VMworld 2013: VMware Compliance Reference Architecture Framework Overview
0 likes1,438 views
The document provides an overview of VMware's Compliance Reference Architecture Framework, highlighting its methodology, key technologies like NSX Service Composer, and the importance of compliance in cloud environments. It discusses the integration of various compliance requirements across different regulations, as well as the role of VMware's solutions in maintaining security and operational efficiency. Key takeaways include validation of reference architectures by VMware and partners to meet regulatory demands, and a commitment to evolving these frameworks as technologies and regulations change.
VMworld 2013: VMware Compliance Reference Architecture Framework Overview
- 1. VMware Compliance Reference Architecture Framework Overview Jerry Breaud, VMware Allen Shortnacy, VMware SEC5428 #SEC5428
- 2. 2 Agenda VMware Compliance Reference Architecture Framework Compliance Reference Architecture Methodology NSX Service Composer for Compliance Architectures Network Virtualization NSX Network Services Other VMware Product Capabilities Relative to Compliance Summary Next Steps VMworld and Beyond
- 3. 3 Competing Concerns – Pick Any 2 “Are you getting the maximum efficiency out of your infrastructure?” “How quickly can IT respond to LOB requests?” • Legislative Compliance • Security – Corp Assets & IP • Risk Reduction • SLAs & Business Continuity ?
- 4. 4 Infrastructure Requirements Access Control Segmentation Remediation Automation Policy Management Audit Common Control Frameworks Regulations, Standards, Best Practices Reference Architectures PCI Zone VMware vSphere Security & Compliance Influence Design of the SDDC
- 5. 5 VMware Compliance Reference Architectures Reference ArchitecturesVMware Partners Auditors Product Applicability Architecture Design Auditor Validated Referfence Architecture
- 6. 6 Technology Solution Categories Mapped to Regulations Description ISO PCI HIPAASANSCSA FISM A LOW FISM A MOD FISM A HIGH FedRAM P LOW FedRAM P M OD PCI Requirements NIST RequirementsCommon Required Technical Security Solutions 1 VAM VulnerabilityAssessment and Management Identify and track vulnerabilities 6.2, 6.5, 6.6, 11.2 RA-5 2 PT Penetration Testing Validate vulnerabilities 11.3 CA-2 3 SEIM SecurityEvent Information Monitoring Log and correlate environment data 10, A.1.3 SI-4, AU-2/3/6/10/12 4 IPS Intrusion Prevention System Identify attacks 11.4 SI-3, SI-4 5 FIM File IntegrityMonitoring Identify changed files 11.5 SI-7 6 2FA Two Factor Authentication Authenticate users 8.3 IA-2 7 IdM IdentityManagement Provision and deprovision users 8.1, 8.2, 8.5.1 IA-4 8 AAA Authentication, Authorization, Accounting (3A) Identity interaction nonrepudiation 7, 8.5 IA-5, AC-3 9 FW Network (N) and Host (H) Firewall Segment and protect networks 1 SC-7 10 AV Server and Endpoint Antivirus Protect against malware 5 SI-3 11 BU SystemBackups Systems survivability 10.5.3, 12.9.1 CP-9 12 DARE Data At Rest Encryption Protect data 3.4, 3.5, 3.6 SC-12/13/28, IA-7 13 DIME Data In Motion Encryption Protect data 2.3, 4, 8.4 SC-9/12/13, IA-7 14 DBM Database Monitoring Protect database environment 10, A.1.3 SI-4 15 CM Configuration Management Protect infrastructure 2.1, 2.2 SI-2, SA-10, CM-1/2/6 16 PM Patch Management Protect infrastructure 6.1 CM-2, SI-2 17 WAF* Web Application Firewall Protect user services 6.6 SI-3, SI-4, SC-7 18 DLP** Data Leakage Protection Identify sensitive data * Specifically called out in some authorities and implied control in others. Highly recommended where the Internet will be the primary use case. ** Not specifically called out in any authority.
