1. Protecting the Software-Defined Data Center from Data Breach
Session SCT33S
Mordecai Rosen, Security, CA Technologies, Vice President, Product Management and Strategy
Jeremiah Cornelius, VMware, Security Architect and Partner Product Strategist
2. © 2015 CA. ALL RIGHTS RESERVED. @CAWORLD #CAWORLD
Terms of this Presentation
For Informational Purposes Only
© 2015 CA. All rights reserved. All trademarks referenced herein belong to their respective companies. The content provided in this CA World 2015 presentation is intended for informational purposes only and does not form any type of warranty. The information provided by a CA partner and/or CA customer has not been reviewed for accuracy by CA.
3. Session Abstract: Protecting the Software Defined Data Center from Breach
In this session, we will discuss:
- Security requirements for our next generation software defined data centers
- VMware NSX™, VMware's network virtualization platform, and how it protects the software defined data center
- CA Privileged Access Manager for VMware NSX™, and how it protects the management plane of VMware NSX™
Speakers: Mordecai Rosen, CA Technologies, VP Product Mgmt.; Jeremiah Cornelius, VMware, Security Architect
4. Existing security layers have been breached
Today's data centers are protected by strong perimeter defense, but threats and exploits still infect servers. Low-priority systems are often the target, and SSL is no guarantee of protection.
Attacks spread inside the data center, where internal controls are often weak. Critical systems are targeted.
Possibly after months of reconnaissance, the infiltration relays secret data to the attacker.
Attackers follow a predictable pattern of actions, called a kill chain, in attempting their attacks. Compromised identities and privileged accounts are at the core of the kill chain.
5. The Problem: 25 years of perimeter security has failed
Today's security model focuses on perimeter defense, but continued security breaches show this model is not enough.
[Figure: the Internet-facing perimeter and the parties crossing it: service providers, partners, auditors, customers, employees, and a hacker]
6. Repurposing existing tools doesn't work
A typical data center has 2 firewalls vs 1000 workloads.
Directing all traffic (virtual + physical) through chokepoint firewalls is inefficient, and a physical firewall per workload is cost prohibitive and unmanageable.
7. The Solution: New software defined data center model
Integrating identity, security, and manageability into the fabric
Starting assumption: assume everything is a threat and act accordingly.
Design principles:
1. Identity centric micro-segmentation
2. Secure policy based management plane
8. How do you move as fast as the business needs you to move, while securing an ever-growing and changing environment, without having to start over?
9. You need a new approach to networking and security that gives you the agility and speed you need to support the business, while providing an inherently more secure infrastructure.
10. Security is needed everywhere, but we can't have our controls everywhere
Why can't we have individual firewalls for every VM?
- Physical firewalls: expensive and complex
- Virtual firewalls: slow, costly, and complicated
With traditional technology, this is operationally infeasible.
[Figure: Internet and data center perimeter]
12. The next-generation networking model
Network and security services now in the hypervisor: switching, routing, firewalling/ACLs, load balancing.
13. The next-generation networking model
Switching, routing, firewalling/ACLs, and load balancing as a native platform capability, with high throughput rates and east-west firewalling.
14. The next-generation networking model: NSX value proposition
Network virtualization is at the core of an SDDC approach: a virtualization layer for network, storage, and compute, with a "network hypervisor" providing virtual networks.
15. Business value: more secure and 1/3 the cost of less secure infrastructure
Security: delivering inherently secure infrastructure
- Security policies simplified
- Logical groups enabled
- Threats contained
[Figure: Internet, data center perimeter, DMZ, secure user environments]
16. Intelligent grouping
Groups defined by customized criteria: operating system, machine name, application tier, services, security posture, regulatory requirements.
17. NSX: at the "Goldilocks Zone" of security
Ubiquity, Isolation, Context
- Core services built into the hypervisor kernel: switching, routing, firewalling
- Ecosystem of distributed services
- Fine-grained containment
- Better security through insight
18. VMware Partners with CA for Privileged Access Management
19. CA Technologies Announces CA Privileged Access Manager for VMware NSX
CA Technologies Collaborates with VMware® on Comprehensive Privileged Access Management Solution for VMware NSX
20. CA Privileged Access Manager: Privileged Identity and Access Management for the Hybrid Enterprise
Delivered as a hardware appliance, AWS AMI, or OVF virtual appliance.
Identity integration and enterprise-class core: vault credentials, centralized authentication, federated identity, privileged single sign-on, role-based access control, monitor and enforce policy, record sessions and metadata, full attribution.
Control and audit all privileged access, with unified policy management across the hybrid enterprise:
- Traditional data center: mainframe, Windows, Linux, Unix, networking; enterprise admin tools
- Software defined data center: SDDC console and APIs
- Public cloud - IaaS: cloud console and APIs
- SaaS applications: SaaS consoles and APIs
21. CA Privileged Access Manager: Privileged Identity and Access Management for the Hybrid Enterprise
A New Security Layer - Control and Audit All Privileged Access
22. Use Case 1: Firewall Administration
Addressing a traditional problem with a more secure and agile solution
Problem: You have a requirement that all management ports on production resources be closed when not in use, and you must demonstrate this to an auditor on-demand.
Traditional solution: Admin opens a ticket with the SOC, who adds a firewall rule which permits the admin to do their work. When the admin is done he resolves the ticket, the SOC removes the rule, then closes the ticket.
Challenges: Fully manual process with potential for human error. No visibility into what the admin did during the session. An overly broad rule permits bad actors.
23. CA PAM for VMware NSX – Access Restrictor
Automatic, runtime, ephemeral Distributed Firewall Rules maintained by CA PAM
- DFW rules added and removed on-demand: rules are added when connections are opened and removed when closed
- Removes the human element and potential for error
- Enables a highly-secure "deny all" environment where exceptions are forced through CA PAM and only CA PAM may access protected resources
[Figure: User -> Client -> CA Privileged Access Manager -> Target VM, with CA PAM programming the DFW through NSX Manager]
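Added illustration of the Access Restrictor pattern described on this slide: a deny-all distributed firewall in which an allow rule exists only for the lifetime of a brokered session, plus the check an auditor would ask for (no management port reachable without an open session). This is a pure-Python model written for this page, not CA PAM code and not the NSX Manager API; the addresses, ports and session ids are constructed.

```python
import itertools
from dataclasses import dataclass, field

MGMT_PORTS = {22, 3389, 443}  # constructed set of "management ports" the auditor cares about

@dataclass
class Rule:
    rule_id: int
    src: str       # only the broker address is ever allowed as a source
    dst: str
    port: int
    session: str   # attribution: the session that caused the rule to exist

@dataclass
class DistributedFirewall:
    """Deny-all model: traffic passes only if an explicit rule matches."""
    rules: dict = field(default_factory=dict)

    def allows(self, src, dst, port):
        return any(r.src == src and r.dst == dst and r.port == port
                   for r in self.rules.values())

class AccessRestrictor:
    """Broker that inserts a rule when a session opens and removes it on close."""

    def __init__(self, dfw, broker_ip):
        self.dfw, self.broker_ip = dfw, broker_ip
        self.open_sessions = {}        # session id -> rule id
        self._ids = itertools.count(1)
        self.audit = []                # append-only trail of open/close events

    def open_session(self, user, target, port):
        rid = next(self._ids)
        sid = f"{user}@{target}:{port}#{rid}"
        self.dfw.rules[rid] = Rule(rid, self.broker_ip, target, port, sid)
        self.open_sessions[sid] = rid
        self.audit.append(("open", sid, rid))
        return sid

    def close_session(self, sid):
        rid = self.open_sessions.pop(sid)   # KeyError: never remove a rule we did not create
        del self.dfw.rules[rid]
        self.audit.append(("close", sid, rid))

def mgmt_ports_closed_when_idle(dfw, restrictor):
    """Auditor check: every management-port rule belongs to a currently open session."""
    live = set(restrictor.open_sessions.values())
    return all(r.rule_id in live for r in dfw.rules.values() if r.port in MGMT_PORTS)
```

The check fails on any management-port rule that outlives its session, which is exactly the stale-ticket case from the traditional workflow.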
24. Use Case 2: Policy Synchronization
Different products, different data, and different policy models
Problem: You want to synchronize your security policies across products from different vendors. For example, when your A/V vendor detects a virus, you want the VM placed into quarantine.
Traditional solution: Hire somebody to keep them in sync, or write custom code to keep them in sync by leveraging different APIs from different vendors.
Challenges: In the manual case, more human error and opportunity for insider threat. In the custom code case you must hire somebody to write it and keep the code up to date.
25. CA PAM for VMware NSX – Dynamic Tagging and Grouping
CA PAM policy in lockstep with NSX Security Tags and Groups
- NSX Security Tags and Groups synced with CA PAM and tied to policies
- As VMs enter/leave NSX Security Groups, CA PAM access is provisioned/removed
- Synchronize CA PAM policies with changes in the NSX security posture
[Figure: VMware vCenter and the VM network, NSX Manager, and CA Privileged Access Manager kept in sync]
26. Use Case 3: Workflow Automation
Making different products from different vendors talk to each other
Problem: When your security products detect anomalies, you want them to coordinate with other products. For example, when threat intel detects an event, you want it to terminate or begin recording all traffic on affected VMs.
Traditional solution: Have your SOC monitor logs and SIEM data and take action manually.
Challenges: Seeing a trend? This too relies on a manual step, and if your SOC is distracted, suffering "false positive fatigue," or malicious, you miss a critical opportunity to break the kill chain.
27. CA PAM for VMware NSX – Service Composer Integration
Deep integration with Service Composer: trigger events in CA PAM via NSX Service Composer workflows
As VMs enter or leave NSX Security Groups, CA PAM will:
- Enable or disable session recording
- Terminate sessions
- Force CA PAM session re-authentication
[Figure: an NSX partner ecosystem product or an admin applies a tag through NSX Manager / VMware vCenter; CA Privileged Access Manager reacts to the user session by enabling/disabling session recording, terminating sessions, or forcing Xsuite re-authentication]
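Added illustration serving both the Dynamic Tagging and Grouping slide (25) and the Service Composer slide above: a pure-Python model of how changes in a VM's security-group membership can be reconciled into privileged-access grants and live-session actions (record, terminate, force re-authentication). It is not CA PAM code and not the NSX API; the group names, policy table and action names are constructed.

```python
from dataclasses import dataclass, field

# Constructed policy table: roles a group grants, and session actions on join/leave.
GROUP_POLICY = {
    "sg-prod-db":    {"grant": {"dba"}, "on_join": ["record"], "on_leave": ["stop_record"]},
    "sg-pci":        {"grant": {"pci-admin"}, "on_join": ["reauth"], "on_leave": []},
    "sg-quarantine": {"grant": set(), "on_join": ["terminate"], "on_leave": []},
}
# What each action does to a live session (attribute, value); names are illustrative.
ACTIONS = {"record": ("recording", True), "stop_record": ("recording", False),
           "terminate": ("active", False), "reauth": ("reauth_required", True)}

@dataclass
class Session:
    user: str
    vm: str
    recording: bool = False
    active: bool = True
    reauth_required: bool = False

@dataclass
class PamPolicyEngine:
    vm_groups: dict = field(default_factory=dict)  # vm -> set of NSX security group names
    sessions: list = field(default_factory=list)
    events: list = field(default_factory=list)     # audit trail of (vm, action) applied

    def allowed_roles(self, vm):
        """Access follows current membership; quarantine removes all access."""
        groups = self.vm_groups.get(vm, set())
        if "sg-quarantine" in groups:
            return set()
        return set().union(*(GROUP_POLICY[g]["grant"] for g in groups if g in GROUP_POLICY))

    def on_tag_change(self, vm, groups):
        """Reconcile a VM's new group membership; returns (joined, left)."""
        old, new = self.vm_groups.get(vm, set()), set(groups)
        self.vm_groups[vm] = new
        for key, changed in (("on_join", new - old), ("on_leave", old - new)):
            for g in changed:
                for action in GROUP_POLICY.get(g, {}).get(key, []):
                    self._apply(vm, action)
        return new - old, old - new

    def _apply(self, vm, action):
        attr, value = ACTIONS[action]
        for s in (s for s in self.sessions if s.vm == vm and s.active):
            setattr(s, attr, value)
        self.events.append((vm, action))
```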
28. Use Case 4: Programmatic/API Access
Controls for your APIs
Problem: You have a plethora of scripts and power users who interact with management tools via well-defined APIs, and you lack any controls over who uses them and visibility into what they do.
Traditional solution: Attempt to limit API sprawl and hope that the users and scripts that are using these interfaces are trusted and kind.
Challenges: API access is like leaving the back door open: no matter how many controls you have on the front door, if you don't protect the API you expose a very attractive target. Credentials within scripts are the ultimate target.
29. CA PAM for VMware NSX – NSX Manager REST API Proxy
Closing the "API Loop" to the NSX management plane: the last mile for full NSX Manager administration visibility
- Users and scripts talk to the Proxy, not to NSX Manager, with different credentials, which may rotate on a policy or schedule
- CA PAM vaults, and rotates, the NSX Manager credentials
- Integrates with Application to Application (A2A)
[Figure: Consumer -> A-side request/response -> NSX Manager API Proxy (NAP) in CA Privileged Access Manager -> Z-side request/response -> NSX Manager; CA PAM logs A2A requests and changes the NSX Manager password]
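Added illustration of the proxy pattern on this slide: each consumer authenticates to the proxy with its own token, the proxy reaches the target with the vaulted credential, every request is attributed in a log, and rotating the target credential does not break the consumer. This is a pure-Python model written for this page, not CA PAM code and not the NSX API; the consumer id and request path are constructed.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

def _digest(secret):
    return hashlib.sha256(secret.encode()).hexdigest()

@dataclass
class Vault:
    """Holds the real NSX Manager credential; consumers never receive it."""
    nsx_password: str = field(default_factory=lambda: secrets.token_urlsafe(24))

    def rotate(self):
        self.nsx_password = secrets.token_urlsafe(24)
        return self.nsx_password

@dataclass
class ApiProxy:
    """Consumers present their own token on the A-side; the proxy uses the vault on the Z-side."""
    vault: Vault
    consumers: dict = field(default_factory=dict)  # consumer id -> digest of its token
    log: list = field(default_factory=list)        # attribution: who asked for what, outcome

    def enroll(self, consumer_id):
        token = secrets.token_urlsafe(16)          # per-consumer credential, not the NSX one
        self.consumers[consumer_id] = _digest(token)
        return token

    def a_side_request(self, consumer_id, token, method, path):
        expected = self.consumers.get(consumer_id)
        if expected is None or not hmac.compare_digest(expected, _digest(token)):
            self.log.append((consumer_id, method, path, "denied"))
            return None
        self.log.append((consumer_id, method, path, "forwarded"))
        return self._z_side(method, path)

    def _z_side(self, method, path):
        """Stand-in for the upstream call: what NSX Manager would see."""
        return {"auth": self.vault.nsx_password, "method": method, "path": path}
```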
30. CA Privileged Access Manager for VMware NSX: Capability Summary
- Credentials management: vaulting and full lifecycle management of passwords and SSH access keys for NSX-based resources, NSX Manager and API, and other enterprise resources
- Federated SSO: TACACS+, AD/LDAP, RADIUS, RSA, SMS mobile token, SAML, PIV/CAC for VMware vSphere®, NSX APIs, VMware® NSX Manager™, and other physical/virtual resources across the enterprise
- Access policy enforcement: integrated with NSX Manager and Service Composer service insertion; dynamic application of access control policies based on NSX security policies, enforced via NSX micro-segmentation
- Audit trail and session recording: complete logs and full session recording of all access to NSX resources, including NSX Manager and API
31. Customer Testimonial
33. Summary: A Few Words to Review
Conclusions and Recommendations
• Existing security layers have been breached
• Next generation Software Defined Data Center models like VMware NSX are inherently more secure
• Protecting the management plane of the hybrid enterprise is required to break the data breach kill chain
• Security has now become a business enabler versus an operational cost or tax
34. Recommended Sessions
SESSION # | TITLE | DATE/TIME
SCT19T | Defend Against Data Breaches With CA Privileged Access Management | 11/18/2015 at 3:00 pm
SCT07S | Roadmap: Privileged Identity Management | 11/19/15 at 4:30 pm
SCT32T | Privileged Access Management for the Software-Defined Network | 11/19/2015 at 11:30 am
35. Must See Demos (Security Theater)
- Positive Privileged User Authentication: CA Privileged Access Manager
- Fine-Grained Access Control for Servers: CA Privileged Access Manager Server Control
- Privileged Access Control: CA Privileged Access Manager
- Record and Analyze User Sessions: CA Privileged Access Manager
36. Follow On Conversations At…
- Smart Bar: CA Privileged Access Manager, Theater # location
- Tech Talks: PAM for the Software-Defined Network (SCT32T)
37. Q & A
38. For More Information
To learn more, please visit: http://cainc.to/Nv2VOe
CA World '15