
Securing the Private Cloud - Cisco - Global Home Page administrator Virtualization •Visibility into external service providers •Secure multi-tenancy concerns •Trustworthiness


Securing the Private Cloud

Franz Kasparec PMP MBCI CISSP

EMC vSpecialist Sales – Business Development Manager EMEA East


The Aspects of Security

Confidentiality

• My data is kept secret.

Integrity

• My data is not compromised.

Availability

• My data is there when I need it.

PLUS: Compliance

• Regulations must be followed as part of due care. E.g.

• Preventive/detective controls

• No cross-border data transfer

• ISO 27001 et al. certifications


Where Is the Enemy?

Outside? Do computing clouds have a perimeter to secure?

Inside? Or do we need to be information-centric?


What Else Makes Cloud Special?

• Consolidation of IT infrastructure on top of a new software layer below the OS layer

• A vantage security enforcement point

Diagram labels (virtual host): Apps | Guest OS | Virt. FW | Virt. switch | Hypervisor | Hardware

IT-as-a-Service

• Separation of duties is challenged

• Need to retrain and reorient ops teams

• Opportunity to improve security operations

Diagram labels (roles): Network admin | Security admin | Host admin | Virtualization administrator

• Visibility into external service providers

• Secure multi-tenancy concerns

• Trustworthiness


RSA Approach to Securing the Cloud

1. Build security into the VCE Stack

2. Deliver integrated solutions tailored to cloud security needs

a) RSA Solution for Virtual Desktop

b) RSA Solution for Cloud Security and Compliance

3. Partner with VMware and Cloud Technology leaders to provide better security

– VMware: vShield’s new security architecture

– Intel: Hardware Chain of Trust (Technology preview)

– EMC: Content-aware cloud storage


A Holistic Approach to Cloud Security

BUSINESS CONTEXT

Define Policy | Map to Controls | Report On Risk | Assess Compliance

Monitor | Audit | Report

Add Context | Correlate

Manage | Monitor | Detect | Enforce

IDENTITIES | INFRASTRUCTURE | INFORMATION

Manage Governance, Risk + Compliance

RSA Archer eGRC Suite | RSA enVision

Authentication | Access / Provision | Fraud Prevention

SecurID | Access Manager | Fraud Action | Adaptive Auth | Transaction Monitoring | Identity Verification | Federated Identity Mgr | eFraud Network

Data Loss Prevention | Encryption & Tokenization

DLP | Cisco IronPort | Network Partners | Endpoint Partners | RKM App | RKM DC | BSAFE | Microsoft RMS

Network Security Feeds | Endpoint Security Feeds | Infrastructure Feeds | Ionix Config Mgmt | Tokenization


Cycle of Compliance: RSA Solution for Cloud Security and Compliance

Discover VMware infrastructure

Define security policy

Remediation of non-compliant controls

RSA Archer eGRC

Manage security incidents that affect compliance

Manual and automated configuration assessment

Over 100 VMware-specific controls added to Archer library, mapped to regulations/standards

Solution component automatically assesses VMware configuration and updates Archer

RSA enVision collects, analyzes and feeds security incidents from RSA, VMware and ecosystem products to inform Archer dashboards

RSA SecurBook


RSA Archer for Virtualization and Cloud Coming to Vblock in 2011

RSA Archer for orchestrating security of the Vblock

vSphere

Storage

Server blades

Networking

Virtual Machines

RSA Archer eGRC

Available now | 2011


RSA SecurID

Strong authentication – need 2 of 3:

• Something you know

• Password, PIN, …

• Something you are

• Biometrics

• Something you have

• Security token (card, FOB, …)


RSA enVision

Simplifying Compliance

• Compliance reports for regulations and internal policy

• Auditing | Reporting

Enhancing Security

• Real-time security alerting and analysis

• Forensics | Alert / correlation

Optimizing IT & Network Operations

• IT monitoring across the infrastructure

• Visibility | Network baseline

RSA enVision Log Management Platform

• Purpose-built database (IPDB)

Diagram labels (log sources): Servers | Storage | Applications / Databases | Security Devices | Network Devices


RSA Data Loss Prevention Suite

Third Party Enforcement Controls

RSA DLP Enterprise Manager

• Policy Management | System Administration | Reporting & Dashboard | Incident Workflow

DLP Datacenter

• Discover sensitive data in content repositories

• Enforce controls on sensitive data

DLP Network

• Monitor all traffic for sensitive data

• Enforce controls on sensitive transmissions

DLP Endpoint

• Discover sensitive data and monitor user actions

• Enforce controls on both data and user actions

Policies | Incidents


RSA/VMware/Intel Vision: Verifying the Chain of Trust to control VM in the Cloud

Proof of Concept for Measuring and Monitoring Cloud Infrastructure Security at RSA Conference 2010

Diagram labels: ADML apps | Cloud compliance dashboard | Archer apps | Data Feed Manager | VMware Hardening Guidelines | RSA Archer | RSA Data Loss Prevention | DFM Integration | VMware vCenter Server | VMware ESXi | Intel Westmere processor with Intel Trusted Execution Technology | RSA enVision | RSA ADML (Advanced Data Management Layer)

Cloud provider compliance dashboard

Security Offering | Hardening Guidelines | Tuned for PCI | Trusted HW from Intel | Dedicated

Bronze | Silver | Gold | Platinum


RSA Cloud Trust Authority (Beta 2H2011)

Set of Cloud based Services designed to facilitate secure and compliant relationships between enterprises and multiple cloud providers

Enables visibility and control of Identities, Infrastructure and Information to foster trust for organisations to adopt Cloud based services

What’s new?

• Identity services (VMware) provide end user access and provisioning, federation and SSO

• Compliance Profiling Service, view trust profiles against CSA recommendations

• EMC Cloud Advisory Service with Cloud Optimizer to evaluate workloads for suitability for Cloud adoption


Thank you!

www.rsa.com/rsavirtualization