- 7. 7 DLP Encryption BC DR Anti Virus Endpoint Protection Firewall AAA Identity and Access 2 Factor AuthN File Integrity Monitoring IPS/IDS SIEM Penetration Testing Vulnerability Assessment Patch Mngmnt Config Mngmnt DB/App Monitor Technology Solution Categories
- 10. 10 Compliance Reference Architecture Methodology Dynamic Composition with Line of Sight • Regulatory Specificity for Audit • Regulation Independent Use Case Controls • Technology Partner Choice • Process Methodology for Delivery and Maturity
- 11. 11 1 Compliance Challenges: Many Systems - Dashboards of Wonder Vulnerability Mgmt System Antivirus System Firewall vCenter IDS System DLP System
- 12. 12 VMware NSX VMware NSX Logical Switch Logical Router Logical Firewall Logical Load Balancer • No multicast requirement • Bridge Physical - Virtual • GSLB & L7 LB • SSL Termination Logical VPN • Site-to-Site • Remote Access Gateway • Distributed & Line Rate • Identity Aware • Distributed L3 • Perimeter Routing NSX API NSX Controller NSX vSwitch – vDS on ESXi NSX Service Composer Extensibility Any Network Hardware
- 13. 13 NSX Service Composer Security services can now be consumed more efficiently in the software-defined data center. Apply. Apply and visualize security policies for workloads, in one place. Automate. Automate workflows across different services, without custom integration. Provision. Provision and monitor uptime of different services, using one method.
- 14. 14 Concept – Apply Policies to Workloads Security Groups WHAT you want to protect Members (VM, vNIC…) and Context (user identity, security posture HOW you want to protect it Services (Firewall, antivirus…) and Profiles (labels representing specific policies) APPLY Define security policies based on service profiles already defined (or blessed) by the security team. Apply these policies to one or more security groups where your workloads are members.
- 15. 15 Software Defined Data Center Anti-Virus (AV), Anti-Malware Application Delivery Controller (ADC) Application Whitelisting Application Firewall Data Loss Prevention (DLP) Encryption File Integrity Monitoring (FIM) Firewall (Host/Network) Identity and Access Management Intrusion Detection/Prevention System (IDS/IPS) Load Balancer Network Forensics Network Gateway (VXLAN) Network Port Profile Network Switch Policy and Compliance Solution Security Intelligence and Event Management (SIEM) User Access Control (closest to our SAM) Vulnerability Management WAN Optimizer Web Filter Extend Platform to Best of Breed Services Properties of virtual services: • Programmatic provisioning • Place any workload anywhere • Move any workload anywhere • Decoupled from hardware • Operationally efficient
- 16. 16 NSX Integrated Partners NSX Controller & NSX Manager NSX API Partner Extensions L2 Gateway FirewallADC/LB IDS/IPS + Cloud Management Platforms AV/FIM Vulnerability Management Security Services
- 17. 17 Priv User Network Activity Monitoring Solution Categories CMP vCD, vCAC, etc. NSX Service Composer Automation vCO, Scripts, etc. API REST, Java, .NET NW Iso VXLAN, NAT Firewall TCP, Identity VPN IPsec, SSL DLP At Rest, Wire Priv User AAA, Session Recording AV Malware, Whitelist FIM Config Files, Registry IPS/IDS Monitor, Prevent, Report Vulnerability Penetration Testing Next Gen FW App Aware, Fine Grained App Layer IPS Encryption VMFS, VMDK, OS Configuration Management Patching SIEM Syslog, Event Correlation Platform (Future NSX Enabled) Extensibility NSX NSX Enabled Consumption VMware & Platform Partner VMware NSX Enabled Partner VMware + Customer/ 3rd Party/ Open Src Platform Partner Logging
- 18. 18 Compute Virtualization The Network is a Barrier to Software Defined Data Center Any Physical Infrastructure • Provisioning is slow • Placement is limited • Mobility is limited • Hardware dependent • Operationally intensive Software Defined Data Center SOFTWARE-DEFINED DATACENTER SERVICES VDC
- 19. 19 Network and Security Virtualization Must… 1. Decouple Physical Virtual 2. Reproduce 3. Automate Network Operations Cloud Operations Hardware independence Operational benefits of virtualization No change to network from end host perspective Virtual Physical
