
Compliance for the Software-Defined Data Center

Compliance for the Software-Defined Data Center. Kurt Van Etten. Jerry Breaud. Symantec Director, Risk & Compliance Product Management. VMware Global Strategic Alliances - Compliance. Agenda. IT Drivers and the Software-Defined Data Center. Compliance in the SDDC.


Presentation Transcript


  1. Compliance for the Software-Defined Data Center Kurt Van Etten Jerry Breaud Symantec Director, Risk & Compliance Product Management VMware Global Strategic Alliances - Compliance IL B16 April 17, 2013 2:30pm to 3:30pm

  2. Agenda IT Drivers and the Software-Defined Data Center Compliance in the SDDC Our Approach: Compliance Reference Architectures Symantec and VMware – PCI Solution Q & A

  3. IT Pressures – a Constant Over the Decades Cost Agility “Are you getting the maximum efficiency out of your infrastructure?” “How quickly can IT respond to LOB requests?” Governance • Legislative Compliance • Risk Reduction – SLAs & Business Continuity • Security – Corp Assets & IP

  4. Adoption Has Enabled Agility >90% 25% 60% Minutes/Seconds DAYS/HOURS WEEKS 2008 2012 FUTURE

  5. Driven by Infrastructure Storage/Availability Management/Monitoring Servers Networking Security VDC Software-defined Datacenter Services 2008 2012 FUTURE Minutes/Seconds DAYS/HOURS WEEKS

  6. Software-Defined Datacenter All infrastructure is virtualized and delivered as a service, and the control of this datacenter is entirely automated by software. Abstract. Pool. Automate.

  7. Getting to The Software-Defined Data Center (SDDC) VMware vCloud Suite VMware vCloud Automation Center VMware vCloud APIs MANAGEMENT CLOUD INFRASTRUCTURE EXTENSIBILITY VMware vCloud Networking & Security VMware vCenter Site Recovery Manager Software-Defined Networking & Security Software-Defined Storage & Availability VMware vCenter Operations Mngmnt. Suite VMware vCloud Connector VIRTUALIZATION VMware vFabric Application Director VMware vCenter Orchestrator Physical Infrastructure (Server, Storage, Network) VMware vCloud Director VMware vSphere

  8. Extensibility Symantec and the SDDC Security and Compliance Solutions Storage & Availability Solutions VMware vCloud Automation Center VMware vCloud APIs MANAGEMENT CLOUD INFRASTRUCTURE EXTENSIBILITY “At the endpoint and beyond” Anti-virus and Malware Virtual Server Hardening (vSphere) Data Loss Prevention Threat Correlation Content Filtering Legal & Regulatory Compliance Managed Security • “Always on, always available” • Backup & Recovery • High Availability • Application Availability • Clustering • Archiving • Storage Management and Reporting • Dynamic Multi-pathing VMware vCloud Networking & Security VMware vCenter Site Recovery Manager Software-Defined Networking & Security Software-Defined Storage & Availability VMware vCenter Operations Mngmnt. Suite VMware vCloud Connector VIRTUALIZATION VMware vFabric Application Director VMware vCenter Orchestrator Physical Infrastructure (Server, Storage, Network) VMware vCloud Director VMware vSphere

  9. The Virtualization Path – Continue the Journey Software-Defined Data Center Reducing Cost Agility Enabling Governance Game Change Thru Self-Service Opex Saving Thru Automation Reactive Proactive Capex Savings Thru Consolidation Abstract. Pool. Automate. Empower. Business Production IT Production IT as a Service

  10. Compliance in the Software-Defined Data Center VMware: The Virtualization Journey: Managing and Proving Compliance

  11. Virtualize Applications on The Journey Typical Compliance Challenges Operations Wants to Virtualize and Consolidate More But Sometimes Risk Owners Need Convincing • Reducing Costs • Infrastructure efficiency • Simpler management • Reduces Compliance Complexity • Streamline compliance reporting Will I meet compliance & security requirements? Will my auditor approve? What’s in it for me? Will my virtualized environment be as compliant as my physical environment? Compliance & Security Operations Business Risk Owner Chief Compliance Officer/ Legal Counsel

  12. Trust and Cloud Computing – Some New Challenges • Mixed mode levels of trust • VMs riding on the same Guest with different Trust Levels (PCI) • Multi-Tenancy protecting Intellectual Property (IP) with shared Resources • Auditor, QSA Approval of Design • Evidence based compliance • What standards and frameworks do I adopt to minimize risk? • How do I prove my data is properly protected and segmented? • How do I automate the application best practices, regulatory guidelines and vendor standards? • Separation of consumer and provider • Consumer delivered governance around workloads • Evidence from provider around infrastructure compliance • How do I address data governance, privacy, etc? • How do we account for change? (Loss of Service)

  13. VMware Offerings Lay The Foundation Continuously assess and remediate compliance for guests and VMware Infrastructure.

