VMworld 2013
Jerry Breaud, VMware
Allen Shortnacy, VMware
1. VMware Compliance Reference Architecture Framework Overview
SEC5428 (#SEC5428)
2. Agenda
VMware Compliance Reference Architecture Framework
Compliance Reference Architecture Methodology
NSX Service Composer for Compliance Architectures
Network Virtualization
NSX Network Services
Other VMware Product Capabilities Relative to Compliance
Summary
Next Steps – VMworld and Beyond
3. Competing Concerns – Pick Any 2
“Are you getting the maximum efficiency out of your infrastructure?”
“How quickly can IT respond to LOB requests?”
• Legislative Compliance
• Security – Corp Assets & IP
• Risk Reduction
• SLAs & Business Continuity
4. Security & Compliance Influence Design of the SDDC
(Diagram labels: Regulations, Standards, Best Practices; Common Control Frameworks; Infrastructure Requirements – Access Control, Segmentation, Remediation, Automation, Policy Management, Audit; Reference Architectures; PCI Zone on VMware vSphere.)
6. Technology Solution Categories Mapped to Regulations
Common Required Technical Security Solutions (the slide's applicability marks for ISO, PCI, HIPAA, SANS, CSA, FISMA Low/Moderate/High and FedRAMP Low/Moderate are not reproduced; the PCI and NIST requirement references are as shown on the slide):

| # | Abbrev. | Solution | Description | PCI Requirements | NIST Requirements |
|---|---|---|---|---|---|
| 1 | VAM | Vulnerability Assessment and Management | Identify and track vulnerabilities | 6.2, 6.5, 6.6, 11.2 | RA-5 |
| 2 | PT | Penetration Testing | Validate vulnerabilities | 11.3 | CA-2 |
| 3 | SEIM | Security Event Information Monitoring | Log and correlate environment data | 10, A.1.3 | SI-4, AU-2/3/6/10/12 |
| 4 | IPS | Intrusion Prevention System | Identify attacks | 11.4 | SI-3, SI-4 |
| 5 | FIM | File Integrity Monitoring | Identify changed files | 11.5 | SI-7 |
| 6 | 2FA | Two Factor Authentication | Authenticate users | 8.3 | IA-2 |
| 7 | IdM | Identity Management | Provision and deprovision users | 8.1, 8.2, 8.5.1 | IA-4 |
| 8 | AAA | Authentication, Authorization, Accounting (3A) | Identity interaction nonrepudiation | 7, 8.5 | IA-5, AC-3 |
| 9 | FW | Network (N) and Host (H) Firewall | Segment and protect networks | 1 | SC-7 |
| 10 | AV | Server and Endpoint Antivirus | Protect against malware | 5 | SI-3 |
| 11 | BU | System Backups | Systems survivability | 10.5.3, 12.9.1 | CP-9 |
| 12 | DARE | Data At Rest Encryption | Protect data | 3.4, 3.5, 3.6 | SC-12/13/28, IA-7 |
| 13 | DIME | Data In Motion Encryption | Protect data | 2.3, 4, 8.4 | SC-9/12/13, IA-7 |
| 14 | DBM | Database Monitoring | Protect database environment | 10, A.1.3 | SI-4 |
| 15 | CM | Configuration Management | Protect infrastructure | 2.1, 2.2 | SI-2, SA-10, CM-1/2/6 |
| 16 | PM | Patch Management | Protect infrastructure | 6.1 | CM-2, SI-2 |
| 17 | WAF* | Web Application Firewall | Protect user services | 6.6 | SI-3, SI-4, SC-7 |
| 18 | DLP** | Data Leakage Protection | Identify sensitive data | | |

* Specifically called out in some authorities and implied control in others. Highly recommended where the Internet will be the primary use case.
** Not specifically called out in any authority.
10. Compliance Reference Architecture Methodology
Dynamic Composition with Line of Sight
• Regulatory Specificity for Audit
• Regulation Independent Use Case Controls
• Technology Partner Choice
• Process Methodology for Delivery and Maturity
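As an added example (not VMware's own tooling) of the line-of-sight idea, a gap analysis over the slide 6 mapping: it takes the technology categories deployed in a zone and reports which top-level PCI DSS requirements have a technical control behind them, which have none, and which NIST 800-53 controls are addressed. Category abbreviations and requirement numbers are the slide's; the per-regulation applicability marks are not encoded because the slide export did not preserve them.

```python
# Added example (not VMware tooling): "line of sight" gap analysis using the
# PCI DSS and NIST 800-53 columns of the slide 6 mapping table.
from collections import defaultdict

# Category abbreviation -> (PCI DSS requirements, NIST 800-53 controls), per slide 6.
MAPPING = {
    "VAM":  (["6.2", "6.5", "6.6", "11.2"], ["RA-5"]),
    "PT":   (["11.3"], ["CA-2"]),
    "SEIM": (["10", "A.1.3"], ["SI-4", "AU-2", "AU-3", "AU-6", "AU-10", "AU-12"]),
    "IPS":  (["11.4"], ["SI-3", "SI-4"]),
    "FIM":  (["11.5"], ["SI-7"]),
    "2FA":  (["8.3"], ["IA-2"]),
    "IdM":  (["8.1", "8.2", "8.5.1"], ["IA-4"]),
    "AAA":  (["7", "8.5"], ["IA-5", "AC-3"]),
    "FW":   (["1"], ["SC-7"]),
    "AV":   (["5"], ["SI-3"]),
    "BU":   (["10.5.3", "12.9.1"], ["CP-9"]),
    "DARE": (["3.4", "3.5", "3.6"], ["SC-12", "SC-13", "SC-28", "IA-7"]),
    "DIME": (["2.3", "4", "8.4"], ["SC-9", "SC-12", "SC-13", "IA-7"]),
    "DBM":  (["10", "A.1.3"], ["SI-4"]),
    "CM":   (["2.1", "2.2"], ["SI-2", "SA-10", "CM-1", "CM-2", "CM-6"]),
    "PM":   (["6.1"], ["CM-2", "SI-2"]),
    "WAF":  (["6.6"], ["SI-3", "SI-4", "SC-7"]),
    "DLP":  ([], []),          # not specifically called out in any authority
}

# Top-level PCI DSS requirements 1-12 plus Appendix A1 (the rows of slide 30).
PCI_TOP_LEVEL = [str(n) for n in range(1, 13)] + ["A1"]

def top_level(req):
    """Map a sub-requirement to its top-level requirement: '8.5.1' -> '8', 'A.1.3' -> 'A1'."""
    parts = req.split(".")
    return "A" + parts[1] if parts[0] == "A" else parts[0]

def line_of_sight(deployed):
    """Return (evidence, gaps, nist) for the deployed category abbreviations:
    evidence maps each top-level PCI requirement to the categories addressing it,
    gaps lists requirements no deployed category addresses, nist is the control union."""
    evidence = defaultdict(set)
    nist = set()
    for cat in deployed:
        pci_reqs, nist_ctrls = MAPPING[cat]      # KeyError flags an unknown category
        for req in pci_reqs:
            evidence[top_level(req)].add(cat)
        nist.update(nist_ctrls)
    gaps = [r for r in PCI_TOP_LEVEL if r not in evidence]
    return {k: sorted(v) for k, v in evidence.items()}, gaps, sorted(nist)
```

Deploying every category in the table still leaves requirement 9 (physical access) uncovered, which matches the empty Products cell on slide 30.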
11. Compliance Challenges: Many Systems – Dashboards of Wonder
(Diagram: separate consoles for the Vulnerability Mgmt System, Antivirus System, Firewall, vCenter, IDS System and DLP System.)
13. NSX Service Composer
Security services can now be consumed more efficiently in the software-defined data center.
• Apply. Apply and visualize security policies for workloads, in one place.
• Automate. Automate workflows across different services, without custom integration.
• Provision. Provision and monitor uptime of different services, using one method.
14. Concept – Apply Policies to Workloads
Security Groups: WHAT you want to protect – Members (VM, vNIC…) and Context (user identity, security posture)
HOW you want to protect it – Services (Firewall, antivirus…) and Profiles (labels representing specific policies)
APPLY: Define security policies based on service profiles already defined (or blessed) by the security team. Apply these policies to one or more security groups where your workloads are members.
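The WHAT / HOW / APPLY concept above as an added Python sketch (a model of the idea, not NSX's API or VMware code): security groups with static members and tag-based dynamic membership, policies that bind services to profile labels, and a resolver that shows which services a workload receives once policies are applied to the groups it belongs to. The group, policy, tag and profile names are constructed for the example.

```python
# Added example (a model of the Service Composer concept, not NSX's own API):
# security groups select WHAT to protect, policies say HOW, and applying a
# policy to a group gives every member the policy's services and profiles.
from dataclasses import dataclass, field

@dataclass
class VM:
    name: str
    tags: set = field(default_factory=set)   # context, e.g. a security-posture tag

@dataclass
class SecurityGroup:
    """WHAT to protect: explicit members plus dynamic membership by context tag."""
    name: str
    members: set = field(default_factory=set)   # VM names added statically
    any_tag: set = field(default_factory=set)   # VM joins while it carries any of these

    def contains(self, vm):
        return vm.name in self.members or bool(vm.tags & self.any_tag)

@dataclass
class SecurityPolicy:
    """HOW to protect: service -> profile label, applied to one or more groups."""
    name: str
    services: dict
    applied_to: list

def effective_services(vm, groups, policies):
    """Resolve a VM's group memberships and the services/profiles they imply."""
    member_of = {g.name for g in groups if g.contains(vm)}
    services = {}
    for pol in policies:
        if any(g in member_of for g in pol.applied_to):
            for service, profile in pol.services.items():
                services.setdefault(service, set()).add(profile)
    return member_of, services

def demo():
    """Constructed PCI-zone scenario: membership by tag, quarantine by posture tag."""
    groups = [SecurityGroup("PCI-Zone", members={"web1a"}, any_tag={"pci.in_scope"}),
              SecurityGroup("Quarantine", any_tag={"av.malware_found"})]
    policies = [SecurityPolicy("PCI baseline", {"FW": "pci-segmentation", "AV": "pci-av",
                                                "FIM": "pci-fim", "IPS": "pci-ips"}, ["PCI-Zone"]),
                SecurityPolicy("Contain", {"FW": "isolate-all"}, ["Quarantine"])]
    vms = [VM("web1a"), VM("db1", {"pci.in_scope"}),
           VM("app2", {"pci.in_scope", "av.malware_found"}), VM("dev9")]
    return {vm.name: effective_services(vm, groups, policies) for vm in vms}
```

A workload that later receives the "av.malware_found" tag picks up the containment policy through group membership alone; no policy is edited.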
15. Extend Platform to Best of Breed Services
Properties of virtual services:
• Programmatic provisioning
• Place any workload anywhere
• Move any workload anywhere
• Decoupled from hardware
• Operationally efficient
Software Defined Data Center service categories:
• Anti-Virus (AV), Anti-Malware
• Application Delivery Controller (ADC)
• Application Whitelisting
• Application Firewall
• Data Loss Prevention (DLP)
• Encryption
• File Integrity Monitoring (FIM)
• Firewall (Host/Network)
• Identity and Access Management
• Intrusion Detection/Prevention System (IDS/IPS)
• Load Balancer
• Network Forensics
• Network Gateway (VXLAN)
• Network Port Profile
• Network Switch
• Policy and Compliance Solution
• Security Intelligence and Event Management (SIEM)
• User Access Control (closest to our SAM)
• Vulnerability Management
• WAN Optimizer
• Web Filter
17. Solution Categories
(Diagram columns: Platform (Future NSX Enabled), NSX Extensibility, NSX Enabled, Consumption; provided by VMware & Platform Partner, VMware, NSX Enabled Partner, or VMware + Customer/3rd Party/Open Src.)
• CMP – vCD, vCAC, etc.
• NSX – Service Composer
• Automation – vCO, Scripts, etc.
• API – REST, Java, .NET
• NW Iso – VXLAN, NAT
• Firewall – TCP, Identity
• VPN – IPsec, SSL
• DLP – At Rest, Wire
• Priv User – AAA, Session Recording
• AV – Malware, Whitelist
• FIM – Config Files, Registry
• IPS/IDS – Monitor, Prevent, Report
• Vulnerability – Penetration Testing
• Next Gen FW – App Aware, Fine Grained, App Layer IPS
• Encryption – VMFS, VMDK, OS
• Configuration Management – Patching
• SIEM – Syslog, Event Correlation
• Network Activity Monitoring
• Logging
18. The Network is a Barrier to Software Defined Data Center
Any Physical Infrastructure:
• Provisioning is slow
• Placement is limited
• Mobility is limited
• Hardware dependent
• Operationally intensive
(Diagram labels: Compute Virtualization; Software Defined Data Center; Software-Defined Datacenter Services; VDC.)
19. Network and Security Virtualization Must…
1. Decouple – Hardware independence
2. Reproduce – No change to network from end host perspective
3. Automate – Operational benefits of virtualization
(Diagram labels: Physical / Virtual; Network Operations / Cloud Operations.)
21. Logical Switching and Routing
Before:
• Tightly coupled with physical networks
• Hairpins and bottlenecks reduce performance and scale
With NSX:
• Completely decoupled from hardware
  – Dynamic routing, no Multicast
• Line rate performance with distributed scale out architecture
• Connect existing networks with logical networks – L2 bridging
Benefits:
• Speed of provisioning applications across racks, rows or data centers (up to Metro distances)
• Enable higher server utilization, leverage existing physical network, only require basic IP hardware for future purchases
• Create on demand networks to meet application needs
(Diagram labels: Dynamic Routing; Physical Workload.)
22. Logical Load Balancing
Before:
• Physical appliances are costly and create bottlenecks
• Rigid architectures tie the application down
With NSX:
• Cloud level feature set for SLB and GSLB with full HA
• TSAM with enhanced health checks, connection throttling and CLI
• Simplified Deployment in one-armed or inline mode
Benefits:
• On demand LB services for any application enabling speedy deployment
• Pay as you go model for services
• Manage multiple LB instances with centralized management
(Diagram labels: Logical Network; Web1a, Web1b, Web1c.)
23. Logical VPN
Before:
• VPN Concentrators become bottlenecks and chokepoints
With NSX:
• Per Tenant VPN appliance when needed
• High Performance – hardware acceleration for IPSec and SSL
• Site-2-Site, Client and Cloud VPN extends Corporate LAN
Benefits:
• Network can be extended when needed for different use cases
• No investment needed in large VPN Concentrators upfront
(Diagram label: Public Cloud.)
24. NSX Next Generation Firewall
Before:
• Scale out architecture “bolted-on” to L3 with limited performance
• Limited visibility and control unless hair-pinning (E/W) to L3
• Error prone, static VLANs and IP/port based policies
With NSX:
• Massive scale and line rate performance
• Virtualization and identity context
• Centralized management across entire Datacenter
Benefits:
• Simplified operations – single policy definition
(Diagram: Physical View of Web/App/DB servers and users on “skinny VLANs” versus the VMware Logical View with Business and Virtual Context.)
25. vCenter Infrastructure Navigator Capabilities
Automated discovery and dependency mapping:
• Speedy and accurate discovery and dependency mapping of application services across virtual infrastructure & adjoining physical servers one hop away
• Rapid updates that keep mapping information up-to-date
26. NSX Data Security
Visibility Into Sensitive Data to Address Regulatory Compliance
(Diagram label: Cloud Infrastructure (vSphere, vCenter, vShield, vCloud Director).)
Overview:
• More than 80 pre-defined templates for country/industry specific regulations
• Accurately discover and report sensitive data in unstructured files with analysis engine
• Segment off VMs with sensitive data in separate trust zones
Benefits:
• Quickly identify sensitive data exposures
• Reduce risk of non-compliance and reputation damage
• Improve performance by offloading data discovery functions to a virtual appliance
27. vShield Endpoint Partners
(Diagram: a hardened SVM running AV on VMware vSphere, with Introspection into guest VMs shown as APP / OS / Kernel / BIOS stacks.)
28. vCenter Operations and Log Insight
Machine Data comprises:
• Structured Data – vCenter Operations
• Unstructured Data – Log Insight
Log Insight and vCenter Operations together provide a complete solution for Cloud Operations Management.
29. vCenter Operations Configuration Manager
Harden the VMware Infrastructure
• Harden the configuration for ESX, network, storage, etc.
• Harden the vSphere guest VM settings
• Harden vCD/vCenter settings
Harden the Guest OS
• Physical and Virtual; Desktop and Servers; Win, UNIX, Mac
(Diagram: Virtual Datacenter 1 (PCI – PoS, PCI Zone) and Virtual Datacenter 2 (Non-PCI Zone) on VMware vSphere + vCenter, Cluster A and Cluster B with ESX Hardening; hardening sources: Vendor Hardening Guidelines, CIS Benchmarks, FISMA, HIPAA, SOX, NERC/FERC, NIST, ISO 27002, GLBA, DISA, PCI DSS.)
30. Applicability to PCI Requirements

| PCI Requirement | Products |
|---|---|
| 1 Install/maintain a firewall configuration to protect cardholder data | vSphere, NSX App/Edge, VIN |
| 2 Don’t use defaults for system passwords/security parameters | ESXi, vCenter, VCM, NSX |
| 3 Protect stored cardholder data | NSX, VCM |
| 4 Encrypt transmission of cardholder data on public networks | NSX Edge |
| 5 Use and regularly update anti-virus software or programs | vShield Endpoint + Partners |
| 6 Develop and maintain secure systems and applications | vSphere, NSX, VIN, VCM, VUM |
| 7 Restrict access to cardholder data by business need to know | vSphere, NSX, VCM |
| 8 Assign a unique ID to each person with computer access | ESXi, vSphere, NSX, VCM |
| 9 Restrict physical access to cardholder data | |
| 10 Track and monitor all access to network resources/cardholder data | vSphere, NSX, VIN, VCM, Log Insight |
| 11 Regularly test security systems and processes | VIN, VCM |
| 12 Maintain a policy that addresses information security | |
| A1 Shared hosting providers must protect the cardholder data | vSphere, NSX, vCD, VCM |
31. Competing Concerns – Take All 3!
“Are you getting the maximum efficiency out of your infrastructure?”
“How quickly can IT respond to LOB requests?”
• Legislative Compliance
• Security – Corp Assets & IP
• Risk Reduction
• SLAs & Business Continuity
32. Summary – Key Takeaways
• VMware, its Technology Partners and Audit Partners are working to validate reference architectures pertaining to mainstream regulations
• Guidance is intended to educate SDDC architects, Information Risk personnel and Auditors involved in customer environments
• Best practices for VMware and Technology Partner products, their configurations and usage in order to meet regulatory controls
• VMware Compliance Reference Architectures will evolve to support new versions of products and the regulations themselves
33. VMworld: Security and Compliance Sessions
NSX
• 5318: NSX Security Solutions In Action (201)
• 5753: Dog Fooding NSX at VMware IT (201)
• 5828: Datacenter Transformation (201)
• 5582: Network Virtualization across Multiple Data Centers (201)
NSX Firewall
• 5893: Economies of the NSX Distributed Firewall (101)
• 5755: NSX Next Generation Firewalls (201)
• 5891: Build a Collapsed DMZ Architecture (301)
• 5894: NSX Distributed Firewall (301)
NSX Service Composer
• 5749: Introducing NSX Service Composer (101)
• 5750: NSX Automating Security Operations Workflows (201)
• 5889: Troubleshooting and Monitoring NSX Service Composer (301)
Compliance
• 5428: Compliance Reference Architecture Framework Overview (101)
• 5624: Accelerate Deployments – Compliance Reference Architecture (Customer Panel) (201)
• 5253: Streamlining Compliance (201)
• 5775: Segmentation (301)
• 5820: Privileged User Control (301)
• 5837: Operational Efficiencies (301)
Other
• 5589: Healthcare Customer Case Study: Maintaining PCI, HIPAA and HITECH Compliance in Virtualized Infrastructure (Catbird – Jefferson Radiology)
• 5178: Motivations and Solution Components for enabling Trusted Geolocation in the Cloud - A Panel discussion on NIST Reference Architecture (IR 7904). (Intel and HyTrust)
• 5546: Insider Threat: Best Practices and Risk Mitigation techniques that your VMware based IaaS provider better be doing! (Intel)
34. For More Information…
VMware Collateral
VMware Approach to Compliance
VMware Solution Guide for PCI
VMware Architecture Design Guide for PCI
VMware QSA Validated Reference Architecture PCI
Partner Collateral
VMware Partner Solution Guides for PCI
How to Engage?
compliance-solutions@vmware.com
@VMW_Compliance on Twitter
35. Other VMware Activities Related to This Session
HOL:
• HOL-SDC-1315 – vCloud Suite Use Cases - Control & Compliance
• HOL-SDC-1317 – vCloud Suite Use Cases - Business Critical Applications
• HOL-PRT-1306 – Compliance Reference Architecture - Catbird, HyTrust and LogRhythm
Group Discussions:
• SEC1002-GD – Compliance Reference Architecture: Integrating Firewall, Antivirus, Logging and IPS in the SDDC with Allen Shortnacy