LDT1720BE Securing the Hybrid Cloud (Agility vs. Control)

  • Craig Savage, Paul Wiggett

    LDT1720BE

    #VMworld #LDT1720BE

    Securing the Hybrid Cloud (Agility vs. Control)

    VMworld 2017 Content: Not for publication or distribution

  • Disclaimer

    This presentation may contain product features that are currently under development.

    This overview of new technology represents no commitment from VMware to deliver these features in any generally available product.

    Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind.

    Technical feasibility and market demand will affect final delivery.

    Pricing and packaging for any new technologies or features discussed or presented have not been determined.

    #LDT1720BE CONFIDENTIAL

  • Overview

    Consider the perspectives

    General Security and Governance Considerations

    Key control areas

  • Perspectives

  • Agility for whom?

    Management?

    Consumers?

    Service Teams?

    Platform Teams?

  • So what are these controls?

    Overview of general security and governance considerations for large scale hybrid cloud deployments

    Data protection: UK Data Protection Act, GDPR, POPI, etc.

    Security standards: ISO27000

    Regulation and industry-specific security requirements: banking regulation, pharmaceutical regulation, PCI-DSS, etc.

  • Key control areas

    Not always what you might think!

    Technology control points: coming up in detail next

    Process control points: consider the points where data/code comes into and exits your environment, Cloud for Dev and Cloud for Production; access control for the environments

    People controls: knowledge, knowledge, knowledge! Make sure people know what they are doing. What you measure is what you get, so revise objectives and ways of working

    Cultural considerations: quick response requires openness and honesty. Move from CYA to CYBusiness

  • How do we do this then?

    User Access Management

    Product Hardening

    Vulnerability Scanning

    Security Event Monitoring

  • Standard VMware Cloud Roles

    Cloud Infrastructure Services Team: Cloud Infra Service Owner, Cloud Infra Service Architect, Cloud Infra Service Engineer, Cloud Infra Service Analyst, Cloud Infra Service Administrator, Cloud Infra Service Developer

    Cloud Service Team: Service Owner, Service Architect, Service QA, Service Analyst, Service Administrator, Service Developer

    Portfolio Management Team: Cloud Business Manager, Portfolio Manager, Policy / Blueprint Manager, Business Relationship Manager

  • User Access Management

    Key Guidelines

    God Mode should not be granted to anyone on a permanent basis

    Service accounts must be tightly controlled

    Segregation of duties: grant just enough privilege to perform the daily role

    Some personas to use as a starting point:

    Super Admin (God Mode): only in an emergency

    Admin (Privileged: Incident/Change; no Security Administration)

    Security Admin (maintaining product security permissions ONLY)

    Operator (daily tasks)

    User (read only)

    Use default product roles as a starting point. A large number of customised roles is a nightmare to operate and maintain

    Perform detailed mapping to your Cloud teams

  • Product Hardening

    Don't reinvent the wheel: https://www.vmware.com/uk/security/hardening-guides.html

    NSX

    vSphere

    vRealize Automation

    vRealize Operations

    These actions have mostly already been performed on appliance-based deployment methods

    Measure Hardening Compliance in vRealize Operations

  • Vulnerability Scanning

    VMware uses a number of techniques throughout the software development cycle to improve the security of its products. These standard techniques include:

    Threat Modeling

    Static Code Analysis

    Penetration Testing using both internal and external security expertise

    Incident Response Planning

    Member of BSIMM, SAFECode, CII

    Sign up for product security advisories: https://www.vmware.com/security/advisories.html

  • Vulnerability Scanning (Best Practice)

    Use a scanning tool that supports scanning without credentials

    Scanning with user-created credentials potentially violates VMware support conditions

    It is not supported to modify VMware virtual appliances (vCSA, vROPS, etc.), including adding service accounts or packages

    Any modifications could also be lost in product upgrades

    Test initial vulnerability scans on a small subset of your non-production clusters/hosts

    Some tools have been known to cause outages during scans

    VMware will act on any vulnerabilities you find through tooling scans and subsequently report to us

    https://www.vmware.com/support/policies/security_response.html

  • Security Event Monitoring

    Well-designed Security Event Monitoring should pre-emptively detect and report on all events that may impact the security level of a cloud management system.

    As a minimum the following should be tracked:

    Log on and access to files/programs using privileged accounts

    Log on using normal user accounts

    System start-up and stop

    I/O device attachment/detachment

    Unauthorized access attempts

    Log deletion and modification

    Account creation and deletion

    Unavailability of system or key services
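As an added example (not from the slides or any VMware tooling), a small Python check that maps constructed syslog-style lines onto the minimum categories above and reports which categories have no evidence at all; the line format, hostnames and the privileged-account list are assumptions.

```python
import re

# Constructed syslog-style sample lines; the format is an assumption, not real product output.
SAMPLE_LOG = """\
2017-08-28T09:00:01Z vcsa01 sshd: Accepted password for root from 10.0.0.5
2017-08-28T09:00:05Z vcsa01 vpxd: user=jsmith@corp.local action=login result=success
2017-08-28T09:01:10Z esx02 hostd: user=mallory action=login result=denied reason=bad-password
2017-08-28T09:02:00Z esx02 vmkernel: USB device attached to host
2017-08-28T09:03:30Z vcsa01 sso: account=svc-backup action=created by=administrator@vsphere.local
2017-08-28T09:04:00Z esx02 hostd: audit log /var/log/hostd.log truncated by user=root
2017-08-28T09:05:00Z vrops01 watchdog: service=vrops-api state=unavailable
"""

# Accounts treated as privileged (assumption for the sample environment).
PRIVILEGED = {"root", "administrator@vsphere.local"}

# The minimum event categories from the slide, in slide order.
REQUIRED = ["privileged logon", "user logon", "system start/stop", "device attach/detach",
            "unauthorized access", "log tampering", "account lifecycle", "service unavailable"]

# One pattern per category over the constructed format. A successful logon is split into
# privileged/user by the account it names, so that rule carries a named group.
RULES = [
    ("logon", re.compile(r"(?:Accepted \w+ for |user=)(?P<user>\S+).*?(?:\bfrom\b|result=success)")),
    ("system start/stop", re.compile(r"\b(?:boot|startup|shutdown|halt)\b", re.I)),
    ("device attach/detach", re.compile(r"\bdevice (?:attached|detached)\b", re.I)),
    ("unauthorized access", re.compile(r"result=denied|authentication failure", re.I)),
    ("log tampering", re.compile(r"\b(?:audit )?log\b.*\b(?:deleted|truncated|modified)\b", re.I)),
    ("account lifecycle", re.compile(r"account=\S+ action=(?:created|deleted)")),
    ("service unavailable", re.compile(r"service=\S+ state=(?:unavailable|stopped)")),
]


def classify(line):
    """Return the set of required categories that one log line evidences."""
    found = set()
    for name, rx in RULES:
        m = rx.search(line)
        if not m:
            continue
        if name == "logon":
            found.add("privileged logon" if m.group("user") in PRIVILEGED else "user logon")
        else:
            found.add(name)
    return found


def coverage(log_text):
    """Map each required category to its evidence lines and list categories with none."""
    seen = {cat: [] for cat in REQUIRED}
    for line in log_text.splitlines():
        for cat in classify(line):
            seen[cat].append(line)
    return seen, [cat for cat in REQUIRED if not seen[cat]]
```

Run `coverage(SAMPLE_LOG)` to see that the sample feed never evidences "system start/stop", which is the gap a minimum-tracking review should surface before the feed is declared complete.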


  • Security Event Monitoring

    Enter vRealize Log Insight

    The Log Insight agent is now supported and included on most GA product virtual appliances

    A large number of content packs with targeted security dashboards out of the box

    Conditional event forwarding to upstream log consolidation tools such as a SIEM or Splunk

    Archive logs for long-term auditing


  • Summary

    See the clouds from above

  • In conclusion

    Transform your way of working

    Technology control points: understand the business requirement, match it to the security/governance requirements and implement controls only where necessary

    Process control points: differentiate between Mature IT and Cloud processes, combine where possible; constantly review your cloud processes, optimize often and focus on delivering managed speed

    People controls: train and develop, operating at speed requires focus and discipline; incentivize stability in Mature IT, speed of execution in the Cloud

    Cultural considerations: must be led top down, encourage senior management to be part of the change; Cover Your Business, it's a team effort now


  • Thank you

    Craig Savage, Operations Architect, VMware, savagec@vmware.com, @craig_savage

    Paul Wiggett, Technical Operations Architect, VMware, pwiggett@Vmware.com, @mrporcles