RSA Solution for Cloud Security and Compliance
RSA, The Security Division of EMC
Bernard Montel, Technical Director, RSA France
Bernard.montel@rsa.com

Agenda
• Customer Challenges, Key Messages
• Solution Capabilities

Cloud Computing by NIST and VMware
Cloud Computing is an approach to computing that leverages the efficient pooling of on-demand, self-managed virtual infrastructure, consumed as a service. Cloud is a way of doing computing.
• Enterprises – Private Cloud: operated solely for an organization, typically within the firewall
• Bridging – Hybrid Cloud: composition of two or more interoperable clouds, enabling data and application portability
• Cloud Service Providers – Public Cloud: accessible over the Internet for general consumption

Security-Specific Factors That Would Enable More Widespread Usage of Server Virtualization
From an information security perspective, which of the following developments need to take place in order to enable more widespread server virtualization usage? (Percent of respondents, N=105, multiple responses accepted)
• More secure virtualization management and operations – 33%
• Virtual security tools that use the same formats as my physical security devices – 33%
• Compliance management tools that recognize virtual server events – 27%
• Need better tools to identify and configure relationships between virtual machines – 26%
• Tighter integration between security management and security management tools – 26%
• A better understanding of how server virtualization security will align with cloud-based security services – 24%
• Data/storage encryption to protect virtual machines on disk – 24%
• Virtual firewalls and filtering devices to secure virtual machine to virtual machine traffic – 23%
• Network encryption to protect virtual machines in flight – 22%
• Additional virtualization training for security staff – 20%
• Log management or SIEM tools that recognize virtual server events – 18%
• New host-based security tools designed for virtual servers – 16%
Source: © 2010 Enterprise Strategy Group

Customer Challenges
Business Objective (CIO): Accelerate/start virtualization of business critical apps to continue optimizing costs
Business Objective (CISO): Manage risk and compliance while going from IT production to business production

Pains
• Lack of visibility into and control over security and compliance status of the virtual infrastructure
• Difficult to rationalize the complexity of compliance requirements across virtual and physical environments
• Lack of guidance and orchestration for securing virtual infrastructure comprehensively
• Lack of consistency in physical and virtual security increases cost and complexity of virtualization
• High cost and difficulty of responding to compliance audits for virtual environments
• Inefficient management of security and compliance across IT and security operations teams
• Fragmented views of data across hybrid infrastructure cause delays in identifying risk and compliance breaches/concerns

Negative Consequences
• Increased risk of fines and failed audits
  – "we are flying blind"
  – "we are going to be painted into a corner" (if something that fails an audit gets into production and the company is committed, it is really hard to fix it later!)
  – Policy for meeting regulations (e.g. PCI) in virtualized environments is still evolving
• Compliance concerns stall the adoption of virtualization
  – Mission critical applications with sensitive data are riskier
  – Segmenting regulated data onto separate virtualized hardware
  – Limits the cost savings inherent in virtualization

Negative Consequences (cont.)
• Responding to audits is time consuming, error prone and costly
  – Across mixed virtual and non-virtual IT infrastructure
  – No time for other value-added security projects
  – 20% of IT time and resources spent on compliance; this is compounded by virtualization
• Delays in identifying risk and compliance breaches/concerns
  – Due to fragmented views across virtual and physical infrastructure

The Enterprise Journey to the Hybrid Cloud
Stages: IT Production, Business Production, IT-As-A-Service
Drivers: Lower Costs, Improve Quality Of Service, Improve Agility
Public cloud adoption: Software as a Service, Platform as a Service, Infrastructure as a Service
[Chart: % Virtualized across the stages (values shown: 15%, 30%, 70%, 85%, 95%); labels: High Availability, Data Protection]

Securing the Enterprise Journey to the Cloud
The same journey chart, overlaid with the security capabilities needed along the way:
• Identity management
• Multi-factor authentication
• Trust management
• Security event management
• Information and workload control
• Hardening
• Security patches
• Compliance monitoring
• Service provider control
• Visibility and compliance
• Integration with enterprise security processes

Use Case Examples

Use Case: Reducing Risk of VM Theft
Risk: Securing virtual infrastructure is often a checklist of best practices. Hardening a VMware environment is complex and difficult to verify.
What can I do to limit the risk of VM theft from my datacenter?
Need to take preventative steps that limit access to VM files in the first place, e.g.:
• Disable Datastore Browser
• Storage User Access
• Limit use of service console
• Use least privileged role concept for system and data access (also: possible strong authentication to ensure access of only approved people and roles)
Archer has built-in Control Procedures to check for VM file access best practices; Security and IT Ops can easily see if controls enforce policy.
The Cloud Solution identifies VMware devices, assesses configuration status, and informs the responsible VI admin.
enVision provides an "electronic bread crumb trail" for forensics, to ensure security events are not disrupting the compliance posture.

Agenda
• Customer Challenges, Key Messages
• Solution Capabilities

RSA Archer eGRC Solutions
• Audit Management: Centrally manage the planning, prioritization, staffing, procedures and reporting of audits to increase collaboration and efficiency.
• Policy Management: Centrally manage policies, map them to objectives and guidelines, and promote awareness to support a culture of corporate governance.
• Risk Management: Identify risks to your business, evaluate them through online assessments and metrics, and respond with remediation or acceptance.
• Business Continuity Management: Automate your approach to business continuity and disaster recovery planning, and enable rapid, effective crisis management in one solution.
• Threat Management: Track threats through a centralized early warning system to help prevent attacks before they affect your enterprise.
• Vendor Management: Centralize vendor data, manage relationships, assess vendor risk, and ensure compliance with your policies and controls.
• Compliance Management: Document your control framework, assess design and operational effectiveness, and respond to policy and regulatory compliance issues.
• Incident Management: Report incidents and ethics violations, manage their escalation, track investigations and analyze resolutions.
• Enterprise Management: Manage relationships and dependencies within your enterprise hierarchy and infrastructure to support GRC initiatives.

Summary: RSA Solution for Cloud Security and Compliance v1.0
The cycle of security compliance in RSA Archer eGRC: Discover VMware infrastructure; Define security policy; Manual and automated configuration assessment; Manage security incidents that affect compliance; Remediation of non-compliant controls.
What's New:
• RSA Securbook
• Over 100 VMware-specific controls added to the Archer library, mapped to regulations/standards
• RSA enVision collects, analyzes and feeds security incidents from RSA, VMware and ecosystem products to inform Archer dashboards (e.g. DLP, VMware vShield and vCD, HyTrust, Ionix, etc.)
• New solution component automatically assesses VMware configuration and updates Archer

Enabling the Cycle of Security Compliance
What's New: Over 100 VMware-specific controls added to the Archer library, mapped to regulations/standards

RSA Archer: Mapping VMware security controls to regulations and standards
• Authoritative Source – Regulations (PCI-DSS, etc.), e.g. "10.10.04 Administrator and Operator Logs" (CxO level)
• Control Standard – Generalized security controls, e.g. "CS-179 Activity Logs – system start/stop/config changes etc."
• Control Procedure – Technology-specific control, e.g. "CP-108324 Persistent logging on ESXi Server" (VI Admin level)
The VI Admin discovers the VMware infrastructure and defines the policy/controls to manage.

Distribution and Tracking Control Procedures
Control procedures are distributed to, and tracked for: Security Admin, Server Admin, Project Manager, Network Admin, VI Admin.

Enabling the Cycle of Security Compliance
What's New: New solution component automatically assesses VMware configuration and updates Archer

Initial Deployment Questionnaire / Automated Assessment via PowerCLI
Automatically discover and assess VMware infrastructure via PowerCLI. VMware objects (ESX, vSwitches, etc.) are automatically populated into RSA Archer eGRC. They are then mapped to control procedures. Over 40% are automatically assessed via PowerCLI and the results fed into Archer for reporting and remediation.

Enabling the Cycle of Security Compliance
• Control Procedure – List, Status and Measurement Method
• Deployment and Remediation Work Queues
• Overall Virtual Infrastructure Compliance Dashboard

Enabling the Cycle of Security Compliance
What's New: RSA enVision collects, analyzes and feeds security incidents from RSA, VMware and ecosystem products to inform Archer dashboards (e.g. DLP, vShield, HyTrust, etc.)
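The control mapping, PowerCLI-fed assessment and VM theft checks described above, as an added Python illustration that is not RSA Archer or PowerCLI code: it evaluates a constructed host inventory (in the shape a PowerCLI discovery could produce) against automated control procedures, takes manual procedures from the deployment questionnaire, and rolls the results up to control standards and authoritative sources for a dashboard and a remediation work queue. CP-108324, CS-179 and 10.10.04 come from the mapping slide; the Syslog.global.logDir setting, the host records and the CP-DSB, CP-SC and CS-ACC identifiers are assumptions.

```python
# Added illustration; host records, the Syslog.global.logDir check and CP-DSB/CP-SC/CS-ACC are assumptions.
PROCEDURES = {  # control procedure -> (parent control standard, measurement method)
    "CP-108324": ("CS-179", "automated"),  # Persistent logging on ESXi Server (from the slide)
    "CP-DSB": ("CS-ACC", "automated"),     # hypothetical: Datastore Browser access restricted
    "CP-SC": ("CS-ACC", "manual"),         # hypothetical: limit use of service console
}
STANDARDS = {"CS-179": "10.10.04", "CS-ACC": "10.10.04"}  # control standard -> authoritative source
def check_persistent_logging(host):
    # Assumption: a log directory on a datastore ("[name] path") counts as persistent
    return host["settings"].get("Syslog.global.logDir", "").startswith("[")
def check_datastore_browser(host):
    # Assumption: only the Administrator role may hold the Datastore.Browse privilege
    return not any("Datastore.Browse" in privs
                   for role, privs in host["roles"].items() if role != "Administrator")
AUTOMATED = {"CP-108324": check_persistent_logging, "CP-DSB": check_datastore_browser}

def assess(hosts, questionnaire):
    """Return {(host, procedure): passed}. Manual procedures are answered by the
    deployment questionnaire; an unanswered item is treated as non-compliant."""
    results = {}
    for host in hosts:
        for cp, (_, method) in PROCEDURES.items():
            if method == "automated":
                results[(host["name"], cp)] = AUTOMATED[cp](host)
            else:
                results[(host["name"], cp)] = questionnaire.get((host["name"], cp), False)
    return results

def dashboard(results):
    """Roll procedure results up to control standards and authoritative sources
    as percent compliant, the figure a compliance dashboard would show."""
    tallies = {}  # id -> [passed, total]
    for (_, cp), ok in results.items():
        std = PROCEDURES[cp][0]
        for key in (std, STANDARDS[std]):
            passed, total = tallies.setdefault(key, [0, 0])
            tallies[key] = [passed + int(ok), total + 1]
    return {k: round(100.0 * p / t, 1) for k, (p, t) in tallies.items()}

def remediation_queue(results):
    """Work-queue items for the responsible VI admin: failing (host, procedure) pairs."""
    return sorted(item for item, ok in results.items() if not ok)

HOSTS = [  # constructed inventory in the shape a PowerCLI discovery could produce
    {"name": "esx01", "settings": {"Syslog.global.logDir": "[datastore1] /logs/esx01"},
     "roles": {"Administrator": ["Datastore.Browse"], "VM Operator": ["VirtualMachine.Interact.PowerOn"]}},
    {"name": "esx02", "settings": {"Syslog.global.logDir": "[datastore1] /logs/esx02"},
     "roles": {"Administrator": ["Datastore.Browse"], "VM Operator": ["Datastore.Browse"]}},
]
QUESTIONNAIRE = {("esx01", "CP-SC"): True}  # esx02 has not answered the manual item
```

Running `dashboard(assess(HOSTS, QUESTIONNAIRE))` gives CS-179 at 100%, CS-ACC at 50% and 10.10.04 at 66.7%, with esx02's two failing procedures queued for remediation.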
RSA Solution for Cloud Security and Compliance: Architecture
• Regulations and standards are mapped to generalized security controls, which are mapped to VMware-specific security controls.
• Automated assessment feeds the configuration state of the VMware cloud infrastructure (vSphere, vShield, vCD) into Archer.
• RSA enVision feeds security events from the VMware cloud infrastructure and ecosystem products (HyTrust, Ionix) into Archer.

Example: VMware vShield Network Security Events Fed to Archer

Overall Compliance Dashboard and Reporting: Physical and Virtual

Learn More
• RSA social media release with demo: http://rsawebdev.na.rsa.net/go/press/RSATheSecurityDivisionofEMCNewsRelease_83010.html
• www.rsa.com/virtualization – Secure Cloud
• www.rsa.com/virtualization

Thank you!