VMworld 2013: Get on with Business - VMware Reference Architectures Help Streamline Compliance Efforts
Speakers: Gargi Keeling, VMware; Luke Youngblood, McKesson Corporation; Troy Casey, McKesson Corporation
Session SEC5253 (#SEC5253)


DESCRIPTION

VMworld 2013 session by Gargi Keeling (VMware), Luke Youngblood (McKesson Corporation) and Troy Casey (McKesson Corporation). Learn more about VMworld and register at http://www.vmworld.com/index.jspa?src=socmed-vmworld-slideshare


Page 1: VMworld 2013: Get on with Business - VMware Reference Architectures Help Streamline Compliance Efforts

Title slide. Gargi Keeling, VMware; Luke Youngblood, McKesson Corporation; Troy Casey, McKesson Corporation. SEC5253 / #SEC5253

Page 2: Security Architect May Start a Design on a Whiteboard…

[Illustration: the Security Architect at a whiteboard.]

Page 3: …and Then Formalize the Design as Reference Architecture

[Illustration: the Security Architect with the formalized reference architecture.]

Page 4: What If You Could…

From whiteboard… …to architecture… …to reality.

Enforce actionable and repeatable policies across trust zones, as defined by industry regulations and organizational policies – and make this all operationally feasible in the software-defined data center?

Page 5: Agenda

• Transform Architecture Into Reality
• Compliance Challenges in the SDDC
• Auditors and Partners Are On Board
• Technology Catching Up with Policy
• Customer Perspective: McKesson OneCloud
• Example: Simplify Management of PCI DSS Controls
• Summary of NSX Service Composer Features for Implementing Compliance Reference Architecture
• Next Steps

Page 6: Process for Defining Reference Architecture is Not Trivial

[Diagram. Elements shown: Regulations, Standards, Best Practices; Common Control Frameworks; Infrastructure Requirements (Access Control, Segmentation, Remediation, Automation, Policy Management, Audit); Reference Architectures, illustrated by a PCI Zone on VMware vSphere. Related session: VCM5428.]

Page 7: The Cloud Operator Has to Make This All Work…But How?

Security Architect: "I need this."
VI Admin / Cloud Operator: "Yikes."

Security Policy ≠ Security Operations: the security team asks the operator to implement policies, but reference architectures only get you so far.

Page 8: The Cloud Operator Has to Make This All Work…But How?

Speech bubbles: Security Architect: "When THIS happens, we need to do THAT." VI Admin / Cloud Operator: "Looks complicated." / "It is."

Manual Workflows Across Different Solutions: the security team relies on manual processes to build workflows between different vendor solutions.

Page 9: The Cloud Operator Has to Make This All Work…But How?

Security Architect: "We approve these solutions. You deploy them."
VI Admin / Cloud Operator: "Maybe next year…"

Cumbersome Provisioning: the operator is responsible for deploying vendor solutions, often with inconsistent, multi-step processes.


Page 11: VMware Compliance Reference Architectures

[Diagram: Architecture Design produces Reference Architectures; Validation by VMware Partners and 3rd Party Auditors yields a QSA Validated Reference Architecture.]

Page 12: Technology Solution Categories

• DLP
• Encryption
• BC / DR
• Anti Virus / Endpoint Protection
• Firewall
• AAA
• Identity and Access
• 2 Factor AuthN
• File Integrity Monitoring
• IPS/IDS
• SIEM
• Penetration Testing
• Vulnerability Assessment
• Patch Mngmnt
• Config Mngmnt
• DB/App Monitor


Page 14: NSX Service Composer

Security services can now be consumed more efficiently in the software-defined data center.

Automate. Automate workflows across different services, without custom integration.

Provision. Provision and monitor uptime of different services, using one method.

Apply. Apply and visualize security policies for workloads, in one place.

Related session: SEC5749

Page 15: Concept – Apply Policies to Workloads

Security Groups, WHAT you want to protect: Members (VM, vNIC…) and Context (user identity, security posture).

HOW you want to protect it: Services (Firewall, antivirus…) and Profiles (labels representing specific policies).

APPLY: Define security policies based on service profiles already defined (or blessed) by the security team. Apply these policies to one or more security groups where your workloads are members.

Page 16: Concept – Automate Workflows Across Services

[Diagram: the services AV, FW, IPS, DLP and Vuln. Mgmt linked through Service Composer.]

IF one service finds something, THEN another service can do something about it, WITHOUT requiring integration between services!

Related session: SEC5750

Page 17: Automation Process Using NSX Service Composer

Use NSX security tags, either through NSX security solutions or APIs, to define IF/THEN workflows across security services.

Step 1 - Define security tags based on workflow requirements.
Step 2 - Define security group based on tags (Security Group = tag membership).
Step 3 - Set and unset tags based on security workflow requirements.


Page 19: About McKesson

At A Glance: Founded 1833; HQ San Francisco; 37,000+ employees; Focus: Distribution and Technology.

Our Businesses: Distribution Solutions (pharmaceutical, medical/surgical, plasma and biologics, pharmacy and more); Technology Solutions (information solutions, medication imaging, automation and more).

Ranked 14th on Fortune 500; NYSE: MCK; Revenue: $122.7 billion in FY2012.

By the Numbers: #1 pharmaceutical distribution in US, Canada; #1 generics pharmaceutical distribution; #1 hospital automation; 52% of US hospitals use McKesson technology.

Page 20: McKesson OneCloud

A self-service, private cloud giving users access to new applications on-demand, with necessary security controls.

[Illustration: VI Admin / Cloud Operator and Security Architect.]

Page 21: NIST Cloud Computing Model

[Diagram of the NIST model. Service Models: Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS). Deployment Models: Public, Private, Hybrid, Community. Essential Characteristics: Broad Network Access, Resource Pooling, Rapid Elasticity, On-Demand Self-Service, Measured Service.]

With OneCloud, McKesson IT delivers the essential characteristics of Cloud Computing in a Private Cloud, Infrastructure as a Service (IaaS) model. Customers can build their own customized VM catalogs and deliver Platform (PaaS) services to authorized users within their own organizations.

Page 22: How McKesson Defines Reference Architectures

[Diagram with the same elements as Page 6: Regulations, Standards, Best Practices; Common Control Frameworks; Infrastructure Requirements (Access Control, Segmentation, Remediation, Automation, Policy Management, Audit); Reference Architectures.]

Page 23: OneCloud Administration Roles

[Diagram of the stack. Layers shown, physical and virtual: Network (WLAN, WAN, LAN), Compute, Storage, VMM / Hypervisor, Virtualization Management, Server VM Templates, virtualApp Templates, Server VM Instances, Software / Applications. Roles shown: Infrastructure (McK-IT), Platform (McK-IT), Group Mgrs, Users.]

Infrastructure (McKesson IT): McKesson IT designs, engineers, implements, manages & supports the virtual infrastructure and the underlying physical infrastructure.

Platform (McKesson IT): McKesson IT designs, engineers, creates, and publishes the base OS templates for use in OneCloud with monitoring and management tools pre-installed and pre-configured.

Group Managers: Administrators of OneCloud consumer groups consume single-machine templates and assemble them into multi-machine templates called vApps. They assign User roles and publish deployment Blueprints for their groups.

Users: OneCloud Users consume vApps by creating application instances from the Blueprints and Templates published for their groups. Their rights are limited by role assignments and resource pooling. They either use the instantiated systems directly or provision them for their teams' compute requirements.

Page 24: McKesson SecureCloud 2011-2012

[Network diagram. External Untrusted Layer: ISP 1, ISP 2, Internet, Extranet, B2B, WAN-MPLS, McKesson CareBridge, CoLo's, External Hosting ASP / MPS, Partners, Vendors, Sub-Contractors, McK Remote Offices, McK Remote Sites, VPN Remote Access. Edge Perimeter Zone: Edge Routers. Core Edge Firewall Layer: multiple firewalls (F/W), Shared DMZ, PCI DMZ. Network Core Layer and Infrastructure Distribution Layer: Internal Routers. Internal Trusted Layer: Management & Admin Network Zone, PCI Internal Service Networks, CoLo Internal Service Network, ASP-MSP Internal Service Network, HIPAA Internal Service Network, McKIT.]

Page 25: Data Classification Framework

PUBLIC, INTERNAL, CONFIDENTIAL, RESTRICTED (in increasing order of sensitivity).

Page 26: McKesson OneCloud Hosting Zones

[Diagram of hosting zones, each labelled with the OneCloud release that introduces it (OneCloud 1.0, 1.5, 2.0 or v.TBD):
• DMZ: Web-facing systems
• GREEN: Non-Sensitive Information (Public, Internal)
• AMBER: Sensitive Information (Confidential)
• TBD: Highly Sensitive Information (Restricted)
• QUARANTINE: Infected / Compromised VM Remediation
• YELLOW: Vulnerable, Unpatched Systems]

Page 27: McKesson OneCloud Infrastructure Zones

[Diagram: the hosting zones from Page 26 (DMZ, GREEN, AMBER, YELLOW, QUARANTINE, TBD, with their OneCloud release labels) surrounded by the infrastructure zones MONITORING & AUDIT CAPTURE, THREAT DEFENSE, SECURE MANAGEMENT and PARTNER INTEGRATION, with the labels Security Services, B2B & 3rd Party Cloud Providers, Event & Alert Feeds and Infrastructure Administration.]

Page 28: McKesson SecureCloud 2011-2012 (with OneCloud)

[Network diagram as on Page 24, with the McKIT OneCloud environment added in the Internal Trusted Layer. OneCloud GREEN ZONE elements: Hosts 1…n with a Hypervisor Layer and vNet Fabric (vSwitch1, vSwitch2, vSwitch3 … vSwitchn), VM1…n, Host F/W, Security & Mgmt VMs, storage (DASD, SAN, NAS: NFS, iSCSI, SMB), O/S Build, VM Build, VM Repository, vCloud Mgmt Tools (vCenter, VCD, VCAC), EP Agent (VSE 8.8), Auth-LDAP, SYSLOG, Vuln Scan, Cred Forensics, vSphere Mgmt I/F. Management & Security Services (Physical), with vShield Endpoint API Support: Anti-Virus, Vulnerability Mgmt, SIEM, EndPoint Security, Directory Services, Resource Reservation, Policy Automation, Backup & Recovery, Data Discovery, VM Inventory, Forensics.]

Page 29: McKesson OneCloud 1.0 – VM Security Placement

[Diagram only; no slide text extracted.]

Page 30: McKesson OneCloud 1.0 – Internal Hosting Zone

[Diagram only; no slide text extracted.]

Page 31: McKesson OneCloud 1.0 – 'Green Zone'

[Diagram labels: SIEM Integration; Active Directory; Cloud Management Platform; VM (OS, APP, DATA).]

Security hardening of the Cloud infrastructure and management systems is assured using hardening baselines from VMware, ISRM and CIS and live scanning for vulnerabilities and missing patches.

Authentication, Authorization and Role Assignment are enabled via Active Directory. Dedicated AD Groups are leveraged to assign administrator and user roles for both VMs and Infrastructure.

ISRM's event management and incident response services are brought to bear via integration with the existing deployment of the RSA enVision Security Information & Event Management (SIEM) solution.

Incident Response and Forensic Analysis is enabled by integration of the forensic data collection agent into the VM Templates underlying OneCloud services.

Endpoint security management for OneCloud uses McKesson's standard package, installed at time of provisioning (Windows VMs) or integrated into the OS Template image (Linux VMs).

OneCloud workloads benefit from placement inside McKesson's firewalled and segmented internal data center networks – VMs and applications hosted in the Green Zone are firewalled from the Internet by default.

The initial OneCloud offering will provide a Baseline level of security for the hosting of internal workloads handling non-sensitive information. Rapid provisioning is leveraged to eliminate the need to patch short-lived systems, as re-provisioning the VM from an updated OneCloud VM Template is an effective replacement for conventional patch management approaches.


Page 33: NSX Service Composer – Canvas View

Nested Security Groups: A security group can contain other groups. These nested groups can be configured to inherit security policies of the parent container. Members of any nested groups are protected by the parent container policy.

e.g. "Financial Department" can contain "Financial Application"

Page 34: NSX Service Composer – Canvas View

Members: Security Groups contain VMs, vNICs, vApps and more…to define WHAT you want to protect.

e.g. "Financial Applications", "Desktop Users", "Quarantine Zone"

Page 35: NSX Service Composer – Canvas View

Nested containers: other groupings within the container. e.g. "Quarantine Zone" is a sub group within "My Data Center".

Apps and workloads that belong to this container. e.g. "Apache-Web-VM", "Exchange Server-VM".

Policies: Collection of service profiles assigned to this container…to define HOW you want to protect this container. e.g. "PCI Compliance" or "Quarantine Policy"

Page 36: NSX Service Composer – Canvas View

Profiles: When solutions are registered and deployed, these profiles point to actual security policies that have been defined by the security management console (e.g. AV, network IPS). The only exception is firewall rules, which can be defined within Service Composer directly. Profiles for *deployed* solutions are assigned to these policies.

Services supported today:
• Distributed Virtual Firewall
• Anti-virus
• File Integrity Monitoring
• Vulnerability Management
• Network IPS
• Data Security (DLP scan)

Page 37: Compliance Automation Use Case

Compliance Processes
• Group systems that must be compliant with a specific regulation and apply necessary controls to the group
• Specify systems based on actual data (through sensitive data discovery) or desired compliance state
• Move systems in and out of compliance zones based on above
• Optional: Require approval before any workload is moved to compliance zone

Properties of Compliance Zone
• Apply security policies as dictated by the applicable regulation or standard (e.g. antivirus, firewall, encryption, etc.)

[Diagram actors: Application Owner; DLP / Discovery Solution; VI Admin / Cloud Operator.]

Page 38: Automate Compliance Workflow with NSX Service Composer

Prerequisites: Security groups defined by tag membership and relevant policies.

1. Desktop group scanned for credit card data
2. Data security/DLP solution tags VMs with sensitive data
3. VM with sensitive data automatically gets added to PCI DSS group, based on tag
4. VM is re-scanned for continuous compliance
5. Tag is only removed if credit card data no longer present. VM would then be moved out of PCI DSS zone.

Security Group = PCI Zone
Members = {Tag = 'DATA_SECURITY.violationsFound'}

Security Group = Desktops
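The five-step workflow above, together with the nested-group policy inheritance from the Canvas View slides, modelled as an added example (not VMware's code or NSX's API): group membership is driven by the DATA_SECURITY.violationsFound tag, and a VM's applied policies follow the tag in and out of the PCI Zone. The group names, policy names and scanner results are constructed.

```python
"""
Added example (not VMware's code): a small model of the NSX Service Composer
workflow on this slide, plus the nested-group policy inheritance from the
Canvas View slides. Group names, policy names and scanner results are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Tag name shown on the slide; the DLP / data security service sets and clears it.
VIOLATION_TAG = "DATA_SECURITY.violationsFound"


@dataclass
class VM:
    name: str
    tags: Set[str] = field(default_factory=set)


@dataclass
class SecurityGroup:
    name: str
    static_members: Set[str] = field(default_factory=set)   # e.g. the Desktops group
    required_tag: Optional[str] = None                      # dynamic, tag-driven membership
    policies: List[str] = field(default_factory=list)
    parent: Optional["SecurityGroup"] = None                # nested inside a parent container

    def contains(self, vm: VM) -> bool:
        if self.required_tag is not None:
            return self.required_tag in vm.tags
        return vm.name in self.static_members

    def effective_policies(self) -> List[str]:
        # Nested groups inherit the parent container's policies.
        inherited = self.parent.effective_policies() if self.parent else []
        return inherited + self.policies


def policies_for(vm: VM, groups: List[SecurityGroup]) -> List[str]:
    """Every policy that applies to the VM through any group it belongs to."""
    applied: List[str] = []
    for group in groups:
        if group.contains(vm):
            for policy in group.effective_policies():
                if policy not in applied:
                    applied.append(policy)
    return applied


def dlp_scan(vm: VM, findings: Dict[str, int]) -> None:
    """Steps 2, 4 and 5: set the tag when card data is found, and clear it
    only when a re-scan reports zero findings for the VM."""
    if findings.get(vm.name, 0) > 0:
        vm.tags.add(VIOLATION_TAG)
    else:
        vm.tags.discard(VIOLATION_TAG)


def run_workflow() -> Dict[str, Dict[str, List[str]]]:
    """Run the workflow and return the policies per VM after the first scan
    and after the re-scan."""
    datacenter = SecurityGroup("My Data Center", policies=["Baseline AV"])
    desktops = SecurityGroup("Desktops", static_members={"desk-01", "desk-02"},
                             policies=["Desktop FW"], parent=datacenter)
    pci_zone = SecurityGroup("PCI Zone", required_tag=VIOLATION_TAG,
                             policies=["PCI Compliance"], parent=datacenter)
    groups = [datacenter, desktops, pci_zone]
    vms = {n: VM(n) for n in ("desk-01", "desk-02")}

    # Steps 1-3: the constructed first scan finds card data on desk-01 only,
    # so desk-01 is tagged and joins PCI Zone without any manual group edit.
    for vm in vms.values():
        dlp_scan(vm, {"desk-01": 3})
    after_scan = {n: policies_for(vm, groups) for n, vm in vms.items()}

    # Steps 4-5: the data has been removed; the re-scan clears the tag and
    # desk-01 drops out of PCI Zone, losing the PCI policy automatically.
    for vm in vms.values():
        dlp_scan(vm, {})
    after_rescan = {n: policies_for(vm, groups) for n, vm in vms.items()}
    return {"after_scan": after_scan, "after_rescan": after_rescan}


if __name__ == "__main__":
    for phase, result in run_workflow().items():
        print(phase, result)
```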


Page 40: NSX Service Composer Simplifies Compliance Management

#1. Apply pre-approved security policies to workloads.

VI Admin / Cloud Operator: "Is this what you wanted?"
Security Architect: "Yup. Looks good."

Page 41: NSX Service Composer Simplifies Compliance Management

#2. Implement rules for remediating workloads when they are compromised, at-risk, or non-compliant.

Security Architect: "When THIS happens, do THAT."
VI Admin / Cloud Operator: "No problem."

Page 42: NSX Service Composer Simplifies Compliance Management

#3. Provision, monitor, and troubleshoot services from a single console.

Security Architect: "These are the core security controls we need to protect our systems. What can you do about this?"
VI Admin / Cloud Operator: "We can start with these. More coming soon."

[Diagram: the services AV, FW, IPS, DLP, Vuln. Mgmt and FIM.]


Page 44: Back at the Office…

Dialog between the Security Architect and the VI Admin / Cloud Operator:
"You need to look at these VMware Compliance Reference Architecture documents."
"AND I just learned about VMware NSX Service Composer. We could automate a lot of this!"
"No kidding. Prove it!"
"I will."
"Wow. This will really save me a lot of time – thanks!"

Point your security team to VMware Compliance Reference Architectures. Partner with security team to evaluate NSX Service Composer to address compliance requirements.

Page 45: You Can…

From whiteboard… …to architecture… …to reality.

Enforce actionable and repeatable policies across trust zones, as defined by industry regulations and organizational policies – and make this all operationally feasible in the software-defined data center!

Page 46: Other VMware Activities Related to This Session

HOL: HOL-SDC-1315, vCloud Suite Use Cases - Control & Compliance

Group Discussions: SEC1002-GD, Compliance Reference Architecture: Integrating Firewall, Antivirus, Logging, IPS in the SDDC, with Allen Shortnacy

SEC5253

Page 47: THANK YOU

Page 49: Get on with Business - VMware Reference Architectures Help Streamline Compliance Efforts (title slide repeated). Gargi Keeling, VMware; Luke Youngblood, McKesson Corporation; Troy Casey, McKesson Corporation. SEC5253 / #SEC5253

Page 50: The Basic Concept

Security Groups, WHAT you want to protect:
• Members: VM, vNIC, network (virtual/Logical Switch, physical), Distributed Virtual PG, cluster, data center, Resource Pool, vApp, other container, IP address, MAC
• Context: User identity, sensitive data, security posture

HOW you want to protect it:
• Services: Firewall, antivirus, intrusion prevention, vulnerability management and more.
• Profiles: Security policies from VMware and third-party solutions that are defined by the security architect but implemented by the cloud operator.

APPLY

Page 51: McKesson OneCloud Phases

[Timeline columns: OneCloud 1.0, OneCloud 1.5, OneCloud 2.0, Beyond OneCloud 2.0.]

• Green Zone: Fully compliant systems; Straight L3 pass through with minimal inspection
• Yellow Zone: system patches more than xx days out of date or AV signatures out of date; IPS/FW added to inline path
• Amber Zones: For sensitive data such as PHI, PCI (confidential)
• Red (quarantine) zone: AV disabled/missing, missing critical system patch; System placed in Sandbox
• DMZ Zone: Prevent systems in this zone from being attached to other networks or zones
• Beyond OneCloud 2.0: Sensitive Data (restricted)
Page 52: VMworld 2013: Get on with Business - VMware Reference Architectures Help Streamline Compliance Efforts

53

VMware NSX Service Composer – For Compliance Scenarios

Built-In Services • Firewall, Identity-based Firewall

• Data Security (DLP / Discovery)

Security Groups • Define workloads based on many attributes (VMs,

vNICs, networks, user identity, and more) – WHAT

you want to protect

3rd Party Services • IDS / IPS, AV, Vulnerability Mgmt

• 2013 Vendors: Symantec, McAfee, Trend Micro,

Rapid 7

Any Application (without modification)

Virtual Networks

VMware NSX Network Virtualization Platform

Logical L2

Any Network Hardware

Any Cloud Management Platform

Logical

Firewall

Logical

Load Balancer

Logical L3

Logical

VPN

Any Hypervisor

Security Policies • Define policies using profiles from built-in services

and 3rd party services - HOW you want to protect

workloads

Automation • Use security tags and other context to drive

dynamic membership of security groups –

results in IF-THEN workflows across services

Page 53: VMworld 2013: Get on with Business - VMware Reference Architectures Help Streamline Compliance Efforts

54

NSX Integrated Partners

NSX Controller & NSX Manager

NSX API

Partner Extensions

L2 Gateway

Firewall ADC/LB IDS/IPS

+

Cloud Management

Platforms

AV/FIM Vulnerability Management

Security Services