.
23. 24
OneCloud Administration Roles
Diagram labels: Network (WLAN, WAN, LAN); VMM / Hypervisor, Virtualization Management, Compute, Storage; Infrastructure – McK-IT; Platform – McK-IT; Software / Applications – Group Mgrs, Users; Physical, Virtual; Server VM Templates, virtualApp Templates, Server VM Instances
McKesson IT designs, engineers, implements, manages & supports the virtual infrastructure and the underlying physical infrastructure.
McKesson IT designs, engineers, creates, and publishes the base OS templates for use in OneCloud with monitoring and management tools pre-installed and pre-configured.
Administrators of OneCloud consumer groups consume single-machine templates and assemble them into multi-machine templates called vApps. They assign User roles and publish deployment Blueprints for their groups.
OneCloud Users consume vApps by creating application instances from the Blueprints and Templates published for their groups. Their rights are limited by role assignments and resource pooling. They either use the instantiated systems directly or provision them for their teams’ compute requirements.
24. 25
McKesson SecureCloud 2011-2012
Network diagram layers: External Untrusted Layer; Edge Perimeter Zone; Core Edge Firewall Layer; Infrastructure Distribution Layer; Network Core Layer; Internal Trusted Layer.
Diagram labels: Internet, McKesson CareBridge, B2B Extranet, McKIT WAN-MPLS, CoLo’s External Hosting, ASP, MPS, Partners, Vendors, Sub-Contractors, McK Remote Offices, McK Remote Sites, VPN Remote Access, ISP 1, ISP 2, Edge Router, firewalls (F/W), Internal Router, McKIT Shared DMZ, PCI DMZ, Management & Admin Network Zone, PCI Internal Service Networks, HIPAA Internal Service Network, CoLo Internal Service Network, ASP-MSP Internal Service Network.
31. 32
McKesson OneCloud 1.0 – ‘Green Zone’
Cloud Management Platform: Security hardening of the Cloud infrastructure and management systems is assured using hardening baselines from VMware, ISRM and CIS and live scanning for vulnerabilities and missing patches.
Active Directory: Authentication, Authorization and Role Assignment are enabled via Active Directory. Dedicated AD Groups are leveraged to assign administrator and user roles for both VMs and Infrastructure.
SIEM Integration: ISRM’s event management and incident response services are brought to bear via integration with the existing deployment of the RSA Envision Security Information & Event Management (SIEM) solution.
Incident Response and Forensic Analysis is enabled by integration of the forensic data collection agent into the VM Templates underlying OneCloud services.
VM (OS / APP / DATA): Endpoint security management for OneCloud uses McKesson’s standard package, installed at time of provisioning (Windows VMs) or integrated into the OS Template image (Linux VMs).
OneCloud workloads benefit from placement inside McKesson’s firewalled and segmented internal data center networks – VMs and applications hosted in the Green Zone are firewalled from the Internet by default.
The initial OneCloud offering will provide a Baseline level of security for the hosting of internal workloads handling non-sensitive information. Rapid provisioning is leveraged to eliminate the need to patch short-lived systems, as re-provisioning the VM from an updated OneCloud VM Template is an effective replacement for conventional patch management approaches.
33. 34
NSX Service Composer – Canvas View
Nested Security Groups: A security group can contain other groups. These nested groups can be configured to inherit security policies of the parent container. Members of any nested groups are protected by the parent container policy.
e.g. “Financial Department” can contain “Financial Application”
34. 35
NSX Service Composer – Canvas View
Members: Security Groups contain VMs, vNICs, vApps and more…to define WHAT you want to protect.
e.g. “Financial Applications”, “Desktop Users”, “Quarantine Zone”
35. 36
NSX Service Composer – Canvas View
Policies: Collection of service profiles - assigned to this container…to define HOW you want to protect this container
e.g. “PCI Compliance” or “Quarantine Policy”
36. 37
NSX Service Composer – Canvas View
Profiles: When solutions are registered and deployed, these profiles point to actual security policies that have been defined in the solution's security management console (e.g. AV, network IPS). The only exception is firewall rules, which can be defined directly within Service Composer. Profiles for *deployed* solutions are assigned to these policies.
Services supported today:
• Distributed Virtual Firewall
• Anti-virus
• File Integrity Monitoring
• Vulnerability Management
• Network IPS
• Data Security (DLP scan)
37. 38
Compliance Automation Use Case
Compliance Processes
• Group systems that must be compliant with a specific regulation and apply necessary controls to the group
• Specify systems based on actual data (through sensitive data discovery) or desired compliance state
• Move systems in and out of compliance zones based on above
• Optional: Require approval before any workload is moved to compliance zone
Properties of Compliance Zone
• Apply security policies as dictated by the applicable regulation or standard (e.g. antivirus, firewall, encryption, etc.)
Actors shown: Application Owner; DLP / Discovery Solution; VI Admin / Cloud Operator
38. 39
Automate Compliance Workflow with NSX Service Composer
Prerequisites: Security groups defined by tag membership and relevant policies
1. Desktop group scanned for credit card data
2. Data security/DLP solution tags VMs with sensitive data
3. VM with sensitive data automatically gets added to PCI DSS group, based on tag
4. VM is re-scanned for continuous compliance
5. Tag is only removed if credit card data no longer present. VM would then be moved out of PCI DSS zone.
Security Group = PCI Zone
Members = {Tag = ‘DATA_SECURITY.violationsFound’}
Security Group = Desktops
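The tag-driven workflow of steps 1 to 5 above, together with the nested-group policy inheritance from the earlier Canvas View slide, as an added simulation: this is not code from the deck or from NSX itself, the group, VM and policy names are constructed, and only the tag name is taken from this slide.

```python
from dataclasses import dataclass, field
VIOLATION_TAG = "DATA_SECURITY.violationsFound"  # tag name shown on slide 39

@dataclass
class VM:
    name: str
    tags: set = field(default_factory=set)

@dataclass
class SecurityGroup:
    name: str
    policies: list = field(default_factory=list)       # HOW: service profiles
    static_members: set = field(default_factory=set)   # WHAT: explicit VMs
    tag: str = ""                                      # WHAT: dynamic tag rule
    children: list = field(default_factory=list)       # nested groups

    def members(self, inventory):
        """Static members, tag-matched VMs, and every member of a nested group."""
        found = {vm.name for vm in inventory
                 if vm.name in self.static_members or (self.tag and self.tag in vm.tags)}
        for child in self.children:
            found |= child.members(inventory)
        return found

def effective_policies(vm, groups, inventory):
    """Policies applied to a VM; a parent's policies inherit to nested-group members."""
    applied = []
    for g in groups:
        if vm.name in g.members(inventory):
            for p in g.policies + effective_policies(vm, g.children, inventory):
                if p not in applied:
                    applied.append(p)
    return applied

def dlp_scan(vm, card_data_found):
    """Steps 2 and 5: the DLP service sets the tag on a hit and clears it once clean."""
    (vm.tags.add if card_data_found else vm.tags.discard)(VIOLATION_TAG)

# Constructed sample inventory and groups (hypothetical names, not McKesson's).
DESK1, DESK2, FINAPP = VM("desk-01"), VM("desk-02"), VM("fin-app-01")
INVENTORY = [DESK1, DESK2, FINAPP]
GROUPS = [
    SecurityGroup("Desktops", ["Desktop Baseline"], {"desk-01", "desk-02"}),
    SecurityGroup("PCI Zone", ["PCI Compliance"], tag=VIOLATION_TAG),
    SecurityGroup("Financial Department", ["Finance Baseline"], children=[
        SecurityGroup("Financial Application", ["App Firewall"], {"fin-app-01"})]),
]

def pci_workflow(vm, card_data_found):
    """Steps 3 and 5: the scan result drives the tag, the tag drives PCI Zone membership."""
    dlp_scan(vm, card_data_found)
    return effective_policies(vm, GROUPS, INVENTORY)
```

Running `pci_workflow(DESK1, True)` returns both the desktop baseline and the PCI policy; a clean rescan with `pci_workflow(DESK1, False)` drops the tag and the VM leaves the PCI Zone without anyone editing the group.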
40. 41
NSX Service Composer Simplifies Compliance Management
#1. Apply pre-approved security policies to workloads.
VI Admin / Cloud Operator: "Is this what you wanted?"
Security Architect: "Yup. Looks good."
41. 42
NSX Service Composer Simplifies Compliance Management
#2. Implement rules for remediating workloads when they are compromised, at-risk, or non-compliant.
Security Architect: "When THIS happens, do THAT."
VI Admin / Cloud Operator: "No problem."
42. 43
NSX Service Composer Simplifies Compliance Management
#3. Provision, monitor, and troubleshoot services from a single console.
Security Architect: "These are the core security controls we need to protect our systems. What can you do about this?"
VI Admin / Cloud Operator: "We can start with these. More coming soon."
Services shown: AV, FW, IPS, DLP, Vuln. Mgmt, FIM
44. 45
Back at the Office…
Point your security team to VMware Compliance Reference Architectures. Partner with security team to evaluate NSX Service Composer to address compliance requirements.
VI Admin / Cloud Operator: "Wow. This will really save me a lot of time – thanks!"
Exchange between the VI Admin / Cloud Operator and the Security Architect: "You need to look at these VMware Compliance Reference Architecture documents." "AND I just learned about VMware NSX Service Composer. We could automate a lot of this!" "No kidding. Prove it!" "I will."
45. 46
You Can…
From whiteboard… …to architecture… …to reality.
Enforce actionable and repeatable policies across trust zones, as defined by industry regulations and organizational policies – and make this all operationally feasible in the software-defined data center!
46. 47
Other VMware Activities Related to This Session
HOL: HOL-SDC-1315 vCloud Suite Use Cases - Control & Compliance
Group Discussions: SEC1002-GD Compliance Reference Architecture: Integrating Firewall, Antivirus, Logging, IPS in the SDDC with Allen Shortnacy
50. 51
The Basic Concept
Security Groups – WHAT you want to protect:
Members: VM, vNIC, network (virtual/Logical Switch, physical), Distributed Virtual PG, cluster, data center, Resource Pool, vApp, other container, IP address, MAC
Context: User identity, sensitive data, security posture
HOW you want to protect it:
Services: Firewall, antivirus, intrusion prevention, vulnerability management and more.
Profiles: Security policies from VMware and third-party solutions that are defined by the security architect but implemented by the cloud operator.
APPLY
51. 52
McKesson OneCloud Phases
Phases: OneCloud 1.0, OneCloud 1.5, OneCloud 2.0, Beyond OneCloud 2.0
• Amber Zones: For sensitive data such as PHI, PCI (confidential)
• Sensitive Data (restricted)
• Red (quarantine) zone: AV disabled/missing, missing critical system patch; System placed in Sandbox
• DMZ Zone: Prevent systems in this zone from being attached to other networks or zones
• Green Zone: Fully compliant systems; Straight L3 pass through with minimal inspection
• Yellow Zone: system patches more than xx days out of date or AV signatures out of date; IPS/FW added to inline path
52. 53
VMware NSX Service Composer – For Compliance Scenarios
Built-In Services
• Firewall, Identity-based Firewall
• Data Security (DLP / Discovery)
3rd Party Services
• IDS / IPS, AV, Vulnerability Mgmt
• 2013 Vendors: Symantec, McAfee, Trend Micro, Rapid 7
Security Groups
• Define workloads based on many attributes (VMs, vNICs, networks, user identity, and more) – WHAT you want to protect
Security Policies
• Define policies using profiles from built-in services and 3rd party services - HOW you want to protect workloads
Automation
• Use security tags and other context to drive dynamic membership of security groups – results in IF-THEN workflows across services
Platform diagram: Any Application (without modification); Virtual Networks (Logical L2, Logical L3, Logical Firewall, Logical Load Balancer, Logical VPN) on the VMware NSX Network Virtualization Platform; Any Hypervisor; Any Network Hardware; Any Cloud Management Platform