Protect Root Abuse privilege on Hypervisor (Cloud Security)

N/A
N/A
Protected

Academic year: 2021

Share "Protect Root Abuse privilege on Hypervisor (Cloud Security)"

Copied!
17
0
0

Loading.... (view fulltext now)

Full text

(1)

Protect Software Defined Data Center

Protect Root Abuse privilege on Hypervisor (Cloud Security)

Nantharat Puwarang, CISSP, Senior Technical Consultant

(2)


The Road to Software Defined Data Centers: Virtualization & Cloud Adoption

(3)

Changing Risk Profile: Virtualization and Cloud Concentrate Compute and Access

© 2013, HyTrust, Inc. www.hytrust.com

Significant risk of catastrophic failure: the hypervisor and its management plane now hold the compute, storage and network access of every workload they host, so a single privileged account on that layer can reach all of them.

(4)

Threats from Abuse of Privileged Access Remain High

50-80%  Percentage of outages and availability/performance problems related to misconfiguration
        — Gartner (>50%), Enterprise Management Assoc. (60%), IT Process Institute (80%), 2005-12

56%     Percentage of execs who say their most serious fraud was due to a privileged user
        — PricewaterhouseCoopers, Wall Street Journal, April 2012

43%     Percentage of security breaches due to "trusted" insiders and business partners
        — Forrester survey, June 2011

(5)

Our view: the SDDC

Drivers: Cost, Speed, Flexibility
Inhibitors: Security Tax, Complexity, Compliance

The data center of the future is software-defined. It is dynamic and application-centric.

Our mission is to support our customers as they evolve to the SDDC.

Diagram (layers of the Software-Defined Data Center): Applications and Policies on top; beneath them Compute and Storage Virtualization, Network Virtualization, Software Defined Services and On-Prem/Private/Public Cloud Resources; Data Center Security and Automation and Management span all layers.

(6)

Transitioning Our Security Controls and Architectures

Traditional Security
- Security controls specific to the underlying infrastructure
- Security deployed at the perimeter to reduce the cost/effort of deployment at each workload
- Scales up to meet additional workload demand
- Host Security on the hypervisor; VM Maximum Guest Security (an agent in every guest)

SDDC Security
- Hardened Virtual Infrastructure
- Delivered as a service by the virtualization infrastructure
- Security deployed on the virtualization host (closer to the workload) through an SVA (security virtual appliance), i.e. "agentless"
- Scales out to meet additional workload demand (more SVAs)
- Baseline Security for every VM; VM Advanced Security where the workload needs it

(7)

Diagram (Software-Defined Data Center layers, as on slide 5): Applications and Policies; Compute/Storage Virtualization, Network Virtualization, Software Defined Services, On-Prem/Private/Public Cloud Resources; Data Center Security and Automation and Management spanning all layers.

Need Security?
- Support for key standards for private clouds, e.g. OpenStack, and partnering with vendors delivering those standards, e.g. Amazon, VMware, OpenStack
- Security for leading hypervisors
- Security for hybrid networks
- Integrated security orchestration
- Dynamic, context-based, policy-centric security

"By 2015, 40% of security controls used in Enterprise data centers will be virtualized, up from less than 5% in 2010" – Neil MacDonald, Gartner, "Roadmap: The Evolution of Data Center Security, Risk and Compliance" (1640)

A dynamic, application-centric data center needs dynamic, application-centric security.

How to control/audit on hypervisors?

(8)

Software-Defined Data Center Security & Compliance Challenges

Catastrophic Fail: Material & Regulatory Impact

Identity & Access Governance
- Management & oversight of privileged users
- Enforce separation of duties

Audit, Monitoring, Reporting & Prioritization
- Pass compliance audits
- Identify and prioritize risks
- Effective resource allocation

Data & Network Segregation
- Enforce regulatory mandates for data and network separation

Infrastructure Resilience & Integrity
- Harden the virtual and physical infrastructure
- Patching and maintenance

(9)

Six Ways Symantec Protects Your Software-Defined Data Center

Diagram: Management Clients connect to vCenter, which manages the ESXi Hosts (Virtualization Management on the left, Virtual Infrastructure on the right); guest traffic is uninterrupted.

1. Two-Factor AuthN
2. Role-Based Access and Secondary Approval (2 Man Rule)
3. Logging and Real-time Alerting
4. Hypervisor Hardening / Platform Integrity
5. Guest Hardening* and Assessment
6. Malware Protection

Tag-based Policies

(10)

CCS Virtualization Security Manager: Oversight & Control of Privileged Users in Virtual Environments

• Secure the hypervisor from threats
• Granular access control including secondary approval
• Manage hypervisor and VM configuration settings
• Automate configuration assessment and reporting
• Enforce instance separation to isolate assets and limit scope
• Detailed logging for forensics & audit

Screenshots: VSM Dashboard; VMware Hardening Guidelines; Detailed logging

(11)


(12)

Screenshot: denied change of network interfaces (the request is blocked and logged because the administrator lacks the required approval for that VM)

(13)

2 Man Rule – Secondary Approval
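The controls on slides 9 to 13 (two-factor authentication, role-based access, secondary approval, denied change logged for audit) reduce to one decision function sitting between the administrator and vCenter. The following is an added example, not CCS VSM or vCenter code; the role names, operation names, workload tags, approval lifetime and the requests in the demo are all constructed for illustration.

```python
"""Policy check for a privileged hypervisor operation: two-factor status,
role-based access and secondary approval (the "two-man rule"), with an
audit record written for every decision. Added example, not CCS VSM or
vCenter code; roles, operation names, tags and requests are constructed."""
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Illustrative operation names, not vCenter privilege identifiers.
ROLE_PERMISSIONS = {
    "vm-operator":   {"vm.view", "vm.power"},
    "network-admin": {"vm.view", "vm.power", "vm.network.edit"},
    "host-admin":    {"vm.view", "vm.power", "vm.network.edit",
                      "vm.disk.attach", "vm.delete", "host.config.edit"},
}
HIGH_RISK_OPS = {"host.config.edit", "vm.delete"}   # always need a second person
SENSITIVE_TAGS = {"pci", "prod-db"}                # any change here needs one too
READ_ONLY_OPS = {"vm.view"}
APPROVAL_TTL = timedelta(minutes=15)               # approvals are short-lived

AUDIT_LOG: list = []   # JSON lines, one per decision (allowed or denied)


@dataclass
class Request:
    user: str
    role: str
    mfa_verified: bool          # set by the authentication front end
    operation: str
    target: str                 # VM or host name
    target_tags: frozenset = frozenset()
    approver: Optional[str] = None
    approver_role: Optional[str] = None
    approved_at: Optional[datetime] = None


def needs_secondary_approval(req: Request) -> bool:
    """High-risk operations, and any change to a sensitive workload, need a second person."""
    if req.operation in HIGH_RISK_OPS:
        return True
    return bool(req.target_tags & SENSITIVE_TAGS) and req.operation not in READ_ONLY_OPS


def _decide(req: Request, now: datetime):
    if not req.mfa_verified:
        return False, "mfa-required"
    if req.operation not in ROLE_PERMISSIONS.get(req.role, set()):
        return False, "role-lacks-privilege"
    if not needs_secondary_approval(req):
        return True, "ok"
    if req.approver is None or req.approved_at is None:
        return False, "secondary-approval-required"
    if req.approver == req.user:
        return False, "self-approval-rejected"
    # The approver must be entitled to the operation; otherwise a low-privilege
    # account could rubber-stamp an admin's change.
    if req.operation not in ROLE_PERMISSIONS.get(req.approver_role or "", set()):
        return False, "approver-lacks-privilege"
    age = now - req.approved_at
    if age < timedelta(0) or age > APPROVAL_TTL:
        return False, "approval-expired"
    return True, "ok-with-secondary-approval"


def evaluate(req: Request, now: datetime):
    """Return (allowed, reason) and record the decision for forensics and audit."""
    allowed, reason = _decide(req, now)
    AUDIT_LOG.append(json.dumps({
        "ts": now.isoformat(), "user": req.user, "role": req.role,
        "op": req.operation, "target": req.target,
        "approver": req.approver, "allowed": allowed, "reason": reason,
    }, sort_keys=True))
    return allowed, reason


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    # A network admin tries to change a PCI database VM's NIC alone: denied.
    print(evaluate(Request("bob", "network-admin", True, "vm.network.edit",
                           "pci-db-01", frozenset({"pci"})), now))
    # Same change with a fresh approval from a second host admin: allowed.
    print(evaluate(Request("bob", "network-admin", True, "vm.network.edit",
                           "pci-db-01", frozenset({"pci"}), approver="carol",
                           approver_role="host-admin", approved_at=now), now))
    print(*AUDIT_LOG, sep="\n")
```

Two design points matter more than the rest: the approver must hold the privilege being exercised, so the second person is a peer rather than a clerk, and the approval expires, so a stale approval cannot be replayed against a later, different change. Every denial is logged with the same fields as an allow, which is what turns the denied network change on slide 12 into evidence an auditor can use.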

(14)

Visibility You Get From VMware


(15)

CCS VSM Delivers Audit-Quality Log Detail Needed

(16)

Visibility You Get From VMware


(17)

Security for the Data Centre

Diagram: Admin and VMware Admins reach vCenter Server, which manages the ESX/ESXi hosts and their guests (VM1, VM2, VM3), with physical and virtual servers covered by the same products: CCS Vulnerability Manager, CCS Virtual Security Manager, CCS Dashboard & Reports, CCS Assessment Manager, CCS Standards Manager and Critical System Protection.

- Harden vCenter based on VMware hardening guidelines
- Monitor & protect hypervisor configuration
- Harden & protect guest VMs with the same protection policies as physical servers

Email: [email protected]
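Slide 10 ("manage hypervisor configuration settings", "automate configuration assessment and reporting") and slide 17 ("monitor & protect hypervisor configuration") describe the same loop: snapshot each host's settings, score them against a hardening baseline, rank hosts by risk, and raise an event when a host drifts away from the baseline. The block below is an added example, not CCS VSM or VMware code; the control names are modelled on the kind of items found in the VMware hardening guidelines (lockdown mode, SSH and ESXi Shell off, shell timeout, NTP, remote syslog), but the keys, thresholds, severities and host snapshots are constructed for illustration.

```python
"""Assess ESXi host configuration snapshots against a hardening baseline,
rank hosts by risk and report drift between two assessments. Added
example, not CCS VSM code; control names resemble VMware hardening
guideline items but keys, thresholds and snapshots are constructed."""


def _eq(expected):
    return lambda v: v == expected


def _nonempty(v):
    return bool(v)


# (control, severity, check, description). A missing key is treated as
# non-compliant: an unknown state is not a passing state.
BASELINE = [
    ("lockdown_mode", "high", lambda v: v in ("normal", "strict"),
     "Lockdown mode forces host access through vCenter"),
    ("ssh_enabled", "high", _eq(False), "SSH service should be off"),
    ("esxi_shell_enabled", "high", _eq(False), "ESXi Shell should be off"),
    ("shell_timeout_sec", "medium", lambda v: isinstance(v, int) and 0 < v <= 900,
     "Idle shell sessions must time out (0 means never)"),
    ("ntp_servers", "medium", _nonempty, "Time sync needed for trustworthy logs"),
    ("syslog_remote_host", "medium", _nonempty, "Logs must be shipped off-host"),
    ("mob_enabled", "medium", _eq(False), "Managed Object Browser should be off"),
    ("secure_boot", "low", _eq(True), "UEFI Secure Boot for platform integrity"),
]
SEVERITY_WEIGHT = {"high": 10, "medium": 3, "low": 1}


def assess(host: str, snapshot: dict) -> list:
    """Return one finding per failed control for a single host snapshot."""
    findings = []
    for control, severity, check, desc in BASELINE:
        value = snapshot.get(control)
        if not check(value):
            findings.append({"host": host, "control": control, "severity": severity,
                             "observed": value, "description": desc})
    return findings


def risk_score(findings: list) -> int:
    """Weighted sum used to prioritise remediation across the fleet."""
    return sum(SEVERITY_WEIGHT[f["severity"]] for f in findings)


def prioritize(snapshots: dict) -> list:
    """Rank hosts highest risk first as (host, score, findings)."""
    ranked = []
    for host, snap in snapshots.items():
        findings = assess(host, snap)
        ranked.append((host, risk_score(findings), findings))
    ranked.sort(key=lambda r: (-r[1], r[0]))
    return ranked


def drift(host: str, previous: dict, current: dict) -> list:
    """Controls whose compliance state changed between two snapshots of one host.
    A 'regressed' event is what a real-time alert would be raised on."""
    before = {f["control"] for f in assess(host, previous)}
    after = {f["control"] for f in assess(host, current)}
    events = []
    for control in sorted(before ^ after):
        change = "regressed" if control in after else "remediated"
        events.append({"host": host, "control": control, "change": change,
                       "from": previous.get(control), "to": current.get(control)})
    return events


if __name__ == "__main__":
    # Constructed snapshots: a compliant host and the same host after an
    # administrator re-enabled SSH and turned lockdown mode off.
    good = {"lockdown_mode": "normal", "ssh_enabled": False, "esxi_shell_enabled": False,
            "shell_timeout_sec": 600, "ntp_servers": ["ntp1.example.net"],
            "syslog_remote_host": "syslog.example.net", "mob_enabled": False,
            "secure_boot": True}
    bad = dict(good, lockdown_mode="disabled", ssh_enabled=True, shell_timeout_sec=0)
    for host, score, findings in prioritize({"esxi-01": good, "esxi-02": bad}):
        print(host, score, [f["control"] for f in findings])
    for event in drift("esxi-02", good, bad):
        print(event)
```

Scoring and drift are kept separate on purpose: the score drives the periodic report and resource allocation, while a regression event on a single control is what should page someone, since the most common way a hardened host stops being hardened is a privileged user switching a setting back on.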