  14. Compliance Framework Compliance Drivers Compliance Levers Compliance is the Top Business Driver for Security Investment Compliance & Regulatory Concerns Is #2 Concern For Private Cloud Compliance Is The # 1 Inhibitor to Moving Data/Apps to the (Public) Cloud

  15. VMware Compliance Reference Architecture Framework VMware: The Virtualization Journey: Managing and Proving Compliance

  16. Virtualize Applications on The Journey VMware Compliance GTM • Customers want to Virtualize Business Critical Applications and maintain required Compliance • Concerns can slow adoption as an “objection” to virtualizing • Concerns are being addressed one-off with individual customers • Opportunity is to define Compliance solutions and scale through GTM model • VMware Approach • Deliver Thought Leadership To/Via Audit/Compliance Industry • Build And Deliver Compliance Reference Architecture Framework • Enable Compliant Cloud Solutions By Extending The VMware Eco-System • 1) Align Audit/Advisory, 2) Infrastructure and 3) SI/SO/SP Partners • Focus on Highly Regulated Industries • Focus On PCI, HIPAA/HITECH, FedRAMP, FISMA, SOX, etc • Start with PCI Solution to build framework and partnerships • Expand to other solutions and GTM activities to scale

  17. Virtualize Applications on The Journey VMware – Compliance GTM – In the News

  18. Virtualize Applications on The Journey Solution Development Lifecycle Capability Architecture Solution VMWARE & PARTNER PRODUCTS MAPPED TO COMPLIANCE CONTROLS BUSINESS FOCUSED ADDRESSES COMPLIANCE RISK PRODUCT + SERVICES JOINT REFERENCE ARCHITECTURE DESIGN AUDITOR LAB VALIDATION TESTED FOR INTEROPERABILITY & COMPATIBILITY VMware Ready, NetX, etc. JOINT ARCHITECTURES BEST PRACTICES Assessment, Design, Deployment and Operational Services COLLABORATIVE DESIGN EFFORT VMware + Infrastructure + Auditor + Services Partners • Tested for compatibility & support • Tested for API Conformance • Designed to meet business requirements • Designed to meet majority of technical controls REVIEWED BY AUDITOR VALIDATED BY AUDITOR • Led by VMware • Multi-party strategy • Auditor design input • Meets regulatory audit requirements • Sales motion alignment • Delivery capabilities aligned • Full solution lifecycle

  19. Virtualize Applications on The Journey Route to Market – Access, Expertise, Capability Audit/Advisory Partners Define & Validate RA’s Industry Thought Leadership NEW Partners 1 Enhanced Strategy Infrastructure Partner Technology White Space Enhance Compliance Capabilities Symantec is the first VMware partner to publish Architecture Design Guide for PCI 2 Customer Compliance Solution Guides 1 Validated VMW Reference Architectures Validated Partner Reference Architectures 2 4 GTS Compliance Solution Toolkit 3 3 Converged Infrastructure Systems Integrator Outsourcer Service Provider

  20. Virtualize Applications on The Journey Compliance Reference Architecture Framework Compliance Infrastructure Solution VMware GTS Compliance Solution Toolkit Auditor Reviewed VMware Validated Reference Architecture Auditor Validated VMware Architecture Design Guide Auditor Reviewed VMware Solution Guide VMware Approach to Compliance Document 5 VMware Technology + Services Document 4 Document 3 Document 2 Document 1 1 Defines the overall approach to compliance undertaken by VMware, Partners and Auditors for the broadest understanding of the effort 2 Collaboration between VMware SMEs and Auditor to establish applicability of VMware software and applicable regulation(s) 3 Builds upon the first 2 documents and describes more detailed approach for considerations when designing a compliant architecture 4 Defines expected results of compliant architecture implemented with design principles from Doc 3, focus on audit procedures for verification Audit Advisory Partners 5 Expands concepts of Reference Architecture into a concept of Deployment & operations for green field or remediation implementations

