VMware presentation - ISACA Denver Chapter

Architecting and Building a Secure and Compliant Virtual Infrastructure and Private Cloud
Rob Randell, CISSP, CCSK
Principal Systems Engineer – Security Specialist
Agenda
• Security Perspective on Customer Journey to the Cloud
• Whiteboard Overview of How Virtualization and Cloud Affect Datacenter Security
• How to Secure our Cloud and Make it Compliant
• Network Security and Secure Multi-tenancy in the Cloud
Security Perspective On Customer Deployment Architectures
0 PHYSICAL: Physical deployments are still considered to be the most secure and remain in all enterprises
1 AIR GAPPED PODS: Air gapped pods are preferred by security teams for virtualized high risk assets (SOX, PCI, DMZ)
2 MIXED TRUST CLUSTERS: Mixed trust clusters typically have the M&M security model (hard shell, soft center), which blocks migration of important assets to them
3 ON-PREMISE PRIVATE CLOUD: Private cloud is an extension of the mixed trust deployment, with more automation and self service
4 DEDICATED PRIVATE "CLOUD" (eBay, CSC): Dedicated private cloud SLAs make it virtually the same risk level as the on-premise deployments
5 PUBLIC MULTI-TENANT CLOUD (Terremark, EC2): Multi-tenant public cloud is just emerging, with concerns around visibility, audit, control and compliance
The Datacenter needs to be secured at different levels
Perimeter Security: keep the bad guys out at the vDC edge
• Perimeter security device(s) at the edge: firewall, VPN, intrusion prevention, load balancers
• Pain points: sprawl (hardware, FW rules, VLANs), rigid FW rules, performance bottlenecks, cost & complexity
Internal Security: segmentation of applications and servers
• VLAN or subnet based policies
• Interior or Web application firewalls
• DLP, application identity aware policies
End Point Security: end point protection
• Desktop AV agents
• Host based intrusion detection/prevention agents
• DLP agents for privacy
Simple Definition of a Virtual Datacenter
• The isolated and secured share of a virtualized multitenant environment.
• Just as physical datacenters share the Internet for interconnectivity, the tenants of a cloud (public or private) share the local network within the private datacenter or in the service provider's network; and, as with a physical datacenter, each tenant also has its own private, isolated, and secured virtual networking infrastructure.
[Figure: Tenant 1, Tenant 2, Tenant …, each with its own DMZ, App1 and App2]
Securing virtual Data Centers (vDC) with legacy security solutions
[Figure: virtualized DMZ with firewalls; perimeter security at the Internet edge, internal security between the web, application and database zones, endpoint security on the vSphere hosts]
• Air Gapped Pods with dedicated physical hardware
• Mixed trust clusters without internal security segmentation
• Configuration Complexity
  o VLAN sprawl
  o Firewall rules sprawl
  o Rigid network IP rules without resource context
• Private clouds (?)
Legacy security solutions do not allow the realization of true virtualization and cloud benefits


Secure the Underlying Platform FIRST
Use the Principles of Information Security:
• Hardening and Lockdown
• Defense in Depth
• Authorization, Authentication, and Accounting to enforce Separation of Duties and Least Privilege
• Administrative Controls
For virtualization this means:
• Harden the Virtualization layer
• Set up Access Controls
• Secure the Guests
• Leverage Virtualization Specific Administrative Controls
What Auditors Want to See:
• Network Controls
• Change Control and Configuration Management
• Access Controls & Management
• Vulnerability Management
Protection of Management Interfaces is Key
[Figure: an ESX/ESXi host whose VMkernel has separate vnics for the Mgmt, Production and Storage networks, spread across separate vSwitches (vSwitch1, vSwitch2 with uplink vmnic1); vCenter and the other ESX/ESXi hosts sit on the Mgmt network, IP-based storage on the Storage network]
Segment out all non-production networks
• Use VLAN tagging, or
• Use separate vSwitch (see diagram)
Strictly control access to the management network, e.g.
• RDP to a jump box, or
• VPN through a firewall
VMware vSphere 4 Hardening Guidelines: http://www.vmware.com/resources/techresources/10109
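As an added example (not code from the presentation or from VMware), the following Python script audits a host's port-group layout for the segmentation this slide asks for: management, vMotion and storage VMkernel networks must not share a broadcast domain with production VM port groups. The inventory structure, port-group names and VLAN numbers are assumptions; the one VMware-specific fact it relies on is that a port group with VLAN ID 4095 (Virtual Guest Tagging) passes every tagged frame to the guest.

```python
"""Check that an ESX/ESXi host keeps its management, vMotion and storage
VMkernel networks off the production VM networks.
Added example, not from the deck. The inventory format is an assumption: one
PortGroup per port group, with its vSwitch, VLAN ID and, for VMkernel ports,
the service bound to it. In practice this data comes from vCenter or the host."""
from dataclasses import dataclass
from typing import List, Optional

NON_PRODUCTION_SERVICES = {"management", "vmotion", "storage"}
VGT_ALL_VLANS = 4095  # port group VLAN ID 4095 = Virtual Guest Tagging: every tag reaches the guest


@dataclass(frozen=True)
class PortGroup:
    name: str
    vswitch: str
    vlan: int                               # 0 = untagged (native VLAN of the uplink)
    vmkernel_service: Optional[str] = None  # None -> VM (production) port group


@dataclass(frozen=True)
class Finding:
    severity: str   # high / medium / info
    message: str


def audit_host(port_groups: List[PortGroup]) -> List[Finding]:
    """Return one Finding per way a guest could reach a non-production network."""
    findings: List[Finding] = []
    vm_pgs = [p for p in port_groups if p.vmkernel_service is None]
    svc_pgs = [p for p in port_groups if p.vmkernel_service in NON_PRODUCTION_SERVICES]

    for s in svc_pgs:
        for v in vm_pgs:
            if s.vswitch != v.vswitch:
                continue  # separate vSwitch (with its own uplinks): separate L2 domain
            if v.vlan == VGT_ALL_VLANS:
                findings.append(Finding("high", f"VM port group '{v.name}' trunks all VLANs on "
                                        f"{v.vswitch}; guests can tag into {s.vmkernel_service} VLAN {s.vlan}"))
            elif v.vlan == s.vlan:
                findings.append(Finding("high", f"{s.vmkernel_service} port group '{s.name}' shares "
                                        f"{s.vswitch} VLAN {s.vlan} with VM port group '{v.name}'"))

    # Management, vMotion and storage on one broadcast domain is a weaker but still
    # notable problem: a foothold on one of them reaches the others.
    for i, a in enumerate(svc_pgs):
        for b in svc_pgs[i + 1:]:
            if a.vswitch == b.vswitch and a.vlan == b.vlan and a.vmkernel_service != b.vmkernel_service:
                findings.append(Finding("medium", f"{a.vmkernel_service} and {b.vmkernel_service} "
                                        f"share {a.vswitch} VLAN {a.vlan}"))

    if not any(p.vmkernel_service == "management" for p in port_groups):
        findings.append(Finding("info", "no management VMkernel port group in inventory"))
    return findings


def management_isolated(port_groups: List[PortGroup]) -> bool:
    return not any(f.severity == "high" for f in audit_host(port_groups))


# Constructed inventories (sample data, not real hosts).
FLAT_HOST = [  # everything untagged on one vSwitch: no segmentation at all
    PortGroup("Management Network", "vSwitch0", 0, "management"),
    PortGroup("Storage", "vSwitch0", 0, "storage"),
    PortGroup("VM Network", "vSwitch0", 0),
]
TAGGED_HOST = [  # the slide's first option: VLAN tagging on a shared vSwitch
    PortGroup("Management Network", "vSwitch0", 10, "management"),
    PortGroup("Storage", "vSwitch0", 20, "storage"),
    PortGroup("Production", "vSwitch0", 100),
]
SEPARATE_VSWITCH_HOST = [  # the slide's second option: a separate vSwitch for production
    PortGroup("Management Network", "vSwitch1", 0, "management"),
    PortGroup("Storage", "vSwitch1", 20, "storage"),
    PortGroup("Production", "vSwitch2", 0),
]
TRUNKED_HOST = [  # looks tagged, but a VM port group passes every VLAN to its guests
    PortGroup("Management Network", "vSwitch0", 10, "management"),
    PortGroup("Trunk to guests", "vSwitch0", VGT_ALL_VLANS),
]

if __name__ == "__main__":
    for label, inv in [("flat", FLAT_HOST), ("tagged", TAGGED_HOST),
                       ("separate vSwitch", SEPARATE_VSWITCH_HOST), ("trunked", TRUNKED_HOST)]:
        print(label, "isolated" if management_isolated(inv) else "NOT isolated")
        for f in audit_host(inv):
            print("  ", f.severity, f.message)
```

The check stops at the vSwitch boundary on purpose: a VLAN only separates traffic if the physical switch ports behind the uplinks are configured as the host expects, so a passing result here says the host side is right, not that the whole path is.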
Separation of Duties Must Be Enforced
[Figure: role hierarchy, from more power to less power]
• Super Cloud Admin (most power)
• Cloud Networking Admin, Cloud Server Admin, Cloud Storage Admin (infrastructure roles, each confined to its own domain)
• Tenant A Admin, Tenant B Admin, Tenant C Admin (each confined to its own tenant)
• VM Admins under each tenant (least power)
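An added example, not from the deck or from any VMware product: a small Python model of the hierarchy above, with scoped role assignments, a default-deny authorization check, and a separation-of-duties check that flags a principal who spans infrastructure domains or who is both an infrastructure admin and a tenant admin. Role names, permission strings, principals and the conflict policy are all assumptions chosen for illustration.

```python
"""Role/scope authorization with a separation-of-duties check.
Added example modelling the slide's role hierarchy; role names, permission
strings, principals and the conflict policy are assumptions."""
from typing import Dict, FrozenSet, List, Optional, Tuple

# permission = "<domain>.<action>"; "<domain>.*" grants the whole domain
ROLES: Dict[str, FrozenSet[str]] = {
    "super_cloud_admin":   frozenset({"network.*", "server.*", "storage.*", "tenant.*", "vm.*"}),
    "cloud_network_admin": frozenset({"network.*"}),
    "cloud_server_admin":  frozenset({"server.*"}),
    "cloud_storage_admin": frozenset({"storage.*"}),
    "tenant_admin":        frozenset({"tenant.*", "vm.*"}),
    "vm_admin":            frozenset({"vm.power", "vm.console", "vm.snapshot"}),
}
INFRA_DOMAINS = {"network", "server", "storage"}
CLOUD_SCOPE = "cloud"  # assignment scope covering every tenant and infrastructure object

Assignment = Tuple[str, str]  # (role, scope); scope is CLOUD_SCOPE or a tenant name


def permission_matches(granted: str, action: str) -> bool:
    domain = action.partition(".")[0]
    return granted == action or granted == domain + ".*"


def authorize(assignments: List[Assignment], action: str, resource_tenant: Optional[str]) -> bool:
    """Allow only if some assignment both covers the resource's tenant and grants the action.
    resource_tenant=None means an infrastructure object that belongs to no tenant."""
    for role, scope in assignments:
        in_scope = scope == CLOUD_SCOPE or scope == resource_tenant
        if in_scope and any(permission_matches(g, action) for g in ROLES[role]):
            return True
    return False  # default deny


def domains_of(role: str) -> FrozenSet[str]:
    return frozenset(p.partition(".")[0] for p in ROLES[role])


def sod_violations(assignments: List[Assignment]) -> List[str]:
    """Assumed policy: nobody but the super cloud admin may span two infrastructure
    domains, and an infrastructure admin may not also administer a tenant.
    The super cloud admin is a break-glass role and is reviewed out of band."""
    roles = [r for r, _ in assignments]
    if "super_cloud_admin" in roles:
        return []
    infra = set()
    for role in roles:
        infra |= domains_of(role) & INFRA_DOMAINS
    problems = []
    if len(infra) > 1:
        problems.append("spans infrastructure domains " + ", ".join(sorted(infra)))
    tenants = sorted({s for _, s in assignments if s != CLOUD_SCOPE})
    if infra and tenants:
        problems.append("infrastructure admin also administers tenant(s) " + ", ".join(tenants))
    return problems


# Constructed principals (sample data).
PRINCIPALS: Dict[str, List[Assignment]] = {
    "bob":   [("cloud_network_admin", CLOUD_SCOPE)],
    "carol": [("tenant_admin", "TenantA")],
    "dave":  [("vm_admin", "TenantB")],
    "eve":   [("cloud_network_admin", CLOUD_SCOPE), ("cloud_storage_admin", CLOUD_SCOPE)],
    "frank": [("cloud_server_admin", CLOUD_SCOPE), ("tenant_admin", "TenantC")],
}

if __name__ == "__main__":
    print(authorize(PRINCIPALS["carol"], "vm.delete", "TenantA"))  # own tenant
    print(authorize(PRINCIPALS["carol"], "vm.delete", "TenantB"))  # another tenant
    for name, a in PRINCIPALS.items():
        print(name, sod_violations(a) or "ok")
```

Run sod_violations over every principal at each access review, not only at provisioning time: the conflicts that matter are the ones that accumulate as people change jobs.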
Air Gapped Design – Costly and Inefficient
[Figure: for each of Company X, Company Y and Company Z, a dedicated stack from the Internet down: VPN Gateway (remote access), L2-L3 Switch (aggregation), Firewall, Load Balancer, Switch (access) and the company's own vSphere hosts; nothing is shared between the three]
Multi-tenancy – Physical Firewall and VLAN
[Figure: Internet to L2-L3 switch (aggregation) to physical firewalls to the access layer, carrying VLAN 1000, VLAN 1001 and VLAN 1002 down to a shared VMware vSphere + vShield cluster; virtual-to-external switch links trunk the three VLANs into the vDS/vSS, where each company has its own port group]
Legend:
• PG-X: Port group Company X n/w (VLAN 1000)
• PG-Y: Port group Company Y n/w (VLAN 1001)
• PG-Z: Port group Company Z n/w (VLAN 1002)
• Port group to VM links; virtual to external switch links
Multi-tenancy – Virtualization Aware
[Figure: Internet to L2-L3 switch; a single Provider VLAN (VLAN 100) carries the external uplink port group PG-C into the vDS; each of Company X, Y and Z gets its own vShield Edge VM between PG-C and the company's port group on the Infrastructure VLAN (VLAN 1000); traffic flow between the companies' internal links is not allowed. VMware vSphere + vShield.]
Legend:
• PG-X: Port group Company X n/w (VLAN 1000)
• PG-Y: Port group Company Y n/w (VLAN 1000)
• PG-Z: Port group Company Z n/w (VLAN 1000)
• PG-C: External uplink port group (VLAN 100)
• Internal company links; external uplink; vDS to external switch links
Enforce Microsegmentation Inside the vDC
Protect applications against network based threats:
• Application-aware full stateful packet inspection firewall
• Control on a per-VM / per-vNIC level
• See VM-to-VM traffic within the same host
• Security groups enforced with VM movement
[Figure: Virtual Datacenter 1 and Virtual Datacenter 2, each with Web, App and Database tiers, spread across Cluster A and Cluster B on VMware vSphere + vCenter; hardening baselines shown: DISA & PCI, CIS & PCI, ESX hardening]
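An added example, not from the deck or from vShield, covering both the tenant isolation of the two preceding multi-tenancy slides and the per-VM security groups on this one: a Python policy evaluator that decides flows on VM identity (virtual datacenter and security group) instead of on IP, VLAN or host. Because the host is never consulted, two VMs on the same host get exactly the treatment two VMs on different hosts get, and the decision survives a vMotion. VM names, hosts, the rule set and the data model are assumptions.

```python
"""Security-group firewall policy evaluated on VM identity rather than on IP,
VLAN or host. Added example; the data model, rule set and VM names are
assumptions for illustration."""
from dataclasses import dataclass, replace
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class VM:
    name: str
    vdc: str    # virtual datacenter (tenant) the VM belongs to; "" = outside any vDC
    group: str  # security group: web / app / db / external
    host: str   # ESX host currently running the VM


@dataclass(frozen=True)
class Rule:
    src_group: str  # "external" = traffic entering from outside the vDC
    dst_group: str
    proto: str
    port: int


# Assumed three-tier policy, applied per vDC; anything not listed is dropped.
POLICY: List[Rule] = [
    Rule("external", "web", "tcp", 443),
    Rule("web", "app", "tcp", 8080),
    Rule("app", "db", "tcp", 3306),
]

EXTERNAL = VM("external", "", "external", "")


def evaluate(src: VM, dst: VM, proto: str, port: int,
             policy: List[Rule] = POLICY) -> Tuple[bool, str]:
    """Decide a flow from its endpoints' identities. The host field is never read."""
    if src.vdc and src.vdc != dst.vdc:
        return False, f"cross-vDC traffic {src.vdc} -> {dst.vdc} is never allowed"
    for r in policy:
        if (r.src_group, r.dst_group, r.proto, r.port) == (src.group, dst.group, proto, port):
            return True, f"rule {r.src_group}->{r.dst_group} {proto}/{port}"
    return False, "default deny"


def vmotion(inventory: Dict[str, VM], vm_name: str, new_host: str) -> Dict[str, VM]:
    """Move a VM; its vDC and security-group membership travel with it."""
    moved = replace(inventory[vm_name], host=new_host)
    return {**inventory, vm_name: moved}


# Constructed inventory: two tenants sharing hosts in Cluster A (esx-a*) and Cluster B (esx-b*).
INVENTORY: Dict[str, VM] = {
    "web1": VM("web1", "vdc1", "web", "esx-a1"),
    "app1": VM("app1", "vdc1", "app", "esx-a1"),  # same host as web1
    "db1":  VM("db1",  "vdc1", "db",  "esx-a2"),
    "web2": VM("web2", "vdc2", "web", "esx-a2"),
    "app2": VM("app2", "vdc2", "app", "esx-b1"),
}


def decide(inv: Dict[str, VM], src: str, dst: str, proto: str, port: int) -> bool:
    s = EXTERNAL if src == "external" else inv[src]
    return evaluate(s, inv[dst], proto, port)[0]


if __name__ == "__main__":
    print(decide(INVENTORY, "web1", "app1", "tcp", 8080))  # same host, still inspected: allowed by rule
    print(decide(INVENTORY, "web1", "db1", "tcp", 3306))   # tier skip: denied
    print(decide(INVENTORY, "web1", "app2", "tcp", 8080))  # other tenant: denied
    after = vmotion(INVENTORY, "app1", "esx-b2")           # app1 moves to Cluster B
    print(decide(after, "web1", "app1", "tcp", 8080))      # the policy followed the VM
```

Contrast this with the VLAN-and-physical-firewall design two slides back, where the same decision depends on which VLAN the VM's port group carries and on the firewall's IP rules, both of which have to be re-checked every time a VM is moved or re-addressed.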
Offload Endpoint Based Security Functions with VM Introspection Techniques
Improves performance and effectiveness of existing endpoint security solutions
• Offload Functions
  • AV
  • File Integrity Monitoring
  • Application Whitelisting
Virtualized Security and Edge Services
Cloud Aware Security: Elastic, Logical, Efficient, Automated, Programmable; Security as a Service
Edge/Perimeter Protection
• Secure the edge of the virtual datacenter
• Security and edge networking services gateway
Internal Security and Compliance
• Micro-segmentation
• Discover and report regulated data in the Datacenter and Cloud
Endpoint Security
• Efficient offload of endpoint based security into the cloud infrastructure, e.g. anti-virus and file integrity monitoring
Continuous and Automated Compliance
Ongoing Change and Compliance Management
• Understand pervasive change
• Capture in-band and out-of-band changes
• Are you still compliant?
• Fit within the current enterprise change management workflow process
Protect against vulnerabilities
• Hypervisor-based anti-virus provides superior protection
• Patch management guards against known attacks
• Software provisioning tied to compliance
• Day to day vulnerability checks
[Figure: compliance state machine. Deployed from Gold Standard leads to Compliant State. A Planned Change keeps the Compliant State (remediate; exceptions). An Unplanned Change leads to Noncompliant State, from which either Remediate (RFC optional) returns to Compliant State or the change is Marked as Exception.]
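An added example, not from the deck or from any VMware compliance tool: Python that walks the state machine on the slide. Each setting is compared to a gold standard; a difference that matches an approved RFC is a planned change, one covered by a recorded exception stays compliant, and anything else is an unplanned change that makes the host noncompliant until it is remediated or marked as an exception. Because the assessment looks only at the host's actual state, an out-of-band change made at the console shows up exactly like an in-band one. Setting names, values and RFC/exception identifiers are assumptions.

```python
"""Drift assessment against a gold-standard host configuration, following the
slide's states. Added example; setting names, values and identifiers are
assumptions."""
from dataclasses import dataclass
from typing import Any, Dict, List


@dataclass(frozen=True)
class Drift:
    setting: str
    expected: Any
    actual: Any
    classification: str  # "planned" / "exception" / "unplanned"
    reference: str       # RFC or exception id; empty when unplanned


@dataclass(frozen=True)
class Report:
    state: str           # "compliant" / "noncompliant"
    drifts: List[Drift]


def assess(gold: Dict[str, Any], current: Dict[str, Any],
           approved_changes: Dict[str, Dict[str, Any]], exceptions: Dict[str, str]) -> Report:
    """Compare current settings to the gold standard and classify every difference."""
    drifts: List[Drift] = []
    for setting, expected in gold.items():
        actual = current.get(setting)  # a missing setting is drift too
        if actual == expected:
            continue
        rfc = approved_changes.get(setting)
        if rfc is not None and rfc["value"] == actual:
            drifts.append(Drift(setting, expected, actual, "planned", rfc["rfc"]))
        elif setting in exceptions:
            drifts.append(Drift(setting, expected, actual, "exception", exceptions[setting]))
        else:
            drifts.append(Drift(setting, expected, actual, "unplanned", ""))
    state = "noncompliant" if any(d.classification == "unplanned" for d in drifts) else "compliant"
    return Report(state, drifts)


def remediate(current: Dict[str, Any], report: Report) -> Dict[str, Any]:
    """Revert every unplanned drift to the gold value; planned changes and exceptions stay."""
    fixed = dict(current)
    for d in report.drifts:
        if d.classification == "unplanned":
            fixed[d.setting] = d.expected
    return fixed


def mark_exception(exceptions: Dict[str, str], setting: str, exception_id: str) -> Dict[str, str]:
    """The slide's other exit from the noncompliant state: record an approved exception."""
    return {**exceptions, setting: exception_id}


# Constructed data (sample values, not a real host).
GOLD = {
    "ssh.enabled": False,
    "lockdown_mode": True,
    "ntp.servers": ("ntp1.corp.example",),
    "syslog.remote_host": "syslog.corp.example",
    "firewall.default_policy": "drop",
}
CURRENT = {
    "ssh.enabled": True,                                        # turned on at the console: out-of-band, no RFC
    "lockdown_mode": False,                                     # covered by a recorded exception
    "ntp.servers": ("ntp1.corp.example", "ntp2.corp.example"),  # rolled out under an RFC
    "syslog.remote_host": "syslog.corp.example",
    "firewall.default_policy": "drop",
}
APPROVED = {"ntp.servers": {"rfc": "RFC-2041", "value": ("ntp1.corp.example", "ntp2.corp.example")}}
EXCEPTIONS = {"lockdown_mode": "EXC-0007"}

if __name__ == "__main__":
    report = assess(GOLD, CURRENT, APPROVED, EXCEPTIONS)
    print(report.state)
    for d in report.drifts:
        print(f"  {d.setting}: {d.expected!r} -> {d.actual!r} [{d.classification} {d.reference}]")
    print(assess(GOLD, remediate(CURRENT, report), APPROVED, EXCEPTIONS).state)
```

A planned change that passes this check should also be folded back into the gold standard once the RFC closes; otherwise every later assessment keeps reporting it as drift.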
Conclusion
• The Cloud Has Great Benefits and, like any Technology, its Associated Risks
• These Risks Can Be Mitigated With Proper Controls
• The Classic Principles of Information Security Should Be Applied
• Key Architecture Decisions Must Be Made for Security
• Tools Designed for the Cloud Must Be Utilized
Questions?
Rob Randell, CISSP, CCSK
Principal Security and Compliance Specialist