#vmworld
Taming Security with Tools: Making Compliance a Reality
Brad Doctor, VMware, Inc.
Craig Savage, VMware, Inc.
LDT1719BU
#LDT1719BU
VMworld 2018 Content: Not for publication or distribution
Disclaimer
©2018 VMware, Inc.
This presentation may contain product features or functionality that are currently under development.
This overview of new technology represents no commitment from VMware to deliver these features in any generally available product.
Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind.
Technical feasibility and market demand will affect final delivery.
Pricing and packaging for any new features/functionality/technology discussed or presented have not been determined.
Security Needs to Be Synonymous with Simplicity
Agenda
• Introductions: Who are these two people?
• What tools should be tamed? And which should we let go free
• Case study – VMware: How we’ve transformed our Information Security
• How to best use your VMware tools: Keeping it simple and successful
• Wrap up: Consider how you’ll use these insights
What Does Brad Do?
Brad Doctor (CISSP): Innovative security professional with over 20 years of experience. As the Sr. Director of Security Architecture and Engineering, currently for VMware and previously for Level 3 Communications, I have been at the forefront of cloud security architecture for nearly 10 years and have led design efforts for several commercially available security products. With nearly 20 patents in various technology domains, I not only lead, I innovate and influence the cloud security industry.
What Does Craig Do?
Craig Savage (CISSP): Craig has been an Enterprise Architect and Governance, Risk and Compliance consultant for VMware and previously Accenture, Airbus and Capgemini. Based in the UK, Craig has worked with many VMware customers helping them adopt a service driven culture, enhancing working practices and making best use of VMware technologies.
Diagram: People, Process, Technology
Taming Tool Sprawl: Enabling clarity
Struggling to Transform
• Operations teams are so reactive that there’s little time for innovation
• Operational practices are hugely complex and based on legacy IT
• Siloed organization inhibiting effective communication and collaborative working
• Can’t respond quickly enough to meet changing needs of the business
• Lack of trust in InfoSec’s ability to deliver high quality, cost-transparent services
• Trouble achieving or hesitant to even offer SLAs
The Scale of IT Security Tools
Case Study: The VMware Journey
Applying the 5 pillars of cyber hygiene at VMware
Snapshot of our Internal Infrastructure (IT-managed environment)
• Offices and Data Centers: 9 and 117
• Avg. No. of VMs Created & Deleted Weekly: 1,000,000
• VMware ESXi Hosts: 6,000
• Avg. No. of Containers Created & Deleted Weekly: 130,000
• Apps Micro-segmented Using VMware NSX: 55
• Production Apps in VMware Cloud on AWS: 3
• VMware vSAN Raw Storage: 10.3PB
• Devices Managed by AirWatch: 73,000
This Is Where We Are Today
What Are the Five Pillars of Cyber Hygiene?
Pillar 1: Micro-segmentation
Diagram: App spanning Data center, Cloud, Branch office and IoT
• Abstract networking and security from the underlying infrastructure
• All new environments are micro-segmented
• Moving toward NSX-T
• Traffic rules are bidirectional
• Existing environments are transitioned to NSX on a regular basis
Pillar 2: Patching
• All production systems are patched on a regular basis
• All systems are scanned on a regular basis
• Patching metrics are reported at CIO level
• Extensive automation is in place to make the process easier
Pillar 3: Encryption
• All managed user devices are encrypted
• All traffic served to the world is encrypted
• All WAN links are encrypted
• All cloud-hosted data is encrypted
Pillar 4: Multi-factor Authentication
• All access to VMware networks requires MFA, with no exceptions
• Certificates are pushed to managed endpoints and are used to access Workspace ONE, Wi-Fi, etc.
• VMware Identity Manager (vIDM) is location-aware and tailors the authentication experience accordingly
• Working toward eliminating passwords and employing a 'Push' authentication model
Pillar 5: Least Privilege
01 Employ and govern well-defined roles across the infrastructure
02 Use 'sudo' or a similar privilege escalation mechanism
03 Log all privileged operations and employ systems that automatically look for anomalies
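One way to act on the third item, as an added example that is not from the deck: a small Python check that parses sudo's standard syslog records and reports privileged operations that fall outside the role each user was given. The roles, users and log lines are constructed for illustration; the only real format relied on is sudo's default log line.

```python
import re

# Constructed role model (an assumption, not from the slides): each role is an
# allowlist of command prefixes that sudo should grant, nothing more.
ROLES = {
    "webops": ("/usr/bin/systemctl restart nginx", "/usr/bin/journalctl"),
    "dba":    ("/usr/bin/systemctl restart postgresql", "/usr/bin/pg_dump"),
}
USER_ROLE = {"alice": "webops", "bob": "dba"}
# An unrestricted root shell defeats the role model whoever runs it.
SHELLS = ("/bin/bash", "/bin/sh", "/usr/bin/su", "/bin/su")

# sudo's default syslog record; "command not allowed ;" appears when sudoers denied it.
SUDO_RE = re.compile(
    r"sudo:\s+(?P<user>\S+) : (?P<denied>command not allowed ; )?"
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+)$"
)

def classify(line):
    """Return (user, reason, cmd) if the sudo record is anomalous, else None."""
    m = SUDO_RE.search(line)
    if not m:
        return None                      # not a sudo command record, ignore
    user, cmd = m["user"], m["cmd"].strip()
    if m["denied"]:
        return (user, "denied by sudoers policy", cmd)
    role = USER_ROLE.get(user)
    if role is None:
        return (user, "no role defined", cmd)
    if any(cmd == s or cmd.startswith(s + " ") for s in SHELLS):
        return (user, "interactive root shell", cmd)
    if not any(cmd.startswith(p) for p in ROLES[role]):
        return (user, f"outside role '{role}'", cmd)
    return None

def find_anomalies(lines):
    return [a for a in map(classify, lines) if a]

# Constructed sample log lines in sudo's default syslog format.
SAMPLE = """\
Jun  3 10:15:02 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Jun  3 10:16:40 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
Jun  3 10:20:11 db01 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/pg_dump prod
Jun  3 10:21:05 db01 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Jun  3 10:22:30 db01 sudo:    carol : command not allowed ; TTY=pts/2 ; PWD=/tmp ; USER=root ; COMMAND=/usr/bin/apt install tcpdump
Jun  3 10:23:00 db01 sshd[1234]: Accepted publickey for bob from 10.0.0.5 port 50000 ssh2
""".splitlines()

if __name__ == "__main__":
    for user, reason, cmd in find_anomalies(SAMPLE):
        print(f"{user:8} {reason:26} {cmd}")
```

In practice the role allowlist would be generated from the same source that produces the sudoers rules, so that a divergence between what sudoers permits and what the role is meant to permit shows up as an anomaly rather than going unnoticed.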
KPIs That Point Toward a Successful Transformation: Everything is measurable – what are the goals?
• Patching metrics – all critical patches applied within 24 hours of release, or less
• Percentage of encrypted devices – 99% is the goal – eliminate legacy OS wherever possible
• Percentage of applications managed by an IGA – ensure offboarding is performed immediately or as defined, reliably
• Micro-segmented by default – define the good rather than just try to prevent the bad
• MFA by default – all external network access must be MFA. Eliminate the use of 1FA!
• Reduce your dwell time – from days to hours, to minutes
Making InfoSec @ VMware a Success: Making it easy for the end user
• People – invest in your people; a happy and well performing team gets more done
• Process – make it easy for users to be secure!
• Technology – rationalize, use existing investments, focus on simplicity
Using Your VMware Advantage: AirWatch, NSX, Wavefront and others
NSX - On-Demand Micro-segmentation: Logical segmentation around application boundaries
Diagram: Perimeter firewall and inside firewall in front of DMZ, App, Services and DB tiers (App 1, App 2, App 3; shared services AD, NTP, DHCP, DNS, CERT)
Operationally infeasible and cost prohibitive with traditional firewalls
• Security is shrink-wrapped around each workload
• Firewall rules are enforced at the vNIC level: “micro trust zone” for each workload
• Threats are not able to infiltrate other applications and exfiltrate data to the outside
Wavefront: Integrating PKS (and others) into your enterprise security
Analytics Within VMware Products Today
• vRealize Log Insight: Intelligent log management and analytics.
• Log IQ: SaaS-based intelligent log management and analytics.
• Wavefront: SaaS-based metrics monitoring and analytics platform that handles the high-scale requirements of modern cloud-native applications.
• Apteligent/Workspace ONE Intelligence: Mobile application performance and engagement insights such as predictive modeling of the end-user environment and automated anomaly detection and remediation.
• Skyline: Proactive support technology that brings high-performing technology and tools to the workbench to radically transform customer support.
• vSAN: The first product to build an analytics feature on top of telemetry data and deliver operational value to customers through a customer-facing UI and support channel.
• vRealize Operations: Intelligent IT operations management from applications to infrastructure with dynamic thresholds and capacity planning.
The Shift in Operational Risk (courtesy of (ISC)2)
Traditional resilience measures are becoming obsolete at a rapid rate, leaving companies without the ability to actively monitor for security incidents and/or understand how to cope with the dynamic infrastructure and scale they are developing as they move over to cloud infrastructures. Operational requirements are shifting with digital transformation, and companies are asking not just how do we get more skilled talent, but also how does the team need to evolve?
Making Simplicity Happen: Helping establish core IT Transformation building blocks
• People – Establish an organisation and teams capable of operating the core solution elements as well as being able to start managing the defined service through its entire lifecycle (Operational Readiness)
• Service-Driven Implementation – Collaboratively work with your team and your business units to define the initial service supporting the identified app migration candidates and how this service will be presented and delivered
• Process – Remove process barriers and gaps to establish efficiency gains and operational improvement by means of automation
• Technology – Work closely with technical delivery teams to ensure success in designing and implementing the initial defined service
• Everyone is responsible – Information security is everyone’s responsibility, from IT architects designing new infrastructure to system administrators.
Q/A
PLEASE FILL OUT YOUR SURVEY. Take a survey and enter a drawing for a VMware company store gift card.
THANK YOU!