VMworld 2013. Speakers: Gargi Keeling, VMware; Luke Youngblood, McKesson Corporation; Troy Casey, McKesson Corporation. Learn more about VMworld and register at http://www.vmworld.com/index.jspa?src=socmed-vmworld-slideshare
Get on with Business - VMware Reference
Architectures Help Streamline Compliance Efforts
Gargi Keeling, VMware
Luke Youngblood, McKesson Corporation
Troy Casey, McKesson Corporation
SEC5253
#SEC5253
Security Architect May Start a Design on a Whiteboard…
(Figure: Security Architect at a whiteboard)

…and Then Formalize the Design as Reference Architecture
(Figure: Security Architect)

What If You Could…
From whiteboard… …to architecture… …to reality.
Enforce actionable and repeatable policies across trust zones, as defined by industry regulations and organizational policies, and make this all operationally feasible in the software-defined data center?
Agenda
• Transform Architecture Into Reality
• Compliance Challenges in the SDDC
• Auditors and Partners Are On Board
• Technology Catching Up with Policy
• Customer Perspective: McKesson OneCloud
• Example: Simplify Management of PCI DSS Controls
• Summary of NSX Service Composer Features for Implementing Compliance Reference Architectures
• Next Steps
Process for Defining Reference Architecture is Not Trivial
(Figure: inputs to a reference architecture. Regulations, Standards, Best Practices; Common Control Frameworks; Infrastructure Requirements: Access Control, Segmentation, Remediation, Automation, Policy Management, Audit; Reference Architectures, e.g. a PCI Zone on VMware vSphere. See session VCM5428.)
The Cloud Operator Has to Make This All Work…But How?

Security Policy ≠ Security Operations
The security team asks the operator to implement policies, but reference architectures only get you so far.
Security Architect: "I need this."
VI Admin / Cloud Operator: "Yikes."

Manual Workflows Across Different Solutions
The security team relies on manual processes to build workflows between different vendor solutions.
Security Architect: "When THIS happens, we need to do THAT."
VI Admin / Cloud Operator: "Looks complicated." "It is."

Cumbersome Provisioning
The operator is responsible for deploying vendor solutions, often with inconsistent, multi-step processes.
Security Architect: "We approve these solutions. You deploy them."
VI Admin / Cloud Operator: "Maybe next year…"
VMware Compliance Reference Architectures
(Figure: Architecture Design → Reference Architectures → Validation by VMware Partners and 3rd Party Auditors → QSA Validated Reference Architecture)
Technology Solution Categories
DLP, Encryption, BC/DR, Anti Virus / Endpoint Protection, Firewall, AAA, Identity and Access, 2 Factor AuthN, File Integrity Monitoring, IPS/IDS, SIEM, Penetration Testing, Vulnerability Assessment, Patch Mngmnt, Config Mngmnt, DB/App Monitor
NSX Service Composer
Security services can now be consumed more efficiently in the software-defined data center.
Automate. Automate workflows across different services, without custom integration.
Provision. Provision and monitor uptime of different services, using one method.
Apply. Apply and visualize security policies for workloads, in one place.
(See session SEC5749.)
Concept – Apply Policies to Workloads
Security Groups
WHAT you want to protect: Members (VM, vNIC…) and Context (user identity, security posture).
HOW you want to protect it: Services (Firewall, antivirus…) and Profiles (labels representing specific policies).
APPLY: Define security policies based on service profiles already defined (or blessed) by the security team. Apply these policies to one or more security groups where your workloads are members.
Concept – Automate Workflows Across Services
(Figure: services AV, FW, IPS, DLP, Vuln. Mgmt)
IF one service finds something, THEN another service can do something about it, WITHOUT requiring integration between services!
(See session SEC5750.)
Automation Process Using NSX Service Composer
Use NSX security tags, either through NSX security solutions or APIs, to define IF/THEN workflows across security services.
Step 1 - Define security tags based on workflow requirements.
Step 2 - Define security group based on tags.
Step 3 - Set and unset tags based on security workflow requirements.
About McKesson
At A Glance: Founded 1833; HQ San Francisco; 37,000+ employees; Focus: Distribution and Technology.
Our Businesses: Distribution Solutions (pharmaceutical, medical/surgical, plasma and biologics, pharmacy and more); Technology Solutions (information solutions, medication imaging, automation and more).
Ranked 14th on Fortune 500; NYSE: MCK; Revenue: $122.7 billion in FY2012.
By the Numbers: #1 pharmaceutical distribution in US, Canada; #1 generics pharmaceutical distribution; #1 hospital automation; 52% of US hospitals use McKesson technology.
McKesson OneCloud
(Figure: VI Admin / Cloud Operator and Security Architect)
A self-service, private cloud giving users access to new applications on-demand, with necessary security controls.
NIST Cloud Computing Model
(Figure: Deployment Models: Public, Private, Hybrid, Community. Service Models: Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS). Essential Characteristics: Broad Network Access, Resource Pooling, Rapid Elasticity, On-Demand Self-Service, Measured Service.)
With OneCloud, McKesson IT delivers the essential characteristics of Cloud Computing in a Private Cloud, Infrastructure as a Service (IaaS) model. Customers can build their own customized VM catalogs and deliver Platform (PaaS) services to authorized users within their own organizations.
How McKesson Defines Reference Architectures
(Figure: Regulations, Standards, Best Practices; Common Control Frameworks; Infrastructure Requirements: Access Control, Segmentation, Remediation, Automation, Policy Management, Audit; Reference Architectures.)
OneCloud Administration Roles
(Figure: layers from physical to virtual: Network (WLAN, WAN, LAN), Compute, Storage, VMM / Hypervisor, Virtualization Management, virtualApp Templates, Server VM Templates, Server VM Instances, Software / Applications. Roles: Infrastructure (McK-IT), Platform (McK-IT), Group Mgrs, Users.)
Infrastructure (McKesson IT): McKesson IT designs, engineers, implements, manages & supports the virtual infrastructure and the underlying physical infrastructure.
Platform (McKesson IT): McKesson IT designs, engineers, creates, and publishes the base OS templates for use in OneCloud with monitoring and management tools pre-installed and pre-configured.
Group Managers: Administrators of OneCloud consumer groups consume single-machine templates and assemble them into multi-machine templates called vApps. They assign User roles and publish deployment Blueprints for their groups.
Users: OneCloud Users consume vApps by creating application instances from the Blueprints and Templates published for their groups. Their rights are limited by role assignments and resource pooling. They either use the instantiated systems directly or provision them for their teams' compute requirements.
McKesson SecureCloud 2011-2012
(Figure: network zone diagram. External Untrusted Layer: ISP 1, ISP 2, Internet, B2B Extranet, McKesson CareBridge, CoLo's, External Hosting ASP / MPS, Partners, Vendors, Sub-Contractors, McK Remote Offices, McK Remote Sites, McKIT WAN-MPLS. Edge Perimeter Zone: Edge Router, VPN Remote Access. Core Edge Firewall Layer: multiple firewalls (F/W), Shared DMZ, PCI DMZ. Network Core Layer; Infrastructure Distribution Layer: Internal Router. Internal Trusted Layer: Management & Admin Network Zone, PCI Internal Service Networks, CoLo Internal Service Network, ASP-MSP Internal Service Network, HIPAA Internal Service Network.)
Data Classification Framework
PUBLIC, INTERNAL, CONFIDENTIAL, RESTRICTED
McKesson OneCloud Hosting Zones
(Figure: each zone is labelled with its OneCloud phase: 1.0, 1.5, 2.0 or v.TBD)
• GREEN: Non-Sensitive Information (Public, Internal)
• AMBER: Sensitive Information (Confidential)
• TBD: Highly Sensitive Information (Restricted)
• QUARANTINE: Infected / Compromised VM Remediation
• DMZ: Web-facing systems
• YELLOW: Vulnerable, Unpatched Systems
McKesson OneCloud Infrastructure Zones
(Figure: the hosting zones GREEN, AMBER, YELLOW, TBD, QUARANTINE and DMZ, labelled with OneCloud phases 1.0, 1.5, 2.0 and v.TBD, surrounded by infrastructure zones: THREAT DEFENSE; SECURE MANAGEMENT; PARTNER INTEGRATION; MONITORING & AUDIT CAPTURE; Security Services; B2B & 3rd Party Cloud Providers; Event & Alert Feeds; Infrastructure Administration.)
McKesson SecureCloud 2011-2012
(Figure: the SecureCloud network zone diagram (External Untrusted Layer, Edge Perimeter Zone, Core Edge Firewall Layer with Shared DMZ and PCI DMZ, Network Core Layer, Infrastructure Distribution Layer, Internal Trusted Layer with the Management & Admin, PCI, CoLo, ASP-MSP and HIPAA internal service networks) extended with the McKIT ONE CLOUD block: vCloud Mgmt Tools (vCenter, VCD, VCAC); O/S Build, VM Build, VM Repository; EP Agent, VSE 8.8, Auth-LDAP, SYSLOG; Hypervisor Layer with Hosts 1…n, VM1…n and vNet Fabric (vSwitch1, vSwitch2, vSwitch3, vSwitchn); Vuln Scan, Cred, Forensics; Management & Security Services (Physical): Host F/W, Security & Mgmt VMs; storage: DASD, SAN, NAS (NFS, iSCSI, SMB); vSphere Mgmt I/F; vShield Endpoint API Support. Services: Anti-Virus, Vulnerability Mgmt, SIEM, EndPoint Security, Directory Services, Resource Reservation, Policy Automation, Backup & Recovery, Data Discovery, VM Inventory, Forensics. OneCloud GREEN ZONE.)
McKesson OneCloud 1.0 – VM Security Placement
(Figure only)

McKesson OneCloud 1.0 – Internal Hosting Zone
(Figure only)
McKesson OneCloud 1.0 – ‘Green Zone’
(Figure: a VM with OS, APP and DATA layers, with callouts for SIEM Integration, Active Directory and Cloud Management Platform)
Cloud Management Platform: Security hardening of the Cloud infrastructure and management systems is assured using hardening baselines from VMware, ISRM and CIS and live scanning for vulnerabilities and missing patches.
Active Directory: Authentication, Authorization and Role Assignment are enabled via Active Directory. Dedicated AD Groups are leveraged to assign administrator and user roles for both VMs and Infrastructure.
SIEM Integration: ISRM's event management and incident response services are brought to bear via integration with the existing deployment of the RSA enVision Security Information & Event Management (SIEM) solution.
Incident Response and Forensic Analysis is enabled by integration of the forensic data collection agent into the VM Templates underlying OneCloud services.
Endpoint security management for OneCloud uses McKesson's standard package, installed at time of provisioning (Windows VMs) or integrated into the OS Template image (Linux VMs).
OneCloud workloads benefit from placement inside McKesson's firewalled and segmented internal data center networks; VMs and applications hosted in the Green Zone are firewalled from the Internet by default.
The initial OneCloud offering will provide a Baseline level of security for the hosting of internal workloads handling non-sensitive information. Rapid provisioning is leveraged to eliminate the need to patch short-lived systems, as re-provisioning the VM from an updated OneCloud VM Template is an effective replacement for conventional patch management approaches.
NSX Service Composer – Canvas View
Nested Security Groups: A security group can contain other groups. These nested groups can be configured to inherit security policies of the parent container. Members of any nested groups are protected by the parent container policy.
e.g. "Financial Department" can contain "Financial Application"

Members: Security Groups contain VMs, vNICs, vApps and more…to define WHAT you want to protect.
e.g. "Financial Applications", "Desktop Users", "Quarantine Zone"

Nested containers: other groupings within the container.
e.g. "Quarantine Zone" is a sub group within "My Data Center"
Apps and workloads that belong to this container.
e.g. "Apache-Web-VM", "Exchange Server-VM"

Policies: Collection of service profiles assigned to this container…to define HOW you want to protect this container.
e.g. "PCI Compliance" or "Quarantine Policy"

Profiles: When solutions are registered and deployed, these profiles point to actual security policies that have been defined by the security management console (e.g. AV, network IPS). The only exception is firewall rules, which can be defined directly within Service Composer. Profiles for *deployed* solutions are assigned to these policies.
Services supported today:
• Distributed Virtual Firewall
• Anti-virus
• File Integrity Monitoring
• Vulnerability Management
• Network IPS
• Data Security (DLP scan)
Compliance Automation Use Case
Compliance Processes
• Group systems that must be compliant with a specific regulation and apply necessary controls to the group
• Specify systems based on actual data (through sensitive data discovery) or desired compliance state
• Move systems in and out of compliance zones based on above
• Optional: Require approval before any workload is moved to compliance zone
Properties of Compliance Zone
• Apply security policies as dictated by the applicable regulation or standard (e.g. antivirus, firewall, encryption, etc.)
(Figure: actors Application Owner, DLP / Discovery Solution, VI Admin / Cloud Operator)
Automate Compliance Workflow with NSX Service Composer
Prerequisites: Security groups defined by tag membership and relevant policies.
1. Desktop group scanned for credit card data
2. Data security/DLP solution tags VMs with sensitive data
3. VM with sensitive data automatically gets added to PCI DSS group, based on tag
4. VM is re-scanned for continuous compliance
5. Tag is only removed if credit card data no longer present. VM would then be moved out of PCI DSS zone.
Security Group = PCI Zone; Members = {Tag = 'DATA_SECURITY.violationsFound'}
Security Group = Desktops
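The following is an added illustration, not NSX code and not VMware's or McKesson's own: a small Python model of the concepts the deck describes across the automation-process slide (define tags, define groups by tag, set/unset tags), the nested-security-group slide (members of a nested group are protected by the parent container's policy) and the compliance workflow above (DLP tags a desktop, the tag pulls it into the PCI Zone, the tag is cleared only when the data is gone). The tag name DATA_SECURITY.violationsFound is the one shown on the slide; the `Composer` class, the VM and policy names, the "Financial Department"/"Financial Application" nesting and the scan findings are constructed assumptions.

```python
from dataclasses import dataclass, field

# Tag name taken from the slide; the value the real DLP service writes is not
# shown on the page, so this model treats tag presence alone as the match.
VIOLATION_TAG = "DATA_SECURITY.violationsFound"


@dataclass
class VM:
    name: str
    tags: set = field(default_factory=set)


@dataclass
class SecurityGroup:
    """WHAT to protect (static members, tag-driven members, nested groups)
    and HOW (the policies, i.e. service profiles, applied to the group)."""
    name: str
    static_members: set = field(default_factory=set)  # VM names
    tag_criteria: set = field(default_factory=set)    # any matching tag => member
    policies: list = field(default_factory=list)      # e.g. "PCI Compliance"
    children: list = field(default_factory=list)      # nested SecurityGroups


class Composer:
    """In-memory stand-in for the Service Composer model (an assumption,
    not the NSX API)."""

    def __init__(self):
        self.vms = {}
        self.groups = {}

    def add_vm(self, vm):
        self.vms[vm.name] = vm

    def add_group(self, group, parent=None):
        self.groups[group.name] = group
        if parent is not None:
            self.groups[parent].children.append(group)

    def is_member(self, group, vm):
        # Direct membership, or membership of any nested group: members of a
        # nested group are protected by the parent container's policy.
        direct = vm.name in group.static_members or bool(group.tag_criteria & vm.tags)
        return direct or any(self.is_member(child, vm) for child in group.children)

    def members(self, group_name):
        group = self.groups[group_name]
        return sorted(vm.name for vm in self.vms.values() if self.is_member(group, vm))

    def effective_policies(self, vm_name):
        """Union of the policies of every group the VM belongs to."""
        vm = self.vms[vm_name]
        pols = set()
        for group in self.groups.values():
            if self.is_member(group, vm):
                pols.update(group.policies)
        return sorted(pols)

    def set_tag(self, vm_name, tag):
        self.vms[vm_name].tags.add(tag)

    def unset_tag(self, vm_name, tag):
        self.vms[vm_name].tags.discard(tag)


def dlp_scan(composer, group_name, findings):
    """Simulated data-security service (the IF side): tag VMs where credit-card
    data was found and clear the tag only once it is gone. `findings` maps
    VM name -> bool and is constructed sample input."""
    for name in composer.members(group_name):
        if findings.get(name, False):
            composer.set_tag(name, VIOLATION_TAG)
        else:
            composer.unset_tag(name, VIOLATION_TAG)


def build_demo():
    c = Composer()
    for name in ("desktop-01", "desktop-02", "fin-app-vm"):   # constructed VMs
        c.add_vm(VM(name))
    # Step 2: groups whose membership is defined statically or by tag.
    c.add_group(SecurityGroup("Desktops", static_members={"desktop-01", "desktop-02"},
                              policies=["Data Security scan"]))
    c.add_group(SecurityGroup("PCI Zone", tag_criteria={VIOLATION_TAG},
                              policies=["PCI Compliance"]))
    # Nested groups: "Financial Department" contains "Financial Application".
    c.add_group(SecurityGroup("Financial Department", policies=["Finance baseline FW"]))
    c.add_group(SecurityGroup("Financial Application", static_members={"fin-app-vm"},
                              policies=["App-tier AV"]), parent="Financial Department")
    return c


def run_workflow():
    """Workflow steps 1-5; returns membership/policy snapshots at each stage."""
    c = build_demo()
    snap = {"before": c.members("PCI Zone")}
    dlp_scan(c, "Desktops", {"desktop-01": True})        # steps 1-2: scan and tag
    snap["after_scan"] = c.members("PCI Zone")           # step 3: tag => PCI group
    snap["policies_desktop_01"] = c.effective_policies("desktop-01")
    dlp_scan(c, "Desktops", {"desktop-01": True})        # step 4: re-scan, data still present
    snap["after_rescan"] = c.members("PCI Zone")
    dlp_scan(c, "Desktops", {"desktop-01": False})       # step 5: data gone => tag cleared
    snap["after_cleanup"] = c.members("PCI Zone")
    snap["fin_dept_members"] = c.members("Financial Department")
    snap["policies_fin_app"] = c.effective_policies("fin-app-vm")
    return snap


if __name__ == "__main__":
    for stage, value in run_workflow().items():
        print(f"{stage}: {value}")
```

The THEN side of the workflow is entirely declarative here: nothing ever adds desktop-01 to the PCI Zone by hand; its membership (and therefore the "PCI Compliance" policy) follows from the tag, and fin-app-vm picks up "Finance baseline FW" only because its group is nested under "Financial Department".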
NSX Service Composer Simplifies Compliance Management
#1. Apply pre-approved security policies to workloads.
VI Admin / Cloud Operator: "Is this what you wanted?"
Security Architect: "Yup. Looks good."

#2. Implement rules for remediating workloads when they are compromised, at-risk, or non-compliant.
Security Architect: "When THIS happens, do THAT."
VI Admin / Cloud Operator: "No problem."

#3. Provision, monitor, and troubleshoot services from a single console.
Security Architect: "These are the core security controls we need to protect our systems. What can you do about this?"
VI Admin / Cloud Operator: "We can start with these. More coming soon."
(Figure: services AV, FW, IPS, DLP, Vuln. Mgmt, FIM)
Back at the Office…
Security Architect: "You need to look at these VMware Compliance Reference Architecture documents."
VI Admin / Cloud Operator: "Wow. This will really save me a lot of time – thanks! AND I just learned about VMware NSX Service Composer. We could automate a lot of this!"
Security Architect: "No kidding. Prove it!"
VI Admin / Cloud Operator: "I will."
Point your security team to VMware Compliance Reference Architectures. Partner with the security team to evaluate NSX Service Composer to address compliance requirements.
You Can…
From whiteboard… …to architecture… …to reality.
Enforce actionable and repeatable policies across trust zones, as defined by industry regulations and organizational policies – and make this all operationally feasible in the software-defined data center!
Other VMware Activities Related to This Session
HOL: HOL-SDC-1315, vCloud Suite Use Cases - Control & Compliance
Group Discussions: SEC1002-GD, Compliance Reference Architecture: Integrating Firewall, Antivirus, Logging, IPS in the SDDC with Allen Shortnacy

THANK YOU (SEC5253, #SEC5253)
The Basic Concept
Security Groups
WHAT you want to protect
Members: VM, vNIC, network (virtual/Logical Switch, physical), Distributed Virtual PG, cluster, data center, Resource Pool, vApp, other container, IP address, MAC.
Context: User identity, sensitive data, security posture.
HOW you want to protect it
Services: Firewall, antivirus, intrusion prevention, vulnerability management and more.
Profiles: Security policies from VMware and third-party solutions that are defined by the security architect but implemented by the cloud operator.
APPLY
McKesson OneCloud Phases
(Figure: columns OneCloud 1.0, OneCloud 1.5, OneCloud 2.0, Beyond OneCloud 2.0)
• Green Zone: Fully compliant systems; straight L3 pass through with minimal inspection
• Yellow Zone: system patches more than xx days out of date or AV signatures out of date; IPS/FW added to inline path
• Red (quarantine) zone: AV disabled/missing, missing critical system patch; system placed in Sandbox
• DMZ Zone: Prevent systems in this zone from being attached to other networks or zones
• Amber Zones: For sensitive data such as PHI, PCI (confidential)
• Beyond OneCloud 2.0: Sensitive Data (restricted)
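As an added example (not McKesson's code or policy), the zone rules above written as a placement function, so the precedence between them is explicit: a system that is both missing a critical patch and running stale AV signatures matches the Red rule before the Yellow one, and the zone decides what happens on the inline path. The slide leaves the Yellow threshold as "xx days", so `PATCH_STALE_DAYS` is a placeholder; the rule order (posture findings before data classification) and the `Posture` fields and sample VMs are assumptions.

```python
from dataclasses import dataclass

# The slide says "xx days"; this is an assumed placeholder, not McKesson's value.
PATCH_STALE_DAYS = 30


@dataclass
class Posture:
    """Constructed view of one VM's posture and data classification."""
    name: str
    web_facing: bool = False
    data_classification: str = "internal"   # public / internal / confidential / restricted
    av_installed: bool = True
    av_signatures_current: bool = True
    missing_critical_patch: bool = False
    patch_age_days: int = 0


# What each zone means for the system, as stated on the slide.
ZONE_TREATMENT = {
    "red": "system placed in Sandbox",
    "yellow": "IPS/FW added to inline path",
    "dmz": "prevented from attaching to other networks or zones",
    "amber": "controls for confidential data such as PHI, PCI",
    "restricted": "restricted-data zone, beyond OneCloud 2.0",
    "green": "straight L3 pass through with minimal inspection",
}


def classify_zone(p, stale_days=PATCH_STALE_DAYS):
    """Return the zone for one VM. Ordering is an assumption: the most
    restrictive posture finding wins, then exposure, then data sensitivity."""
    if not p.av_installed or p.missing_critical_patch:
        return "red"                                   # Red (quarantine) zone
    if p.patch_age_days > stale_days or not p.av_signatures_current:
        return "yellow"                                # Yellow zone
    if p.web_facing:
        return "dmz"                                   # DMZ zone
    if p.data_classification == "restricted":
        return "restricted"                            # beyond OneCloud 2.0
    if p.data_classification == "confidential":
        return "amber"                                 # Amber zone
    return "green"                                     # fully compliant


def place(vms, stale_days=PATCH_STALE_DAYS):
    """Map each VM name to (zone, treatment)."""
    result = {}
    for p in vms:
        zone = classify_zone(p, stale_days)
        result[p.name] = (zone, ZONE_TREATMENT[zone])
    return result


SAMPLE_VMS = [  # constructed sample input
    Posture("intranet-wiki"),
    Posture("billing-db", data_classification="confidential"),
    Posture("web-portal", web_facing=True),
    Posture("lab-box", patch_age_days=45),
    Posture("legacy-app", av_installed=False, patch_age_days=90),
    Posture("old-sigs", av_signatures_current=False, data_classification="confidential"),
]

if __name__ == "__main__":
    for name, (zone, treatment) in place(SAMPLE_VMS).items():
        print(f"{name:14} {zone:10} {treatment}")
```

Because the zone is recomputed from posture, the same function drives the "move systems in and out of compliance zones" step: rerun it after a patch cycle or a signature update and a Yellow system returns to Green without a manual move.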
VMware NSX Service Composer – For Compliance Scenarios
Built-In Services: Firewall, Identity-based Firewall; Data Security (DLP / Discovery)
3rd Party Services: IDS / IPS, AV, Vulnerability Mgmt; 2013 Vendors: Symantec, McAfee, Trend Micro, Rapid 7
Security Groups: Define workloads based on many attributes (VMs, vNICs, networks, user identity, and more) – WHAT you want to protect
Security Policies: Define policies using profiles from built-in services and 3rd party services - HOW you want to protect workloads
Automation: Use security tags and other context to drive dynamic membership of security groups – results in IF-THEN workflows across services
(Figure: VMware NSX Network Virtualization Platform: Any Application (without modification); Virtual Networks: Logical L2, Logical L3, Logical Firewall, Logical Load Balancer, Logical VPN; Any Network Hardware; Any Cloud Management Platform; Any Hypervisor)
NSX Integrated Partners
(Figure: NSX Controller & NSX Manager, NSX API, Cloud Management Platforms; Partner Extensions: L2 Gateway, Firewall, ADC/LB, IDS/IPS, AV/FIM, Vulnerability Management, Security Services)