  21. Virtualize Applications on The Journey Compliance Reference Architecture Framework Compliance Infrastructure Solution Compliance Infrastructure Solution Partner Compliance Solution Toolkit Auditor Reviewed VMware GTS Compliance Solution Toolkit Auditor Reviewed VAR, SI, SO, SP Deployment Services Partner Validated Reference Architecture Auditor Validated VMware Validated Reference Architecture Auditor Validated VMware PSO Partner Architecture Design Guide Auditor Reviewed VMware Architecture Design Guide Auditor Reviewed VMware Solution Guide Partner Solution Guide VMware Approach to Compliance Partner Approach to Compliance Document 5 Document 5 VMware Technology + Services Document 4 Document 4 Document 3 Document 3 VMware Technology Document 2 Document 2 Document 1 Document 1 Compliance Infrastructure Solution Audit Advisory Partners Audit Advisory Partners VMware Partners Partner PSO Partner Technology + Services Partner Technology Symantec is the first VMware partner to publish a Solution Guide and Architecture Design Guide for PCI

  22. Symantec-VMware Partnership VMware: The Virtualization Journey: Managing and Proving Compliance

  23. PCI Example – Functional Responsibilities PCI DSS Requirements 29% Organization Responsibility Non-technical Policy, Process, Procedure and Physical 50% VMware Technical Products 22% Partner Technical Products 14% VMware + Partners Technical Products

  24. PCI DSS x Symantec Solutions* Meeting PCI - Before Virtualization DLP Firewalls SIM Policy Endpoint Protection Secure Config

  25. Symantec Security & Compliance Solutions for VMware

  26. PCI Example – Virtualized Environment Symantec DLP with vCloud Networking and Security App • Discover sensitive data • Scans environment looking for sensitive data • Flags affected VMs • Quarantine out of policy VMs Incident Management and Reporting Symantec Security Information Manager w/vShield Log Collector • Map application environment • Show where the affected systems are connected • Identify relationships vCenter Infrastructure Navigator vShield Endpoint & Symantec Endpoint Solutions Endpoint Malware with Intrusion Detection/Prevention vCloud Networking and Security App Automated and Self-healing • Creates logical trust zones • Automatically • Based on App (banking) segmented • Inter-vSphere “firewall” Symantec Control Compliance Suite w/vSphere Hardening Policy Assess VMs for configuration and vulnerability states to remediate deficiencies and policy violations • Policy and Assessment Management

  27. PCI Validated Solutions – available today • Specific implementation guidance • Maps VMware and Partner technologies • VMware-authored with addendum by partners • Auditor reviewed and validated • HIPAA/HITECH in 2H 13 Symantec Compliance Practice

  28. Bringing It All Together

  29. Q&A VMware: The Virtualization Journey: Managing and Proving Compliance

  30. VMware Compliance Press Release https://www.vmware.com/company/news/releases/vmw-pci-100412.html VMware Collateral VMware Approach to Compliance http://www.vmware.com/files/pdf/VMware-Approach-to-Compliance.pdf VMware Solution Guide for PCI http://www.vmware.com/files/pdf/VMware-Payment-Card-Industry-Solution-Guide.pdf VMware Architecture Design Guide for PCI http://www.vmware.com/files/pdf/VMware-Architecture-Design-Guide-for-PCI.pdf Partner Collateral VMware Partner Solution Guides for PCI https://solutionexchange.vmware.com/store/categories/compliance Compliance@vmware.com For More Information VMware: The Virtualization Journey: Managing and Proving Compliance

  31. Symantec VMware Press Release http://www.symantec.com/about/news/release/article.jsp?prid=20120228_02 Symantec Collateral Symantec VMware Approach to Security in Virtualized Environment http://www.symantec.com/content/en/us/enterprise/white_papers/b-WP_SecuringThePromiseOfVirtualization_WP_21229614.en-us.pdf Symantec Solutions for Security and Compliance in Virtualized Environment http://www.symantec.com/products-solutions/solutions/detail.jsp?parent=virtualization&child=secure_virtualization Symantec Solutions that support PCI Compliance http://www.symantec.com/pci-compliance For More Information VMware: The Virtualization Journey: Managing and Proving Compliance
