VMware: The Virtualization Journey:
Managing and Proving Compliance with VMware and Symantec
Jerry Breaud
Strategic Alliances - Compliance, VMware
Todd Zambrovitz
Global Product Marketing Manager - Virtualization, Symantec
Agenda
1. Challenges in Cloud Adoption
2. VMware Trusted Cloud Approach
3. Building on the Trusted Cloud Foundation
4. VMware Trusted Cloud Ecosystem
5. Q&A
SYMANTEC VISION 2012
Challenges in Cloud Adoption
Security and Compliance are Key Concerns for CIOs Moving to Cloud
Q. What are the top challenges or barriers to implementing a cloud computing strategy?
Source: 2010 IDG Enterprise Cloud-based Computing Research, November 2010
Top 4 Concerns are on Security and Compliance
Demonstrating Compliance Across a Transitioning Environment…
Accelerate Business Critical Virtualization, requiring:
Considerations
• Accelerated provisioning
• Mixed-trust workloads
• Increased risk of data loss across varied trust zones
• Multiple overlapping regulations and mandates
• Poor visibility and control
Solutions
• Effective policy coverage
• Adaptive control assessments
• Consistent policies and controls
• End-to-end visibility
Trust and Cloud Computing – Some New Challenges
• Mixed mode levels of trust
  • VMs riding on the same Guest with different Trust Levels (PCI)
  • Multi-tenancy: protecting Intellectual Property (IP) with shared resources
• Auditor, QSA approval of design
  • Evidence-based compliance
  • What standards and frameworks do I adopt to minimize risk?
  • How do I prove my data is properly protected and segmented?
  • How do I automate the application of best practices, regulatory guidelines and vendor standards?
• Separation of consumer and provider
  • Consumer-delivered governance around workloads
  • Evidence from provider around infrastructure compliance
  • How do I address data governance, privacy, etc.?
  • How do we account for change? (Loss of service)
VMware Trusted Cloud Approach
VMware’s Approach to Trusted Cloud
“A Trusted Cloud provides enhanced reliability through enforcement of mandatory constraints, defined by policy and validated by regular audits.”
VMware Trusted vCloud: Control, Security, Compliance
Deliver a solution that meets our customers’ compliance requirements as they look to migrate tier 1 apps to vSphere
Customer Must Address Compliance to Get the Next 50%
[Figure: the journey from Virtualization to Cloud, moving from IT Production through Business Production to IT as a Service (Enterprise Hybrid Cloud), and from low governance to high governance]
Must proactively address security and compliance concerns to continue the journey and accelerate.
“Virtual needs to be Better than Physical”
Trusted vCloud: Compliance – Product View
Layers: End User Computing; Cloud Applications; Public/Private/Hybrid Cloud Virtualized Infrastructure
• Network Security: vShield + 3rd Party
• Platform Security: VUM + VCM + 3rd Party
• Data Security: vShield + 3rd Party
• Configuration Management: VCM
• White Listing: 3rd Party
• Config. & Log Management: VCM + 3rd Party
• Identity Management: Horizon
• End Point Security: vShield + 3rd Party
• Authorization: Horizon & VIEW
Regulations (eGRC): Healthcare, Government, Finance, Energy
Meet Customers’ Compliance Requirements to Migrate Tier 1 Apps to vSphere
Building on the Trusted Cloud Foundation
Continuously assess and remediate compliance for guests and VMware Infrastructure.
VMware Offerings Lay The Foundation
Our Approach to Risk and Compliance
Environment: Assets, Controls, Evidence
PLAN
• Define business and risk objectives
• Create policies for multiple mandates
• Map to controls and de-duplicate
ASSESS
• Identify deviations from technical standards
• Discover critical vulnerabilities
• Evaluate procedural controls
• Combine data from 3rd party sources
REMEDIATE
• Risk-based prioritization
• Closed loop tracking of deficiencies
• Integration with ticketing systems
REPORT
• Demonstrate compliance to multiple stakeholders
• Correlate risk across business assets
• High level dashboards with drill down
Stakeholders: Security / Audit; IT / Operations; Business / Mgmt.
Continuous Compliance for Business Critical Applications (automated and self-healing)
• Symantec DLP with vShield App: Discover sensitive data
  • Scans environment looking for sensitive data
  • Flags affected VMs
• vCenter Infrastructure Navigator: Map application environment
  • Show where the affected systems are connected
  • Identify relationships
• vShield App: Creates logical trust zones
  • Automatically
  • Segmented based on app (banking)
  • Inter-vSphere “firewall”
• Symantec Control Compliance Suite w/ vSphere Hardening Policy: Assess VMs for configuration and vulnerability states to remediate deficiencies and policy violations
• vShield Endpoint & Symantec Endpoint Solutions: Endpoint malware with intrusion detection/prevention
• Symantec DLP with vShield App: Quarantine out-of-policy VMs with sensitive data
• Symantec Security Information Manager w/ vShield Log Collector: Incident management and reporting
VMware Trusted Cloud Ecosystem
Leverage Market Leaders – Access, Expertise, Capability
[Figure: the Trusted Cloud ecosystem around the customer: Technology ISV partners (technology function), Audit/Advisory partners (define & validate reference architectures), and SI/SO/SP partners]
1. Audit/Advisory “Compliance” Partners
• Design, build & validate reference architectures; audit services
• Deliver guidance
2. Technology ISV “Compliance” Partners
• Develop tech integration and compliance solution GTM
• Product capabilities and best practices
3. SI/SO/SP Partners (Systems Integrator, Outsourcer, Service Provider, Managed Services, Data Center, Business Solutions)
• Build validated architectures into offerings
Deliverables: Validated Reference Architectures; Compliance Solution Toolkit
Routes to market: VMware Sales; Tech ISV Partner Sales; Audit & Advisory Partner Sales; Biz ISV Partner Sales
PCI Example – Functional Responsibilities
PCI Example – Architecture & Responsibilities Matrix
PCI DSS Requirement | # of PCI Assessment Tests | VMware | Symantec | Not Addressed by VMware or Partners
Requirement 1: Install and maintain a firewall configuration to protect cardholder data | 25 | 21 | 18 | 5
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters | 24 | 22 | 5 | 2
Requirement 3: Protect stored cardholder data | 33 | 12 | 15 | 4
Requirement 4: Encrypt transmission of cardholder data across open, public networks | 9 | 7 | 1 | 0
Requirement 5: Use and regularly update anti-virus software or programs | 6 | 6 | 1 | 0
Requirement 6: Develop and maintain secure systems and applications | 32 | 12 | 20 | 2
Requirement 7: Restrict access to cardholder data by business need to know | 7 | 7 | 7 | 2
Requirement 8: Assign a unique ID to each person with computer access | 32 | 20 | 16 | 2
Requirement 9: Restrict physical access to cardholder data | 28 | 0 | 11 | 28
Requirement 10: Track and monitor all access to network resources and cardholder data | 29 | 26 | 21 | 2
Requirement 11: Regularly test security systems and processes | 24 | 3 | 5 | 8
Requirement 12: Maintain a policy that addresses information security for all personnel | 40 | 1 | 30 | 39
Requirement A.1: Shared hosting providers must protect the cardholder data environment | 8 | 7 | 1 | 1
TOTAL | 297 | 144 | 151 | 95
Note: Some controls are enhanced by Partners, so the same control may be double counted.
1. Auditor validated
2. Compliance-specific architectures
3. 3rd party products complete the architecture
Recommendations
• Perform risk assessment prior to vSphere environment design
  • Physical access
  • Roles and responsibilities
  • Services and communication
• Ensure VMs meet “System Components” definition
• Hypervisor of “in scope” VMs always “in scope”
• Harden hypervisor
  • Multi-factor access
  • Least privilege
  • Reduced attack surface
  • Defaults removed/changed
  • Remote logs
• Set only one primary function per VM
• Use automated hypervisor and VM patching
• Keep all management and support systems “in scope”
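The recommendations above, together with the continuous-compliance workflow on the earlier slide (discover sensitive data, assess VMs against a hardening policy, quarantine out-of-policy VMs with sensitive data), describe a set of rules that can be evaluated mechanically over an inventory. The following is an added example written for this page; it is not code from VMware, Symantec or the deck. It assumes a simplified inventory model (the Host and VM fields, the zone name "pci", and the sample hosts and VMs are all constructed for illustration) and encodes the scoping and hardening rules as stated on the slides: a VM holding cardholder data or serving a management role is a system component, the hypervisor of any in-scope VM is in scope, management and support systems stay in scope, each VM has one primary function, and in-scope hypervisors need multi-factor access, changed defaults, remote logging and automated patching.

```python
"""Scope propagation and hardening assessment over a constructed inventory.

Added example for this page; not VMware's or Symantec's code. All field
names, zone names and sample assets are assumptions made for illustration.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class Host:
    name: str
    mfa: bool                     # multi-factor access to the hypervisor
    defaults_changed: bool        # vendor-supplied defaults removed/changed
    remote_syslog: Optional[str]  # remote log target; None if logs stay local
    auto_patching: bool           # automated hypervisor patching enabled


@dataclass
class VM:
    name: str
    host: str
    functions: List[str]          # primary functions this VM serves
    in_scope: bool = False        # declared a PCI "system component"
    sensitive_data: bool = False  # a DLP scan flagged cardholder data
    trust_zone: str = "general"   # logical zone assigned by the firewall layer
    is_management: bool = False   # vCenter, log collector, backup, etc.


def propagate_scope(hosts: List[Host], vms: List[VM]) -> Set[str]:
    """Return the names of every asset that must be treated as in scope.

    Rules from the deck's recommendations: a VM holding cardholder data or
    serving a management/support role is a system component; the hypervisor
    of any in-scope VM is always in scope.
    """
    scope = {vm.name for vm in vms if vm.in_scope or vm.sensitive_data or vm.is_management}
    host_names = {h.name for h in hosts}
    for vm in vms:
        if vm.name in scope and vm.host in host_names:
            scope.add(vm.host)
    return scope


def assess(hosts: List[Host], vms: List[VM]) -> Tuple[Set[str], List[str]]:
    """Return (in_scope_assets, findings) for the given inventory."""
    scope = propagate_scope(hosts, vms)
    findings: List[str] = []

    for vm in vms:
        if (vm.sensitive_data or vm.is_management) and not vm.in_scope:
            findings.append(f"{vm.name}: holds cardholder data or is a management system but is not declared in scope")
        if len(vm.functions) > 1:
            findings.append(f"{vm.name}: more than one primary function {vm.functions}")
        if vm.sensitive_data and vm.trust_zone == "general":
            findings.append(f"{vm.name}: sensitive data outside a segmented trust zone; quarantine candidate")

    for host in hosts:
        if host.name not in scope:
            continue  # hardening checks apply to in-scope hypervisors
        if not host.mfa:
            findings.append(f"{host.name}: no multi-factor access to the hypervisor")
        if not host.defaults_changed:
            findings.append(f"{host.name}: vendor-supplied defaults still in place")
        if host.remote_syslog is None:
            findings.append(f"{host.name}: logs are kept locally, no remote log target")
        if not host.auto_patching:
            findings.append(f"{host.name}: automated hypervisor patching disabled")
        # Mixed-trust check (assumption): out-of-scope VMs sharing an in-scope
        # hypervisor are flagged for review, mirroring the slide's concern.
        tenants = [vm for vm in vms if vm.host == host.name]
        if any(vm.name not in scope for vm in tenants):
            findings.append(f"{host.name}: mixed-trust workloads; out-of-scope VMs share the in-scope hypervisor")

    return scope, findings


# Constructed sample inventory (not real systems).
HOSTS = [
    Host("esx-01", mfa=True, defaults_changed=True, remote_syslog="syslog.example.internal", auto_patching=True),
    Host("esx-02", mfa=False, defaults_changed=True, remote_syslog=None, auto_patching=True),
]
VMS = [
    VM("card-db", "esx-01", ["database"], in_scope=True, sensitive_data=True, trust_zone="pci"),
    VM("web-portal", "esx-02", ["web", "database"], sensitive_data=True),
    VM("vcenter", "esx-01", ["management"], is_management=True),
    VM("wiki", "esx-02", ["web"]),
]


def run_assessment() -> dict:
    """Assess the sample inventory; returns a dict for callers and tests."""
    scope, findings = assess(HOSTS, VMS)
    return {"in_scope": sorted(scope), "findings": findings}


if __name__ == "__main__":
    result = run_assessment()
    print("In scope:", ", ".join(result["in_scope"]))
    for line in result["findings"]:
        print("FINDING", line)
```

In the sample inventory, esx-02 is pulled into scope only because the web-portal VM on it was found to hold cardholder data, which is exactly the propagation the deck warns about; the same VM then fails the one-function rule and becomes a quarantine candidate because it sits in the general zone rather than a segmented one.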
Q&A
Thank you!
Copyright © 2012 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.
This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.