
RSA: Vision of Secure Virtualization and Trusted Cloud

RNDr. Ivan Svoboda, CSc. RSA, The Security Division of EMC

Agenda
- About RSA
- Virtualization and Cloud Computing (definitions)
- RSA / EMC: our experience with cloud
- Virtualization and Cloud: Risks, Security and Compliance
- Virtualization and Cloud: RSA security solutions

Meeting our Customers Challenges

Secure Access for Increased Mobility & Collaboration

Manage Risk and Threats Throughout Enterprise

Prove Compliance Consistently & Affordably

Secure Virtualization & Cloud Computing

How?

How We Do It

System for Managing Security, Risk and Compliance

Governance, Risk & Compliance


Archer eGRC Suite
Policy Management Risk Management Incident Management Compliance Management Enterprise Management

Identity Security
Authentication
SecurID Adaptive Auth Auth. Manager Express

Data Security
Data Loss Prevention
DLP Cisco IronPort Network Partners Endpoint Partners

Access / Provision
Access Manager Federated Identity Mgr

Fraud Prevention
Fraud Action Transaction Monitoring eFraud Network

Encryption & Tokenization


DPM App DPM DC BSAFE Tokenization Microsoft RMS

Monitoring / Audit / Reporting


SIEM
enVision

Network Analysis / Forensics


NetWitness

RSA, The Security Division of EMC

Authentication: 1st
Data Loss Prevention: Leader
Web Fraud Detection: Leader
SIEM: Leader
eGRC: Leader

How We Do It

System for Managing Security, Risk and Compliance

GRC: Risk/ Policy Management

RSA Archer

Analyze / Discover
(Data, Threats)

RSA DLP, FraudAction, NetWitness

Enforce Controls

RSA Encryption, Authentication, Access control, Transaction Monitoring

Log / Report / Audit

RSA enVision

RSA: A Comprehensive Approach to Security


Governance, Risk & Compliance
Archer eGRC Suite
Policy Management Risk Management Incident Management Compliance Management Enterprise Management

Identity Security
Authentication Access / Provision Fraud Prevention

Data Security
Data Loss Prevention Encryption & Tokenization

Network / System Security


Cisco Microsoft VMware

Monitoring / Audit / Reporting


SIEM (enVision) NAV (NetWitness)

Virtualization and Cloud Computing

The Opportunity
Enterprise IT Has Many Challenges
The Public Cloud Has Broad Appeal
Enterprise IT
Complex Expensive Inflexible Siloed

Public Cloud
Simple Low Cost Flexible Dynamic

Infrastructure

Over Time, Enterprise IT Will Evolve Towards Public Cloud Ideals

Copyright 2010 EMC Corporation. All rights reserved.

The Opportunity: The Journey to the Cloud


The Private Cloud is a Logical First Step
Enterprise IT
Trusted Controlled Reliable Secure

Private Cloud

Public Cloud
Simple Low Cost Flexible Dynamic

Infrastructure
70% Will Spend More On Private Cloud through 2012
- Gartner DC Conference 2009


The Opportunity: The Journey to the Cloud


Virtualize Everything, Standardize & Automate
Hybrid Cloud: Utilize Service Provider Infrastructure
Enterprise IT Private Cloud Public Cloud

Virtualization Converged Infrastructure Automation

Federation GRC

Infrastructure-as-a-Service

Infrastructure

Hybrid Cloud


Securing the Journey to The Private Cloud


Chart: three stages of the journey, by percentage virtualized.
- IT Production (15%-30% virtualized): lower costs. Security focus: visibility into virtualization infrastructure, privileged user monitoring, access management, network security.
- Business Production (70%-85% virtualized): improve quality of service. Security focus: security compliance, information-centric security, risk-driven policies, IT and security operations alignment.
- IT-As-A-Service (95% virtualized; Platinum and Gold service tiers): improve agility. Security focus: secure multi-tenancy, verifiable chain of trust.

RSA / EMC: Our Experience with Cloud and Virtualization

RSA / EMC: Our Experience with Virtualization

RSA / EMC: Our Experience with Cloud


We live the cloud

We are on the journey to a private cloud (over 75% virtualized). We use public cloud applications (e.g. CRM). VCE (VMware, Cisco, EMC)

We supply solutions for the cloud:

RSA: security solutions for VCE (Vblock). We deliver security to cloud providers:
Verizon, CSC, AT&T, ...

We provide SaaS solutions:

Adaptive authentication, transaction monitoring, 3D Secure

We have a vision of a secure cloud

We are members of the CSA (Cloud Security Alliance). We have launched the Cloud Trust Authority solution.

EMC ITs Journey to the Private Cloud


Chart: EMC IT's journey to the private cloud, by percentage virtualized (15%, 30%, 40%, 75%, 86% "We are here", 100%).
- 2004-08, IT Production: efficiency; development, test and IT-owned applications.
- 2009-10, Business Production: quality of service; mission-critical applications.
- 2011+, IT-as-a-Service: agility; run IT as a business.

Deliver IT as a Service
Define Service Catalog, Publish to Self-service IT Portal
Policy/SLA-driven Management: Availability 99.99%, Security High, Performance 0.2ms, Cost $500K

Self-Service IT Portal

Application Service Catalogue: VMware vCloud Director

Service Catalog tiers: Platinum, Gold, Silver, Bronze

Infrastructure Service Catalogue: EMC UIM

www.EMC.com/emcit

EMC IT Journey to the Private Cloud: A Practitioner's Guide


http://www.emc.com/collateral/software/white-papers/h7298-it-journey-private-cloud-wp.pdf


What do others recommend?


US Government CIO (Kundra):

25% of Fed IT Spend on Cloud Services

NIST:
Guidelines on Security and Privacy in Public Cloud (800-144 Draft)

Cloud Security Alliance:

Cloud Assessment Initiative

Fraud-as-a-Service running in cloud


Trojans as a Service

Virtualization and Cloud Computing: Security and Compliance Issues

Main Changes on the Journey to the Cloud

Enterprise IT
Trusted Controlled Reliable Secure

Private Cloud

Public Cloud
Simple Low Cost Flexible Dynamic

Virtualization
Infrastructure

Trust (Private Cloud: Availability 99.99%, Security High, Performance 0.2ms, Cost $500K)

Main Changes on the Journey to the Cloud: Step 1

Oversight (SIEM, DLP, GRC, ...)
DMZ

Virtualization security / private cloud

Virtual Datacenter 1
PCI HIPAA

Virtual Datacenter 2
Test Dev

Network security, physical security

Company A: DMZ, HR, ERP

FW, AV, IDS, IPS, VPN, AAA, ...

Main Changes on the Journey to the Cloud: Step 2

Trust (Trust = Visibility + Control)

Cloud security

Oversight (SIEM, DLP, GRC, ...)

DMZ PCI

Virtualization security / private cloud

Virtual Datacenter 1
HIPAA

Virtual Datacenter 2
Test Dev

Network security
Company A

FW, AV, IDS, IPS, VPN, AAA, ...

Physical security

DMZ HR

ERP

Main Changes on the Journey to the Cloud: Trust = SLA?

Enterprise IT

Private Cloud

Public Cloud

Virtualization
Infrastructure

Trust = SLA? (Private Cloud: Availability 99.99%, Security High, Performance 0.2ms, Cost $500K)

Examples: Security at SalesForce.Com

Examples: Security at Google

Examples: Security at Cloud - examples

Does XXXX give third parties access to my organization's data?


XXXX does not share or reveal private user content such as email or personal information with third parties except as required by law, on request by a user or system administrator, or to protect our systems. These exceptions include requests by users that XXXX support staff access their email messages in order to diagnose problems; when XXXX is required by law to do so; and when we are compelled to disclose personal information because we reasonably believe it's necessary in order to protect the rights, property or safety of XXXX , its users and the public.

Enabling Trust in the Cloud

Enterprises

Cloud Service Providers

Security & Compliance Visibility & Reporting Identities Information Workload

Private Cloud

Hybrid Cloud

Public Cloud

https://cloudsecurityalliance.org/

Examples: CSA questions (1)


Areas covered: Compliance - Independent Audits; Compliance - Third Party Audits; Data Governance - Secure Disposal; Data Governance - Information Leakage; Data Governance - Risk Assessments

- Do you allow tenants to view your SAS70 Type II/SSAE 16 SOC2/ISAE3402 or similar third party audit reports?
- Do you permit tenants to perform independent vulnerability assessments?
- Do you support secure deletion (ex. degaussing / cryptographic wiping) of archived data as determined by the tenant?
- Do you have controls in place to prevent data leakage or intentional/accidental compromise between tenants in a multi-tenant environment?
- Do you have a DLP solution in place for all systems which interface with your cloud service offering?
- Do you provide security control health data in order to allow tenants to implement industry standard Continuous Monitoring (which allows continual tenant validation of your physical and logical control status)?

Examples: CSA questions (2)


Areas covered: Information Security - Baseline Requirements; Information Security - Segregation of Duties; Information Security - Encryption Key Management; Information Security - Incident Management; Information Security - Incident Reporting

- Do you have documented information security baselines for every component of your infrastructure (ex. hypervisors, operating systems, routers, DNS servers, etc.)?
- Do you have a capability to continuously monitor and report the compliance of your infrastructure against your information security baselines?
- Do you provide tenants with documentation on how you maintain segregation of duties within your cloud service offering?
- Do you encrypt tenant data at rest (on disk/storage) within your environment?
- Do you maintain key management procedures?
- Do you publish a roles and responsibilities document specifying what you vs. your tenants are responsible for during security incidents?
- Do you have a DLP solution in place for all systems which interface with your cloud service offering?
- Does your security information and event management (SIEM) system merge data sources (app logs, firewall logs, IDS logs, physical access logs, etc.) for granular analysis and alerting?

Our Customers Are Asking Themselves

- Can I ensure my virtualized business-critical applications are running in a secure and compliant environment?
- How do I centrally manage compliance across mixed VMware and physical IT environments?
- Can I respond more quickly to security events in my virtual environment?
- How do I begin to assess hybrid and public cloud service providers?

Virtualization and Cloud Computing: RSA Security and Compliance Solutions

Is it secure? And is it compliant?
The usual answer from IT operations: YES!

We take security very seriously. We have implemented lots of firewalls, ... We comply with the laws ... We have passed an audit.

Can you see inside?
Where your data is, who accessed it, what happened

Can you measure compliance?

What is the current reality (technical configuration)? What exactly is/is not fulfilled?

Can you prove/report it?

Securing the Journey to The Cloud


Chart: three stages of the journey, by percentage virtualized.
- IT Production (15%-30% virtualized): lower costs. Security focus: visibility into virtualization infrastructure, privileged user monitoring, access management, network security.
- Business Production (70%-85% virtualized): improve quality of service. Security focus: security compliance, information-centric security, risk-driven policies, IT and security operations alignment.
- IT-As-A-Service (95% virtualized; Platinum and Gold service tiers): improve agility. Security focus: secure multi-tenancy, verifiable chain of trust.

Security of Virtual and Cloud Environments

VMware: network security
vShield, vCloud Director: virtual firewalls, application protection, ...

RSA: oversight, compliance
SIEM, DLP, GRC, authentication, ... (enVision, DLP, Archer, SecurID, ...)

RSA Solution Suite (Not Only) for Virtual Environments


Identity protection, access control
Strong two-factor and multi-factor authentication for users and administrators

Protection of sensitive data against leakage (DLP)
On storage, on the network, on virtual desktops

Security monitoring of the entire virtualized infrastructure
A complete SIEM solution fulfilling the role of a Security Operations Center

Audit and assurance of compliance with legislation and internal regulations
Measuring/demonstrating compliance: VMware (virtual and physical infrastructure, private cloud); Cloud (compliance according to the CSA)

RSA Solution Suite (Not Only) for Virtual Environments


Compliance (GRC)
Archer eGRC Suite

VMware

Cloud

Identity Security
Authentication Access / Provision Fraud Prevention

Data Security
Data Loss Prevention Encryption & Tokenization

Monitoring / Audit / Reporting


SIEM (enVision)

RSA Solution for VMware View (validated with Vblock)

Components (VMware Infrastructure, VMware vCenter, VMware View Manager, Active Directory, Clients):
- RSA SecurID for remote authentication
- RSA SecurID for ESX Service Console and vMA
- RSA DLP for protection of data in use
- RSA enVision log management for VMware vCenter & ESX(i), VMware View, RSA SecurID, RSA DLP, Active Directory
- RSA Archer Compliance Dashboard

RSA Solution Suite (Not Only) for Virtual Environments



Visibility and Monitoring: RSA enVision


Consolidated event log management, analysis, and reporting

Allows for cross-environment correlation

Collects logs from the VMware stack


VMware vShield VMware vCenter VMware ESX/ESXi VMware View Manager VMware vCloud Director

VMware Collector for RSA enVision leverages VMware APIs


Can pull logs from multiple vCenters!

RSA enVision

Use Case Scenarios

Protecting Management Console

Applying Patch to Production System

Lost Laptop

Unauthorized Administrator

Scenario

Apply Patch to Production System - Before


Production Datacenter
HR Application Server VM
PATCH

Test Environment
HR Application Server VM
PATCH

HR Database Server VM
HRDB
Name, SSN, DoB, etc

HR Database Server VM
HRDB
Name, SSN, DoB, etc

A common way to try out patches is to apply them in a test environment. This is difficult and time-consuming in a production environment, but very easy in a virtual environment: in a virtual world you can clone the system, data and all.
1. Clone the VM
2. Test the patch
3. Apply the patch to the production environment
Questions this raises:
- Is this an authorized procedure?
- Is the test environment sufficiently protected & controlled?
- Who accessed the data in the test environment?
- Was the test environment destroyed after it was used?

Scenario

Apply Patch to Production System - After


Production Datacenter
HR Application Server VM
PATCH

Test Environment
HR Application Server VM
PATCH

HR Database Server VM
HRDB
Name, SSN, DoB, etc

HR Database Server VM
HRDB
Name, SSN, DoB, etc

1. Clone the VM (VM Cloned)
2. Test the patch (Patch Applied)
3. Apply the patch to the production environment (Patch Applied); test VM Deleted

RSA enVision can log the administrative activity from vCenter, like the VM being cloned. If the test environment is properly protected, then it will also be monitored by RSA enVision. If this is out of policy we can alert a security analyst.
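As an added illustration (not from the deck, and not RSA enVision's rule language or vCenter's real event format), the following Python evaluates the scenario's questions against a constructed set of vCenter-style administrative events: was the production VM cloned by an authorized user, who accessed the clone, and was the clone destroyed within the allowed lifetime. The event layout, user names, VM names and policy values are all assumptions for this example.

```python
"""Policy checks over constructed vCenter-style admin events (added example)."""
from datetime import datetime, timedelta

# Constructed sample events for the patch-testing scenario. The record layout
# is an assumption for this example, not enVision's or vCenter's real format.
SAMPLE_EVENTS = [
    {"time": "2011-03-01T09:00:00", "type": "VmCloned", "user": "vi-admin\\alice",
     "vm": "hr-db-prod", "target": "hr-db-test"},
    {"time": "2011-03-01T09:05:00", "type": "VmCloned", "user": "vi-admin\\alice",
     "vm": "hr-app-prod", "target": "hr-app-test"},
    {"time": "2011-03-01T10:30:00", "type": "ConsoleAccess", "user": "dev\\bob",
     "vm": "hr-db-test"},
    {"time": "2011-03-01T11:00:00", "type": "VmRemoved", "user": "vi-admin\\alice",
     "vm": "hr-app-test"},
]
SAMPLE_NOW = "2011-03-01T15:00:00"  # time at which the check is evaluated

# Assumed policy: who may clone production VMs, who may touch the clone,
# and how long a clone holding production data (Name, SSN, DoB) may live.
POLICY = {
    "production_vms": {"hr-db-prod", "hr-app-prod"},
    "clone_authorized": {"vi-admin\\alice"},
    "test_access_authorized": {"vi-admin\\alice"},
    "max_clone_lifetime": timedelta(hours=4),
}


def analyze(events, policy, now_iso):
    """Return sorted (rule, vm, detail) alerts for the scenario's questions:
    authorized procedure? who accessed the clone? was the clone destroyed?"""
    now = datetime.fromisoformat(now_iso)
    alerts = []
    live_clones = {}  # clone name -> (source production VM, clone time)
    for e in sorted(events, key=lambda r: r["time"]):
        t = datetime.fromisoformat(e["time"])
        if e["type"] == "VmCloned" and e["vm"] in policy["production_vms"]:
            live_clones[e["target"]] = (e["vm"], t)
            if e["user"] not in policy["clone_authorized"]:
                alerts.append(("UNAUTHORIZED_CLONE", e["target"], e["user"]))
        elif e["type"] == "ConsoleAccess" and e["vm"] in live_clones:
            if e["user"] not in policy["test_access_authorized"]:
                alerts.append(("UNAUTHORIZED_TEST_ACCESS", e["vm"], e["user"]))
        elif e["type"] == "VmRemoved":
            live_clones.pop(e["vm"], None)  # clone destroyed: stop tracking it
    # Any clone of production data still alive past its allowed lifetime.
    for clone, (source, t) in live_clones.items():
        if now - t > policy["max_clone_lifetime"]:
            alerts.append(("STALE_PROD_CLONE", clone, source))
    return sorted(alerts)


if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS, POLICY, SAMPLE_NOW):
        print(*alert)
```

With the sample data, the hr-app-test clone was deleted in time and raises nothing, while hr-db-test was opened by an unlisted user and is still alive six hours after cloning.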

RSA enVision

Use Case: Monitoring events in the virtual datacenter

RSA Solution Suite (Not Only) for Virtual Environments



Use Case: Reducing Risk of VM Theft


RISK
Securing virtual infrastructure is often a check list of best practices. Hardening a VMware environment is complex and difficult to verify. What can I do to limit the risk of VM theft from my datacenter? Preventative steps that limit access to VM files are needed, such as:
- Disable Datastore Browser
- Limit storage user access
- Limit use of the service console
- Use the least-privileged role concept for system and data access

Use Case: Reducing Risk of VM Theft


SOLUTION
- Archer has built-in control procedures to check for VM file access and other best practices
- From a centralized console, security and IT ops can easily see if controls enforce policy
- The solution identifies VMware devices, assesses configuration status, and informs the responsible administrator
- enVision monitors to ensure security events are not disrupting the compliance posture
Results: Security and compliance best practices directly aligned with regulations and company policies are implemented and verified

Cycle of Compliance: RSA Solution for Cloud Security and Compliance


Discover VMware infrastructure Define security policy
Over 100 VMware-specific controls added to Archer library, mapped to regulations/standards

RSA Securbook

Manage security incidents that affect compliance


RSA Archer eGRC

Manual and automated configuration assessment


Solution component automatically assesses VMware configuration and updates Archer

RSA enVision collects, analyzes and feeds security incidents from RSA, VMware and ecosystem products to inform Archer dashboards

Remediation of non-compliant controls

Mapping VMware Security Controls to Regulations and Standards

Authoritative Source Regulations (PCI-DSS, etc.)


10.10.04 Administrator and Operator Logs

CxO
RSA Archer eGRC

Control Standard Generalized security controls


CS-179 Activity Logs system start/stop/config changes etc.

Control Procedure Technology-specific control


CP-108324 Persistent logging on ESXi Server

VI Admin

Distribution and Tracking Control Procedures

Security Admin Server Admin

Project Manager
RSA Archer eGRC

Network Admin VI Admin

RSA Solution for Cloud Security and Compliance

Automated Measurement Agent

VI Component Discovery and Population

VI Configuration Measurement

VMware-specific Controls

alerts RSA Archer eGRC

RSA enVision


VMware compliance: live demo


Control Procedures List, Status and Measurement Method

Control Procedures List, Status and Measurement Method

Compliance Dashboard across Physical and Virtual

RSA Solution Suite (Not Only) for Virtual Environments



Making Archer the Best GRC Solution for Hybrid Clouds

- Cloud Architecture
- Governance and Enterprise Risk Management
- Legal and Electronic Discovery
- Compliance and Audit
- Information Lifecycle Management
- Portability and Interoperability
- Security, Business Continuity, and Disaster Recovery
- Data Center Operations
- Incident Response, Notification, Remediation
- Application Security
- Encryption and Key Management
- Virtualization
- Identity and Access Management

Assessing Service Provider Compliance


RSA Solution for Cloud Security and Compliance aligns with CSA Consensus Assessment Questions by automating 195 questions that customers can issue to assess cloud service providers.

Cloud Security Alliance's 13 domains of focus for cloud computing

CSA Assessment Questionnaire in Archer

Use Case: Assessing Cloud Service Providers


RISK: Choosing the wrong service provider

Results: Benchmarking vendors based on CSA standards

Creating the Trusted Cloud

Trust = Visibility + Control


Control: Availability, Integrity, Confidentiality (Private Cloud: Availability 99.99%, Security High, Performance 0.2ms, Cost $500K)

Visibility: Compliance, Governance, Risk Management

Main Changes on the Journey to the Cloud

Enterprise IT

Private Cloud

Public Cloud: Cloud provider A, Cloud provider B, Cloud provider C, Cloud provider D

Virtualization
Infrastructure

Trust = SLA? (Private Cloud: Availability 99.99%, Security High, Performance 0.2ms, Cost $500K)

RSA Cloud Trust Authority


Identity Services Compliance profiling


RSA Solutions for Security and Compliance

Can you see inside?

Where your data is, who accessed it, what happened

Can you measure compliance?

What is the current reality (technical configuration)? What exactly is/is not fulfilled?

Can you prove/report it?

More Information
- Information about RSA solutions for virtualization and cloud: www.rsa.com/rsavirtualization
- Introductory demo: http://www.rsa.com/experience/virtual/RSA_Virtual_Journey.html
- Solutions for VMware: http://www.rsa.com/node.aspx?id=3684
- Solutions for Cloud (again built on virtualization): http://www.rsa.com/node.aspx?id=1130
- Solutions for VMware View: http://www.rsa.com/node.aspx?id=1334

RSA SecurBook: Cloud Security and Compliance


www.rsa.com/rsavirtualization A technical guide for deploying and operating RSA Solution for Cloud Security and Compliance

Documents solution architecture Solution deployment and configuration guides Operational guidance for effectively using the solution Troubleshooting guidance


More Information
www.rsa.com/rsavirtualization RSA SecurBooks Technical guides for deploying and operating RSA Solutions

EMC Solutions for VMware Webcasts - every Thursday at 11:00 AM ET. Join us for Webcasts:
http://mediazone.brighttalk.com/comm/ISC2/a7082f81e6-17335-2838-18812

Questions/Feedback/Discussion
RSA Contacts: Ivan Svoboda: Key Account Manager ivan.svoboda@rsa.com + 420 604 293 394


www.rsa.com/securecloud

Thank you!
