RSA Solution for Cloud Security and
Compliance
RSA, The Security Division of EMC
Bernard Montel
Directeur Technique, RSA France
[email protected]
Customer Challenges, Key Messages
Solution Capabilities
2
Cloud Computing by NIST and VMware
Cloud Computing is an approach to computing that leverages the efficient pooling
of on-demand, self-managed virtual infrastructure, consumed as a service.
Cloud is a way of
doing computing
Enterprises
Private Cloud
Operated solely for
an organization,
typically within the
firewall
Bridging
Hybrid Cloud
Composition of 2 or
more interoperable
clouds, enabling data
and application
portability
Cloud Service
Providers
Public Cloud
Accessible over the
Internet for general
consumption
Security-Specific Factors That Would Enable More
Widespread Usage of Server Virtualization
From an information security perspective, which of the following developments need to take place in order to
enable more widespread server virtualization usage? (Percent of respondents, N=105, multiple responses
accepted)
More secure virtualization management and operations
33%
Virtual security tools that use the same formats as my physical security
devices
33%
Compliance management tools that recognize virtual server events
27%
Need better tools to identify and configure relationships between virtual
machines
26%
Tighter integration between security management and security
management tools
26%
A better understanding of how server virtualization security will align with
cloud-based security services
24%
Data/storage encryption to protect virtual machines on disk
24%
Virtual firewalls and filtering devices to secure virtual machine to virtual
machine traffic
23%
Network encryption to protect virtual machines in flight
22%
Additional virtualization training for security staff
20%
Log management or SIEM tools that recognize virtual server events
18%
New host-based security tools designed for virtual servers
© 2010
4 Enterprise Strategy Group
16%
0%
5%
10%
15%
20%
25%
30%
35%
Customer Challenges
Business Objective (CIO)
Accelerate/start virtualization of business critical
apps to continue optimizing costs
Business Objective (CISO)
Manage risk and compliance while going from
IT production to business production
PAINS
Lack of visibility into and control over security
and compliance status of the virtual
infrastructure
Difficult to rationalize the complexity of
compliance requirements across virtual and
physical environments
Lack of guidance and orchestration for securing
virtual infrastructure comprehensively
Lack of consistency in physical and virtual
security increases cost and complexity of
virtualization
High cost and difficulty of responding to
compliance audits for virtual environments
Inefficient management of security and
compliance across IT and security operations
teams
Fragmented views of data across hybrid
infrastructure causes delays in identifying risk
and compliance breaches/concerns
Negative Consequences
Increased risk of fines and failed audits
–
–
–
“we are flying blind”
“we are going to be painted into a corner” (if something that fails
an audit gets into production and the company is committed, it is
really hard to fix it later!)
Policy for meeting regulations (e.g. PCI) in virtualized
environments still evolving
Compliance concerns stall the adoption of virtualization
–
–
–
Mission critical applications with sensitive data are riskier
Segmenting regulated data onto separate virtualized hardware
Limits the cost savings inherent in virtualization
Negative Consequences (cont.)
Responding to audits is time consuming, error prone and
costly
–
–
–
Across mixed virtual and non-virtual IT infrastructure
No time for other value-added security projects
20% of IT time and resources spent on compliance; this is
compounded by virtualization
Delays in identifying risk and compliance
breaches/concern
–
Due to fragmented views across virtual and physical infrastructure
The Enterprise Journey to the Hybrid Cloud
Public cloud
adoption
Software
as a Service
Platform
as a Service
Infrastructure
as a Service
IT Production
Business Production
IT-As-A-Service
Lower Costs
Improve Quality Of Service
Improve Agility
% Virtualized
85%
95%
70%
30%
High
Availability
15%
Data
Protection
8
Securing the Enterprise Journey to the
Cloud
Identity management
Public cloud
adoption
Software
as a Service
Platform
as a Service
Infrastructure
as a Service
Multi-factor authentication
Trust management
IT Production
Business Production
IT-As-A-Service
Lower Costs
Improve Quality Of Service
Improve Agility
% Virtualized
85%
Security event
management
70%
Information and
workload control
30%
15%
Hardening
Security patches
95%
Compliance monitoring
Service provider control
Visibility and compliance
Integration with enterprise
security processes
9
Use Case Examples
10
10
Use Case : Reducing Risk of VM Theft
Risk: Securing virtual infrastructure is often a check list of best practices.
Hardening VMware environment is complex and difficult to verify. What can I
do to limit the risk of VM theft from my datacenter?
Need to take preventative steps that limit access to VM file in the first place
(e.g.)
•
•
•
•
Disable Datastore Browser
Storage User Access
Limit use of service console
Use least privileged role concept for system and data access (also: possible strong
authentication to ensure access of only approved people and roles)
Archer has built in Control Procedures to check for VM file access best
practices
Security and IT Ops can easily see if controls enforce policy
Cloud Solution identifies VMware devices, assesses configuration status, and
informs responsible VI admin
EnVision provides “electronic bread crumb trail” for forensics to ensure
security events not disrupting compliance posture
Customer Challenges, Key Messages
Solution Capabilities
12
12
RSA Archer eGRC Solutions
Audit Management
Centrally manage the planning,
prioritization, staffing, procedures
and reporting of audits to increase
collaboration and efficiency.
