1. Increasing Security while Decreasing
Costs when Virtualizing In-Scope Servers:
How to virtualize more by building a security fortress around
your “in-scope” virtual environment with HyTrust
First in a three-part series for IS and IT professionals responsible for
virtualization and data center architecture, management, and optimization
1975 W. El Camino Real, Suite 203, Mountain View, CA 94040 Phone: 650-681-8100 / email: info@hytrust.com
© 2012, HyTrust, Inc. www.hytrust.com 1
2. Overview
Meet the Experts
What are the key business drivers for the virtualization security
blueprint?
Can you recommend a strategy, framework, and tools to help us
succeed with compliance audits and beyond?
What cross-vendor architectures exist to help virtualize more mission-
critical applications, more securely this year?
What best practices and methodologies can you outline for planning
and undertaking these newer virtualization security initiatives?
Summary
Q&A
3. Today’s Experts
Justin Lute
Director, Product Management - Virtualization, Cloud, and
Technology Integrations – Qualys
Extensively-certified, technical and business leader in
cloud security
Strategic product, technical consulting, and engineering
roles at VCE, EMC, RSA, and more.
Justin has studied at Stanford University and The Ohio
State University.
4. Today’s Experts
Dave Shackleford
SVP of Research and CTO, IANS
Former consultant at Voodoo Security
Author of SANS Virtualization Security and Cloud
Security courses, and SANS curriculum lead for
Virtualization and Cloud Security
Sybex “Virtualization Security” book coming in Q3 2012
Helped create and publish first virtualization security
hardening guides while CTO at Center for Internet
Security
5. Today’s Experts
Eric Chiu
Eric Chiu is CEO and co-founder of HyTrust, Inc.
(http://www.hytrust.com/),
Vice President of Sales and Business Development at
Cemaphore Systems, a leader in disaster recovery for
Microsoft Exchange, Business Development at MailFrontier
and mySimon
Instrumental in building OEM partnerships and technology
alliances and driving new product initiatives.
Formerly a Venture Capitalist for Brentwood (now Redpoint)
and Pinnacle, he also served in the M&A Group for
Robertson, Stephens and Company.
Eric holds a BS in Materials Science and Engineering from
UC Berkeley.
6. HyTrust Backgrounder
Founded: Fall 2007
Headquarters: Mountain View, CA
Venture Funding: $16 million
Strategic Partners:
Awards & Top Ten Lists: VMworld 2009 Best of Show, VMworld 2009 Gold,
VMworld 2010 Finalist, TechTarget 2009 Product of the Year, RSA Innovation Sandbox
2009/2010 Finalist, SC Magazine 2010 Rookie Company of the Year, Network World
Startup to Watch 2010, InfoWorld Tech Company to Know 2010, Forbes “Who’s Who”
in Virtualization, Red Herring 2010 North America winner, Gartner Cool Vendor 2011
7. Data Center of the Future – 3 year Vision
[Diagram; labels: “Rented” Cloud; SaaS; Application; Infrastructure; Self-Service; Access; Identity and Usage; Consolidation & Virtualization; IT as a Service; Ubiquitous Access; Data; Cost]
End result of datacenter transformation: IT is delivered as-a-service;
Role of Corporate IT is transformed from operational to control / governance
8. What security concern ranks highest in importance in your
virtualized environments heading into 2012?
Lack of automation (admin is brought in for every update and change)
Self service for line of businesses to access/manage their virtual machines
Strength of security policies and processes around access and change controls
Insider breach – either malicious or errant
Logging and reporting tools for audit and/or forensics purposes
All of the above
9. When are you planning your next server refresh?
Next 6 months as part of a full data center re-architecture
Next 6 months as standalone server refresh
Next 7-12 months as part of a full data center re-architecture
Next 7-12 months as standalone server refresh
Greater than 12 months as part of a full data center re-architecture
Greater than 12 months as standalone server refresh
No server refresh planned
Unknown
10. Key Drivers – Innovation Driving Business Goals
Virtualize More…
In analyst research on CIO top priorities for 2012,
40% picked virtualization as one of their top three
Analyst research shows the market is now 52% virtualized,
with many organizations aiming to be 75% virtualized
by 2014. *
* Forrester Research, CISO’s Guide to Virtualization Security
11. Key Drivers - Virtualization / Cloud Security Leading IT
Virtualize More Securely…
“There will be more virtual machines deployed on servers during 2011 than in 2001 through 2009 combined” ²
“By 2015, 40% of the security controls used within enterprise data centers will be virtualized, up from less than 5% in 2010.” ¹
“Virtualization increases security risk by 60%.” ¹
¹ Gartner; “From Secure Virtualization to Secure Private Clouds”; Neil MacDonald & Thomas J. Bittman; 13 October 2010
² Gartner; “Q&A: Six Misconceptions About Server Virtualization”; Thomas J. Bittman; 29 July 2010
12. Key Drivers - Business Demands More
Virtualize More…
More Securely…
With Less!
Forrester Research CISO’s Guide to Virtualization Security
13. Key Drivers - Proactively Protect and Secure Your IP
87% Percentage of companies that have experienced a data breach (IT Compliance Institute)
48% Percent of all breaches that involved privileged user misuse (Verizon report, 2010)
74% Percentage of breached companies who lost customers as a result of the breach (IT Compliance Institute)
16. Key Drivers - Summary
Build the Business Case
External and Internal drivers
Describing what ISO/IEC 27001 is
Articulating benefits
Value to your intellectual property (IP)
Value to Brand
Value to departmental reputation and team careers
17. Strategy, Framework, and Tools
Scoping – the Key to Success
Planning and Design - Understanding the environment is critical
ISMS - Documented Components
Communication and Setting Expectations Internally
18. Strategy, Framework, and Tools
GRC Tool Benefits
ISO Controls Testing (control activities)
Obtain Certification
Maintenance, Surveillance, and Re-Audit
19. Why Get Started Now?
Jason Cornish, former Shionogi
Pharma IT Staffer
Pleaded guilty to Feb ’11 computer
intrusion
Wiped out 88 corporate servers (VMs) –
email, order tracking, financial, & other
services – and 15 ESX hosts
Shionogi’s operations frozen for days
unable to ship product
unable to cut checks
unable to send email
Estimated cost: $800k
All of this was accomplished from a McDonald’s
20. Why Get Started Now?
“…down the road, the cyber
threat will be the number one
threat to the country…”
FBI Director Robert Mueller
…“service attacks … into NASDAQ,
RSA, and the IMF” underscore
the vulnerability of key sectors
of the economy.
…“wholesale plundering” of
American intellectual property.
Director of National Intelligence, James Clapper
21. Best Practices and Guidance - Getting Started
How To Get Started with Virtualization Security
Strive for virtual security that is equal to or better than the traditional
security in your environment.
Consider the following:
Apply the “Zero Trust” model of information security to your network
architecture
Consider virtualization-aware security solutions
Implement privileged identity management
Incorporate vulnerability management into the virtual server environment