Architecting and Building a Secure and Compliant Virtual Infrastructure and Private Cloud

Academic year: 2021

(1)

Architecting and Building a Secure and Compliant Virtual Infrastructure and Private Cloud

Rob Randell, CISSP

(2)

Agenda

What is the Cloud?

Virtualization Basics

How Virtualization and Cloud Affect Datacenter Security

How to Secure our Cloud and Make it Compliant

(3)

What is the Cloud and What Does it Mean To Security

SaaS: Salesforce.com, Google Apps, etc.

PaaS: Vmforce, Google AppEngine, etc.

IaaS: Terremark, Rackspace, Savvis, etc.

The lower down the stack the Cloud provider stops, the more security you are tactically responsible for implementing & managing yourself.

(4)

Security Considerations of Each Type of Cloud

Software (SaaS)

• Least extensibility and greatest amount of security responsibility taken on by the cloud provider

Infrastructure (IaaS)

• Greatest extensibility and least amount of security responsibility taken on by the cloud provider

Platform (PaaS)

(5)

Infrastructure as a Service

Hardware Virtualization is the basis of the IaaS Model

Examples include:

VMware vSphere

MS HyperV

Citrix XenServer

(6)
(7)

Traditional View versus Virtual Datacenter

Next Step is to Leverage Virtualization to Provide Pools of Shared Resources

[Diagram: in the traditional view, Exchange, PCI, DNS and CRM each run on their own operating system on VMware Infrastructure; in the Virtual Datacenter they run on VMware vSphere over shared Interconnect, CPU, Memory and Storage pools]

(8)





(9)

Secure the Underlying Platform First

Use the Principles of Information Security:

Hardening and Lockdown

Defense in Depth

Authorization, Authentication, and Accounting to enforce Separation of Duties and Least Privilege

Administrative Controls

For virtualization this means:

Harden the Virtualization layer

Setup Access Controls

Secure the Guests

Leverage Virtualization Specific Administrative Controls

What Auditors Want to See:

Network Controls

Change Control and Configuration Management

Access Controls & Management

(10)

Protection of Management Interfaces is Key

Segment out all non-production networks:

Use VLAN tagging, or

Use separate vSwitch (see diagram)

Strictly control access to the management network, e.g.

RDP to jump box, or

VPN through firewall

[Diagram: vSwitch1 with vmnic1-4 carries the Production network for the VMs' vNICs; vSwitch2 carries the VMkernel Management and Storage port groups, which reach vCenter, IP-based storage and other ESX/ESXi hosts over a separate Mgmt Network that is entered only by VPN through the firewall]

VMware vSphere 4 Hardening Guidelines
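The segmentation rule on this slide (separate vSwitch, or distinct VLAN tags) can be checked automatically. The following is an added example, not code from the presentation; the host inventories are constructed to mirror the slide's diagram, and the field names are my own rather than vSphere API names.

```python
# Added example (not from the presentation): verify that management and storage
# VMkernel traffic is segmented from production VM traffic, either by a separate
# vSwitch or by VLAN tagging. Inventories are constructed; field names are mine.

VGT = 4095  # on a standard vSwitch, VLAN 4095 hands every tagged VLAN to the guest


def isolated(vmk, vm):
    """True when the VM port group cannot see the VMkernel port group's frames.

    Follows the slide: a separate vSwitch isolates, and so do distinct non-zero
    VLAN tags on a shared vSwitch. Two untagged (VLAN 0) port groups on one
    vSwitch share a broadcast domain, so they are treated as not isolated.
    """
    if vmk["vswitch"] != vm["vswitch"]:
        return True
    if vm["vlan"] == VGT:  # guest VLAN tagging: the VM can see the management VLAN
        return False
    return vmk["vlan"] != 0 and vm["vlan"] != 0 and vmk["vlan"] != vm["vlan"]


def check_mgmt_isolation(host):
    """Return a list of findings for one host; an empty list means it passes."""
    vmks = [pg for pg in host["portgroups"] if pg["kind"] == "vmkernel"]
    vms = [pg for pg in host["portgroups"] if pg["kind"] == "vm"]
    findings = []
    for vmk in vmks:
        for vm in vms:
            if not isolated(vmk, vm):
                findings.append(f"{host['name']}: VM port group {vm['name']} shares "
                                f"{vm['vswitch']} (VLAN {vm['vlan']}) with {vmk['name']}")
    return findings


# Constructed inventories: esx01 matches the diagram; esx02 puts the management
# VMkernel port on the production vSwitch with no VLAN tag.
GOOD_HOST = {"name": "esx01", "portgroups": [
    {"name": "Production", "vswitch": "vSwitch1", "kind": "vm", "vlan": 0},
    {"name": "Management", "vswitch": "vSwitch2", "kind": "vmkernel", "vlan": 10},
    {"name": "Storage", "vswitch": "vSwitch2", "kind": "vmkernel", "vlan": 20},
]}
BAD_HOST = {"name": "esx02", "portgroups": [
    {"name": "Production", "vswitch": "vSwitch0", "kind": "vm", "vlan": 0},
    {"name": "Management", "vswitch": "vSwitch0", "kind": "vmkernel", "vlan": 0},
    {"name": "Storage", "vswitch": "vSwitch2", "kind": "vmkernel", "vlan": 20},
]}

if __name__ == "__main__":
    for host in (GOOD_HOST, BAD_HOST):
        print(host["name"], check_mgmt_isolation(host) or "OK")
```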

(11)

Separation of Duties Must Be Enforced

[Diagram: role hierarchy from Super Cloud Admin (most power) down to Cloud Networking Admin, Cloud Server Admin and Cloud Storage Admin]

(12)

Security Perspective On Customer Deployment Architectures

[Diagram: deployment models ranked 0 to 5: Physical, Air Gapped Pods, Mixed Trust Clusters, On-Premise Private Cloud, Dedicated Private "Cloud" (eBay, CSC), Public Multi-Tenant Cloud (Terremark, EC2)]

Physical deployments are still considered to be the most secure and remain in all enterprises

Air gapped pods are preferred by security teams for virtualized high risk assets (SOX, PCI, DMZ)

Mixed trust clusters typically have the M&M security model (hard perimeter, soft interior), which blocks migration of important assets to them

Private cloud is an extension of the mixed trust deployment, with more automation and self service

Dedicated Private Cloud SLAs make it virtually the same risk level as the on-premise deployments

Multi-tenant Public Cloud is just emerging, with concerns around visibility, audit, control and compliance

(13)

The Datacenter needs to be secured at different levels

Perimeter Security (at the vDC edge): keep the bad guys out

• Perimeter security device(s) at the edge

• Firewall, VPN, Intrusion Prevention

• Load balancers

Internal Security: segmentation of applications, servers

• VLAN or subnet based policies

• Interior or Web application Firewalls

• DLP, application identity aware policies

End Point Protection

• Desktop AV agents

• Host based intrusion

• DLP agents for privacy

Cost & Complexity

• Sprawl: hardware, FW rules, VLANs

• Rigid FW rules

• Performance bottlenecks

[Diagram: segmentation by VLANs (VLAN 1, ...)]

(14)

Simple Definition of a Virtual Datacenter

[Diagram: Tenant 1, Tenant 2, ... Tenant # sharing one virtualized environment]

The isolated and secured share of a virtualized multitenant environment.

Like a physical datacenter shares the Internet for interconnectivity, the tenants of a cloud (public or private) share the local network within the private datacenter or in the service provider's network, and also like a physical datacenter, each tenant also has their own private, isolated, and secured virtual networking infrastructure.

(15)

Securing virtual Data Centers (vDC) with legacy security solutions

[Diagram: Web, Application and Database zones on vSphere hosts, behind Perimeter Security, Internal Security and Endpoint Security layers, facing the Internet]

Air Gapped Pods with dedicated physical hardware

o Configuration Complexity

o VLAN sprawl

Virtualized DMZ with Firewalls (mixed trust clusters without internal security segmentation)

o VLAN sprawl

o Firewall rules sprawl

o Rigid network IP rules without resource context

Legacy security solutions do not allow the realization of true virtualization and cloud benefits

(16)

Air Gapped Design – Costly and Inefficient

[Diagram: Company X, Company Y and Company Z each with their own Firewall, Load Balancer, L2-L3 Switch and VPN Gateway between the Internet/Aggregation layer and their vSphere hosts; Remote Access terminates at each company's VPN Gateway]

(17)

Multi-tenancy – Physical Firewall and VLAN

[Diagram: Company X, Y and Z behind separate physical Firewalls at the Access-Aggregation layer facing the Internet over an L2-L3 Switch; on VMware vSphere + vShield each tenant has its own port group and VLAN, PG-X (VLAN 1000), PG-Y (VLAN 1001) and PG-Z (VLAN 1002), with port group to VM links]

(18)

Multi-tenancy Virtualization Aware

[Diagram: Company X, Y and Z share the Infrastructure VLAN (VLAN 1000) on VMware vSphere + vShield; PG-X, PG-Y and PG-Z are all on VLAN 1000, a vShield Edge VM per tenant connects the Internal Company Links to the External Up Link port group PG-C on the Provider VLAN (VLAN 100), and the vDS links to the external L2-L3 Switch at the Access-Aggregation layer]

(19)

Enforce Microsegmentation Inside the vDC

Protect applications against Network Based Threats

• Application-Aware Full Stateful Packet Inspection FW

• Control on per-VM/per vNIC level

• See VM-VM traffic within the same host

• Security groups enforced with VM

[Diagram: on VMware vSphere + vCenter, Virtual Datacenter 1 (CIS & PCI) on Cluster A and Virtual Datacenter 2 (DISA & PCI) on Cluster B, each with Web, App and Database tiers and ESX Hardening]
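The following is an added example, not code from the presentation or from any VMware product: a minimal model of the per-vNIC, security-group based stateful firewall the slide describes. The group names, VM names, ports and packet sequence are constructed for illustration.

```python
# Added example (not from the presentation): per-vNIC stateful filtering driven
# by security-group membership. Groups, VMs, ports and packets are constructed.

# Membership is by VM identity, so policy follows the VM rather than an IP or host.
SECURITY_GROUPS = {"web-01": "Web", "web-02": "Web", "app-01": "App", "db-01": "Database"}

# Permitted initiator -> responder flows; anything not listed is denied.
RULES = [
    {"src": "Web", "dst": "App", "proto": "tcp", "port": 8080},
    {"src": "App", "dst": "Database", "proto": "tcp", "port": 5432},
]


class MicroSegFirewall:
    def __init__(self):
        self.state = set()  # established (src_vm, dst_vm, proto, port) tuples

    def evaluate(self, src_vm, dst_vm, proto, port, reply=False):
        """Return 'ALLOW' or 'DENY' for one packet between two vNICs.

        The decision is taken at the vNIC, so it also covers VM-to-VM traffic
        that never leaves the host and is invisible to a physical firewall.
        """
        if reply:
            # Stateful: return traffic passes only for a connection already opened.
            return "ALLOW" if (dst_vm, src_vm, proto, port) in self.state else "DENY"
        src, dst = SECURITY_GROUPS.get(src_vm), SECURITY_GROUPS.get(dst_vm)
        for rule in RULES:
            if (rule["src"], rule["dst"], rule["proto"], rule["port"]) == (src, dst, proto, port):
                self.state.add((src_vm, dst_vm, proto, port))
                return "ALLOW"
        return "DENY"  # default deny, including VMs that belong to no group


def run_sequence(packets):
    """Evaluate a packet sequence against a fresh firewall; return verdicts in order."""
    fw = MicroSegFirewall()
    return [fw.evaluate(*p) for p in packets]


# Constructed sequence: web -> app opens and its reply returns; web -> db is
# denied; an unsolicited db -> app "reply" is denied; app -> db opens, reply returns.
SAMPLE = [
    ("web-01", "app-01", "tcp", 8080, False),
    ("app-01", "web-01", "tcp", 8080, True),
    ("web-01", "db-01", "tcp", 5432, False),
    ("db-01", "app-01", "tcp", 5432, True),
    ("app-01", "db-01", "tcp", 5432, False),
    ("db-01", "app-01", "tcp", 5432, True),
]
```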

(20)

Offload Endpoint Based Security Functions with VM Introspection Techniques

Improves performance and effectiveness of existing endpoint security solutions

Offload Functions: AV

(21)

Virtualized Security and Edge Services

Cloud Aware Security: Elastic, Logical, Efficient, Automated, Programmable, Security as a Service

Internal Security and Compliance

• Micro-segmentation

Edge/Perimeter Protection

• Secure the edge of the virtual datacenter

• Security and Edge networking services gateway

Endpoint Security

• Discover and report regulated data in the Datacenter and Cloud

(22)

Continuous and Automated Compliance

Ongoing Change and Compliance Management

• Understand Pervasive Change

• Capture in-band and out-of-band changes

• Are you still Compliant? Remediate, or record Exceptions

• Fit within current enterprise change mgmt workflow process

[Diagram: a system Deployed from Gold Standard starts in a Compliant State; a Planned Change or an Unplanned Change moves it to Noncompliant; remediation or an approved exception returns it to Compliant, all inside the change management workflow process]

Protect against vulnerabilities

• Hypervisor-based anti-virus provides superior protection

• Patch Management guards against known attacks

• Software provisioning tied to compliance

• Day to day vulnerability checks

(23)

Conclusion

The Cloud Has Great Benefits and, like any Technology, its Associated Risks

These Risks Can Be Mitigated With Proper Controls

The Classic Principles of Information Security Should be Applied

Key Architecture Decisions must be made for Security

Tools Designed for the Cloud Must Be Utilized

(24)

Questions?

Rob Randell, CISSP