Policy Management
Centrally manage policies, map them to
objectives and guidelines, and promote
awareness to support a culture of
corporate governance.
Risk Management
Identify risks to your business, evaluate
them through online assessments and
metrics, and respond with remediation
or acceptance.
Business Continuity Management
Automate your approach to business
continuity and disaster recovery
planning, and enable rapid, effective
crisis management in one solution.
Threat Management
Track threats through a
centralized early warning system
to help prevent attacks before
they affect your enterprise.
Vendor Management
Centralize vendor data, manage
relationships, assess vendor risk, and
ensure compliance with your policies
and controls.
Compliance Management
Document your control framework,
assess design and operational
effectiveness, and respond to policy
and regulatory compliance issues.
Incident Management
Report incidents and ethics
violations, manage their
escalation, track investigations
and analyze resolutions.
Enterprise Management
Manage relationships and
dependencies within your enterprise
hierarchy and infrastructure to
support GRC initiatives.
Summary: RSA Solution for Cloud Security
and Compliance v1.0
What’s New
RSA Securbook
Discover VMware
infrastructure
Define security policy
What’s New
Over 100 VMware-specific
controls added to Archer
library, mapped to
regulations/standards
Manual and
automated
configuration
assessment
Manage security
incidents that affect
compliance
RSA Archer eGRC
What’s New
RSA enVision collects,
analyzes and feeds security
incidents from RSA,
VMware and ecosystem
products to inform Archer
dashboards (e.g. DLP,
VMware vShield and vCD,
HyTrust, Ionix, etc.)
Remediation of
non-compliant controls
What’s New
New solution component
automatically assesses
VMware configuration and
updates Archer
Enabling the Cycle of Security Compliance
Discover VMware
infrastructure
Define security policy
What’s New
Over 100 VMware-specific
controls added to Archer
library, mapped to
regulations/standards
Manual and
automated
configuration
assessment
Manage security
incidents that affect
compliance
RSA Archer eGRC
Remediation of
non-compliant controls
RSA Archer: Mapping VMware security controls to regulations
and standards
Authoritative Source
Regulations (PCI-DSS, etc.)
“10.10.04 Administrator and Operator Logs”
CxO
Control Standard
Generalized security controls
“CS-179 Activity Logs – system start/stop/config
changes etc.”
Control Procedure
Technology-specific control
“CP-108324 Persistent logging on ESXi Server”
VI Admin
Discover VMware infrastructure and define
policy/controls to manage
Distribution and Tracking Control Procedures
Security
Admin
Server
Admin
Project Manager
Network
Admin
VI
Admin
Enabling the Cycle of Security Compliance
Discover VMware
infrastructure
Define security policy
Manual and
automated
configuration
assessment
Manage security
incidents that affect
compliance
RSA Archer eGRC
Remediation of
non-compliant controls
What’s New
New solution component
automatically assesses
VMware configuration and
updates Archer
Initial Deployment Questionnaire
Automated Assessment via PowerCLI
Automatically discover
and assess VMware
infrastructure via
PowerCLI
RSA Archer eGRC
VMware objects (ESX,
vSwitches, etc…) are
automatically populated
into Archer
They are then mapped to
control procedures. Over
40% are automatically
assessed via PowerCLI
and the results fed into
Archer for reporting and
remediation.
Enabling the Cycle of Security Compliance
Discover VMware
infrastructure
Define security policy
Manual and
automated
configuration
assessment
Manage security
incidents that affect
compliance
RSA Archer eGRC
Remediation of
non-compliant controls
Control Procedure – List, Status and
Measurement Method
Deployment and Remediation Work Queues
Overall Virtual Infrastructure Compliance
Dashboard
Enabling the Cycle of Security Compliance
Discover VMware
infrastructure
Define security policy
Manual and
automated
configuration
assessment
Manage security
incidents that affect
compliance
RSA Archer eGRC
What’s New
RSA enVision collects,
analyzes and feeds security
incidents from RSA,
VMware and ecosystem
products to inform Archer
dashboards (e.g. DLP,
vShield, HyTrust, etc.)
Remediation of
non-compliant controls
RSA Solution for Cloud Security and Compliance: Architecture
Regulations, standards
Generalized security controls
VMware-specific security controls
Automated
assessment
Configuration
State
RSA
enVision
VMware cloud
infrastructure
(vSphere, vShield, VCD)
Ecosystem
(HyTrust, Ionix,)
Security
Events
Example: VMware vShield Network Security
Events Fed to Archer
Overall Compliance Dashboard and
Reporting: Physical and Virtual
Learn More
RSA social media release with demo
http://rsawebdev.na.rsa.net/go/press/RSATheSecurityDivisionofEMCNewsRelease_83010.html
www.rsa.com/virtualization
–
Secure Cloud
www.rsa.com/virtualization
Thank you!

get an essay or any other
homework writing help
for a fair price!
check it here!