
Architecting and Building a Secure and Compliant Virtual Infrastructure and Private Cloud


Presentation Transcript


  1. Architecting and Building a Secure and Compliant Virtual Infrastructure and Private Cloud
     Rob Randell, CISSP, CCSK, Principal Systems Engineer – Security Specialist

  2. Agenda
     • Security Perspective on the Customer Journey to the Cloud
     • Whiteboard Overview of How Virtualization and Cloud Affect Datacenter Security
     • How to Secure our Cloud and Make it Compliant
     • Network Security and Secure Multi-tenancy in the Cloud

  3. Security Perspective On Customer Deployment Architectures
     • Physical deployments are still considered to be the most secure and remain in all enterprises
     • Air gapped pods are preferred by security teams for virtualized high risk assets (SOX, PCI, DMZ)
     • Mixed trust clusters typically have the M&M security model, blocking important asset migration to them
     • Private cloud is an extension of the mixed trust deployment, with more automation and self service
     • Dedicated private cloud SLAs make it virtually the same risk level as on-premise deployments
     • Multi-tenant public cloud is just emerging, with concerns around visibility, audit, control and compliance
     [Diagram: deployment architectures placed on a 0–5 risk scale: Physical, Air Gapped Pods, Mixed Trust Clusters, On-Premise Private Cloud, Dedicated Private "Cloud" (eBay, CSC), Public Multi-Tenant Cloud (Terremark, EC2)]

  4. The Datacenter needs to be secured at different levels
     Perimeter Security – keep the bad guys out (at the vDC edge)
     • Perimeter security device(s) at the edge
     • Firewall, VPN, Intrusion Prevention
     • Load balancers
     Internal Security – segmentation of applications and servers (VLANs)
     • VLAN or subnet based policies
     • Interior or Web Application Firewalls
     • DLP, application identity aware policies
     End Point Security – end point protection
     • Desktop AV agents
     • Host based intrusion
     • DLP agents for privacy
     Cost & Complexity
     • Sprawl: hardware, FW rules, VLANs
     • Rigid FW rules
     • Performance bottlenecks

  5. Simple Definition of a Virtual Datacenter
     • The isolated and secured share of a virtualized multitenant environment.
     • Just as a physical datacenter shares the Internet for interconnectivity, the tenants of a cloud (public or private) share the local network within the private datacenter or the service provider's network; and, as with a physical datacenter, each tenant also has its own private, isolated, and secured virtual networking infrastructure.
     [Diagram: Tenant 1, Tenant 2, Tenant …, each with its own App1, App2 and DMZ segments on VMware vSphere]

  6. Securing virtual Data Centers (vDC) with legacy security solutions
     • Air Gapped Pods with dedicated physical hardware
     • Mixed trust clusters without internal security segmentation
     • Configuration Complexity
       • VLAN sprawl
       • Firewall rules sprawl
       • Rigid network IP rules without resource context
     • Private clouds (?)
     [Diagram: virtualized DMZ with firewalls – perimeter security at the Internet edge, internal security between the Web Zone, Application Zone and Database Zone on vSphere, endpoint security on the VMs]
     Legacy security solutions do not allow the realization of true virtualization and cloud benefits

  7. Platform Sec.

  8. Secure the Underlying Platform FIRST
     Use the Principles of Information Security
     • Hardening and Lockdown
     • Defense in Depth
     • Authorization, Authentication, and Accounting to enforce Separation of Duties and Least Privilege
     • Administrative Controls
     For virtualization this means:
     • Harden the Virtualization layer
     • Set up Access Controls
     • Secure the Guests
     • Leverage Virtualization Specific Administrative Controls
     What Auditors Want to See:
     • Network Controls
     • Change Control and Configuration Management
     • Access Controls & Management
     • Vulnerability Management

  9. Protection of Management Interfaces is Key
     • Segment out all non-production networks
       • Use VLAN tagging, or
       • Use a separate vSwitch (see diagram)
     • Strictly control access to the management network, e.g.
       • RDP to a jump box, or
       • VPN through a firewall
     [Diagram: an ESX/ESXi host with the VMkernel Management and IP-based Storage networks on one vSwitch (connected to vCenter and other ESX/ESXi hosts) and the VM vnics for the Production network on a separate vSwitch; vSwitch1 and vSwitch2 uplink through vmnic1–4 to the Mgmt Network and Prod Network]
     VMware vSphere 4 Hardening Guidelines: http://www.vmware.com/resources/techresources/10109

  10. Separation of Duties Must Be Enforced
     [Diagram: role hierarchy ranging from More Power to Less Power]

  11. Air Gapped Design – Costly and Inefficient
     [Diagram: three identical, fully separate stacks for Company X, Company Y and Company Z, each with its own Remote Access VPN Gateway, L2-L3 aggregation switch, Firewall, Load Balancer, access Switch and vSphere hosts behind the Internet]

  12. Multi-tenancy – Physical Firewall and VLAN
     [Diagram: Internet → Access-Aggregation Firewalls → L2-L3 Switch → VMware vSphere + vShield. Each tenant gets its own VLAN and port group: PG-X for Company X on VLAN 1000, PG-Y for Company Y on VLAN 1001, PG-Z for Company Z on VLAN 1002; the vDS/vSS carries the port group to VM links and the virtual to external switch links]
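As an added example (not from the slides or any VMware tool), the following Python checks one host's port-group layout against the two isolation rules above: the management VMkernel network must not share a broadcast domain with production traffic (slide 9), and each tenant port group must sit on its own VLAN (slide 12). The host description is constructed sample data; the port group names and VLAN IDs mirror the diagrams.

```python
"""Constructed audit of one ESXi host's port groups against two isolation rules:
management traffic separate from production, and one VLAN per tenant."""
from collections import defaultdict

# Constructed sample data, not output of any VMware tool.
# vlan 0 means untagged on that vSwitch.
HOST_PORTGROUPS = [
    {"name": "Mgmt Network", "vswitch": "vSwitch1", "vlan": 0, "role": "mgmt"},
    {"name": "IP Storage", "vswitch": "vSwitch1", "vlan": 20, "role": "storage"},
    {"name": "PG-X", "vswitch": "vSwitch2", "vlan": 1000, "role": "tenant"},
    {"name": "PG-Y", "vswitch": "vSwitch2", "vlan": 1001, "role": "tenant"},
    {"name": "PG-Z", "vswitch": "vSwitch2", "vlan": 1002, "role": "tenant"},
]


def broadcast_domain(pg):
    """Port groups on the same vSwitch with the same VLAN tag see each
    other's traffic; a separate vSwitch or a different tag isolates them."""
    return (pg["vswitch"], pg["vlan"])


def audit_portgroups(portgroups):
    """Return a list of findings; an empty list means both rules hold."""
    findings = []
    mgmt = [pg for pg in portgroups if pg["role"] == "mgmt"]
    prod = [pg for pg in portgroups if pg["role"] == "tenant"]
    # Rule 1 (slide 9): management must be on a separate vSwitch or VLAN
    for m in mgmt:
        for p in prod:
            if broadcast_domain(m) == broadcast_domain(p):
                findings.append(
                    f"{m['name']} shares {m['vswitch']} VLAN {m['vlan']} "
                    f"with production port group {p['name']}")
    # Rule 2 (slide 12): every tenant port group on its own VLAN
    tenants_by_vlan = defaultdict(list)
    for pg in prod:
        tenants_by_vlan[pg["vlan"]].append(pg["name"])
    for vlan, names in sorted(tenants_by_vlan.items()):
        if len(names) > 1:
            findings.append(f"tenant port groups {names} share VLAN {vlan}")
    return findings


if __name__ == "__main__":
    for finding in audit_portgroups(HOST_PORTGROUPS) or ["no findings"]:
        print(finding)
```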

  13. Multi-tenancy – Virtualization Aware
     [Diagram: Internet → Access-Aggregation L2-L3 Switch → VMware vSphere + vShield. All tenant port groups (PG-X, PG-Y, PG-Z for Company X, Y, Z) sit on the Infrastructure VLAN (VLAN 1000); an external uplink port group PG-C on the Provider VLAN (VLAN 100) carries the vDS to external switch links; a vShield Edge VM sits between the tenant port groups and the external uplink, and the internal company links are marked "Traffic flow not allowed"]

  14. Enforce Microsegmentation Inside the vDC
     • Protect applications against Network Based Threats
     • Application-Aware Full Stateful Packet Inspection FW
     • Control on a per-VM / per-vNIC level
     • See VM-VM traffic within the same host
     • Security groups enforced with VM movement
     [Diagram: Virtual Datacenter 1 and Virtual Datacenter 2, each with Web, App and Database tiers, governed by DISA & PCI and CIS & PCI baselines, spread over Cluster A and Cluster B on VMware vSphere + vCenter with ESX Hardening]

  15. Offload Endpoint Based Security Functions with VM Introspection Techniques
     • Improves performance and effectiveness of existing endpoint security solutions
     • Offloaded functions:
       • AV
       • File Integrity Monitoring
       • Application Whitelisting

  16. Virtualized Security and Edge Services
     Cloud Aware Security: Elastic, Logical, Efficient, Automated, Programmable, Security as a Service
     Edge/Perimeter Protection
     • Secure the edge of the virtual datacenter
     • Security and Edge networking services gateway
     Internal Security and Compliance
     • Micro-segmentation
     • Discover and report regulated data in the Datacenter and Cloud
     Endpoint Security
     • Efficient offload of endpoint based security into the cloud infrastructure, e.g. anti-virus and file integrity monitoring

  17. Continuous and Automated Compliance
     Ongoing Change and Compliance Management
     • Understand Pervasive Change
     • Capture in-band and out-of-band changes
     • Are you still Compliant?
     • Remediate
     • Exceptions
     • Fit within the current enterprise change management workflow process
     Protect against vulnerabilities
     • Hypervisor-based anti-virus provides superior protection
     • Patch Management guards against known attacks
     • Software provisioning tied to compliance
     • Day to day vulnerability checks
     [Diagram: a host is Deployed from a Gold Standard into a Compliant State; a Planned Change keeps it in a Compliant State; an Unplanned Change moves it to a Noncompliant State, from which Remediate (RFC optional) returns it to a Compliant State, or the change is Marked as an Exception]
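The change-and-compliance flow on this slide, written out as an added Python example (not part of the deck or of any VMware product): a host deployed from a gold standard stays compliant through planned, RFC-backed changes, becomes noncompliant on unplanned change, and returns to compliance through remediation or an approved exception. The host settings, hostnames and RFC values are constructed.

```python
"""Constructed model of the slide's change-and-compliance flow: a host is
deployed from a gold standard; planned (RFC-backed) changes keep it compliant;
unplanned changes make it noncompliant until remediated or marked as an
exception. Settings and names are made up, not a VMware product feature."""

GOLD_STANDARD = {          # constructed baseline for an ESXi host
    "ssh_enabled": False,
    "lockdown_mode": True,
    "ntp_servers": ("ntp1.example.internal",),
    "syslog_target": "syslog.example.internal",
}

_UNSET = object()  # sentinel: no planned value recorded for a setting


def detect_drift(baseline, observed):
    """Map each drifted setting to (expected, actual), in-band or out-of-band."""
    return {k: (v, observed.get(k)) for k, v in baseline.items()
            if observed.get(k) != v}


def compliance_state(baseline, observed, planned_changes, exceptions):
    """Return ("compliant" | "noncompliant", unplanned drift).

    planned_changes: {setting: approved new value} from the change workflow
    exceptions: settings approved to deviate from the gold standard
    """
    drift = detect_drift(baseline, observed)
    unplanned = {k: exp_act for k, exp_act in drift.items()
                 if planned_changes.get(k, _UNSET) != exp_act[1]
                 and k not in exceptions}
    return ("noncompliant" if unplanned else "compliant"), unplanned


def remediate(baseline, observed, unplanned):
    """Return observed settings with the unplanned drift reset to baseline."""
    fixed = dict(observed)
    fixed.update({k: baseline[k] for k in unplanned})
    return fixed


if __name__ == "__main__":
    observed = dict(GOLD_STANDARD, ssh_enabled=True,
                    ntp_servers=("ntp2.example.internal",))
    planned = {"ntp_servers": ("ntp2.example.internal",)}  # RFC-approved change
    state, unplanned = compliance_state(GOLD_STANDARD, observed, planned, set())
    print(state, unplanned)   # noncompliant {'ssh_enabled': (False, True)}
    fixed = remediate(GOLD_STANDARD, observed, unplanned)
    print(compliance_state(GOLD_STANDARD, fixed, planned, set())[0])  # compliant
```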

  18. Conclusion
     • The Cloud has great benefits and, like any technology, its associated risks
     • These risks can be mitigated with proper controls
     • The classic principles of Information Security should be applied
     • Key architecture decisions must be made for security
     • Tools designed for the Cloud must be utilized

  19. Questions?
     Rob Randell, CISSP, CCSK, Principal Security and Compliance Specialist