- 20. 20 VMware NSX VMware NSX Logical Switch Logical Router Logical Firewall Logical Load Balancer • No multicast requirement • Bridge Physical - Virtual • GSLB & L7 LB • SSL Termination Logical VPN • Site-to-Site • Remote Access Gateway • Distributed & Line Rate • Identity Aware • Distributed L3 • Perimeter Routing NSX API NSX Controller NSX vSwitch – vDS on ESXi NSX Service Composer Extensibility Any Network Hardware
- 21. 21 Logical Switching and Routing • Tightly coupled with physical networks • Hairpins and bottlenecks reduce performance and scale Before • Completely decoupled from hardware – Dynamic routing, no Multicast • Line rate performance with distributed scale out architecture • Connect existing networks with logical networks – L2 bridging With NSX • Speed of provisioning applications across racks, rows or data centers (up to Metro distances) • Enable higher server utilization, leverage existing physical network, only require basic IP hardware for future purchases • Create on demand networks to meet application needs Benefits DynamicRouting DynamicRouting DynamicRouting Physical Workload
- 22. 22 Logical Load Balancing • Physical appliances are costly and create bottlenecks • Rigid architectures tie the application down Before • Cloud level feature set for SLB and GSLB with full HA • TSAM with enhanced health checks, connection throttling and CLI • Simplified Deployment in one-armed or inline mode With NSX • On demand LB services for any application enabling speedy deployment • Pay as you go model for services • Manage multiple LB instances with centralized management Benefits Logical Network Web1a Web1cWeb1b
- 23. 23 Logical VPN • VPN Concentrators become bottlenecks and chokepoints Before • Per Tenant VPN appliance when needed • High Performance – hardware acceleration for IPSec and SSL • Site-2-Site, Client and Cloud VPN extends Corporate LAN With NSX • Network can be extended when needed for different use cases • No investment needed in large VPN Concentrators upfront Benefits Public Cloud
- 24. 24 NSX Next Generation Firewall • Scale out architecture “bolted-on” to L3 with limited performance • Limited visibility and control unless hair-pinning (E/W) to L3 • Error prone, static VLANs and IP/port based policies Before • Massive scale and line rate performance • Virtualization and identity context • Centralized management across entire Datacenter With NSX • Simplified operations – single policy definition Benefits Physical View Web App DB Web App DB Servers Users “skinny VLANs” Business and Virtual Context Logical View VMware Logical View
- 25. 25 vCenter Infrastructure Navigator Capabilities Automated discovery and dependency mapping Speedy and accurate discovery and dependency mapping of application services across virtual infrastructure & adjoining physical servers one hop away Rapid updates that keep mapping information up-to-date
- 26. 26 Cloud Infrastructure (vSphere, vCenter, vShield, vCloud Director) ! ! ! Overview Benefits More than 80 pre-defined templates for country/industry specific regulations Accurately discover and report sensitive data in unstructured files with analysis engine Segment off VMs with sensitive data in separate trust zones Quickly identify sensitive data exposures Reduce risk of non-compliance and reputation damage Improve performance by offloading data discovery functions to a virtual appliance NSX Data Security Visibility Into Sensitive Data to Address Regulatory Compliance
- 27. 27 vShield Endpoint Partners VMware vSphere Introspection SVM OS Hardened AV VM APP OS Kernel BIOS VM APP OS Kernel BIOS VM APP OS Kernel BIOS
- 28. 28 vCenter Operations and Log Insight Machine Data comprises: • Structured Data • vCenter Operations • Unstructured Data • Log Insight Log Insight and vCenter Operations together provide a complete solution for Cloud Operations Management
- 29. 29 vCenter Operations Configuration Manager Harden the VMware Infrastructure • Harden the configuration for ESX, network, storage, etc. • Harden the vSphere guest VM settings • Harden vCD/vCenter settings Harden the Guest OS • Physical and Virtual; Desktop and Servers; Win, UNIX, Mac Virtual Datacenter 1 Virtual Datacenter 2 PCI – PoS PCI Zone Non-PCI Zone ESX Hardening Cluster ACluster B VMware vSphere + vCenter Vendor Hardening Guidelines CIS Benchmarks FISMAHIPAASOX NERC/ FERC NIST ISO 27002 GLBADISA PCI DSSPCI DSS
- 30. 30 Applicability to PCI Requirements PCI Requirement Products 1 Install/maintain a firewall configuration to protect cardholder data vSphere, NSX App/Edge, VIN 2 Don’t use defaults for system passwords/security parameters ESXi, vCenter, VCM, NSX 3 Protect stored cardholder data NSX, VCM 4 Encrypt transmission of cardholder data on public networks NSX Edge 5 Use and regularly update anti-virus software or programs vShield Endpoint + Partners 6 Develop and maintain secure systems and applications vSphere, NSX , VIN, VCM, VUM 7 Restrict access to cardholder data by business need to know vSphere, NSX, vCM 8 Assign a unique ID to each person with computer access ESXi, vSphere, NSX, VCM 9 Restrict physical access to cardholder data 10 Track and monitor all access to network resources/cardholder data vSphere, NSX, VIN, VCM, Log Insight 11 Regularly test security systems and processes VIN, VCM 12 Maintain a policy that addresses information security A1 Shared hosting providers must protect the cardholder data vSphere, NSX, vCD, VCM
- 31. 31 Competing Concerns – Take All 3! “Are you getting the maximum efficiency out of your infrastructure?” “How quickly can IT respond to LOB requests?” • Legislative Compliance • Security – Corp Assets & IP • Risk Reduction • SLAs & Business Continuity
- 32. 32 Summary – Key Takeaways VMware, its Technology Partners and Audit Partners are working to validate reference architectures pertaining to mainstream regulations Guidance is intended to educate SDDC architects, Information Risk personnel and Auditors involved in customer environments Best practices for VMware and Technology Partner products, their configurations and usage in order to meet regulatory controls VMware Compliance Reference Architectures will evolve to support new versions of products and the regulations themselves
- 33. 33 VMworld: Security and Compliance Sessions Category Topic NSX • 5318: NSX Security Solutions In Action (201) • 5753: Dog Fooding NSX at VMware IT (201) • 5828: Datacenter Transformation (201) • 5582: Network Virtualization across Multiple Data Centers (201) NSX Firewall • 5893: Economies of the NSX Distributed Firewall (101) • 5755: NSX Next Generation Firewalls (201) • 5891: Build a Collapsed DMZ Architecture (301) • 5894: NSX Distributed Firewall (301) NSX Service Composer • 5749: Introducing NSX Service Composer (101) • 5750: NSX Automating Security Operations Workflows (201) • 5889: Troubleshooting and Monitoring NSX Service Composer (301) Compliance • 5428: Compliance Reference Architecture Framework Overview (101) • 5624: Accelerate Deployments – Compliance Reference Architecture (Customer Panel) (201) • 5253: Streamlining Compliance (201) • 5775: Segmentation (301) • 5820: Privileged User Control (301) • 5837: Operational Efficiencies (301) Other • 5589: Healthcare Customer Case Study: Maintaining PCI, HIPAA and HITECH Compliance in Virtualized Infrastructure (Catbird – Jefferson radiology) • 5178: Motivations and Solution Components for enabling Trusted Geolocation in the Cloud - A Panel discussion on NIST Reference Architecture (IR 7904). (Intel and HyTrust) • 5546: Insider Threat: Best Practices and Risk Mitigation techniques that your VMware based IaaS provider better be doing! (Intel)
- 34. 34 For More Information… VMware Collateral VMware Approach to Compliance VMware Solution Guide for PCI VMware Architecture Design Guide for PCI VMware QSA Validated Reference Architecture PCI Partner Collateral VMware Partner Solution Guides for PCI How to Engage? [email protected] @VMW_Compliance on Twitter
- 35. 3535 Other VMware Activities Related to This Session HOL: HOL-SDC-1315 vCloud Suite Use Cases - Control & Compliance HOL-SDC-1317 vCloud Suite Use Cases - Business Critical Applications HOL-PRT-1306 Compliance Reference Architecture- Catbird, HyTrust and LogRhythm Group Discussions: SEC1002-GD Compliance Reference Architecture: Integrating Firewall, Antivirus, Logging and IPS in the SDDC with Allen Shortnacy
- 36. THANK YOU
- 38. VMware Compliance Reference Architecture Framework Overview Allen Shortnacy, VMware SEC5428 #SEC5428